JWT token and mTLS switching

Hi guys,
I implemented a custom authorizer and claim mapper in order to manage the incoming calls through JWT tokens.

I want to cover the following scenarios:

  1. a request from tctl should be driven by JWT without a TLS connection (U2A)
  2. a request from a worker will be by TLS (A2A)

In my claim mapper I would cover the following cases:

if authInfo.AuthToken == "" && authInfo.TLSConnection != nil {
    // A2A
}
if authInfo.AuthToken != "" && authInfo.TLSConnection == nil {
    // U2A
}
if authInfo.AuthToken == "" && authInfo.TLSConnection == nil {
    // Deny
}

I was not able to drive this scenario:
Setting requireClientAuth: false seems to disable the call to my authorizer.
Setting requireClientAuth: true seems to block any incoming call from tctl (with JWT and no mTLS).

Is this scenario covered?
Probably I am missing something in the configuration.

Great thanks for your support
Regards
Marco
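A self-contained Go sketch of the three-way switch described in this post (an added example, not Marco's code and not Temporal's own authorization package). It assumes local stand-ins for authorization.AuthInfo, Claims and the role constants, an HS256 token signed with a constructed key in place of the real identity provider, and a "Bearer " prefix on the header value. Two points deliberately differ from the pseudocode above: a TLS connection counts as A2A only when the server has actually verified a client certificate (VerifiedChains is populated), because a TLS session negotiated without a client certificate still carries a non-nil ConnectionState; and a request that presents both a token and a client certificate is denied rather than silently classified one way or the other.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Role is a local stand-in (assumption) for the role levels of Temporal's authorization package.
type Role int

const (
	RoleUndefined Role = iota
	RoleWorker
	RoleAdmin
)

// AuthInfo mirrors the two fields the switch relies on (field names are an assumption).
type AuthInfo struct {
	AuthToken     string               // value of the "authorization" header, "" if absent
	TLSConnection *tls.ConnectionState // nil when the client did not negotiate TLS
}

// Claims is a local stand-in for authorization.Claims.
type Claims struct {
	Subject string
	System  Role
}

// ClaimMapper holds the constructed HMAC key used to check U2A tokens.
type ClaimMapper struct{ JWTKey []byte }

var ErrDenied = errors.New("no usable credential")

// GetClaims dispatches on the credential actually present: a verified client
// certificate (A2A), a bearer token (U2A), both (denied), or neither (denied).
func (m *ClaimMapper) GetClaims(info *AuthInfo) (*Claims, error) {
	hasToken := info.AuthToken != ""
	hasCert := info.TLSConnection != nil && len(info.TLSConnection.VerifiedChains) > 0
	switch {
	case hasCert && !hasToken: // A2A: worker identity comes from the verified leaf certificate
		leaf := info.TLSConnection.VerifiedChains[0][0]
		return &Claims{Subject: leaf.Subject.CommonName, System: RoleWorker}, nil
	case hasToken && !hasCert: // U2A: tctl identity comes from the token's "sub"
		sub, err := m.verifyJWT(info.AuthToken)
		if err != nil {
			return nil, err
		}
		return &Claims{Subject: sub, System: RoleAdmin}, nil
	case hasToken && hasCert:
		return nil, fmt.Errorf("%w: both token and client certificate presented", ErrDenied)
	default:
		return nil, ErrDenied
	}
}

// verifyJWT checks an HS256 compact token and returns its subject.
func (m *ClaimMapper) verifyJWT(token string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(token, "Bearer "), ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "HS256" {
		return "", errors.New("unsupported or malformed header") // never trust alg other than the one we expect
	}
	mac := hmac.New(sha256.New, m.JWTKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	var body struct{ Sub string `json:"sub"` }
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &body) != nil || body.Sub == "" {
		return "", errors.New("malformed payload")
	}
	return body.Sub, nil
}

// signJWT mints a sample HS256 token; in a real deployment the identity provider does this.
func signJWT(key []byte, subject string) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + enc(map[string]string{"sub": subject})
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signing))
	return signing + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// workerConn constructs the TLS state the frontend holds after verifying a worker certificate.
func workerConn(cn string) *tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}, VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	m := &ClaimMapper{JWTKey: []byte("constructed-demo-key")}
	for name, info := range map[string]*AuthInfo{
		"worker mTLS":  {TLSConnection: workerConn("worker-1")},
		"tctl JWT":     {AuthToken: "Bearer " + signJWT(m.JWTKey, "marco")},
		"TLS, no cert": {TLSConnection: &tls.ConnectionState{}},
		"nothing":      {},
	} {
		c, err := m.GetClaims(info)
		fmt.Printf("%-12s -> claims=%+v err=%v\n", name, c, err)
	}
}
```

The "TLS, no cert" case is the one the original nil check would have let through as A2A; with the hostOverrides approach suggested later in this thread, that is exactly the shape of a tctl connection, so the mapper must not treat it as a worker.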

Hi Marco,

Can you share the configuration you are using?

Looking at the code, I see that regardless of the TLS config options, if “authorization” header is present, ClaimMapper should be called here; and so long at an authorizer is set, it should be called here.

Are you 100% positive your authorizer isn’t getting called at all?

Hi,
this is my current configuration:

    tls:
        refreshInterval: 0s
        expirationChecks:
            warningWindow: 0s
            errorWindow: 0s
            checkInterval: 0s
        internode:
            # This server section configures the TLS certificate that internal temporal
            # cluster nodes (history or matching) present to other clients within the Temporal Cluster.
            server:
                requireClientAuth: false

                certFile: /test/server/certs/cluster.pem
                keyFile: /test/server/certs/cluster.key
                clientCaFiles:
                    - /test/server/certs/ca.cert

                certData:
                keyData:

            # This client section is used to configure the TLS clients within
            # the Temporal Cluster that connect to an Internode (history or matching)
            client:
                serverName: tls-sample
                disableHostVerification: true
                rootCaFiles:
                    - /test/server/certs/ca.cert
        frontend:
            # This server section configures the TLS certificate that the Frontend
            # server presents to all clients (specifically the Worker role within
            # the Temporal Cluster and all External SDKs connecting to the Cluster)
            server:
                requireClientAuth: true
                certFile: /test/server/certs/cluster.pem
                keyFile: /test/server/certs/cluster.key
                clientCaFiles:
                    - /test/server/certs/ca.cert

                certData:
                keyData:

            # This client section is used to configure the TLS clients within
            # the Temporal Cluster (specifically the Worker role) that connect to the Frontend service
            client:
                serverName: tls-sample
                disableHostVerification: false
                rootCaFiles:
                    - /test/server/certs/ca.cert

I would implement the following two cases:

  1. connection with worker (A2A) → use mTLS with no JWT
  2. connection with tctl (U2A) → use only JWT without mTLS

When I use tctl with no certs, I observe that the request is blocked and the GetClaims code is not reached (it seems that "requireClientAuth: true" sets "tls.RequireAndVerifyClientCert", so only a client with a valid certificate is accepted).

Otherwise, if I set "requireClientAuth: false", no certificate is taken into consideration, and so I cannot implement "case 1".

Thanks
Regards

I wonder if the following will work for you.

Leave

frontend:
            server:
                requireClientAuth: true

for the worker to be authenticated with mTLS (case 1).

Add (within the same frontend section)

frontend:
            hostOverrides:
                <some host name>:
                       requireClientAuth: false

for tctl access with JWT and set the host name via the --tls_server_name=<some host name> flag.

Thanks a lot for your reply.
I tried the scenario you suggested and all works fine.

Regards
Marco
