Hi,
I was hoping for some insight in an issue I’ve been facing with getting SSO enabled and working for temporal. I’ve got a temporal service running locally setup with mTLS and the relevant Auth options, however I get a strange error when attempting to login:
"Authorization error","error":"RSA key not found for key ID: 3PaK4EfyBNQu3CtjYsa3YmhQ5E0"
Checking the JWKS URI that I set (https://login.microsoftonline.com/common/discovery/v2.0/keys), I can see the RSA key there, so I’m not sure why it is unable to retrieve the value.
Any ideas?
For additional context, here are the relevant properties set in my docker compose:
- TEMPORAL_AUTH_AUTHORIZER=default
- TEMPORAL_AUTH_CLAIM_MAPPER=default
- TEMPORAL_JWT_PERMISSIONS_CLAIM=roles
- TEMPORAL_JWT_KEY_SOURCE1=https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
- TEMPORAL_JWT_KEY_REFRESH=30m
Help would be greatly appreciated.
I managed to figure out why it couldn’t find the RSA key.
When updating the keys, it failed to reach the JWKS URI due to our proxy. Updating the trusted certs resolved that issue.
I also then realised I had incorrectly named my roles “system:read” instead of “temporal-system:read” and that seems to have done the trick for me.