From ed11560004c1cd26e43504a35dfd026db41d1340 Mon Sep 17 00:00:00 2001 From: Jordan Kueh Date: Fri, 25 Jul 2025 12:00:29 +1000 Subject: [PATCH 1/2] doc: Add section on authorization on the Backstage Backend API --- docs/getting-started/backstage.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/getting-started/backstage.md b/docs/getting-started/backstage.md index 6248131..96a02dc 100644 --- a/docs/getting-started/backstage.md +++ b/docs/getting-started/backstage.md @@ -156,6 +156,21 @@ backend.add(import('@pagerduty/backstage-plugin-backend')); ``` +## Configure Backstage Backend API Authorization + +By default, this plugin will allow any unauthenticated user to make calls using your PagerDuty API token. + +You should consider carefully if this is appropriate in your production environment. + +To disable this behaviour, you can set `pagerDuty.disableUnauthenticatedAccess` to true. + +Example `app-config.yaml` excerpt: + +```yaml +pagerduty: + disableUnauthenticatedAccess: true +``` + ## Configure API Authorization The PagerDuty plugin requires access to PagerDuty APIs and so we need to configure our Backstage app with the necessary credentials to reach the APIs. This step requires you to use an access token - for OAuth - or an API token. From 022b6a6467945d6c81cbcda57d29eda102a0f7f5 Mon Sep 17 00:00:00 2001 From: Jordan Kueh Date: Wed, 5 Nov 2025 16:15:29 +1030 Subject: [PATCH 2/2] Updating documentation to reflect this option now being an opt-in --- docs/getting-started/backstage.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/getting-started/backstage.md b/docs/getting-started/backstage.md index 96a02dc..a783434 100644 --- a/docs/getting-started/backstage.md +++ b/docs/getting-started/backstage.md 
@@ -156,19 +156,22 @@ backend.add(import('@pagerduty/backstage-plugin-backend')); ``` -## Configure Backstage Backend API Authorization +## Disable Backstage Backend API Authorization -By default, this plugin will allow any unauthenticated user to make calls using your PagerDuty API token. +This option is available as a way to maintain backwards compatibility, and should not be used in situations where your +Backstage instance is accessible from outside of a trusted network - Or ideally, at all. -You should consider carefully if this is appropriate in your production environment. +Access to a Backstage plugin's routes is restricted by use of a Bearer authorization token, which is typically issued +after successfully signing in to Backstage. -To disable this behaviour, you can set `pagerDuty.disableUnauthenticatedAccess` to true. +Previous versions of this plugin had this behaviour disabled. Restoring this previous behaviour is now opt-in, and can +be achieved by setting `pagerduty.enableUnauthenticatedAccess` to `true`. Example `app-config.yaml` excerpt: ```yaml pagerduty: - disableUnauthenticatedAccess: true + enableUnauthenticatedAccess: true ``` ## Configure API Authorization
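Review bot: In the first patch's hunk (`@@ -156,6 +156,21 @@`), the option name in the prose and the YAML excerpt disagree: the sentence tells the reader to set `pagerDuty.disableUnauthenticatedAccess` (camel-case `pagerDuty`), while the `app-config.yaml` example uses the top-level key `pagerduty:`. Backstage config keys are case-sensitive, so someone who copies the dotted path from the sentence ends up setting a key the plugin never reads and keeps the unauthenticated default without noticing. Use one spelling in both places; since the YAML block is what gets pasted into config, change the sentence to `pagerduty.disableUnauthenticatedAccess`. The hunk would also read better if the first sentence spelled out the consequence it only implies: with the default, anyone who can reach the Backstage backend, not only signed-in users, can make PagerDuty API calls with the configured token.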
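Review bot: In the second patch's hunk (`@@ -156,19 +156,22 @@`), the sentence "Previous versions of this plugin had this behaviour disabled." is ambiguous about which behaviour: the preceding paragraph describes the Bearer-token restriction, so it presumably means the restriction was not enforced, but under a heading that reads "Disable Backstage Backend API Authorization" and next to an option named `enableUnauthenticatedAccess`, a reader can take "this behaviour" to mean unauthenticated access was disabled, which is the opposite. Suggest stating it directly, e.g. "Previous versions of this plugin did not enforce this check and accepted unauthenticated requests. Accepting them is now opt-in, and can be enabled by setting `pagerduty.enableUnauthenticatedAccess` to `true`." Since this hunk documents a default flip (requests without a Backstage token are now rejected unless the new key is set), the section should also say in which release the default changed so operators upgrading know to expect rejected requests, and whether the removed `disableUnauthenticatedAccess` key is still read or is now ignored, so a config that still sets it does not give a false picture of the effective setting. Minor: "trusted network - Or ideally, at all." should use a lowercase "or" after the dash.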