fix(orchestrator): detect GitHub SAML SSO session expiry and prompt users to re-authorize #3253

Merged: lokanandaprabhu merged 1 commit into redhat-developer:main from karthikjeeyar:orchestrator/saml-sso-error on Jun 2, 2026

@karthikjeeyar
Member

Hey, I just made a Pull Request!

Fixes: https://redhat.atlassian.net/browse/RHDHBUGS-3216

Changes included in this PR:

  • Detects GitHub SAML SSO session expiry and shows a re-authorization dialog
  • Extracts the re-authorize URL from the x-github-sso response header when available
  • Detection is GitHub-specific to avoid false positives with other identity providers
  • All user-facing strings are translated (de, es, fr, it, ja)

Screenshots:

[image]

How to Test:

  1. Create these workflow and schema files:

    • packages/backend/.devModeTemp/repository/workflows/github-sso-test.sw.yaml

      id: github-sso-test
      version: "1.0"
      specVersion: "0.8"
      name: "GitHub SSO Test"
      description: "Simple workflow to test GitHub SAML SSO authentication. Authenticates via OAuth, checks SSO session validity, and fetches repository info for the given org."
      dataInputSchema: schemas/github-sso-test-input-schema.json
      extensions:
        - extensionid: workflow-output-schema
          outputSchema: schemas/workflow-output-schema.json
      functions:
        - name: sysLog
          type: custom
          operation: sysout:INFO
        - name: getRepository
          operation: specs/github.yaml#getRepository
        - name: successResult
          type: expression
          operation: '{
              "result": {
                "message": "GitHub SSO check passed. Authenticated successfully.",
                "outputs": [
                    {
                      "key": "Organization",
                      "value": .orgName,
                      "format": "text"
                    },
                    {
                      "key": "Repository",
                      "value": .repoInfo.html_url,
                      "format": "link"
                    },
                    {
                      "key": "SSO Status",
                      "value": "Active",
                      "format": "text"
                    }
                  ]
              }
            }'
      start: "VerifyAccess"
      states:
        - name: VerifyAccess
          type: operation
          actions:
            - name: logStart
              functionRef:
                refName: sysLog
                arguments:
                  message: ${ "Verifying GitHub SSO access for org " + .orgName }
            - name: getRepo
              functionRef:
                refName: getRepository
                arguments:
                  owner: .orgName
                  repo: "rhdh"
              actionDataFilter:
                toStateData: .repoInfo
          transition: SetOutput
      
        - name: SetOutput
          type: operation
          actions:
            - name: setOutput
              functionRef:
                refName: successResult
          end: true

    • packages/backend/.devModeTemp/repository/workflows/schemas/github-sso-test-input-schema.json

        {
         "$id": "classpath:/schemas/github-sso-test-input-schema.json",
         "title": "GitHub SSO Test",
         "$schema": "http://json-schema.org/draft-07/schema#",
         "type": "object",
         "properties": {
           "orgName": {
             "title": "Organization Name",
             "description": "The GitHub organization to verify SSO access for",
             "type": "string",
             "default": "redhat-developer"
           },
           "auth": {
             "title": "GitHub Authentication",
             "type": "string",
             "description": "Authenticate with GitHub to verify SSO",
             "ui:widget": "AuthRequester",
             "ui:props": {
               "authTokenDescriptors": [
                 {
                   "provider": "github",
                   "scope": "repo read:org",
                   "tokenType": "oauth"
                 }
               ]
             }
           },
           "ssoCheck": {
             "title": "SSO Check",
             "type": "string",
             "ui:hidden": true,
             "ui:widget": "ActiveTextInput",
             "ui:props": {
               "fetch:error:ignoreUnready": true,
               "fetch:error:silent": true,
               "fetch:headers": {
                 "Accept": "application/vnd.github.v3+json",
                 "Authorization": "Bearer $${{githubAuthApi.token}}"
               },
               "fetch:method": "GET",
               "fetch:response:value": "login",
               "fetch:url": "https://api.github.com/user"
             }
           }
         },
         "required": ["orgName"]
       }
  2. Start the application using yarn dev

  3. Set the simulate SSO variable in localStorage: localStorage.setItem('SIMULATE_SAML_SSO_ERROR', true)

  4. Execute the GitHub SSO Test workflow by visiting http://localhost:3000/orchestrator/workflows/github-sso-test/execute

NOTE: The SIMULATE_SAML_SSO_ERROR logic is only added for testing purposes; I will remove this before merging it.

✔️ Checklist

  • A changeset describing the change and affected packages.
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
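
The detection summarized in the description above, as an added TypeScript example that is not the PR's code: it reads GitHub's `X-GitHub-SSO` response header only for requests to a GitHub API host and extracts the re-authorize link from the `required; url=...` form, and it goes slightly beyond the description by also recognizing the header's `partial-results` form. The names `detectGithubSso`, `headerBag`, `SsoState`, the host allowlist, and the check that the link points at `https://github.com/` are assumptions of this example.

```typescript
// Added example, not the PR's code; every name below is hypothetical.
interface HeaderBag { get(name: string): string | null }

type SsoState =
  | { kind: 'none' }
  | { kind: 'required'; reauthorizeUrl: string | null }
  | { kind: 'partial'; organizations: string[] };

// Assumption: only the public GitHub API host counts as GitHub; add GHES hosts as needed.
const GITHUB_API_HOSTS = ['api.github.com'];

// Host of an https URL, or '' so that anything unexpected fails closed.
function hostOf(requestUrl: string): string {
  const m = /^https:\/\/([^\/?#:]+)/i.exec(requestUrl);
  return (m?.[1] ?? '').toLowerCase();
}

// Case-insensitive lookup over a plain object (fetch's Headers also satisfies HeaderBag).
function headerBag(h: Record<string, string>): HeaderBag {
  return {
    get(name) {
      for (const k of Object.keys(h)) {
        if (k.toLowerCase() === name.toLowerCase()) return h[k] ?? null;
      }
      return null;
    },
  };
}

function detectGithubSso(requestUrl: string, status: number, headers: HeaderBag): SsoState {
  // GitHub-specific: a look-alike header from any other host is ignored.
  if (GITHUB_API_HOSTS.indexOf(hostOf(requestUrl)) === -1) return { kind: 'none' };
  const header = (headers.get('x-github-sso') ?? '').trim();

  // "required; url=<link>" accompanies a 403 when the token lacks SAML SSO authorization.
  const required = /^required(?:\s*;\s*url=(\S+))?$/i.exec(header);
  if (required && status === 403) {
    const url = required[1] ?? '';
    // Surface the link only if it is https on github.com; otherwise prompt without one.
    const trusted = /^https:\/\/github\.com\/\S*$/i.test(url);
    return { kind: 'required', reauthorizeUrl: trusted ? url : null };
  }

  // "partial-results; organizations=1,2" marks a success response with SSO-filtered data.
  const partial = /^partial-results\s*;\s*organizations=([\d,\s]+)$/i.exec(header);
  if (partial) return { kind: 'partial', organizations: (partial[1] ?? '').split(',').map(s => s.trim()).filter(Boolean) };
  return { kind: 'none' };
}
```

Treating the header value as untrusted input keeps the dialog from linking anywhere other than GitHub if a proxy or a misrouted request supplies the header.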

rhdh-gh-app Bot commented May 29, 2026

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-api | workspaces/orchestrator/plugins/orchestrator-form-api | patch | v2.7.3 |
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-react | workspaces/orchestrator/plugins/orchestrator-form-react | patch | v2.8.4 |
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-widgets | workspaces/orchestrator/plugins/orchestrator-form-widgets | patch | v1.10.7 |
| @red-hat-developer-hub/backstage-plugin-orchestrator | workspaces/orchestrator/plugins/orchestrator | patch | v5.7.12 |

karthikjeeyar force-pushed the orchestrator/saml-sso-error branch 3 times, most recently from 6c068e2 to 1428c7e, May 29, 2026 14:20
Comment thread workspaces/orchestrator/plugins/orchestrator-form-widgets/src/utils/useFetch.ts Outdated
codecov Bot commented May 29, 2026

Codecov Report

❌ Patch coverage is 23.63636% with 42 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.33%. Comparing base (f5a6948) to head (12962bd).
⚠️ Report is 8 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3253      +/-   ##
==========================================
+ Coverage   53.29%   53.33%   +0.04%     
==========================================
  Files        2407     2408       +1     
  Lines       86420    86514      +94     
  Branches    23957    23978      +21     
==========================================
+ Hits        46056    46142      +86     
- Misses      38887    38895       +8     
  Partials     1477     1477              
Flag Coverage Δ *Carryforward flag
adoption-insights 83.58% <ø> (ø) Carriedforward from f5a6948
ai-integrations 70.03% <ø> (ø) Carriedforward from f5a6948
app-defaults 69.60% <ø> (ø) Carriedforward from f5a6948
augment 46.39% <ø> (ø) Carriedforward from f5a6948
bulk-import 72.86% <ø> (ø) Carriedforward from f5a6948
cost-management 16.49% <ø> (ø) Carriedforward from f5a6948
dcm 32.85% <ø> (ø) Carriedforward from f5a6948
extensions 61.79% <ø> (ø) Carriedforward from f5a6948
global-floating-action-button 74.30% <ø> (ø) Carriedforward from f5a6948
global-header 61.63% <ø> (ø) Carriedforward from f5a6948
homepage 51.52% <ø> (ø) Carriedforward from f5a6948
konflux 91.01% <ø> (ø) Carriedforward from f5a6948
lightspeed 68.33% <ø> (ø) Carriedforward from f5a6948
mcp-integrations 85.46% <ø> (ø) Carriedforward from f5a6948
orchestrator 37.34% <23.63%> (+0.83%) ⬆️
quickstart 62.88% <ø> (ø) Carriedforward from f5a6948
sandbox 79.42% <ø> (ø) Carriedforward from f5a6948
scorecard 83.84% <ø> (ø) Carriedforward from f5a6948
theme 64.54% <ø> (ø) Carriedforward from f5a6948
translations 8.49% <ø> (ø) Carriedforward from f5a6948
x2a 78.79% <ø> (ø) Carriedforward from f5a6948

*This pull request uses carry forward flags.


Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
@lokanandaprabhu lokanandaprabhu left a comment

@karthikjeeyar, working as expected. I will approve when the local testing piece is removed from the PR.

[image]

karthikjeeyar force-pushed the orchestrator/saml-sso-error branch from 85ca52a to 12962bd, June 2, 2026 09:03
sonarqubecloud Bot commented Jun 2, 2026

@lokanandaprabhu lokanandaprabhu left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jun 2, 2026
@lokanandaprabhu lokanandaprabhu merged commit 611bd81 into redhat-developer:main Jun 2, 2026
74 checks passed
karthikjeeyar added a commit that referenced this pull request Jun 2, 2026
…3264, #3253) (#3270)

* fix(orchestrator-form): evaluate conditional ui:hidden with scoped form data

Evaluate sibling when paths against the current object/step form data so
conditionally hidden fields show and hide correctly in wizards. Fix the
review step toggle by iterating schema properties when including hidden
fields and applying the same scoped condition evaluation.

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(orchestrator): add changeset for scoped conditional ui:hidden fix

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(orchestrator): clarify changeset for conditional hidden fields fix

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(orchestrator): restore status and date filters on workflow runs

Filtering workflow runs by status or date failed after query variables were introduced. Use the correct filter types so results load instead of showing an error.

Co-authored-by: Cursor <cursoragent@cursor.com>

* feat(orchestrator-form): hide wizard steps for conditional ui:hidden

Evaluate conditional ui:hidden when filtering wizard steps using scoped
form data and root fallbacks, align validation with visible steps, and add
isNotEmptyList/notContains operators with unit tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(orchestrator-form): update API reports for HiddenCondition operators

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(orchestrator): revert unrelated report-alpha.api.md ordering change

Co-authored-by: Cursor <cursoragent@cursor.com>

* Update workspaces/orchestrator/.changeset/conditional-step-hiding-operators.md

Co-authored-by: Karthik Jeeyar <karthik@redhat.com>

* detect GitHub SAML SSO session expiry and prompt users to re-authorize

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Karthik Jeeyar <karthik@redhat.com>
Co-authored-by: Karthik <karthik.jk11@gmail.com>