I’m configuring my web authentication with keycloak and I’m getting the error below in pod temporal-web:
2024/04/05 23:08:59 Loading config; env=docker,configDir=config
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 Loading config files=[config/docker.yaml]
2024/04/05 23:08:59 404 Not Found: {"error":"HTTP 404 Not Found"}
my configuration is:
- name: TEMPORAL_AUTH_ENABLED
value: 'true'
- name: TEMPORAL_AUTH_PROVIDER_URL
value: 'https://xxxxx/openid-configuration'
- name: TEMPORAL_AUTH_ISSUER_URL
value: 'https://xxxxx/auth/realms/master'
- name: TEMPORAL_AUTH_CLIENT_ID
value: 'xxxxx'
- name: TEMPORAL_AUTH_CLIENT_SECRET
value: 'xxxxxxxxxxxx'
- name: TEMPORAL_AUTH_CALLBACK_URL
value: 'https://xxxxxxxx/auth/sso_callback'
- name: TEMPORAL_OPENAPI_ENABLED
value: 'true'
- name: TEMPORAL_UI_ENABLED
value: 'true'
- name: TEMPORAL_NOTIFY_ON_NEW_VERSION
value: 'false'
- name: TEMPORAL_DEFAULT_NAMESPACE
value: 'default'
- name: TEMPORAL_UI_PORT
value: '8080'
any suggestion
elan
April 10, 2024, 10:32pm
2
Hi, did you ever find resolution for this?
elan
May 3, 2024, 12:08am
4
@renatovieira.altbank sorry for the delay, here is what worked:
- name: TEMPORAL_AUTH_ENABLED
value: "true"
- name: TEMPORAL_AUTH_PROVIDER_URL
value: https://keycloak/realms/$REALM/protocol/openid-connect
- name: TEMPORAL_AUTH_ISSUER_URL
value: https://keycloak/realms/$REALM
- name: TEMPORAL_AUTH_CLIENT_ID
value: temporal-ui
- name: TEMPORAL_AUTH_CLIENT_SECRET
value: secret-here-please
- name: TEMPORAL_AUTH_CALLBACK_URL
value: https://your-temporal-ui-hostname/auth/sso/callback
1 Like
Galo
August 20, 2024, 3:55pm
5
Oh man… I am losing my mind re-checking and trying to figure out why this config doesn’t seem to work for me. Any special configs for the client on Keycloak’s side?
@renatovieira.altbank , did this work for you?
Galo
August 21, 2024, 2:17am
6
Here is what worked for me:
TEMPORAL_AUTH_ENABLED=true
TEMPORAL_AUTH_PROVIDER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_ISSUER_URL=https://keycloak/realms/$REALM
TEMPORAL_AUTH_CLIENT_ID=temporal-ui
TEMPORAL_AUTH_CLIENT_SECRET=client-secret-here
TEMPORAL_AUTH_CALLBACK_URL=https://temporal/auth/sso/callback
TEMPORAL_AUTH_SCOPES=openid,profile,email
I have no idea if this is due to some change in behavior with newer Keycloak versions, but as you can see providing only the realm URL in both provider and issuer variables does the trick?
Hopefully this helps someone.
1 Like