backstage / backstage

Backstage is an open framework for building developer portals
https://backstage.io/
Apache License 2.0

Latest release 1.24.0 breaks GitHub auth #23748

Closed pogo61 closed 3 months ago

pogo61 commented 3 months ago

📜 Description

I've been trying for the last day to get GitHub auth working, after upgrading to the latest release, assuming it was my fault, even though my config hasn't changed. Then I noticed that the latest release introduced breaking changes to the auth providers. I downloaded release 1.23.4 and built it and it is working as before. It would be nice if you had made sure the auth provider plugins worked before releasing these changes.

👍 Expected behavior

Return a HTTP 200

👎 Actual Behavior with Screenshots

This is the error response gotten when trying to auth against GitHub using a GitHub App and the PAT:

"error": {
        "name": "NotFoundError",
        "message": "Unknown auth provider 'github'",
        "stack": "NotFoundError: Unknown auth provider 'github'\n    at <anonymous> (/Users/paulpog/backstage/node_modules/@backstage/plugin-auth-backend/src/service/router.ts:161:11)\n    at handleReturn (/Users/paulpog/backstage/node_modules/express-promise-router/lib/express-promise-router.js:24:23)\n    at /Users/paulpog/backstage/node_modules/express-promise-router/lib/express-promise-router.js:64:7\n    at Layer.handle [as handle_request] (/Users/paulpog/backstage/node_modules/express/lib/router/layer.js:95:5)\n    at trim_prefix (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:328:13)\n    at /Users/paulpog/backstage/node_modules/express/lib/router/index.js:286:9\n    at param (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:365:14)\n    at param (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:376:14)\n    at Function.process_params (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:421:3)\n    at next (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:280:10)\n    at /Users/paulpog/backstage/node_modules/express/lib/router/index.js:646:15\n    at next (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:265:14)\n    at Function.handle (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:175:3)\n    at router (/Users/paulpog/backstage/node_modules/express/lib/router/index.js:47:12)\n    at handleReturn (/Users/paulpog/backstage/node_modules/express-promise-router/lib/express-promise-router.js:24:23)\n    at router (/Users/paulpog/backstage/node_modules/express-promise-router/lib/express-promise-router.js:64:7)"
    },
    "request": {
        "method": "GET",
        "url": "/api/auth/github/refresh?optional&scope=read%3Auser&env=development"
    },
    "response": {
        "statusCode": 404
    }
} 

👟 Reproduction steps

settings->Authentication Providers -> choose GitHub->sign in

📃 Provide the context for the Bug.

No response

🖥️ Your Environment

local installation of backstage with env:development

👀 Have you spent some time to check if this bug has been raised before?

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

HiGein commented 3 months ago

Having the same issue. Did all the steps as @sivaprasadreddy, now something different appeared:

Login failed, user profile does not contain an email

UPD. Fixed by making my email visible in GitHub and selecting it in settings.

freben commented 3 months ago

Alright, I think we'll consider this a general "migration questions" thread at this point, rather than an actual underlying issue to be fixed. That's perfectly fine, but just noting that if I understand things correctly, there are no actionable outcomes besides docs improvements which we agree really are needed. I'll close for now, but of course it stays around and is searchable and hopefully helps others who encounter the same type of situations.

bluu926 commented 3 months ago

I got this to work by adding the resolvers above and updating examples/org.yaml to my own user, but how do we add more users or can we use a github Team instead?

freben commented 3 months ago

@bluu926 You are meant to add a catalog integration with some provider of actual user/group data, like ldap or whatnot. See the different "Org" sections under https://backstage.io/docs/integrations/

vinzscam commented 3 months ago

I got this to work by adding the resolvers above and updating examples/org.yaml to my own user, but how do we add more users or can we use a github Team instead?

You probably need to use the appropriate resolver in your app-config.yaml. Depending on your use case you might want to choose between emailMatchingUserEntityProfileEmail, emailLocalPartMatchingUserEntityName or usernameMatchingUserEntityName

Estehsan commented 2 months ago

I followed every step, yet I'm still encountering an error when trying to log in with Microsoft.

Login failed; caused by Error: Failed to sign-in, unable to resolve user identity

vinzscam commented 2 months ago

I followed every step, yet I'm still encountering an error when trying to log in with Microsoft.

Login failed; caused by Error: Failed to sign-in, unable to resolve user identity

Hi @Estehsan, does your app-config.yaml contain the following?

auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: ${AZURE_CLIENT_ID}
        clientSecret: ${AZURE_CLIENT_SECRET}
        tenantId: ${AZURE_TENANT_ID}
        signIn:
          resolvers:
            # one of the following resolvers
            - resolver: emailMatchingUserEntityAnnotation
            - resolver: emailMatchingUserEntityProfileEmail
            - resolver: emailLocalPartMatchingUserEntityName

the error you are getting is due to the fact that either you don't have any resolver in place or none of your resolvers can match the provided user, meaning that the ingestion in the catalog isn't working as it should

cc @Sarabadu 😅

sara4dev commented 2 months ago

I followed every step, yet I'm still encountering an error when trying to log in with Microsoft.

Login failed; caused by Error: Failed to sign-in, unable to resolve user identity

@Estehsan - I got into the same issue too. It turns out I need to have the user ingested into the system (via Azure integrations) that should match the user trying to login.

paco-sparta commented 2 months ago

The patch I applied is below. Note that you'll need to import the entities as I mentioned on this message: https://github.com/backstage/backstage/issues/23748#issuecomment-2066290169

diff --git a/app-config.yaml b/app-config.yaml
index 248cff1..416b120 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -66,6 +66,13 @@ auth:
   # see https://backstage.io/docs/auth/ to learn about auth providers
   providers:
     # See https://backstage.io/docs/auth/guest/provider
+    github:
+      development:
+        clientId: XXX
+        clientSecret: YYY
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
     guest: {}

 scaffolder:
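
Review bot: `clientId: XXX` and `clientSecret: YYY` place the OAuth credentials as literals in app-config.yaml, which this diff shows is a tracked file; read them from the environment instead, for example `clientId: ${AUTH_GITHUB_CLIENT_ID}` and `clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}` (variable names are placeholders), the same substitution form the Microsoft example earlier in this thread uses. The `usernameMatchingUserEntityName` line also deserves a comment saying that it only resolves when a matching User entity exists in the catalog, since the examples/org.yaml hunk is what makes it work.
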
diff --git a/examples/org.yaml b/examples/org.yaml
index a10e81f..2dbbda9 100644
--- a/examples/org.yaml
+++ b/examples/org.yaml
@@ -15,3 +15,12 @@ metadata:
 spec:
   type: team
   children: []
+---
+# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user
+apiVersion: backstage.io/v1alpha1
+kind: User
+metadata:
+  name: paco-sparta
+spec:
+  memberOf: [guests]
+---
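
Review bot: `name: paco-sparta` hard-codes one account into examples/org.yaml, and the `usernameMatchingUserEntityName` resolver added in the app-config.yaml hunk only signs in a user whose GitHub username equals this `metadata.name`. Add a comment above `metadata:` stating that the name must be replaced with the reader's own GitHub username, because anyone who applies the patch unchanged gets a User entity for the wrong account.
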
diff --git a/packages/app/src/App.tsx b/packages/app/src/App.tsx
index f751cf6..51aa0e5 100644
--- a/packages/app/src/App.tsx
+++ b/packages/app/src/App.tsx
@@ -26,6 +26,8 @@ import { apis } from './apis';
 import { entityPage } from './components/catalog/EntityPage';
 import { searchPage } from './components/search/SearchPage';
 import { Root } from './components/Root';
+import { githubAuthApiRef } from '@backstage/core-plugin-api';
+import { AutoLogout } from '@backstage/core-components';

 import {
   AlertDisplay,
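
Review bot: `import { AutoLogout } from '@backstage/core-components';` is unrelated to registering the GitHub provider; together with the `<AutoLogout />` element added further down it changes session behaviour for every signed-in user and comes with no explanation. Split it into a separate change or add a comment saying why it is wanted. The two new imports are also appended after the local `./components/...` imports, while the package imports sit in the block that follows; moving them there keeps the grouping consistent.
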
@@ -58,7 +60,21 @@ const app = createApp({
     });
   },
   components: {
-    SignInPage: props => <SignInPage {...props} auto providers={['guest']} />,
+    SignInPage: props => (
+      <SignInPage
+        {...props}
+        auto
+        providers={[
+          'guest',
+          {
+            id: 'github-auth-provider',
+            title: 'GitHub',
+            message: 'Sign in using GitHub',
+            apiRef: githubAuthApiRef,
+          },
+        ]}
+      />
+    ),
   },
 });
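
Review bot: `'guest'` stays in the `providers` array next to the new GitHub entry, so guest sign-in is still offered on the sign-in page alongside GitHub. If the goal is GitHub-only sign-in anywhere beyond local development, remove `'guest'` here. The inline provider object would also read better as a named constant declared above `createApp`.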

@@ -107,6 +123,7 @@ export default app.createRoot(
   <>
     <AlertDisplay />
     <OAuthRequestDialog />
+    <AutoLogout />
     <AppRouter>
       <Root>{routes}</Root>
     </AppRouter>
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 44fde69..6fdd0a9 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -17,6 +17,7 @@ backend.add(import('@backstage/plugin-techdocs-backend/alpha'));

 // auth plugin
 backend.add(import('@backstage/plugin-auth-backend'));
+backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
 // See https://github.com/backstage/backstage/blob/master/docs/auth/guest/provider.md
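
Review bot: the added `backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));` line has no dependency change to go with it: no package.json is among the four files in this patch, so the package also has to be added to the backend's dependencies and the patch should say so. The line is inserted between the auth plugin and the `// See ...migrating#the-auth-plugin` comment; placing it after the guest provider lines, with its own comment, keeps each comment next to the line it documents.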

Chilinot commented 2 months ago

The patch I applied:

diff --git a/app-config.yaml b/app-config.yaml
index 248cff1..416b120 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -66,6 +66,13 @@ auth:
   # see https://backstage.io/docs/auth/ to learn about auth providers
   providers:
     # See https://backstage.io/docs/auth/guest/provider
+    github:
+      development:
+        clientId: XXX
+        clientSecret: YYY
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
     guest: {}

 scaffolder:
diff --git a/examples/org.yaml b/examples/org.yaml
index a10e81f..2dbbda9 100644
--- a/examples/org.yaml
+++ b/examples/org.yaml
@@ -15,3 +15,12 @@ metadata:
 spec:
   type: team
   children: []
+---
+# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user
+apiVersion: backstage.io/v1alpha1
+kind: User
+metadata:
+  name: paco-sparta
+spec:
+  memberOf: [guests]
+---
diff --git a/packages/app/src/App.tsx b/packages/app/src/App.tsx
index f751cf6..51aa0e5 100644
--- a/packages/app/src/App.tsx
+++ b/packages/app/src/App.tsx
@@ -26,6 +26,8 @@ import { apis } from './apis';
 import { entityPage } from './components/catalog/EntityPage';
 import { searchPage } from './components/search/SearchPage';
 import { Root } from './components/Root';
+import { githubAuthApiRef } from '@backstage/core-plugin-api';
+import { AutoLogout } from '@backstage/core-components';

 import {
   AlertDisplay,
@@ -58,7 +60,21 @@ const app = createApp({
     });
   },
   components: {
-    SignInPage: props => <SignInPage {...props} auto providers={['guest']} />,
+    SignInPage: props => (
+      <SignInPage
+        {...props}
+        auto
+        providers={[
+          'guest',
+          {
+            id: 'github-auth-provider',
+            title: 'GitHub',
+            message: 'Sign in using GitHub',
+            apiRef: githubAuthApiRef,
+          },
+        ]}
+      />
+    ),
   },
 });

@@ -107,6 +123,7 @@ export default app.createRoot(
   <>
     <AlertDisplay />
     <OAuthRequestDialog />
+    <AutoLogout />
     <AppRouter>
       <Root>{routes}</Root>
     </AppRouter>
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 44fde69..6fdd0a9 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -17,6 +17,7 @@ backend.add(import('@backstage/plugin-techdocs-backend/alpha'));

 // auth plugin
 backend.add(import('@backstage/plugin-auth-backend'));
+backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));
 // See https://github.com/backstage/backstage/blob/master/docs/auth/guest/provider.md

Thanks a lot! However, even after applying these exact patches on a new backstage installation I am still getting Login failed; caused by Error: Failed to sign-in, unable to resolve user identity when trying to authenticate.

Chilinot commented 2 months ago

This is what my app-config.yml looks like:

auth:
  environment: development
  # see https://backstage.io/docs/auth/ to learn about auth providers
  providers:
    # See https://backstage.io/docs/auth/guest/provider
    guest: {}
    github:
      development:
        clientId: 'xxx'
        clientSecret: 'xxx'
        signIn:
          resolvers:
            - resolver: usernameMatchingUserEntityName

Chilinot commented 2 months ago

Turns out I missed this patch:

diff --git a/examples/org.yaml b/examples/org.yaml
index a10e81f..2dbbda9 100644
--- a/examples/org.yaml
+++ b/examples/org.yaml
@@ -15,3 +15,12 @@ metadata:
 spec:
   type: team
   children: []
+---
+# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user
+apiVersion: backstage.io/v1alpha1
+kind: User
+metadata:
+  name: chilinot
+spec:
+  memberOf: [guests]
+---
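
Review bot: the final `+---` after `memberOf: [guests]` starts another YAML document that has no content. End the file after the User entity, and keep a `---` separator only when another entity follows it.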

paco-sparta commented 2 months ago

Yeah, you need another plugin to import your User + Group + Repo entities from github.

backend.add(import('@backstage/plugin-catalog-backend-module-github/alpha'));
backend.add(import('@backstage/plugin-catalog-backend-module-github-org'));

integrations:
  github:
    - host: github.com
      # Personal Access Token
      token: ghp_XXXX

....

catalog:
  import:
    entityFilename: catalog-info.yaml
    pullRequestBranchName: backstage-integration
  providers:
    github:
      your-org-gh-provider:
        organization: <yourOrg>
        schedule:
          frequency: PT30M
          timeout: PT30S
    githubOrg:
      id: <your-org>
      orgs: [<yourOrg>]
      githubUrl: https://github.com/
      schedule:
        frequency: PT30M
        timeout: PT30S

pogo61 commented 2 months ago

Yeah, you need another plugin to import your User + Group + Repo entities from github.

backend.add(import('@backstage/plugin-catalog-backend-module-github/alpha'));
backend.add(import('@backstage/plugin-catalog-backend-module-github-org'));

integrations:
  github:
    - host: github.com
      # Personal Access Token
      token: ghp_XXXX

....

catalog:
  import:
    entityFilename: catalog-info.yaml
    pullRequestBranchName: backstage-integration
  providers:
    github:
      your-org-gh-provider:
        organization: <yourOrg>
        schedule:
          frequency: PT30M
          timeout: PT30S
    githubOrg:
      id: <your-org>
      orgs: [<yourOrg>]
      githubUrl: https://github.com/
      schedule:
        frequency: PT30M
        timeout: PT30S

I disagree.

paco-sparta commented 2 months ago

Obviously hardcoding the users will also work. Pulling from the org keeps it up-to-date and doesn't require redeploying whenever a dev joins or leaves the company.

pogo61 commented 2 months ago

Obviously hardcoding the users will also work. Pulling from the org keeps it up-to-date and doesn't require redeploying whenever a dev joins or leaves the company.

There are many ways to do that, what I indicated was a way of bootstrapping Backstage so that you could use it. It would totally depend on what authentication integration you have defined as to what you do after that. BTW, a change to the base configuration will result in a re-initiation of Backstage without the need to redeploy.

shadygrove commented 1 month ago

I am going to try and summarize it all in one post for others. This is for enabling Github Auth:

Create an OAuth app in Github account under Developer Settings

Add auth section to app-config.yaml:

auth:
  # see https://backstage.io/docs/auth/ to learn about auth providers
  environment: development
  providers:
    github:
      development:
        clientId: 6cfd...9bd
        clientSecret: 7695...546c
        signIn:
          resolvers:
            # Only one of these
            - resolver: emailMatchingUserEntityProfileEmail
            - resolver: emailLocalPartMatchingUserEntityName
            - resolver: usernameMatchingUserEntityName

NOTE: the resolvers used are dependent on the auth provider being used!

Update the Frontend. Add the following to packages/app/src/App.tsx

import { githubAuthApiRef } from '@backstage/core-plugin-api';

const githubAuthCfg = {
  id: 'github-auth-provider',
  title: 'GitHub',
  message: 'Sign in using GitHub',
  apiRef: githubAuthApiRef,
};

...

components: {
    SignInPage: props => <SignInPage {...props} auto providers={['guest', githubAuthCfg]} />,
},

Update the Backend: add github provider import in packages/backend/src/index.ts:

backend.add(import('@backstage/plugin-auth-backend-module-github-provider'));

Make sure your Github user is defined in examples/org.yaml

# https://backstage.io/docs/features/software-catalog/descriptor-format#kind-user
apiVersion: backstage.io/v1alpha1
kind: User
metadata:
  name: <github-username>
spec:
  memberOf: [guests]

Hope that helps the next person that comes along. This was a bit tricky to track down for this Backstage newbie that simply wanted to do a local run to explore.
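
Added example (not part of the thread and not Backstage source code): a simplified model of how the three resolvers named above pair a provider profile with a catalog User entity, to show why "unable to resolve user identity" appears when no entity matches. It assumes resolvers are tried in order and that comparison ignores case; the entity and profile data are constructed.

```typescript
// Simplified model of resolver matching; names of types and functions are hypothetical.
type UserEntity = { metadata: { name: string }; spec: { profile?: { email?: string } } };
type Profile = { username?: string; email?: string };
type Attempt = { resolver: string; key: string | undefined; matched: boolean };
type Diagnosis = { entityRef: string | null; error?: string; attempts: Attempt[] };
type Rule = {
  key: (p: Profile) => string | undefined; // value taken from the provider profile
  field: (u: UserEntity) => string | undefined; // catalog field it must equal
};

// The three resolver names that appear in this thread.
const RULES: Record<string, Rule> = {
  usernameMatchingUserEntityName: { key: p => p.username, field: u => u.metadata.name },
  emailLocalPartMatchingUserEntityName: {
    key: p => p.email?.split('@')[0],
    field: u => u.metadata.name,
  },
  emailMatchingUserEntityProfileEmail: {
    key: p => p.email,
    field: u => u.spec.profile?.email,
  },
};

// Assumption of this model: comparison ignores case.
const same = (a: string, b: string): boolean => a.toLowerCase() === b.toLowerCase();

// Tries the configured resolvers in order (assumed) and records why each hit or missed.
function diagnoseSignIn(configured: string[], profile: Profile, catalog: UserEntity[]): Diagnosis {
  const attempts: Attempt[] = [];
  for (const name of configured) {
    const rule = RULES[name];
    if (!rule) throw new Error(`resolver not modelled here: ${name}`);
    const key = rule.key(profile);
    const hit = key === undefined ? undefined : catalog.find(u => {
      const value = rule.field(u);
      return value !== undefined && same(value, key);
    });
    attempts.push({ resolver: name, key, matched: hit !== undefined });
    if (hit) return { entityRef: `user:default/${hit.metadata.name.toLowerCase()}`, attempts };
  }
  return { entityRef: null, error: 'Failed to sign-in, unable to resolve user identity', attempts };
}

// Constructed data: one hand-written User entity (as in examples/org.yaml) with no e-mail.
const handWrittenCatalog: UserEntity[] = [{ metadata: { name: 'jane-doe' }, spec: {} }];
const githubProfile: Profile = { username: 'jane-doe', email: 'jane@example.com' };

// E-mail resolver misses (entity has no spec.profile.email); username resolver hits.
console.log(diagnoseSignIn(['emailMatchingUserEntityProfileEmail'], githubProfile, handWrittenCatalog));
console.log(diagnoseSignIn(['usernameMatchingUserEntityName'], githubProfile, handWrittenCatalog));
// An empty catalog (no ingestion configured) fails whichever resolver is chosen.
console.log(diagnoseSignIn(['usernameMatchingUserEntityName'], githubProfile, []));
```

The `attempts` list shows which profile value each resolver looked for, which is the first thing to compare against the User entities actually present in the catalog.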

awanlin commented 1 month ago

Hope that helps the next person that comes along. This was a bit tricky to track down for this Backstage newbie that simply wanted to do a local run to explore.

Hi @shadygrove, sorry you had issues with this, the docs for sure have not been helpful. I've been slowly working to fix this in many areas. If you are open to it, I would like to get some feedback: was the issue that there were no docs at all or that they were spread out in a way that made them hard to find? If you'd rather chat on the Backstage Discord that works too, I'm Ahhhndre there.

shadygrove commented 1 month ago

@awanlin thanks for reaching out. I will follow up on Discord to prevent this issue from getting sidetracked in unrelated discussion.

hungryengineer commented 1 month ago

Got it working

hungryengineer commented 1 month ago

  • Update app-config.yaml
  • Update packages/app/src/App.tsx
  • Update packages/backend/src/index.ts
  • Update examples/org.yaml to change "guest" to my GH username. got it working Thanks

joebowbeer commented 1 month ago

@freben @paco-sparta wrote:

Yeah, you need another plugin to import your User + Group + Repo entities from github.

backend.add(import('@backstage/plugin-catalog-backend-module-github/alpha'));
backend.add(import('@backstage/plugin-catalog-backend-module-github-org'));

catalog:
  providers:
    githubOrg:
      id: <your-org>
      orgs: [<yourOrg>]
      githubUrl: https://github.com/
      schedule:
        frequency: PT30M
        timeout: PT30S

How were the users ingested in the old version?

Can someone explain the following error?

I'm seeing an unresolved user failure only when I run backstage locally, but it works in the cloud. I noticed that the githubOrg catalog provider is missing from app-config. That would explain the local failure. But how is it working in the cloud? Could it be running with stale user data left behind by the old version?

Update: After adding githubOrg catalog provider, sign-in now works locally.

However, I did overcome two additional obstacles in the process:

joxondavis commented 2 weeks ago

Hello, I am new to backstage and able to solve sign in issue locally with https://github.com/backstage/backstage/issues/23748#issuecomment-2094010722, but still it is not working for docker image which is created as part of https://backstage.io/docs/deployment/k8s/. Error I am getting is "Login failed; caused by Error: Failed to sign-in, unable to resolve user identity". I am using a GitHub App for auth.