@0xNadeem 0xNadeem commented Jan 8, 2026

  • Add MetadataProvider base class and KeycloakJwtProvider implementation
  • Add MetadataInjectionInterceptor to inject JWT into all gRPC calls
  • Support for obtaining JWT tokens from Keycloak using client credentials flow
  • Automatic token caching with expiration handling
  • Metadata injection into all Temporal workflow API calls

This enables JWT-based authentication with Keycloak for Temporal services without requiring an Envoy proxy or external gateway.


@0xNadeem 0xNadeem requested a review from a team as a code owner January 8, 2026 14:00
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cretz cretz Jan 8, 2026

While this is kind of a good example of why we have interceptors (so anyone can build these), not sure we want this one built into the SDK.

There are a couple of problems with this approach. You can't really use client interceptors to inject RPC options. Not every client call goes through interceptors. This is especially true for internal client calls that the workers use.

The way that auth bearer tokens should be set is by using the api_key setter method on the client's connection that we very intentionally expose for this exact reason (or rpc_metadata if it wasn't an auth bearer token). So you have to push auth updates, it cannot be a lazy pull model. This is because the client is actually in Rust and does not call back into Ruby for every call.
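The push model described in the review above, as an added Ruby example that is not code from this PR or from the Temporal SDK: a Keycloak client-credentials fetch plus a refresher that writes the token into the connection's api_key setter before it expires, so worker-internal calls carry it too. The Keycloak endpoint shape, StubConnection and the Temporalio usage in the trailing comment are assumptions.

```ruby
require "json"
require "net/http"
require "uri"

# Obtains a JWT from Keycloak with the client-credentials grant.
# Assumption: standard Keycloak token endpoint and JSON response fields.
class KeycloakClientCredentials
  def initialize(token_url:, client_id:, client_secret:)
    @uri, @client_id, @client_secret = URI(token_url), client_id, client_secret
  end

  # Returns [access_token, expires_in_seconds].
  def call
    res = Net::HTTP.post_form(@uri, "grant_type" => "client_credentials",
                                    "client_id" => @client_id, "client_secret" => @client_secret)
    raise "token request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    body = JSON.parse(res.body)
    [body.fetch("access_token"), Integer(body.fetch("expires_in"))]
  end
end

# Push model: the refresher writes the token into the connection's api_key= setter
# ahead of expiry, so every call (including the worker's internal ones) carries it.
class ApiKeyRefresher
  def initialize(connection, fetch_token, leeway: 30)
    @connection, @fetch_token, @leeway = connection, fetch_token, leeway
    @expires_at = nil
  end

  # Refreshes only when within `leeway` seconds of expiry; returns true if a token was pushed.
  def refresh_if_needed(now: Time.now)
    return false if @expires_at && now < @expires_at - @leeway
    token, ttl = @fetch_token.call
    @connection.api_key = token
    @expires_at = now + ttl
    true
  end

  def run_forever(interval: 10)
    loop { refresh_if_needed; sleep interval }
  end
end

# Stand-in for client.connection (constructed; assumes the real object exposes api_key=).
StubConnection = Struct.new(:api_key)

# Usage with the real SDK (assumed call shapes, not taken from the page):
#   client = Temporalio::Client.connect("localhost:7233", "default")
#   fetch = KeycloakClientCredentials.new(token_url: "https://KEYCLOAK_HOST/realms/REALM/protocol/openid-connect/token",
#                                         client_id: ENV["KC_ID"], client_secret: ENV["KC_SECRET"])
#   Thread.new { ApiKeyRefresher.new(client.connection, fetch).run_forever }
```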
