backstage / backstage

Backstage is an open framework for building developer portals
https://backstage.io/
Apache License 2.0

🚀 Feature: External Auth Token retrieval from backend plugins #25822

Open anumalasri opened 1 month ago

anumalasri commented 1 month ago

🔖 Feature description

We are using Microsoft Azure authentication and need to extract the access tokens for internal API calls at both the frontend (browser) and the backend (server) components.

🎤 Context

We have successfully integrated Azure Microsoft authentication. However, we are unable to extend Azure Entra for internal enterprise APIs.

We could not find a way other than the /refresh API, which will refresh the entire session. It would be good to provide an easy way to manage these tokens at the backend and retrieve them at both the frontend and backend.

Possibly looking for some caching instead of always refreshing the token.


benjdlambert commented 1 month ago

What do you want to do with these tokens? The frontend can use the microsoftAuthApiRef to get a token from the user's OAuth session already, and the backend, depending on what you want to do, should be configured to use a PAT, I believe.

Don't really want to dive into the complexities and security of storing refresh tokens in the Backend for access to user scoped resources to be honest, so we're trying to keep that part simple.

anumalasri commented 1 month ago

@benjdlambert We can see the AuthTokens returning to the Frontend Application after successful authentication. However, we don't have a correct way to access them. Are there any examples of how to access MS Token using microsoftAuthApiRef?

authApi.getAccessToken() was tested and took the user to re-login though the scope was already used in Login.

Any further suggestions in this regard?

Rugvip commented 1 month ago

Ah, it's possible that this is fixed by https://github.com/backstage/backstage/pull/25728, to be released in two weeks. If a user is already auth'd then they should not need to go through another auth flow unless the scope of the session is being expanded.

anumalasri commented 1 month ago

@Rugvip Thanks for your update. We shall look forward to testing the new plugin versions.
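
A simplified model of the behaviour discussed in this thread (an existing session's token is reused from memory unless the requested scope expands the session or the token has expired), added here as an illustration; it is not Backstage's code or its session manager. `ScopedTokenCache`, `AuthFlow`, `TokenSession` and `demo` are hypothetical names, and the scope strings and token values are constructed sample data.

```typescript
// Added illustration: simplified model of scope-aware token reuse, not Backstage code.
interface TokenSession {
  accessToken: string;
  scopes: string[];  // scopes granted for this session
  expiresAt: number; // epoch milliseconds
}
// Hypothetical stand-in for the provider round trip (interactive login or silent refresh).
type AuthFlow = (scopes: string[]) => TokenSession;

class ScopedTokenCache {
  flowCount = 0; // number of times the auth flow actually ran
  private session: TokenSession | undefined = undefined;
  private runAuthFlow: AuthFlow;
  private now: () => number;
  private skewMs: number;
  constructor(runAuthFlow: AuthFlow, now: () => number, skewMs: number = 60000) {
    this.runAuthFlow = runAuthFlow;
    this.now = now;
    this.skewMs = skewMs; // treat tokens as expired slightly early
  }
  getAccessToken(requested: string[]): string {
    const s = this.session;
    const granted = s ? s.scopes : [];
    const covered = requested.every(x => granted.indexOf(x) !== -1);
    if (s !== undefined && covered && s.expiresAt - this.skewMs > this.now()) {
      return s.accessToken; // reuse the in-memory token, no new flow
    }
    // Expired or scope expanded: request the union so earlier grants are kept.
    const extra = requested.filter((x, i) => granted.indexOf(x) === -1 && requested.indexOf(x) === i);
    this.flowCount += 1;
    this.session = this.runAuthFlow(granted.concat(extra));
    return this.session.accessToken;
  }
}

// Constructed demo: fake provider issuing one-hour tokens, with a manual clock.
function demo(): { tokens: string[]; flows: number } {
  let clock = 0;
  let issued = 0;
  const issue: AuthFlow = scopes => ({ accessToken: `tok-${++issued}`, scopes, expiresAt: clock + 3600000 });
  const cache = new ScopedTokenCache(issue, () => clock);
  const tokens = [cache.getAccessToken(['User.Read'])];          // flow 1
  tokens.push(cache.getAccessToken(['User.Read']));              // reused
  tokens.push(cache.getAccessToken(['User.Read', 'Mail.Read'])); // scope expanded: flow 2
  tokens.push(cache.getAccessToken(['Mail.Read']));              // subset: reused
  clock = 3600000;                                               // token now expired
  tokens.push(cache.getAccessToken(['User.Read']));              // flow 3
  return { tokens, flows: cache.flowCount };
}
```

The cache holds only the short-lived access token in memory; no refresh token is stored, and the auth flow is an injected function so the model runs without a provider.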