Skip to content

Auth: granular service-to-service tokens#23993

Merged
Rugvip merged 30 commits intomasterfrom
mob/auth-service-to-service
Apr 6, 2024
Merged

Auth: granular service-to-service tokens#23993
Rugvip merged 30 commits intomasterfrom
mob/auth-service-to-service

Conversation

@vinzscam
Copy link
Copy Markdown
Member

@vinzscam vinzscam commented Apr 4, 2024

Hey, I just made a Pull Request!

This PR provides a more granular implementation of service-to-service tokens, as described in #15999, ensuring that each plugin can generate its own signing key for issuing tokens. A new authentication mechanism between plugins has been implemented, allowing plugins to verify tokens issued by other plugins. The objective is to provide a more granular level of access control on requests originating from other plugins.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)

vinzscam and others added 20 commits April 4, 2024 14:40
@vinzscam @Rugvip
backend-plugin-api: add publicKeyStore service
b438fea 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: add publicKeyStoreServiceFactory
8d24ced 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: add createAuthIntegrationRouter
6e611a7 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: fix typings
8c861be 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: add PluginTokenHandler
1bb2134 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: pass expiration key
7231bc2 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: pass dependencies
e8fd082 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-defaults: instantiate publicKeyStoreService
eca60af 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: add signing keys migration
f1a0569 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: test service to service auth
ed99c79 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: move listPublicServiceKeys to authService
8c0401a 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: remove publicKeyStoreService implementation
6ce253d 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: verify service-to-service token
701c51a 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-test-utils: add missing mock methods
112eca5 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: return valid subject
e1afe84 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: final service to service refactoring
130b215 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: move jwks to JwksClient
ad8f173 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam @Rugvip
backend-app-api: detect legacy auth
39de4a7 
Co-authored-by: Patrik Oldsberg <poldsberg@gmail.com>
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-next: rollback auth example
ea84d25 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam
backend-app-api: auth changeset
bce0879 
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@vinzscam vinzscam mentioned this pull request Apr 4, 2024
Open
19 tasks
@backstage-goalie
Copy link
Copy Markdown
Contributor

backstage-goalie bot commented Apr 4, 2024
edited
Loading

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @backstage/plugin-auth-node

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name Package Path Changeset Bump Current Version
@backstage/backend-app-api packages/backend-app-api patch v0.6.3-next.0
@backstage/backend-common packages/backend-common patch v0.21.7-next.0
example-backend-next packages/backend-next none v0.0.25-next.0
@backstage/backend-plugin-api packages/backend-plugin-api patch v0.6.17-next.0
@backstage/backend-test-utils packages/backend-test-utils patch v0.3.7-next.0
e2e-test packages/e2e-test none v0.2.15-next.0
@backstage/plugin-auth-node plugins/auth-node none v0.4.12-next.0

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 4, 2024
edited
Loading

Uffizzi Cluster pr-23993 was deleted.

@Rugvip Rugvip marked this pull request as ready for review April 5, 2024 13:11
@Rugvip Rugvip requested review from a team and backstage-service as code owners April 5, 2024 13:11
@Rugvip Rugvip requested review from Rugvip and camilaibs April 5, 2024 13:11
@Rugvip
backend-app-api: update DatabaseKeyStore to trim expired keys
4f2aafb 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip Rugvip force-pushed the mob/auth-service-to-service branch from 0eae0e1 to 4f2aafb Compare April 5, 2024 13:12
Rugvip added 3 commits April 5, 2024 16:04
@Rugvip
backend-app-api: update DatabaseKeyStore to store expiration as string
ae38fbb 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip
changesets: added changesets for listPublicServiceKeys addition to Au…
007e7ea 
…thService

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip
backend-app-api: reorder auth service methods in implementation
a5f71d0 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Rugvip
Rugvip approved these changes Apr 5, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@Rugvip Rugvip left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 , assuming it's all good we're good

Assuming we can :shipit:, let's :shipit:

@Rugvip
api report updates for service token improvements
318c0b7 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip Rugvip enabled auto-merge April 5, 2024 14:31
Rugvip added 2 commits April 5, 2024 17:01
@Rugvip
backend-app-api: fix race end DatabaseKeyStore tests
d627a67 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip
e2e-test: added --keep option + error message improvements
9d74e68 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip Rugvip force-pushed the mob/auth-service-to-service branch from 6e31310 to 9d74e68 Compare April 6, 2024 09:56
Rugvip added 3 commits April 6, 2024 11:57
@Rugvip
backend-app-api: add routing test for DefaultRootHttpRouter
40548a6 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip
e2e-test: disable default auth policy for backend testing
7395364 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip
e2e-test: delay backend check
31ee337 
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@Rugvip Rugvip merged commit 0ed34a1 into master Apr 6, 2024
@Rugvip Rugvip deleted the mob/auth-service-to-service branch April 6, 2024 13:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 6, 2024

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.26.0 release, scheduled for Tue, 14 May 2024.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rugvip Rugvip Rugvip approved these changes

@backstage-service backstage-service Awaiting requested review from backstage-service backstage-service is a code owner

@camilaibs camilaibs Awaiting requested review from camilaibs camilaibs was automatically assigned from backstage/reviewers

Assignees

No one assigned

Labels

area:auth

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vinzscam @Rugvip