🔖 Need
Current issue:
If you open Backstage in 2 different tabs and perform ScmAuthApi.getCredentials in each tab, the token on tab 1 will be revoked. The problem is that the session lives only in memory and the session manager doesn't reuse it.
It's not unusual for users to open Backstage in multiple tabs or in different browsers, in order to perform different scenarios in each browser session.
🎉 Proposal
The proposal is to store the OAuth session in the database, for example in the backstage_plugin_auth database, in a new table oauth_session or something like this.
〽️ Alternatives
No response
❌ Risks
Such tokens are short-lived, e.g. a GitLab token can be valid for a maximum of 2 hours.
👀 Have you spent some time to check if this RFC has been raised before?
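As an added illustration of the race described in this issue (example code, not Backstage's own session manager and not part of the original report): two "tabs" each call getCredentials() against a stand-in provider that, like the GitLab behaviour reported above, keeps only one live token per user and revokes the previous one when a new one is issued. TabLocalSessions reproduces the reported behaviour (each tab keeps its own in-memory session), while SharedSessionStore is the proposed alternative, a store outside tab memory keyed by user and provider that hands back an unexpired session instead of minting a new one; a Map stands in for the proposed oauth_session table. All class names, keys and the 2-hour TTL are assumptions for the example.

```typescript
// Added example, not Backstage code. Names, keys and TTL are hypothetical.

interface OAuthSession {
  accessToken: string;
  expiresAt: number; // epoch milliseconds
}

interface SessionSource {
  getCredentials(): OAuthSession;
}

// Stand-in for a provider such as GitLab: one live token per user, 2 h max.
class FakeProvider {
  private live: string | null = null;
  private seq = 0;
  constructor(private readonly now: () => number, readonly ttlMs = 2 * 60 * 60 * 1000) {}

  issue(): OAuthSession {
    // Issuing a new token revokes the previous one: the behaviour in the report.
    this.live = `tok-${++this.seq}`;
    return { accessToken: this.live, expiresAt: this.now() + this.ttlMs };
  }

  isValid(token: string): boolean {
    return token === this.live;
  }
}

// Reported behaviour: the session lives only in this tab's memory, so a second
// tab knows nothing about it and asks the provider for a fresh token.
class TabLocalSessions implements SessionSource {
  private session: OAuthSession | null = null;
  constructor(private readonly provider: FakeProvider, private readonly now: () => number) {}

  getCredentials(): OAuthSession {
    if (!this.session || this.session.expiresAt <= this.now()) {
      this.session = this.provider.issue();
    }
    return this.session;
  }
}

// Proposal: one store shared by every tab (in the issue, a database table).
// A Map keyed by `${userId}:${providerId}` stands in for that table here.
class SharedSessionStore {
  private readonly rows = new Map<string, OAuthSession>();
  constructor(private readonly now: () => number) {}

  // Reuse a stored session while it is valid; only call the provider when none
  // exists or it is about to expire (skew keeps callers from receiving a token
  // that dies mid-request).
  getOrCreate(key: string, issue: () => OAuthSession, skewMs = 60_000): OAuthSession {
    const existing = this.rows.get(key);
    if (existing && existing.expiresAt - skewMs > this.now()) {
      return existing;
    }
    const fresh = issue();
    this.rows.set(key, fresh);
    return fresh;
  }
}

class SharedSessions implements SessionSource {
  constructor(
    private readonly provider: FakeProvider,
    private readonly store: SharedSessionStore,
    private readonly key: string,
  ) {}

  getCredentials(): OAuthSession {
    return this.store.getOrCreate(this.key, () => this.provider.issue());
  }
}

// Two tabs call getCredentials() in turn; reports whether tab 1's token survived.
function twoTabScenario(shared: boolean): { tab1: string; tab2: string; tab1StillValid: boolean } {
  const clock = 1_700_000_000_000;
  const now = () => clock;
  const provider = new FakeProvider(now);
  const store = new SharedSessionStore(now);
  const newTab = (): SessionSource =>
    shared ? new SharedSessions(provider, store, 'user-1:gitlab') : new TabLocalSessions(provider, now);
  const tab1 = newTab();
  const tab2 = newTab();
  const t1 = tab1.getCredentials().accessToken;
  const t2 = tab2.getCredentials().accessToken;
  return { tab1: t1, tab2: t2, tab1StillValid: provider.isValid(t1) };
}

// The short-lived-token risk from the issue: after the TTL the shared store
// must mint a new token rather than keep handing out the expired row.
function expiryScenario(): { before: string; after: string } {
  let clock = 0;
  const now = () => clock;
  const provider = new FakeProvider(now);
  const store = new SharedSessionStore(now);
  const tab = new SharedSessions(provider, store, 'user-1:gitlab');
  const before = tab.getCredentials().accessToken;
  clock += 3 * 60 * 60 * 1000; // three hours later, past the 2 h ceiling
  const after = tab.getCredentials().accessToken;
  return { before, after };
}

console.log(twoTabScenario(false)); // tab-local: tab1StillValid is false
console.log(twoTabScenario(true));  // shared store: both tabs hold the same valid token
console.log(expiryScenario());
```

The expiry check with skew is the part a database-backed store has to get right: without it the store would keep returning a token the provider has already let lapse, and with an unconditional refresh it would reintroduce the revocation race. A persisted token is also a secret at rest, so the table would need the same protection as the refresh tokens the auth backend already stores.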
Which provider is it that you're seeing this for? The token being revoked is something that shouldn't happen regardless of whether we have backend storage or not. Agree that that would be a good addition though 👍
There are some potential fixes for this on the way in #24743 too, I spotted some bugs for the refresh endpoint of some providers as part of that refactor.
I see it for GitLab provider.
I could reproduce it by opening 2 different scaffolder templates in separate tabs, where both require getting an access token.