OIDC provider from scratch
This documentation is written for the new backend system which is the default since Backstage version 1.24. If you are still on the old backend system, you may want to read its own article instead, and consider migrating!
This section shows how to use an OIDC provider from scratch, same steps apply for custom
providers. Please note these steps are for using a provider, not how to implement one,
and Backstage recommends creating custom providers specific to the IDP, so we'll use a
azureOIDC provider throughout this example, feel free to change any of those refs
to your provider name.
Summary
To add providers not enabled by default like OIDC, we need to follow some steps, we assume you already have a sign-in page to which we'll add the provider so users can sign in through the provider. In simple steps here's how you enable the provider:
- Create an API reference to identify the provider.
- Create the API factory that will handle the authentication.
- Add or reuse an auth provider so you can authenticate.
- Add or reuse a resolver to handle the result from the authentication.
- Configure the provider to access your 3rd party auth solution.
- Add the provider to sign in page so users can login with it.
We'll explain each step more in detail next.
The API reference
An API reference exist for the sake of Dependency Injection, check Utility APIs for extended explanation.
In this OIDC example, we'll create the API reference directly in the
packages/app/src/apis.ts file, it is not a requirement to put the reference in this
file. Any location will do as long as it's available to be imported to where the API
factory is, as well as easily accessible to the rest of the application so any package
and plugin can inject the API instance when necessary.
An example of such would be when you use an auth provider from a library installed with NPM, or any other library repository, you would import the API ref from the library.
export const azureOIDCAuthApiRef: ApiRef<
OpenIdConnectApi & ProfileInfoApi & BackstageIdentityApi & SessionApi
> = createApiRef({
id: 'auth.my-custom-provider',
});
Please note a few things, the ID can be anything you want as long as it doesn't conflict
with other refs, backstage recommends to use a custom name that references your custom
provider, for example we are using OIDC protocol with Azure, so we could use something
like auth.azure.oidc as well.
Also we're exporting this reference, as well as the typings, we need to
be able to import this reference anywhere in the app, and the typings will tell typescript
what instance we're getting from DI when injecting the API. In this case we are defining
an API for authentication, so we tell TS that this instance complies with 4 API
interfaces:
- The OICD API that will handle authentication.
- Profile API for requesting user profile info from the auth provider in question.
- Backstage identity API to handle and associate the user profile with backstage identity.
- Session API, to handle the session the user will have while logged in.
The API Factory
A factory is a function that can take some parameters or dependencies and return an instance of something, in our case it will be a function that requests some backstage APIs and use them to create an instance of an OIDC API provider.
Please note that this function only runs (creates the instance) when somewhere else in the app you request the DI to give you an instance of the OIDC provider using the API ref defined above, and the DI will only run this function the first time, from then on any other DI injection will just receive the same instance created the first time, basically the instance is cached by the DI library, a singleton.
Let's add our OIDC API factory to the APIs array in the packages/app/src/apis.ts file:
import { OAuth2 } from '@backstage/core-app-api';
export const apis: AnyApiFactory[] = [
createApiFactory({
api: azureOIDCAuthApiRef,
deps: {
discoveryApi: discoveryApiRef,
oauthRequestApi: oauthRequestApiRef,
configApi: configApiRef,
},
factory: ({ discoveryApi, oauthRequestApi, configApi }) =>
OAuth2.create({
configApi,
discoveryApi,
oauthRequestApi,
provider: {
id: 'my-auth-provider',
title: 'My custom auth provider',
icon: () => null,
},
environment: configApi.getOptionalString('auth.environment'),
defaultScopes: ['openid', 'profile', 'email'],
popupOptions: {
// optional, used to customize login in popup size
size: {
fullscreen: true,
},
/**
* or specify popup width and height
* size: {
width: 1000,
height: 1000,
}
*/
},
}),
}),
// ..
];
Please note we're importing the OAuth2 class from @backstage/core-app-api effectively
delegating the authentication to it. Also we're using the my-auth-provider ID to tell
OAuth2 to use the auth provider we'll define in the next section, and added the default
scopes to request ID, profile, email and user read permissions.
The Auth Provider
The Auth Provider is responsible for authenticating with the 3rd party service, and give us back the credentials, here's where you pick which protocol to use, be it Auth0, OAuth2, OIDC, SAML or any other that your 3rd party IDP provider supports.
