🙏 Help Wanted: Auth Backend Module Migrations

[Rugvip]

The auth backend recently introduced a new architecture as it was migrated to support the new backend system in #19280. The new architecture implements the auth provider specific logic as "authenticators". There are currently two different kinds of authenticators, OAuth and proxy, along with accompanying route handlers and provider factories.

As part of this we also move all auth providers to be separate modules, and then use that new module for the implementation in auth-backend for backwards compatibility.

Process

For any given OAuth provider implementation, the following is a good starting point for migrating any provider:

1. Duplicate the plugins/auth-backend-module-gitlab-provider directory to plugins/auth-backend-module-<provider-id>-provider
2. Case sensitive search and replace all occurrences of GitLab with <ProviderName>, use the name of the provider as it appears in text.
3. Case sensitive search and replace all occurrences of Gitlab with <ProviderId>, use the PascalCase version of the provider name as it appears in code, this might be the same as the previous step.
4. Case sensitive search and replace all occurrences of gitlab with <providerId>, use the camelCase version of the provider name as it appears in code.
5. Now passport strategy and any other provider-specific logic and configuration from plugins/auth-backend/src/providers/<providerId>/provider.ts. If there are tests for this specific logic then you can migrate those to authenticator or module tests, but other than that the existing provider tests can be deleted. If there are particular tests that you would like too keep, check if it makes sense to add them to https://github.com/backstage/backstage/blob/master/plugins/auth-node/src/oauth/createOAuthRouteHandlers.test.ts.
6. Update config.d.ts in the new module, move over and remove any related configuration in plugins/auth-backend/config.d.ts.
7. Now refactor plugins/auth-backend/src/providers/<providerId> to use the new module, adding a dependency for the new module to auth-backend. Use the legacy helpers as shown in #19475, do not add additional resolvers, options, or other API.

The process for migrating a proxy provider is similar, but use plugins/auth-backend-module-gcp-iap-provider as a starting point instead.

Migration Status

This is the current migration status of all auth providers that need migration. Let us know if you want to help out! 🙏

• atlassian Auth backend module atlassian provider #21007
• auth0 (WIP @ekafeel)
• aws-alb auth-backend: migrated AWS ALB provider to new backend. #22103
• azure-easyauth Add auth-backend-module-azure-easyauth-provider #23909
• bitbucket feat(auth): migrate Bitbucket auth provider to module package #24287
• bitbucketServer
• cloudflare-access auth-backend: extract the cloudflare access auth provider #23997
• gcp-iap auth-backend: migrate to new backend system + new authenticators pattern #19280
• github auth-backend: migrate GitHub provider #19473
• gitlab auth-backend: migrate GitLab provider to separate module #19475
• google auth-backend: migrate to new backend system + new authenticators pattern #19280
• microsoft auth-backend: migrate microsoft provider to separate module #20120 auth-backend: use externalized microsoft auth implementation again #22208
• oauth2 auth: add oauth2 provider module #19696
• oauth2-proxy chore: add oauth2 proxy provider backend module #20685
• oidc auth-backend: migrate oidc auth provider to separate module #20282
• okta Auth backend module Okta provider #21325
• onelogin New OneLogin auth backend module #24353
• pinniped Pinniped Auth Provider #19846
• VMware Cloud feat: Add VMware Cloud auth backend module provider #21337

[mihrab34]

Hi @Rugvip I'd like to help out

[IvyJeptoo]

Hello @Rugvip I'd also want to help

[Rugvip]

@mihrab34 @IvyJeptoo great! 🎉 Best pick a single provider to start with

[mihrab34]

@Rugvip I'm having this error when i try yarn install after forking & cloning the project

[awanlin]

@Rugvip, can we put a hold on the Microsoft auth provider? I'm wondering if now is a good time to rename it. We use Azure in most places and this is one of the only places we call something Microsoft (that I'm aware of could be wrong). I can put together an RFC to get feedback on this if you think that's needed. CC @sanderaernouts @afscrome

[Rugvip]

@awanlin yep we could easily do a rename when creating the new module 👍 Let's not ship any new module before we have settled on the name.

I'd say though that from my understanding "Microsoft" actually makes sense. I find it to be similar to Google auth, where the auth itself if managed through GCP and gives access to a lot of GCP resources, but the scope in the end is much broader than just GCP, so it's the "Google" provider.

