
💬 RFC: Make the usage of OAuth Access Token more stable/predictable #24815

Open
2 tasks done
acierto opened this issue May 17, 2024 · 2 comments
Labels: auth, rfc (Request For Comment(s))

Comments


acierto commented May 17, 2024

🔖 Need

Current issue:

If you open Backstage in 2 different tabs and perform ScmAuthApi.getCredentials in each tab, the token on tab 1 will be revoked. The problem is that the session lives only in memory and the session manager doesn't reuse it.

It's not unusual for users to open Backstage in multiple tabs or in different browsers, in order to perform different scenarios in each browser session.

🎉 Proposal

The proposal is to store the OAuth session in the database, for example in the backstage_plugin_auth database in a new table oauth_session or something like this.

〽️ Alternatives

No response

❌ Risks

Such tokens are short-lived, e.g. a GitLab token can be valid for a maximum of 2 hours.

👀 Have you spent some time to check if this RFC has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

acierto added the rfc (Request For Comment(s)) and auth labels May 17, 2024
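As an added illustration of the behaviour described in this issue (not Backstage's own code): a toy provider that invalidates a user's previous access token whenever a new one is issued, a per-tab in-memory session manager that loses tab 1's token, and a store shared across tabs, as the proposed database table would be, that reuses an unexpired token. The provider's revoke-on-issue rule, the user name and the timings are assumptions made for the example.

```typescript
// Added illustration, not Backstage's code. Assumption: the provider accepts only the
// most recently issued token per user, so minting a second one revokes the first.
type Token = { value: string; expiresAt: number };
class ToyProvider {
  private counter = 0;
  private live = new Map<string, string>(); // user -> the only token currently accepted
  issue(user: string, now: number, ttlMs: number): Token {
    const value = `tok-${++this.counter}`;
    this.live.set(user, value); // revokes whatever token this user held before
    return { value, expiresAt: now + ttlMs };
  }
  isValid(user: string, token: string): boolean {
    return this.live.get(user) === token;
  }
}
// One instance per browser tab, nothing shared: each tab mints its own token.
class InMemorySessionManager {
  private session?: Token;
  constructor(private provider: ToyProvider, private ttlMs: number) {}
  getCredentials(user: string, now: number): Token {
    if (!this.session || this.session.expiresAt <= now) {
      this.session = this.provider.issue(user, now, this.ttlMs);
    }
    return this.session;
  }
}
// Store shared by all tabs (what a DB table gives): an unexpired token is reused.
class SharedStoreSessionManager {
  constructor(private provider: ToyProvider, private store: Map<string, Token>, private ttlMs: number) {}
  getCredentials(user: string, now: number): Token {
    const existing = this.store.get(user);
    if (existing && existing.expiresAt > now) return existing;
    const fresh = this.provider.issue(user, now, this.ttlMs); // expired: mint and replace
    this.store.set(user, fresh);
    return fresh;
  }
}
// Two tabs for the same user each call getCredentials; returns whether tab 1's token survives.
function twoTabScenario(shared: boolean, secondCallAtMs = 1000): boolean {
  const provider = new ToyProvider();
  const ttlMs = 2 * 60 * 60 * 1000; // the issue notes GitLab tokens last at most 2 hours
  const store = new Map<string, Token>();
  const newTab = () => shared ? new SharedStoreSessionManager(provider, store, ttlMs) : new InMemorySessionManager(provider, ttlMs);
  const tab1 = newTab(), tab2 = newTab();
  const first = tab1.getCredentials('alice', 0);
  tab2.getCredentials('alice', secondCallAtMs);
  return provider.isValid('alice', first.value);
}
```

With the shared store, a second call made after the 2-hour expiry still mints a new token and revokes the old one, which is the short-lived-token risk the RFC's Risks section points at.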

Rugvip commented May 17, 2024

Which provider is it that you're seeing this for? The token being revoked is something that shouldn't happen regardless of whether we have backend storage or not. Agree that that would be a good addition though 👍

There are some potential fixes for this on the way in #24743 too, I spotted some bugs for the refresh endpoint of some providers as part of that refactor.


acierto commented May 17, 2024

I see it for the GitLab provider.
I could reproduce it by opening 2 different scaffolder templates in separate tabs, where both require getting an access token.
