Authentication Error | User not found [Google Provider]


Expected Behavior

The authentication plugin allows the user to access the platform.

Actual Behavior

Error message.

Steps to Reproduce

packages/backend/src/plugins/auth.ts

import {
  createRouter,
  providers,
  defaultAuthProviderFactories,
} from '@backstage/plugin-auth-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';

export default async function createPlugin(
  env: PluginEnvironment,
): Promise<Router> {
  return await createRouter({
    ...env,
    providerFactories: {
      ...defaultAuthProviderFactories,
      google: providers.google.create({
        signIn: {
          resolver:
            providers.google.resolvers.emailLocalPartMatchingUserEntityName(),
        },
      })
    },
  });
}

Context

After releasing https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md#0130 we started to encounter this issue.

Your Environment

  • Node.js v16.14.2
  • Yarn 1.22.17
  • Ubuntu 20.04.4 LTS

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

9 reactions
Rugvip commented, Apr 26, 2022

Sorry we didn’t document the pattern of bypassing the catalog during login more clearly. It’s apparent it’s something a lot of you do. Here’s an example of a sign-in resolver that uses the local part of the email directly as the user entity name, without looking up the user in the catalog:

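// Requires: import { stringifyEntityRef, DEFAULT_NAMESPACE } from '@backstage/catalog-model';
okta: providers.okta.create({
  signIn: {
    resolver: async ({ profile }, ctx) => {
      if (!profile.email) {
        throw new Error(
          'Login failed, user profile does not contain an email',
        );
      }
      // Use the part of the email before '@' as the user entity name.
      const [localPart] = profile.email.split('@');

      const userEntityRef = stringifyEntityRef({
        kind: 'User',
        name: localPart,
        namespace: DEFAULT_NAMESPACE,
      });
      // Issue the token directly, without looking up the user in the catalog.
      return ctx.issueToken({
        claims: {
          sub: userEntityRef,
          ent: [userEntityRef],
        },
      });
    },
  },
}),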

The example here is with the Okta provider, but the general pattern applies to all providers. stringifyEntityRef and DEFAULT_NAMESPACE are both imported from @backstage/catalog-model. We’ll probably have a few more of these built in in the future, gonna make sure we add it to docs too.

Regarding the removal of the default sign-in resolver for each provider, it was partly to remove confusion, but most importantly a security fix. Allowing all providers to be used for sign-in by default leads to at best confusing behavior, and at worst an insecure setup.
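An added example, not part of the thread or of Backstage's code: the resolver in the comment above keys the identity on the email local part alone, so two addresses that differ only in domain resolve to the same user entity ref. The version below keeps the same mapping but checks the domain against an allowlist first. The types, `stringifyRef`, the entity-name rule and the `corp.example` domain are stand-ins and assumptions so that the file runs without Backstage installed.

```typescript
// Added example; the types and stringifyRef are local stand-ins, not Backstage APIs.
// 'corp.example' and 'elsewhere.example' are constructed sample domains.
type SignInInfo = { profile: { email?: string } };
type TokenParams = { claims: { sub: string; ent: string[] } };
type ResolverContext = { issueToken(p: TokenParams): Promise<{ token: string }> };

const DEFAULT_NAMESPACE = 'default';

// Stand-in for stringifyEntityRef: "<kind>:<namespace>/<name>", lowercased.
function stringifyRef(kind: string, namespace: string, name: string): string {
  return `${kind}:${namespace}/${name}`.toLowerCase();
}

// The mapping used in the comment above: the domain is discarded.
function naiveUserRef(email: string): string {
  const localPart = email.split('@')[0] ?? '';
  return stringifyRef('User', DEFAULT_NAMESPACE, localPart);
}

// Assumed entity-name rule: alphanumeric runs joined by '-', '_' or '.',
// at most 63 characters in total.
const ENTITY_NAME = /^[a-zA-Z0-9]+([-_.][a-zA-Z0-9]+)*$/;

// Hardened mapping: same entity ref, but only for allowlisted (lowercase) domains.
function userRefFromEmail(email: string | undefined, allowedDomains: string[]): string {
  if (!email) {
    throw new Error('Login failed, user profile does not contain an email');
  }
  const at = email.lastIndexOf('@');
  const localPart = email.slice(0, Math.max(at, 0));
  const domain = email.slice(at + 1).toLowerCase();
  if (at < 1 || !allowedDomains.includes(domain)) {
    throw new Error('Login failed, email domain is not allowed');
  }
  if (localPart.length > 63 || !ENTITY_NAME.test(localPart)) {
    throw new Error('Login failed, email local part is not a valid entity name');
  }
  return stringifyRef('User', DEFAULT_NAMESPACE, localPart);
}

// Resolver with the same shape as the one in the comment above.
function domainRestrictedResolver(allowedDomains: string[]) {
  return async ({ profile }: SignInInfo, ctx: ResolverContext) => {
    const userEntityRef = userRefFromEmail(profile.email, allowedDomains);
    return ctx.issueToken({ claims: { sub: userEntityRef, ent: [userEntityRef] } });
  };
}
```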

7 reactions
Alan-pad commented, Apr 25, 2022

Seems to affect more than only the Google provider, got the issue on GitHub Provider as well. It seems that the default behavior before was to create the user entity if it wasn’t found during lookup. Now the entity is not created, thus we’re getting “User Not Found”. Does anyone have a workaround for that? For GitHub I think enabling the organization auto-discovery feature will make it work but it does not really address the elephant in the room for other providers 😄
