Open crazy-canux opened 1 month ago
Hmm, could be that the required scopes have changed and they need to be approved over on the Microsoft end? I believe there might be an option to allow users to approve individual scopes as well if you are alright with that.
@Rugvip, I don't think so, because it's working with 1.25. Nothing changed on Azure.
Following this guide https://backstage.io/docs/auth/identity-resolver#sign-in-without-users-in-the-catalog, I created packages/backend/src/auth.ts, but it still does not work. I believe something changed in 1.29.
@crazy-canux alright. Could you provide a bit more information about when the error happens and if there are any clues in logs etc.?
No error in the logs. The difference is an "Approval required" popup in 1.29. Are there any changes about the "API permissions" on Azure?
Are you able to easily try the old 1.25 version? I'm curious if that screen still appears on the old version or not. It does look like something that's been changed in the Microsoft configuration on your end rather than anything to do with the auth provider in Backstage, although I could be wrong about that ofc.
I realize a change that's happened between 1.25 and 1.29 is that the `additionalScopes` config has been fixed. Earlier it used to never be included, but it is now fixed and will always be included. It's likely that the addition of the `Mail.Send` scope is what breaks things here, and it should most likely be safe for you to remove it. If you do want it to be included you'll need to configure it in the list of `defaultScopes` in the frontend `MicrosoftAuth` implementation instead, due to how the Microsoft auth provider still manages multiple different auth clients for different resources through the frontend.
That error suggests you need to provide admin consent to one or more permissions. Can you check you've followed the section on Admin Consent at https://backstage.io/docs/auth/microsoft/provider/#configure-app-registration-on-azure .
If you're asking for additional scopes, you'll probably need to grant admin consent for those too.
Another question is: do you really need the `Mail.Send` scope? If not, I'd just remove that. `Mail.Send` is included in the docs as an example at https://backstage.io/docs/auth/microsoft/provider/#configuration , but you probably don't want that unless you've built a custom plugin to send email.
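The configuration change discussed in the two comments above, as an added illustration that is not from this thread or the Backstage project: the `auth.providers.microsoft` block with the `Mail.Send` scope (which, since `additionalScopes` is now honoured, is requested on every login and triggers the admin-consent prompt) beside the minimal form. The `${AZURE_*}` values are placeholders, and `development` is an assumed environment name.

```yaml
# Over-privileged form: Mail.Send is a write permission on Microsoft Graph
# that an ordinary user cannot consent to, so Entra ID shows "Approval
# required" until a tenant admin grants it.
auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: ${AZURE_CLIENT_ID}           # placeholder
        clientSecret: ${AZURE_CLIENT_SECRET}   # placeholder
        tenantId: ${AZURE_TENANT_ID}           # placeholder
        additionalScopes:
          - Mail.Send
---
# Least-privilege form: drop additionalScopes entirely and rely on the
# provider's built-in sign-in scopes. Only add a scope here if a plugin you
# run actually calls the corresponding Graph API, and grant admin consent
# for it in the app registration before rolling it out.
auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: ${AZURE_CLIENT_ID}           # placeholder
        clientSecret: ${AZURE_CLIENT_SECRET}   # placeholder
        tenantId: ${AZURE_TENANT_ID}           # placeholder
```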
Somewhat fixed by https://github.com/backstage/backstage/pull/25728. The `Mail.Send` scope was included in the configuration block in the docs, which I got rid of. In general I don't think we need to advertise the `additionalScopes` config quite that much.
@Rugvip, @afscrome thanks for the help. After removing "Mail.Send", it's working. Like you mentioned, there is a bug; that's why the same configuration works with 1.25 but not with 1.29.
One more thing. After removing "Mail.Send", I got the error "user don't have email" after setting up "sign-in-without-users-in-catalog" (https://backstage.io/docs/auth/identity-resolver#sign-in-without-users-in-the-catalog). Now I use msgraph to import org data before login.
To me it is a good idea to include this description in the documentation.
📜 Description
After upgrading from 1.25 to 1.29, the Microsoft authenticator is not working.
👍 Expected behavior
SSO login works.
👎 Actual Behavior with Screenshots
SSO login is not working; it always says "Approval required".
👟 Reproduction steps
Follow the official guide. Debug locally.
📃 Provide the context for the Bug.
🖥️ Your Environment
👀 Have you spent some time to check if this bug has been raised before?
🏢 Have you read the Code of Conduct?
Are you willing to submit PR?
None