Closed ryan-hanchett closed 1 week ago
Package Name | Package Path | Changeset Bump | Current Version |
---|---|---|---|
@backstage/backend-app-api | packages/backend-app-api | patch | v0.7.3 |
@Rugvip a thought about naming/targeting - should it be
oidc
or openid
/.well-known/openid-configuration
and the JWKS uri from there automatically That's sort of the actual use case being targeted right? Feels like an end user would appreciate the framing of that, and knowing how to ask for and insert the common auth server url rather than the more technical implementation dependant JWKS?
@freben hmm, JWKS endpoints are used for more than just OIDC. I'm thinking that we consider that as an addition, but as a base feature set I think the existing structure makes sense?
@freben I like the idea of calculating the jwks endpoint based on the openid-configuration. Perhaps we could add an additional config where users could provide the base server or the direct JWKS url, or we could add an additional token handler so we have both jwks
and oidc
to give users flexibility but keep them separate.
Happy to do that as a follow-up PR or to make the changes here, whatever makes the most sense.
Yep so if the given url doesn't contain ".well-known", do A, otherwise do B. There's possibilities for future smarts as additions to the basic feature as followups
Prolly need to be a bit more explicit though, JWKS endpoints don't always contain .well-known
, e.g. https://login.microsoftonline.com/common/discovery/v2.0/keys
Alright, makes sense then to keep this one explicit, thanks!
Any other changes/improvements ya'll want me to make on this existing PR?
Was the merge-after-release
added for ^1.27.0
? Or is there another release we're waiting for that I can communicate back to my team?
It was, yes, we've just been busy.
Understood, no worries! Thanks for getting back to me so quickly!
Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.28.0
release, scheduled for Tue, 18 Jun 2024.
Uffizzi Cluster pr-24681
was deleted.
kept working on this one a bit since we have a hackweek and i am poking around in the vicinity of that code right now :)
Hey, I just made a Pull Request!
Re-opening from #24679 after I got into some trouble with git.
This pull request builds on BEP-07 to expand the ExternalTokenHandler to support a configured JWKS auth strategy. This allows external callers to use 3rd party authentication via JWKS, enabling greater flexibility in providing ways to auth with Backstage via signed tokens.
A potential area of improvement for future PRs would be to move the TokenFactory used in the tests into the backend-test-utils plugin, since it is used with near-identical patterns in the jwks.test.ts file, as well as plugins/auth-node/src/identity/DefaultIdentityClient.test.ts, and plugins/auth-node/src/identity/IdentityClient.test.ts.
:heavy_check_mark: Checklist
Signed-off-by
line in the message. (more info)