
ACR: Support scope-tokens

Open davidkarlsen opened this issue 1 year ago • 6 comments

What do you want to improve?

Avoid root-access keys by either using managed identities or scope-tokens.

What is the current behavior?

Docs at https://janus-idp.io/plugins/acr say to generate an access token, but this will have a short validity period.

What will the new behavior be?

See https://azure.github.io/acr/Token-BasicAuth.html#using-the-token-api: let the user define a scope token, and have a backend plugin do the login to keep the token fresh and provide an API.

davidkarlsen avatar Dec 29 '23 14:12 davidkarlsen

Anyone at home?

davidkarlsen avatar Jan 13 '24 20:01 davidkarlsen

Thanks @davidkarlsen for logging the issue. The docs provide an option for both Basic and Bearer and yeah with Bearer the token needs refresh.

So with the suggestion, what would need to be provided as part of app-config?

It seems https://www.npmjs.com/package/@azure/container-registry/v/1.0.0?activeTab=versions can be used.

invincibleJai avatar Jan 16 '24 06:01 invincibleJai

Looking at https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/containerregistry/container-registry they support AD, then it could work similar to: https://github.com/backstage/backstage/tree/master/plugins/azure-sites-backend .

We can open a ticket for support for scope-tokens if they don't already support that.

The point is to be able to use strong authentication and avoid powerful long-validity tokens like the current situation. The only way to really do that (in order to do rotation) is to have a backend plugin AFAIK.

davidkarlsen avatar Jan 16 '24 08:01 davidkarlsen
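The design sketched in the issue body and restated above is a backend plugin that holds the registry credential and hands short-lived tokens to the frontend, refreshing them before they expire. The following is an added example (not code from the janus-idp plugin or from any commenter) of that backend-side piece: a credential cache that accepts any token source, reads the `exp` claim from JWT-shaped tokens, refreshes proactively before expiry, and collapses concurrent callers onto one in-flight refresh. The `fakeTokenSource` is a constructed stand-in for the real source (the `@azure/container-registry` client with a managed-identity credential, or the ACR token API linked in the issue); the clock, skew and TTL values are assumptions chosen for the demonstration.

```typescript
// Added example: backend-side refreshing token provider for a registry such as ACR.
// Not part of the janus-idp ACR plugin; the token source below is constructed.

interface IssuedToken {
  token: string;        // bearer token as returned by the credential source
  expiresAtMs?: number; // explicit expiry, if the source reports one
}

type TokenFetcher = () => Promise<IssuedToken>;

// Decode base64 or base64url text (JWT segments are base64url without padding).
function base64UrlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return atob(b64 + pad);
}

// Read the `exp` claim of a JWT-shaped token as epoch milliseconds.
// Returns undefined for non-JWT or unparsable tokens; the signature is not checked
// here because the backend only uses `exp` to schedule its own refresh.
export function jwtExpiryMs(token: string): number | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload.exp === "number" ? payload.exp * 1000 : undefined;
  } catch {
    return undefined;
  }
}

export class RefreshingTokenProvider {
  private cached?: { token: string; expiresAtMs: number };
  private inflight?: Promise<string>;
  public fetchCount = 0; // how often the credential source was actually called

  constructor(
    private readonly fetcher: TokenFetcher,
    private readonly now: () => number = () => Date.now(),
    private readonly refreshSkewMs = 60_000,   // assumed: refresh 60 s before expiry
    private readonly defaultTtlMs = 5 * 60_000, // assumed: TTL when no expiry is known
  ) {}

  // Returns a token that is valid for at least `refreshSkewMs` more milliseconds.
  // Concurrent callers during a refresh share the same promise (no token storm).
  getToken(): Promise<string> {
    const c = this.cached;
    if (c && c.expiresAtMs - this.now() > this.refreshSkewMs) {
      return Promise.resolve(c.token);
    }
    if (!this.inflight) {
      this.inflight = this.refresh().then(
        t => { this.inflight = undefined; return t; },
        e => { this.inflight = undefined; throw e; },
      );
    }
    return this.inflight;
  }

  private async refresh(): Promise<string> {
    this.fetchCount++;
    const issued = await this.fetcher();
    const expiresAtMs =
      issued.expiresAtMs ?? jwtExpiryMs(issued.token) ?? this.now() + this.defaultTtlMs;
    if (expiresAtMs <= this.now()) {
      throw new Error("credential source returned an already-expired token");
    }
    this.cached = { token: issued.token, expiresAtMs };
    return issued.token;
  }
}

// Constructed sample credential source: mints unsigned JWT-shaped tokens that expire
// 120 s after issue, driven by an injectable clock. Not real ACR tokens.
function fakeTokenSource(clock: { nowMs: number }): TokenFetcher {
  let n = 0;
  return async () => {
    n++;
    const header = btoa(JSON.stringify({ alg: "none", typ: "JWT" }));
    const payload = btoa(
      JSON.stringify({ iss: "constructed-example", exp: Math.floor(clock.nowMs / 1000) + 120, n }),
    );
    return { token: `${header}.${payload}.` };
  };
}

// Walk the provider through fresh, cached and proactively-refreshed states.
export async function simulate(): Promise<{ fetches: number; distinct: number }> {
  const clock = { nowMs: 1_700_000_000_000 };
  const provider = new RefreshingTokenProvider(fakeTokenSource(clock), () => clock.nowMs);
  const seen = new Set<string>();
  // t=0: three concurrent callers, one fetch
  const first = await Promise.all([provider.getToken(), provider.getToken(), provider.getToken()]);
  first.forEach(t => seen.add(t));
  clock.nowMs += 30_000; // t=30 s: 90 s left, beyond the skew -> served from cache
  seen.add(await provider.getToken());
  clock.nowMs += 40_000; // t=70 s: 50 s left, inside the skew -> refreshed early
  seen.add(await provider.getToken());
  return { fetches: provider.fetchCount, distinct: seen.size };
}
```

In a real backend plugin the fetcher would wrap whatever strong credential the deployment has (a managed identity or a scope-limited token), and only `getToken()` would be exposed over the plugin's API, so the frontend never sees the underlying secret and rotation happens without user involvement.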

> Looking at https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/containerregistry/container-registry they support AD, then it could work similar to: https://github.com/backstage/backstage/tree/master/plugins/azure-sites-backend .
>
> We can open a ticket for support for scope-tokens if they don't already support that.
>
> The point is to be able to use strong authentication and avoid powerful long-validity tokens like the current situation. The only way to really do that (in order to do rotation) is to have a backend plugin AFAIK.

Yeah, currently the ACR plugin in Janus is frontend, and to support this we would need to evaluate this and decide if https://github.com/backstage/backstage/tree/master/plugins/azure-sites-backend can serve or a new backend plugin needs to be created.

@christophe-f / @kadel FYI

invincibleJai avatar Jan 16 '24 13:01 invincibleJai

Yes this is something we should definitely consider doing.

christophe-f avatar Jan 16 '24 14:01 christophe-f

I just mentioned azure-sites-backend as an example which does MS integration (there are others too, like azure-resources, the ADO stuff etc.) - it serves another purpose, so I don't think it is suitable for the ACR stuff.

davidkarlsen avatar Jan 16 '24 18:01 davidkarlsen

This issue has been closed due to the fact that the Janus community is being sunset.

For future plugin issues, please use https://github.com/backstage/community-plugins/issues

For future showcase issues, please use https://issues.redhat.com/browse/RHIDP

For more information on the sunset, see:

https://janus-idp.io/blog/2024/07/05/future-of-janus-community
https://issues.redhat.com/browse/RHIDP-3690
https://issues.redhat.com/browse/RHIDP-1018

rhdh-bot avatar Sep 03 '24 17:09 rhdh-bot