feat(auth-provider): initialize auth-providers workspace #2860

Draft
JessicaJHee wants to merge 1 commit into redhat-developer:main from JessicaJHee:auth-provider-ws

@JessicaJHee (Member) commented Apr 21, 2026

Hey, I just made a Pull Request!

Adds Keycloak and PingFederate authentication providers with RHDH-specific sign-in resolvers and frontend support

In the new auth-providers workspace: auth-backend-module-rhdh-oidc-provider

  • Keycloak provider with oidcSubClaimMatchingKeycloakUserId as default resolver
  • PingFederate provider with oidcLdapUuidMatchingAnnotation as default resolver
  • Additional resolvers: preferredUsernameMatchingUserEntityName, oidcSubClaimMatchingPingIdentityUserId

In app-auth: Register Keycloak and PingFederate auth API factories and add sign-in page entries for Keycloak and PingFederate

Fixes RHIDP-11787

Breaking Changes when installed in RHDH

  • Mandatory signInResolver config to align with upstream
    • Otherwise error: <provider-id> is not configured to support sign-in
  • Redirect URL in IdP needs to be updated to http://<BASE_URL>/api/auth//handler/frame

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

Testing Notes

After installing app-auth, app-integrations, and auth-backend-module-rhdh-oidc-provider as dynamic plugins in RHDH, run in root: ENABLE_AUTH_PROVIDER_MODULE_OVERRIDE=true yarn start:next --env-mode=loose

rhdh-qodo-merge (Bot) commented Apr 21, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)


Remediation recommended

1. Hard-requires auth.providers 🐞 Bug ☼ Reliability
Description
The new backend module unconditionally reads auth.providers with
config.getConfig('auth.providers'), which will throw if that config block is absent and prevent
module initialization. This is inconsistent with other parts of the repo that treat
auth.providers.* as optional and can make the dynamic module fragile in minimally-configured
environments.
Code

workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[R60-62]

+      async init({ config, providers }) {
+        const providersConfig = config.getConfig('auth.providers');
+
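Review bot: `config.getConfig('auth.providers')` on the second added line throws when the `auth.providers` block is missing, so `init` aborts before the module can decide there is nothing to register. Use `config.getOptionalConfig('auth.providers')`, return early when it is undefined, and log that no providers were registered so the no-op is visible in the startup logs.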
Evidence
module.ts uses getConfig('auth.providers') without an optional/guarded path; if auth.providers
is not present, initialization will fail before it can simply “register nothing”. In contrast, other
code in this repo uses getOptionalConfig for auth.providers.* lookups, indicating optionality is
expected in at least some contexts.

workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[55-77]
workspaces/konflux/packages/app/src/components/SignInPage.tsx[27-41]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`authProvidersModule` calls `config.getConfig('auth.providers')` during init. If `auth.providers` is not present, this throws and prevents the module from initializing, even though the module could safely no-op when not configured.

### Issue Context
This module registers Keycloak/PingFederate providers only when corresponding config keys exist, so it’s safe to treat `auth.providers` as optional and return early when absent.

### Fix Focus Areas
- workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[60-77]

### Suggested change
- Replace `getConfig('auth.providers')` with `getOptionalConfig('auth.providers')`.
- If the result is undefined, return early (register nothing).
- Keep the rest of the registration logic unchanged.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Advisory comments

2. Prototype key passes filter 🐞 Bug ☼ Reliability
Description
Provider selection uses providerId in providerFactories, which also matches prototype-chain
properties (for example toString) rather than only real factory entries. If such a key appears in
config, the code can index a non-factory value and pass it to registerProvider, causing confusing
runtime failures.
Code

workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[R68-76]

+        providersConfig
+          .keys()
+          .filter(providerId => providerId in providerFactories)
+          .forEach(providerId => {
+            const factory = providerFactories[providerId];
+            providers.registerProvider({
+              providerId,
+              factory,
+            });
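Review bot: the `.filter(providerId => providerId in providerFactories)` line accepts any key found on the prototype chain, so if `providerFactories` is a plain object a config key such as `toString` passes the filter and `providerFactories[providerId]` then hands an inherited function to `registerProvider` as the `factory`. Use `Object.hasOwn(providerFactories, providerId)` in the filter, or hold the factories in a `Map` or null-prototype object so inherited names cannot match.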
Evidence
The filter uses the in operator and then indexes providerFactories[providerId] based on that
check; in is not an own-property check and can match inherited properties, making the subsequent
indexing potentially unsafe.

workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[63-77]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The module filters provider IDs using `providerId in providerFactories`, which checks the prototype chain and can match inherited keys (e.g., `toString`). This can lead to indexing a non-factory value and passing it to `registerProvider`.

### Issue Context
This is defensive hardening for config-driven keys.

### Fix Focus Areas
- workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts[68-73]

### Suggested change
- Replace `providerId in providerFactories` with an own-property check, e.g.:
 - `Object.hasOwn(providerFactories, providerId)` (preferred), or
 - `Object.prototype.hasOwnProperty.call(providerFactories, providerId)`.
- Keep the rest of the logic as-is.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
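
The two findings above (a missing `auth.providers` block and the `in` filter on provider IDs), shown together as an added example that is not code from this pull request. The function names, the stub factories, the provider ID strings and the sample config object are assumptions, and a plain object stands in for the Backstage config reader.

```javascript
// Added example: stand-in for the module's provider selection.
// `providerFactories` reuses the PR's name; IDs and factory bodies are assumed stubs.
const providerFactories = {
  keycloak: () => 'keycloak-factory',
  pingfederate: () => 'pingfederate-factory',
};

// Behaviour the review describes: `in` also matches inherited property names.
function selectWithIn(providersConfig) {
  return Object.keys(providersConfig)
    .filter(id => id in providerFactories)
    .map(id => ({ providerId: id, factory: providerFactories[id] }));
}

// Hardened form: tolerate an absent block and match own properties only.
function selectProviders(providersConfig) {
  if (providersConfig === undefined) return []; // block absent: register nothing
  return Object.keys(providersConfig)
    .filter(id => Object.hasOwn(providerFactories, id))
    .map(id => ({ providerId: id, factory: providerFactories[id] }));
}

// Constructed config keys: a supported provider, an unsupported one,
// and a key that collides with an Object.prototype member.
const sampleProviders = { keycloak: {}, github: {}, toString: {} };

function demo() {
  const loose = selectWithIn(sampleProviders);
  const strict = selectProviders(sampleProviders);
  return {
    looseIds: loose.map(p => p.providerId),
    // entries whose "factory" is really the inherited Object.prototype.toString
    looseInherited: loose
      .filter(p => p.factory === Object.prototype.toString)
      .map(p => p.providerId),
    strictIds: strict.map(p => p.providerId),
    missingBlock: selectProviders(undefined).length,
  };
}

console.log(demo());
```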



@github-actions (Contributor)

This pull request adds a new top-level directory under workspaces/. Please follow Submitting a Pull Request for a New Workspace in CONTRIBUTING.md.

rhdh-gh-app (Bot) commented Apr 21, 2026

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @red-hat-developer-hub/plugin-auth-backend-module-rhdh-oidc-provider

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @red-hat-developer-hub/backstage-plugin-app-auth | workspaces/app-defaults/plugins/app-auth | patch | v0.0.1 |
| @red-hat-developer-hub/plugin-auth-backend-module-rhdh-oidc-provider | workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider | none | v0.1.0 |

@rhdh-qodo-merge

Review Summary by Qodo

Add Keycloak and PingFederate OIDC authentication providers with RHDH-specific resolvers

✨ Enhancement

Walkthroughs

Description
• Adds Keycloak and PingFederate OIDC authentication providers with RHDH-specific sign-in resolvers
• Implements backend module with configurable sign-in resolver factories for both providers
• Extends frontend sign-in page with Keycloak and PingFederate provider support
• Creates new auth-providers workspace with OIDC provider plugin infrastructure
Diagram
flowchart LR
  A["Auth Providers Workspace"] --> B["Backend OIDC Module"]
  B --> C["Keycloak Provider Factory"]
  B --> D["PingFederate Provider Factory"]
  C --> E["Sign-in Resolvers"]
  D --> E
  E --> F["oidcSubClaimMatching"]
  E --> G["oidcLdapUuidMatching"]
  E --> H["preferredUsernameMatching"]
  I["Frontend Auth APIs"] --> J["Keycloak Auth API"]
  I --> K["PingFederate Auth API"]
  J --> L["Sign-in Page"]
  K --> L
  L --> M["Provider-specific Titles"]

File Changes

1. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/index.ts ✨ Enhancement +26/-0
   Export module and provider factories

2. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/module.ts ✨ Enhancement +83/-0
   Backend module registering Keycloak and PingFederate providers

3. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/providers/keycloakProviderFactory.ts ✨ Enhancement +52/-0
   Keycloak OIDC provider factory with custom resolvers

4. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/providers/pingFederateProviderFactory.ts ✨ Enhancement +52/-0
   PingFederate OIDC provider factory with custom resolvers

5. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/resolverUtils.ts ✨ Enhancement +94/-0
   Utility for creating OIDC sub claim resolvers

6. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/src/resolvers.ts ✨ Enhancement +162/-0
   RHDH-specific sign-in resolvers for OIDC providers

7. workspaces/app-defaults/plugins/app-auth/src/AuthApiRefs.ts ✨ Enhancement +19/-0
   Add Keycloak and PingFederate auth API references

8. workspaces/app-defaults/plugins/app-auth/src/translations/signIn.ts ✨ Enhancement +8/-0
   Add Keycloak and PingFederate sign-in translations

9. workspaces/app-defaults/plugins/app-auth/src/appAuthModule.tsx ✨ Enhancement +64/-3
   Register Keycloak and PingFederate OAuth2 frontend APIs

10. workspaces/app-defaults/plugins/app-auth/src/components/SignInPage.tsx ✨ Enhancement +20/-0
    Add Keycloak and PingFederate providers to sign-in page

11. workspaces/auth-providers/package.json ⚙️ Configuration changes +62/-0
    Auth providers workspace package configuration

12. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/package.json ⚙️ Configuration changes +41/-0
    OIDC provider plugin package configuration

13. workspaces/auth-providers/tsconfig.json ⚙️ Configuration changes +18/-0
    TypeScript configuration for auth providers workspace

14. workspaces/auth-providers/.eslintrc.js ⚙️ Configuration changes +1/-0
    ESLint configuration for auth providers workspace

15. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/.eslintrc.js ⚙️ Configuration changes +1/-0
    ESLint configuration for OIDC provider plugin

16. workspaces/auth-providers/.changeset/config.json ⚙️ Configuration changes +14/-0
    Changesets configuration for auth providers workspace

17. workspaces/auth-providers/README.md 📝 Documentation +16/-0
    Documentation for auth providers workspace

18. workspaces/auth-providers/plugins/auth-backend-module-rhdh-oidc-provider/README.md 📝 Documentation +5/-0
    Documentation for OIDC provider plugin

19. workspaces/auth-providers/catalog-info.yaml ⚙️ Configuration changes +14/-0
    Backstage catalog metadata for workspace

20. workspaces/auth-providers/backstage.json ⚙️ Configuration changes +1/-0
    Backstage version configuration

21. workspaces/auth-providers/.dockerignore ⚙️ Configuration changes +8/-0
    Docker ignore patterns for workspace

22. workspaces/auth-providers/.eslintignore ⚙️ Configuration changes +1/-0
    ESLint ignore patterns for workspace

23. workspaces/auth-providers/.prettierignore ⚙️ Configuration changes +5/-0
    Prettier ignore patterns for workspace

24. workspaces/auth-providers/plugins/README.md 📝 Documentation +7/-0
    Documentation for plugins folder structure

25. workspaces/auth-providers/.changeset/README.md 📝 Documentation +8/-0
    Changesets folder documentation

rhdh-qodo-merge (Bot) added the documentation and enhancement labels Apr 21, 2026
JessicaJHee force-pushed the auth-provider-ws branch 4 times, most recently from c8ea415 to 8906491, April 21, 2026 19:27
JessicaJHee changed the title from "Auth provider ws" to "feat(auth-provider): initialize auth-providers workspace" Apr 21, 2026

@kim-tsao (Member) left a comment

Can we also update the CODEOWNERS file?

rhdh-gh-app (Bot) commented Apr 21, 2026

⚠️ CODEOWNERS Validation Failed

The following users are listed in CODEOWNERS but are not members of the rhdh-plugins-codeowners team:

jessicajhee

An org admin needs to add the missing members to the team before this PR can be merged.

@gashcrumb (Member)

Usually a workspace has a backstage app instance for local dev and e2e test purposes, and can probably be helpful for example usage, would one make sense here?

@JessicaJHee (Member, Author)

> Usually a workspace has a backstage app instance for local dev and e2e test purposes, and can probably be helpful for example usage, would one make sense here?

We definitely could, but I'm thinking it makes more sense to pull this into RHDH by installing it as a dynamic plugin since we need to use it with the NFS with app-auth and app-integrations

@hopehadfield (Member) left a comment

I left a couple comments, but other than that it looks good to me!

Comment thread workspaces/auth-providers/package.json Outdated
Comment thread workspaces/auth-providers/package.json Outdated

I would think about adding a short description here for quick reference

Signed-off-by: Jessica He <jhe@redhat.com>
Co-authored-by: Hope Hadfield <hhadfiel@redhat.com>
@hopehadfield (Member) left a comment

Haven't reviewed the plugin content itself, but from a new workspace standpoint everything seems to be in order. LGTM

@JessicaJHee (Member, Author)

Holding off on merging this for now while I investigate the option to contribute this upstream to community-plugins

JessicaJHee marked this pull request as draft April 30, 2026 17:20

Labels: do-not-merge/work-in-progress, documentation, enhancement, workspace/app-defaults
