backstage / backstage

Backstage is an open framework for building developer portals
https://backstage.io/
Apache License 2.0

šŸ› Bug Report: auth-backend signs tokens with apparently-unsupported algorithm #18043

Closed jamieklassen closed 11 months ago

jamieklassen commented 1 year ago

📜 Description

There's a discrepancy between the algorithms declared as supported by the OpenID metadata endpoint (/api/auth/.well-known/openid-configuration) and the actual ID tokens issued by Backstage.

👍 Expected behavior

The ID token issued by Backstage should be signed with an algorithm which the OpenID metadata endpoint declares as supported.

👎 Actual Behavior with Screenshots

The only algorithm declared to be supported is RS256, but the ID token is signed with ES256 and the only advertised JWK is for ES256.

👟 Reproduction steps

  1. Create an OAuth app in GitHub, using these settings:

    [screenshot: github_oauth_app]

  2. Generate a client secret for the app

  3. Run yarn start-backend with app-config.local.yaml:

    auth:
      environment: development
      providers:
        github:
          development:
            clientId: <client ID of OAuth App>
            clientSecret: <generated client secret>
  4. Visit http://localhost:7007/api/auth/github/start?env=development, consent, get redirected back to the handler, and execute this snippet at the javascript console to grab the header portion of the ID token:

    atob(JSON.parse(authResponse).response.backstageIdentity.token.split('.')[0])
  5. Compare these two things:

📃 Provide the context for the Bug.

I noticed this while helping @RubenV-dev explore a solution for #12394. It's not seriously interfering with anything I need to do, it just seemed like a good idea to be spec-compliant.

Why does this discrepancy occur? Because the openID configuration here:

https://github.com/backstage/backstage/blob/39952df9160c8c3f027a85738e2188fd1f9076fc/plugins/auth-backend/src/identity/router.ts#L37

in many cases doesn't match the actual signing algorithm here:

https://github.com/backstage/backstage/blob/39952df9160c8c3f027a85738e2188fd1f9076fc/plugins/auth-backend/src/identity/TokenFactory.ts#L73

šŸ–„ļø Your Environment

% yarn backstage-cli info
OS:   Darwin 22.4.0 - darwin/x64
node: v16.19.0
yarn: 3.2.3
cli:  0.22.8-next.1 (local)
backstage:  N/A

Dependencies:
  @backstage/app-defaults                                            0.0.0-use.local
  @backstage/backend-app-api                                         0.0.0-use.local
  @backstage/backend-common                                          0.0.0-use.local
  @backstage/backend-defaults                                        0.0.0-use.local
  @backstage/backend-dev-utils                                       0.0.0-use.local
  @backstage/backend-openapi-utils                                   0.0.0-use.local
  @backstage/backend-plugin-api                                      0.0.0-use.local
  @backstage/backend-tasks                                           0.0.0-use.local
  @backstage/backend-test-utils                                      0.0.0-use.local
  @backstage/catalog-client                                          1.4.1, 0.0.0-use.local
  @backstage/catalog-model                                           1.3.0, 0.0.0-use.local
  @backstage/cli-common                                              0.0.0-use.local
  @backstage/cli-node                                                0.0.0-use.local
  @backstage/cli                                                     0.0.0-use.local
  @backstage/codemods                                                0.0.0-use.local
  @backstage/config-loader                                           0.0.0-use.local
  @backstage/config                                                  0.0.0-use.local
  @backstage/core-app-api                                            0.0.0-use.local
  @backstage/core-components                                         0.12.5, 0.13.1, 0.0.0-use.local
  @backstage/core-plugin-api                                         1.5.1, 0.0.0-use.local
  @backstage/create-app                                              0.0.0-use.local
  @backstage/dev-utils                                               0.0.0-use.local
  @backstage/errors                                                  1.1.5, 0.0.0-use.local
  @backstage/eslint-plugin                                           0.0.0-use.local
  @backstage/integration-aws-node                                    0.0.0-use.local
  @backstage/integration-react                                       1.1.13, 0.0.0-use.local
  @backstage/integration                                             1.4.5, 0.0.0-use.local
  @backstage/plugin-adr-backend                                      0.0.0-use.local
  @backstage/plugin-adr-common                                       0.0.0-use.local
  @backstage/plugin-adr                                              0.0.0-use.local
  @backstage/plugin-airbrake-backend                                 0.0.0-use.local
  @backstage/plugin-airbrake                                         0.0.0-use.local
  @backstage/plugin-allure                                           0.0.0-use.local
  @backstage/plugin-analytics-module-ga4                             0.0.0-use.local
  @backstage/plugin-analytics-module-ga                              0.0.0-use.local
  @backstage/plugin-apache-airflow                                   0.0.0-use.local
  @backstage/plugin-api-docs-module-protoc-gen-doc                   0.0.0-use.local
  @backstage/plugin-api-docs                                         0.0.0-use.local
  @backstage/plugin-apollo-explorer                                  0.0.0-use.local
  @backstage/plugin-app-backend                                      0.0.0-use.local
  @backstage/plugin-auth-backend                                     0.0.0-use.local
  @backstage/plugin-auth-node                                        0.0.0-use.local
  @backstage/plugin-azure-devops-backend                             0.0.0-use.local
  @backstage/plugin-azure-devops-common                              0.0.0-use.local
  @backstage/plugin-azure-devops                                     0.0.0-use.local
  @backstage/plugin-azure-sites-backend                              0.0.0-use.local
  @backstage/plugin-azure-sites-common                               0.0.0-use.local
  @backstage/plugin-azure-sites                                      0.0.0-use.local
  @backstage/plugin-badges-backend                                   0.0.0-use.local
  @backstage/plugin-badges                                           0.0.0-use.local
  @backstage/plugin-bazaar-backend                                   0.0.0-use.local
  @backstage/plugin-bazaar                                           0.0.0-use.local
  @backstage/plugin-bitbucket-cloud-common                           0.0.0-use.local
  @backstage/plugin-bitrise                                          0.0.0-use.local
  @backstage/plugin-catalog-backend-module-aws                       0.0.0-use.local
  @backstage/plugin-catalog-backend-module-azure                     0.0.0-use.local
  @backstage/plugin-catalog-backend-module-bitbucket-cloud           0.0.0-use.local
  @backstage/plugin-catalog-backend-module-bitbucket-server          0.0.0-use.local
  @backstage/plugin-catalog-backend-module-bitbucket                 0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gerrit                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-github                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gitlab                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-incremental-ingestion     0.0.0-use.local
  @backstage/plugin-catalog-backend-module-ldap                      0.0.0-use.local
  @backstage/plugin-catalog-backend-module-msgraph                   0.0.0-use.local
  @backstage/plugin-catalog-backend-module-openapi                   0.0.0-use.local
  @backstage/plugin-catalog-backend-module-puppetdb                  0.0.0-use.local
  @backstage/plugin-catalog-backend-module-unprocessed               0.0.0-use.local
  @backstage/plugin-catalog-backend                                  0.0.0-use.local
  @backstage/plugin-catalog-common                                   1.0.13, 0.0.0-use.local
  @backstage/plugin-catalog-graph                                    0.0.0-use.local
  @backstage/plugin-catalog-graphql                                  0.0.0-use.local
  @backstage/plugin-catalog-import                                   0.0.0-use.local
  @backstage/plugin-catalog-node                                     0.0.0-use.local
  @backstage/plugin-catalog-react                                    1.6.0, 0.0.0-use.local
  @backstage/plugin-catalog-unprocessed-entities                     0.0.0-use.local
  @backstage/plugin-catalog                                          0.0.0-use.local
  @backstage/plugin-cicd-statistics-module-gitlab                    0.0.0-use.local
  @backstage/plugin-cicd-statistics                                  0.0.0-use.local
  @backstage/plugin-circleci                                         0.0.0-use.local
  @backstage/plugin-cloudbuild                                       0.0.0-use.local
  @backstage/plugin-code-climate                                     0.0.0-use.local
  @backstage/plugin-code-coverage-backend                            0.0.0-use.local
  @backstage/plugin-code-coverage                                    0.0.0-use.local
  @backstage/plugin-codescene                                        0.0.0-use.local
  @backstage/plugin-config-schema                                    0.0.0-use.local
  @backstage/plugin-cost-insights-common                             0.0.0-use.local
  @backstage/plugin-cost-insights                                    0.0.0-use.local
  @backstage/plugin-devtools-backend                                 0.0.0-use.local
  @backstage/plugin-devtools-common                                  0.0.0-use.local
  @backstage/plugin-devtools                                         0.0.0-use.local
  @backstage/plugin-dynatrace                                        0.0.0-use.local
  @backstage/plugin-entity-feedback-backend                          0.0.0-use.local
  @backstage/plugin-entity-feedback-common                           0.0.0-use.local
  @backstage/plugin-entity-feedback                                  0.0.0-use.local
  @backstage/plugin-entity-validation                                0.0.0-use.local
  @backstage/plugin-events-backend-module-aws-sqs                    0.0.0-use.local
  @backstage/plugin-events-backend-module-azure                      0.0.0-use.local
  @backstage/plugin-events-backend-module-bitbucket-cloud            0.0.0-use.local
  @backstage/plugin-events-backend-module-gerrit                     0.0.0-use.local
  @backstage/plugin-events-backend-module-github                     0.0.0-use.local
  @backstage/plugin-events-backend-module-gitlab                     0.0.0-use.local
  @backstage/plugin-events-backend-test-utils                        0.0.0-use.local
  @backstage/plugin-events-backend                                   0.0.0-use.local
  @backstage/plugin-events-node                                      0.0.0-use.local
  @backstage/plugin-explore-backend                                  0.0.0-use.local
  @backstage/plugin-explore-common                                   0.0.0-use.local
  @backstage/plugin-explore-react                                    0.0.0-use.local
  @backstage/plugin-explore                                          0.0.0-use.local
  @backstage/plugin-firehydrant                                      0.0.0-use.local
  @backstage/plugin-fossa                                            0.0.0-use.local
  @backstage/plugin-gcalendar                                        0.0.0-use.local
  @backstage/plugin-gcp-projects                                     0.0.0-use.local
  @backstage/plugin-git-release-manager                              0.0.0-use.local
  @backstage/plugin-github-actions                                   0.0.0-use.local
  @backstage/plugin-github-deployments                               0.0.0-use.local
  @backstage/plugin-github-issues                                    0.0.0-use.local
  @backstage/plugin-github-pull-requests-board                       0.0.0-use.local
  @backstage/plugin-gitops-profiles                                  0.0.0-use.local
  @backstage/plugin-gocd                                             0.0.0-use.local
  @backstage/plugin-graphiql                                         0.0.0-use.local
  @backstage/plugin-graphql-backend                                  0.0.0-use.local
  @backstage/plugin-graphql-voyager                                  0.0.0-use.local
  @backstage/plugin-home-react                                       0.0.0-use.local
  @backstage/plugin-home                                             0.5.2, 0.0.0-use.local
  @backstage/plugin-ilert                                            0.0.0-use.local
  @backstage/plugin-jenkins-backend                                  0.0.0-use.local
  @backstage/plugin-jenkins-common                                   0.0.0-use.local
  @backstage/plugin-jenkins                                          0.0.0-use.local
  @backstage/plugin-kafka-backend                                    0.0.0-use.local
  @backstage/plugin-kafka                                            0.0.0-use.local
  @backstage/plugin-kubernetes-backend                               0.0.0-use.local
  @backstage/plugin-kubernetes-common                                0.0.0-use.local
  @backstage/plugin-kubernetes                                       0.0.0-use.local
  @backstage/plugin-lighthouse-backend                               0.0.0-use.local
  @backstage/plugin-lighthouse-common                                0.0.0-use.local
  @backstage/plugin-lighthouse                                       0.0.0-use.local
  @backstage/plugin-linguist-backend                                 0.0.0-use.local
  @backstage/plugin-linguist-common                                  0.0.0-use.local
  @backstage/plugin-linguist                                         0.0.0-use.local
  @backstage/plugin-microsoft-calendar                               0.0.0-use.local
  @backstage/plugin-newrelic-dashboard                               0.0.0-use.local
  @backstage/plugin-newrelic                                         0.0.0-use.local
  @backstage/plugin-octopus-deploy                                   0.0.0-use.local
  @backstage/plugin-org-react                                        0.0.0-use.local
  @backstage/plugin-org                                              0.0.0-use.local
  @backstage/plugin-pagerduty                                        0.0.0-use.local
  @backstage/plugin-periskop-backend                                 0.0.0-use.local
  @backstage/plugin-periskop                                         0.0.0-use.local
  @backstage/plugin-permission-backend                               0.0.0-use.local
  @backstage/plugin-permission-common                                0.7.5, 0.0.0-use.local
  @backstage/plugin-permission-node                                  0.0.0-use.local
  @backstage/plugin-permission-react                                 0.4.12, 0.0.0-use.local
  @backstage/plugin-playlist-backend                                 0.0.0-use.local
  @backstage/plugin-playlist-common                                  0.0.0-use.local
  @backstage/plugin-playlist                                         0.0.0-use.local
  @backstage/plugin-proxy-backend                                    0.0.0-use.local
  @backstage/plugin-puppetdb                                         0.0.0-use.local
  @backstage/plugin-rollbar-backend                                  0.0.0-use.local
  @backstage/plugin-rollbar                                          0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-confluence-to-markdown 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-cookiecutter           0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-gitlab                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-rails                  0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-sentry                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-yeoman                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend                               0.0.0-use.local
  @backstage/plugin-scaffolder-common                                0.0.0-use.local
  @backstage/plugin-scaffolder-node                                  0.0.0-use.local
  @backstage/plugin-scaffolder-react                                 0.0.0-use.local
  @backstage/plugin-scaffolder                                       0.0.0-use.local
  @backstage/plugin-search-backend-module-catalog                    0.0.0-use.local
  @backstage/plugin-search-backend-module-elasticsearch              0.0.0-use.local
  @backstage/plugin-search-backend-module-explore                    0.0.0-use.local
  @backstage/plugin-search-backend-module-pg                         0.0.0-use.local
  @backstage/plugin-search-backend-module-techdocs                   0.0.0-use.local
  @backstage/plugin-search-backend-node                              0.0.0-use.local
  @backstage/plugin-search-backend                                   0.0.0-use.local
  @backstage/plugin-search-common                                    1.2.3, 0.0.0-use.local
  @backstage/plugin-search-react                                     0.0.0-use.local
  @backstage/plugin-search                                           0.0.0-use.local
  @backstage/plugin-sentry                                           0.0.0-use.local
  @backstage/plugin-shortcuts                                        0.0.0-use.local
  @backstage/plugin-sonarqube-backend                                0.0.0-use.local
  @backstage/plugin-sonarqube-react                                  0.0.0-use.local
  @backstage/plugin-sonarqube                                        0.0.0-use.local
  @backstage/plugin-splunk-on-call                                   0.0.0-use.local
  @backstage/plugin-stack-overflow-backend                           0.0.0-use.local
  @backstage/plugin-stack-overflow                                   0.0.0-use.local
  @backstage/plugin-stackstorm                                       0.0.0-use.local
  @backstage/plugin-tech-insights-backend-module-jsonfc              0.0.0-use.local
  @backstage/plugin-tech-insights-backend                            0.0.0-use.local
  @backstage/plugin-tech-insights-common                             0.0.0-use.local
  @backstage/plugin-tech-insights-node                               0.0.0-use.local
  @backstage/plugin-tech-insights                                    0.0.0-use.local
  @backstage/plugin-tech-radar                                       0.0.0-use.local
  @backstage/plugin-techdocs-addons-test-utils                       0.0.0-use.local
  @backstage/plugin-techdocs-backend                                 0.0.0-use.local
  @backstage/plugin-techdocs-module-addons-contrib                   0.0.0-use.local
  @backstage/plugin-techdocs-node                                    0.0.0-use.local
  @backstage/plugin-techdocs-react                                   0.0.0-use.local
  @backstage/plugin-techdocs                                         0.0.0-use.local
  @backstage/plugin-todo-backend                                     0.0.0-use.local
  @backstage/plugin-todo                                             0.0.0-use.local
  @backstage/plugin-user-settings-backend                            0.0.0-use.local
  @backstage/plugin-user-settings                                    0.0.0-use.local
  @backstage/plugin-vault-backend                                    0.0.0-use.local
  @backstage/plugin-vault                                            0.0.0-use.local
  @backstage/plugin-xcmetrics                                        0.0.0-use.local
  @backstage/release-manifests                                       0.0.0-use.local
  @backstage/repo-tools                                              0.0.0-use.local
  @backstage/test-utils                                              0.0.0-use.local
  @backstage/theme                                                   0.2.19, 0.3.0, 0.0.0-use.local
  @backstage/types                                                   0.0.0-use.local
  @backstage/version-bridge                                          0.0.0-use.local

👀 Have you spent some time to check if this bug has been raised before?

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

Yes I am willing to submit a PR!

Rugvip commented 1 year ago

Good find! Definitely want to get https://github.com/backstage/backstage/blob/99978bb0ab0175047340af9453e86cd9004af8e5/plugins/auth-backend/src/identity/router.ts#L37 updated

Not entirely sure what makes sense to list though tbh. If we only list the currently selected algorithm that might actually not be true since we might have old keys laying around in the DB after a reconfiguration. Perhaps simply list all of the ones that the runtime supports? 🤷

jamieklassen commented 1 year ago

according to the spec,

The algorithm RS256 MUST be included.

but otherwise I was thinking of just reporting the current tokenFactoryAlgorithm. Maybe the most honest thing to do would be to read the valid keys from the keystore on demand like this:

https://github.com/backstage/backstage/blob/39952df9160c8c3f027a85738e2188fd1f9076fc/plugins/auth-backend/src/identity/TokenFactory.ts#L114-L129

and check which algorithms appear there -- then the metadata endpoint would be guaranteed to be consistent with the JWKS endpoint. At first this seemed overkill, but after reading through the code it doesn't seem that bad to me.
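
The consistency check the report and the comment above are circling around, written as an added example (not Backstage code and not from either commenter): given a discovery document, the JWKS it points to, and the header of an issued ID token, report every place the three disagree, and derive an `id_token_signing_alg_values_supported` list from the keys actually in the JWKS with RS256 always included. The key-to-algorithm mapping follows RFC 7518; `algorithmsForJwk`, `advertisedAlgorithmsFromJwks`, `checkOidcConsistency` and the sample discovery document, JWKS and token are all constructed for this example and assume a Node.js runtime with `Buffer` base64url support.

```javascript
// Added example: does an OpenID discovery document, its JWKS and an issued
// ID token agree on the signing algorithm? Not Backstage code.

// RFC 7518 mapping from a JWK's key type/curve to the JWS algorithms it can
// produce. An explicit `alg` member on the JWK takes precedence.
const EC_CURVE_ALG = { 'P-256': 'ES256', 'P-384': 'ES384', 'P-521': 'ES512' };
const RSA_ALGS = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'];

function algorithmsForJwk(jwk) {
  if (jwk.alg) return [jwk.alg];
  if (jwk.kty === 'EC') return jwk.crv in EC_CURVE_ALG ? [EC_CURVE_ALG[jwk.crv]] : [];
  if (jwk.kty === 'RSA') return [...RSA_ALGS];
  if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return ['EdDSA'];
  return [];
}

// Metadata list derived from the keys actually published in the JWKS, plus
// RS256, which OpenID Connect Discovery 1.0 says MUST be listed.
function advertisedAlgorithmsFromJwks(jwks) {
  const algs = new Set(jwks.keys.flatMap(algorithmsForJwk));
  algs.add('RS256');
  return [...algs].sort();
}

// Decode only the JOSE header of a compact JWS; no signature verification.
function decodeJwtHeader(token) {
  const headerB64 = token.split('.')[0];
  return JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
}

// Returns a list of findings; an empty list means metadata, JWKS and token agree.
function checkOidcConsistency(discovery, jwks, idToken) {
  const findings = [];
  const advertised = new Set(discovery.id_token_signing_alg_values_supported || []);
  if (!advertised.has('RS256')) findings.push('metadata does not list RS256');

  const keyAlgs = new Set(jwks.keys.flatMap(algorithmsForJwk));
  for (const alg of keyAlgs) {
    if (!advertised.has(alg)) findings.push(`JWKS can sign ${alg} but metadata does not advertise it`);
  }

  const header = decodeJwtHeader(idToken);
  if (!advertised.has(header.alg)) findings.push(`token signed with ${header.alg}, which metadata does not advertise`);
  if (!keyAlgs.has(header.alg)) findings.push(`no JWKS key can verify ${header.alg}`);
  if (header.kid && !jwks.keys.some(k => k.kid === header.kid)) findings.push(`token kid ${header.kid} not present in JWKS`);
  return findings;
}

// Constructed sample mirroring the report: metadata advertises only RS256, the
// JWKS holds a single P-256 key, and the token header says ES256. The key
// coordinates are placeholders; they are never parsed here.
const SAMPLE_DISCOVERY = {
  issuer: 'http://localhost:7007/api/auth',
  id_token_signing_alg_values_supported: ['RS256'],
};
const SAMPLE_JWKS = {
  keys: [{ kty: 'EC', crv: 'P-256', kid: 'key-1', use: 'sig', x: 'constructed-x', y: 'constructed-y' }],
};

// Build an unsigned token with the given header (signature is a dummy segment).
function makeUnsignedToken(header) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc({ sub: 'user:default/example' })}.sig`;
}
const SAMPLE_TOKEN = makeUnsignedToken({ alg: 'ES256', kid: 'key-1', typ: 'JWT' });

// Run the check against the mismatched metadata, then against metadata
// derived from the JWKS, and return both results.
function demo() {
  const before = checkOidcConsistency(SAMPLE_DISCOVERY, SAMPLE_JWKS, SAMPLE_TOKEN);
  const fixed = {
    ...SAMPLE_DISCOVERY,
    id_token_signing_alg_values_supported: advertisedAlgorithmsFromJwks(SAMPLE_JWKS),
  };
  const after = checkOidcConsistency(fixed, SAMPLE_JWKS, SAMPLE_TOKEN);
  return { before, after, advertised: fixed.id_token_signing_alg_values_supported };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

On the sample the first run reports two findings (the JWKS can sign ES256 but the metadata does not say so, and the token is signed with ES256 which is not advertised); after the advertised list is rebuilt from the JWKS it reports none. Listing a broader runtime-supported set, as the later comment suggests, also passes this check as long as RS256 stays in the list and every algorithm the published keys can use is included.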

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Rugvip commented 1 year ago

Tbh I don't think the list needs to be particularly accurate or list only the algorithms that are currently in use by existing keys. It should be alright to list a broader set of possible algorithms that we support instead? Would just hate to introduce the additional complexity and overhead of DB access on that endpoint tbh.

github-actions[bot] commented 11 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.