backstage: π Bug Report: Auth Tutorial not working as described
π Description
The above tutorial was followed to implement the service-to-service authentication for Techdocs (and other libraries), and although itβs working with our internal plugins, itβs not working as described when it comes to Techdocs asset or event stream retrieval.
After doing some fiddling around with the node_modules was able to determine that the authorization header gets sent βsometimesβ and the cookie is forwarded consistently, however, we still receive a 401 since it canβt find the authorization header.
We attempted to also add the permissions framework as it appears that itβs a requirement of the techdocs item from what was displayed in the code.
Found a similar issue here https://github.com/backstage/backstage/issues/5041, but reports make it seem like the issue was fixed by using the tutorial.
π Expected behavior
The authorization header is pulled from the cookie and passed along to the services requiring it.
π Actual Behavior with Screenshots
401 errors when trying to retrieve assets
401 from event stream
π Reproduction steps
- Install backstage
- Follow steps in this tutorial: https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/authenticate-api-requests.md
π Provide the context for the Bug.
Our company is having a hard time moving forward with the service-to-service auth structure
π₯οΈ Your Environment
OS: Linux 5.15.0-58-generic - linux/x64 node: v18.12.1 yarn: 1.22.19 cli: 0.22.1 (installed) backstage: 1.10.1
Dependencies: @backstage/app-defaults 1.1.0 @backstage/backend-app-api 0.3.1 @backstage/backend-common 0.18.1 @backstage/backend-plugin-api 0.3.1 @backstage/backend-tasks 0.4.2 @backstage/catalog-client 0.9.0, 1.3.0 @backstage/catalog-model 0.13.0, 1.1.5 @backstage/cli-common 0.1.11 @backstage/cli 0.22.1 @backstage/config-loader 1.1.8 @backstage/config 0.1.15, 1.0.6 @backstage/core-api 0.2.23 @backstage/core-app-api 1.4.0 @backstage/core-components 0.11.2, 0.12.3, 0.9.5 @backstage/core-plugin-api 0.1.13, 0.8.0, 1.3.0 @backstage/core 0.7.14 @backstage/dev-utils 1.0.11 @backstage/errors 0.1.5, 0.2.2, 1.1.4 @backstage/integration-aws-node 0.1.1 @backstage/integration-react 0.1.25, 1.1.9 @backstage/integration 0.8.0, 1.4.2 @backstage/plugin-analytics-module-ga 0.1.25 @backstage/plugin-api-docs 0.8.14 @backstage/plugin-app-backend 0.3.41 @backstage/plugin-auth-backend 0.17.4 @backstage/plugin-auth-node 0.2.10 @backstage/plugin-catalog-backend-module-github 0.2.4 @backstage/plugin-catalog-backend 1.7.1 @backstage/plugin-catalog-common 1.0.10 @backstage/plugin-catalog-graph 0.2.26 @backstage/plugin-catalog-import 0.9.4 @backstage/plugin-catalog-node 1.3.2 @backstage/plugin-catalog-react 0.9.0, 1.2.4 @backstage/plugin-catalog 1.7.2 @backstage/plugin-events-node 0.2.2 @backstage/plugin-github-actions 0.5.14 @backstage/plugin-github-issues 0.2.3 @backstage/plugin-home 0.4.30 @backstage/plugin-org 0.6.4 @backstage/plugin-permission-common 0.5.3, 0.6.4, 0.7.3 @backstage/plugin-permission-node 0.7.4 @backstage/plugin-permission-react 0.3.4, 0.4.9 @backstage/plugin-proxy-backend 0.2.35 @backstage/plugin-scaffolder-backend 1.10.1 @backstage/plugin-scaffolder-common 1.2.4 @backstage/plugin-scaffolder-react 1.0.1 @backstage/plugin-scaffolder 1.10.1 @backstage/plugin-search-backend-module-elasticsearch 1.1.2 @backstage/plugin-search-backend-module-pg 0.5.2 @backstage/plugin-search-backend-node 1.1.2 @backstage/plugin-search-backend 1.2.2 @backstage/plugin-search-common 0.3.4, 1.2.1 @backstage/plugin-search-react 1.4.0 @backstage/plugin-search 1.0.7 @backstage/plugin-shortcuts 0.3.6 @backstage/plugin-stack-overflow 0.1.10 @backstage/plugin-tech-radar 0.6.0 @backstage/plugin-techdocs-addons-test-utils 1.0.9 @backstage/plugin-techdocs-backend 1.5.2 @backstage/plugin-techdocs-module-addons-contrib 1.0.9 @backstage/plugin-techdocs-node 1.4.5 @backstage/plugin-techdocs-react 1.1.2 @backstage/plugin-techdocs 1.4.3 @backstage/plugin-user-settings 0.6.2 @backstage/release-manifests 0.0.8 @backstage/search-common 0.3.4 @backstage/test-utils 1.2.4 @backstage/theme 0.2.16 @backstage/types 0.1.3, 1.0.2 @backstage/version-bridge 0.1.2, 1.0.3
π Have you spent some time to check if this bug has been raised before?
- I checked and didnβt find similar issue
π’ Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
Yes I am willing to submit a PR!
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 17 (7 by maintainers)
Yep, itβs in https://github.com/backstage/backstage/blob/2cc2155bcf823145d6ce910b228eda2d5c1daf50/contrib/docs/tutorials/authenticate-api-requests.md#L98
That could probably be highlighted a bit in the doc.
Erik commented on why the API requests work, they set up the auth header directly.
π It was a while ago I looked at this but the original implementation still seems to work for me (weβre running Backstage 1.9.1 at the moment).
This suggests to me that there is an issue with the cookie. Most client plugins send an authorization header with any API request, and it sounds as if this still works. Techdocs assets (and the Scaffolder event stream) is a bit different, as these asset requests are sent by the browser in response to other protocols, e.g. when Techdocs loads a HTML document the browser tries to load the related javascript/css assets - without Backstage being involved and able to inject the Authorization header. This is the cookie trick in the guide, where the client regularly pings the backend to set a token cookie that gets forwarded on asset and event stream requests.
Could you double-check if this cookie is set on your browser, and maybe specifically on which domain it is set? Iβm wondering if there could be some discrepancy there causing this to fail:
The cookie is simply called
tokenand should contain a JWT token.