🐛 Bug Report: auth.getAccessToken doesn't survive page reloads anymore #20322
Comments
Relates to #20103 which doesn't seem to be fully fixed

Can anyone else confirm that they're experiencing this issue?

@kunickiaj I can confirm the issue. After some investigation I think there is a problem in the session refresh handler. I see that the

@kunickiaj I updated and am encountering this issue as well, using Okta auth.

Not very familiar with this implementation so going to try to add some more details to what I'm observing if it helps. When loading a page that has a plugin that wants gh repo scope (to make some gh requests) I see: it returns a response that even includes the accessToken, however scope is

```
{
  ...
  "providerInfo": {
    "accessToken": "ghu_....",
    "scope": "",
    "expiresInSeconds": "28800"
  }
  ...
}
```

Once I click on the login popup I see that GH requests are made with a different I think this might confirm your suspicions that the requested scope is not being returned in the response.

I can confirm that modifying one of our internal plugins to request an access token for I'm happy to open a PR with the suggested change, just not entirely sure how to best test it (or add a unit test for it).

nvm, was able to repro/verify fix using what is the process for getting this backported as 1.18.4?

The refresh handler is returning an empty scope if scope was previously saved in a cookie. The session is successfully refreshed but the client receives a response without the scope it requested, prompting a new login.

Resolves #20322

Signed-off-by: Adam Kunicki <kunickiaj@gmail.com>
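
A simplified model of the behaviour described in this thread, added here as an example and not taken from the Backstage code base: a refresh that succeeds but reports an empty scope fails the client's scope check and forces a new login. The function names, the `returnPersistedScope` switch, the sample scope string and the token placeholder are assumptions made for illustration.

```typescript
// Added illustration: a simplified model of the scope handling discussed in this
// issue. All names here are hypothetical and are not Backstage's actual code.

type ProviderInfo = {
  accessToken: string;
  scope: string; // space-separated scopes the session is reported to have
  expiresInSeconds: number;
};

type Decision = 'reuse-session' | 'prompt-login';

// Constructed sample: the scope that was saved in a cookie at login.
const PERSISTED_SCOPE = 'read:user repo';

// Split a scope string on whitespace or commas, ignoring empty pieces.
function parseScopes(scope: string): string[] {
  return scope.split(/[\s,]+/).filter(s => s.length > 0);
}

// Refresh handler model. With `returnPersistedScope` set to false it reproduces
// the reported behaviour: the token is refreshed but the scope comes back empty.
// With true, the scope persisted at login is echoed back to the client.
function refreshSession(
  persistedScope: string | undefined,
  returnPersistedScope: boolean,
): ProviderInfo {
  return {
    accessToken: '<refreshed-token>', // constructed placeholder
    scope: returnPersistedScope ? (persistedScope ?? '') : '',
    expiresInSeconds: 28800,
  };
}

// Client-side check: the refreshed session is reused only if it is reported to
// cover every scope the plugin asked for; otherwise the user is sent to log in.
function decide(info: ProviderInfo, requested: string[]): Decision {
  const granted = parseScopes(info.scope);
  return requested.every(s => granted.indexOf(s) !== -1)
    ? 'reuse-session'
    : 'prompt-login';
}
```

The scope check itself stays strict in both cases: a session that really lacks a requested scope still leads to a login prompt.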
📜 Description
When calling auth.getAccessToken for the GitHub provider, it forces the user to log in even if they're already logged in. This session can withstand route changes and subsequent calls, but not a page reload. The user will see a login popup again.
👍 Expected behavior
It should work as it used to where if the provider has already been authorized, a token should be returned.
👎 Actual Behavior with Screenshots
It actually prompts the user to log in on every page load.
👟 Reproduction steps
Using Backstage 1.18.3, try something like the PR plugin (https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/frontend/backstage-plugin-github-pull-requests)
I'm experiencing the same behavior on an internal techdocs addon that calls the GH api.
📃 Provide the context for the Bug.
No response
🖥️ Your Environment
Chrome Version 117.0.5938.132 (Official Build) (arm64)
👀 Have you spent some time to check if this bug has been raised before?
🏢 Have you read the Code of Conduct?
Are you willing to submit PR?
Yes I am willing to submit a PR!