Propagating credentials to microservices

I’ve found information on authorizing calls to the Temporal server and workers. It looks like mTLS is a good way to handle that. What I’m looking for guidance on is how to handle credentials specific to the micro-services called by Activities.

We have many gRPC services and an ACL system to authorize various operations. There are frontend or gateway endpoints that external callers access. These calls have JWTs from various authorization servers in the Authorization header that identity the security context of the caller.

This needs to be attached to start workflow requests so Workflows can pass them on to Activities which will make the gRPC requests. The permission checking is complex and we don’t want to move it from the micro-services.

For my proof of concept I just added a token parameter to every workflow and activity API but that doesn’t feel DRY and maybe not secure. Is there a best practice or recommendations on handling this? Any guidance will be appreciated.

I’m working with the Java SDK.

1 Like

You can create a custom ContextPropagator or use interceptors to propagate the custom security context.

1 Like