backstage: 🐛 Bug Report: Trying to add custom SCMAUTH for GHE. Documentation not so clear

📜 Description

Hello,

We were able to build and deploy backstage in an OpenShift cluster, but now we want to use the user token for the user currently logged in backstage.

We configured the authentication and user/groups for GHE and is working properly. The user can authenticate with corporate GHE user and we can see the user details in the settings page. Also we can “choose” a template that publish a repo in the organization.

But we also wanted to use the

        requestUserCredentials:
          secretsKey: USER_OAUTH_TOKEN

in a template to allow the user to publish in his own GHE account. So we tried to follow

this https://backstage.io/docs/auth/#scaffolder-configuration-software-templates

If you want to use the authentication capabilities of the [Repository Picker](https://backstage.io/docs/features/software-templates/writing-templates#the-repository-picker) inside your software templates you will need to configure the [ScmAuthApi](https://backstage.io/docs/reference/integration-react.scmauthapi) alongside your authentication provider. It is an API used to authenticate towards different SCM systems in a generic way, based on what resource is being accessed.

and https://backstage.io/docs/auth/#custom-scmauthapi-implementation

to implement a new ScmAuthAPI for GHE, but we can’t build the image in Openshift in Dockerfile. We are getting compile errors

👍 Expected behavior

A correct build

👎 Actual Behavior with Screenshots

[2/3] STEP 14/15: RUN --mount=type=cache,target=/opt/app-root/src/.cache/yarn,uid=1001,gid=0 yarn tsc && yarn --cwd packages/backend build yarn run v1.22.21 $ tsc [96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m29[0m - [91merror[0m[90m TS2304: [0mCannot find name ‘ApiRef’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m29[0m - [91merror[0m[90m TS4025: [0mExported variable ‘gheAuthApiRef’ has or is using private name ‘ApiRef’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m36[0m - [91merror[0m[90m TS2304: [0mCannot find name ‘OAuthApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m36[0m - [91merror[0m[90m TS4025: [0mExported variable ‘gheAuthApiRef’ has or is using private name ‘OAuthApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m47[0m - [91merror[0m[90m TS2304: [0mCannot find name ‘ProfileInfoApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m47[0m - [91merror[0m[90m TS4025: [0mExported variable ‘gheAuthApiRef’ has or is using private name ‘ProfileInfoApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m64[0m - [91merror[0m[90m TS2304: [0mCannot find name ‘SessionApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m39[0m:[93m64[0m - [91merror[0m[90m TS4025: [0mExported variable ‘gheAuthApiRef’ has or is using private name ‘SessionApi’.

[7m39[0m export const gheAuthApiRef: ApiRef<OAuthApi & ProfileInfoApi & SessionApi> = [7m [0m [91m ~~~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m59[0m:[93m7[0m - [91merror[0m[90m TS2304: [0mCannot find name ‘GithubAuth’.

[7m59[0m GithubAuth.create({ [7m [0m [91m ~~~~~~~~~~[0m

[96mpackages/app/src/apis.ts[0m:[93m77[0m:[93m27[0m - [91merror[0m[90m TS2345: [0mArgument of type ‘unknown’ is not assignable to parameter of type ‘OAuthApi’.

[7m77[0m ScmAuth.forGithub(gheAuthApi, { [7m [0m [91m ~~~~~~~~~~[0m

[96mpackages/backend/src/plugins/kubernetes.ts[0m:[93m10[0m:[93m60[0m - [91merror[0m[90m TS2345: [0mArgument of type ‘{ logger: winston.Logger; config: Config; catalogApi: CatalogClient; }’ is not assignable to parameter of type ‘KubernetesEnvironment’. Property ‘permissions’ is missing in type ‘{ logger: winston.Logger; config: Config; catalogApi: CatalogClient; }’ but required in type ‘KubernetesEnvironment’.

[7m 10[0m const { router } = await KubernetesBuilder.createBuilder({ [7m [0m [91m ~[0m [7m 11[0m logger: env.logger, [7m [0m [91m~~~~~~~~~~~[0m [7m…[0m [7m 13[0m catalogApi, [7m [0m [91m~~~[0m [7m 14[0m }).build(); [7m [0m [91m~~~[0m

[96mnode_modules/@backstage/plugin-kubernetes-backend/dist/index.d.ts[0m:[93m272[0m:[93m5[0m [7m272[0m permissions: PermissionEvaluator; [7m [0m [96m ~~~~~~~~~~~[0m ‘permissions’ is declared here.

Found 11 errors in 2 files.

Errors Files 10 packages/app/src/apis.ts[90m:39[0m 1 packages/backend/src/plugins/kubernetes.ts[90m:10[0m

👟 Reproduction steps

yarn install --verbose --frozen-lockfile --network-timeout 600000

📃 Provide the context for the Bug.

No response

🖥️ Your Environment

OS: Linux 4.4.0-19041-Microsoft - linux/x64 node: v18.14.0 yarn: 1.22.19 cli: 0.25.1 (installed) backstage: 1.22.1

👀 Have you spent some time to check if this bug has been raised before?

I checked and didn’t find similar issue

🏢 Have you read the Code of Conduct?

I have read the Code of Conduct

Are you willing to submit PR?

No, I don’t have time to work on this right now

About this issue

Original URL
State: closed
Created 5 months ago
Comments: 18 (6 by maintainers)

Most upvoted comments

Hi @benjdlambert

More info…

In local it’s working correctly, I’ve created an OAuth App for local development with

Homepage URL: http://localhost:3000
Authorization callback URL: http://localhost:7007/api/auth/github/handler/frame

and another OAuth App for Openshift with

Homepage URL: https://openshift-internal-domain
Authorization callback URL: https://openshift-internal-domain/api/auth/github/handler/frame

With backstage in local I receive a popup request to do the login, for this permission

Then, when requesting the location from template

    - title: Choose a location
      required:
        - repoUrl
      properties:
        repoUrl:
          title: Repository Location
          type: string
          ui:field: RepoUrlPicker
          ui:options:
            requestUserCredentials:
              secretsKey: USER_OAUTH_TOKEN
              additionalScopes:
                github: 
                  - workflow          
            allowedHosts:
              - github.ourcompany.com

I’m getting another logging

and requesting more permissions

and I’m not getting the error

No auth provider available for 'https://github.ourcompany.com/user-account/testRepo', see https://backstage.io/link?scm-auth

And I can create the repo in a personal GHE account.

But the same code, in Openshift, I’m only getting the first login, and for the location I’m receiving the

No auth provider available for 'https://github.ourcompany.com/user-account/testRepo', see https://backstage.io/link?scm-auth

The only difference between local and Openshift is in app-config.yaml, the baseUrl for app and backend

app:
  title: Backstage GO
  #baseUrl: https://openshift-internal-domain
  baseUrl: http://localhost:3000

organization:
  name: Our Company

backend:
  # Used for enabling authentication, secret is shared by all backend plugins
  # See https://backstage.io/docs/auth/service-to-service-auth for
  # information on the format
  # auth:
  #   keys:
  #     - secret: ${BACKEND_SECRET}
  #baseUrl: https://openshift-internal-domain
  baseUrl: http://localhost:7007

bernaxa on Mar 1, 2024