-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Bug Report: Unable to use a different name for the Authorization token #23015
Comments
Hey 👋 ! This is a bit of a two-headed problem.
The project has settled on using There's also a bit of work going on in #22603 that will affect the pattern of calling these clients from the backend. |
Total side note @aramissennyeydd - that was actually meant to use |
@freben Ooo, that would make sense. Should I update the OpenAPI template for that? I was basing off of the existing |
For backend, yeah. The deal for the catalog has been
Now with the new auth work we're doing, we'll see if that backend picture shifts or not :) |
Wait, wouldn't this fit into the last section of the ADR?
Just spent like 15 minutes going down the rabbit hole of |
As which particular fetch? ;) yeah I see the catalog client actually uses global.fetch as its input type but uses cross-fetch as the default actual fallback implementation |
@aramissennyeydd I believe #2260 is the wrong link here? If I understand correctly, frontend should be consistent in using the fetchApi (which allows the authorization header to be named differently) while backend (service-to-service) must use Authorization. We self host backstage so if I'm not mistaken backend traffic doesn't leave the pod - there are scheduled tasks that run and talk to the API but I assume they do it on localhost:7007. To me this sounds like making frontend consistent would solve the proxy authentication requirement (that we leave the external Authorization header intact). |
@alexef Yup, should be #22603, must have accidentally deleted the last digit. And yes, you're correct, the frontend should use We'd love your help in making that frontend consistency happen! |
ok, so here is the battle plan. frontend plugins to adjust to use the fetchApi:
frontend plugins to adjust passing auth with configurable header name but without fetchApi:
need more clarity:
can I bundle multiple plugin updates in one PR or should I do one per plugin? |
The BEP explicitly calls out in its non-goals section that it does not aim to make room for the ability to change out the Authorization header as the carrier. One big reason for leaving that out of that particular workstream is to not scope creep. But also, we realize that Authorization is uniquely positioned in the sense that it doesn't get logged or otherwise handled in such a way that it might be compromised. All parties in all call chains know the semantics of how to handle it. Therefore it seemed like something that if it were to be made a priority, it warranted being a separate thing to look into. In the current work based on that BEP, the old contrib article for securing your backend goes away entirely, and is replaced by the platform "forcibly" locating, validating and unpacking the incoming credentials so that when the plugin is reached, the validity and chain of trust for the caller is already established. And the platform code will only, as part of this initial work at least, look at the Authorization header. We did speak a bit about this subject when we started out, which is why it's mentioned at all in the non-goals. There were some ideas that were floated, including using multiple Authorization headers so as not to interfere with any other ones added by the original caller. The proxy backend could even be smart about it and strip out the Backstage specific one if it sees several, before sending the request along. To get unblocked, if you only want to deal with the frontend calls to the backend, you could replace the fetchApi and then on the server side have a small middleware at the very top that looks for the custom header and injects it again as an Authorization header so the rest of the stack gets happy. I will say though, moving forward with ensuring that the fetchApi is universally used is a massively valuable thing either way. And if/when there's official support for alternative headers, the groundwork has been laid. |
I've got a PR for updating the Azure DevOps, DevTools, and Linguist plugins 👍 #23046 (this has been on my todo list for a bit now and I wanted to make these changes myself to better understand) |
@freben Thoughts on a new On a bit of a separate note, might it be worth moving some of that backend complexity to an abstracted backend implementation of @alexef For the For PRs, I'd recommend splitting it into 2 pieces, the |
Hm maybe. The usages are pretty few though. Would it be worth making it something even higher-level in its naming, so that it could support other tech backing it, or does that just make things unnecessarily complex? Probably. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Gonna reopen this as the requested clients haven't been updated AFAIK |
how do I add a middleware to my backend, I couldn't find an example? |
@alexef You register a custom rootHttpRouter service, and pass in a Something along the lines of (not tested ...) backend.add(rootHttpRouterServiceFactory({
configure({ app, applyDefaults }) {
app.use(myMiddleware);
applyDefaults();
}
}); |
tested, works! |
I wonder if another approach here could be to switch to a fetch-based event source? Afaik there's nothing particularly special about the Quick search found https://github.com/Azure/fetch-event-source, which could be a good candidate. It allows for a custom |
I can try an alternative implementation using microsoft/fetch-event-source. thanks for the pointer! |
I can see that some of the plugins in the list were moved unmodified to https://github.com/search?q=repo%3Abackstage%2Fcommunity-plugins%20Authorization&type=code will follow up with the remainder |
Not fully completed (missing events and a finall checkup that no hardcoded indentityApi token remains) |
@alexef How can I change the name of the backstage authorization header? |
@ggkoning first of all, in
(to trick the backend into consuming authorization from the custom header) then in:
(to trick clients to send the custom header instead of default) |
@alexef Thanks it works. You said that it is not fully completed yet what can I do to help? |
@ggkoning thanks for offering. you can try to spot other frontend->backend clients that don't use the fetchApi or that hardcode the "Authorization" header. (backend->backend is fine) the events PR is merged so it will be part of 1.28. also, similar changes to those in the PRs linked to this ticket need to be done to the plugins that moved out in: https://github.com/backstage/community-plugins |
@alexef I want to make these changes to this plugin https://github.com/backstage/community-plugins/tree/main/workspaces/jenkins/plugins/jenkins But how can I locally add and test that this plugin will work in our backstage deployment? |
@alexef I don't know how to test it but do you think these changes I made are good? backstage/community-plugins#548 |
📜 Description
We use an external authorization layer on our ingresses, and configured oauthProxy as the auth provider.
While some plugins properly implement the
FetchMiddlewares.injectIdentityAuth
method, which allows us to use a custom header name, there are multiple places in code where we assume the name of the header is 'Authorization' (examples: https://github.com/search?q=repo%3Abackstage%2Fbackstage+%22Authorization%3A+%60Bearer%22+language%3ATypeScript+path%3A&type=code) - techdocs, catalog being the most striking.LE: this is by design. Fronted plugins must use
fetchAPI
while backend plugins must pass anAuthorization
header. The bug scope is reduced to only fronted plugins.👍 Expected behavior
All frontend API requests should use the configurable
fetchAPI
so that the header name can be configured and not overlap with other authentication layers.👎 Actual Behavior with Screenshots
Authorization header is (sometimes) hardcoded
👟 Reproduction steps
Try to change the name of the
Authorization
header.📃 Provide the context for the Bug.
No response
🖥️ Your Environment
No response
👀 Have you spent some time to check if this bug has been raised before?
🏢 Have you read the Code of Conduct?
Are you willing to submit PR?
Yes I am willing to submit a PR!
The text was updated successfully, but these errors were encountered: