Issue in Enabling SSO for Web

Hello,

I am trying to run the Temporal docker image with SSO web enabled locally, and I updated my config.yml file as per the documentation. I created a client ID and secret in GCP. When I am trying to run Temporal Web I am getting the following error: "Error: Unknown authentication strategy "oidc"".

Can someone suggest how to proceed on this issue?

My config file:

auth:
  enabled: true # Temporal Web checks this first before reading your provider config
  providers:
    - label: 'google oidc' # for internal use; in future may expose as button text
      type: oidc # for futureproofing; only oidc is supported today
      issuer: https://accounts.google.com
      client_id: xxxxxxxxx
      client_secret: xxxxxxxxxxxxxxxx
      scope: openid profile email
      audience: temporal # identifier of the audience for an issued token (optional)
      callback_base_uri: http://localhost:8088/auth/sso_callback
      pass_id_token: false # adds ID token as 'authorization-extras' header with every request to server

routing:
  default_to_namespace: # internal use only
  issue_report_link: XXXXX # set this field if you need to direct people to internal support forums

What version of the web is this?

Thanks Ruslan. Got that, I just realized I am using 1.10.0. I updated to 1.11.0 and I am getting the following error when I try to enter the callback URL.


Oh, could you try

callback_base_uri: http://localhost:8088

instead of http://localhost:8088/auth/sso_callback. /auth/sso_callback is added automatically in web v1

I did try both ways. Still getting the same error.

When I removed audience from my config file it started working as expected. Thanks Ruslan. This helps a lot.
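A preflight check that encodes the three pitfalls this thread ran into (web version too old, callback_base_uri including the callback path, and audience set with the Google issuer). This is an added example, not Temporal's own code; the version threshold and the audience rule are taken from this thread, and the sample config is constructed with placeholder secrets.

```python
from urllib.parse import urlparse

SSO_CALLBACK_PATH = "/auth/sso_callback"   # appended by Temporal Web v1 itself
GOOGLE_ISSUER = "https://accounts.google.com"
MIN_WEB_VERSION = (1, 11, 0)               # 1.10.0 raised "Unknown authentication strategy" in this thread

def parse_version(version: str) -> tuple:
    """'1.11.0' -> (1, 11, 0); non-numeric parts are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def check_provider(provider: dict) -> list:
    """Return human-readable problems for one `auth.providers` entry."""
    problems = []
    if provider.get("type") != "oidc":
        problems.append("type must be 'oidc'; it is the only strategy Temporal Web supports")
    for key in ("issuer", "client_id", "client_secret", "scope", "callback_base_uri"):
        if not provider.get(key):
            problems.append(f"missing required field '{key}'")
    if "openid" not in str(provider.get("scope", "")).split():
        problems.append("scope must include 'openid' for an OIDC login")
    callback = urlparse(str(provider.get("callback_base_uri", "")))
    if callback.path.rstrip("/").endswith(SSO_CALLBACK_PATH):
        problems.append(f"callback_base_uri should be the base URL only; {SSO_CALLBACK_PATH} is added automatically")
    if str(provider.get("issuer", "")).rstrip("/") == GOOGLE_ISSUER and "audience" in provider:
        problems.append("remove 'audience' when the issuer is Google; it broke the callback in this thread")
    return problems

def check_auth_config(config: dict, web_version: str) -> list:
    """Check the whole `auth` section plus the running Temporal Web version."""
    problems = []
    if parse_version(web_version) < MIN_WEB_VERSION:
        problems.append(f"Temporal Web {web_version} predates OIDC support; upgrade to 1.11.0 or later")
    auth = config.get("auth", {})
    if not auth.get("enabled"):
        problems.append("auth.enabled is false; provider config is ignored")
    providers = auth.get("providers") or []
    if not providers:
        problems.append("auth.providers is empty")
    for i, provider in enumerate(providers):
        problems.extend(f"providers[{i}]: {p}" for p in check_provider(provider))
    return problems

# Constructed sample mirroring the original post (secrets are placeholders).
ORIGINAL_CONFIG = {"auth": {"enabled": True, "providers": [{
    "label": "google oidc", "type": "oidc", "issuer": GOOGLE_ISSUER,
    "client_id": "PLACEHOLDER_ID", "client_secret": "PLACEHOLDER_SECRET",
    "scope": "openid profile email", "audience": "temporal",
    "callback_base_uri": "http://localhost:8088/auth/sso_callback", "pass_id_token": False}]}}
```

Running `check_auth_config(ORIGINAL_CONFIG, "1.10.0")` reports all three issues; dropping audience and trimming the callback URL to `http://localhost:8088` on 1.11.0 reports none.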


Hello Ruslan, quick question: currently when I test web SSO, any Google user is able to log in to the Temporal server, whereas I created the secret and client ID from (XYZ user). Is this expected behavior? My understanding was it should only log in with the XYZ user for which the client ID and secret were created.

I'm assuming you are trying to use Google OIDC directly as the auth provider in GCP?

AFAIK Google OIDC doesn't allow controlling which Google accounts should have access to your app (though I can be wrong here, please double check).

There are OIDC providers that certainly allow limiting authorization to specific users only and also control their permissions, such as Auth0, Okta, or the open source Keycloak. You can still use Google accounts with these providers and receive nice permissions granularity.

Just in case, some additional notes on protecting Temporal server endpoints and enabling authorization for them: Temporal Server security | Temporal documentation


Hello Ruslan,

Can we implement Active Directory for Temporal Web? If yes, do we have any documentation?

Temporal Web currently only supports the OIDC protocol. Do you want to use an on-prem AD, Azure Active Directory, or Google AD FS?

I've found these docs on AD's OIDC support:

Also some of Microsoft's announcements regarding OIDC: microsoft | OpenID

As for configuring Temporal Web: this would be the same as with other OIDC providers. AD should provide you the OIDC params such as the issuer link, client_id, client_secret, etc., as in your original post.