OAuth 2 Proxy Provider
The Backstage @backstage/plugin-auth-backend
package comes with an
oauth2Proxy
authentication provider that can authenticate users by using a
oauth2-proxy in front of an
actual Backstage instance. This enables to reuse existing authentications within
a cluster. In general the oauth2-proxy
supports all OpenID Connect providers,
for more details check this
list of supported providers.
Configuration
The provider configuration can be added to your app-config.yaml
under the root
auth
configuration:
auth:
environment: development
providers:
oauth2Proxy:
development: {}
Right now no configuration options are supported, but the empty object is needed to enable the provider in the auth backend.
To use the oauth2Proxy
provider you must also configure it with a sign-in resolver.
For more information about the sign-in process in general, see the
Sign-in Identities and Resolvers documentation.
For the oauth2Proxy
provider, the sign-in result is quite different than other providers.
Because it's a proxy provider that can be configured to forward information through
arbitrary headers, the auth result simply just gives you access to the HTTP headers
of the incoming request. Using these you can either extract the information directly,
or grab ID or access tokens to look up additional information and/or validate the request.
A simple sign-in resolver might for example look like this:
providerFactories: {
...defaultAuthProviderFactories,
oauth2Proxy: providers.oauth2Proxy.create({
signIn: {
async resolver({ result }, ctx) {
const name = result.getHeader('x-forwarded-user');
if (!name) {
throw new Error('Request did not contain a user')
}
return ctx.signInWithCatalogUser({
entityRef: { name },
});
},
},
}),
},
An example on how to sign a user in without a matching user
Adding the provider to the Backstage frontend
It is recommended to use the ProxiedSignInPage
for this provider, which is
installed in packages/app/src/App.tsx
like this:
import { ProxiedSignInPage } from '@backstage/core-components';
const app = createApp({
components: {
SignInPage: props => (
<ProxiedSignInPage {...props} provider="oauth2Proxy" />
),
},
// ..
});
See Sign-In with Proxy Providers for pointers on how to set up the sign-in page to also work smoothly for local development.