Sign-In Providers
Overview how dynamic authentication provider selection works in Backstage on our platform, and how users can configure available login options.
High-Level Overview
Backstage supports multiple authentication providers such as GitHub, GitLab, and OIDC (Keycloak). In kubriX we provide:
- OIDC / Keycloak is always enabled as the base identity provider.
- Additional providers (GitHub, GitLab) can be enabled or disabled dynamically through configuration.
The platform reads the configured providers at runtime and only shows those on the Backstage login screen.
Configuration can be fully controlled by the user via *app-config.yaml in the Backstage Helm chart.
Configuring Sign-In Providers
To configure which login buttons appear in the Backstage sign-in page, use the following section in your app-config.yaml:
Example
appConfig:
kubrix:
auth:
allowedProviders:
- github
# and/or
- gitlab
Supported values:
githubgitlab
OIDC / Keycloak is always active.
Backend Requirements
For each provider you enable in allowedProviders, the Backstage backend must have a matching authentication configuration:
- GitHub: requires
auth.providers.github - GitLab: requires
auth.providers.gitlab - OIDC / Keycloak: already configured on the platform
If a provider is enabled in allowedProviders but not configured in the backend, the login button appears but authentication will fail.
Known Behaviour
- OIDC provider is always present and cannot be disabled.
- If no providers are configured, only OIDC will be shown, and backstage logs:
No kubrix.auth.allowedProviders configured. Only OIDC will be shown.
- Unsupported provider values are ignored but logged in the browser console:
Unknown sign-in providers in kubrix.auth.allowedProviders: bitbucket.
Supported: github, gitlab
- If the configuration block is missing, Backstage falls back to OIDC only.
- The feature is modular and ready for extension (e.g. Azure AD, Google Auth) in future versions.