backstage / backstage

Backstage is an open framework for building developer portals
https://backstage.io/
Apache License 2.0

🐛 Bug Report: microsoft authenticator not working #25725

Open crazy-canux opened 1 month ago

crazy-canux commented 1 month ago

📜 Description

After upgrading from 1.25 to 1.29, the Microsoft authenticator is not working.

👍 Expected behavior

SSO login works.

👎 Actual Behavior with Screenshots

SSO login is not working; it always says "Approval required".

👟 Reproduction steps

Follow the official guide. Debug locally.

📃 Provide the context for the Bug.

auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: ******
        tenantId: ******
        clientSecret: ******
        additionalScopes:
          - Mail.Send
        signIn:
          resolvers:
            - resolver: emailMatchingUserEntityProfileEmail

🖥️ Your Environment

OS:   Darwin 23.5.0 - darwin/arm64
node: v18.20.3
yarn: 3.8.1
cli:  0.26.11 (local)
backstage:  N/A

Dependencies:
  @backstage/app-defaults                                            0.0.0-use.local
  @backstage/backend-app-api                                         0.0.0-use.local
  @backstage/backend-common                                          0.0.0-use.local
  @backstage/backend-defaults                                        0.0.0-use.local
  @backstage/backend-dev-utils                                       0.0.0-use.local
  @backstage/backend-dynamic-feature-service                         0.0.0-use.local
  @backstage/backend-openapi-utils                                   0.0.0-use.local
  @backstage/backend-plugin-api                                      0.0.0-use.local
  @backstage/backend-tasks                                           0.0.0-use.local
  @backstage/backend-test-utils                                      0.0.0-use.local
  @backstage/catalog-client                                          0.0.0-use.local
  @backstage/catalog-model                                           0.0.0-use.local
  @backstage/cli-common                                              0.0.0-use.local
  @backstage/cli-node                                                0.0.0-use.local
  @backstage/cli                                                     0.0.0-use.local
  @backstage/codemods                                                0.0.0-use.local
  @backstage/config-loader                                           0.0.0-use.local
  @backstage/config                                                  0.0.0-use.local
  @backstage/core-app-api                                            0.0.0-use.local
  @backstage/core-compat-api                                         0.0.0-use.local
  @backstage/core-components                                         0.0.0-use.local, 0.13.10
  @backstage/core-plugin-api                                         0.0.0-use.local
  @backstage/create-app                                              0.0.0-use.local
  @backstage/dev-utils                                               0.0.0-use.local
  @backstage/e2e-test-utils                                          0.0.0-use.local
  @backstage/errors                                                  0.0.0-use.local
  @backstage/eslint-plugin                                           0.0.0-use.local
  @backstage/frontend-app-api                                        0.0.0-use.local
  @backstage/frontend-plugin-api                                     0.0.0-use.local
  @backstage/frontend-test-utils                                     0.0.0-use.local
  @backstage/integration-aws-node                                    0.0.0-use.local
  @backstage/integration-react                                       0.0.0-use.local
  @backstage/integration                                             0.0.0-use.local
  @backstage/plugin-api-docs-module-protoc-gen-doc                   0.0.0-use.local
  @backstage/plugin-api-docs                                         0.0.0-use.local
  @backstage/plugin-app-backend                                      0.0.0-use.local
  @backstage/plugin-app-node                                         0.0.0-use.local
  @backstage/plugin-app-visualizer                                   0.0.0-use.local
  @backstage/plugin-auth-backend-module-atlassian-provider           0.0.0-use.local
  @backstage/plugin-auth-backend-module-aws-alb-provider             0.0.0-use.local
  @backstage/plugin-auth-backend-module-azure-easyauth-provider      0.0.0-use.local
  @backstage/plugin-auth-backend-module-bitbucket-provider           0.0.0-use.local
  @backstage/plugin-auth-backend-module-cloudflare-access-provider   0.0.0-use.local
  @backstage/plugin-auth-backend-module-gcp-iap-provider             0.0.0-use.local
  @backstage/plugin-auth-backend-module-github-provider              0.0.0-use.local
  @backstage/plugin-auth-backend-module-gitlab-provider              0.0.0-use.local
  @backstage/plugin-auth-backend-module-google-provider              0.0.0-use.local
  @backstage/plugin-auth-backend-module-guest-provider               0.0.0-use.local
  @backstage/plugin-auth-backend-module-microsoft-provider           0.0.0-use.local
  @backstage/plugin-auth-backend-module-oauth2-provider              0.0.0-use.local
  @backstage/plugin-auth-backend-module-oauth2-proxy-provider        0.0.0-use.local
  @backstage/plugin-auth-backend-module-oidc-provider                0.0.0-use.local
  @backstage/plugin-auth-backend-module-okta-provider                0.0.0-use.local
  @backstage/plugin-auth-backend-module-onelogin-provider            0.0.0-use.local
  @backstage/plugin-auth-backend-module-pinniped-provider            0.0.0-use.local
  @backstage/plugin-auth-backend-module-vmware-cloud-provider        0.0.0-use.local
  @backstage/plugin-auth-backend                                     0.0.0-use.local
  @backstage/plugin-auth-node                                        0.0.0-use.local
  @backstage/plugin-auth-react                                       0.0.0-use.local
  @backstage/plugin-bitbucket-cloud-common                           0.0.0-use.local
  @backstage/plugin-catalog-backend-module-aws                       0.0.0-use.local
  @backstage/plugin-catalog-backend-module-azure                     0.0.0-use.local
  @backstage/plugin-catalog-backend-module-backstage-openapi         0.0.0-use.local
  @backstage/plugin-catalog-backend-module-bitbucket-cloud           0.0.0-use.local
  @backstage/plugin-catalog-backend-module-bitbucket-server          0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gcp                       0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gerrit                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-github-org                0.0.0-use.local
  @backstage/plugin-catalog-backend-module-github                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gitlab-org                0.0.0-use.local
  @backstage/plugin-catalog-backend-module-gitlab                    0.0.0-use.local
  @backstage/plugin-catalog-backend-module-incremental-ingestion     0.0.0-use.local
  @backstage/plugin-catalog-backend-module-ldap                      0.0.0-use.local
  @backstage/plugin-catalog-backend-module-logs                      0.0.0-use.local
  @backstage/plugin-catalog-backend-module-msgraph                   0.0.0-use.local
  @backstage/plugin-catalog-backend-module-openapi                   0.0.0-use.local
  @backstage/plugin-catalog-backend-module-puppetdb                  0.0.0-use.local
  @backstage/plugin-catalog-backend-module-scaffolder-entity-model   0.0.0-use.local
  @backstage/plugin-catalog-backend-module-unprocessed               0.0.0-use.local
  @backstage/plugin-catalog-backend                                  0.0.0-use.local
  @backstage/plugin-catalog-common                                   0.0.0-use.local
  @backstage/plugin-catalog-graph                                    0.0.0-use.local
  @backstage/plugin-catalog-import                                   0.0.0-use.local
  @backstage/plugin-catalog-node                                     0.0.0-use.local
  @backstage/plugin-catalog-react                                    0.0.0-use.local
  @backstage/plugin-catalog-unprocessed-entities-common              0.0.0-use.local
  @backstage/plugin-catalog-unprocessed-entities                     0.0.0-use.local
  @backstage/plugin-catalog                                          0.0.0-use.local
  @backstage/plugin-config-schema                                    0.0.0-use.local
  @backstage/plugin-devtools-backend                                 0.0.0-use.local
  @backstage/plugin-devtools-common                                  0.0.0-use.local
  @backstage/plugin-devtools                                         0.0.0-use.local
  @backstage/plugin-events-backend-module-aws-sqs                    0.0.0-use.local
  @backstage/plugin-events-backend-module-azure                      0.0.0-use.local
  @backstage/plugin-events-backend-module-bitbucket-cloud            0.0.0-use.local
  @backstage/plugin-events-backend-module-gerrit                     0.0.0-use.local
  @backstage/plugin-events-backend-module-github                     0.0.0-use.local
  @backstage/plugin-events-backend-module-gitlab                     0.0.0-use.local
  @backstage/plugin-events-backend-test-utils                        0.0.0-use.local
  @backstage/plugin-events-backend                                   0.0.0-use.local
  @backstage/plugin-events-node                                      0.0.0-use.local
  @backstage/plugin-home-react                                       0.0.0-use.local
  @backstage/plugin-home                                             0.0.0-use.local
  @backstage/plugin-kubernetes-backend                               0.0.0-use.local
  @backstage/plugin-kubernetes-cluster                               0.0.0-use.local
  @backstage/plugin-kubernetes-common                                0.0.0-use.local
  @backstage/plugin-kubernetes-node                                  0.0.0-use.local
  @backstage/plugin-kubernetes-react                                 0.0.0-use.local
  @backstage/plugin-kubernetes                                       0.0.0-use.local
  @backstage/plugin-notifications-backend-module-email               0.0.0-use.local
  @backstage/plugin-notifications-backend                            0.0.0-use.local
  @backstage/plugin-notifications-common                             0.0.0-use.local
  @backstage/plugin-notifications-node                               0.0.0-use.local
  @backstage/plugin-notifications                                    0.0.0-use.local
  @backstage/plugin-org-react                                        0.0.0-use.local
  @backstage/plugin-org                                              0.0.0-use.local
  @backstage/plugin-permission-backend-module-allow-all-policy       0.0.0-use.local
  @backstage/plugin-permission-backend                               0.0.0-use.local
  @backstage/plugin-permission-common                                0.0.0-use.local
  @backstage/plugin-permission-node                                  0.0.0-use.local
  @backstage/plugin-permission-react                                 0.0.0-use.local
  @backstage/plugin-proxy-backend                                    0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-azure                  0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-bitbucket-cloud        0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-bitbucket-server       0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-bitbucket              0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-confluence-to-markdown 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-cookiecutter           0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-gcp                    0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-gerrit                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-gitea                  0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-github                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-gitlab                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-notifications          0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-rails                  0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-sentry                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend-module-yeoman                 0.0.0-use.local
  @backstage/plugin-scaffolder-backend                               0.0.0-use.local
  @backstage/plugin-scaffolder-common                                0.0.0-use.local
  @backstage/plugin-scaffolder-node-test-utils                       0.0.0-use.local
  @backstage/plugin-scaffolder-node                                  0.0.0-use.local
  @backstage/plugin-scaffolder-react                                 0.0.0-use.local
  @backstage/plugin-scaffolder                                       0.0.0-use.local
  @backstage/plugin-search-backend-module-catalog                    0.0.0-use.local
  @backstage/plugin-search-backend-module-elasticsearch              0.0.0-use.local
  @backstage/plugin-search-backend-module-explore                    0.0.0-use.local
  @backstage/plugin-search-backend-module-pg                         0.0.0-use.local
  @backstage/plugin-search-backend-module-stack-overflow-collator    0.0.0-use.local
  @backstage/plugin-search-backend-module-techdocs                   0.0.0-use.local
  @backstage/plugin-search-backend-node                              0.0.0-use.local
  @backstage/plugin-search-backend                                   0.0.0-use.local
  @backstage/plugin-search-common                                    0.0.0-use.local
  @backstage/plugin-search-react                                     0.0.0-use.local
  @backstage/plugin-search                                           0.0.0-use.local
  @backstage/plugin-signals-backend                                  0.0.0-use.local
  @backstage/plugin-signals-node                                     0.0.0-use.local
  @backstage/plugin-signals-react                                    0.0.0-use.local
  @backstage/plugin-signals                                          0.0.0-use.local
  @backstage/plugin-techdocs-addons-test-utils                       0.0.0-use.local
  @backstage/plugin-techdocs-backend                                 0.0.0-use.local
  @backstage/plugin-techdocs-module-addons-contrib                   0.0.0-use.local
  @backstage/plugin-techdocs-node                                    0.0.0-use.local
  @backstage/plugin-techdocs-react                                   0.0.0-use.local
  @backstage/plugin-techdocs                                         0.0.0-use.local
  @backstage/plugin-user-settings-backend                            0.0.0-use.local
  @backstage/plugin-user-settings-common                             0.0.0-use.local
  @backstage/plugin-user-settings                                    0.0.0-use.local
  @backstage/release-manifests                                       0.0.0-use.local
  @backstage/repo-tools                                              0.0.0-use.local
  @backstage/test-utils                                              0.0.0-use.local
  @backstage/theme                                                   0.0.0-use.local
  @backstage/types                                                   0.0.0-use.local
  @backstage/version-bridge                                          0.0.0-use.local

👀 Have you spent some time to check if this bug has been raised before?

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

Rugvip commented 1 month ago

Hmm, could be that the required scopes have changed and they need to be approved over on the Microsoft end? I believe there might be an option to allow users to approve individual scopes as well if you are alright with that.

crazy-canux commented 1 month ago

@Rugvip, I don't think so, because it's working with 1.25. Nothing changed on Azure.

Following this guide https://backstage.io/docs/auth/identity-resolver#sign-in-without-users-in-the-catalog, I created packages/backend/src/auth.ts; it is still not working. I believe something changed in 1.29.

Rugvip commented 1 month ago

@crazy-canux alright. Could you provide a bit more information about when the error happens and if there are any clues in logs etc.?

crazy-canux commented 1 month ago

No errors in the logs. The difference is the "Approval required" popup in 1.29. Are there any changes to the "API permission" on Azure?


Rugvip commented 1 month ago

Are you able to easily try the old 1.25 version? I'm curious if that screen still appears on the old version or not. It does look like something that's been changed in the Microsoft configuration on your end rather than anything to do with the auth provider in Backstage, although I could be wrong about that ofc.

Rugvip commented 1 month ago

I realize a change that's happened between 1.25 and 1.29 is that the additionalScopes config has been fixed. Earlier it used to never be included, but it is now fixed and will always be included. It's likely that the addition of the Mail.Send scope is what breaks things here, and it should most likely be safe for you to remove it. If you do want it to be included you'll need to configure it in the list of defaultScopes in the frontend MicrosoftAuth implementation instead, due to how the Microsoft auth provider still manages multiple different auth clients for different resources through the frontend.

afscrome commented 1 month ago

That error suggests you need to provide admin consent to one or more permissions. Can you check you've followed the section on Admin Consent at https://backstage.io/docs/auth/microsoft/provider/#configure-app-registration-on-azure .

If you're asking for additional scopes, you'll probably need to grant admin consent for those too.

afscrome commented 1 month ago

Another question is do you really need the Mail.Send scope? If not, I'd just remove that. Mail.Send is included in the docs as an example at https://backstage.io/docs/auth/microsoft/provider/#configuration , but you probably don't want that unless you've built a custom plugin to send email.

Rugvip commented 1 month ago

Somewhat fixed by https://github.com/backstage/backstage/pull/25728. The Mail.Send scope was included in the configuration block in the docs, which I got rid of. In general I don't think we need to advertise the additionalScopes config quite that much.

crazy-canux commented 1 month ago

@Rugvip, @afscrome thanks for the help. After removing "Mail.Send", it's working. Like you mentioned, there is a bug; that's why the same configuration works with 1.25 but not with 1.29.

One more thing. After removing "Mail.Send", I got an error saying "user don't have email" after setting up "sign-in-without-users-in-catalog". https://backstage.io/docs/auth/identity-resolver#sign-in-without-users-in-the-catalog. Now, I use msgraph to import org data before login.
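An added example, not code from the thread or from the Backstage project, of the resolver logic behind the "user don't have email" error: the "sign-in without users in the catalog" pattern derives the user entity ref from the profile email, so a profile without one cannot be resolved and the resolver must reject it explicitly. The `Profile` and `AuthContext` types, the `fakeCtx` object and the `resolveSignIn` helper are assumed stand-ins for the Backstage `signInResolver` callback, not the real `@backstage/plugin-auth-node` types.

```typescript
// Assumed stand-ins for the Backstage sign-in resolver interfaces
// (not the real @backstage/plugin-auth-node types).
interface Profile {
  email?: string;
}

interface BackstageIdentityClaims {
  sub: string;
  ent: string[];
}

interface AuthContext {
  issueToken(opts: { claims: BackstageIdentityClaims }): { token: string };
}

// Approximation of Backstage entity-name rules: letters, digits and
// '-', '_' or '.' as separators, at most 63 characters.
const ENTITY_NAME_RE = /^[a-z0-9A-Z][a-z0-9A-Z_.-]{0,62}$/;

/**
 * Derive a `user:default/<name>` entity ref from the profile email, as the
 * "sign-in without users in the catalog" resolver does, with explicit
 * handling of the two failure modes a login can hit:
 *  - a profile without an email (the "user don't have email" case)
 *  - an email whose local part is not a valid entity name
 */
function userRefFromProfile(profile: Profile): string {
  const email = profile.email?.trim().toLowerCase();
  if (!email) {
    throw new Error(
      'Login failed: the identity provider did not return an email for this user',
    );
  }
  const at = email.indexOf('@');
  if (at <= 0 || at === email.length - 1) {
    throw new Error(`Login failed: "${email}" is not a valid email address`);
  }
  const localPart = email.slice(0, at);
  if (!ENTITY_NAME_RE.test(localPart)) {
    throw new Error(
      `Login failed: "${localPart}" cannot be used as a catalog entity name`,
    );
  }
  return `user:default/${localPart}`;
}

/** Resolver body: maps the profile to a token carrying sub/ent claims. */
async function resolveSignIn(
  profile: Profile,
  ctx: AuthContext,
): Promise<{ token: string }> {
  const userRef = userRefFromProfile(profile);
  return ctx.issueToken({ claims: { sub: userRef, ent: [userRef] } });
}

// Constructed fake context for local demonstration; Backstage supplies the real one.
const fakeCtx: AuthContext = {
  issueToken: ({ claims }) => ({ token: `fake-token-for:${claims.sub}` }),
};
```

With a real Backstage backend the body of `resolveSignIn` is what goes into the `signInResolver` option of the provider factory; the email check is what turns a silent "user don't have email" failure into an actionable login error.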

enryson commented 1 month ago

To me it is a good idea to include this description in the documentation.