
[Feature Request] SSO Authentication via the CLI

Open gmintoco opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe.

It is time-consuming to distribute certificates to developers so they can use the temporal CLI. It is also a potential security concern, as these are long-lived credentials stored on developers' laptops.

Describe the solution you'd like

Ideally you would be able to authenticate using the browser SSO to collect a short-term token that would allow authentication to the Temporal Server. This would make the user experience much smoother, similar to how gcloud auth or aws sso works.

Additional context

gmintoco Apr 18 '23 10:04

ty for the request, discussing with the team

feedmeapples Apr 24 '23 22:04

Currently there is no plan to authenticate the CLI using browser SSO, so as not to incentivize people to do that in their pipelines. As an option, a JWT server could be used to provide the token to the CLI (e.g. https://github.com/temporalio/samples-go/tree/main/serverjwtauth#using-tctl-and-registering-the-default-namespace). The example uses tctl; in the temporal CLI the alternative to tctl's --auth flag is --grpc-meta.

feedmeapples Apr 26 '23 22:04

Hey @feedmeapples, I was just having a look at this again. I am curious as to why it would be unwanted to facilitate OAuth via the CLI within pipelines or not?

In my mind, running tctl auth would trigger an OAuth flow from the CLI client to get the user to authenticate to cloud.temporal.io; the CLI would then get a token it could use as a JWT to authenticate to the server endpoint. This would be a really easy user experience for developers and reduce the burden of maintaining TLS keys.

I took a look through the JWT option you mentioned above; it a) doesn't seem possible for use with Temporal Cloud and b) is rather complex operationally.

Perhaps I should have clarified as well that we are using Temporal Cloud with Google SSO.

Thanks :)

gmintoco Jun 29 '23 13:06

Re-opening for consideration.

tlalfano Oct 03 '23 21:10

+1 for the request. A perfect example of this would be the aws cli, which has aws sso login. The user is redirected to the web browser and granted a temporary token. It's not possible to run this in CI, as it uses an OTP through the web UI.

kobybum Oct 20 '23 13:10

Could you explain a bit more what type of solution you're expecting? Is this for Temporal Cloud or self-hosted?

bergundy Oct 20 '23 16:10