auth-node: refactor OAuth scope management
Hey, I just made a Pull Request!
This standardizes scope management across OAuth providers, and also aims to fix a couple of issues, especially providers that persist scopes. The overall goal of this is to be able to completely remove the need for bespoke auth APIs in the frontend, in particular for sign-in.
One issue that's been fixed is refreshing with scope persistence. In the current implementation the persisted scopes will always be used, which can break this client flow where a session is refreshed with requested scopes.
An issue that I'll be aiming to fix in followup usages of this is that many auth providers pass the scope option to the passport strategy. That only works if no scopes are requested by the client, because they are not merged. This aims to fix that by properly merging together required, additional, requested and granted scopes.
Will do updates for each provider in followups, so that we can get some eyes/testing of each individual update.
✔️ Checklist
Changed Packages
| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @backstage/plugin-auth-backend-module-atlassian-provider | plugins/auth-backend-module-atlassian-provider | minor | v0.1.11-next.1 |
| @backstage/plugin-auth-backend-module-bitbucket-provider | plugins/auth-backend-module-bitbucket-provider | patch | v0.1.2-next.1 |
| @backstage/plugin-auth-backend-module-github-provider | plugins/auth-backend-module-github-provider | patch | v0.1.16-next.1 |
| @backstage/plugin-auth-backend-module-gitlab-provider | plugins/auth-backend-module-gitlab-provider | patch | v0.1.16-next.1 |
| @backstage/plugin-auth-backend-module-google-provider | plugins/auth-backend-module-google-provider | patch | v0.1.16-next.1 |
| @backstage/plugin-auth-backend-module-microsoft-provider | plugins/auth-backend-module-microsoft-provider | patch | v0.1.14-next.1 |
| @backstage/plugin-auth-backend-module-oauth2-provider | plugins/auth-backend-module-oauth2-provider | minor | v0.1.16-next.1 |
| @backstage/plugin-auth-backend-module-oidc-provider | plugins/auth-backend-module-oidc-provider | minor | v0.1.10-next.2 |
| @backstage/plugin-auth-backend-module-okta-provider | plugins/auth-backend-module-okta-provider | patch | v0.0.12-next.1 |
| @backstage/plugin-auth-backend-module-pinniped-provider | plugins/auth-backend-module-pinniped-provider | patch | v0.1.13-next.1 |
| @backstage/plugin-auth-backend-module-vmware-cloud-provider | plugins/auth-backend-module-vmware-cloud-provider | minor | v0.1.11-next.1 |
| @backstage/plugin-auth-node | plugins/auth-node | patch | v0.4.14-next.2 |
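The four scope sources named in the PR description (required, additional, requested and granted) and the refresh problem it describes, as an added worked example. This is not code from this PR or from Backstage; the function names, the merge order and the re-authorization policy below are assumptions made for illustration.

```typescript
// Added example, not Backstage code. Names and policy are assumptions.

type ScopeSources = {
  required?: string | string[];   // scopes the provider itself always needs
  additional?: string | string[]; // extra scopes configured for the deployment
  requested?: string | string[];  // scopes the client asks for in this call
  granted?: string | string[];    // scopes already persisted for the session
};

// OAuth 2.0 scope values are space-delimited (RFC 6749 section 3.3), and
// client code often passes arrays, so accept either form and normalize.
function toScopeList(input?: string | string[]): string[] {
  if (!input) return [];
  const parts = Array.isArray(input) ? input : input.split(/\s+/);
  return parts.map(s => s.trim()).filter(s => s.length > 0);
}

// Deduplicated union with a stable order: required first, then additional,
// then what the session already holds, then what the client newly asks for.
// Nothing is dropped, which is the point the PR description makes about
// persisted scopes and the passport `scope` option both overriding requests.
function mergeScopes(sources: ScopeSources): string[] {
  const seen = new Set<string>();
  const out: string[] = [];
  const ordered = [sources.required, sources.additional, sources.granted, sources.requested];
  for (const list of ordered) {
    for (const scope of toScopeList(list)) {
      if (!seen.has(scope)) {
        seen.add(scope);
        out.push(scope);
      }
    }
  }
  return out;
}

// The refresh behaviour the PR calls broken, reproduced for contrast: when
// scopes are persisted they win outright, so a refresh that asks for an
// extra scope silently loses it.
function legacyRefreshScopes(granted: string[], requested: string[]): string[] {
  return granted.length > 0 ? granted : requested;
}

// Fixed flow (assumed policy): merge persisted and requested scopes, and tell
// the caller whether the persisted grant already covers the merged set (a
// silent refresh is enough) or the user must go through authorization again.
function planRefresh(sources: ScopeSources): { scopes: string[]; needsReauth: boolean } {
  const scopes = mergeScopes(sources);
  const granted = new Set(toScopeList(sources.granted));
  const needsReauth = scopes.some(s => !granted.has(s));
  return { scopes, needsReauth };
}

// Constructed sample: a session that holds "openid profile" is refreshed by a
// client that now also wants "repo".
console.log(JSON.stringify(planRefresh({
  required: 'openid',
  granted: 'openid profile',
  requested: ['repo'],
})));
```

The contrast worth noticing is that `legacyRefreshScopes` returns the persisted list unchanged, so the client never learns that its request was not honoured, whereas `planRefresh` returns the full merged set together with an explicit signal that a new authorization round is needed.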
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
Hi @Rugvip, I wonder if it is planned in this PR to remove some duplicated defaultScopes from different places and keep them in a standard way?
https://github.com/backstage/backstage/blob/6839b059a4681885856d34ede045853173e1a5cd/packages/core-app-api/src/apis/implementations/auth/okta/OktaAuth.ts#L52
https://github.com/backstage/backstage/blob/6839b059a4681885856d34ede045853173e1a5cd/plugins/auth-backend-module-okta-provider/src/authenticator.ts#L37
@liununu yep, that's one of the goals of this refactor. Some of it will be in followup PRs though.
There are quite a lot of reports coming in of issues that are fixed by this PR. I was aiming to have these changes go out a bit slower and per provider, but since this fixes a lot of known issues I think we're better off shipping this a bit faster and aim to have it put us in a better state than we are now. I've updated existing providers in https://github.com/backstage/backstage/pull/24743/commits/8efc6cf0d4ad29abc8ced6eab2a86e2d71479f70 so this PR is now ready to go, with hopefully no breakages of existing providers other than intentional ones.
@liununu to follow up a bit more, it's not the goal of this PR to completely remove the default scopes in the frontend. We're keeping them around to ensure compatibility as these changes are rolled out. In theory it would be safe to remove them straight away based on our version skew policy, but in practice it's nice to give a bit of leeway where possible to avoid breaking deployments in tricky ways.
I'll follow up on this work in a later release to start consolidating the auth APIs in the frontend and remove duplicated declarations.
Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.28.0 release, scheduled for Tue, 18 Jun 2024.