RoadieHQ / roadie-backstage-plugins

All Backstage plugins created by Roadie.
https://roadie.io
Apache License 2.0

Issue with Token Retrieval in http:backstage:request Action - failing with JWTClaimValidationFailed #1475

Open davormilutinovic opened 1 month ago

davormilutinovic commented 1 month ago

Expected Behavior The http:backstage:request action should use the initiator's credentials to retrieve the token, ensuring proper authentication when making HTTP requests.

Current Behavior The http:backstage:request action uses the old ctx.secrets?.backstageToken (or ctx.secrets.backstageToken) to retrieve the token, which leads to an authentication error with the message "Invalid plugin token; caused by JWTClaimValidationFailed: unexpected 'aud' claim value".

Link to code line: https://github.com/RoadieHQ/roadie-backstage-plugins/blob/c62ec52707b3be39c40d240d299dba00995a3243/plugins/scaffolder-actions/scaffolder-backend-module-http-request/src/actions/run/backstageRequest.ts#L120

Steps to Reproduce Configure a template in Backstage that uses the http:backstage:request action to make an authenticated HTTP request. Execute the template to trigger the action. Observe the authentication error in the logs.

Possible Solution

Modify the http:backstage:request action to use ctx.getInitiatorCredentials().token instead of ctx.secrets?.backstageToken

Quick fix

// Original line: the legacy secret carried in the scaffolder context
const token = ctx.secrets?.backstageToken;

// Updated lines: take the token from the initiator's credentials instead
const credentials = await ctx.getInitiatorCredentials();

// @ts-expect-error -- `token` is not part of the public BackstageCredentials type
const token = credentials.token;

Context

This issue prevents us from properly authenticating HTTP requests within the Backstage scaffolder, causing our pipeline creation process to fail with authentication errors. We are trying to automate the creation of SonarQube pipelines in Azure, and this bug is a blocker for our workflow.

Your Environment
yarn: 1.22.21
cli: 0.26.6 (installed)
backstage: 1.27.6

Dependencies: "@roadiehq/scaffolder-backend-module-http-request": "^4.3.2", @backstage/app-defaults 1.5.5 @backstage/backend-app-api 0.7.5 @backstage/backend-common 0.22.0 @backstage/backend-defaults 0.2.18 @backstage/backend-dev-utils 0.1.4 @backstage/backend-openapi-utils 0.1.11 @backstage/backend-plugin-api 0.6.21 @backstage/backend-tasks 0.5.26 @backstage/catalog-client 1.6.5 @backstage/catalog-model 1.5.0 @backstage/cli-common 0.1.14 @backstage/cli-node 0.2.5 @backstage/cli 0.26.6 @backstage/config-loader 1.8.0 @backstage/config 1.2.0 @backstage/core-app-api 1.13.0 @backstage/core-compat-api 0.2.5 @backstage/core-components 0.14.7 @backstage/core-plugin-api 1.9.3 @backstage/dev-utils 1.0.32 @backstage/e2e-test-utils 0.1.1 @backstage/errors 1.2.4 @backstage/eslint-plugin 0.1.8 @backstage/frontend-plugin-api 0.6.5 @backstage/integration-aws-node 0.1.12 @backstage/integration-react 1.1.27 @backstage/integration 1.12.0 @backstage/plugin-analytics-module-ga4 0.2.5 @backstage/plugin-api-docs 0.11.5 @backstage/plugin-app-backend 0.3.67 @backstage/plugin-app-node 0.1.18 @backstage/plugin-auth-backend-module-atlassian-provider 0.1.10 @backstage/plugin-auth-backend-module-aws-alb-provider 0.1.10 @backstage/plugin-auth-backend-module-azure-easyauth-provider 0.1.1 @backstage/plugin-auth-backend-module-bitbucket-provider 0.1.1 @backstage/plugin-auth-backend-module-cloudflare-access-provider 0.1.1 @backstage/plugin-auth-backend-module-gcp-iap-provider 0.2.13 @backstage/plugin-auth-backend-module-github-provider 0.1.15 @backstage/plugin-auth-backend-module-gitlab-provider 0.1.15 @backstage/plugin-auth-backend-module-google-provider 0.1.15 @backstage/plugin-auth-backend-module-guest-provider 0.1.7 @backstage/plugin-auth-backend-module-microsoft-provider 0.1.13 @backstage/plugin-auth-backend-module-oauth2-provider 0.1.15 @backstage/plugin-auth-backend-module-oauth2-proxy-provider 0.1.11 @backstage/plugin-auth-backend-module-oidc-provider 0.1.9 
@backstage/plugin-auth-backend-module-okta-provider 0.0.11 @backstage/plugin-auth-backend 0.22.5 @backstage/plugin-auth-node 0.4.16 @backstage/plugin-auth-react 0.1.2 @backstage/plugin-azure-devops-common 0.4.2 @backstage/plugin-azure-devops 0.4.4 @backstage/plugin-catalog-backend-module-azure 0.1.41 @backstage/plugin-catalog-backend-module-msgraph 0.5.26 @backstage/plugin-catalog-backend-module-scaffolder-entity-model 0.1.19 @backstage/plugin-catalog-backend 1.22.0 @backstage/plugin-catalog-common 1.0.24 @backstage/plugin-catalog-graph 0.4.5 @backstage/plugin-catalog-import 0.11.0 @backstage/plugin-catalog-node 1.12.3 @backstage/plugin-catalog-react 1.12.0 @backstage/plugin-catalog 1.20.0 @backstage/plugin-events-node 0.3.4 @backstage/plugin-gcalendar 0.3.28 @backstage/plugin-github-actions 0.6.16 @backstage/plugin-home-react 0.1.13 @backstage/plugin-home 0.7.4 @backstage/plugin-microsoft-calendar 0.1.17 @backstage/plugin-org 0.6.25 @backstage/plugin-pagerduty 0.7.7 @backstage/plugin-permission-backend-module-allow-all-policy 0.1.18 @backstage/plugin-permission-backend 0.5.45 @backstage/plugin-permission-common 0.7.14 @backstage/plugin-permission-node 0.7.32 @backstage/plugin-permission-react 0.4.22 @backstage/plugin-proxy-backend 0.4.16 @backstage/plugin-scaffolder-backend-module-azure 0.1.13 @backstage/plugin-scaffolder-backend-module-bitbucket-cloud 0.1.11 @backstage/plugin-scaffolder-backend-module-bitbucket-server 0.1.11 @backstage/plugin-scaffolder-backend-module-bitbucket 0.2.11 @backstage/plugin-scaffolder-backend-module-gerrit 0.1.13 @backstage/plugin-scaffolder-backend-module-gitea 0.1.11 @backstage/plugin-scaffolder-backend-module-github 0.3.2 @backstage/plugin-scaffolder-backend-module-gitlab 0.4.3 @backstage/plugin-scaffolder-backend 1.22.11 @backstage/plugin-scaffolder-common 1.5.3 @backstage/plugin-scaffolder-node 0.2.10, 0.4.7 @backstage/plugin-scaffolder-react 1.8.6 @backstage/plugin-scaffolder 1.20.1 
@backstage/plugin-search-backend-module-catalog 0.1.24 @backstage/plugin-search-backend-module-pg 0.5.27 @backstage/plugin-search-backend-module-techdocs 0.1.23 @backstage/plugin-search-backend-node 1.2.23 @backstage/plugin-search-backend 1.5.9 @backstage/plugin-search-common 1.2.12 @backstage/plugin-search-react 1.7.11 @backstage/plugin-search 1.4.11 @backstage/plugin-sonarqube-backend 0.2.20 @backstage/plugin-sonarqube-react 0.1.16 @backstage/plugin-sonarqube 0.7.17 @backstage/plugin-stack-overflow 0.1.30 @backstage/plugin-tech-radar 0.7.4 @backstage/plugin-techdocs-backend 1.10.5 @backstage/plugin-techdocs-module-addons-contrib 1.1.10 @backstage/plugin-techdocs-node 1.12.4 @backstage/plugin-techdocs-react 1.2.4 @backstage/plugin-techdocs 1.10.5 @backstage/plugin-user-settings 0.8.6 @backstage/release-manifests 0.0.11 @backstage/repo-tools 0.9.0 @backstage/test-utils 1.5.5 @backstage/theme 0.5.5 @backstage/types 1.1.1 @backstage/version-bridge 1.0.8

davormilutinovic commented 1 month ago

Just found another reference to the same issue link.

ivangonzalezacuna commented 1 month ago

I've opened a PR for it. I tested it in our instance and it worked fine. It's following the same idea as other upstream actions in backstage, and always using the bearer token if it's defined. This should do the trick

davormilutinovic commented 1 month ago

> I've opened a PR for it. I tested it in our instance and it worked fine. It's following the same idea as other upstream actions in backstage, and always using the bearer token if it's defined. This should do the trick

Hi. For some reason your changes are still not working for me.

I have used your fork and there was an error during execution of one template.

...There was an issue with your request. Status code: 401 Response body: {"error":{"name":"AuthenticationError","message":"Invalid plugin token; caused by JWTClaimValidationFailed: unexpected \"aud\" claim value","cause":{"code":"ERR_JWT_CLAIM_VALIDATION_FAILED...

After I reverted from

      const { token } = (await auth?.getPluginRequestToken({
        onBehalfOf: await ctx.getInitiatorCredentials(),
        targetPluginId: 'proxy',
      })) ?? { token: ctx.secrets?.backstageToken };

to

      const credentials = await ctx.getInitiatorCredentials();

      // @ts-expect-error
      const token = credentials.token;

It has started working again?
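The two approaches discussed in this thread differ in which token ends up in the Authorization header. The example below is added here and is not code from the issue, the PR, or the Roadie plugin: it models the receiving plugin's `aud` check and the scaffolder-side token resolution in plain TypeScript with no Backstage imports. Assumptions are labelled in the code: the tokens are constructed and unsigned (real Backstage tokens are signed and also checked for `exp`, issuer and key), the `AuthService` and `ActionContext` shapes are reduced to the members the action touches, the legacy user token is modelled with `aud: "backstage"` (the audience Backstage user tokens carry), and the plugin-targeted token is modelled with `aud` equal to the target plugin id. `resolveRequestToken` follows the pattern quoted from the PR: mint a plugin-targeted token on behalf of the initiator when an `AuthService` is present, and fall back to the legacy secret only when it is not.

```typescript
// Added example (not the plugin's code). Models why a legacy user token fails the
// receiving plugin's `aud` check while a token minted via getPluginRequestToken passes.
// Tokens here are constructed and UNSIGNED; only the `aud` claim logic is illustrated.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Minimal base64url codec for ASCII JSON, so the example runs without Node Buffer types.
function b64urlEncode(s: string): string {
  let out = '';
  for (let i = 0; i < s.length; i += 3) {
    const a = s.charCodeAt(i);
    const b = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    const c = i + 2 < s.length ? s.charCodeAt(i + 2) : 0;
    const n = (a << 16) | (b << 8) | c;
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (i + 1 < s.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < s.length) out += B64URL[n & 63];
  }
  return out;
}

function b64urlDecode(s: string): string {
  let bits = 0, acc = 0, out = '';
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url');
    acc = ((acc << 6) | v) & 0xffffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

interface Claims { aud: string; sub: string; typ: string; exp: number }

// Constructed stand-in for a Backstage JWT: header.payload.<empty signature>.
function mintUnsignedToken(claims: Claims): string {
  return `${b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64urlEncode(JSON.stringify(claims))}.`;
}

function decodeClaims(token: string): Claims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(b64urlDecode(parts[1])) as Claims;
}

// The receiving plugin's check, in spirit: a plugin token must name the receiver in `aud`.
function validatePluginTokenAudience(token: string, receivingPluginId: string): { ok: boolean; reason?: string } {
  const claims = decodeClaims(token);
  if (claims.aud !== receivingPluginId) {
    return { ok: false, reason: `JWTClaimValidationFailed: unexpected "aud" claim value (got "${claims.aud}", want "${receivingPluginId}")` };
  }
  return { ok: true };
}

// Reduced shapes of the Backstage services the action touches (modelled, not imported).
interface BackstageCredentials { principal: { type: 'user'; userEntityRef: string } }
interface AuthService {
  getPluginRequestToken(opts: { onBehalfOf: BackstageCredentials; targetPluginId: string }): Promise<{ token: string }>;
}
interface ActionContext {
  secrets?: { backstageToken?: string };
  getInitiatorCredentials(): Promise<BackstageCredentials>;
}

// Pattern from the PR: prefer a plugin-targeted token minted on behalf of the initiator;
// fall back to the legacy secret only when no AuthService is wired in.
async function resolveRequestToken(ctx: ActionContext, auth: AuthService | undefined, targetPluginId: string): Promise<string | undefined> {
  if (auth) {
    const { token } = await auth.getPluginRequestToken({ onBehalfOf: await ctx.getInitiatorCredentials(), targetPluginId });
    return token;
  }
  return ctx.secrets?.backstageToken;
}

// Constructed AuthService: mints a token whose `aud` is the target plugin id (assumption).
const fakeAuth: AuthService = {
  async getPluginRequestToken({ onBehalfOf, targetPluginId }) {
    return { token: mintUnsignedToken({ aud: targetPluginId, sub: onBehalfOf.principal.userEntityRef, typ: 'vnd.backstage.plugin', exp: 0 }) };
  },
};

// Constructed scaffolder context: the legacy secret is a user token with aud "backstage".
const legacyUserToken = mintUnsignedToken({ aud: 'backstage', sub: 'user:default/alice', typ: 'vnd.backstage.user', exp: 0 });
const fakeCtx: ActionContext = {
  secrets: { backstageToken: legacyUserToken },
  async getInitiatorCredentials() { return { principal: { type: 'user', userEntityRef: 'user:default/alice' } }; },
};

// Sends both tokens to a receiver with plugin id "proxy" (the targetPluginId used in the thread).
async function demo(): Promise<{ legacy: { ok: boolean; reason?: string }; minted: { ok: boolean; reason?: string } }> {
  const legacy = validatePluginTokenAudience(legacyUserToken, 'proxy');
  const minted = validatePluginTokenAudience((await resolveRequestToken(fakeCtx, fakeAuth, 'proxy')) as string, 'proxy');
  return { legacy, minted };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Run with `npx tsx example.ts` (or compile with `tsc`). The legacy token is rejected with the same class of message the thread reports, the minted one is accepted. The practical check when debugging this in a real instance is to base64url-decode the second segment of the token the action actually sends and compare its `aud` with the plugin id of the backend that returns 401; if the two differ, the action is still using a token that was not minted for that plugin.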