We’re self-hosting Temporal and have integrated it with our SSO provider via OIDC. Authentication works well: users can log in through our identity provider and reach the Temporal UI.
Our question is about authorization: we’d like to restrict access so that only certain users (for example, members of a specific group or role) can log in or view workflows. Right now, anybody who can authenticate can just log in and see everything.
We’re wondering:
- Is there a recommended way to enforce fine-grained access control for the Temporal UI?
- Can Temporal be configured to validate roles, groups, or claims in the identity token?
- If not natively supported, what’s the best pattern to handle this — via a reverse proxy, middleware, or a custom auth service?
Any guidance, examples, or patterns others have used for access restriction in self-hosted deployments would be greatly appreciated.
(We are using Keycloak, but wanted to keep the question broad to make it useful for others who are using other providers like Okta, Authentik, etc.)
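As an added example (not from the original post, and not Temporal's own code), the kind of group-to-role mapping the second bullet asks about, sketched in Go. It assumes the token's signature and issuer were already verified upstream, that Keycloak places group membership in a "groups" claim, and that the Role/Claims types below are local stand-ins modelled on Temporal's authorizer plugin rather than the real interfaces.

```go
package main
import "strings"

// Role mirrors Temporal's authorizer role levels (assumption: local stand-in so this runs alone).
type Role int
const (
	RoleUndefined Role = iota
	RoleReader
	RoleWriter
	RoleAdmin
)

// Claims: optional system-wide role plus per-namespace roles; anything unlisted is denied.
type Claims struct {
	Subject    string
	System     Role
	Namespaces map[string]Role
}

// groupPolicy is a constructed example policy: IdP group -> namespace -> role ("*" = system-wide).
var groupPolicy = map[string]map[string]Role{
	"temporal-admins":  {"*": RoleAdmin},
	"payments-dev":     {"payments": RoleWriter},
	"payments-support": {"payments": RoleReader},
}

// MapClaims turns already-verified token claims into Claims, reading "groups"
// as a list of strings (Keycloak's group mapper emits "/name"). Unknown groups
// are ignored, so a user in no mapped group ends up with no roles at all.
func MapClaims(token map[string]any) Claims {
	sub, _ := token["sub"].(string)
	c := Claims{Subject: sub, Namespaces: map[string]Role{}}
	groups, _ := token["groups"].([]any)
	for _, g := range groups {
		name, _ := g.(string)
		for ns, role := range groupPolicy[strings.TrimPrefix(name, "/")] {
			if ns == "*" && role > c.System {
				c.System = role
			} else if ns != "*" && role > c.Namespaces[ns] {
				c.Namespaces[ns] = role // keep the highest role per namespace
			}
		}
	}
	return c
}

// HasAccess is the deny-by-default check: the role is needed system-wide or on the namespace.
func HasAccess(c Claims, namespace string, need Role) bool {
	return c.System >= need || c.Namespaces[namespace] >= need
}
```

Wiring this into a real deployment means implementing Temporal's ClaimMapper/Authorizer plugin interfaces (or the same logic in a reverse proxy in front of the UI); the policy table is the part worth keeping in configuration rather than code.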