// Use shorter list in https://issues.redhat.com/browse/RHIDP-2790 .Backend System deprecations and removals As part of the work towards a stable 1.0 release of the new backend system, there are several new deprecations and breaking changes in the backend system packages: .Removed features * The deprecated `token` option has been removed from `PermissionsService`, and the request options are now required and must contain a `credentials` object. * The deprecated `getPath` option has been removed from `httpRouterServiceFactory`, the plugin paths are now always `/api/<pluginId>`. * It is no longer possible to pass service factory callbacks to the `defaultServiceFactories` option of `createSpecializedBackend`. .Deprecated features * The ability to define options for service factories through `createServiceFactory` has been deprecated. See the service architecture documentation for more information on how to define customizable services. * The ability to install backend features in callback form, i.e. `() => BackendFeature`, has been deprecated. This also includes other usages such as `startTestBackend`, and dynamically imported backend features. No manual changes should be needed for this change, as all backend feature creators have been updated to return `BackendFeature` instances directly. * The `ServiceFactoryTest.get` method has been renamed to `ServiceFactoryTest.getSubject`, and is now deprecated. * The following types have been renamed to use an `*Options` suffix instead: `ServiceRefConfig`, `RootServiceFactoryConfig`, `PluginServiceFactoryConfig`. * Deprecated all exports related to the legacy status checker in `@backstage/backend-common`. * The `isDockerDisabledForTests` function exported by `@backstage/backend-test-utils` has been deprecated. .Catalog LDAP Module improvements The `@backstage/plugin-catalog-backend-module-ldap` module has been improved to support multiple or no declarations of both user and group configs. This change is breaking for `readLdapOrg` and `LdapProviderConfig`, which now both always accept arrays of users and groups configurations. .Github integration breaking changes Removed deprecated code from when casing was changed from `GitHub` to `Github` nearly two years ago. The following items have been removed: * `getGitHubFileFetchUrl` (use `getGithubFileFetchUrl` instead) * `GitHubIntegrationConfig` (use `GithubIntegrationConfig` instead) * `GitHubIntegration` (use `GithubIntegration` instead) * `readGitHubIntegrationConfig` (use `readGithubIntegrationConfig` instead) * `readGitHubIntegrationConfigs` (use `readGithubIntegrationConfigs` instead) * `replaceGitHubUrlType` (use `replaceGithubUrlType` instead) .OAuth Scope Updates The way that OAuth-based auth providers handle scopes has received several updates. There is now a new `.additionalScopes` configuration for all OAuth providers, which can be used to request additional scopes for all sessions. Many providers already had a similar configuration, but in most cases this did not work correctly as scopes requested by the client would override the configured set. Many providers now also have a set of required scopes that will always be present. This is in contrast to the previous solution where the client would be responsible for including a set of baseline scopes. A bug has also been fixed in the handling of persistent scopes, which could break session refresh for some providers, such as GitHub. .User Info service Limited-access user tokens (as used in cookies) no longer contain the ent ownership claim. This is notably used by TechDocs and the app-backend. If you use those services, you may want to log out and in again. Background: As part of the previous auth improvements, we added the coreServices.userInfo service. This service can extract user details from incoming credentials - notably the so-called ent claim with its ownership information. In this release, the auth backend part of this has been implemented, such that the information returned by your sign-in resolver gets persisted and can be acquired after the fact. With this in place, we could finally start slimming down on token sizes, starting with the cookie tokens. Unfortunately this has to be done in such a way that it’s breaking in the short term. .Removed some database helper functions The helper functions `createDatabaseClient` and `ensureDatabaseExists` have been removed from the public interface, since they have no usage within the repository and never were suitable for calling from the outside. Switch to using `coreServices.database` or `DatabaseManager` instead. .Deprecated the backend system utilities Utilities in the backend system (@backstage/backend-common) are being deprecated with the intent to remove the package entirely in a future release .Removed the requirement to configure a secret for backend authentication The requirement to configure a secret for backend authentication in production has been removed. It is now only needed if you rely on the legacy authentication mechanism ( https://backstage.io/docs/auth/service-to-service-auth#external-callers-legacy ). If you do not configure any secrets you will also not be able to generate tokens with the TokenManager service, although use of this service is discouraged as the AuthService has replaced it. .Added a user authentication extension point The authentication backend plugin now provides an authOwnershipResolutionExtensionPoint that lets you override the default ownership resolution used by sign-in resolvers. This allows you to customize this logic for all sign-in resolvers without replacing them.