Issue with Temporal Web UI with OAuth SSO authentication (JWT, no mTLS)

Hi,
I’m trying to configure Temporal Web to use a JWT token (without certificates) with WSO2 IS.

In particular, I configured wso2is with a tenant and a service provider with the related “OAuth/OpenID Connect Configuration” (to produce a JWT token), with “redirect url” http://localhost:8088/auth/sso_callback. (I’m able to obtain a JWT.)

I then configured the server-side part (in order to enable TLS for other clients but not for the web one):

frontend:
    # This server section configures the TLS certificate that the Frontend
    # server presents to all clients (specifically the Worker role within
    # the Temporal Cluster and all External SDKs connecting to the Cluster)
    server:
        requireClientAuth: true
        certFile: /tmp/certs/cluster.pem
        keyFile: /tmp/certs/cluster.key
        clientCaFiles:
            - /tmp/certs/ca.cert

        certData:
        keyData:
    hostOverrides:
        web-server:
            requireClientAuth: false
            certFile: /tmp/certs/cluster.pem
            keyFile: /tmp/certs/cluster.key
            clientCaFiles:
                - /tmp/certs/ca.cert

I then run docker web UI by:

docker run --network="host" --env-file ${PWD}/web/config/temporal-web-env -v ${PWD}/test/web/config.yml:/usr/app/server/config.yml docker-registry.gld-1.cloud.bankit.it/temporalio/web:<version>

with ${PWD}/web/config/temporal-web-env (disabling host verification and specifying the TLS server name):

TEMPORAL_GRPC_ENDPOINT=127.0.0.1:7233
TEMPORAL_PERMIT_WRITE_API=false
TEMPORAL_TLS_ENABLE_HOST_VERIFICATION=false
TEMPORAL_TLS_SERVER_NAME=web-server

with ${PWD}/test/web/config.yml:

auth:
  enabled: true # Temporal Web checks this first before reading your provider config
  providers:
    - label: "wso2is" # for internal use; in future may expose as button text
      type: oidc # for futureproofing; only oidc is supported today
      issuer: https://localhost:9443/oauth2/token
      client_id: xxxxx
      client_secret: xxxxx
      scope: openid profile email
      audience: temporal # identifier of the audience for an issued token (optional)
      callback_base_uri: http://localhost:8088
      pass_id_token: false # adds ID token as 'authorization-extras' header with every request to server

I get the following error when accessing the web UI (http://localhost:8088):

 AggregateError: 
    RequestError: self signed certificate
        at ClientRequest.<anonymous> (/usr/app/node_modules/got/dist/source/core/index.js:953:111)
        at ClientRequest.origin.emit (/usr/app/node_modules/@szmarczak/http-timer/dist/source/index.js:39:20)

Do you have an idea about the possible reason? I followed the same approach for the tctl CLI and it worked fine.

Many thanks,
regards,
Marco
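The stack trace above is raised inside got, an HTTP client, while the only HTTPS endpoint in the posted configuration is the issuer at https://localhost:9443 (the gRPC hop to 127.0.0.1:7233 is governed by the TEMPORAL_TLS_* variables, not by got). Assuming that is what the trace shows, the certificate being rejected is the one the issuer presents, and the cure is to make its CA trusted by the web server's process. The Go program below is an added example, not code from temporal-web or the Temporal server: it reproduces that failure mode offline by starting a throwaway HTTPS "issuer" with a self-signed certificate, shows a client using the default trust roots rejecting it, and then shows the same request succeeding once that certificate is supplied as a trust anchor. The fake issuer, its discovery document and the helper names (startFakeIssuer, probeIssuer, isUntrustedCert) are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// startFakeIssuer starts an HTTPS server that plays the role of the OIDC
// issuer (wso2is in the thread) and serves a minimal discovery document.
// httptest hands it a self-signed certificate that no system root trusts,
// which is exactly the situation a "self signed certificate" error describes.
// The returned pool contains only that certificate: the trust anchor a client
// has to be given explicitly.
func startFakeIssuer() (*httptest.Server, *x509.CertPool) {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// Constructed sample document; a real issuer lists all its endpoints and a jwks_uri.
		fmt.Fprintf(w, `{"issuer":"https://%s/oauth2/token","jwks_uri":"https://%s/oauth2/jwks"}`, r.Host, r.Host)
	})
	srv := httptest.NewTLSServer(mux)
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// probeIssuer fetches the discovery document using the given trust roots.
// roots == nil means the process's default (system) roots, which is what a
// client gets when no extra CA bundle has been configured for it.
// Verification is never disabled: the choice is which CAs to trust.
func probeIssuer(discoveryURL string, roots *x509.CertPool) (int, error) {
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
		},
	}
	resp, err := client.Get(discoveryURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUntrustedCert reports whether err is a TLS trust failure rather than a
// connectivity or HTTP problem, so the operator knows the fix is a CA bundle,
// not a firewall rule or a wrong URL.
func isUntrustedCert(err error) bool {
	var unknown x509.UnknownAuthorityError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &noRoots)
}

func main() {
	srv, pool := startFakeIssuer()
	defer srv.Close()
	discovery := srv.URL + "/.well-known/openid-configuration"

	// 1. Default roots: the self-signed issuer certificate is rejected.
	if _, err := probeIssuer(discovery, nil); err != nil {
		fmt.Printf("default roots: %v (trust failure: %t)\n", err, isUntrustedCert(err))
	}
	// 2. Issuer certificate supplied as a trust anchor: the request succeeds.
	code, err := probeIssuer(discovery, pool)
	fmt.Printf("issuer cert trusted: status=%d err=%v\n", code, err)
}
```

For the Node process inside the web container the principle is the same: hand it the CA that signed the issuer's certificate (Node reads additional trust anchors from the NODE_EXTRA_CA_CERTS environment variable) instead of switching verification off, since an unverified issuer connection lets anyone on the path to port 9443 impersonate the identity provider and mint tokens the UI will accept.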

Hey Marco,

Not sure about the “self signed certificate” error off the top of my head, checking too.

AFAICT this is related to mTLS and not exactly to JWT/OAuth. Still, after the certificate issue is resolved, you might see an issue with the audience field, which is set to temporal in your config. Unless intentional, see if it should be empty or some other value depending on your WSO2 configuration.

Hi Ruslan,
Regarding the audience temporal, I set it in my WSO2 configuration, so it should not be an issue.

Considering the mTLS configuration, please let me know if you find the reason.
I followed the suggestion provided to me in the post JWT token and mTLS switching - #3 by marimp8888 (I successfully used it for tctl and it should also work for the web UI).

Many thanks,
Marco
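To confirm that the audience Ruslan asked about really lines up, the quickest check is to look at the aud and iss claims of a token WSO2 IS issues and compare them with the audience and issuer values in config.yml. The Go snippet below is an added example, not temporal-web code, that decodes a token's payload and performs that comparison, handling both shapes RFC 7519 allows for aud (a single string or an array). The token it uses is constructed inline with a placeholder signature, and, since the check is purely diagnostic, it deliberately does not verify the signature; the web server must still do that against the issuer's JWKS before trusting any claim. The helper names (inspect, matchesConfig, sampleToken) are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenInfo holds the two claims that must agree with the web UI's provider
// config: iss with `issuer`, and one entry of aud with `audience`.
type tokenInfo struct {
	Issuer    string
	Audiences []string
}

// inspect decodes the payload of a compact JWS and returns its iss and aud
// claims. RFC 7519 lets aud be a single string or an array of strings, so
// both are accepted. The signature is NOT verified here: this is a config
// diagnostic, not an authentication step.
func inspect(token string) (tokenInfo, error) {
	var info tokenInfo
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return info, errors.New("not a compact JWS (expected header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return info, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Iss string          `json:"iss"`
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return info, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	info.Issuer = claims.Iss
	if len(claims.Aud) == 0 {
		return info, nil // no aud claim at all
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		info.Audiences = []string{single}
		return info, nil
	}
	if err := json.Unmarshal(claims.Aud, &info.Audiences); err != nil {
		return info, fmt.Errorf("aud is neither a string nor an array of strings: %w", err)
	}
	return info, nil
}

// matchesConfig reports whether the token's iss equals the configured issuer
// and its aud contains the configured audience. An empty configured audience
// skips the aud check, mirroring "audience ... (optional)" in config.yml.
func matchesConfig(token, issuer, audience string) (bool, error) {
	info, err := inspect(token)
	if err != nil {
		return false, err
	}
	if info.Issuer != issuer {
		return false, nil
	}
	if audience == "" {
		return true, nil
	}
	for _, a := range info.Audiences {
		if a == audience {
			return true, nil
		}
	}
	return false, nil
}

// sampleToken builds a constructed token for demonstration only: the header
// claims RS256 but the third segment is a placeholder, so any real verifier
// would (correctly) reject it.
func sampleToken(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	// Values from the thread's config.yml; the token itself is constructed.
	const issuer = "https://localhost:9443/oauth2/token"
	tok := sampleToken(map[string]any{"iss": issuer, "aud": []string{"temporal"}, "sub": "marco"})
	ok, err := matchesConfig(tok, issuer, "temporal")
	fmt.Printf("token matches config: %v (err=%v)\n", ok, err)
}
```

Run this against a real token copied from the wso2is token response: if aud comes back as the OAuth client_id rather than temporal, either the audience line in config.yml has to change or the service provider in WSO2 IS has to be configured to emit that audience, as Ruslan suggested.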