fix(orchestrator): detect GitHub SAML SSO session expiry and prompt users to re-authorize #3253

Open
karthikjeeyar wants to merge 3 commits into redhat-developer:main from karthikjeeyar:orchestrator/saml-sso-error

@karthikjeeyar

Hey, I just made a Pull Request!

Fixes: https://redhat.atlassian.net/browse/RHDHBUGS-3216

Changes included in this PR:

  • Detects GitHub SAML SSO session expiry and shows a re-authorization dialog
  • Extracts the re-authorize URL from the x-github-sso response header when available
  • Detection is GitHub-specific to avoid false positives with other identity providers
  • All user-facing strings are translated (de, es, fr, it, ja)

Screenshots:

image

How to Test:

  1. Create these workflow and schema files:

    • packages/backend/.devModeTemp/repository/workflows/github-sso-test.sw.yaml

      id: github-sso-test
      version: "1.0"
      specVersion: "0.8"
      name: "GitHub SSO Test"
      description: "Simple workflow to test GitHub SAML SSO authentication. Authenticates via OAuth, checks SSO session validity, and fetches repository info for the given org."
      dataInputSchema: schemas/github-sso-test-input-schema.json
      extensions:
        - extensionid: workflow-output-schema
          outputSchema: schemas/workflow-output-schema.json
      functions:
        - name: sysLog
          type: custom
          operation: sysout:INFO
        - name: getRepository
          operation: specs/github.yaml#getRepository
        - name: successResult
          type: expression
          operation: '{
              "result": {
                "message": "GitHub SSO check passed. Authenticated successfully.",
                "outputs": [
                    {
                      "key": "Organization",
                      "value": .orgName,
                      "format": "text"
                    },
                    {
                      "key": "Repository",
                      "value": .repoInfo.html_url,
                      "format": "link"
                    },
                    {
                      "key": "SSO Status",
                      "value": "Active",
                      "format": "text"
                    }
                  ]
              }
            }'
      start: "VerifyAccess"
      states:
        - name: VerifyAccess
          type: operation
          actions:
            - name: logStart
              functionRef:
                refName: sysLog
                arguments:
                  message: ${ "Verifying GitHub SSO access for org " + .orgName }
            - name: getRepo
              functionRef:
                refName: getRepository
                arguments:
                  owner: .orgName
                  repo: "rhdh"
              actionDataFilter:
                toStateData: .repoInfo
          transition: SetOutput
      
        - name: SetOutput
          type: operation
          actions:
            - name: setOutput
              functionRef:
                refName: successResult
          end: true
    • packages/backend/.devModeTemp/repository/workflows/schemas/github-sso-test-input-schema.json

      {
        "$id": "classpath:/schemas/github-sso-test-input-schema.json",
        "title": "GitHub SSO Test",
        "$schema": "http://json-schema.org/draft-07/schema#",
        "type": "object",
        "properties": {
          "orgName": {
            "title": "Organization Name",
            "description": "The GitHub organization to verify SSO access for",
            "type": "string",
            "default": "redhat-developer"
          },
          "auth": {
            "title": "GitHub Authentication",
            "type": "string",
            "description": "Authenticate with GitHub to verify SSO",
            "ui:widget": "AuthRequester",
            "ui:props": {
              "authTokenDescriptors": [
                {
                  "provider": "github",
                  "scope": "repo read:org",
                  "tokenType": "oauth"
                }
              ]
            }
          },
          "ssoCheck": {
            "title": "SSO Check",
            "type": "string",
            "ui:hidden": true,
            "ui:widget": "ActiveTextInput",
            "ui:props": {
              "fetch:error:ignoreUnready": true,
              "fetch:error:silent": true,
              "fetch:headers": {
                "Accept": "application/vnd.github.v3+json",
                "Authorization": "Bearer $${{githubAuthApi.token}}"
              },
              "fetch:method": "GET",
              "fetch:response:value": "login",
              "fetch:url": "https://api.github.com/user"
            }
          }
        },
        "required": ["orgName"]
      }

  2. Start the application using yarn dev

  3. Set the simulate SSO variable in localStorage: localStorage.setItem('SIMULATE_SAML_SSO_ERROR', true)

  4. Execute the GitHub SSO Test workflow by visiting http://localhost:3000/orchestrator/workflows/github-sso-test/execute

NOTE: The SIMULATE_SAML_SSO_ERROR logic is only added for testing purposes; I will remove it before merging.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
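
The header handling summarized in the PR description, sketched as an added example in plain JavaScript; it is not code from this pull request. The function names, the github.com host allow-list and the requirement that the request went to api.github.com are assumptions, and the header shapes in the comments use placeholders.

```javascript
// Added example; the names below are hypothetical and not taken from the PR.
// Header shapes GitHub documents for SAML-protected resources:
//   X-GitHub-SSO: required; url=https://github.com/orgs/<org>/sso?authorization_request=<id>
//   X-GitHub-SSO: partial-results; organizations=<id>,<id>
const API_HOST = 'api.github.com'; // assumption: github.com, not GitHub Enterprise Server
const SSO_HOST = 'github.com';

// Accept the re-authorize link only if it is an https URL on github.com
// with no userinfo part, so the dialog never links to another origin.
function safeReauthorizeUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null;
  }
  const ok =
    url.protocol === 'https:' &&
    url.hostname === SSO_HOST &&
    url.username === '' &&
    url.password === '';
  return ok ? url.href : null;
}

// Split on the first ';' only, so a ';' inside the URL cannot truncate it.
function parseGitHubSsoHeader(value) {
  if (typeof value !== 'string') return null;
  const sep = value.indexOf(';');
  const kind = (sep === -1 ? value : value.slice(0, sep)).trim().toLowerCase();
  const rest = sep === -1 ? '' : value.slice(sep + 1).trim();
  if (kind === 'required' && rest.toLowerCase().startsWith('url=')) {
    return { kind, url: safeReauthorizeUrl(rest.slice(4).trim()), organizations: [] };
  }
  if (kind === 'partial-results' && rest.toLowerCase().startsWith('organizations=')) {
    const ids = rest.slice('organizations='.length).split(',').map(s => s.trim()).filter(Boolean);
    return { kind, url: null, organizations: ids };
  }
  return kind ? { kind, url: null, organizations: [] } : null;
}

// Report expiry only when the API host, the 403 status and the header agree.
function detectSamlSsoExpiry({ requestUrl, status, headers }) {
  let host = '';
  try { host = new URL(requestUrl).hostname; } catch { /* not a URL */ }
  const raw = typeof headers.get === 'function' ? headers.get('x-github-sso') : headers['x-github-sso'];
  const sso = parseGitHubSsoHeader(raw);
  const expired = host === API_HOST && status === 403 && sso !== null && sso.kind === 'required';
  return { expired, reauthorizeUrl: expired ? sso.url : null };
}
```

A `null` `reauthorizeUrl` with `expired: true` means the session needs re-authorization but the header carried no link that passed validation, so the dialog should fall back to generic instructions.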

rhdh-gh-app Bot commented May 29, 2026

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-api | workspaces/orchestrator/plugins/orchestrator-form-api | patch | v2.7.3 |
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-react | workspaces/orchestrator/plugins/orchestrator-form-react | patch | v2.8.4 |
| @red-hat-developer-hub/backstage-plugin-orchestrator-form-widgets | workspaces/orchestrator/plugins/orchestrator-form-widgets | patch | v1.10.7 |
| @red-hat-developer-hub/backstage-plugin-orchestrator | workspaces/orchestrator/plugins/orchestrator | patch | v5.7.12 |

@karthikjeeyar karthikjeeyar force-pushed the orchestrator/saml-sso-error branch 2 times, most recently from 3b658c2 to 6c068e2 Compare May 29, 2026 14:19
@karthikjeeyar karthikjeeyar force-pushed the orchestrator/saml-sso-error branch from 6c068e2 to 1428c7e Compare May 29, 2026 14:20
Comment on lines +177 to +184
// TODO: This will be removed before merging, it's only here to simulate GitHub SAML SSO errors during developmen and testing.
if (localStorage.getItem('SIMULATE_SAML_SSO_ERROR') === 'true') {
const samlError = new Error(
'GitHub SAML SSO session expired. Re-authorize at: https://github.com/orgs/test-org/sso',
);
onSamlSsoError?.(samlError);
return;
}
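
Review bot: The `localStorage.getItem('SIMULATE_SAML_SSO_ERROR') === 'true'` check at the top of this block is held back only by a TODO, so if it merges as-is anything able to write that localStorage key on the origin can force the SAML dialog and, through the early `return`, skip the code that follows. Rather than relying on someone remembering to delete it, move the simulation into a unit test that calls `onSamlSsoError` with a constructed error, or gate the branch on a development-only build flag. The hard-coded `https://github.com/orgs/test-org/sso` link also travels inside the error message text; if the dialog takes its link from there, pass the URL as a separate field and check that it is an https github.com URL before rendering it. Minor: "developmen" in the comment should be "development".
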
Member Author

Added this block so reviewers can simulate this SSO error by setting localStorage.setItem('SIMULATE_SAML_SSO_ERROR', true) in the browser console.

This will be removed before merging.

Signed-off-by: Karthik <karthik.jk11@gmail.com>
Signed-off-by: Karthik <karthik.jk11@gmail.com>

codecov Bot commented May 29, 2026

Codecov Report

❌ Patch coverage is 22.03390% with 46 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.27%. Comparing base (f5a6948) to head (85ca52a).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3253      +/-   ##
==========================================
- Coverage   53.29%   53.27%   -0.02%     
==========================================
  Files        2407     2408       +1     
  Lines       86420    86473      +53     
  Branches    23957    23972      +15     
==========================================
+ Hits        46056    46070      +14     
- Misses      38887    38929      +42     
+ Partials     1477     1474       -3     
| Flag | Coverage Δ | *Carryforward flag |
|---|---|---|
| adoption-insights | 83.58% <ø> (ø) | Carriedforward from f5a6948 |
| ai-integrations | 70.03% <ø> (ø) | Carriedforward from f5a6948 |
| app-defaults | 69.60% <ø> (ø) | Carriedforward from f5a6948 |
| augment | 46.39% <ø> (ø) | Carriedforward from f5a6948 |
| bulk-import | 72.86% <ø> (ø) | Carriedforward from f5a6948 |
| cost-management | 16.49% <ø> (ø) | Carriedforward from f5a6948 |
| dcm | 32.85% <ø> (ø) | Carriedforward from f5a6948 |
| extensions | 61.79% <ø> (ø) | Carriedforward from f5a6948 |
| global-floating-action-button | 74.30% <ø> (ø) | Carriedforward from f5a6948 |
| global-header | 61.63% <ø> (ø) | Carriedforward from f5a6948 |
| homepage | 51.52% <ø> (ø) | Carriedforward from f5a6948 |
| konflux | 91.01% <ø> (ø) | Carriedforward from f5a6948 |
| lightspeed | 68.33% <ø> (ø) | Carriedforward from f5a6948 |
| mcp-integrations | 85.46% <ø> (ø) | Carriedforward from f5a6948 |
| orchestrator | 36.42% <22.03%> (-0.09%) ⬇️ | |
| quickstart | 62.88% <ø> (ø) | Carriedforward from f5a6948 |
| sandbox | 79.42% <ø> (ø) | Carriedforward from f5a6948 |
| scorecard | 83.84% <ø> (ø) | Carriedforward from f5a6948 |
| theme | 64.54% <ø> (ø) | Carriedforward from f5a6948 |
| translations | 8.49% <ø> (ø) | Carriedforward from f5a6948 |
| x2a | 78.79% <ø> (ø) | Carriedforward from f5a6948 |

*This pull request uses carry forward flags.

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data