Google Authentication Provider
The Backstage core-plugin-api
package comes with a Google authentication
provider that can authenticate users using Google OAuth.
Create OAuth Credentials
To support Google authentication, you must create OAuth credentials:
- Log in to the Google Console
- Select or create a new project from the dropdown menu on the top bar
- Navigate to APIs & Services > Credentials
- Click Create Credentials and choose
OAuth client ID
- Configure an OAuth consent screen, if required
- For local development, you do not need to enter any Authorized domain
- For scopes, select
openid
,auth/userinfo.email
andauth/userinfo.profile
- Add yourself as a test user, if using External user type
- Set Application Type to
Web Application
with these settings:Name
: Backstage (or your custom app name)Authorized JavaScript origins
: http://localhost:3000Authorized Redirect URIs
: http://localhost:7007/api/auth/google/handler/frame
- Click Create
Configuration
The provider configuration can then be added to your app-config.yaml
under the
root auth
configuration:
auth:
environment: development
providers:
google:
development:
clientId: ${AUTH_GOOGLE_CLIENT_ID}
clientSecret: ${AUTH_GOOGLE_CLIENT_SECRET}
signIn:
resolvers:
# See https://backstage.io/docs/auth/google/provider#resolvers for more resolvers
- resolver: emailMatchingUserEntityAnnotation
The Google provider is a structure with two configuration keys:
clientId
: The client ID that you generated, e.g.10023341500512-beui241gjwwkrdkr2eh7dprewj2pp1q.apps.googleusercontent.com
clientSecret
: The client secret tied to the generated client ID.
Resolvers
This provider includes several resolvers out of the box that you can use:
emailMatchingUserEntityProfileEmail
: Matches the email address from the auth provider with the User entity that has a matchingspec.profile.email
. If no match is found it will throw aNotFoundError
.emailLocalPartMatchingUserEntityName
: Matches the local part of the email address from the auth provider with the User entity that has a matchingname
. If no match is found it will throw aNotFoundError
.emailMatchingUserEntityAnnotation
: Matches the email address from the auth provider with the User entity where the value of thegoogle.com/email
annotation matches. If no match is found it will throw aNotFoundError
.
The resolvers will be tried in order, but will only be skipped if they throw a NotFoundError
.
If these resolvers do not fit your needs you can build a custom resolver, this is covered in the Building Custom Resolvers section of the Sign-in Identities and Resolvers documentation.
Backend Installation
To add the provider to the backend we will first need to install the package by running this command:
yarn --cwd packages/backend add @backstage/plugin-auth-backend-module-google-provider
Then we will need to add this line:
backend.add(import('@backstage/plugin-auth-backend'));
backend.add(import('@backstage/plugin-auth-backend-module-google-provider'));
Adding the provider to the Backstage frontend
To add the provider to the frontend, add the googleAuthApiRef
reference and
SignInPage
component as shown in
Adding the provider to the sign-in page.