@backstage/plugin-auth-backend-module-auth0-provider 0.3.2-next.0 → 0.4.0-next.2

package/CHANGELOG.md

@@ -1,5 +1,26 @@
 # @backstage/plugin-auth-backend-module-auth0-provider
 
+## 0.4.0-next.2
+
+### Minor Changes
+
+- 9244b70: Added federated logout support. Set `federatedLogout: true` in the Auth0 provider config to clear both the Auth0 session and any upstream IdP session on sign-out. The authenticator returns a logout URL that redirects the browser to Auth0's `/v2/logout?federated` endpoint, ensuring users must fully re-authenticate after signing out.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/errors@1.3.0-next.0
+  - @backstage/plugin-auth-node@0.7.0-next.2
+  - @backstage/backend-plugin-api@1.9.0-next.2
+
+## 0.3.2-next.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.9.0-next.1
+  - @backstage/plugin-auth-node@0.7.0-next.1
+
 ## 0.3.2-next.0
 
 ### Patch Changes

package/config.d.ts

@@ -33,6 +33,11 @@ export interface Config {
           connection?: string;
           connectionScope?: string;
           organization?: string;
+          /**
+           * Whether to perform federated logout, clearing both the Auth0
+           * session and any upstream IdP session. Defaults to false.
+           */
+          federatedLogout?: boolean;
           sessionDuration?: HumanDuration | string;
         };
       };

package/dist/authenticator.cjs.js

@@ -50,7 +50,16 @@ const auth0Authenticator = pluginAuthNode.createOAuthAuthenticator({
         }
       )
     );
-    return { helper, audience, connection, connectionScope };
+    const federated = config.getOptionalBoolean("federatedLogout") ?? false;
+    return {
+      helper,
+      audience,
+      connection,
+      connectionScope,
+      domain,
+      clientID,
+      federated
+    };
   },
   async start(input, { helper, audience, connection, connectionScope: connection_scope }) {
     return helper.start(input, {
@@ -70,6 +79,18 @@ const auth0Authenticator = pluginAuthNode.createOAuthAuthenticator({
   },
   async refresh(input, { helper }) {
     return helper.refresh(input);
+  },
+  async logout(input, { domain, clientID, federated }) {
+    const logoutUrl = new URL(`https://${domain}/v2/logout`);
+    if (federated) {
+      logoutUrl.searchParams.set("federated", "");
+    }
+    logoutUrl.searchParams.set("client_id", clientID);
+    const origin = input.req.get("origin");
+    if (origin) {
+      logoutUrl.searchParams.set("returnTo", origin);
+    }
+    return { logoutUrl: logoutUrl.toString() };
   }
 });
 

