Problem configuring SSO with keycloak

I’m configuring my web authentication with keycloak and I’m getting the error below in pod temporal-web:

2024/04/05 23:08:59 Loading config; env=docker,configDir=config
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 404 Not Found: {"error":"HTTP 404 Not Found"}

my configuration is:

  - name: TEMPORAL_AUTH_ENABLED
    value: 'true'
  - name: TEMPORAL_AUTH_PROVIDER_URL
    value: 'https://xxxxx/openid-configuration'
  - name: TEMPORAL_AUTH_ISSUER_URL
    value: 'https://xxxxx/auth/realms/master'
  - name: TEMPORAL_AUTH_CLIENT_ID
    value: 'xxxxx'
  - name: TEMPORAL_AUTH_CLIENT_SECRET
    value: 'xxxxxxxxxxxx'
  - name: TEMPORAL_AUTH_CALLBACK_URL
    value: 'https://xxxxxxxx/auth/sso_callback'
  - name: TEMPORAL_OPENAPI_ENABLED
    value: 'true'
  - name: TEMPORAL_UI_ENABLED
    value: 'true'
  - name: TEMPORAL_NOTIFY_ON_NEW_VERSION
    value: 'false'
  - name: TEMPORAL_DEFAULT_NAMESPACE
    value: 'default'
  - name: TEMPORAL_UI_PORT
    value: '8080'

Any suggestions?

Hi, did you ever find resolution for this?

Not yet!

Can you help?

@renatovieira.altbank sorry for the delay, here is what worked:

- name: TEMPORAL_AUTH_ENABLED
  value: "true"
- name: TEMPORAL_AUTH_PROVIDER_URL
  value: https://keycloak/realms/$REALM/protocol/openid-connect
- name: TEMPORAL_AUTH_ISSUER_URL
  value: https://keycloak/realms/$REALM
- name: TEMPORAL_AUTH_CLIENT_ID
  value: temporal-ui
- name: TEMPORAL_AUTH_CLIENT_SECRET
  value: secret-here-please
- name: TEMPORAL_AUTH_CALLBACK_URL
  value: https://your-temporal-ui-hostname/auth/sso/callback

Oh man… I am losing my mind re-checking and trying to figure out why this config doesn’t seem to work for me. Any special configs for the client on Keycloak’s side?

@renatovieira.altbank , did this work for you?

Here is what worked for me:

TEMPORAL_AUTH_ENABLED=true
TEMPORAL_AUTH_PROVIDER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_ISSUER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_CLIENT_ID=temporal-ui
TEMPORAL_AUTH_CLIENT_SECRET=client-secret-here
TEMPORAL_AUTH_CALLBACK_URL=https://temporal/auth/sso/callback
TEMPORAL_AUTH_SCOPES=openid,profile,email

I have no idea if this is due to some change in behavior with newer Keycloak versions, but as you can see providing only the realm URL in both provider and issuer variables does the trick?

Hopefully this helps someone.

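A way to check settings like the two working configs above before restarting the pod, as an added example that is not code from Temporal or from anyone in this thread. It applies the OpenID Connect Discovery rule that the discovery document is served at the provider URL plus /.well-known/openid-configuration and that its "issuer" field must equal the configured issuer URL, which is why provider and issuer both set to the bare realm URL (the last reply) pass, while a provider URL that already ends in openid-configuration (the opening post) can only 404. The first reply's variant with the /protocol/openid-connect suffix is reported as a provider/issuer mismatch by this check; the thread does not settle which UI versions accept it. Hostnames, the realm name "demo", the env dicts and the sample discovery document are all constructed for the example; the callback-path check follows the /auth/sso/callback form used in both working replies.

```python
"""Consistency check for Temporal UI OIDC env settings against the provider's discovery document.

Added example (not Temporal's or the forum posters' code). Hostnames, realm name
and SAMPLE_DISCOVERY are constructed so the script runs offline.
"""
import json
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed, trimmed stand-in for what Keycloak serves at
# https://keycloak.example/realms/demo/.well-known/openid-configuration
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example/realms/demo",
    "authorization_endpoint": "https://keycloak.example/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.example/realms/demo/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
}


def discovery_url(provider_url: str) -> str:
    """Where an OIDC discovery client looks, given TEMPORAL_AUTH_PROVIDER_URL."""
    return provider_url.rstrip("/") + WELL_KNOWN


def fetch_json(url: str, timeout: float = 5.0) -> dict:
    """Live fetch; swap in sample_fetch below to run offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def sample_fetch(url: str) -> dict:
    """Offline stand-in for fetch_json that only knows the constructed document."""
    if url == discovery_url(SAMPLE_DISCOVERY["issuer"]):
        return SAMPLE_DISCOVERY
    raise RuntimeError("HTTP 404 Not Found")


def check_oidc_config(env: dict, fetch=fetch_json) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    provider = env.get("TEMPORAL_AUTH_PROVIDER_URL", "")
    issuer = env.get("TEMPORAL_AUTH_ISSUER_URL", "")
    callback = env.get("TEMPORAL_AUTH_CALLBACK_URL", "")
    scopes = [s for s in env.get("TEMPORAL_AUTH_SCOPES", "openid").split(",") if s]

    # Static checks on the env values alone.
    if provider.endswith("openid-configuration"):
        problems.append("PROVIDER_URL already ends in openid-configuration; a discovery client "
                        "appends " + WELL_KNOWN + " itself, so that request 404s")
    if provider.rstrip("/") != issuer.rstrip("/"):
        problems.append("PROVIDER_URL and ISSUER_URL differ; discovery is rooted at the issuer URL")
    if not callback.endswith("/auth/sso/callback"):
        problems.append("CALLBACK_URL should end in /auth/sso/callback (form used by the working configs)")

    # Dynamic checks against the discovery document.
    try:
        doc = fetch(discovery_url(provider))
    except Exception as exc:  # HTTP 404, DNS failure, bad JSON ...
        problems.append("discovery fetch failed at %s: %s" % (discovery_url(provider), exc))
        return problems

    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append("issuer mismatch: document says %r, config says %r" % (doc.get("issuer"), issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("discovery document lacks " + key)
    unsupported = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if unsupported:
        problems.append("scopes not advertised by the provider: %r" % unsupported)
    return problems


# Constructed env dicts shaped like the opening post and like the last working reply.
BROKEN_ENV = {
    "TEMPORAL_AUTH_PROVIDER_URL": "https://keycloak.example/openid-configuration",
    "TEMPORAL_AUTH_ISSUER_URL": "https://keycloak.example/realms/demo",
    "TEMPORAL_AUTH_CALLBACK_URL": "https://ui.example/auth/sso_callback",
}
WORKING_ENV = {
    "TEMPORAL_AUTH_PROVIDER_URL": "https://keycloak.example/realms/demo",
    "TEMPORAL_AUTH_ISSUER_URL": "https://keycloak.example/realms/demo",
    "TEMPORAL_AUTH_CALLBACK_URL": "https://ui.example/auth/sso/callback",
    "TEMPORAL_AUTH_SCOPES": "openid,profile,email",
}

if __name__ == "__main__":
    for name, env in (("broken", BROKEN_ENV), ("working", WORKING_ENV)):
        print(name, check_oidc_config(env, fetch=sample_fetch) or "OK")
```

Against a real deployment, call check_oidc_config with the pod's env and the default fetch_json; the first item in the returned list is usually the one behind a "404 Not Found" at startup.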

Hi @Galo

What version are you on?