[Rugvip]

@mihrab34 seems like there's an issue with the isolated-vm installation, most likely you'll want to have a look at https://github.com/laverdet/isolated-vm#requirements and make sure that's covered for your OS

[TheGemmell]

@awanlin @Rugvip I'm happy to spend some time doing the Microsoft provider, I think we should keep it as Microsoft, purely because they're rolling Azure AD into Entra ID in the coming months AFAIK

[afscrome]

@awanlin A month of two ago, I'd definitely have said to rename to azure, however Microsoft have now decided to rename Azure Active Directory to Microsoft Entra Id 🤦 https://devblogs.microsoft.com/identity/aad-rebrand

I do think the Microsoft / Azure integrations as a whole could do with a naming check as there are a few naming inconsistencies. (e.g. some of the Azure Devops integrations are just named azure, even though ADO is separate to Azure).

[awanlin]

Alright, that works for me, also forgot about the whole name change for Azure AD. Then feel free to work on this who every wants!

Thanks for the feedback @Rugvip @TheGemmell @afscrome 👍

[IvyJeptoo]

@Rugvip I just wanted to ask if it possible if we can mention the modules that each will be handling so that two people dont work on the same module(just a suggestion)

[Rugvip]

@IvyJeptoo yep makes sense, done

[awanlin]

I'll be running with oauth2 as this is something we need internally 👍

[mihrab34]

@Rugvip I opened a PR for bitbucket on #19665

[ekafeel]

I will take the auth0

[awanlin]

PR for the oauth2 provider is here: #19696

[RubenV-dev]

I will be working on the oidc migration

[ahhhndre]

@TheGemmell what’s the ETA on the Microsoft auth module? This is blocking us from using the new backend system

[TheGemmell]

@ahhhndre
Apologies, I actually finished the code changes, then had to go on leave for an emergency. Got back and had forgotten about it. I'll test and raise a PR by end of the weekend

[TheGemmell]

PR for microsoft provider is here: #20120

[awanlin]

Oh wow, hope everything is fine now @TheGemmell? That's for sure a more important priority but thanks for submitting the PR!

[jamieklassen]

PR for oidc: #20282

[guibes]

Hello, will be my first open source contribution, I can make for atlassian. I'll use some open PR to check how to make it easier.

[Josh-Uvi]

Hi @Rugvip, I opened a PR for the Okta Provider - #20854.

[handsamtw]

Hi @Rugvip , this is my first open-source contribution, and I am very happy help out!

I opened a PR for the Atlassian Provider - #21007 , but there're some yarn install pipeline issue i haven't figured out, would you mind taking a look? Thank you so much!

[Parsifal-M]

Is anyone looking at the aws-alb one? If not, I may take a shot at this one. 👍

[tudi2d]

doesn't look like it - go for it, @Parsifal-M!

[GuptaNavdeep1983]

@Parsifal-M, could you make some progress on aws-alb one? I did not realize that somebody is already working on it and started spending some time. Nevertheless, let me know if I can help as we use that one.

[Parsifal-M]

@Parsifal-M, could you make some progress on aws-alb one? I did not realize that somebody is already working on it and started spending some time. Nevertheless, let me know if I can help as we use that one.

Hey!

I had planned to start this weekend! But if you've already made progress that's fine! I will hold off for now ✌️

Could you tag me in the PR so I can also take a look once it's ready? I'm quite curious about it 👌

Thanks for the heads up!

[minkimcello]

Looking at the auth-backend changelog, looks like oauth2-proxy, microsoft, and atlassian has been refactored?

[GuptaNavdeep1983]

Hi @Rugvip, @Parsifal-M I opened a PR for AWS ALB provider - #21810

[GuptaNavdeep1983]

@Rugvip Is there anything else I can do on this PR #21810?

[hasson82]

Hi, I'm willing to take azure-easyauth.

[yaegashi]

@hasson82 Have there been any updates regarding the azure-easyauth migration on your side?

I’m currently working on setting up DevOps for Backstage on Azure Container Apps and have ported azure-easyauth to the new backend system for internal use, as it has become the default configuration in Backstage v1.24.0.

https://github.com/yaegashi/dx2devops-backstage-containerapp

[yaegashi]

I'm working on the new azure-easyauth auth provider: #23909

The migration in the older provider is not yet implemented but coming soon. Any comments or suggestions would be appreciated.

[salemgolemugoo]

Anyone can pick up Onelogin and/or JumpCloud please?

[freben]

I made one for cfaccess #23997

[matteosilv]

Anyone can pick up Onelogin and/or JumpCloud please?

I started taking a look at OneLogin, but I don't know how much effort I can put on it:

#24353

[matteosilv]

Made progresses with OneLogin impl. If anybody wants to review, I think is pretty much ready

[JeevaRamanathan]

Hi, is bitbucketServer based on OAuth provider

[Rugvip]

@JeevaRamanathan yes it is, the current implementation is over here:

backstage/plugins/auth-backend/src/providers/bitbucketServer/provider.ts

Line 83 in f5e04e3

this.strategy = new OAuth2Strategy(