From f16b39de545ab679803b540d4895654a47fe1e50 Mon Sep 17 00:00:00 2001
From: Lawrence Jones
Date: Tue, 14 Nov 2023 15:41:06 +0000
Subject: [PATCH] Opt-out for signing JWT with Backstage source

It seems some Backstage instances may prefer to use a simple bearer token over a signed JWT for authentication. Provide an opt-out for those people.
---
 docs/sources.md | 5 +++++
 source/source_backstage.go | 16 ++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/docs/sources.md b/docs/sources.md
index e993ef8..5b2d1d7 100644
--- a/docs/sources.md
+++ b/docs/sources.md
@@ -129,6 +129,11 @@ This looks like:
 //
 // https://backstage.io/docs/auth/service-to-service-auth/#usage-in-external-callers
 token: '$(BACKSTAGE_TOKEN)',
+
+ // Some Backstage instances (e.g. Roadie) may prefer tokens to be used
+ // as-is instead of signed into JWTs. If this is you, explicitly opt-out of
+ // signing like so:
+ sign_jwt: false,
 },
 }
 ```
diff --git a/source/source_backstage.go b/source/source_backstage.go
index d4ee88d..2fbda70 100644
--- a/source/source_backstage.go
+++ b/source/source_backstage.go
@@ -19,6 +19,7 @@ import (
 type SourceBackstage struct {
 Endpoint string `json:"endpoint"` // https://backstage.company.io/api/catalog/entities
 Token Credential `json:"token"`
+ SignJWT *bool `json:"sign_jwt"`
 }
 
 func (s SourceBackstage) Validate() error {
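Review bot: `SignJWT` is a tri-state pointer (unset, true, false), but the new field has no comment saying that unset means "sign", which is the security-relevant default a reader of the struct needs to know. A comment above the field such as `// SignJWT, when nil or true, signs Token into a JWT; false sends Token as-is as a bearer token.` would record that. Validate's body is outside this hunk, so whether it needs to take the new field into account cannot be judged from here.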
@@ -37,10 +38,17 @@ func (s SourceBackstage) String() string {
 func (s SourceBackstage) Load(ctx context.Context, logger kitlog.Logger) ([]*SourceEntry, error) {
 var token string
 if s.Token != "" {
- var err error
- token, err = s.getJWT()
- if err != nil {
- return nil, err
+ // If not provided or explicitly enabled, sign the token into a JWT and use that as
+ // the Authorization header.
+ if s.SignJWT == nil || *s.SignJWT {
+ var err error
+ token, err = s.getJWT()
+ if err != nil {
+ return nil, err
+ }
+ // Otherwise if someone has told us not to, don't sign the token and use it as-is.
+ } else {
+ token = string(s.Token)
 }
 }
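Review bot: With `sign_jwt: false`, the new branch `token = string(s.Token)` sends the configured secret itself as the bearer credential, so a captured header stays replayable for as long as that token is valid. The signing path sends only a derived JWT; getJWT is not shown here, but it presumably sets an expiry. It would be worth having Validate, which is outside this hunk, reject a non-https Endpoint when signing is disabled, and confirming that nothing downstream logs the Authorization header. Separately, the comment `// Otherwise if someone has told us not to, ...` sits at the end of the signing branch; moving it inside the `else` block, directly above `token = string(s.Token)`, would make it describe the branch it belongs to. Load's body continues outside the hunk.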