Problem configuring SSO with keycloak

I’m configuring my web authentication with keycloak and I’m getting the error below in pod temporal-web:

2024/04/05 23:08:59 Loading config; env=docker,configDir=config
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 404 Not Found: {"error":"HTTP 404 Not Found"}

My configuration is:

  - name: TEMPORAL_AUTH_ENABLED
    value: 'true'
  - name: TEMPORAL_AUTH_PROVIDER_URL
    value: 'https://xxxxx/openid-configuration'
  - name: TEMPORAL_AUTH_ISSUER_URL
    value: 'https://xxxxx/auth/realms/master'
  - name: TEMPORAL_AUTH_CLIENT_ID
    value: 'xxxxx'
  - name: TEMPORAL_AUTH_CLIENT_SECRET
    value: 'xxxxxxxxxxxx'
  - name: TEMPORAL_AUTH_CALLBACK_URL
    value: 'https://xxxxxxxx/auth/sso_callback'
  - name: TEMPORAL_OPENAPI_ENABLED
    value: 'true'
  - name: TEMPORAL_UI_ENABLED
    value: 'true'
  - name: TEMPORAL_NOTIFY_ON_NEW_VERSION
    value: 'false'
  - name: TEMPORAL_DEFAULT_NAMESPACE
    value: 'default'
  - name: TEMPORAL_UI_PORT
    value: '8080'

Any suggestion?

Hi, did you ever find resolution for this?

Not yet!

Can you help?

@renatovieira.altbank sorry for the delay, here is what worked:

- name: TEMPORAL_AUTH_ENABLED
  value: "true"
- name: TEMPORAL_AUTH_PROVIDER_URL
  value: https://keycloak/realms/$REALM/protocol/openid-connect
- name: TEMPORAL_AUTH_ISSUER_URL
  value: https://keycloak/realms/$REALM
- name: TEMPORAL_AUTH_CLIENT_ID
  value: temporal-ui
- name: TEMPORAL_AUTH_CLIENT_SECRET
  value: secret-here-please
- name: TEMPORAL_AUTH_CALLBACK_URL
  value: https://your-temporal-ui-hostname/auth/sso/callback
1 Like

Oh man… I am losing my mind re-checking and trying to figure out why this config doesn’t seem to work for me. Any special configs for the client on Keycloak’s side?

@renatovieira.altbank , did this work for you?

Here is what worked for me:

TEMPORAL_AUTH_ENABLED=true
TEMPORAL_AUTH_PROVIDER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_ISSUER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_CLIENT_ID=temporal-ui
TEMPORAL_AUTH_CLIENT_SECRET=client-secret-here
TEMPORAL_AUTH_CALLBACK_URL=https://temporal/auth/sso/callback
TEMPORAL_AUTH_SCOPES=openid,profile,email

I have no idea if this is due to some change in behavior with newer Keycloak versions, but as you can see providing only the realm URL in both provider and issuer variables does the trick?

Hopefully this helps someone.

3 Likes

Hi @Galo

What version are you on?

Hey guys, I’m also seeing the same issue. I’ve tried both Galo’s and elan’s env var setup and still seeing this error in the web pod’s logs:
Keycloak version: 26.4.0

2025/11/05 15:26:27 Loading config; env=docker,configDir=config
2025/11/05 15:26:27 Loading config files=[config/docker.yaml]
2025/11/05 15:26:27 Loading config; env=docker,configDir=config
2025/11/05 15:26:27 Loading config files=[config/docker.yaml]
2025/11/05 15:26:28 404 Not Found: Resource not found

Here’s my config:

web:
  enabled: true
  additionalEnv:
    - name: TEMPORAL_AUTH_ENABLED
      value: "true"
    - name: TEMPORAL_AUTH_PROVIDER_URL
      value: "https://keycloak.${domain_name}/realms/${realm}"
    - name: TEMPORAL_AUTH_ISSUER_URL
      value: "https://keycloak.${domain_name}/realms/${realm}"
    - name: TEMPORAL_AUTH_CLIENT_ID
      value: "temporal-oauth"
    - name: TEMPORAL_AUTH_CALLBACK_URL
      value: "https://temporal-ui.${domain_name}/auth/sso/callback"
    - name: TEMPORAL_AUTH_SCOPES
      value: "openid,profile,email"
  additionalEnvSecretName: "keycloak-oauth-custom"

And sure enough, just after hitting the Reply button, the solution dropped in my lap:

web:
  enabled: true
  additionalEnv:
    - name: TEMPORAL_AUTH_ENABLED
      value: "true"
    - name: TEMPORAL_AUTH_PROVIDER_URL
      value: "https://keycloak.${domain_name}/auth/realms/${realm}"
    - name: TEMPORAL_AUTH_ISSUER_URL
      value: "https://keycloak.${domain_name}/auth/realms/${realm}"
    - name: TEMPORAL_AUTH_CLIENT_ID
      value: "temporal-oauth"
    - name: TEMPORAL_AUTH_CALLBACK_URL
      value: "https://temporal-ui.${domain_name}/auth/sso/callback"
    - name: TEMPORAL_AUTH_SCOPES
      value: "openid,profile,email"
  additionalEnvSecretName: "keycloak-oauth-custom"

Notice the auth in the keycloak URL paths. Doooooh!

1 Like
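The two working configurations in this thread share one property: TEMPORAL_AUTH_PROVIDER_URL is the bare realm (issuer) base, with or without the legacy /auth prefix depending on the Keycloak version, and not a path ending in /openid-configuration or /protocol/openid-connect. Standard OIDC discovery appends /.well-known/openid-configuration to the provider URL and then requires the issuer field in the returned document to match the configured issuer exactly, which is why a wrong base shows up as a bare 404 in the web pod logs. The following pre-flight checker is an added example written for this thread; it is not code from the Temporal project or from any poster. It takes the TEMPORAL_AUTH_* variables as a dict, fetches the discovery document from the provider URL, and reports the mistakes seen above (wrong provider suffix, issuer mismatch, typographic quotes left in YAML values, unexpanded $REALM placeholders, a callback path other than /auth/sso/callback, a scope list without openid). The hostnames under example.test, the fake_keycloak_fetch stub and the sample env dicts are constructed for offline use; point check_oidc_env at the default http_get_json to run it against a live Keycloak.

```python
"""Pre-flight check for Temporal Web UI OIDC settings against Keycloak.

Added example for the forum thread above; not part of Temporal or Keycloak.
Assumes the UI server performs standard OIDC discovery against
TEMPORAL_AUTH_PROVIDER_URL + /.well-known/openid-configuration.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
CALLBACK_PATH = "/auth/sso/callback"  # path used by the working configs in the thread
# Suffixes that must NOT be on the provider URL (all seen in the thread).
BAD_PROVIDER_SUFFIXES = (DISCOVERY_SUFFIX, "/openid-configuration", "/protocol/openid-connect")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # YAML keeps these inside the value


def http_get_json(url, timeout=5):
    """Real fetcher: GET url and parse JSON; raises HTTPError on 404."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_oidc_env(env, fetch=http_get_json):
    """Return a list of problems found in the TEMPORAL_AUTH_* settings.

    env:   dict of variable name -> string value.
    fetch: callable(url) -> dict; must raise on HTTP errors.
    An empty list means the settings pass every check.
    """
    problems = []
    for name, value in env.items():
        if any(q in value for q in CURLY_QUOTES):
            problems.append(f"{name}: contains typographic quotes; the env value will include them")
        if "$" in value:
            problems.append(f"{name}: contains an unexpanded placeholder ({value})")

    provider = env.get("TEMPORAL_AUTH_PROVIDER_URL", "").rstrip("/")
    issuer = env.get("TEMPORAL_AUTH_ISSUER_URL", "").rstrip("/")
    callback = env.get("TEMPORAL_AUTH_CALLBACK_URL", "")
    scopes = [s.strip() for s in env.get("TEMPORAL_AUTH_SCOPES", "openid").split(",")]

    if not provider:
        problems.append("TEMPORAL_AUTH_PROVIDER_URL is not set")
        return problems
    for suffix in BAD_PROVIDER_SUFFIXES:
        if provider.endswith(suffix):
            problems.append(f"TEMPORAL_AUTH_PROVIDER_URL ends with '{suffix}'; use the realm base URL only")
            break
    if urlparse(provider).scheme != "https":
        problems.append("TEMPORAL_AUTH_PROVIDER_URL is not https; the client secret and tokens would travel in clear")

    discovery_url = provider + DISCOVERY_SUFFIX
    try:
        doc = fetch(discovery_url)
    except Exception as exc:  # HTTPError (404) or network failure
        problems.append(f"discovery document not found at {discovery_url}: {exc}")
        return problems

    # OIDC Discovery requires the advertised issuer to equal the configured one exactly.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: discovery says {doc.get('issuer')!r}, env says {issuer!r}")
    if "openid" not in scopes:
        problems.append("TEMPORAL_AUTH_SCOPES must include 'openid'")
    cb = urlparse(callback)
    if cb.scheme != "https" or cb.path != CALLBACK_PATH:
        problems.append(f"TEMPORAL_AUTH_CALLBACK_URL should be https://<ui-host>{CALLBACK_PATH}")
    return problems


# ---- constructed offline stand-in for a Keycloak realm (not a real server) ----
FAKE_ISSUER = "https://keycloak.example.test/realms/demo"


def fake_keycloak_fetch(url):
    """Serve a minimal discovery document for FAKE_ISSUER only; 404 elsewhere."""
    if url == FAKE_ISSUER + DISCOVERY_SUFFIX:
        return {"issuer": FAKE_ISSUER, "authorization_endpoint": FAKE_ISSUER + "/protocol/openid-connect/auth"}
    raise urllib.error.HTTPError(url, 404, "Not Found", None, None)


# Shape of the configs that worked in the thread (values constructed).
GOOD_ENV = {
    "TEMPORAL_AUTH_ENABLED": "true",
    "TEMPORAL_AUTH_PROVIDER_URL": FAKE_ISSUER,
    "TEMPORAL_AUTH_ISSUER_URL": FAKE_ISSUER,
    "TEMPORAL_AUTH_CLIENT_ID": "temporal-ui",
    "TEMPORAL_AUTH_CLIENT_SECRET": "constructed-secret",
    "TEMPORAL_AUTH_CALLBACK_URL": "https://temporal-ui.example.test" + CALLBACK_PATH,
    "TEMPORAL_AUTH_SCOPES": "openid,profile,email",
}

# Shape of the original poster's config: provider URL ends in /openid-configuration.
BAD_ENV = dict(GOOD_ENV, TEMPORAL_AUTH_PROVIDER_URL=FAKE_ISSUER + "/openid-configuration",
               TEMPORAL_AUTH_ENABLED="\u201ctrue\u201d")

if __name__ == "__main__":
    for label, env in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(label, check_oidc_env(env, fake_keycloak_fetch) or "OK")
```

With the bad dict the checker reports the curly-quoted value, the stray suffix and the 404 on the discovery URL, which is the same failure the web pod logs show; with the good dict it returns an empty list.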

you are welcome :winking_face_with_tongue: