backstage: Bug Report: OneLogin provider doesn't refresh token, returning 401
Description
Refreshing the page with the OneLogin setup tries to log you in again. The OneLogin provider tries to refresh the bearer token, resulting in a 401 because of a scope issue.
Expected behavior
The provider should handle refreshing tokens properly. The provider should allow the user to customize the scope.
Actual Behavior with Screenshots
We've inspected the error below in our network tab when inspecting the website:
{
  "error": {
    "name": "AuthenticationError",
    "message": "Refresh failed; caused by Error: Failed to refresh access token [object Object]",
    "cause": {
      "name": "Error",
      "message": "Failed to refresh access token [object Object]",
      "stack": "Error: Failed to refresh access token [object Object]\n at /app/node_modules/@backstage/plugin-auth-backend/dist/index.cjs.js:526:18\n at /app/node_modules/oauth/lib/oauth2.js:191:18\n at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)\n at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)\n at IncomingMessage.emit (node:events:529:35)\n at IncomingMessage.emit (node:domain:489:12)\n at endReadableNT (node:internal/streams/readable:1400:12)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)"
    }
  },
  "request": {
    "method": "GET",
    "url": "/api/auth/onelogin/refresh?optional&scope=openid%20email%20profile%20offline_access&env=development"
  },
  "response": { "statusCode": 401 }
}
Adding a console.log inside the file @backstage/plugin-auth-backend/dist/index.cjs.js:526:18 gives us:
{
  statusCode: 400,
  data: '{"error":"invalid_scope","error_description":"refresh token missing requested scope","scope":"email profile offline_access"}'
}
Reproduction steps
- Setup OneLogin provider with backstage
- Log in with your credentials
- Inspect browsers network and filter on /refresh
- Refresh the page, redirects you to login page
- 401 occurs
- You're logged in again
Provide the context for the Bug.
app.config.yaml
auth:
  providers:
    onelogin:
      development:
        clientId: ${AUTH_ONELOGIN_CLIENT_ID}
        clientSecret: ${AUTH_ONELOGIN_CLIENT_SECRET}
        issuer: ${AUTH_ONELOGIN_ISSUER}
auth.ts
import {
  createRouter,
  defaultAuthProviderFactories,
  providers,
} from '@backstage/plugin-auth-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';

export default async function createPlugin(env: PluginEnvironment): Promise<Router> {
  return createRouter({
    logger: env.logger,
    config: env.config,
    database: env.database,
    discovery: env.discovery,
    tokenManager: env.tokenManager,
    providerFactories: {
      ...defaultAuthProviderFactories,
      onelogin: providers.onelogin.create({
        signIn: {
          async resolver(info, ctx) {
            const {
              profile: { email },
            } = info;
            if (!email) {
              throw new Error('User profile contained no email');
            }
            const [name] = email.split('@');
            return ctx.signInWithCatalogUser({
              entityRef: { name },
            });
          },
        },
      }),
    },
  });
}
Your Environment
@backstage/app-defaults 1.4.5
@backstage/backend-app-api 0.5.8
@backstage/backend-common 0.17.0, 0.19.9
@backstage/backend-dev-utils 0.1.2
@backstage/backend-openapi-utils 0.1.0
@backstage/backend-plugin-api 0.6.7
@backstage/backend-tasks 0.5.12
@backstage/catalog-client 1.4.6
@backstage/catalog-model 1.2.0, 1.4.3
@backstage/cli-common 0.1.13
@backstage/cli-node 0.2.0
@backstage/cli 0.24.0
@backstage/config-loader 1.5.3
@backstage/config 1.1.1
@backstage/core-app-api 1.11.1
@backstage/core-components 0.12.4, 0.12.5, 0.13.8
@backstage/core-plugin-api 1.0.6, 1.7.0, 1.8.0
@backstage/errors 1.2.3
@backstage/eslint-plugin 0.1.3
@backstage/frontend-plugin-api 0.3.0
@backstage/integration-aws-node 0.1.8
@backstage/integration-react 1.1.21
@backstage/integration 1.7.2
@backstage/plugin-api-docs 0.10.0
@backstage/plugin-app-backend 0.3.55
@backstage/plugin-app-node 0.1.7
@backstage/plugin-auth-backend-module-gcp-iap-provider 0.2.1
@backstage/plugin-auth-backend-module-github-provider 0.1.4
@backstage/plugin-auth-backend-module-gitlab-provider 0.1.4
@backstage/plugin-auth-backend-module-google-provider 0.1.4
@backstage/plugin-auth-backend-module-oauth2-provider 0.1.4
@backstage/plugin-auth-backend 0.20.0
@backstage/plugin-auth-node 0.4.1
@backstage/plugin-bitbucket-cloud-common 0.2.14
@backstage/plugin-catalog-backend-module-aws 0.3.1
@backstage/plugin-catalog-backend-module-bitbucket-cloud 0.1.22
@backstage/plugin-catalog-backend-module-github 0.4.5
@backstage/plugin-catalog-backend-module-scaffolder-entity-model 0.1.4
@backstage/plugin-catalog-backend 1.15.0
@backstage/plugin-catalog-common 1.0.18
@backstage/plugin-catalog-graph 0.3.0
@backstage/plugin-catalog-import 0.10.2
@backstage/plugin-catalog-node 1.5.0
@backstage/plugin-catalog-react 1.2.1, 1.9.0, 1.9.1
@backstage/plugin-catalog 1.15.0
@backstage/plugin-events-node 0.2.16
@backstage/plugin-github-actions 0.6.7
@backstage/plugin-home-react 0.1.5
@backstage/plugin-home 0.5.10
@backstage/plugin-kubernetes-common 0.7.1
@backstage/plugin-org 0.6.16
@backstage/plugin-permission-common 0.7.10
@backstage/plugin-permission-node 0.7.18
@backstage/plugin-permission-react 0.4.17
@backstage/plugin-proxy-backend 0.4.5
@backstage/plugin-scaffolder-backend 1.19.1
@backstage/plugin-scaffolder-common 1.4.3
@backstage/plugin-scaffolder-node 0.2.8
@backstage/plugin-scaffolder-react 1.6.0
@backstage/plugin-scaffolder 1.16.0
@backstage/plugin-search-backend-module-catalog 0.1.11
@backstage/plugin-search-backend-module-pg 0.5.16
@backstage/plugin-search-backend-module-techdocs 0.1.11
@backstage/plugin-search-backend-node 1.2.11
@backstage/plugin-search-backend 1.4.7
@backstage/plugin-search-common 1.2.8
@backstage/plugin-search-react 1.7.3
@backstage/plugin-search 1.4.2
@backstage/plugin-tech-radar 0.6.10
@backstage/plugin-techdocs-backend 1.9.0
@backstage/plugin-techdocs-module-addons-contrib 1.1.2
@backstage/plugin-techdocs-node 1.10.0
@backstage/plugin-techdocs-react 1.1.13
@backstage/plugin-techdocs 1.9.0
@backstage/plugin-user-settings 0.7.12
@backstage/release-manifests 0.0.11
@backstage/test-utils 1.4.5
@backstage/theme 0.2.19, 0.4.4
@backstage/types 1.1.1
@backstage/version-bridge 1.0.7
Have you spent some time to check if this bug has been raised before?
- I checked and didn't find a similar issue
Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
None
About this issue
- State: closed
- Created 7 months ago
- Comments: 21 (12 by maintainers)
Hey team, we are having the same issue. Is there any ongoing work to fix this? What is the temporary fix you are using? Thanks
Hmm ok - I'm gonna bring in @Rugvip to this too, he might have some ideas, but it's good that you've found something that at least works so we can investigate this a little more.
Closing as fixed, thanks @manuelfalcon!
Yeah kind looks like we'll just want to hardcode this to just be 'openid' tbh, to mirror the behavior in the start method. On the frontend we can then simply remove the scopes altogether, since they'll be ignored anyway.
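As an added example (not code from the Backstage project or from anyone in this thread), the TypeScript below shows the two checks a defender would want around a refresh call of the kind discussed here: keeping the refresh request's `scope` within what the token was originally granted (RFC 6749 section 6 says a refresh may only narrow the grant, and omitting the parameter means "same as originally granted"), and turning the token endpoint's JSON error body into a structured, loggable result instead of the "[object Object]" string in the report. The scope strings and the function names (`scopeForRefresh`, `classifyRefreshFailure`) are this example's own assumptions; the error body shape is the one captured in the report.

```typescript
// Added example, not Backstage's or OneLogin's code. Scope values below are
// constructed; the error-body shape follows the one captured in the bug report.

export interface RefreshFailure {
  statusCode: number;
  error: string;            // OAuth2 error code, e.g. "invalid_scope"
  description: string;
  retryWithReauth: boolean; // true if a fresh login can fix it; false if the request itself must change
}

// Split a space-delimited OAuth2 scope string into a set of scope tokens.
export function parseScope(scope: string): Set<string> {
  return new Set(scope.split(/\s+/).filter(s => s.length > 0));
}

// Compute the `scope` parameter to send on a refresh_token grant.
// RFC 6749 section 6: the requested scope must not include any scope that was
// not originally granted, and an omitted parameter means "the original grant".
// Returning undefined means "omit the parameter".
export function scopeForRefresh(grantedScope: string, requestedScope?: string): string | undefined {
  if (requestedScope === undefined) return undefined;
  const granted = parseScope(grantedScope);
  const requested = parseScope(requestedScope);
  const notGranted = Array.from(requested).filter(s => !granted.has(s));
  if (notGranted.length > 0) {
    // Fail before the round-trip with a message naming the offending scopes,
    // rather than learning about it from a 400 that the client maps to a 401.
    throw new Error(`refresh requested scopes not in the original grant: ${notGranted.join(' ')}`);
  }
  // Same set as the grant: omit the parameter; otherwise send the narrowed set.
  return requested.size === granted.size ? undefined : Array.from(requested).join(' ');
}

// Turn the token endpoint's error body into something an operator can act on.
export function classifyRefreshFailure(statusCode: number, body: string): RefreshFailure {
  let parsed: { error?: unknown; error_description?: unknown } = {};
  try {
    parsed = JSON.parse(body);
  } catch {
    // Non-JSON body (proxy/HTML error page): keep the raw text so nothing is lost.
    return { statusCode, error: 'unknown', description: body, retryWithReauth: false };
  }
  const error = typeof parsed.error === 'string' ? parsed.error : 'unknown';
  const description = typeof parsed.error_description === 'string' ? parsed.error_description : '';
  // invalid_grant means the refresh token itself is expired or revoked, so a new
  // login helps. invalid_scope (the case in this report), invalid_client and
  // invalid_request point at the request the provider builds, so sending the
  // user back through login just produces the loop the reporter describes.
  return { statusCode, error, description, retryWithReauth: error === 'invalid_grant' };
}
```

Wiring `classifyRefreshFailure` into the refresh handler's log line would have shown `invalid_scope` directly in the 401 response instead of requiring a `console.log` inside `node_modules`, and `scopeForRefresh` makes the "only ever send 'openid' (or nothing) on refresh" behaviour the maintainer settled on an explicit, testable rule.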