VMware Cloud Authentication Provider
Backstage comes with an auth provider module to allow users to sign-in with their VMware Cloud account. This page describes some actions within the VMware Cloud Console and within a Backstage app required to enable this capability.
Create an OAuth App in the VMware Cloud Console
- Log in to the VMware Cloud Console.
- Navigate to Identity & Access Management > OAuth Apps and click the Owned Apps tab -- if you are not an Organization Owner or Administrator but only a Member, you will not see this nav entry unless the Developer check box is selected for your role (see the Organization roles and permissions docs for details).
- Click Create App, choose 'Web/Mobile app' and click Continue.
- Use default settings except:
App Name
andApp Description
of your choosing.Redirect URIs
:${baseUrl}/api/auth/vmwareCloudServices/handler/frame
wherebaseUrl
is the URL where your Backstage backend can be reached; note that VMware Cloud does not support the combination of anhttp://
scheme and alocalhost
hostname, so when testing locally it may help to set your backend base URL tohttp://127.0.0.1:7007
.Refresh Token
: checkIssue refresh token
; refresh tokens are required to prevent forcing users to re-login when they refresh their browser.Define Scopes
: checkOpenID
at the bottom.
- Click Create.
- Take note of the
App ID
in the resulting modal; this is the client ID to be used by Backstage.
Install the provider in the backend
New backend system
Apps using the new backend system, can enable the VMware Cloud provider with a small modification like:
import { createBackend } from '@backstage/backend-defaults';
const backend = createBackend();
backend.add(import('@backstage/plugin-auth-backend'));
backend.add(
import('@backstage/plugin-auth-backend-module-vmware-cloud-provider'),
);
backend.start();
Old backend system
This provider was added after the migration of the auth-backend plugin to the new backend system, so no default provider factory was added. Because of this, the installation procedure for old-style backends is slightly more involved:
import {
DEFAULT_NAMESPACE,
stringifyEntityRef,
} from '@backstage/catalog-model';
import {
createRouter,
providers,
defaultAuthProviderFactories,
} from '@backstage/plugin-auth-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';
import {
commonSignInResolvers,
createOAuthProviderFactory,
} from '@backstage/plugin-auth-node';
import {
vmwareCloudAuthenticator,
} from '@backstage/plugin-auth-backend-module-vmware-cloud-provider';
export default async function createPlugin(
env: PluginEnvironment,
): Promise<Router> {
return await createRouter({
logger: env.logger,
config: env.config,
database: env.database,
discovery: env.discovery,
tokenManager: env.tokenManager,
providerFactories: {
...defaultAuthProviderFactories,
vmwareCloudServices: createOAuthProviderFactory({
authenticator: vmwareCloudAuthenticator,
signInResolver:
commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
}),
In the above, commonSignInResolvers.emailLocalPartMatchingUserEntityName()
can be replaced with a more suitable resolver for the app in question.
Configure Sign-in Resolution
See Sign-in Identities and Resolvers for details.
Add to Sign-in Page
See the Sign-In Configuration docs for general guidance, but as an example:
import { vmwareCloudAuthApiRef } from '@backstage/core-plugin-api';
import { SignInPage } from '@backstage/core-components';
const app = createApp({
components: {
SignInPage: props => (
<SignInPage
{...props}
provider={{
id: 'vmware-cloud-auth-provider',
title: 'VMware Cloud',
message: 'Sign in using VMware Cloud',
apiRef: vmwareCloudAuthApiRef,
}}
/>
),
},
// ..
});
Configuration
Add the following to your app-config.yaml
under the root auth
configuration:
auth:
session:
secret: your session secret
environment: development
providers:
vmwareCloudServices:
development:
clientId: ${APP_ID}
organizationId: ${ORG_ID}
where APP_ID
refers to the ID retrieved when creating the OAuth App, and
ORG_ID
is the long ID of the
Organization
in VMware Cloud for which you wish to enable sign-in.
Note that VMware Cloud requires OAuth Apps to use
PKCE when performing authorization code flows; the
library used by this provider requires the use of Express session middleware to
do this. Therefore the value your session secret
under auth.session.secret
should be replaced with a long, complex and unique string which will act as a
key for signing session cookies set by Backstage.