- \n
- Network communication:<\/strong> Mutual Transport Layer Security (mTLS) used for securing network communication with and within a Temporal cluster.<\/li>\n
- Data isolation and encryption:<\/strong>\n
- \n
- Namespaces:<\/strong> help isolate code (data and workflows) from each other.<\/li>\n
- Data Converter:<\/strong> helps encrypt data at rest (in data store).<\/li>\n<\/ul>\n<\/li>\n
- Authentication and Authorization:<\/strong> authenticate and control access to all API calls.\n
- \n
- Servers:<\/strong> To prevent spoofing and man in the middle attacks<\/a> you can specify the server name in the client section of your respective mTLS configuration.<\/li>\n
- Client connections:<\/strong> To restrict a client’s network access to cluster endpoints you can limit it to clients with certificates issued by a specific Certificate Authority (CA).<\/li>\n
- Users and Clients:<\/strong> To restrict access to specific users or client through extensibility plugins (Authorizer<\/a> and ClaimMapper<\/a>).<\/li>\n
- Authorizer:<\/strong> allows a wide range of authorization logic, including call target, role\/permissions claims, and other data available to the system.<\/li>\n
- ClaimMapper:<\/strong> component that extracts claims from JSON Web Tokens (JWT).<\/li>\n
- Single sign-on:<\/strong> Temporal Web offers SSO authentication by integrating with multiple OAuth providers<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
This post consists of two parts describing how to implement critical Temporal security features using Azure services:<\/strong><\/p>\n
- \n
- Part 1:<\/strong> Enable and configure mTLS using Azure Key Vault for generating and storing TLS certificates<\/a>.<\/li>\n
- Part 2:<\/strong> Users authentication and authorization using Azure Active Directory (AAD) as identity provider<\/a>.<\/li>\n<\/ul>\n
Part 1: Configure Temporal mTLS using Azure KeyVault as a certificates store<\/h2>\n
This part demonstrates the fundamental concepts and pieces needed to setup and configure a Temporal cluster with mTLS enabled and use Azure Key Vault to generate and store the mTLS certificates in a secure way.<\/p>\n
Note: The sample is using
self-signed certificates signed with a custom CA<\/code> for TLS setup. For production or public-facing environments, certificates issued by a trusted CA(Certificate Authority) must be used.<\/em><\/p>\nComplete source code here at temporalio-mtls repository<\/a>.<\/em><\/p>\n
Temporal supports mTLS as a way of encrypting network traffic between the services of a cluster<\/a> and also between application processes and a cluster. Self-signed or properly minted certificates can be used for mTLS. mTLS is set in Temporal\u2019s TLS configuration<\/a>. The configuration includes two sections where intra-cluster and external traffic can be encrypted with different sets of certificates and settings:<\/p>\n
- \n
- Internode:<\/strong> Configuration for encrypting communication between nodes in the cluster.<\/li>\n
- Frontend:<\/strong> Configuration for encrypting the frontend\u2019s public endpoints.<\/li>\n<\/ul>\n
![\"services](\"https:\/\/docs.temporal.io\/diagrams\/temporal-frontend-service.svg\")
<\/p>\nSelf-signed vs. Trusted CA-signed Certificates<\/h3>\n
Let’s start with a brief overview of the certificate types that could be used in mTLS.<\/p>\n
Self-signed certificates<\/strong> are created, issued, and signed by the same entities for whom the certificates are meant to verify their identities. This means that the individual developers or the companies that have created and\/or own the website or software in question are, essentially, signing off on themselves.<\/p>\n
