I am trying to run the Temporal Docker image with SSO web enabled locally, and I updated my config.yml file as per the documentation. I created a client ID and secret in GCP. When I try to run Temporal Web I get the following error: "Error: Unknown authentication strategy 'oidc'".
Can someone suggest how to proceed on this issue?
My config file:
auth:
  enabled: true # Temporal Web checks this first before reading your provider config
  providers:
    - label: 'google oidc' # for internal use; in future may expose as button text
      type: oidc # for futureproofing; only oidc is supported today
      issuer: https://accounts.google.com
      client_id: xxxxxxxxx
      client_secret: xxxxxxxxxxxxxxxx
      scope: openid profile email
      audience: temporal # identifier of the audience for an issued token (optional)
      callback_base_uri: http://localhost:8088/auth/sso_callback
      pass_id_token: false # adds ID token as 'authorization-extras' header with every request to server
routing:
  default_to_namespace: # internal use only
  issue_report_link: XXXXX # set this field if you need to direct people to internal support forums
Thanks Ruslan. Got that, I just realized I am using 1.10.0. I updated to 1.11.0 and I am getting the following error when I try to enter the callback URL.
Hello Ruslan, quick question: currently, when I test web SSO, any Google user is able to log in to the Temporal server, whereas I created the secret and client ID from the XYZ user. Is this expected behaviour? My understanding was that it should only log in with the XYZ user with which the client ID and secret were created.
I'm assuming you are trying to use Google OIDC directly as the auth provider in GCP?
AFAIK Google OIDC doesn't allow controlling which Google accounts should have access to your app (though I can be wrong here, please double check).
There are OIDC providers that certainly allow limiting authorization to specific users only and also controlling their permissions, such as Auth0, Okta, or the open source Keycloak. You can still use Google accounts with these providers and get nice permission granularity.
Temporal Web currently only supports the OIDC protocol. Do you want to use on-prem AD, Azure Active Directory, or Google AD FS?
I've found these docs on AD's OIDC support:
Also some of Microsoft's announcements regarding OIDC: microsoft | OpenID
As for configuring Temporal Web: this would be the same as with other OIDC providers. AD should provide you with the OIDC params such as the issuer link, client_id, client_secret, etc., as in your original post.