Open gmintoco opened 1 year ago
ty for the request, discussing with the team
currently there is no plan to authenticate CLI using browser SSO to not incentivize people doing that in their pipelines.
As an option a JWT server could be used to provide the token to CLI, e.g. https://github.com/temporalio/samples-go/tree/main/serverjwtauth#using-tctl-and-registering-the-default-namespace. The example uses tctl; in temporal CLI the alternative to tctl's --auth flag is --grpc-meta.
Hey @feedmeapples just was having a look at this again. I am curious as to why it would be unwanted to facilitate OAuth via the CLI within pipelines or not?
In my mind running tctl auth would trigger an OAuth flow from the CLI client to get the user to authenticate to cloud.temporal.io; the CLI would then get a token it could use as a JWT to authenticate to the server endpoint. This would be a really easy user experience for developers and reduce the burden of maintaining TLS keys.
I took a look through the JWT option you mentioned above: a) it doesn't seem possible for use with Temporal Cloud and b) it is rather complex operationally.
Perhaps I should have clarified as well that we are using Temporal Cloud with Google SSO.
Thanks :)
Re-opening for consideration.
+1 for the request
A perfect example of this would be aws cli, which has aws sso login
The user is redirected to the web browser and granted a temporary token.
It's not possible to run this in CI, as it uses an OTP through the web UI
Could you explain a bit more what type of solution you're expecting? Is this for Temporal Cloud or self-hosted?
Is your feature request related to a problem? Please describe.
It is time-consuming to distribute certificates to developers so they can use temporal CLI. It is also a potential security concern, as these are long-lived credentials stored on developers' laptops.
Describe the solution you'd like
Ideally you would be able to authenticate using the browser SSO to collect a short term token that would allow authentication to the Temporal Server. This would make the user experience much smoother. Similar to how gcloud auth or aws sso works.
Additional context