The Resolver
Resolvers exist to map user identity from the 3rd party (in this case an azure IDP provider) to the backstage user identity.
The default OIDC provider has built-in resolvers, here is how you configure them:
auth:
environment: development
providers:
oidc:
development:
# ...
signIn:
resolvers:
- resolver: emailMatchingUserEntityProfileEmail
But you can also write a custom resolver as well, see an example below:
import { createBackendModule } from '@backstage/backend-plugin-api';
import {
authProvidersExtensionPoint,
createOAuthProviderFactory,
} from '@backstage/plugin-auth-node';
import { oidcAuthenticator } from '@backstage/plugin-auth-backend-module-oidc-provider';
const myAuthProviderModule = createBackendModule({
// This ID must be exactly "auth" because that's the plugin it targets
pluginId: 'auth',
// This ID must be unique, but can be anything
moduleId: 'my-auth-provider',
register(reg) {
reg.registerInit({
deps: { providers: authProvidersExtensionPoint },
async init({ providers }) {
providers.registerProvider({
// This ID must match the actual provider config, e.g. addressing
// auth.providers.azure means that this must be "azure".
providerId: 'my-auth-provider',
// Use createProxyAuthProviderFactory instead if it's one of the proxy
// based providers rather than an OAuth based one
factory: createOAuthProviderFactory({
// For more info about authenticators please see https://backstage.io/docs/auth/add-auth-provider/#adding-an-oauth-based-provider
authenticator: oidcAuthenticator,
async signInResolver(info, ctx) {
const userRef = stringifyEntityRef({
kind: 'User',
name: info.result.userinfo.sub,
namespace: DEFAULT_NAMESPACE,
});
return ctx.issueToken({
claims: {
sub: userRef, // The user's own identity
ent: [userRef], // A list of identities that the user claims ownership through
},
});
},
}),
});
},
});
},
});
//...
backend.add(import('@backstage/plugin-auth-backend'));
backend.add(myAuthProviderModule);
//...
For a more a detailed explanation about resolvers check the Identity Resolver page.
The configuration
Since we are using our custom OIDC Auth Provider, we need to add a configuration based on the provider used, in this case based on OIDC protocol (remember the 3rd party has to support the protocol).
In this example we'll configure OIDC with my-auth-provider, to do so we need to
Create app registration in the Azure console, the only difference is that the
http://localhost:7007/api/auth/microsoft/handler/frame URL needs to change to
http://localhost:7007/api/auth/my-auth-provider/handler/frame.
Then we need to configure the env variables for the provider, based on the provider's code
in plugins/auth-backend/src/providers/oidc/provider.ts we need the following variables
in the app-config.yaml:
auth:
environment: development
### Providing an auth.session.secret will enable session support in the auth-backend
session:
secret: ${SESSION_SECRET}
providers:
my-auth-provider:
development:
metadataUrl: https://example.com/.well-known/openid-configuration
clientId: ${AUTH_MY_CLIENT_ID}
clientSecret: ${AUTH_MY_CLIENT_SECRET}
Anything enclosed in ${} can be replaced directly in the yaml, or provided as
environment variables, the way you obtain all these except scope and prompt is to
check the App Registration you created:
clientId: Grab from the Overview page.clientSecret: Can only be seen when creating the secret, if you lose it you'll need a new secret.metadataUrl: In Overview > Endpoints tab, grab OpenID Connect metadata document URL.authorizationUrlandtokenUrl: Open themetadataUrlin a browser, that json will hold these 2 urls somewhere in there.tokenEndpointAuthMethod: Don't define it, use the default unless you know what it does.tokenSignedResponseAlg: Don't define it, use the default unless you know what it does.scope: Only used if we didn't specifydefaultScopesin the provider's factory, basically the same thing.prompt: Recommended to useautoso the browser will request login to the IDP if the user has no active session.
Note that for the time being, any change in this yaml file requires a restart of the app,
also you need to have the session.secret part to use OIDC (some other providers might
need this as well) to support user sessions.
The Sign In provider
The last step is to add the provider to the SignInPage so users can sign in with your
new provider, please follow the Sign In Configuration docs, here's where you import
and use the API reference we defined earlier.
Note
These steps apply to most if not all the providers, including custom providers, the main difference between different providers will be the contents of the API factory, the code in the Auth Provider Factory, the resolver, and the different variables each provider needs in the YAML config or env variables.