Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue with Token Retrieval in http:backstage:request Action - failing with JWTClaimValidationFailed #1475

Closed
davormilutinovic opened this issue Jul 10, 2024 · 10 comments
Labels
kind/bug Something isn't working stale

Comments

@davormilutinovic
Copy link

davormilutinovic commented Jul 10, 2024

Expected Behavior
The http:backstage:request action should use the initiator's credentials to retrieve the token, ensuring proper authentication when making HTTP requests.

Current Behavior
The http:backstage:request action uses old ctx.secrets?.backstageToken or ctx.secrets.backstageToken to retrieve the token, which leads to an authentication error with the message "Invalid plugin token; caused by JWTClaimValidationFailed: unexpected 'aud' claim value".

link to code line :

Steps to Reproduce
Configure a template in Backstage that uses the http:backstage:request action to make an authenticated HTTP request.
Execute the template to trigger the action.
Observe the authentication error in the logs.

Possible Solution

Modify the http:backstage:request action to use ctx.getInitiatorCredentials().token instead of ctx.secrets?.backstageToken

Quick fix

// Original line
const token = ctx.secrets?.backstageToken; 

// Updated lines
const credentials = await ctx.getInitiatorCredentials(); 

// @ts-expect-error
const token = credentials.token;

Context

This issue prevents us from properly authenticating HTTP requests within the Backstage scaffolder, causing our pipeline creation process to fail with authentication errors. We are trying to automate the creation of SonarQube pipelines in Azure, and this bug is a blocker for our workflow.

Your Environment
yarn: 1.22.21
cli: 0.26.6 (installed)
backstage: 1.27.6

Dependencies:
"@roadiehq/scaffolder-backend-module-http-request": "^4.3.2",
@backstage/app-defaults 1.5.5
@backstage/backend-app-api 0.7.5
@backstage/backend-common 0.22.0
@backstage/backend-defaults 0.2.18
@backstage/backend-dev-utils 0.1.4
@backstage/backend-openapi-utils 0.1.11
@backstage/backend-plugin-api 0.6.21
@backstage/backend-tasks 0.5.26
@backstage/catalog-client 1.6.5
@backstage/catalog-model 1.5.0
@backstage/cli-common 0.1.14
@backstage/cli-node 0.2.5
@backstage/cli 0.26.6
@backstage/config-loader 1.8.0
@backstage/config 1.2.0
@backstage/core-app-api 1.13.0
@backstage/core-compat-api 0.2.5
@backstage/core-components 0.14.7
@backstage/core-plugin-api 1.9.3
@backstage/dev-utils 1.0.32
@backstage/e2e-test-utils 0.1.1
@backstage/errors 1.2.4
@backstage/eslint-plugin 0.1.8
@backstage/frontend-plugin-api 0.6.5
@backstage/integration-aws-node 0.1.12
@backstage/integration-react 1.1.27
@backstage/integration 1.12.0
@backstage/plugin-analytics-module-ga4 0.2.5
@backstage/plugin-api-docs 0.11.5
@backstage/plugin-app-backend 0.3.67
@backstage/plugin-app-node 0.1.18
@backstage/plugin-auth-backend-module-atlassian-provider 0.1.10
@backstage/plugin-auth-backend-module-aws-alb-provider 0.1.10
@backstage/plugin-auth-backend-module-azure-easyauth-provider 0.1.1
@backstage/plugin-auth-backend-module-bitbucket-provider 0.1.1
@backstage/plugin-auth-backend-module-cloudflare-access-provider 0.1.1
@backstage/plugin-auth-backend-module-gcp-iap-provider 0.2.13
@backstage/plugin-auth-backend-module-github-provider 0.1.15
@backstage/plugin-auth-backend-module-gitlab-provider 0.1.15
@backstage/plugin-auth-backend-module-google-provider 0.1.15
@backstage/plugin-auth-backend-module-guest-provider 0.1.7
@backstage/plugin-auth-backend-module-microsoft-provider 0.1.13
@backstage/plugin-auth-backend-module-oauth2-provider 0.1.15
@backstage/plugin-auth-backend-module-oauth2-proxy-provider 0.1.11
@backstage/plugin-auth-backend-module-oidc-provider 0.1.9
@backstage/plugin-auth-backend-module-okta-provider 0.0.11
@backstage/plugin-auth-backend 0.22.5
@backstage/plugin-auth-node 0.4.16
@backstage/plugin-auth-react 0.1.2
@backstage/plugin-azure-devops-common 0.4.2
@backstage/plugin-azure-devops 0.4.4
@backstage/plugin-catalog-backend-module-azure 0.1.41
@backstage/plugin-catalog-backend-module-msgraph 0.5.26
@backstage/plugin-catalog-backend-module-scaffolder-entity-model 0.1.19
@backstage/plugin-catalog-backend 1.22.0
@backstage/plugin-catalog-common 1.0.24
@backstage/plugin-catalog-graph 0.4.5
@backstage/plugin-catalog-import 0.11.0
@backstage/plugin-catalog-node 1.12.3
@backstage/plugin-catalog-react 1.12.0
@backstage/plugin-catalog 1.20.0
@backstage/plugin-events-node 0.3.4
@backstage/plugin-gcalendar 0.3.28
@backstage/plugin-github-actions 0.6.16
@backstage/plugin-home-react 0.1.13
@backstage/plugin-home 0.7.4
@backstage/plugin-microsoft-calendar 0.1.17
@backstage/plugin-org 0.6.25
@backstage/plugin-pagerduty 0.7.7
@backstage/plugin-permission-backend-module-allow-all-policy 0.1.18
@backstage/plugin-permission-backend 0.5.45
@backstage/plugin-permission-common 0.7.14
@backstage/plugin-permission-node 0.7.32
@backstage/plugin-permission-react 0.4.22
@backstage/plugin-proxy-backend 0.4.16
@backstage/plugin-scaffolder-backend-module-azure 0.1.13
@backstage/plugin-scaffolder-backend-module-bitbucket-cloud 0.1.11
@backstage/plugin-scaffolder-backend-module-bitbucket-server 0.1.11
@backstage/plugin-scaffolder-backend-module-bitbucket 0.2.11
@backstage/plugin-scaffolder-backend-module-gerrit 0.1.13
@backstage/plugin-scaffolder-backend-module-gitea 0.1.11
@backstage/plugin-scaffolder-backend-module-github 0.3.2
@backstage/plugin-scaffolder-backend-module-gitlab 0.4.3
@backstage/plugin-scaffolder-backend 1.22.11
@backstage/plugin-scaffolder-common 1.5.3
@backstage/plugin-scaffolder-node 0.2.10, 0.4.7
@backstage/plugin-scaffolder-react 1.8.6
@backstage/plugin-scaffolder 1.20.1
@backstage/plugin-search-backend-module-catalog 0.1.24
@backstage/plugin-search-backend-module-pg 0.5.27
@backstage/plugin-search-backend-module-techdocs 0.1.23
@backstage/plugin-search-backend-node 1.2.23
@backstage/plugin-search-backend 1.5.9
@backstage/plugin-search-common 1.2.12
@backstage/plugin-search-react 1.7.11
@backstage/plugin-search 1.4.11
@backstage/plugin-sonarqube-backend 0.2.20
@backstage/plugin-sonarqube-react 0.1.16
@backstage/plugin-sonarqube 0.7.17
@backstage/plugin-stack-overflow 0.1.30
@backstage/plugin-tech-radar 0.7.4
@backstage/plugin-techdocs-backend 1.10.5
@backstage/plugin-techdocs-module-addons-contrib 1.1.10
@backstage/plugin-techdocs-node 1.12.4
@backstage/plugin-techdocs-react 1.2.4
@backstage/plugin-techdocs 1.10.5
@backstage/plugin-user-settings 0.8.6
@backstage/release-manifests 0.0.11
@backstage/repo-tools 0.9.0
@backstage/test-utils 1.5.5
@backstage/theme 0.5.5
@backstage/types 1.1.1
@backstage/version-bridge 1.0.8

