backstage: Scaffolder does not work when Backstage API requires auth
Expected Behavior
- One can create new entities using the scaffolder, via the /create page, with a backend that requires token authorization of api requests
Current Behavior
- The scaffolder plugin will not work in its current state if the backstage API is protected behind token auth, breaking with a 401 when trying to register the new entity using the catalog API
- (Running the latest code in master, which seems to use the v2 api of the scaffolder)
2021-03-21T14:02:50.845Z Beginning step Register
2021-03-21T14:02:50.852Z info: Registering https://github.example.com/ab/template-test/blob/master/catalog-info.yaml in the catalog {"timestamp":"2021-03-21T14:02:50.849Z"}
2021-03-21T14:02:50.856Z Error: Unauthorized
at CatalogClient.addLocation (/usr/src/app/node_modules/@backstage/catalog-client/dist/index.cjs.js:53:13)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async Object.handler (/usr/src/app/node_modules/@backstage/plugin-scaffolder-backend/dist/index.cjs.js:945:22)
at async TaskWorker.runOneTask (/usr/src/app/node_modules/@backstage/plugin-scaffolder-backend/dist/index.cjs.js:2181:11)
at async /usr/src/app/node_modules/@backstage/plugin-scaffolder-backend/dist/index.cjs.js:2122:9
Possible Solution
- The catalog request at https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/src/scaffolder/actions/builtin/catalog/register.ts#L98 needs to provide an auth token as the second parameter
- Pass on the token from the user requesting the template creation. With the current scaffolder design (v2) that likely means storing the token alongside the task specification in the database to be able to retrieve it when the action is later executed
- Have the scaffolder backend issue its own token (see https://github.com/backstage/backstage/blob/master/plugins/auth-backend/src/providers/google/provider.ts#L164 for a possible example)
Steps to Reproduce
- Follow instructions in https://github.com/backstage/backstage/blob/master/contrib/docs/tutorials/authenticate-api-requests.md on how to require authentication of the backstage api
- Start backstage and use the UI to create a new entity using the scaffolder
- The error above should appear when trying to register the new entity
Context
Since we protect our Backstage API using the token auth method, the scaffolder does not work. This is sad as we would like to start using it.
See also https://github.com/backstage/backstage/issues/5039 which has the same problem, although not as critical
Your Environment
- NodeJS Version (v12): v14
- Operating System and Version (e.g. Ubuntu 14.04): alpine
- Browser Information: Chrome
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (15 by maintainers)
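The "pass on the token from the user" option under Possible Solution, sketched as an added example that is not part of the original issue and not Backstage code. `stubCatalog`, `ScaffolderTask`, `createTask`, `runRegisterStep` and `publicView` are hypothetical stand-ins, the token value is constructed, an in-memory array stands in for the task database, and the calls are synchronous for brevity.

```typescript
// Added sketch; every name here is a hypothetical stand-in, not Backstage code.
type CatalogLocation = { type: string; target: string };
type CatalogRequestOptions = { token?: string | undefined };

// Stand-in for a catalog API behind token auth (constructed token value).
const VALID_TOKEN = "constructed-user-token";
const stubCatalog = {
  addLocation(loc: CatalogLocation, options?: CatalogRequestOptions): string {
    if (!options || options.token !== VALID_TOKEN) throw new Error("Unauthorized");
    return "registered " + loc.target;
  },
};

// The requester's token is stored next to the spec, in its own `secrets`
// field so it can be withheld from status responses and wiped afterwards.
type ScaffolderTask = {
  id: number; spec: CatalogLocation;
  secrets?: { token: string | undefined };
  status: "open" | "completed" | "failed";
  log: string[];
};
const tasks: ScaffolderTask[] = [];
function createTask(spec: CatalogLocation, userToken?: string): ScaffolderTask {
  const task: ScaffolderTask = {
    id: tasks.length + 1, spec, secrets: { token: userToken }, status: "open", log: [],
  };
  tasks.push(task);
  return task;
}

// Runs later in the worker, outside the HTTP request that created the task.
function runRegisterStep(task: ScaffolderTask): ScaffolderTask {
  try {
    const token = task.secrets ? task.secrets.token : undefined;
    task.log.push(stubCatalog.addLocation(task.spec, { token })); // token as 2nd parameter
    task.status = "completed";
  } catch (e) {
    task.log.push("Error: " + (e instanceof Error ? e.message : String(e)));
    task.status = "failed";
  } finally {
    delete task.secrets; // drop the credential once the step has run
  }
  return task;
}

// What a task-status endpoint may expose: never the secrets.
function publicView(task: ScaffolderTask): { id: number; status: string; log: string[] } {
  return { id: task.id, status: task.status, log: task.log };
}
```

A task created without a token fails the Register step with the same `Error: Unauthorized` shown in the log above, while one created with the requester's token registers and leaves no credential behind on the stored task.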
We are still having authentication issues in this scenario. For example, loading the /create/actions page gives us a 500 error. I think auth needs to be passed to that page as well? https://github.com/backstage/backstage/blob/47dac4081978cfa66ab6f5035b1191c67b6ebb9c/plugins/scaffolder/src/api.ts#L246-L256
We also get a 401 to an eventstream endpoint.
https://github.com/backstage/backstage/blob/master/plugins/scaffolder/src/api.ts#L193
@erikxiv I just confirmed it works once I follow this more closely. Sorry about the confusion there!
@hill-giant feel free to raise a PR for this, contributions are welcome 👍, although you could always fall back to using the long polling behaviour instead of the event stream, although maybe that’s what you’re already doing?