CA-signed certificate<\/strong>, on the other hand, is signed by a third-party, publicly trusted certificate authority (CA). The popular CAs are Symantec, DigiCert, GeoTrust, GlobalSign, GoDaddy, and Entrust. These entities are responsible for validating the person or organization that requests each certificate. read more here<\/a>.<\/p>\n
How to use each certificate:<\/strong><\/p>\n
- \n
- Self-signed certificates<\/strong> are suitable for sites or services that are used in internal (intranet) or testing environments.<\/li>\n
- CA certificates<\/strong> are suitable for all public-facing websites and software.<\/li>\n<\/ul>\n
CA (Certificate Authority) has two types:<\/strong><\/p>\n
- \n
- Trusted CA:<\/strong> publicly trusted certificate authority (CA) to sign certificates for production environments;more details<\/a>.\n
- \n
- Azure Key Vault natively supports (DigiCert – GlobalSign)<\/li>\n<\/ul>\n<\/li>\n
- Custom CA:<\/strong> It is created locally by the company or developer to sign and verify the self-signed certificates for internal, development, and testing environments.<\/li>\n<\/ul>\n
Certificate generation tools:<\/strong> Azure Key Vault and OpenSSL are used for this sample.<\/p>\n
The following diagram shows the flow of creating a new certificate using an Azure Key Vault custom or non-integrated CA provider, more details<\/a><\/p>\n
![\"Create](\"https:\/\/learn.microsoft.com\/en-us\/azure\/Key-Vault\/media\/certificate-authority-1.png\")
<\/p>\nStart Temporal Cluster with mTLS\u00a0enabled<\/h3>\n
To start a Temporal cluster with mTLS enabled, three steps need to be executed in order:<\/p>\n
- \n
- 1. Generate the required certificates<\/a><\/li>\n
- 2. Deploy and start a Temporal Cluster<\/a><\/li>\n
- 3. Start Temporal Worker<\/a><\/li>\n<\/ul>\n
1. Generate the required certificates<\/h3>\n
Temporal has some requirements from the CA and end-entity certificates listed here<\/a>. The simplest Temporal TLS environment requires three certificates:<\/p>\n
- \n
- CA certificate:<\/strong> the certificate used for signing and verifying the cluster and client certificates.<\/li>\n
- Cluster certificate:<\/strong> encrypting communication between nodes in the cluster.<\/li>\n
- Client certificate:<\/strong> encrypting communication between worker and the cluster front-end service.<\/li>\n<\/ul>\n
More advanced environment setup can be found in Temporal samples repository<\/a><\/p>\n
The list of configuration required to create the new certs:<\/p>\n
- \n
- CA:<\/strong> config<\/a> and policy<\/a> files<\/li>\n
- Cluster:<\/strong> config<\/a> and policy<\/a> files<\/li>\n
- Client:<\/strong> config<\/a> and policy<\/a> files<\/li>\n<\/ul>\n
Full source code generate-test-certs-keyvault.sh<\/a><\/p>\n
###################################################\r\n# Create a custom CA certificate to be used for \r\n# signing both cluster and client the certificate\r\n###################################################\r\n# Variables\r\ncertDir=.\/certs\r\ncertName=\"ca\"\r\nkeyVault=\"<key-vault-name>\"\r\n\r\n# `az rest` is used instead of `az keyvault certificate create` \r\n# because the latter does not support creating a CA self-signed certificate\r\n# https:\/\/github.com\/Azure\/azure-cli\/issues\/18178\r\naz rest \\\r\n --method post \\\r\n --body @$certName-cert-policy.json \\\r\n --resource \"https:\/\/vault.azure.net\" \\\r\n --headers '{\"content-type\":\"application\/json\"}' \\\r\n --uri \"https:\/\/$keyVault.vault.azure.net\/certificates\/$certName\/create\" \\\r\n --uri-parameters 'api-version=7.2'\r\n\r\n# Wait for cert to be ready\r\nstatus=\"inProgress\"\r\nwhile [ \"$status\" != \"completed\" ]\r\ndo\r\n status=$(az keyvault certificate pending show --vault-name=$keyVault --name=$certName --query status --output tsv)\r\n sleep 1\r\ndone\r\n\r\n# Download the certificate from Key Vault\r\naz keyvault secret download --vault-name $keyVault --name $certName --file \"$certDir\/$certName.pem\"\r\n\r\n# Export private key\r\nopenssl pkey -in \"$certDir\/$certName.pem\" -out \"$certDir\/$certName.key\"\r\n\r\n# Export certificate\r\nopenssl x509 -in \"$certDir\/$certName.pem\" -out \"$certDir\/$certName.cert\"<\/code><\/pre>\n###################################################\r\n# Create a certificate signed by the custom CA certificate generated above\r\n# The same script is used to generate both the cluster and client certs\r\n###################################################\r\n\r\n# Variables\r\ncertDir=.\/certs\r\ncertName=\"cluster\"\r\ncaCertName=\"ca\"\r\nkeyVault=\"<key-vault-name>\"\r\n\r\n# Create a new certificate in Key Vault\r\nCSR=$(az keyvault certificate create --vault-name $keyVault --name $certName --policy \"@$certName-cert-policy.json\" | jq -r '.csr')\r\n\r\n# Create the certificate CSR(Certificate signing request) file\r\nCSR_FILE_CONTENT=\"-----BEGIN CERTIFICATE REQUEST-----\\n$CSR\\n-----END CERTIFICATE REQUEST-----\"\r\necho -e $CSR_FILE_CONTENT >> \"$certDir\/$certName.csr\"\r\n\r\n# Download the private key from Key Vault in PEM Format\r\naz keyvault secret download --vault-name $keyVault --name $certName --file \"$certDir\/$certName.pem\"\r\n\r\n# Export private key from the downloaded pem file\r\nopenssl pkey -in \"$certDir\/$certName.pem\" -out \"$certDir\/$certName.key\"\r\n\r\n# Create the signed certificate using the downloaded CSR (certificate signing request)\r\nopenssl x509 -req -in $certDir\/$certName.csr -CA $caCertName.cert -CAkey $caCertName.key -sha256 -CAcreateserial -out $certDir\/$certName.cert -days 365 -extfile $certName.conf -extensions $exts\r\nlocal chain_file=\"$certDir\/$certName.cert\"\r\nif [[ $no_chain_opt != no_chain ]]; then\r\n chain_file=\"$certDir\/$certName-chain.cert\"\r\n cat $certDir\/$certName.cert $caCertName.cert > $chain_file\r\nfi\r\n\r\n# Generate the updated pem file with both cert and key to be imported into the Key Vault\r\ncat \"$certDir\/$certName.key\" $chain_file > \"$certDir\/$certName.pem\"\r\n\r\n# Import new pem into the Key Vault to be safely stored and used by the application\r\nCERT_IMPORT_RESPONSE=$(az keyvault certificate import --vault-name $keyVault --name $certName --file \"$certDir\/$certName.pem\")<\/code><\/pre>\n2. Deploy and start Temporal cluster<\/h3>\n
After generating the certificates, we can now start up the Temporal cluster using:<\/p>\n
- \n
- docker-compose.yml<\/strong><\/a>: contains the definition for cluster nodes and configurations.<\/li>\n
- start-temporal.sh<\/strong><\/a>: Script to set the environment variables and compose the cluster.<\/li>\n<\/ul>\n
3. Start Temporal Worker (Client)<\/h3>\n
Full source code Client.java<\/a><\/p>\n
