Skip to content

feat(ui-server): add forward of static headers from env#3093

Open
wensiet wants to merge 1 commit intotemporalio:mainfrom
wensiet:feat-add-static-headers-forward
Open

feat(ui-server): add forward of static headers from env#3093
wensiet wants to merge 1 commit intotemporalio:mainfrom
wensiet:feat-add-static-headers-forward

Conversation

@wensiet
Copy link

@wensiet wensiet commented Jan 14, 2026
edited
Loading

Description & motivation 💭

This PR introduces static headers forwarding to gRPC temporal frontend.

Our scenario is:

  • custom authorizer & claim-mapper plugin for temporal server
  • TLS is provided by the infrastructure and cannot be configured
  • to authenticate request, we need custom header, like x-service-auth=some-token-here
  • it works with temporal-cli or SDK's, with grpc-meta, but UI only has forwarding headers, which is not suitable

To solve this issue, we introduce new env var: TEMPORAL_SERVER_STATIC_HEADERS. It is later converted to config field staticHeaders.

Format is: TEMPORAL_SERVER_STATIC_HEADERS="some-header=someval,another-header=someval"

Screenshots (if applicable) 📸

No ui components changed.

Design Considerations 🎨

No ui components changed.

Testing 🧪

Manually tested with temporal-frontend. Added unit tests to ensure logic is correct.

How was this tested 👻

  • Manual testing
  • E2E tests added
  • Unit tests added

Steps for others to test: 🚶🏽‍♂️🚶🏽‍♀️

Add staticHeaders to configs, example:

staticHeaders:
  authorization: some-tkn

Or use ENV var TEMPORAL_SERVER_STATIC_HEADERS="authorization=some-tkn"

Checklists

Draft Checklist

Merge Checklist

Issue(s) closed

Docs

Any docs updates needed?

Yes, UI startup docs.

@vercel
Copy link

vercel bot commented Jan 14, 2026

Someone is attempting to deploy a commit to the Temporal Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant
Copy link

CLAassistant commented Jan 14, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@wensiet wensiet marked this pull request as ready for review January 14, 2026 11:41
@wensiet wensiet requested a review from a team as a code owner January 14, 2026 11:41
@wensiet wensiet requested review from laurakwhit and removed request for a team January 14, 2026 11:41
@wensiet wensiet force-pushed the feat-add-static-headers-forward branch from 73bcb30 to 784f8c3 Compare January 16, 2026 06:45
@wensiet
Copy link
Author

wensiet commented Jan 22, 2026

@laurakwhit hi! can you take a look at it pls

@laurakwhit
Copy link
Collaborator

laurakwhit commented Jan 22, 2026
edited
Loading

it works with temporal-cli or SDK's, with grpc-meta, but UI only has forwarding headers, which is not suitable

@wensiet can you provide a little more context as to why forwarding headers is not suitable for your use case?

@laurakwhit laurakwhit requested review from picatz and removed request for Alex-Tideman January 22, 2026 21:05
@wensiet
Copy link
Author

wensiet commented Jan 23, 2026

Someone is attempting to deploy a commit to the Temporal Team on Vercel.

A member of the Team first needs to authorize it.

If we use forwarding we will need to expose token to ui end user (for example tech support) and somehow forward it (for example via browser extensions). However we already have authorization in UI via SSO, so it creates some amount of redundant actions, and does not allow us to seamlessly rotate token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurakwhit laurakwhit Awaiting requested review from laurakwhit laurakwhit is a code owner automatically assigned from temporalio/frontend-engineering

@rossnelson rossnelson Awaiting requested review from rossnelson

@picatz picatz Awaiting requested review from picatz

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wensiet @CLAassistant @laurakwhit