package/dist/authenticator.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n  createOAuthAuthenticator,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { Auth0Strategy } from './strategy';\n\n/** @public */\nexport const auth0Authenticator = createOAuthAuthenticator({\n  defaultProfileTransform:\n    PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n  initialize({ callbackUrl, config }) {\n    const clientID = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const domain = config.getString('domain');\n    const audience = config.getOptionalString('audience');\n    const connection = config.getOptionalString('connection');\n    const connectionScope = config.getOptionalString('connectionScope');\n    const callbackURL = config.getOptionalString('callbackUrl') ?? callbackUrl;\n    const organization = config.getOptionalString('organization');\n    // Due to passport-auth0 forcing options.state = true,\n    // passport-oauth2 requires express-session to be installed\n    // so that the 'state' parameter of the oauth2 flow can be stored.\n    // This implementation of StateStore matches the NullStore found within\n    // passport-oauth2, which is the StateStore implementation used when options.state = false,\n    // allowing us to avoid using express-session in order to integrate with auth0.\n    const store = {\n      store(_req: express.Request, cb: any) {\n        cb(null, null);\n      },\n      verify(_req: express.Request, _state: string, cb: any) {\n        cb(null, true);\n      },\n    };\n\n    const helper = PassportOAuthAuthenticatorHelper.from(\n      new Auth0Strategy(\n        {\n          clientID,\n          clientSecret,\n          callbackURL,\n          domain,\n          store,\n          organization,\n          // We need passReqToCallback set to false to get params, but there's\n          // no matching type signature for that, so instead behold this beauty\n          passReqToCallback: false as true,\n        },\n        (\n          accessToken: string,\n          refreshToken: string,\n          params: any,\n          fullProfile: PassportProfile,\n          done: PassportOAuthDoneCallback,\n        ) => {\n          done(\n            undefined,\n            {\n              fullProfile,\n              accessToken,\n              params,\n            },\n            {\n              refreshToken,\n            },\n          );\n        },\n      ),\n    );\n    return { helper, audience, connection, connectionScope };\n  },\n\n  async start(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.start(input, {\n      accessType: 'offline',\n      prompt: 'consent',\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async authenticate(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.authenticate(input, {\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async refresh(input, { helper }) {\n    return helper.refresh(input);\n  },\n});\n"],"names":["createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","Auth0Strategy"],"mappings":";;;;;AA0BO,MAAM,qBAAqBA,uCAAA,CAAyB;AAAA,EACzD,yBACEC,+CAAA,CAAiC,uBAAA;AAAA,EACnC,UAAA,CAAW,EAAE,WAAA,EAAa,MAAA,EAAO,EAAG;AAClC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,SAAA,CAAU,UAAU,CAAA;AAC5C,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,SAAA,CAAU,cAAc,CAAA;AACpD,IAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,QAAQ,CAAA;AACxC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,iBAAA,CAAkB,UAAU,CAAA;AACpD,IAAA,MAAM,UAAA,GAAa,MAAA,CAAO,iBAAA,CAAkB,YAAY,CAAA;AACxD,IAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAA,MAAM,WAAA,GAAc,MAAA,CAAO,iBAAA,CAAkB,aAAa,CAAA,IAAK,WAAA;AAC/D,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,iBAAA,CAAkB,cAAc,CAAA;AAO5D,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,KAAA,CAAM,MAAuB,EAAA,EAAS;AACpC,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf,CAAA;AAAA,MACA,MAAA,CAAO,IAAA,EAAuB,MAAA,EAAgB,EAAA,EAAS;AACrD,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf;AAAA,KACF;AAEA,IAAA,MAAM,SAASA,+CAAA,CAAiC,IAAA;AAAA,MAC9C,IAAIC,sBAAA;AAAA,QACF;AAAA,UACE,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,MAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA;AAAA;AAAA,UAGA,iBAAA,EAAmB;AAAA,SACrB;AAAA,QACA,CACE,WAAA,EACA,YAAA,EACA,MAAA,EACA,aACA,IAAA,KACG;AACH,UAAA,IAAA;AAAA,YACE,MAAA;AAAA,YACA;AAAA,cACE,WAAA;AAAA,cACA,WAAA;AAAA,cACA;AAAA,aACF;AAAA,YACA;AAAA,cACE;AAAA;AACF,WACF;AAAA,QACF;AAAA;AACF,KACF;AACA,IAAA,OAAO,EAAE,MAAA,EAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAgB;AAAA,EACzD,CAAA;AAAA,EAEA,MAAM,MACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,MAAM,KAAA,EAAO;AAAA,MACzB,UAAA,EAAY,SAAA;AAAA,MACZ,MAAA,EAAQ,SAAA;AAAA,MACR,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,aACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,aAAa,KAAA,EAAO;AAAA,MAChC,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,QAAO,EAAG;AAC/B,IAAA,OAAO,MAAA,CAAO,QAAQ,KAAK,CAAA;AAAA,EAC7B;AACF,CAAC;;;;"}
