Files
backstage/docs/auth/auth-backend-classes.md
T
Stefan Ålund a8edb19f61 [Docs] Various fixes (#2136)
* [Docs] Various fixes

* More fixes

* Fix ADRs

* Typo
2020-08-27 13:27:22 +02:00

4.7 KiB

id, title
id title
auth-backend-classes Auth backend classes

How Does Authentication Work?

The Backstage application can use various authentication providers for authentication. A provider has to implement an AuthProviderRouteHandlers interface for handling authentication. This interface consists of four methods. Each of these methods is hosted at an endpoint /auth/[provider]/method, where method performs a certain operation as follows:

  /auth/[provider]/start -> start
  /auth/[provider]/handler/frame -> frameHandler
  /auth/[provider]/refresh -> refresh
  /auth/[provider]/logout -> logout

For more information on how these methods are used and for which purpose, refer to the documentation here.

For details on the parameters, input and output conditions for each method, refer to the type documentation under plugins/auth-backend/src/providers/types.ts.

There are currently two different classes for two authentication mechanisms that implement this interface: an OAuthProvider for OAuth based mechanisms and a SAMLAuthProvider for SAML based mechanisms.

OAuth mechanisms

Currently OAuth is assumed to be the de facto authentication mechanism for Backstage based applications.

Backstage comes with a "batteries-included" set of supported commonly used OAuth providers: Okta, Github, Google, Gitlab, and a generic OAuth2 provider.

All of these use the authorization flow of OAuth2 to implement authentication.

If your authentication provider is any of the above mentioned (except generic OAuth2) providers, you can configure them by setting the right variables in app-config.yaml under the auth section.

Configuration

Each authentication provider (except SAML) needs five parameters: an OAuth client ID, a client secret, an authorization endpoint and a token endpoint, and an app origin. The app origin is the URL at which the frontend of the application is hosted. This is required because the application opens a popup window to perform the authentication, and once the flow is completed, the popup window sends a postMessage to the frontend application to indicate the result of the operation. Also this URL is used to verify that authentication requests are coming from only this endpoint.

These values are configured via the app-config.yaml present in the root of your app folder.

auth:
  providers:
    google:
      development:
        appOrigin: "http://localhost:3000/"
        secure: false
        clientId:
          $secret:
            env: AUTH_GOOGLE_CLIENT_ID
        clientSecret:
          $secret:
            env: AUTH_GOOGLE_CLIENT_SECRET
    github:
      development:
        appOrigin: "http://localhost:3000/"
        secure: false
        clientId:
          $secret:
            env: AUTH_GITHUB_CLIENT_ID
        clientSecret:
          $secret:
            env: AUTH_GITHUB_CLIENT_SECRET
        enterpriseInstanceUrl:
          $secret:
            env: AUTH_GITHUB_ENTERPRISE_INSTANCE_URL
    gitlab:
      development:
        appOrigin: "http://localhost:3000/"
        secure: false
        clientId:
          $secret:
            ...

Technical Notes

EnvironmentHandler

The concept of an "env" is core to the way the auth backend works. It uses an env query parameter to identify the environment in which the application is running (development, staging, production, etc). Each runtime can support multiple environments at the same time and the right handler for each request is identified and dispatched to based on the env parameter. All AuthProviderRouteHandlers are wrapped within an EnvironmentHandler.

An EnvironmentHandler takes an ID for each provider that it wraps, the handlers for each env the provider is supported in, and a function that, given a Request as argument, can extract the information about the env under which it should be processed.

Each provider exposes a factory function createXProvider (where X is the name of the provider) that takes the global config, env and other parameters and returns an AuthProviderRouteHandlers for each env, and an envIdentifier function to identify the env of a request.

For a list of currently available providers, look in the factories module located in plugins/auth-backend/src/providers/factories.ts

OAuth2 provider

The oauth2 provider abstracts a generic OAuth2 + OIDC based authentication provider. What this means is that after the application has been given permission by the user, the authorization code will be exchanged for an access_token, a refresh_token and an id_token. This id_token is used to obtain an email id of the user, which is then used for creating the session.