chore(auth): Update GitHub and GitLab auth to use secure sign-in resolvers

JessicaJHee · JessicaJHee · commit d8536f74debb · 2026-03-09T13:42:38.000-04:00
Signed-off-by: Jessica He &lt;jhe@redhat.com&gt;
diff --git a/.ci/pipelines/value_files/values_showcase-auth-providers.yaml b/.ci/pipelines/value_files/values_showcase-auth-providers.yaml
@@ -7,7 +7,7 @@ global:
         disabled: true
       - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org-dynamic
         disabled: true
-      - package: oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.1.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer
+      - package: oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.2.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer
         disabled: true
       - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic
         disabled: true
diff --git a/e2e-tests/playwright/e2e/auth-providers/github.spec.ts b/e2e-tests/playwright/e2e/auth-providers/github.spec.ts
@@ -8,7 +8,8 @@ let context: BrowserContext;
 
 /* SUPORTED RESOLVERS
 GITHUB:
-    [x] usernameMatchingUserEntityName -> (Default)
+    [x] userIdMatchingUserEntityAnnotation -> (Default >=1.10.x)
+    [x] usernameMatchingUserEntityName -> (Default <=1.9.x)
     [x] emailMatchingUserEntityProfileEmail
     [x] emailLocalPartMatchingUserEntityName
 */
@@ -146,6 +147,30 @@ test.describe("Configure Github Provider", async () => {
     await context.clearCookies();
   });
 
+  test("Login with Github usernameMatchingUserEntityName resolver", async () => {
+    //A github sign-in resolver that looks up the user using their github username as the entity name.
+    await deployment.setGithubResolver("usernameMatchingUserEntityName", false);
+    await deployment.updateAllConfigs();
+    await deployment.restartLocalDeployment();
+    await page.waitForTimeout(3000);
+    await deployment.waitForDeploymentReady();
+
+    // wait for rhdh first sync and portal to be reachable
+    await deployment.waitForSynced();
+
+    const login = await common.githubLogin(
+      "rhdhqeauth1",
+      process.env.AUTH_PROVIDERS_GH_USER_PASSWORD,
+      process.env.AUTH_PROVIDERS_GH_USER_2FA,
+    );
+    expect(login).toBe("Login successful");
+
+    await uiHelper.verifyAlertErrorMessage(
+      NO_USER_FOUND_IN_CATALOG_ERROR_MESSAGE,
+    );
+    await context.clearCookies();
+  });
+
   test("Login with Github emailMatchingUserEntityProfileEmail resolver", async () => {
     //A common sign-in resolver that looks up the user using the local part of their email address as the entity name.
     await deployment.setGithubResolver(
diff --git a/e2e-tests/playwright/e2e/auth-providers/gitlab.spec.ts b/e2e-tests/playwright/e2e/auth-providers/gitlab.spec.ts
@@ -6,6 +6,14 @@ import { GitLabHelper } from "../../utils/authentication-providers/gitlab-helper
 let page: Page;
 let context: BrowserContext;
 
+/* SUPORTED RESOLVERS
+GITLAB:
+    [x] userIdMatchingUserEntityAnnotation -> (Default >=1.10.x)
+    [x] usernameMatchingUserEntityName -> (Default <=1.9.x)
+    [x] emailMatchingUserEntityProfileEmail
+    [x] emailLocalPartMatchingUserEntityName
+*/
+
 test.describe("Configure GitLab Provider", async () => {
   let common: Common;
   let uiHelper: UIhelper;
diff --git a/e2e-tests/playwright/utils/authentication-providers/rhdh-deployment.ts b/e2e-tests/playwright/utils/authentication-providers/rhdh-deployment.ts
@@ -1236,7 +1236,7 @@ class RHDHDeployment {
     // Use local path for local development, OCI path for CI/CD
     const transformerPluginPath = this.isRunningLocal
       ? "./dynamic-plugins/dist/@internal/backstage-plugin-catalog-backend-module-github-org-transformer-dynamic"
-      : "oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.1.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer";
+      : "oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.2.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer";
 
     this.setDynamicPluginEnabled(transformerPluginPath, true);
 
diff --git a/e2e-tests/playwright/utils/authentication-providers/yamls/dynamic-plugins-config.yaml b/e2e-tests/playwright/utils/authentication-providers/yamls/dynamic-plugins-config.yaml
@@ -5,7 +5,7 @@ plugins:
     disabled: true
   - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org-dynamic
     disabled: true
-  - package: oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.1.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer
+  - package: oci://quay.io/rh-ee-jhe/catalog-github-org-transformer:v0.2.0!internal-backstage-plugin-catalog-backend-module-github-org-transformer
     disabled: true
   - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic
     disabled: true
diff --git a/packages/backend/src/modules/authProvidersModule.ts b/packages/backend/src/modules/authProvidersModule.ts
@@ -155,7 +155,7 @@ function getAuthProviderFactory(
         authenticator: githubAuthenticator,
         ...applySignInResolvers({
           signInResolver:
-            githubSignInResolvers.usernameMatchingUserEntityName(),
+            githubSignInResolvers.userIdMatchingUserEntityAnnotation(),
           signInResolverFactories: {
             ...githubSignInResolvers,
             ...commonSignInResolvers,
@@ -167,7 +167,7 @@ function getAuthProviderFactory(
         authenticator: gitlabAuthenticator,
         ...applySignInResolvers({
           signInResolver:
-            gitlabSignInResolvers.usernameMatchingUserEntityName(),
+            gitlabSignInResolvers.userIdMatchingUserEntityAnnotation(),
           signInResolverFactories: {
             ...gitlabSignInResolvers,
             ...commonSignInResolvers,
