Hello,
Trying to set up Web UI SSO with Azure AD, but having an issue integrating with the Temporal backend.
All Temporal components are deployed with the Helm chart. The UI is accessed from the localhost via kubectl port-forward.
The following environment variables are set for the server deployment:
  - name: TEMPORAL_AUTH_AUTHORIZER
    value: default
  - name: TEMPORAL_AUTH_CLAIM_MAPPER
    value: default
  - name: TEMPORAL_JWT_KEY_SOURCE1
    value: 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
  - name: TEMPORAL_JWT_PERMISSIONS_CLAIM
    # Take Temporal permissions from the standard AD roles attribute
    value: roles
The following environment variables are set for the Web UI deployment:
  - name: TEMPORAL_AUTH_ENABLED
    value: 'true'
  - name: TEMPORAL_AUTH_PROVIDER_URL
    value: https://login.microsoftonline.com/xxxxx
  - name: TEMPORAL_AUTH_ISSUER_URL
    value: https://sts.windows.net/xxxxx
  - name: TEMPORAL_AUTH_CLIENT_ID
    value: <client ID>
  - name: TEMPORAL_AUTH_CLIENT_SECRET
    value: <client secret>
  - name: TEMPORAL_AUTH_CALLBACK_URL
    value: http://localhost:8080/auth/sso/callback
  - name: TEMPORAL_AUTH_SCOPES
    value: openid,profile,email
  - name: TEMPORAL_CODEC_PASS_ACCESS_TOKEN
    value: 'true'
After clicking Continue to SSO in the Web UI, I see the authorization code flow progressing in the Network tab of the browser.
In particular, I see:
- The authorization code is returned to the callback URL: GET http://localhost:8080/auth/sso/callback?code=…
- AuthUser.idToken is stored in the browser’s local storage (appears well-formed; it can be validated and parsed)
- AuthUser.accessToken is stored in the browser’s local storage (looks malformed to me)
- The request to the backend (api/v1/namespaces) is sent with the access token in the Authorization header and the ID token in the Authorization-Extras header
- The request is rejected by the backend with the following message in the log: “Authorization error”, “error”: “token contains an invalid number of segments”
Apparently the backend also considers the access token malformed.
Could you please advise what we are doing wrong? Are there any means to further debug the flow? Is it AD that returns the malformed token, or is the token transformed by the UI server in some way?
Thanks
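The following is an added example, not part of the original post and not Temporal's own code: a small Python inspection script for the tokens the UI stores in local storage. It splits a token into its segments (the check behind "token contains an invalid number of segments"), decodes the header and claims without verifying the signature, and reports the mismatches a Temporal server configured as above would trip over: wrong issuer, expired token, missing `roles` claim, or a Microsoft Graph style access token. The expected issuer and client ID are placeholders, the sample tokens are constructed, and the `nonce` header check reflects how Azure AD marks access tokens issued for Microsoft Graph; signature verification against the JWKS URL remains the server's job.

```python
import base64
import json
import time

# Constructed placeholder values for this example; substitute the tenant and
# client values the deployment actually uses (compare TEMPORAL_AUTH_ISSUER_URL).
EXPECTED_ISSUER = "https://sts.windows.net/<tenant-id>"
PERMISSIONS_CLAIM = "roles"   # matches TEMPORAL_JWT_PERMISSIONS_CLAIM above


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Split a compact JWT and decode header and claims WITHOUT checking the signature.

    Diagnostic only: signature verification against the JWKS endpoint
    (TEMPORAL_JWT_KEY_SOURCE1) stays the server's job.
    """
    parts = token.strip().split(".")
    info = {"segments": len(parts), "header": None, "claims": None, "problems": []}
    if len(parts) != 3:
        # This is the condition behind "token contains an invalid number of segments".
        info["problems"].append(f"expected 3 dot-separated segments, found {len(parts)}")
        return info
    for key, idx in (("header", 0), ("claims", 1)):
        try:
            info[key] = json.loads(_b64url_decode(parts[idx]))
        except (ValueError, UnicodeDecodeError) as exc:
            info["problems"].append(f"{key} segment is not base64url JSON: {exc}")
    return info


def check_token(token: str, expected_issuer: str = EXPECTED_ISSUER,
                permissions_claim: str = PERMISSIONS_CLAIM, now=None) -> list:
    """Return a list of human-readable problems; an empty list means the token
    at least has the shape and claims the server configuration above expects."""
    info = inspect_jwt(token)
    problems = list(info["problems"])
    header, claims = info["header"] or {}, info["claims"] or {}
    if info["segments"] != 3 or info["claims"] is None:
        return problems
    now = time.time() if now is None else now
    # Validators compare the issuer as an exact string: a trailing slash or a
    # v1 vs v2 endpoint difference is enough to fail.
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != expected {expected_issuer!r}")
    if "exp" in claims and claims["exp"] < now:
        problems.append("token is expired")
    if permissions_claim not in claims:
        problems.append(f"no '{permissions_claim}' claim; the server will find no permissions")
    elif not isinstance(claims[permissions_claim], list):
        problems.append(f"'{permissions_claim}' claim is not a list of strings")
    if "nonce" in header:
        # Azure AD puts a 'nonce' in the header of access tokens minted for
        # Microsoft Graph; those tokens are not meant to be validated by other APIs.
        problems.append("header carries 'nonce': looks like a Microsoft Graph access token, "
                        "not one issued for your own API/audience")
    return problems


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed fixture builder: a real token's third segment is the IdP's
    signature; a placeholder is used here so the sample runs offline."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


# Constructed sample tokens (not real Azure AD output).
GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "example-kid"},
    {"iss": EXPECTED_ISSUER, "aud": "<client ID>", "exp": 4102444800,
     "roles": ["example-namespace:read"]})
MALFORMED_TOKEN = "not.a-jwt"   # two segments: triggers the same "invalid number of segments" error
GRAPH_STYLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "example-kid", "nonce": "example-nonce"},
    {"iss": EXPECTED_ISSUER, "aud": "<other-api-audience>", "exp": 4102444800})

if __name__ == "__main__":
    for label, tok in (("well-formed", GOOD_TOKEN), ("malformed", MALFORMED_TOKEN),
                       ("graph-style", GRAPH_STYLE_TOKEN)):
        print(label, check_token(tok) or "no problems found")
```

To use it on a real deployment, paste the `AuthUser.accessToken` and `AuthUser.idToken` values from local storage into `check_token` with the deployment's real issuer; a segment count other than 3 points at what the UI stored rather than at the server's validation, while a clean segment count with an issuer or `roles` mismatch narrows the problem to the claims Azure AD placed in the token.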