SSO and system worker
Hi,
If I enable SSO with JWT authorization, the system worker cannot access the frontend.
msg":"error starting temporal-sys-history-scanner-workflow workflow","service":"worker","error":"Request unauthorized.","logging-call-at":"/home/runner/work/docker-builds/docker-builds/temporal/service/worker/scanner/scanner.go:292","stacktrace":"go.temporal.io/server/common/log.(*zapLogger).Error\n\t/home/runner/work/docker-builds/docker-builds/temporal/common/log/zap_logger.go:154\ngo.temporal.io/server/service/worker/scanner.(*Scanner).startWorkflow\n\t/home/runner/work/docker-builds/docker-builds/temporal/service/worker/scanner/scanner.go:292\ngo.temporal.io/server/service/worker/scanner.(*Scanner).startWorkflowWithRetry.func1\n\t/home/runner/work/docker-builds/docker-builds/temporal/service/worker/scanner/scanner.go:262\ngo.temporal.io/server/common/backoff.ThrottleRetryContext\n\t/home/runner/work/docker-builds/docker-builds/temporal/common/backoff/retry.go:89\ngo.temporal.io/server/service/worker/scanner.(*Scanner).startWorkflowWithRetry\n\t/home/runner/work/docker-builds/docker-builds/temporal/service/worker/scanner/scanner.go:261"}
{"level":"fatal","ts":"2025-05-23T23:14:20.986Z","msg":"error starting scanner","service":"worker","error":"Request unauthorized.","logging-call-at":"/home/runner/work/docker-builds/docker-builds/temporal/service/worker/service.go:340","stacktrace":"go.temporal.io/server/common/log.(*zapLogger).Fatal\n\t/home/runner/work/docker-builds/docker-builds/temporal/common/log/zap_logger.go:178\ngo.temporal.io/server/service/worker.(*Service).startScanner\n\t/home/runner/work/docker-builds/docker-builds/temporal/service/worker/service.go:340\ngo.temporal.io/server/service/worker.(*Service).Start\n\t/home/runner/work/docker-builds/docker-builds/temporal/service/worker/service.go:255\ngo.uber.org/fx/internal/lifecycle.Wrap[...].func1\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/internal/lifecycle/lifecycle.go:80\ngo.uber.org/fx/internal/lifecycle.(*Lifecycle).runStartHook\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/internal/lifecycle/lifecycle.go:256\ngo.uber.org/fx/internal/lifecycle.(*Lifecycle).Start\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/internal/lifecycle/lifecycle.go:216\ngo.uber.org/fx.(*App).start-fm.(*App).start.func1\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/app.go:704\ngo.uber.org/fx.(*App).withRollback\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/app.go:686\ngo.uber.org/fx.(*App).start\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/app.go:703\ngo.uber.org/fx.withTimeout.func1\n\t/home/runner/go/pkg/mod/go.uber.org/[email protected]/app.go:803"}
This is self-hosted in Kubernetes. Is there a way to make that work without custom programming?
You probably want to use internal-frontend. This isn't documented that well, see the release notes here: https://github.com/temporalio/temporal/releases/tag/v1.20.0 under "Internal frontend"