\/\/ client certificate, which should look like:\r\nInputStream clientCert = new FileInputStream(env.getProperty(\"temporal.tls.client.certPath\"));\r\n\/\/ client key, which should look like:\r\nInputStream clientKey = new FileInputStream(env.getProperty(\"temporal.tls.client.keyPath\"));\r\n\/\/ certification Authority signing certificate\r\nInputStream caCert = new FileInputStream(env.getProperty(\"temporal.tls.ca.certPath\"));\r\n\r\n \/\/ Create SSL Context using the client certificate and key\r\n var sslContext = GrpcSslContexts.configure(SslContextBuilder\r\n .forClient()\r\n .keyManager(clientCert, clientKey)\r\n .trustManager(caCert))\r\n .build();\r\n\r\n\/*\r\n* Get a Workflow service temporalClient which can be used to start, Signal, and\r\n* Query Workflow Executions, This gRPC stubs wrapper talks to the Temporal service.\r\n*\/\r\nWorkflowServiceStubs service = WorkflowServiceStubs.newServiceStubs(\r\n WorkflowServiceStubsOptions\r\n .newBuilder()\r\n .setSslContext(sslContext)\r\n .setTarget(temporalServerUrl)\r\n .setChannelInitializer(c -> c.overrideAuthority(temporalServerCertAuthorityName)) \/\/ Override the server name used for TLS handshakes\r\n .build());\r\n\r\n\/\/ WorkflowClient can be used to start, signal, query, cancel, and terminate Workflows.\r\nworkflowClient = WorkflowClient.newInstance(service);<\/code><\/pre>\nPlease follow this readme to run the full sample on your local\u00a0machine<\/a><\/p>\n
Part 2: Temporal Authentication and Authorization using Azure AD<\/h2>\n
This part describes how to enable single-sign-on(SSO) for Temporal web UI users and using the Azure Active directory (AAD) as Oauth identity provider for authenticating users and generating JWT access tokens.<\/p>\n
![\"The](\"https:\/\/docs.temporal.io\/assets\/images\/frontend-authorization-order-of-operations-32581c182f2650f3c54796791e4cbcf1.png\")
<\/p>\nThese steps will be used to enable Temporal SSO using Azure AD:<\/strong><\/p>\n
- \n
- Create an app registration in AAD for authentication<\/li>\n
- Create app roles to set users\u2019 permissions per namespace<\/li>\n
- Enable SSO for Temporal Web UI configuration<\/li>\n
- Query an access token used for Temporal Worker apps and CLI (tctl)<\/li>\n<\/ul>\n
1. Creating an App Registration in AAD<\/h3>\n
When you register your application, Azure AD assigns a unique Application ID to it and allows you to add certain capabilities such as credentials, permissions, and sign-ons. The default settings allow only users from the tenant under which your app is registered to sign into your application.<\/p>\n
Step 1 (Create app registration)<\/h4>\n
- \n
- In Azure portal, select
Azure Active Directory<\/code> and thenApp registrations<\/code>.<\/li>\n- Click on
New registration<\/code> and fill in the following info:\n- \n
- Name:
temporal-auth-demo<\/code><\/li>\n- Other fields: leave default<\/li>\n<\/ul>\n<\/li>\n
- Click on
Register<\/code> to create application.<\/li>\n<\/ul>\nStep 2 (Create login Redirect URIs)<\/h4>\n
- \n
- Go to
Authentication<\/code> menu, click onAdd a platform<\/code> and selectWeb<\/code>.<\/li>\n- Later in this post, we will be running the Temporal Web UI locally at port 8080 so to enable SSO, we need to add a redirect URI for it:
http:\/\/localhost:8080\/auth\/sso\/callback<\/code>\n![\"setting](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-redirect-uris.png\")
<\/li>\n- Remember to check
Access tokens<\/code> and click onConfigure<\/code>.\n<\/li>\n
- Click on
Add URI<\/code> to add another one for Postman, which will be used later for querying access tokens for Temporal CLI:https:\/\/oauth.pstmn.io\/v1\/callback<\/code>\n![\"setting](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-postman-redirect-uri.png\")
<\/li>\n- Click on
Save<\/code> to finish.<\/li>\n<\/ul>\nStep 3 (Create a default scope)<\/h4>\n
Next we will need to create a default scope for the app registration.<\/p>\n
- \n
- Navigate to
Expose an API<\/code> menu, click onAdd a scope<\/code>.<\/li>\n- Leave the application ID URI as its default value:
