Temporal Web (UI) OIDC Setup Issue

Hello - we are integrating SSO using OIDC on the Temporal Web UI. SSO has been successful, but the page times out and we have to re-login after 5 minutes, with the below messages in the UI and in the docker logs for the session. The OIDC settings that have been configured are also provided.

invalid ID token: token invalid or expired

2026/04/10 20:13:16 [JWT Validation] Token verification failed: oidc: token is expired (Token Expiry: 2026-04-10 19:15:45 +0000 UTC)
2026/04/10 20:13:16 token_refresh_attempt ip=10.185.192.85
2026/04/10 20:13:16 token_refresh_failed reason=missing_refresh_token ip=10.185.192.85 duration_ms=0
2026/04/10 20:13:21 [Auth] Validating ID token from Authorization-Extras header
2026/04/10 20:13:21 [JWT Validation] Token verification failed: oidc: token is expired (Token Expiry: 2026-04-10 19:15:45 +0000 UTC)
2026/04/10 20:13:21 token_refresh_attempt ip=10.185.192.85
2026/04/10 20:13:21 token_refresh_failed reason=missing_refresh_token ip=10.185.192.85 duration_ms=0
2026/04/10 20:13:40 [Auth] Validating ID token from Authorization-Extras header
2026/04/10 20:13:40 [JWT Validation] Token verified successfully
2026/04/10 20:13:42 token_refresh_attempt ip=10.136.41.43
2026/04/10 20:13:42 token_refresh_failed reason=missing_refresh_token ip=10.136.41.43 duration_ms=0
2026/04/10 20:13:44 [Auth] Validating ID token from Authorization-Extras header
2026/04/10 20:13:44 [JWT Validation] Token verification failed: oidc: token is expired (Token Expiry: 2026-04-10 18:26:43 +0000 UTC)
2026/04/10 20:13:44 token_refresh_attempt ip=10.136.41.45
2026/04/10 20:13:44 token_refresh_failed reason=missing_refresh_token ip=10.136.41.45 duration_ms=0

environment:
  TEMPORAL_ADDRESS: temporal:7233
  TEMPORAL_UI_PORT: "8080"
  maxSessionDuration: "8h"
  TEMPORAL_AUTH_ENABLED: "true"
  TEMPORAL_AUTH_TYPE: "oidc"
  TEMPORAL_AUTH_PROVIDER_URL: "https://fmsso-devl.fanniemae.com"
  TEMPORAL_AUTH_ISSUER_URL: "https://fmsso-devl.fanniemae.com"
  TEMPORAL_AUTH_CLIENT_ID: "sso-p2x-IDS-d2-oidc-cots-Temporal"
  TEMPORAL_AUTH_CLIENT_SECRET: "****"
  TEMPORAL_AUTH_CALLBACK_URL: "https://temporal-idp-ec2.temporal.devl-utss.aws.fanniemae.com/auth/sso/callback"
  TEMPORAL_AUTH_SCOPES: "openid,email,profile"
  TEMPORAL_AUTH_SESSION_TTL: "1h"
  TEMPORAL_AUTH_SESSION_IDLE_TTL: "1h"
  TEMPORAL_AUTH_OIDC_TOKEN_REFRESH_ENABLED: "true"

This looks like the refresh path, not the OIDC handshake itself. The key line is token_refresh_failed reason=missing_refresh_token.

With TEMPORAL_AUTH_OIDC_TOKEN_REFRESH_ENABLED=true, Temporal expects a refresh token once the ID token expires. Right now you’re only requesting openid,email,profile, so I’d check whether your IdP/client is actually issuing refresh tokens for this app. In a lot of setups that means adding offline_access and making sure the client is using the authorization code flow, not a flow that only returns an ID token.

I’d verify those two things first: the token response after login actually contains a refresh token, and the IdP’s ID token lifetime for this client isn’t only a few minutes.

If no refresh token is returned, the UI session will keep dying as soon as the ID token ages out, no matter what you set for the Temporal session TTL.
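A small check for the two things the reply suggests verifying, added here as an example (not code from this thread or from Temporal): it reads an OIDC token response, decodes the ID token's exp/iat for inspection only (no signature verification), and reports whether a refresh_token is present and whether offline_access was requested. The sample response, the unsigned demo token and the issuer are constructed values, not the poster's real IdP output.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token_response(resp: dict, requested_scopes: str, session_ttl_s: int = 3600) -> dict:
    """Report whether a token response can sustain a UI session of session_ttl_s seconds."""
    findings = {"issues": []}
    findings["has_refresh_token"] = bool(resp.get("refresh_token"))
    scopes = {s for s in requested_scopes.replace(",", " ").split() if s}
    findings["offline_access_requested"] = "offline_access" in scopes
    claims = jwt_claims(resp["id_token"])
    lifetime = int(claims["exp"]) - int(claims["iat"])
    findings["id_token_lifetime_s"] = lifetime
    if not findings["has_refresh_token"]:
        findings["issues"].append("no refresh_token in token response; token refresh cannot work")
    if not findings["offline_access_requested"]:
        findings["issues"].append("offline_access not in requested scopes")
    if lifetime < session_ttl_s:
        findings["issues"].append(f"id_token lifetime {lifetime}s is shorter than session TTL {session_ttl_s}s")
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed, unsigned token for the demo; a real IdP token carries a real signature.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample mirroring the post: a 5-minute ID token and no refresh_token.
SAMPLE_RESPONSE = {
    "access_token": "opaque-access-token",
    "token_type": "Bearer",
    "expires_in": 300,
    "id_token": make_unsigned_jwt({"iss": "https://idp.example", "sub": "u1", "aud": "client",
                                   "iat": 1775000000, "exp": 1775000300}),
}

if __name__ == "__main__":
    print(json.dumps(inspect_token_response(SAMPLE_RESPONSE, "openid,email,profile"), indent=2))
```

Paste the real token response (from the IdP's token endpoint, with the refresh_token value redacted) into SAMPLE_RESPONSE to see which of the three conditions the reply lists is actually failing.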

Thanks for the response. Is Temporal's OIDC mechanism for single sign-on to read the ID token expiration and, if the ID token expiration is 5 minutes, then look for a refresh token to re-authenticate? The reason I am asking is that our company policy restricts ID token expiration to 5 minutes, and it also does not allow offline access or a refresh token to re-authenticate. Our IdP team is asking whether Temporal can support only the implicit pattern, which seems to be deprecated, and needs to move towards the authorization code grant. Also, they are asking why Temporal is dependent upon ID token expiration rather than the access token. Can you please confirm if either of these can be done through Temporal out of the box or needs customization to be enabled? Also, we need to set up role-based authorization, and our company's IdP uses the access token to read the roles. Can you also confirm if this is possible in Temporal? Thanks