backstage: Bug Report: Breaking change in auth breaks Backstage 1.23.x
Description
Due to the addition of the new Auth Module, existing backstage instances have stopped working despite being built against the same package.json "^x.x.x" versions because breaking changes were included in the patch version bumps of some of the modules.
For example, in the search-backend-module-techdocs in commit bb368a59 the original tokenManager.getToken(); call was replaced with a call to the authPlugin. This auth plugin doesn't exist in 1.23.x and therefore our deployments have started throwing a 500 error on an invalid token alg when trying to call techdocs.
I am able to work around this issue by pinning the versions in the package.json for both the frontend and backend to those listed on the left-hand side of the upgrade page (https://backstage.github.io/upgrade-helper/?from=1.23.4&to=1.24.0).
However, I have major concerns about the fact that a breaking change was released under a series of patch fixes which means that maintainability of the 1.23.x release is severely degraded since any future bugs/vulnerability fixes cannot be easily picked up since the patch chain is now inclusive of these breaks.
Is it possible to correct this at this point and properly redo the package versioning bumps so the breaking change is moved to Major/Minor versioning bumps instead of patch?
Expected behavior
Plugins that use the legacy auth token manager should continue to work as expected with the existing package.json provided by the 1.23.x version of Backstage's recommended versions (coming from the backstage-cli and upgrade guide).
i.e. Techdocs should correctly render docs when selected by a user on the Docs page.
Actual Behavior with Screenshots
The following error is observed in the backend logs when leveraging plugins that have been updated to use the new auth module:
backstage error Request failed with status 500 There was a problem performing the search query: "alg" (Algorithm) Header Parameter value not allowed type=errorHandler stack=Error: There was a problem performing the search query: "alg" (Algorithm) Header Parameter value not allowed
The UI shows a 404 error, but the API call results in a 401:
Reproduction steps
- Navigate to the Docs tab on the router
- Try to open any doc
Provide the context for the Bug.
No response
Your Environment
OS: Darwin 23.3.0 - darwin/arm64
node: v18.17.1
yarn: 1.22.21
cli: 0.25.2 (installed)
backstage: 1.23.4
Dependencies:
@backstage/app-defaults 1.5.0, 1.5.3
@backstage/backend-app-api 0.6.2
@backstage/backend-common 0.21.6
@backstage/backend-dev-utils 0.1.4
@backstage/backend-openapi-utils 0.1.9
@backstage/backend-plugin-api 0.6.16
@backstage/backend-tasks 0.5.21
@backstage/backend-test-utils 0.3.6
@backstage/catalog-client 1.6.3
@backstage/catalog-model 1.4.4, 1.4.5
@backstage/cli-common 0.1.13
@backstage/cli-node 0.2.4
@backstage/cli 0.25.2
@backstage/config-loader 1.7.0
@backstage/config 1.2.0
@backstage/core-app-api 1.12.3
@backstage/core-compat-api 0.2.3
@backstage/core-components 0.14.0, 0.14.3
@backstage/core-plugin-api 1.9.0, 1.9.1
@backstage/dev-utils 1.0.30
@backstage/errors 1.2.4
@backstage/eslint-plugin 0.1.6
@backstage/frontend-plugin-api 0.6.3
@backstage/integration-aws-node 0.1.12
@backstage/integration-react 1.1.24, 1.1.25
@backstage/integration 1.9.1
@backstage/plugin-api-docs 0.11.0
@backstage/plugin-app-backend 0.3.64
@backstage/plugin-app-node 0.1.16
@backstage/plugin-auth-backend-module-atlassian-provider 0.1.8
@backstage/plugin-auth-backend-module-aws-alb-provider 0.1.8
@backstage/plugin-auth-backend-module-gcp-iap-provider 0.2.11
@backstage/plugin-auth-backend-module-github-provider 0.1.13
@backstage/plugin-auth-backend-module-gitlab-provider 0.1.13
@backstage/plugin-auth-backend-module-google-provider 0.1.13
@backstage/plugin-auth-backend-module-microsoft-provider 0.1.11
@backstage/plugin-auth-backend-module-oauth2-provider 0.1.13
@backstage/plugin-auth-backend-module-oauth2-proxy-provider 0.1.9
@backstage/plugin-auth-backend-module-oidc-provider 0.1.7
@backstage/plugin-auth-backend-module-okta-provider 0.0.3, 0.0.9
@backstage/plugin-auth-backend 0.21.0, 0.22.3
@backstage/plugin-auth-node 0.4.8, 0.4.11
@backstage/plugin-catalog-backend-module-aws 0.3.11
@backstage/plugin-catalog-backend-module-scaffolder-entity-model 0.1.14
@backstage/plugin-catalog-backend 1.21.0
@backstage/plugin-catalog-common 1.0.21, 1.0.22
@backstage/plugin-catalog-graph 0.4.0
@backstage/plugin-catalog-import 0.10.6
@backstage/plugin-catalog-node 1.11.0
@backstage/plugin-catalog-react 1.10.0, 1.11.2
@backstage/plugin-catalog 1.17.0, 1.18.2
@backstage/plugin-events-backend 0.2.22
@backstage/plugin-events-node 0.2.22, 0.3.2
@backstage/plugin-home-react 0.1.11
@backstage/plugin-home 0.6.2
@backstage/plugin-kubernetes-common 0.7.5
@backstage/plugin-org 0.6.20
@backstage/plugin-permission-common 0.7.12, 0.7.13
@backstage/plugin-permission-node 0.7.24, 0.7.27
@backstage/plugin-permission-react 0.4.20, 0.4.21
@backstage/plugin-proxy-backend 0.4.14
@backstage/plugin-scaffolder-backend-module-azure 0.1.8
@backstage/plugin-scaffolder-backend-module-bitbucket-cloud 0.1.6
@backstage/plugin-scaffolder-backend-module-bitbucket-server 0.1.6
@backstage/plugin-scaffolder-backend-module-bitbucket 0.2.6
@backstage/plugin-scaffolder-backend-module-gerrit 0.1.8
@backstage/plugin-scaffolder-backend-module-gitea 0.1.6
@backstage/plugin-scaffolder-backend-module-github 0.2.6
@backstage/plugin-scaffolder-backend-module-gitlab 0.3.2
@backstage/plugin-scaffolder-backend 1.22.3
@backstage/plugin-scaffolder-common 1.5.1
@backstage/plugin-scaffolder-node-test-utils 0.1.2
@backstage/plugin-scaffolder-node 0.4.2
@backstage/plugin-scaffolder-react 1.8.3
@backstage/plugin-scaffolder 1.18.0
@backstage/plugin-search-backend-module-catalog 0.1.21
@backstage/plugin-search-backend-module-pg 0.5.25
@backstage/plugin-search-backend-module-techdocs 0.1.21
@backstage/plugin-search-backend-node 1.2.20
@backstage/plugin-search-backend 1.5.6
@backstage/plugin-search-common 1.2.11
@backstage/plugin-search-react 1.7.6, 1.7.9
@backstage/plugin-search 1.4.6
@backstage/plugin-techdocs-backend 1.10.3
@backstage/plugin-techdocs-module-addons-contrib 1.1.5
@backstage/plugin-techdocs-node 1.12.2
@backstage/plugin-techdocs-react 1.1.16, 1.2.2
@backstage/plugin-techdocs 1.10.0
@backstage/plugin-user-settings 0.8.1
@backstage/release-manifests 0.0.11
@backstage/test-utils 1.5.3
@backstage/theme 0.5.1, 0.5.2
@backstage/types 1.1.1
@backstage/version-bridge 1.0.7
Have you spent some time to check if this bug has been raised before?
- I checked and didn't find similar issue
Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
None
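A check for the drift described in the report, written as an added example (not Backstage tooling and not part of the original issue): it flags @backstage dependencies declared with floating ranges and packages that the Dependencies listing shows resolved at more than one version. The package.json fragment is constructed for illustration; the listing lines are copied from the report above.

```javascript
// Added example, not Backstage tooling. The package.json ranges are constructed.
const samplePackageJson = {
  dependencies: {
    '@backstage/plugin-auth-node': '^0.4.8',
    '@backstage/backend-common': '~0.21.6',
    '@backstage/plugin-search-backend-module-techdocs': '0.1.21',
    express: '^4.18.2',
  },
};

// Lines copied from the "Dependencies:" listing in the report.
const sampleListing = [
  '@backstage/plugin-auth-backend 0.21.0, 0.22.3',
  '@backstage/plugin-auth-node 0.4.8, 0.4.11',
  '@backstage/backend-common 0.21.6',
  '@backstage/plugin-search-backend-module-techdocs 0.1.21',
].join('\n');

// An exact pin is a bare x.y.z (optionally with a prerelease tag): no ^, ~, * or ranges.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns scoped dependencies whose range lets a fresh install pick up a newer release.
function findFloatingRanges(pkg, scope = '@backstage/') {
  const floating = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (name.startsWith(scope) && !EXACT_VERSION.test(range)) {
        floating.push({ field, name, range });
      }
    }
  }
  return floating;
}

// Returns packages the listing shows resolved at more than one version.
function findDuplicateResolutions(listing) {
  const duplicates = [];
  for (const line of listing.split('\n')) {
    const match = line.trim().match(/^(\S+)\s+(.+)$/);
    if (!match) continue;
    const versions = match[2].split(',').map(v => v.trim()).filter(Boolean);
    if (versions.length > 1) duplicates.push({ name: match[1], versions });
  }
  return duplicates;
}

console.log(findFloatingRanges(samplePackageJson));
console.log(findDuplicateResolutions(sampleListing));
```

Exact pins in package.json constrain only direct dependencies; transitive @backstage packages still resolve through the lockfile, so the duplicate check is the one that shows whether two generations of the same module are installed side by side.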
About this issue
- State: closed
- Created 3 months ago
- Comments: 17 (13 by maintainers)
@deedubs nice! No worries, and glad that this clearer error let us narrow it down more quickly
@deedubs that looks like an extremely correct token x)
+1 to what Freben said, I don't think the token that is arriving in your backend is that one, or the Authorization header is malformed in some way. There's really no code path that'll get you that error if the token contains what you posted, regardless of the versions of different packages etc.
@deedubs It really looks OK … can you double check that your @backstage/backend-app-api is on 0.7.0 and not older?
I'm starting to suspect that it's your oauth2proxy that's messing with the authorization header while in transit. Did you set it up with pass-authorization-header for example?
Do you have any way of tracking the exact token that gets received by the backstage backend? Wireshark, a yarn patch that adds a console.log statement inside DefaultAuthService.authorize, or similar
@Rugvip let me see if I can build a repo which reproduces the issue without requiring our proprietary auth code.
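The check asked for in the thread above, seeing what actually reaches the backend in the Authorization header, written as an added example (not Backstage code and not posted by any participant). The ES256 allow-list and all sample header values are assumptions constructed for illustration; the function decodes only the JWT header, does not verify the signature and never returns the token.

```javascript
// Added diagnostic, not Backstage code. It reads the JWT protected header only;
// it does not verify the signature and never returns the token itself.
// ASSUMED_ALLOWED_ALGS is an assumption: use the list your verifier accepts.
const ASSUMED_ALLOWED_ALGS = ['ES256'];

function inspectAuthorizationHeader(value, allowed = ASSUMED_ALLOWED_ALGS) {
  if (typeof value !== 'string' || value.trim() === '') {
    return { ok: false, reason: 'missing header' };
  }
  // Exactly "<scheme> <credentials>"; a doubled or concatenated value fails here.
  const match = value.trim().match(/^(\S+)\s+(\S+)$/);
  if (!match) return { ok: false, reason: 'malformed header' };
  const [, scheme, token] = match;
  if (scheme.toLowerCase() !== 'bearer') {
    return { ok: false, reason: `unexpected scheme ${scheme}` };
  }
  const segments = token.split('.');
  if (segments.length !== 3 || segments.some(s => s === '')) {
    return { ok: false, reason: 'not a three-segment compact JWT' };
  }
  let header;
  try {
    header = JSON.parse(Buffer.from(segments[0], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'protected header is not JSON' };
  }
  if (header === null || typeof header !== 'object') {
    return { ok: false, reason: 'protected header is not an object' };
  }
  if (typeof header.alg !== 'string' || !allowed.includes(header.alg)) {
    return { ok: false, reason: 'alg not allowed', alg: header.alg };
  }
  return { ok: true, alg: header.alg, typ: header.typ };
}

// Constructed sample tokens: unsigned placeholders, not real credentials.
const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
const makeToken = alg =>
  `${enc({ alg, typ: 'JWT' })}.${enc({ sub: 'user:default/constructed' })}.c2ln`;

const samples = {
  expected: `Bearer ${makeToken('ES256')}`,
  otherIssuer: `Bearer ${makeToken('HS256')}`,
  proxyBasic: 'Basic Y29uc3RydWN0ZWQ6dmFsdWU=',
  doubled: `Bearer Bearer ${makeToken('ES256')}`,
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, inspectAuthorizationHeader(value));
}
```

Logging only the returned reason and alg keeps bearer tokens out of the logs while still showing whether something in front of the backend changed the scheme or substituted a different token.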