@davormilutinovic davormilutinovic added the kind/bug Something isn't working label Jul 10, 2024
@davormilutinovic
Copy link
Author

Just found another reference to the same issue link.

@ivangonzalezacuna
Copy link
Contributor

I've opened a PR for it. I tested it in our instance and it worked fine. It's following the same idea as other upstream actions in backstage, and always using the bearer token if it's defined. This should do the trick

@davormilutinovic
Copy link
Author

davormilutinovic commented Aug 3, 2024

I've opened a PR for it. I tested it in our instance and it worked fine. It's following the same idea as other upstream actions in backstage, and always using the bearer token if it's defined. This should do the trick

Hi. For some reason your changes are still not working for me.

I have used your fork and there was an error during execution of one template

...There was an issue with your request. Status code: 401 Response body: {"error":{"name":"AuthenticationError","message":"Invalid plugin token; caused by JWTClaimValidationFailed: unexpected "aud" claim value","cause":{"code":"ERR_JWT_CLAIM_VALIDATION_FAILED...

After I reverted from

      const { token } = (await auth?.getPluginRequestToken({
        onBehalfOf: await ctx.getInitiatorCredentials(),
        targetPluginId: 'proxy',
      })) ?? { token: ctx.secrets?.backstageToken };

to

const credentials = await ctx.getInitiatorCredentials(); 

// @ts-expect-error
const token = credentials.token;

It has start working again?

@RaoJackie123
Copy link
Contributor

the PR #1532 have fixed it

@ajaykanse
Copy link

HI Guys ..is there any workaround for this ?

@RaoJackie123
Copy link
Contributor

HI Guys ..is there any workaround for this ?

For the http:backstage:request action, which version are you using?

@ajaykanse
Copy link

if you are asking for this plugin - roadiehq-scaffolder-backend-module-http-request-dynamic , I have 4.3.2.

@RaoJackie123
Copy link
Contributor

if you are asking for this plugin - roadiehq-scaffolder-backend-module-http-request-dynamic , I have 4.3.2.

You can upgrade to 4.3.4 to solve this

@ajaykanse
Copy link

ajaykanse commented Oct 22, 2024

Thank you I'll try that. Where I can find instructions to upgrade plugin to specific version ? I looked at documentation - https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3 but could not find required configurations. Also I would not access to external repo directly and i have to go through proxy if I need to download specific plugin from external repo. Please let me know what doc to refer. TIA

Copy link
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Dec 21, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working stale
Projects
None yet
Development

No branches or pull requests

4 participants