RoadieHQ / roadie-backstage-plugins

All Backstage plugins created by Roadie.
https://roadie.io
Apache License 2.0
263 stars 389 forks

SSO to plugins - e.g. Pass along SSO token to ArgoCD rather than rely on a single auth token #970

Closed lukepatrick closed 8 months ago

lukepatrick commented 1 year ago

SSO to plugins - e.g. pass along the SSO token to ArgoCD rather than rely on a single auth token. If I have the Backstage UI and ArgoCD UI both authenticating to the same SSO (e.g. AD or GitHub), have Backstage send that token or trust/handshake to ArgoCD rather than require an ArgoCD API token to be managed.

Feature Suggestion

In a large organization with a "multitenancy" model, I would like to not create more API tokens when all internal tools (Backstage and ArgoCD) share the same AuthN providers.

Possible Implementation

Context

roadie-bot commented 1 year ago

https://app.shortcut.com/larder/story/14678

deeparavirdc commented 1 year ago

+1 Interested in this too

sudermanjr commented 1 year ago

I was just thinking this myself, and here we are with an issue created 6 hours ago. #great-minds-think-alike

kissmikijr commented 1 year ago

Hmm, interesting take. I'm not entirely familiar with this flow. Are there other plugins which already use this and forward the SSO token to the plugin itself?

adamdabbracci commented 1 year ago

@kissmikijr not that I've seen. Once the actual SSO is complete (i.e. through Azure AD or GitHub), a JWT is generated that's then passed to plugins. My understanding of this request is that the original token (from Azure or GitHub) be retained somewhere so that it can be used to call services which also use that auth mechanism.

I do see one problem with just passing the token along - the client ID of the original request will be Backstage, which will likely fail validation on any other services. I could see a setup like IdP relying party trust working (something like this), but I imagine that would be provider-specific.
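
The client-ID problem raised in the comment above, as an added example that is not part of the original thread and is not Backstage or Argo CD code: a downstream verifier accepts a token only when its `aud` claim names that service's own client ID. The client IDs `backstage` and `argocd`, the demo key, and the use of HS256 in place of an IdP's asymmetric signature are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed demo values; a real IdP signs with an asymmetric key, not a shared secret.
var idpKey = []byte("constructed-demo-key")
var b64 = base64.RawURLEncoding

func mac(s string) []byte {
	m := hmac.New(sha256.New, idpKey)
	m.Write([]byte(s))
	return m.Sum(nil)
}

// issue stands in for the IdP: each token is minted for one client ID (the "aud" claim).
func issue(claims map[string]string) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(mac(input))
}

// verify is the downstream check: fixed algorithm, valid signature, own client ID as audience.
func verify(token, wantAud string) (map[string]string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(p[2])
	if !hmac.Equal(sig, mac(p[0]+"."+p[1])) {
		return nil, fmt.Errorf("bad signature")
	}
	var c map[string]string
	body, _ := b64.DecodeString(p[1])
	if json.Unmarshal(body, &c) != nil || c["aud"] != wantAud {
		return nil, fmt.Errorf("audience %q rejected, want %q", c["aud"], wantAud)
	}
	return c, nil
}

func main() {
	t := issue(map[string]string{"sub": "user@example.com", "aud": "backstage"})
	_, err := verify(t, "argocd")
	fmt.Println("argocd verifier:", err) // rejected: token was issued to backstage
}
```

The signature is valid in both cases; only the audience check separates them, which is why forwarding the same token unchanged does not work without a trust arrangement at the IdP.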

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

lukepatrick commented 10 months ago

@adamdabbracci makes a good suggestion.

github-actions[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.