dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Allow static JWKS for `jwtKeyProvider` #282

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago

Is your feature request related to a problem? Please describe.
In our internal setup, Temporal is isolated and cannot reach out to our externally hosted IDP and get the keys necessary for authz.

Describe the solution you'd like
Add a jwkStaticKeySource string that can contain the keys and would be equal to the response of the JWKS endpoint. jwkStaticKeySource could/should be loaded via dynamic config as well so that key rotation can be implemented easily.
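As an added example, not code from this repository or from the issue author, here is what the requested static key source could look like in Go, the language the Temporal server is written in: a provider that parses an inline JWKS document (the proposed jwkStaticKeySource string) into RSA public keys addressed by kid, offers an RsaKey(alg, kid) lookup modelled on the lookup the server's token key provider performs (treat the exact interface as an assumption and check it against the server source), and replaces the whole key set atomically on Reload so that a dynamic-config change can rotate keys without a restart. Only the standard library is used. StaticJWKSProvider, Reload, RsaKey, Verify, JWKSFor, SignRS256 and the kid "2024-q3" are names chosen for this illustration; SignRS256 and the key generated in main stand in for the IDP, which would normally mint the tokens and publish the JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"sync/atomic"
)

var b64 = base64.RawURLEncoding // JWT and JWK use URL-safe, unpadded base64

// StaticJWKSProvider serves RSA keys parsed from an inline JWKS document (the proposed
// jwkStaticKeySource) instead of fetching an IDP; Reload swaps the set for rotation.
type StaticJWKSProvider struct {
	keys atomic.Value // holds map[string]*rsa.PublicKey keyed by kid, replaced whole
}

// Reload parses doc and installs it as the active key set, refusing the whole set on any bad entry.
func (p *StaticJWKSProvider) Reload(doc string) error {
	var set struct{ Keys []map[string]any } // maps, not structs: real JWKS entries carry extra members such as x5c
	if err := json.Unmarshal([]byte(doc), &set); err != nil || len(set.Keys) == 0 {
		return fmt.Errorf("jwks: invalid or empty document (%v)", err)
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		kid, _ := k["kid"].(string)
		n, errN := b64.DecodeString(fmt.Sprint(k["n"]))
		e, errE := b64.DecodeString(fmt.Sprint(k["e"]))
		if k["kty"] != "RSA" || kid == "" || errN != nil || errE != nil {
			return fmt.Errorf("jwks: entry %q is not a usable RSA key; refusing the whole set", kid)
		}
		keys[kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	p.keys.Store(keys) // one Store: readers see either the old set or the new one, never a mix
	return nil
}

// RsaKey returns the key for kid. Only RS256 is accepted, so a header cannot downgrade to "none" or turn the RSA key into an HMAC secret.
func (p *StaticJWKSProvider) RsaKey(alg, kid string) (*rsa.PublicKey, error) {
	keys, _ := p.keys.Load().(map[string]*rsa.PublicKey) // nil map before the first Reload: every lookup fails closed
	if k, ok := keys[kid]; ok && alg == "RS256" {
		return k, nil
	}
	return nil, fmt.Errorf("no RS256 key for kid %q (alg %q)", kid, alg)
}

// Verify checks a compact JWT's RS256 signature and returns its claims; exp and aud checks stay with the caller's claim mapper.
func (p *StaticJWKSProvider) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawBody, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims map[string]any
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &claims) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, err := p.RsaKey(hdr.Alg, hdr.Kid) // key chosen by kid; alg is checked, never trusted from the header alone
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return claims, nil // claims were decoded above but are only released after the signature check
}

// JWKSFor renders the public half of priv as a JWKS document: what the IDP endpoint would return and what an operator would paste into the static source.
func JWKSFor(kid string, priv *rsa.PrivateKey) string {
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return string(doc)
}

// SignRS256 mints a token the way the IDP would; it exists only to exercise the provider.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return signing + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key; the IDP would own this in practice
	var p StaticJWKSProvider
	fmt.Println("reload:", p.Reload(JWKSFor("2024-q3", priv)))
	fmt.Println(p.Verify(SignRS256(priv, "2024-q3", map[string]any{"sub": "alice"})))
}
```

Two design points matter for the isolated deployment the request describes. Reload rejects the whole document if any entry is unusable and keeps the previous set in place, so a typo in a pasted JWKS cannot silently lock everyone out or, worse, install a partial set; and the key set is published with a single atomic store, so a rotation driven by dynamic config either fully applies or not at all. To rotate, publish a JWKS containing both the old and the new kid, wait for tokens signed with the old key to expire, then publish one containing only the new kid.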

dhiaayachi commented 1 month ago

Thank you for the feature request! This is a great idea. At the moment, you can use the following workaround:

Let us know if you have any other questions!

dhiaayachi commented 1 month ago

Thank you for the feature request. We understand the need for providing static keys for authorization in isolated environments. Currently, Temporal relies on a dynamic key source, which requires an external IDP.

As a workaround, you can consider using a local keystore or a secure configuration management system to store the keys within your isolated environment. This way, Temporal can access the keys without reaching out to an external IDP.

We appreciate your feedback and will consider this feature request for future releases.

dhiaayachi commented 1 month ago

Thank you for your feature request!

This is a great suggestion for improving Temporal's Web UI authorization process. Currently, there's no direct way to provide static JWKS keys for authentication.

However, you can achieve a similar effect by using a local JWT token generator and configuring the Temporal Web UI to accept those tokens.

This will provide a workaround for your current setup and allow you to manage key rotation.

Let me know if you have any other questions.

dhiaayachi commented 1 month ago

Thank you for your feature request. While we do not have a specific setting for loading static JWKS into the Temporal Web UI, you can achieve the same result by utilizing the TEMPORAL_AUTH_PROVIDER_URL environment variable.

This variable allows you to point the Temporal Web UI to a publicly accessible URL that hosts your JWKS.

This will enable the UI to fetch the necessary keys for authentication and authorization. You can also leverage the TEMPORAL_CONFIG_REFRESH_INTERVAL to control the frequency of key updates.

Let me know if you have any other questions!