Closed vrabbi closed 1 month ago
really loving this project.
Thank you!
Have you ever tried integrating Openunison with Backstage?
Not yet, though its on my list
Login failed; caused by Error: Authentication rejected, nonce mismatch, expected undefined, got: b18293c5-0a01-4416-9864-8bbf84c60797
interesting, can you please share your backstage and openunison config? It looks like we generate a nonce if one isn't provided to make sure there's some entropy when we store the session, but i'm kinda amazed that backstage isn't sending a nonce.
It seems the issue may have been fixed already in backstage. https://github.com/backstage/backstage/issues/23773 I will try next week to bump my backstage version and try it out
So I got it to work now as an OIDC provider to log into backstage! Now I'm having issues trying to make it work with the kubernetes plugin though, for k8s auth from backstage. If I have a dedicated Application CR created for backstage, should the OIDC tokens it generates be valid against my k8s clusters integrated with openunison? I am using the kube-oidc-proxy in this setup as well. I tried to configure the api endpoint of the oidc proxy as the cluster endpoint in backstage and tell it to use the same auth as backstage itself, but it doesn't seem to like that and can't pull any data.
so i got it to work now as an OIDC provider to log into backstage!
Fantastic!
If I have a dedicated Application CR created for backstage, should the OIDC tokens it generates be valid against my k8s clusters integrated with openunison?
No. The token is scoped to your specific client (backstage) based on the client id and issuer (your Application object). Your kube-oidc-proxy instance is scoped to the kubernetes client id and the k8sidp Application.
Since you're using impersonation already, you can setup an additional kube-oidc-proxy to trust the identity provider and client for backstage. The easiest way to do this is with https://cicd-proxy.github.io/, where we have some pre-built helm charts for running a standalone kube-oidc-proxy. A helm values file like:
```yaml
cicd_proxy:
  oidc:
    audience: backstage
    issuer: https://k8sou.domain/auth/idp/backstageidp
  network:
    api_server_host: my-kube-oidc-proxy.domain
    ingress_type: nginx
```
Update with your own values of course. This way your kube-oidc-proxy will trust the token you get from backstage.
The problem is that Kubernetes (and most API developers) abuse the OIDC spec by using an id_token for API calls. At least specific to spec, what you're SUPPOSED to do is take the access_token you get from your IdP (i.e. OpenUnison) and say "give me a token for this other thing".
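An added illustration of the scoping explained above (example code, not OpenUnison's or kube-oidc-proxy's own): it mints an id_token for the backstage client and checks it against two proxy configs, one scoped to the kubernetes client and k8sidp issuer, one scoped like the helm values for the backstage client. The k8sidp issuer URL and the HS256 secret are constructed assumptions; a real proxy verifies the IdP's published signing keys instead.

```python
# Added example: why a backstage-scoped id_token fails the existing kube-oidc-proxy
# (issuer/audience mismatch) but passes a second proxy configured for backstage.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key standing in for the IdP's keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(issuer, audience, sub, lifetime_s=120, now=None):
    """Constructed id_token with the claims a proxy checks; 2-minute lifetime as in the thread."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": sub, "iat": now, "exp": now + lifetime_s}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def proxy_accepts(token, proxy_cfg, now=None):
    """Mimics the oidc.issuer / oidc.audience checks of a proxy; returns (ok, reason_or_subject)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"  # checked before any claim is trusted
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != proxy_cfg["issuer"]:
        return False, f"issuer mismatch: {claims.get('iss')}"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if proxy_cfg["audience"] not in aud:
        return False, f"audience mismatch: {aud}"
    if claims.get("exp", 0) <= now:
        return False, "token expired (client must refresh)"
    return True, claims["sub"]

# Constructed configs mirroring the thread: the existing proxy and the added backstage one.
K8S_PROXY = {"issuer": "https://k8sou.domain/auth/idp/k8sidp", "audience": "kubernetes"}  # issuer URL assumed
BACKSTAGE_PROXY = {"issuer": "https://k8sou.domain/auth/idp/backstageidp", "audience": "backstage"}
```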
It works! thanks for all the help!
I'm guessing that just adding the backstage redirect URI to the k8sidp application would work as well? I know it may not be a best practice, but just wondering if I'm correct in that assumption.
Yes, I think that would work too. Though like you said, wouldn't be a best practice.
In your Application, what are you setting the token lifetime to? Curious if backstage is refreshing the token correctly.
It's set to 2 minutes and backstage refreshes perfectly.
Would you be willing to share what you did? would love to add it to our integrations section of our docs.
I will work on getting some basic readme together for step-by-step instructions and then share it with you. Will probably only be end of next week or the week after, but will try to do it as soon as I can find the time.
much appreciated! Going to close this out.
Really loving this project. Have you ever tried integrating Openunison with Backstage? I have tried but am getting weird nonce errors when trying to login. Any ideas what may be wrong? The error I'm getting is: