From ca1b2892a986d0ae1dfc68d335f9daef6a700119 Mon Sep 17 00:00:00 2001
From: Ruslan <11838981+feedmeapples@users.noreply.github.com>
Date: Wed, 10 Nov 2021 14:49:51 -0500
Subject: [PATCH] Add server security notion in readme and remove Google OIDC notion (#412)

---
 README.md         | 14 ++++++--------
 server/config.yml |  9 +++++----
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index b5fbf762..9452bcbd 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,7 @@ Setting `TEMPORAL_TLS_REFRESH_INTERVAL` will make the TLS certs reload every N s
 
 ### Configuring Authentication (optional)
 
-> ⚠️ This is currently a beta feature, [please report any and all issues to us!](https://github.com/temporalio/web/issues/new)
+**Note** For proper security, your server needs to be secured as well and validate the JWT tokens that Temporal Web will be sending to server once users are authenticated. See [security docs](https://docs.temporal.io/docs/server/security/#authorization) for details
 
 Since v1.3, Temporal Web offers optional OAuth SSO authentication. You can enable it in 2 steps:
 
@@ -71,13 +71,13 @@ Since v1.3, Temporal Web offers optional OAuth SSO authentication. You can enabl
 auth:
   enabled: true # Temporal Web checks this first before reading your provider config
   providers:
-    - label: 'google oidc' # for internal use; in future may expose as button text
+    - label: 'Auth0 oidc' # for internal use; in future may expose as button text
       type: oidc # for futureproofing; only oidc is supported today
-      issuer: https://accounts.google.com
-      client_id: xxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
-      client_secret: xxxxxxxxxxxxxxxxxxxxxxx
+      issuer: https://myorg.us.auth0.com
+      client_id: xxxxxxxxxxxxxxxxxxxx
+      client_secret: xxxxxxxxxxxxxxxxxxxx
       scope: openid profile email
-      audience: temporal # identifier of the audience for an issued token (optional)
+      audience: # identifier of the audience for an issued token (optional)
       callback_base_uri: http://localhost:8088
       pass_id_token: false # adds ID token as 'authorization-extras' header with every request to server
 ```
@@ -101,8 +101,6 @@ Since v1.3, Temporal Web offers optional OAuth SSO authentication. You can enabl
 In future, multiple Oauth providers may be supported, however for now we only read the first Oauth provider under the `providers` key above.
 
 Common Oauth Providers and their docs:
 
-
- - Google: https://developers.google.com/identity/protocols/oauth2/openid-connect
  - Auth0: https://auth0.com/docs/protocols/configure-okta-as-oauth2-identity-provider
  - Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm
diff --git a/server/config.yml b/server/config.yml
index b3c3b84a..6cfc3ca9 100644
--- a/server/config.yml
+++ b/server/config.yml
@@ -2,12 +2,13 @@ auth:
   enabled: false
   providers:
   # # example provider
-  # - label: 'google oidc' # for internal use; in future may expose as button text
+  # - label: 'Auth0 oidc' # for internal use; in future may expose as button text
   #   type: oidc # for futureproofing; only oidc is supported today
-  #   issuer: https://accounts.google.com
-  #   client_id: xxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
-  #   client_secret: xxxxxxxxxxxxxxxxxxxxxxx
+  #   issuer: https://myorg.us.auth0.com
+  #   client_id: xxxxxxxxxxxxxxxxxxxx
+  #   client_secret: xxxxxxxxxxxxxxxxxxxx
   #   scope: openid profile email
+  #   audience:
   #   callback_base_uri: http://localhost:8088
   #   pass_id_token: false
   # for more info see docs: https://github.com/temporalio/web#configuring-authentication-optional
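Review bot: The added example line `#   audience:` carries no value, so a user who uncomments it as written gets YAML null rather than an audience string, and neither this example nor the README variant of the same line in this commit says what a null audience does — whether the `aud` claim is then not checked, or the token is rejected. Since `audience` is the one field that pins which API a token is meant for, the example should show a placeholder and state the effect of leaving it out, e.g. `#   audience: '<api-identifier>' # expected aud claim of the issued token; see README for what happens when this is omitted`, with that behaviour confirmed against the config loader before it is documented. The whole block is inside a comment so nothing here executes, but it is the template people copy into a live config.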