To allow or deny a user to perform a certain operation, such as terminating a workflow, you will need to:

- Configure user permissions in your auth provider. Typically you would give permissions to users, for example `read:my-namespace` if you want them to have read access but not perform Terminate and other “write” operations (you can have your own pattern for the permission naming).
- Secure Temporal server endpoints:
  - In addition to the security documentation, some additional notes here from @SergeyBykov: How to do workflow api authentication using jwt in java, please help me on this.i need required code changes for client ad server side for this? - #4 by SergeyBykov
  - Your Temporal server authorizer plugin needs to return a decision to either allow or deny the user request based on the permissions that you gave to the user (permissions are passed as part of the JWT token to the server). You can look into the defaultClaimMapper and defaultAuthorizer as examples; they might even work to cover your case so you don’t have to write your own claim mapper and authorizer.
- Once the Web UI’s OIDC is configured (OIDC is enabled, client_id and the other OIDC params are passed) and a user is authenticated, the Web UI will start passing the JWT token with each request to your Temporal server. This is when the claim mapper and authorizer plugins will process the JWT token and make a decision.

As for Active Directory and OIDC, I haven’t personally tried using it with the Temporal Web UI, though I have seen a few docs: Issue in Enabling SSO for Web - #10 by Ruslan

Let me know if this answers some of your questions and helps to understand how the OIDC integration works.
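The claim-mapper and authorizer decision described in the answer above, as an added example that is not part of the post and not Temporal's own code. It assumes the post's `read:my-namespace` naming pattern (the bundled default claim mapper reads its permission strings in the opposite order, `<namespace>:<role>`), uses local stand-in types in place of the real `ClaimMapper`/`Authorizer` interfaces from go.temporal.io/server/common/authorization so that it builds without the server module, passes bare method names where the real server passes full gRPC method paths, and takes the JWT's `permissions` claim as already extracted from a signature-verified token. The list of read-only APIs and the `temporal-system` scope name are illustrative choices, not the server's.

```go
// Added example, not code from the post or the Temporal project: local stand-ins
// shaped like the interfaces in go.temporal.io/server/common/authorization.
package main

import (
	"fmt"
	"strings"
)

// Role is an access level; a higher role implies every lower one.
type Role int
const (
	RoleUndefined Role = iota
	RoleReader
	RoleWriter
	RoleAdmin
)

// Claims is what the claim mapper hands to the authorizer. Cluster-wide grants
// live under systemScope (the real Claims keeps them in a separate System field).
type Claims struct {
	Subject    string
	Namespaces map[string]Role
}

// CallTarget is the request being authorized (bare method name, not the full gRPC path).
type CallTarget struct {
	APIName   string
	Namespace string
}

type Decision string

const (
	DecisionDeny  Decision = "deny"
	DecisionAllow Decision = "allow"
)

const systemScope = "temporal-system" // assumed scope name for cluster-wide grants

var verbRoles = map[string]Role{"read": RoleReader, "write": RoleWriter, "admin": RoleAdmin}

// MapClaims plays the ClaimMapper part for the "<verb>:<namespace>" pattern from
// the post; it assumes the JWT signature was already verified. Malformed or unknown
// entries are an error, not skipped, so a typo in the IdP configuration fails closed.
func MapClaims(subject string, permissions []string) (*Claims, error) {
	c := &Claims{Subject: subject, Namespaces: map[string]Role{}}
	for _, p := range permissions {
		verb, ns, ok := strings.Cut(p, ":")
		if !ok || ns == "" {
			return nil, fmt.Errorf("malformed permission %q", p)
		}
		role, ok := verbRoles[strings.ToLower(verb)]
		if !ok {
			return nil, fmt.Errorf("unknown verb in permission %q", p)
		}
		if role > c.Namespaces[ns] { // highest role wins when a scope repeats
			c.Namespaces[ns] = role
		}
	}
	return c, nil
}

// readOnlyAPIs is an allow-list of calls a Reader may make; anything not listed
// (Terminate, Start, Signal, ...) counts as a write, so a new API is denied to readers until classified.
var readOnlyAPIs = map[string]bool{
	"DescribeWorkflowExecution":   true,
	"GetWorkflowExecutionHistory": true,
	"ListWorkflowExecutions":      true,
}

// Authorize plays the Authorizer part: one allow/deny decision per request.
func Authorize(c *Claims, t *CallTarget) Decision {
	if c == nil {
		return DecisionDeny // no usable token: fail closed
	}
	effective := c.Namespaces[systemScope] // a cluster-wide role applies everywhere
	if r := c.Namespaces[t.Namespace]; r > effective {
		effective = r
	}
	required := RoleWriter
	if readOnlyAPIs[t.APIName] {
		required = RoleReader
	}
	if effective >= required {
		return DecisionAllow
	}
	return DecisionDeny
}

func main() {
	// Constructed input: the single permission a read-only user would carry.
	claims, err := MapClaims("alice@example.com", []string{"read:my-namespace"})
	if err != nil {
		panic(err)
	}
	for _, api := range []string{"DescribeWorkflowExecution", "TerminateWorkflowExecution"} {
		fmt.Println(api, "on my-namespace:", Authorize(claims, &CallTarget{APIName: api, Namespace: "my-namespace"}))
	}
}
```

Two design points carry over to a real plugin: classify reads with an allow-list rather than enumerating writes, so that any API the server adds later is closed to readers by default, and reject unparseable permission strings instead of ignoring them, so that a misconfigured identity provider shows up as an error rather than as a user silently getting nothing (or, with a looser parser, too much).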