+{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n  createOAuthAuthenticator,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { Auth0Strategy } from './strategy';\n\n/** @public */\nexport const auth0Authenticator = createOAuthAuthenticator({\n  defaultProfileTransform:\n    PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n  initialize({ callbackUrl, config }) {\n    const clientID = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const domain = config.getString('domain');\n    const audience = config.getOptionalString('audience');\n    const connection = config.getOptionalString('connection');\n    const connectionScope = config.getOptionalString('connectionScope');\n    const callbackURL = config.getOptionalString('callbackUrl') ?? callbackUrl;\n    const organization = config.getOptionalString('organization');\n    // Due to passport-auth0 forcing options.state = true,\n    // passport-oauth2 requires express-session to be installed\n    // so that the 'state' parameter of the oauth2 flow can be stored.\n    // This implementation of StateStore matches the NullStore found within\n    // passport-oauth2, which is the StateStore implementation used when options.state = false,\n    // allowing us to avoid using express-session in order to integrate with auth0.\n    const store = {\n      store(_req: express.Request, cb: any) {\n        cb(null, null);\n      },\n      verify(_req: express.Request, _state: string, cb: any) {\n        cb(null, true);\n      },\n    };\n\n    const helper = PassportOAuthAuthenticatorHelper.from(\n      new Auth0Strategy(\n        {\n          clientID,\n          clientSecret,\n          callbackURL,\n          domain,\n          store,\n          organization,\n          // We need passReqToCallback set to false to get params, but there's\n          // no matching type signature for that, so instead behold this beauty\n          passReqToCallback: false as true,\n        },\n        (\n          accessToken: string,\n          refreshToken: string,\n          params: any,\n          fullProfile: PassportProfile,\n          done: PassportOAuthDoneCallback,\n        ) => {\n          done(\n            undefined,\n            {\n              fullProfile,\n              accessToken,\n              params,\n            },\n            {\n              refreshToken,\n            },\n          );\n        },\n      ),\n    );\n    const federated = config.getOptionalBoolean('federatedLogout') ?? false;\n    return {\n      helper,\n      audience,\n      connection,\n      connectionScope,\n      domain,\n      clientID,\n      federated,\n    };\n  },\n\n  async start(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.start(input, {\n      accessType: 'offline',\n      prompt: 'consent',\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async authenticate(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.authenticate(input, {\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async refresh(input, { helper }) {\n    return helper.refresh(input);\n  },\n\n  async logout(input, { domain, clientID, federated }) {\n    const logoutUrl = new URL(`https://${domain}/v2/logout`);\n    if (federated) {\n      logoutUrl.searchParams.set('federated', '');\n    }\n    logoutUrl.searchParams.set('client_id', clientID);\n    const origin = input.req.get('origin');\n    if (origin) {\n      logoutUrl.searchParams.set('returnTo', origin);\n    }\n    return { logoutUrl: logoutUrl.toString() };\n  },\n});\n"],"names":["createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","Auth0Strategy"],"mappings":";;;;;AA0BO,MAAM,qBAAqBA,uCAAA,CAAyB;AAAA,EACzD,yBACEC,+CAAA,CAAiC,uBAAA;AAAA,EACnC,UAAA,CAAW,EAAE,WAAA,EAAa,MAAA,EAAO,EAAG;AAClC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,SAAA,CAAU,UAAU,CAAA;AAC5C,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,SAAA,CAAU,cAAc,CAAA;AACpD,IAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,QAAQ,CAAA;AACxC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,iBAAA,CAAkB,UAAU,CAAA;AACpD,IAAA,MAAM,UAAA,GAAa,MAAA,CAAO,iBAAA,CAAkB,YAAY,CAAA;AACxD,IAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAA,MAAM,WAAA,GAAc,MAAA,CAAO,iBAAA,CAAkB,aAAa,CAAA,IAAK,WAAA;AAC/D,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,iBAAA,CAAkB,cAAc,CAAA;AAO5D,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,KAAA,CAAM,MAAuB,EAAA,EAAS;AACpC,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf,CAAA;AAAA,MACA,MAAA,CAAO,IAAA,EAAuB,MAAA,EAAgB,EAAA,EAAS;AACrD,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf;AAAA,KACF;AAEA,IAAA,MAAM,SAASA,+CAAA,CAAiC,IAAA;AAAA,MAC9C,IAAIC,sBAAA;AAAA,QACF;AAAA,UACE,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,MAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA;AAAA;AAAA,UAGA,iBAAA,EAAmB;AAAA,SACrB;AAAA,QACA,CACE,WAAA,EACA,YAAA,EACA,MAAA,EACA,aACA,IAAA,KACG;AACH,UAAA,IAAA;AAAA,YACE,MAAA;AAAA,YACA;AAAA,cACE,WAAA;AAAA,cACA,WAAA;AAAA,cACA;AAAA,aACF;AAAA,YACA;AAAA,cACE;AAAA;AACF,WACF;AAAA,QACF;AAAA;AACF,KACF;AACA,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,kBAAA,CAAmB,iBAAiB,CAAA,IAAK,KAAA;AAClE,IAAA,OAAO;AAAA,MACL,MAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,eAAA;AAAA,MACA,MAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF,CAAA;AAAA,EAEA,MAAM,MACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,MAAM,KAAA,EAAO;AAAA,MACzB,UAAA,EAAY,SAAA;AAAA,MACZ,MAAA,EAAQ,SAAA;AAAA,MACR,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,aACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,aAAa,KAAA,EAAO;AAAA,MAChC,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,QAAO,EAAG;AAC/B,IAAA,OAAO,MAAA,CAAO,QAAQ,KAAK,CAAA;AAAA,EAC7B,CAAA;AAAA,EAEA,MAAM,MAAA,CAAO,KAAA,EAAO,EAAE,MAAA,EAAQ,QAAA,EAAU,WAAU,EAAG;AACnD,IAAA,MAAM,SAAA,GAAY,IAAI,GAAA,CAAI,CAAA,QAAA,EAAW,MAAM,CAAA,UAAA,CAAY,CAAA;AACvD,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,EAAE,CAAA;AAAA,IAC5C;AACA,IAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,QAAQ,CAAA;AAChD,IAAA,MAAM,MAAA,GAAS,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,QAAQ,CAAA;AACrC,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,MAAM,CAAA;AAAA,IAC/C;AACA,IAAA,OAAO,EAAE,SAAA,EAAW,SAAA,CAAU,QAAA,EAAS,EAAE;AAAA,EAC3C;AACF,CAAC;;;;"}

