Skip to content

Add decorators to forward user's IDP token to scaffolder actions #137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kaviththiranga wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add decorators to forward user's IDP token to scaffolder actions #137

kaviththiranga wants to merge 2 commits into from

Conversation

@kaviththiranga
Copy link
Contributor

@kaviththiranga kaviththiranga commented Dec 15, 2025
edited
Loading

Summary

  • Implement form decorators to forward user's IDP token to scaffolder actions for user-based authorization
  • Remove service token fallback - all scaffolder actions now require user authentication
  • Add EXPERIMENTAL_formDecorators to auto-generated templates from Component Type Definitions

Changes

Frontend (packages/app)

  • Create openChoreoTokenDecorator that injects OPENCHOREO_USER_TOKEN secret before form submission
  • Extract defaultIdpAuthApiRef to authRefs.ts to fix circular dependency
  • Register decorator with formDecoratorsApiRef

Catalog Backend Module

  • Add EXPERIMENTAL_formDecorators to CtdToTemplateConverter so dynamically generated templates enable user token injection

Scaffolder Backend Module

  • Remove openChoreoTokenServiceRef dependency from module
  • Update component.ts and project.ts actions to only use user token from secrets
  • Fail with clear error if user token is not available

Templates

  • Add EXPERIMENTAL_formDecorators to static OpenChoreo templates

Breaking Changes

  • Guest mode will no longer work for scaffolder actions
  • Automation without user context will fail
  • All scaffolder actions require authenticated user session

Test Plan

  • Create a component via scaffolder while logged in - should succeed
  • Verify OpenChoreo API receives user token (check backend logs)
  • Attempt scaffolder action without authentication - should fail with clear error

Related to openchoreo/openchoreo#1170

As per the suggestions discussed in backstage/backstage#7684 and Experimental feature https://backstage.io/docs/features/software-templates/experimental#form-decorators

@kaviththiranga
Add form decorator to inject user token for authorization
6228101 
  Implement Backstage form decorators to forward user's IDP token to
  scaffolder actions, enabling user-based authorization at OpenChoreo API.

  Changes:
  - Create openChoreoTokenDecorator that injects OPENCHOREO_USER_TOKEN secret
  - Register decorator with formDecoratorsApiRef in apis.ts
  - Update component and project actions to prefer user token from secrets
  - Add EXPERIMENTAL_formDecorators to OpenChoreo templates

  The scaffolder actions now check for user token first (injected by the
  form decorator), falling back to service token if unavailable. This
  allows OpenChoreo API to perform user-based authorization checks.
@kaviththiranga
Require user token, remove service token fallback
2fe9ae4 
  - Add EXPERIMENTAL_formDecorators to auto-generated templates from
    Component Type Definitions (CtdToTemplateConverter)
  - Remove service token dependency from scaffolder module
  - Update component and project actions to only use user token from secrets
  - Extract defaultIdpAuthApiRef to authRefs.ts to fix circular dependency
  - Simplify form decorator by removing console logs

  All scaffolder actions now require user authentication via form decorator.
  Guest mode and automation without user context will fail.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhivandb jhivandb Awaiting requested review from jhivandb jhivandb is a code owner

@sameerajayasoma sameerajayasoma Awaiting requested review from sameerajayasoma sameerajayasoma is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kaviththiranga