Hello!
My task is to ensure that temporal-ui is accessible only to one user with the email landroverstudio@gmail.com.
I tried the following configuration in docker-compose.yml:
  temporal-ui:
    image: temporalio/ui:2.20.0
    container_name: "moysklad-py-v1_temporal-ui"
    restart: unless-stopped
    environment:
      - TEMPORAL_ADDRESS=temporal:7233
      - TEMPORAL_CORS_ORIGINS=http://localhost:8088
      - TEMPORAL_AUTH_ENABLED=true
      - TEMPORAL_UI_AUTH_REQUIRED=true
      - TEMPORAL_AUTH_PROVIDER_URL=https://accounts.google.com
      - TEMPORAL_AUTH_ISSUER_URL=https://accounts.google.com
      - TEMPORAL_AUTH_CLIENT_ID=${TEMPORAL_AUTH_CLIENT_ID}
      - TEMPORAL_AUTH_CLIENT_SECRET=${TEMPORAL_AUTH_CLIENT_SECRET}
      - TEMPORAL_AUTH_CALLBACK_URL=http://localhost:8088/auth/sso/callback
      - TEMPORAL_AUTH_SCOPES=openid profile email
      - TEMPORAL_UI_AUTH_ALLOWED_EMAILS=landroverstudio@gmail.com
    ports:
      - "8088:8080"
    depends_on:
      - temporal
    networks:
      - app
With this configuration, when trying to log in with a different user, it indeed returns to the login page with an “unauthorized” error.
But! If after a failed login I navigate to the workflow page (http://localhost:8088/namespaces/default/workflows), it allows access there. The expected behavior is to return to the login page with an “unauthorized” error.
I tried changing the version to temporalio/ui:2.36.0, but in that case, it doesn’t even return to the page with “unauthorized” during login, but simply allows any authenticated user inside.
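A small regression check for the behaviour reported above, added here as an example and not part of the original post or of the Temporal project: it requests the protected workflows page without a session (and with a throwaway cookie) and reports whether the UI blocks the request or serves the page. The base URL and path come from the compose file above; the cookie value is an arbitrary constructed placeholder, and no redirect is followed so the login redirect can be inspected.

```python
"""Check whether the Temporal UI still gates /namespaces/<ns>/workflows behind SSO."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Taken from the docker-compose snippet above; adjust for your deployment.
UI_BASE = "http://localhost:8088"
PROTECTED_PATH = "/namespaces/default/workflows"


@dataclass
class Probe:
    status: int
    location: Optional[str]  # Location header on a redirect, else None


def is_enforced(probe: Probe) -> bool:
    """True when an anonymous request is blocked: 401/403, or a redirect that
    does not simply land back on the protected page itself."""
    if probe.status in (401, 403):
        return True
    if probe.status in (301, 302, 303, 307, 308):
        return PROTECTED_PATH not in (probe.location or "")  # e.g. sent to login
    return False  # 200 (or anything else) means the page was served


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def fetch(base_url: str, path: str, cookie: Optional[str] = None) -> Probe:
    """GET base_url+path with no session (or the given cookie); never follow redirects."""
    req = urllib.request.Request(base_url + path, headers={"Accept": "text/html"})
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return Probe(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.headers.get("Location"))


if __name__ == "__main__":
    # "session=invalid" is a constructed placeholder, not the UI's real cookie name.
    for label, cookie in [("anonymous", None), ("bogus session", "session=invalid")]:
        p = fetch(UI_BASE, PROTECTED_PATH, cookie)
        verdict = "enforced" if is_enforced(p) else "NOT ENFORCED"
        print(f"{label:13s} -> {p.status} {p.location or ''} : {verdict}")
```

Run it once against 2.20.0 and once after the upgrade to 2.36.0: a "NOT ENFORCED" verdict on the unauthenticated request is the bypass described in the post, reproduced without a browser.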