dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Bearer token not passed to remote cluster when adding or upserting remote cluster #292

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago

Set up: 2 separate running clusters, Cluster-1 and Cluster-2. Both are configured with custom authorizers with OAuth authorization.

Expected Behavior

  1. Request-1: addOrUpsertRemoteCluster request to Cluster-1 with bearer token.
  2. Request-1 passes authorization check on Cluster-1
  3. Frontend service from Cluster-1 makes a Request-2 to Cluster-2 with propagated token from Request-1
  4. Request-2 passes authorization check on Cluster-2

Actual Behavior

  1. Request-1: addOrUpsertRemoteCluster request to Cluster-1 with bearer token.
  2. Request-1 passes authorization check on Cluster-1
  3. Frontend service from Cluster-1 makes a Request-2 to Cluster-2 that does not propagate the token from Request-1
  4. Request-2 fails authorization check on Cluster-2

Steps to Reproduce the Problem

  1. Run 2 separate clusters with OAuth authorizers (set them up to deny requests with empty tokens)
  2. Make a request addOrUpsertRemoteCluster: temporal operator cluster upsert --frontend-address 'remote.address' --grpc-meta 'authorization=bearer TOKEN'

Specifications

dhiaayachi commented 1 month ago

Thank you for reporting this issue.

It seems that the addOrUpsertRemoteCluster command doesn't propagate the authorization token from the initial request to the remote cluster. This is an issue that's not currently documented. Could you please share more details about the setup of your two clusters? Especially, are you using the same authorizer implementation for both clusters?

I will keep you updated on the progress of this issue.

dhiaayachi commented 1 month ago

Thank you for reporting this issue. We understand your frustration. Unfortunately, the provided information is not sufficient for us to properly diagnose the issue.

To better understand the problem and find a solution, could you please provide some more context?

  1. What are the custom authorizers you are using? Please share the code or configuration snippets you are using for OAuth authentication in both clusters.
  2. How is the token propagated from Request-1 to Request-2? Are you using a custom middleware or library to handle this?

Having this information will help us identify if there is a configuration issue, a bug in the token propagation mechanism, or a potential conflict between your authorizers and Temporal's inter-cluster communication.

dhiaayachi commented 1 month ago

Thank you for reporting this issue. It seems you are experiencing an issue with token propagation between Temporal clusters.

Could you please provide more information about how you are setting up the connection between your clusters?

For example, do you have any custom code that is handling the token propagation? Also, could you please clarify what kind of front-end service you are using in this scenario?

This information will help me identify the root cause of the problem and suggest the appropriate solutions.

dhiaayachi commented 1 month ago

Thank you for reporting this issue. We appreciate you providing such detailed steps to reproduce it.

It appears that the bearer token is not being propagated when making a request to a remote cluster. This behavior is expected as currently there is no mechanism to propagate the token automatically across different Temporal clusters.

To work around this, you may need to manually include the token in the Request-2 to Cluster-2. This can be achieved by retrieving the token from the Request-1 and including it in the headers of the Request-2.

Please let us know if you have any further questions.
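A minimal model of the token propagation that the reproduction steps and the workaround above describe, added here as an example and not code from Temporal or from the reporter: the MD type, BearerToken, authorizeRemote and ForwardUpsert are assumed stand-ins for gRPC request metadata and for the two clusters' authorizers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MD stands in for gRPC request metadata (grpc's metadata.MD is likewise a
// map[string][]string with lower-cased keys). Assumed type for this example.
type MD map[string][]string

const authKey = "authorization"

var errNoToken = errors.New("authorization required: missing or empty bearer token")

// BearerToken extracts the bearer token from a request's metadata. A value
// that is not a "Bearer <token>" pair (any case) or has an empty token is
// rejected, matching an authorizer set up to deny requests with empty tokens.
func BearerToken(md MD) (string, error) {
	for _, v := range md[authKey] {
		parts := strings.SplitN(strings.TrimSpace(v), " ", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], "bearer") && strings.TrimSpace(parts[1]) != "" {
			return strings.TrimSpace(parts[1]), nil
		}
	}
	return "", errNoToken
}

// authorizeRemote models a cluster's authorization check (assumed stand-in).
func authorizeRemote(md MD) error {
	_, err := BearerToken(md)
	return err
}

// ForwardUpsert models Cluster-1's frontend receiving addOrUpsertRemoteCluster
// (Request-1) and issuing Request-2 to Cluster-2. With propagate=false it
// reproduces the reported failure; with propagate=true it copies the caller's
// token onto the outgoing metadata, which is the workaround described above.
func ForwardUpsert(inbound MD, propagate bool) (MD, error) {
	if err := authorizeRemote(inbound); err != nil { // Cluster-1's own check
		return nil, fmt.Errorf("cluster-1: %w", err)
	}
	outbound := MD{}
	if propagate {
		token, _ := BearerToken(inbound) // already validated above
		outbound[authKey] = []string{"Bearer " + token}
	}
	if err := authorizeRemote(outbound); err != nil { // Cluster-2's check
		return nil, fmt.Errorf("cluster-2: %w", err)
	}
	return outbound, nil
}

func main() {
	req := MD{authKey: {"bearer TOKEN"}} // constructed sample, as in the reproduction steps
	_, err := ForwardUpsert(req, false)
	fmt.Println("without propagation:", err)
	out, err := ForwardUpsert(req, true)
	fmt.Println("with propagation:", out, err)
}
```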