
🐛 Bug Report: Okta auth provider missing additionalScopes #27994

Open
2 tasks done
robbat2 opened this issue Dec 4, 2024 · 3 comments · May be fixed by DavidZemon/passport-okta-oauth#1
Labels
bug Something isn't working

Comments


robbat2 commented Dec 4, 2024

📜 Description

Okta authorization is not including expected additionalScopes. This was supposedly fixed in earlier releases for some PRs and issues, but I think something was missed.

#24875
#24743

👍 Expected behavior

Okta authorize request should have included additionalScopes.

👎 Actual Behavior with Screenshots

Okta authorize request does not include additionalScopes; following the login debugging, the browser is sent via:

https://(redacted).okta.com/oauth2/v1/authorize?response_type=code&redirect_uri=https%3A%2F%2F(redacted)%2Fapi%2Fauth%2Fokta%2Fhandler%2Fframe&scope=openid%20email%20profile%20offline_access&state=(redacted)&client_id=(redacted)

👟 Reproduction steps

  1. Backstage configuration snippet (the JSON below is the reporter's snippet with the separating commas restored so that it parses):

```json
{
  "auth": {
    "environment": "production",
    "providers": {
      "okta": {
        "production": {
          "additionalScopes": "groups",
          "audience": "(redacted)",
          "clientId": "(redacted)",
          "clientSecret": "<secret>"
        }
      }
    }
  }
}
```

  2. Fire up Backstage
  3. With DevTools open, load https://(redacted)/api/auth/okta/start?env=production # production should match the provider auth env.

📃 Provide the context for the Bug.

Trying to consume the groups additional scope data to make internal business decisions.

🖥️ Your Environment

$ yarn backstage-cli info
yarn run v1.22.22
$ /app/node_modules/.bin/backstage-cli info
OS:   Linux 6.8.0-49-generic - linux/x64
node: v20.18.0
yarn: 1.22.22
cli:  0.28.2 (installed)
backstage:  1.32.5

Dependencies:
  @backstage/app-defaults                                            1.5.12
  @backstage/backend-app-api                                         1.0.0, 1.0.1
  @backstage/backend-common                                          0.23.3, 0.24.1, 0.25.0
  @backstage/backend-defaults                                        0.5.0, 0.5.2
  @backstage/backend-dev-utils                                       0.1.4, 0.1.5
  @backstage/backend-openapi-utils                                   0.2.0
  @backstage/backend-plugin-api                                      0.7.0, 0.8.1, 1.0.0, 1.0.1
  @backstage/backend-tasks                                           0.6.1
  @backstage/backend-test-utils                                      1.0.2
  @backstage/catalog-client                                          1.6.2, 1.7.0, 1.7.1
  @backstage/catalog-model                                           1.4.5, 1.7.0
  @backstage/cli-common                                              0.1.14
  @backstage/cli-node                                                0.2.8, 0.2.9
  @backstage/cli                                                     0.28.2
  @backstage/config-loader                                           1.9.1
  @backstage/config                                                  1.2.0
  @backstage/core-app-api                                            1.15.0, 1.15.1
  @backstage/core-compat-api                                         0.2.8, 0.3.0, 0.3.1
  @backstage/core-components                                         0.12.5, 0.14.10, 0.14.2, 0.15.0, 0.15.1
  @backstage/core-plugin-api                                         1.10.0, 1.9.1, 1.9.4
  @backstage/errors                                                  1.2.4
  @backstage/eslint-plugin                                           0.1.10
  @backstage/frontend-app-api                                        0.10.0
  @backstage/frontend-defaults                                       0.1.1
  @backstage/frontend-plugin-api                                     0.6.2, 0.7.0, 0.8.0, 0.9.0
  @backstage/frontend-test-utils                                     0.2.1
  @backstage/integration-aws-node                                    0.1.12
  @backstage/integration-react                                       1.1.25, 1.1.31, 1.2.0
  @backstage/integration                                             1.15.0, 1.15.1, 1.9.1
  @backstage/plugin-api-docs                                         0.11.11
  @backstage/plugin-app-backend                                      0.3.76
  @backstage/plugin-app-node                                         0.1.26
  @backstage/plugin-app                                              0.1.1
  @backstage/plugin-auth-backend-module-atlassian-provider           0.3.1
  @backstage/plugin-auth-backend-module-auth0-provider               0.1.1
  @backstage/plugin-auth-backend-module-aws-alb-provider             0.2.1
  @backstage/plugin-auth-backend-module-azure-easyauth-provider      0.2.1
  @backstage/plugin-auth-backend-module-bitbucket-provider           0.2.1
  @backstage/plugin-auth-backend-module-bitbucket-server-provider    0.1.1
  @backstage/plugin-auth-backend-module-cloudflare-access-provider   0.3.1
  @backstage/plugin-auth-backend-module-gcp-iap-provider             0.3.1
  @backstage/plugin-auth-backend-module-github-provider              0.2.1
  @backstage/plugin-auth-backend-module-gitlab-provider              0.2.1
  @backstage/plugin-auth-backend-module-google-provider              0.2.1
  @backstage/plugin-auth-backend-module-microsoft-provider           0.2.1
  @backstage/plugin-auth-backend-module-oauth2-provider              0.3.1
  @backstage/plugin-auth-backend-module-oauth2-proxy-provider        0.2.1
  @backstage/plugin-auth-backend-module-oidc-provider                0.3.1
  @backstage/plugin-auth-backend-module-okta-provider                0.1.1
  @backstage/plugin-auth-backend-module-onelogin-provider            0.2.1
  @backstage/plugin-auth-backend                                     0.23.1
  @backstage/plugin-auth-node                                        0.4.17, 0.5.2, 0.5.3
  @backstage/plugin-auth-react                                       0.1.7
  @backstage/plugin-bitbucket-cloud-common                           0.2.23, 0.2.24
  @backstage/plugin-catalog-backend-module-github                    0.7.6
  @backstage/plugin-catalog-backend-module-scaffolder-entity-model   0.2.0, 0.2.1
  @backstage/plugin-catalog-backend-module-unprocessed               0.5.1
  @backstage/plugin-catalog-backend                                  1.27.1
  @backstage/plugin-catalog-common                                   1.0.22, 1.1.0
  @backstage/plugin-catalog-graph                                    0.4.11
  @backstage/plugin-catalog-node                                     1.13.0, 1.13.1
  @backstage/plugin-catalog-react                                    1.13.0, 1.14.0, 1.11.1
  @backstage/plugin-catalog-unprocessed-entities-common              0.0.4
  @backstage/plugin-catalog-unprocessed-entities                     0.2.9
  @backstage/plugin-catalog                                          1.24.0
  @backstage/plugin-devtools-backend                                 0.4.1
  @backstage/plugin-devtools-common                                  0.1.12
  @backstage/plugin-devtools                                         0.1.19
  @backstage/plugin-events-backend                                   0.3.15
  @backstage/plugin-events-node                                      0.4.0, 0.4.4
  @backstage/plugin-home-react                                       0.1.17, 0.1.18
  @backstage/plugin-home                                             0.8.0
  @backstage/plugin-kubernetes-backend                               0.18.7
  @backstage/plugin-kubernetes-common                                0.8.3
  @backstage/plugin-kubernetes-node                                  0.1.20
  @backstage/plugin-kubernetes-react                                 0.4.4
  @backstage/plugin-kubernetes                                       0.11.16
  @backstage/plugin-org                                              0.6.31
  @backstage/plugin-permission-backend                               0.5.50
  @backstage/plugin-permission-common                                0.7.13, 0.8.1
  @backstage/plugin-permission-node                                  0.8.3, 0.8.4
  @backstage/plugin-permission-react                                 0.4.21, 0.4.26, 0.4.27
  @backstage/plugin-proxy-backend                                    0.5.7
  @backstage/plugin-scaffolder-backend-module-azure                  0.2.0, 0.2.1
  @backstage/plugin-scaffolder-backend-module-bitbucket-cloud        0.2.0, 0.2.1
  @backstage/plugin-scaffolder-backend-module-bitbucket-server       0.2.0, 0.2.1
  @backstage/plugin-scaffolder-backend-module-bitbucket              0.3.0, 0.3.1
  @backstage/plugin-scaffolder-backend-module-confluence-to-markdown 0.3.1
  @backstage/plugin-scaffolder-backend-module-gerrit                 0.2.0, 0.2.1
  @backstage/plugin-scaffolder-backend-module-gitea                  0.2.0, 0.2.1
  @backstage/plugin-scaffolder-backend-module-github                 0.5.0, 0.5.1
  @backstage/plugin-scaffolder-backend-module-gitlab                 0.5.0, 0.6.0
  @backstage/plugin-scaffolder-backend                               1.25.0, 1.26.2
  @backstage/plugin-scaffolder-common                                1.5.6
  @backstage/plugin-scaffolder-node                                  0.4.11, 0.5.0
  @backstage/plugin-scaffolder-react                                 1.13.2
  @backstage/plugin-scaffolder                                       1.26.2
  @backstage/plugin-search-backend-module-catalog                    0.2.4
  @backstage/plugin-search-backend-module-elasticsearch              1.6.1
  @backstage/plugin-search-backend-module-explore                    0.2.4
  @backstage/plugin-search-backend-module-pg                         0.5.37
  @backstage/plugin-search-backend-module-stack-overflow-collator    0.3.2
  @backstage/plugin-search-backend-module-techdocs                   0.3.1
  @backstage/plugin-search-backend-node                              1.3.4
  @backstage/plugin-search-backend                                   1.6.1
  @backstage/plugin-search-common                                    1.2.11, 1.2.14
  @backstage/plugin-search-react                                     1.8.1
  @backstage/plugin-search                                           1.4.18
  @backstage/plugin-signals-backend                                  0.2.2
  @backstage/plugin-signals-node                                     0.1.13
  @backstage/plugin-signals-react                                    0.0.6
  @backstage/plugin-techdocs-backend                                 1.11.1
  @backstage/plugin-techdocs-common                                  0.1.0
  @backstage/plugin-techdocs-module-addons-contrib                   1.1.16
  @backstage/plugin-techdocs-node                                    1.12.12
  @backstage/plugin-techdocs-react                                   1.2.9
  @backstage/plugin-techdocs                                         1.11.0
  @backstage/plugin-user-settings-common                             0.0.1
  @backstage/plugin-user-settings                                    0.8.14
  @backstage/release-manifests                                       0.0.11
  @backstage/test-utils                                              1.7.0
  @backstage/theme                                                   0.2.19, 0.5.2, 0.5.7, 0.6.0
  @backstage/types                                                   1.1.1
  @backstage/version-bridge                                          1.0.10, 1.0.7, 1.0.9
Done in 1.17s.

👀 Have you spent some time to check if this bug has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

Yes I am willing to submit a PR!

@robbat2 robbat2 added the bug Something isn't working label Dec 4, 2024
Member

Rugvip commented Dec 5, 2024

Hmm, looks like the Okta passport strategy that we're using is ignoring the provided scopes. Adding in param.scope = options.scope there fixes the issue. I think this is something that's probably best fixed upstream in the passport provider.

robbat2 added a commit to robbat2/passport-okta-oauth that referenced this issue Dec 6, 2024
Author

robbat2 commented Dec 6, 2024

@Rugvip is this where you expect it? robbat2/passport-okta-oauth@b34cdd8 I don't have a fast way to test injecting it right now.

What bugs me is that the overall options do seem to be passed from the constructor: https://github.com/DavidZemon/passport-okta-oauth/blob/9b064ebc5a9a64f4134e84afbb4b981ab87120cf/lib/passport-okta-oauth/oauth2.js#L38-L43

Member

Rugvip commented Dec 8, 2024

@robbat2 yep!

The constructor options are fixed global ones, we rely on the per-request options instead.
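The distinction drawn in the two comments above (global constructor options versus per-request options, and the one-line `scope = options.scope` fix) as an added, constructed model; this is not the passport-okta-oauth or Backstage source, and the issuer, client id, callback URL and state values are placeholders:

```javascript
// Constructed model of how a passport-style OAuth2 strategy assembles the
// /authorize redirect. Two variants of authorizationParams() are shown:
// one that only honours the strategy's constructor (global) scope, which
// reproduces the symptom in this issue, and one that honours the
// per-request scope, mirroring the suggested "param.scope = options.scope".
const BASE_SCOPES = ['openid', 'email', 'profile', 'offline_access'];

// Buggy variant: per-request options are ignored, so anything Backstage
// adds via additionalScopes never reaches the authorize request.
function authorizationParamsBuggy(strategy, _options) {
  return { scope: strategy.scope };
}

// Fixed variant: the per-request scope wins when supplied, otherwise the
// global constructor scope is used as a fallback.
function authorizationParamsFixed(strategy, options) {
  return { scope: options.scope ?? strategy.scope };
}

// Build the redirect URL the browser is sent to, in the same parameter
// layout as the URL captured in the bug report.
function buildAuthorizeUrl(strategy, options, paramsFn) {
  const url = new URL('/oauth2/v1/authorize', strategy.issuer);
  const params = paramsFn(strategy, options);
  const scope = Array.isArray(params.scope) ? params.scope.join(' ') : params.scope;
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', strategy.callbackURL);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', options.state);
  url.searchParams.set('client_id', strategy.clientID);
  return url.toString();
}

// Defender-side check: parse the scope parameter back out of a captured
// authorize URL and report which expected scopes are absent.
function scopesOf(authorizeUrl) {
  return (new URL(authorizeUrl).searchParams.get('scope') || '').split(' ').filter(Boolean);
}
function missingScopes(authorizeUrl, expected) {
  const present = new Set(scopesOf(authorizeUrl));
  return expected.filter(s => !present.has(s));
}

// Constructed placeholder values (hypothetical tenant and client).
const STRATEGY = { issuer: 'https://example.okta.com', clientID: 'client-id-placeholder',
  callbackURL: 'https://backstage.example/api/auth/okta/handler/frame', scope: BASE_SCOPES };
// Per-request options as Backstage would pass them: base scopes plus additionalScopes.
const PER_REQUEST = { scope: [...BASE_SCOPES, 'groups'], state: 'state-placeholder' };
```

Running `missingScopes` over the URL captured in DevTools is a quick way to confirm whether a deployed fix actually changed what is sent to Okta.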
