openchoreo · mevan-karu · May 15, 2026 · May 15, 2026
@@ -172,10 +172,15 @@ export BACKSTAGE_BASE_URL=http://localhost:3000
 export BACKEND_SECRET=your-secret-key-here
 export OPENCHOREO_API_URL=http://api.openchoreo.localhost:8080/api/v1
 export THUNDER_BASE_URL=http://thunder.openchoreo.localhost:8080
+# User sign-in client (OIDC — used by auth.providers.openchoreo-auth)
 export OPENCHOREO_AUTH_CLIENT_ID=openchoreo-backstage-client
 export OPENCHOREO_AUTH_CLIENT_SECRET=backstage-portal-secret
 export OPENCHOREO_AUTH_AUTHORIZATION_URL=http://thunder.openchoreo.localhost:8080/oauth2/authorize
 export OPENCHOREO_AUTH_TOKEN_URL=http://thunder.openchoreo.localhost:8080/oauth2/token
+# Service client (client credentials — used by background tasks such as the Catalog Provider)
+# Can be the same client as above in development, but should be a separate client in production
+export OPENCHOREO_SERVICE_CLIENT_ID=openchoreo-backstage-client
+export OPENCHOREO_SERVICE_CLIENT_SECRET=backstage-portal-secret
 export GITHUB_TOKEN=your-github-token  # Optional
 ```
 

@@ -151,12 +151,13 @@ openchoreo:
 
   # Authentication configuration
   # User-initiated requests: Token forwarded from frontend (IDP access token via x-openchoreo-token header)
-  # Background tasks (Catalog Provider): Uses client credentials below
+  # Background tasks (Catalog Provider): Uses a separate service client via client credentials below
   auth:
     # OAuth2 Client Credentials for background tasks (Catalog Entity Provider)
+    # Uses a dedicated service client — independent from the user-facing sign-in client (auth.providers.openchoreo-auth)
     # Required for the Catalog Provider to fetch organizations, projects, and components
-    clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
-    clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
+    clientId: ${OPENCHOREO_SERVICE_CLIENT_ID}
+    clientSecret: ${OPENCHOREO_SERVICE_CLIENT_SECRET}
     tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
     scope: ${OPENCHOREO_AUTH_SCOPE} # Optional: space-separated scopes (e.g. 'api://client-id/.default openid')
 

@@ -152,12 +152,13 @@ openchoreo:
 
   # Authentication configuration
   # User-initiated requests: Token forwarded from frontend (IDP access token via x-openchoreo-token header)
-  # Background tasks (Catalog Provider): Uses client credentials below
+  # Background tasks (Catalog Provider): Uses a separate service client via client credentials below
   auth:
     # OAuth2 Client Credentials for background tasks (Catalog Entity Provider)
+    # Uses a dedicated service client — independent from the user-facing sign-in client (auth.providers.openchoreo-auth)
     # Required for the Catalog Provider to fetch organizations, projects, and components
-    clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
-    clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
+    clientId: ${OPENCHOREO_SERVICE_CLIENT_ID}
+    clientSecret: ${OPENCHOREO_SERVICE_CLIENT_SECRET}
     tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
     scope: ${OPENCHOREO_AUTH_SCOPE} # Optional: space-separated scopes (e.g. 'api://client-id/.default openid')
 

@@ -25,7 +25,7 @@ import { decodeJwtUnsafe } from './jwtUtils';
  * - Extracts user profile from JWT tokens
  * - Pre-caches user capabilities at sign-in for permission checks
  *
- * Configuration:
+ * Configuration (user sign-in client — separate from the service client used by background tasks):
  * ```yaml
  * auth:
  *   providers:
@@ -38,6 +38,9 @@ import { decodeJwtUnsafe } from './jwtUtils';
  *         scope: 'openid profile email'
  * ```
  *
+ * Background tasks (Catalog Provider) use a separate service client configured under
+ * `openchoreo.auth` with `OPENCHOREO_SERVICE_CLIENT_ID` / `OPENCHOREO_SERVICE_CLIENT_SECRET`.
+ *
  * This provider checks the openchoreo.features.auth.enabled config flag.
  * When disabled (false), this provider skips registration to allow guest mode.
  */