
Redirected back to login page after successful login in IdP (Keycloak)

Open mbkh68 opened this issue 3 years ago • 8 comments

Describe the bug
Deployed the web UI to Kubernetes using the Helm chart, with SSO login configured to use Keycloak. When I try to log in, I am redirected to Keycloak and log in successfully there, but when returning back I face the login page again.

Expected behavior
When redirected back from the IdP, I should be presented with a working workflow UI, not asked to log in again.

Additional context
No logs in the container, no console errors in the browser, no failed network calls in the Chrome developer console.

mbkh68 avatar Dec 18 '22 06:12 mbkh68

I see the message "No id_token field in oauth2 token." in the browser. It used to work fine in the old UI and in the previous version of the new UI too.

kkcmadhu avatar Feb 09 '23 13:02 kkcmadhu

I had the same issue when using the Helm chart to deploy, and when I upgraded to the latest build of the UI. The issue stems from the fact that the token sent back from the IdP doesn't contain the relevant field. That hints at the scope of the request being set incorrectly. I looked into the container and noticed the value for the scope is empty; I assume at some point there was a default value, which now is not set, or there is an issue with how it is set.

I got around it by adding the scope as ENV:

    - name: TEMPORAL_AUTH_SCOPES
      value: "openid profile email"

udoniyor avatar May 15 '23 15:05 udoniyor
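As an added example (not code from the issue or the Temporal project), a small Python check for the two failure modes discussed above: a scopes value that lacks `openid`, which is why the IdP returns no ID token, and a token response that lacks `id_token` or whose claims do not match the configured issuer and client ID. The issuer and client ID values are constructed, and the sample token builder is unsigned; real signature verification against the issuer's JWKS is noted but not performed.

```python
import base64
import json
import time

# Constructed values for this example (assumptions, not taken from the issue).
ISSUER = "https://idp.local/realms/enterprise"
CLIENT_ID = "temporal-ui"

def check_scopes(scopes_env):
    # Problems with a TEMPORAL_AUTH_SCOPES-style value. Without "openid" the
    # request is plain OAuth2 and the IdP issues no id_token: the symptom above.
    scopes = set(scopes_env.split())
    if not scopes:
        return ["scope list is empty"]
    return [] if "openid" in scopes else ["missing required scope: openid"]

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample_id_token(claims):
    # UNSIGNED sample token for offline demonstration only; a real IdP signs
    # (e.g. RS256) and this only reproduces the header.payload.signature shape.
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."

def check_token_response(resp, now=None):
    # Problems with an IdP token response body. Signature verification against
    # the issuer's JWKS is out of scope here; a real client must do it before
    # trusting any claim checked below.
    now = int(time.time()) if now is None else now
    if "id_token" not in resp:
        return ["No id_token field in oauth2 token"]
    parts = resp["id_token"].split(".")
    if len(parts) != 3:
        return ["id_token is not a compact JWS"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the client id")
    if claims.get("exp", 0) <= now:
        problems.append("id_token is expired")
    return problems
```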

Which is not documented in the documentation here

getarun avatar Jun 09 '23 18:06 getarun

I had the same issue when using the Helm chart to deploy, and when I upgraded to the latest build of the UI. The issue stems from the fact that the token sent back from the IdP doesn't contain the relevant field. That hints at the scope of the request being set incorrectly. I looked into the container and noticed the value for the scope is empty; I assume at some point there was a default value, which now is not set, or there is an issue with how it is set.

I got around it by adding the scope as ENV:

    - name: TEMPORAL_AUTH_SCOPES
      value: "openid profile email"

Thank you very much. I added the `- TEMPORAL_AUTH_SCOPES="openid profile email"` environment variable to the Docker config file, and the redirect URL during SSO authentication now carries the scope parameter, but this environment variable is not in the documentation.

ChuckChen123 avatar Apr 02 '24 09:04 ChuckChen123

How are you configuring the other values?

I get a 502 Bad Gateway after a successful login in Keycloak.

No errors in the log either.

    - name: TEMPORAL_AUTH_ENABLED
      value: 'true'
    - name: TEMPORAL_AUTH_PROVIDER_URL
      value: https://idp.local/realms/enterprise
    - name: TEMPORAL_AUTH_ISSUER_URL
      value: https://idp.local/realms/enterprise
    - name: TEMPORAL_AUTH_CLIENT_ID
      value: temporal-ui
    - name: TEMPORAL_AUTH_CLIENT_SECRET
      value: redacted
    - name: TEMPORAL_AUTH_CALLBACK_URL
      value: >-
        https://temporal.admin.infinityflow.dev/auth/sso/callback
    - name: TEMPORAL_AUTH_SCOPES
      value: openid email profile

ElanHasson avatar Apr 10 '24 23:04 ElanHasson

@ElanHasson, hey. In my case, I updated the default proxy-buffer-size property from 8k to 128k for the nginx ingress.

    web:
      ingress:
        enabled: true
        annotations:
          nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
          nginx.ingress.kubernetes.io/proxy-buffers-number: "8"

al-cheb avatar May 24 '24 18:05 al-cheb

@al-cheb yep! I got this fixed and shared it in Slack but forgot to here.

ElanHasson avatar May 24 '24 21:05 ElanHasson

@al-cheb Thank you, fixed my issue. 🚀

rezaxd avatar Jul 13 '24 10:07 rezaxd