openchoreo · kaviththiranga · Dec 12, 2025
@@ -45,19 +45,20 @@ openchoreo:
 thunder:
   baseUrl: http://thunder.openchoreo.localhost:8080
 
-# OAuth authentication configuration (Kind cluster)
+# OIDC authentication configuration (Kind cluster)
 auth:
   environment: development
+  session:
+    secret: local-dev-secret
   providers:
-    default-idp:
+    openchoreo-idp:
       development:
         # OAuth credentials from Kind cluster helm values
         # (see openchoreo/install/dev/openchoreo-values.yaml)
         clientId: openchoreo-backstage-client
         clientSecret: backstage-portal-secret
-        authorizationUrl: http://thunder.openchoreo.localhost:8080/oauth2/authorize
-        tokenUrl: http://thunder.openchoreo.localhost:8080/oauth2/token
-        scope: 'openid profile email'
+        metadataUrl: http://thunder.openchoreo.localhost:8080/.well-known/openid-configuration
+        prompt: auto
 
 # GitHub integration (optional)
 # Uncomment and add your personal access token if you need GitHub integration

@@ -50,19 +50,19 @@ techdocs:
     type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.
 
 auth:
+  session:
+    secret: ${SESSION_SECRET}
   providers:
-    # OpenChoreo Default IDP - Custom OAuth provider (without discovery endpoint)
+    # OpenChoreo IDP - OIDC provider with discovery endpoint
     # Environment variables are injected by Helm chart (see https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml)
     # Client credentials are automatically configured from asgardeoThunder.backstagePortal values
-    # OPENCHOREO_AUTH_AUTHORIZATION_URL and OPENCHOREO_AUTH_TOKEN_URL are auto-configured from backstage.thunder.baseUrl
-    # or can be explicitly set via backstage.auth.authorizationUrl and backstage.auth.tokenUrl in Helm values
-    default-idp:
+    # THUNDER_BASE_URL is used to derive the OIDC discovery endpoint
+    openchoreo-idp:
       development:
         clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
         clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
-        authorizationUrl: ${OPENCHOREO_AUTH_AUTHORIZATION_URL}
-        tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
-        scope: 'openid profile email'
+        metadataUrl: ${THUNDER_BASE_URL}/.well-known/openid-configuration
+        prompt: auto
 
     # Guest provider - used when openchoreo.features.auth.enabled is false
     # Allows users to access the portal without authentication (demo/development mode)

@@ -86,19 +86,19 @@ techdocs:
 auth:
   # see https://backstage.io/docs/auth/ to learn about auth providers
   environment: development
+  # session.secret is required for OIDC - set via SESSION_SECRET env var or in app-config.local.yaml
   providers:
-    # OpenChoreo Default IDP - Custom OAuth provider (without discovery endpoint)
+    # OpenChoreo IDP - OIDC provider with discovery endpoint
     # Environment variables are injected by Helm chart (see https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml)
     # Client credentials are automatically configured from asgardeoThunder.backstagePortal values
     # For local development with Kind: URLs set via https://github.com/openchoreo/openchoreo install/dev/openchoreo-values.yaml (e.g., http://sts.openchoreo.localhost)
     # For production: set via https://github.com/openchoreo/openchoreo install/helm/openchoreo/values.yaml backstage.thunder.baseUrl (external URL with ingress/load balancer)
-    default-idp:
+    openchoreo-idp:
       development:
         clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
         clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
-        authorizationUrl: ${OPENCHOREO_AUTH_AUTHORIZATION_URL}
-        tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
-        scope: 'openid profile email'
+        metadataUrl: ${THUNDER_BASE_URL}/.well-known/openid-configuration
+        prompt: auto
 
     # Guest provider - used when openchoreo.features.auth.enabled is false
     # Allows users to access the portal without authentication (demo/development mode)

@@ -29,7 +29,7 @@ import {
 import { TechDocsAddons } from '@backstage/plugin-techdocs-react';
 import { ReportIssue } from '@backstage/plugin-techdocs-module-addons-contrib';
 import { UserSettingsPage } from '@backstage/plugin-user-settings';
-import { apis, defaultIdpAuthApiRef } from './apis';
+import { apis, openChoreoIdpAuthApiRef } from './apis';
 import { entityPage } from './components/catalog/EntityPage';
 import { CustomCatalogPage } from './components/catalog/CustomCatalogPage';
 import { searchPage } from './components/search/SearchPage';
@@ -81,10 +81,10 @@ function DynamicSignInPage(props: any) {
       {...props}
       auto
       provider={{
-        id: 'default-idp',
+        id: 'openchoreo-idp',
         title: 'OpenChoreo IDP',
         message: 'Sign in using OpenChoreo Identity Provider',
-        apiRef: defaultIdpAuthApiRef,
+        apiRef: openChoreoIdpAuthApiRef,
       }}
     />
   );

