Key Rotation for Temporal Authentication and Authorization using Azure AD

[dhiaayachi]

Expected Behavior

We would expect a way to make Temporal aware of the key rotation.

Actual Behavior

It looks like Temporal caches the RSA keys returned from "keySourceURIs". See https://stackoverflow.com/questions/77305403/need-with-with-authentication-in-temporal-cluster

Steps to Reproduce the Problem

Steps described for example here https://devblogs.microsoft.com/ise/2023/07/12/temporal-mtls-sso/#3-running-temporal-server-with-authorization-enabled

Specifications

• Version: Latest Temporal.io
• Platform: Kubernetes installation via Helm Chart

[dhiaayachi]

Thanks for reporting this issue. The Temporal Server uses a cache for the RSA key returned by keySourceURIs. We are aware of this issue and have a feature request to address key rotation. We have not yet added a mechanism to refresh the cache automatically.

You can work around this issue by:

• Manually restarting the Temporal Server: This will cause Temporal Server to fetch fresh keys from the keySourceURIs.
• Using a service account: Service accounts can have their own set of keys. Using a service account with its own set of keys can help to reduce the impact of key rotation.

We appreciate your patience while we work on adding automatic key rotation to the Temporal Server.