package/dist/index.d.ts

@@ -8,6 +8,9 @@ declare const auth0Authenticator: _backstage_plugin_auth_node.OAuthAuthenticator
     audience: string | undefined;
     connection: string | undefined;
     connectionScope: string | undefined;
+    domain: string;
+    clientID: string;
+    federated: boolean;
 }, PassportProfile>;
 
 /** @public */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend-module-auth0-provider",
-  "version": "0.3.2-next.0",
+  "version": "0.4.0-next.2",
   "description": "The auth0-provider backend module for the auth plugin.",
   "backstage": {
     "role": "backend-plugin-module",
@@ -37,19 +37,19 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.8.1-next.0",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-auth-node": "0.6.15-next.0",
+    "@backstage/backend-plugin-api": "1.9.0-next.2",
+    "@backstage/errors": "1.3.0-next.0",
+    "@backstage/plugin-auth-node": "0.7.0-next.2",
     "express": "^4.22.0",
     "passport": "^0.7.0",
     "passport-auth0": "^1.4.3",
     "passport-oauth2": "^1.6.1"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.16.1-next.0",
-    "@backstage/backend-test-utils": "1.11.2-next.0",
-    "@backstage/cli": "0.36.1-next.0",
-    "@backstage/plugin-auth-backend": "0.28.0-next.0",
+    "@backstage/backend-defaults": "0.16.1-next.2",
+    "@backstage/backend-test-utils": "1.11.2-next.2",
+    "@backstage/cli": "0.36.1-next.2",
+    "@backstage/plugin-auth-backend": "0.28.0-next.2",
     "@backstage/types": "1.2.2",
     "@types/passport": "^1.0.3",
     "@types/passport-auth0": "^1.0.5",