Allow configuration of expected audience value for Temporal authorization

[dhiaayachi]

Author: Dima Ponomarenko

Summary of the feature being proposed

Extend global:authorization section of docker config to allow configuring of expected audience value. Currently, it's possible to configure JWTClaimMapper via config file. If defaultJWTClaimMapper is used, one of the existing checks there is to validate aud claim against the expected values received from audienceGetter.Audience. But the audienceGetter is not defined by default and the only way to set it is to use custom temporal build. If audienceGetter is not set, 'aud' is not validated at all. There is no way to configure it using docker config file unlike claimMapper and authorizer. Ideally, we should allow specifying the expected audience value in the docker config itself, but I'd like to hear if you can suggest a better way.

What value does this feature bring to Temporal?

This feature will simplify Temporal setup when JWT-based authentication is used. As an example, Azure Active Directory oAuth2. In's commonly used in enterprise environment, where you must check the aud because application within your organisation share the same JWT signing key. As a result, another application from your org can successfully authenticate and mimic your JWT claims to get access into your system, unless you check aud. https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims

It's possible to build custom Temporal with your own audienceGetter backed in. But it requires more knowledge (including golang) and make is harder to maintain. As well as keeping your custom build up to date. But I believe the following security feature should be achievable using configuration file and without custom Temporal builds.

Are you willing to implement this feature yourself?

Yes

[dhiaayachi]

Hi Dima,

Thanks for the feature request! We understand the need to simplify Temporal setup with JWT-based authentication, especially when using Azure Active Directory OAuth2.

While directly configuring the expected audience value in the Docker config isn't currently supported, you can achieve this through a workaround by using a custom audienceGetter implementation. You can define your own implementation of the audienceGetter interface and provide it as a custom Temporal build. This approach allows you to control the expected audience value without relying on the default behavior.

We'll explore the possibility of adding a configuration option for the expected audience in future releases.

Here's a link to the relevant documentation on JWT claim mappers: link to Temporal docs on JWT claim mappers

Let us know if you have any further questions.

[dhiaayachi]

Hi Dima,

Thanks for the feature request! We appreciate you taking the time to share your thoughts on how to enhance Temporal's security capabilities.

You've identified a potential vulnerability in JWT authentication when using the default defaultJWTClaimMapper and the lack of audienceGetter configuration in the docker config.

We understand your desire for a simpler and more secure setup, especially when working with environments like Azure Active Directory OAuth2.

While we don't have a direct configuration option for audienceGetter in the docker config, we recommend exploring the following workaround:

1. Use a custom claim mapper: You can implement your own JWTClaimMapper that includes the desired audience validation logic. You can then configure this custom mapper in your docker config, eliminating the need for a custom Temporal build. This approach allows you to maintain your desired audience check while leveraging the flexibility of Temporal's configuration system.

Here are some additional resources that might be helpful:

• Temporal Authentication: https://docs.temporal.io/docs/authentication
• JWT Claim Mappers: https://docs.temporal.io/docs/authentication#jwt-claim-mapper

We value your feedback and are actively working on improving the security and ease of use of Temporal. We'll keep your suggestion in mind as we plan future enhancements.

[dhiaayachi]

Hi Dima,

Thank you for your feature request! I understand your need for a more streamlined way to configure the expected audience value when using JWT-based authentication in Temporal.

While we currently don't offer direct configuration of expected audience values in the Docker config, we can definitely explore options for improving this experience.

Here are a couple of suggestions for workarounds until this feature is implemented:

• Use a custom Temporal build with a configured audienceGetter: As you mentioned, this requires more knowledge about GoLang and might introduce maintenance complexities. However, it allows you to customize your Temporal environment with the specific security checks you need. You can find more information about custom builds in the Temporal documentation https://docs.temporal.io/.

• Leverage the existing JWTClaimMapper configuration: You can configure JWTClaimMapper in your Temporal config file to define your own audience validation logic. This approach provides flexibility and allows you to use your existing security infrastructure. https://docs.temporal.io/

We value your feedback and will consider your feature request as we plan future improvements. Let us know if you have any other questions.

[dhiaayachi]

Thank you for the feature request, Dima Ponomarenko. We understand the need for simplifying Temporal setup with JWT-based authentication and the importance of validating the aud claim in scenarios like Azure Active Directory OAuth2.

While we don't currently have a built-in way to configure the expected audience value directly in the docker config file, here's a workaround you can use:

1. Implement a custom audienceGetter: You can implement a custom audienceGetter to define the expected audience value. This approach requires some knowledge of Go, but it gives you full control over the audience validation process. Here's an example:

   package main
   
   import (
       "context"
       "fmt"
   
       "go.temporal.io/sdk/client"
       "go.temporal.io/sdk/common/authorization"
       "go.temporal.io/sdk/common/jwt"
   )
   
   func main() {
       // Create a client with a custom audience getter
       client, err := client.NewClient(client.Options{
           HostPort: "localhost:7233",
           Identity: authorization.NewIdentity(
               authorization.IdentityOptions{
                   DefaultJWTClaimMapper: jwt.NewDefaultJWTClaimMapper(),
                   AudienceGetter: func(ctx context.Context) ([]string, error) {
                       // Replace with your actual expected audience value(s)
                       return []string{"my-expected-audience"}, nil
                   },
               },
           ),
       })
       if err != nil {
           fmt.Println("Error creating client:", err)
           return
       }
   
       // Use the client
       defer client.Close()
       // ... your workflow logic ...
   }

2. Use a custom Temporal build: You can build Temporal from source with a custom audienceGetter included. This approach offers more flexibility but requires maintaining your custom build.

We appreciate your feedback and will consider incorporating a direct configuration option for the expected audience value in future releases.

[dhiaayachi]

Hi Dima, thanks for the feature request! We appreciate you taking the time to share your suggestion.

We understand the need for simplified configuration when using JWT-based authentication and the importance of validating the aud claim for security purposes.

Currently, Temporal does not offer a direct way to configure the expected audience value through the docker config file. However, you can work around this by using a custom temporal build with your own audienceGetter. This approach gives you complete control over the validation process.

We value your willingness to contribute and implement this feature. We'll consider this request in our future roadmap.

Let us know if you have any other questions or feedback.