@@ -22,9 +22,9 @@ import { VisitsWebStorageApi, visitsApiRef } from '@backstage/plugin-home';
 import { UserSettingsStorage } from '@backstage/plugin-user-settings';
 import { OpenChoreoFetchApi } from './apis/OpenChoreoFetchApi';
 
-// API reference for default-idp OIDC provider
-export const defaultIdpAuthApiRef: ApiRef<OAuthApi> = createApiRef({
-  id: 'auth.default-idp',
+// API reference for OpenChoreo IDP OIDC provider
+export const openChoreoIdpAuthApiRef: ApiRef<OAuthApi> = createApiRef({
+  id: 'auth.openchoreo-idp',
 });
 
 export const apis: AnyApiFactory[] = [
@@ -42,16 +42,16 @@ export const apis: AnyApiFactory[] = [
     api: fetchApiRef,
     deps: {
       identityApi: identityApiRef,
-      oauthApi: defaultIdpAuthApiRef,
+      oauthApi: openChoreoIdpAuthApiRef,
       configApi: configApiRef,
     },
     factory: ({ identityApi, oauthApi, configApi }) =>
       new OpenChoreoFetchApi(identityApi, oauthApi, configApi),
   }),
 
-  // Default IDP OIDC Auth provider
+  // OpenChoreo IDP OIDC Auth provider
   createApiFactory({
-    api: defaultIdpAuthApiRef,
+    api: openChoreoIdpAuthApiRef,
     deps: {
       discoveryApi: discoveryApiRef,
       oauthRequestApi: oauthRequestApiRef,
@@ -62,7 +62,7 @@ export const apis: AnyApiFactory[] = [
         discoveryApi,
         oauthRequestApi,
         provider: {
-          id: 'default-idp',
+          id: 'openchoreo-idp',
           title: 'OpenChoreo IDP',
           icon: () => null,
         },

@@ -41,7 +41,7 @@
     "@backstage/plugin-search-backend-node": "1.3.15",
     "@backstage/plugin-techdocs-backend": "2.1.0",
     "@backstage/plugin-user-settings-backend": "0.3.7",
-    "@openchoreo/backstage-plugin-auth-backend-module-openchoreo-default": "workspace:^",
+    "@openchoreo/backstage-plugin-auth-backend-module-openchoreo-idp": "workspace:^",
     "@openchoreo/backstage-plugin-backend": "workspace:^",
     "@openchoreo/backstage-plugin-catalog-backend-module": "workspace:^",
     "@openchoreo/backstage-plugin-catalog-backend-module-openchoreo-users": "workspace:^",

@@ -7,7 +7,7 @@
  */
 
 import { createBackend } from '@backstage/backend-defaults';
-import { OpenChoreoDefaultAuthModule } from '@openchoreo/backstage-plugin-auth-backend-module-openchoreo-default';
+import { openChoreoIdpAuthModule } from '@openchoreo/backstage-plugin-auth-backend-module-openchoreo-idp';
 import { rootHttpRouterServiceFactory } from '@backstage/backend-defaults/rootHttpRouter';
 import { immediateCatalogServiceFactory } from '@openchoreo/backstage-plugin-catalog-backend-module';
 
@@ -27,8 +27,8 @@ backend.add(import('@backstage/plugin-auth-backend'));
 // See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
 
 // Auth providers - both registered, but each checks config to determine if it should activate
-// OpenChoreo Default IDP OAuth provider (active when openchoreo.features.auth.enabled = true)
-backend.add(OpenChoreoDefaultAuthModule);
+// OpenChoreo IDP OIDC provider (active when openchoreo.features.auth.enabled = true)
+backend.add(openChoreoIdpAuthModule);
 // Guest provider for development/demo mode (active when openchoreo.features.auth.enabled = false)
 backend.add(import('@backstage/plugin-auth-backend-module-guest-provider'));