OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Integrate with Backstage #115

Closed vrabbi closed 1 month ago

vrabbi commented 1 month ago

Really loving this project. Have you ever tried integrating OpenUnison with Backstage? I have tried but am getting weird nonce errors when trying to log in. Any ideas what may be wrong? The error I'm getting is:

Login failed; caused by Error: Authentication rejected, nonce mismatch, expected undefined, got: b18293c5-0a01-4416-9864-8bbf84c60797

mlbiam commented 1 month ago

Really loving this project.

Thank you!

Have you ever tried integrating OpenUnison with Backstage?

Not yet, though it's on my list.

Login failed; caused by Error: Authentication rejected, nonce mismatch, expected undefined, got: b18293c5-0a01-4416-9864-8bbf84c60797

Interesting, can you please share your Backstage and OpenUnison config? It looks like we generate a nonce if one isn't provided, to make sure there's some entropy when we store the session, but I'm kind of amazed that Backstage isn't sending a nonce.

vrabbi commented 1 month ago

It seems the issue may have been fixed already in Backstage: https://github.com/backstage/backstage/issues/23773. I will try next week to bump my Backstage version and try it out.

vrabbi commented 1 month ago

So I got it to work now as an OIDC provider to log into Backstage! Now I'm having issues trying to make it work with the Kubernetes plugin though, for k8s auth from Backstage. If I have a dedicated Application CR created for Backstage, should the OIDC tokens it generates be valid against my k8s clusters integrated with OpenUnison? I am using the kube-oidc-proxy in this setup as well. I tried to configure the API endpoint of the OIDC proxy as the cluster endpoint in Backstage and tell it to use the same auth as Backstage itself, but it doesn't seem to like that and can't pull any data.

mlbiam commented 1 month ago

So I got it to work now as an OIDC provider to log into Backstage!

Fantastic!

If I have a dedicated Application CR created for Backstage, should the OIDC tokens it generates be valid against my k8s clusters integrated with OpenUnison?

No. The token is scoped to your specific client (Backstage) based on the client ID and issuer (your Application object). Your kube-oidc-proxy instance is scoped to the kubernetes client ID and the k8sidp Application.

Since you're using impersonation already, you can set up an additional kube-oidc-proxy to trust the identity provider and client for Backstage. The easiest way to do this is with https://cicd-proxy.github.io/, where we have some pre-built Helm charts for running a standalone kube-oidc-proxy. A Helm values file like:

cicd_proxy:
  oidc:
    audience: backstage
    issuer: https://k8sou.domain/auth/idp/backstageidp
  network:
    api_server_host: my-kube-oidc-proxy.domain
    ingress_type: nginx

Update with your own values, of course. This way your kube-oidc-proxy will trust the token you get from Backstage.

The problem is that Kubernetes (and most API developers) abuse the OIDC spec by using an id_token for API calls. At least specific to the spec, what you're SUPPOSED to do is take the access_token you get from your IdP (i.e. OpenUnison) and say "give me a token for this other thing".
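
As an added illustration of the scoping described in this comment (not code from OpenUnison, Backstage or kube-oidc-proxy), the following constructed signer and verifier shows why an id_token minted for the backstage client and backstageidp issuer is rejected by a proxy configured for the kubernetes client ID, and accepted by one configured with the audience and issuer from the values file above; it also shows the 2-minute lifetime expiring. It assumes a shared HS256 demo key (DEMO_KEY) and a k8sidp issuer URL (K8S_ISSUER) following the same path pattern; a real kube-oidc-proxy verifies RS256 signatures against the issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed demo secret; a real kube-oidc-proxy verifies RS256 against the issuer's JWKS.
DEMO_KEY = b"constructed-shared-secret"
# Backstage issuer taken from the values file above; the k8sidp issuer URL is an assumption.
BACKSTAGE_ISSUER = "https://k8sou.domain/auth/idp/backstageidp"
K8S_ISSUER = "https://k8sou.domain/auth/idp/k8sidp"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(issuer, audience, sub, lifetime=120, now=None):
    """Build an HS256 id_token with the iss/aud/exp claims an OIDC IdP would set."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token, expected_issuer, expected_audience, now=None):
    """Apply the checks a proxy scoped to one issuer and client ID makes; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm before trusting anything else in the token.
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("iss") != expected_issuer:
        return False, f"issuer mismatch: {claims.get('iss')}"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud:
        return False, f"audience mismatch: {aud}"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"
```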

vrabbi commented 1 month ago

It works! Thanks for all the help!

vrabbi commented 1 month ago

I'm guessing that just adding the Backstage redirect URI to the k8sidp Application would work as well? I know it may not be a best practice, but just wondering if I'm correct in that assumption.

mlbiam commented 1 month ago

I'm guessing that just adding the Backstage redirect URI to the k8sidp Application would work as well? I know it may not be a best practice, but just wondering if I'm correct in that assumption.

Yes, I think that would work too. Though like you said, it wouldn't be a best practice.

In your Application, what are you setting the token lifetime to? Curious if Backstage is refreshing the token correctly.

vrabbi commented 1 month ago

It's set to 2 minutes and Backstage refreshes perfectly.

mlbiam commented 1 month ago

Would you be willing to share what you did? Would love to add it to the integrations section of our docs.

vrabbi commented 1 month ago

I will work on getting a basic README together with step-by-step instructions and then share it with you. It will probably only be the end of next week or the week after, but I will try to do it as soon as I can find the time.

mlbiam commented 1 month ago

I will work on getting a basic README together with step-by-step instructions and then share it with you. It will probably only be the end of next week or the week after, but I will try to do it as soon as I can find the time.

Much appreciated! Going to close this out.