@jamie-thatch jamie-thatch commented Jun 3, 2025

Description & motivation 💭

This PR adds support for using ID tokens as Bearer tokens in the Authorization header for OIDC providers that require this authentication pattern.

Changes:

  • Added useIdTokenAsBearer configuration option to the AuthProvider struct
  • Implemented server-side token swapping in the auth middleware
  • When enabled, the server will use the ID token from the authorization-extras header as the Bearer token instead of the access token

Motivation:

Some OIDC providers (like certain Auth0 configurations) return opaque access tokens that cannot be used for API authorization. Instead, they require the ID token (which is a JWT) to be used as the Bearer token. This change allows the Temporal UI to work with such providers without requiring client-side configuration changes.

Screenshots (if applicable) 📸

N/A - Backend configuration change

Design Considerations 🎨

  • The configuration is kept at the provider level since it's OIDC-specific
  • The client remains agnostic to this configuration - it always sends the access token as Bearer and the ID token in extras
  • Token swapping happens transparently on the server side before forwarding to Temporal

Testing 🧪

How was this tested 👻

  • Manual testing with local OIDC provider
  • E2E tests added
  • Unit tests added for ValidateAuthHeaderExists function with token swapping scenarios

Steps for others to test: 🚶🏽‍♂️🚶🏽‍♀️

  1. Configure an OIDC provider in your development.yaml:
      auth:
        enabled: true
        providers:
          - type: oidc
            providerUrl: <your-provider-url>
            clientId: <your-client-id>
            clientSecret: <your-client-secret>
            callbackUrl: http://localhost:8080/auth/sso/callback
            useIdTokenAsBearer: true  # Enable the feature
  2. Start the UI server and authenticate via OIDC (Tested with https://github.com/panva/node-oidc-provider/ but many other OIDC providers will work)
  3. Verify that API requests to Temporal use the ID token as the Bearer token
  4. Check server logs to confirm token swapping is occurring
  5. Log in successfully

Checklists

Draft Checklist

  • Code implementation complete
  • Unit tests added
  • Manual testing completed

Merge Checklist

  • Code review feedback addressed
  • Documentation updated if needed

Issue(s) closed
#2365

Docs

Any docs updates needed?

Yes, the following documentation should be updated:

  • Add useIdTokenAsBearer to the auth provider configuration documentation
  • Include an example configuration for OIDC providers that require ID tokens as Bearer tokens
  • Document when and why this option should be used (opaque access tokens scenario)
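The server-side swap described under Design Considerations, sketched as a stand-alone Go net/http middleware. This is an added example, not code from the PR or from the Temporal UI server: the `AuthProvider` struct, the `SwapBearerToken` and `WithIDTokenAsBearer` names, and the assumption that `authorization-extras` carries the raw ID token string are mine, and the JWT-shape check before swapping is a defensive step the PR does not describe.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AuthProvider holds only the option this example needs; the field name
// mirrors the PR's config key but is not the project's struct.
type AuthProvider struct {
	UseIdTokenAsBearer bool
}

// looksLikeJWT is a structural check (three non-empty dot-separated
// segments). It does not verify the signature; the upstream does that.
func looksLikeJWT(tok string) bool {
	parts := strings.Split(tok, ".")
	return len(parts) == 3 && parts[0] != "" && parts[1] != "" && parts[2] != ""
}

// SwapBearerToken returns the Authorization value to forward. With the option
// on and a JWT-shaped ID token in extras, the Bearer value becomes the ID
// token; in every other case the original header is returned unchanged, so
// the existing "header must exist" check still applies.
func SwapBearerToken(p AuthProvider, authorization, extras string) string {
	if !p.UseIdTokenAsBearer || !looksLikeJWT(extras) {
		return authorization
	}
	return "Bearer " + extras
}

// WithIDTokenAsBearer rewrites the Authorization header before the request
// reaches the handler that proxies to Temporal; a missing header is a 401.
func WithIDTokenAsBearer(p AuthProvider, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		swapped := SwapBearerToken(p, r.Header.Get("Authorization"), r.Header.Get("authorization-extras"))
		if swapped == "" {
			http.Error(w, "missing Authorization header", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Authorization", swapped)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample: opaque access token plus a placeholder JWT-shaped ID token.
	p := AuthProvider{UseIdTokenAsBearer: true}
	fmt.Println(SwapBearerToken(p, "Bearer opaque-access-token", "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln"))
}
```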

@jamie-thatch jamie-thatch requested a review from a team as a code owner June 3, 2025 16:20
@jamie-thatch jamie-thatch requested review from laurakwhit and removed request for a team June 3, 2025 16:20

@rossnelson rossnelson left a comment

Nice work, thanks!

jamie-thatch commented Jun 25, 2025

Thanks for approving. Is there anything blocking this from being merged?

@rossnelson
Collaborator

Thanks for approving. Is there anything blocking this from being merged?

No blockers, feel free to merge.

@jamie-thatch
Contributor Author

Ah thanks for the quick response! I just don't have permission as far as I'm aware.

@rossnelson rossnelson merged commit 909ca88 into temporalio:main Jun 25, 2025
14 checks passed
@jamie-thatch
Contributor Author

Thanks, Ross

@jamie-thatch jamie-thatch deleted the feat/use-id-token-as-bearer branch June 27, 2025 14:59