Pinniped Auth Provider #19846

RubenV-dev · 2023-09-07T19:30:36Z

Hey, I just made a Pull Request!

Enable the auth-backend plugin to get cluster-scoped ID tokens via an RFC 8693 token exchange using a newly introduced Pinniped Auth Provider

Relates to issue #14011 --strictly an integration with the pinniped supervisor, forming only an incomplete part of an overall pinniped integration.

✔️ Checklist

A changeset describing the change and affected packages. (more info)
Added or updated documentation
Tests for new functionality and regression tests for bug fixes
Screenshots attached (for UI changes)
All your commits have a Signed-off-by line in the message. (more info)

backstage-goalie · 2023-09-07T19:31:06Z

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@backstage/plugin-auth-backend-module-pinniped-provider	plugins/auth-backend-module-pinniped-provider	minor	`v0.0.0`
@backstage/plugin-auth-node	plugins/auth-node	patch	`v0.4.0-next.2`

RubenV-dev · 2023-09-07T19:35:40Z

@jamieklassen would appreciate anymore feedback. Thought i would open this up to see if there were any other places that might need addressing for this auth provider.

plugins/auth-backend-module-pinniped-provider/src/module.test.ts

github-actions · 2023-09-07T19:45:27Z

Uffizzi Preview deployment-35479 was deleted.

plugins/auth-backend-module-pinniped-provider/src/authenticator.test.ts

plugins/auth-backend-module-pinniped-provider/src/authenticator.ts

plugins/auth-backend/package.json

jamieklassen · 2023-09-07T21:08:08Z

Worth mentioning that this relates to #14011 -- it is also strictly an integration with the pinniped supervisor, forming only an incomplete part of an overall pinniped integration.

jamieklassen

I scanned and made a bunch of "single comments" and didn't gather them into a review so I'm formally "requesting changes" here. Can we also update plugins/auth-backend/config.d.ts with the schema for this new provider? It's a good place to start documenting the fields like federationDomain, clientId, and clientSecret. At a first glance, it might not be obvious that those config values are required.

RubenV-dev · 2023-09-08T15:03:35Z

Sure thing this all makes sense i will get to working on those changes. I have to take a closer look at those dependencies in my package.json, if i recall correctly the linter was screaming about not having certain dependencies installed and i used the provided cli calls to rectify the issue. Probably in all the refactoring those libraries/dependencies arent even used anymore which makes things look a bit funky.

jamieklassen

Thought of one more improvement before I forget, and requested some additional input from @cfryanr who works on Pinniped

plugins/auth-backend-module-pinniped-provider/src/authenticator.ts

jamieklassen

Looks like this also need a rebase; some conflicts to resolve

Just driving with the test at this point, hitting some trouble with express-session/cookies but I have an idea for an approach when I return to it: Hopefully it will be enough to enable all the right middlewares in our express app under test and then use `request.agent` from supertest as in https://github.com/ladjs/supertest/blob/25920e7a1d246b590123417bfce33221db88e947/README.md?plain=1#L244-L256 which can make an initial request to the `/start` endpoint and persist cookies to the next request (the interesting one under test) to `/handler/frame`. Signed-off-by: Jamie Klassen <jklassen@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

Removed all the code that wasn't impacting a failing test, and removed the "ID token" test -- we'll start with access tokens since they are more important for our token-exchange use case. Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>

Now the unit tests for the start method should render the '#start' describe in index.test.ts redundant. Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>

Some thoughts at this point: * it would be nice to gather all the fakePinnipedSupervisor setup together in the beforeEach rather than spreading it throughout the test body * we need a real JWK/JWKS endpoint for token signing Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

…it tests Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

… state, fix integration tests Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

and remove tokenSignedAlg option from pinniped, since it's not actually configurable by end users. This means that all the tests use ID tokens signed with a real JWK. Signed-off-by: Jamie Klassen <jklassen@vmware.com>

… #start refactor complete Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com> Co-authored-by: Jamie Klassen <jklassen@vmware.com>

Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>

github-actions · 2023-10-13T15:36:54Z

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.19.0 release, scheduled for Tue, 17 Oct 2023.

RubenV-dev requested review from backstage-service and a team as code owners September 7, 2023 19:30

RubenV-dev requested review from Rugvip and tudi2d September 7, 2023 19:30

github-actions bot added the auth label Sep 7, 2023

github-advanced-security bot found potential problems Sep 7, 2023

View reviewed changes

plugins/auth-backend-module-pinniped-provider/src/module.test.ts Dismissed Show dismissed Hide dismissed

plugins/auth-backend-module-pinniped-provider/src/module.test.ts Dismissed Show dismissed Hide dismissed

RubenV-dev force-pushed the pinniped-auth branch from 81990b5 to 5099cd4 Compare September 7, 2023 19:47