Enabling SSO with GitHub OAuth App kills the Web UI

[baduker]

Describe the bug
I'm migrating the issue from here.

Basically, I've been trying to enable SSO in temporal web ui using an OAuth app created in GitHub.

To Reproduce
Steps to reproduce the behavior:

In my case, run temporal on kubernetes and create an OAuth app in GitHub. Plug in the values, as shown here:

web:
  ingress:
    enabled: true
    className: alb
    hosts:
      - temporal.MY-DOMAIN.click
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: "HTTP"
      alb.ingress.kubernetes.io/group.name: MY-GROUP
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/ssl-redirect: "443"
      alb.ingress.kubernetes.io/target-type: ip
      external-dns.alpha.kubernetes.io/manage: "true"
  additionalEnv:
    - name: TEMPORAL_AUTH_ENABLED
      value: "true"
    - name: TEMPORAL_AUTH_PROVIDER_URL
      value: "https://github.com/login/oauth/authorize"
    - name: TEMPORAL_AUTH_CLIENT_ID
      value: "Ov23lDEADCODE8LHILl"
    - name: TEMPORAL_AUTH_CALLBACK_URL
      value: "https://temporal.MY-DOMAIN.click/auth/sso/callback"
  additionalEnvSecretName: temporal-auth-client-secret

Deploy and expect failure.

Expected behavior

I should be getting a login landing page for my OAuth GitHub App like this one here:

However, the moment I deploy the changes with SSO enabled, the web-ui pod dies. I'm sure the envs get passed along with the temporal-auth-client-secret because when I inspect the pod I see this:

Restart Count:  5
Environment Variables from:
temporal-auth-client-secret  Secret  Optional: false                 
Environment:                                            
TEMPORAL_ADDRESS:            temporal-dev-frontend.temporal.svc:7233     
TEMPORAL_AUTH_ENABLED:       true        
TEMPORAL_AUTH_PROVIDER_URL:  https://github.com/login/oauth/authorize               
TEMPORAL_AUTH_CLIENT_ID:     Ov23lDEADCODE8LHILl
TEMPORAL_AUTH_CALLBACK_URL:  https://temporal.<MY_DOMAIN>.click/auth/sso/callback

When I check the logs, I get a huge HTML from GitHub that when rendered says it's a 404.

This is what the log starts with:

2024/12/04 16:00:25 Loading config; env=docker,configDir=config
2024/12/04 16:00:25 Loading config files=[config/docker.yaml]
2024/12/04 16:00:25 Loading config; env=docker,configDir=config
2024/12/04 16:00:25 Loading config files=[config/docker.yaml]
2024/12/04 16:00:26 404 Not Found:

<GITHUB'S 404 HTML GOES HERE>

Additional context

• Temporal Version: Helm Chart v0.51.0 and Temporal Web 2.31.2
• I'm using Kubernetes
• I'm using an OAuth App in GitHub

Here's the feedback I got in the previous issue:

This is not a bug with the helm chart, but a configuration issue for the ui-server. You can file an issue against here: https://github.com/temporalio/ui. At a quick glance though, it does not look like Github OIDC is supported by the UI Server as I don't think it provides a "well known" endpoint. It's this endpoint that the UI Server expects to see in the TEMPORAL_AUTH_PROVIDER_URL so it can discover the authorize and token endpoints. Currently the UI Server does not offer a way to configure the authorize and token endpoints separately which would be required to support Github for OIDC.