api:\/\/{Client ID}<\/code> and click onSave and continue<\/code>.<\/li>\n- Set the scope name to
default<\/code> and fill in other required fields.<\/li>\n<\/ul>\nStep 4 (Create a client secret)<\/h4>\n
- \n
- Go to
Certificates & secrets<\/code> menu<\/li>\n- Click on
New client secret<\/code><\/li>\n- Enter a description for the secret and click on
Add<\/code>.<\/li>\n- Remember to copy the client secret\u2019s value for later use.<\/li>\n<\/ul>\n
Step 5 (Testing with Postman)<\/h4>\n
At this point, we can try querying an access token using Postman.<\/p>\n
Open Postman and go to
Authorization<\/code> tab, then select:\nType:OAuth 2.0<\/code>\nGrant Type:Authorization Code<\/code>\nCheckAuthorize using browser<\/code><\/p>\n![\"Testing](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-postman-authorization.png\")
<\/p>\nFill in the required info as below:<\/p>\n
- \n
- Auth URL:
https:\/\/login.microsoftonline.com\/{Tenant ID}\/oauth2\/v2.0\/authorize<\/code><\/li>\n- Access Token URL:
https:\/\/login.microsoftonline.com\/{Tenant ID}\/oauth2\/v2.0\/token<\/code><\/li>\n- Client ID: The application (client) ID<\/li>\n
- Client Secret: The application (client) secret<\/li>\n
- Scope:
api:\/\/{Client ID}\/default<\/code><\/li>\n- Then click on
Get New Access Token<\/code> and sign in using your browser:<\/li>\n- Make sure that your browser allows pop-up windows and can communicate with Postman to provide access tokens. If everything works properly, you can click on
Proceed<\/code> in Postman to see the returned access token:<\/li>\n<\/ul>\n<\/p>\n
Finally, go to jwt.ms<\/a> to decode the access token and check all available claims. We will need to add more claims later for authorization.<\/p>\n
2. Creating App Roles for User Permissions<\/h3>\n
- Access Token URL:
- Click on
- Leave the application ID URI as its default value:
- Later in this post, we will be running the Temporal Web UI locally at port 8080 so to enable SSO, we need to add a redirect URI for it:
- Click on
- In Azure portal, select
- start-temporal.sh<\/strong><\/a>: Script to set the environment variables and compose the cluster.<\/li>\n<\/ul>\n
- Cluster:<\/strong> config<\/a> and policy<\/a> files<\/li>\n
- Cluster certificate:<\/strong> encrypting communication between nodes in the cluster.<\/li>\n
- 2. Deploy and start a Temporal Cluster<\/a><\/li>\n
- 1. Generate the required certificates<\/a><\/li>\n
- CA certificates<\/strong> are suitable for all public-facing websites and software.<\/li>\n<\/ul>\n
- Frontend:<\/strong> Configuration for encrypting the frontend\u2019s public endpoints.<\/li>\n<\/ul>\n
- Part 2:<\/strong> Users authentication and authorization using Azure Active Directory (AAD) as identity provider<\/a>.<\/li>\n<\/ul>\n
- Client connections:<\/strong> To restrict a client’s network access to cluster endpoints you can limit it to clients with certificates issued by a specific Certificate Authority (CA).<\/li>\n
- Data Converter:<\/strong> helps encrypt data at rest (in data store).<\/li>\n<\/ul>\n<\/li>\n
- Data isolation and encryption:<\/strong>\n
![\"App](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-app-roles.png\")
<\/p>\n![\"Assign](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-app-roles-assign.png\")
<\/p>\n![\"Assign](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-app-roles-users.png\")
<\/p>\n![\"Add](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-app-roles-assign-view.png\")
<\/p>\n![\"Assign](\"https:\/\/devblogs.microsoft.com\/cse\/wp-content\/uploads\/sites\/55\/2023\/07\/aad-app-roles-assign-list.png\")
<\/p>\n