@backstage/plugin-auth-backend-module-auth0-provider 0.3.2-next.1 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @backstage/plugin-auth-backend-module-auth0-provider
 
+## 0.4.0
+
+### Minor Changes
+
+- 9244b70: Sign-out now redirects the browser to Auth0's `/v2/logout` endpoint, clearing the Auth0 session cookie so that the next sign-in creates a new Auth0 session. Previously, only the Backstage session was cleared, allowing users to sign back in without going through Auth0 logout first.
+
+  Set `federatedLogout: true` in the Auth0 provider config to additionally clear the upstream IdP session (e.g. Okta, Google). This is what guarantees a full re-login across the entire SSO chain and may require users to re-enter credentials.
+
+### Patch Changes
+
+- b3bbd42: Added `createAuth0Authenticator` factory function that accepts a `CacheService` to cache Auth0 profile API responses for 1 minute during token refreshes. This avoids hitting Auth0 rate limits on repeated page refreshes. The module now uses the cached variant by default. The existing `auth0Authenticator` export remains available for use without caching.
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.9.0
+  - @backstage/errors@1.3.0
+  - @backstage/plugin-auth-node@0.7.0
+
+## 0.4.0-next.2
+
+### Minor Changes
+
+- 9244b70: Added federated logout support. Set `federatedLogout: true` in the Auth0 provider config to clear both the Auth0 session and any upstream IdP session on sign-out. The authenticator returns a logout URL that redirects the browser to Auth0's `/v2/logout?federated` endpoint, ensuring users must fully re-authenticate after signing out.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/errors@1.3.0-next.0
+  - @backstage/plugin-auth-node@0.7.0-next.2
+  - @backstage/backend-plugin-api@1.9.0-next.2
+
 ## 0.3.2-next.1
 
 ### Patch Changes

package/config.d.ts

@@ -33,6 +33,11 @@ export interface Config {
           connection?: string;
           connectionScope?: string;
           organization?: string;
+          /**
+           * Whether to perform federated logout, clearing both the Auth0
+           * session and any upstream IdP session. Defaults to false.
+           */
+          federatedLogout?: boolean;
           sessionDuration?: HumanDuration | string;
         };
       };

package/dist/authenticator.cjs.js

@@ -1,29 +1,33 @@
 'use strict';
 
+var jose = require('jose');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
 var strategy = require('./strategy.cjs.js');
 
-const auth0Authenticator = pluginAuthNode.createOAuthAuthenticator({
-  defaultProfileTransform: pluginAuthNode.PassportOAuthAuthenticatorHelper.defaultProfileTransform,
-  initialize({ callbackUrl, config }) {
-    const clientID = config.getString("clientId");
-    const clientSecret = config.getString("clientSecret");
-    const domain = config.getString("domain");
-    const audience = config.getOptionalString("audience");
-    const connection = config.getOptionalString("connection");
-    const connectionScope = config.getOptionalString("connectionScope");
-    const callbackURL = config.getOptionalString("callbackUrl") ?? callbackUrl;
-    const organization = config.getOptionalString("organization");
-    const store = {
-      store(_req, cb) {
-        cb(null, null);
-      },
-      verify(_req, _state, cb) {
-        cb(null, true);
-      }
-    };
-    const helper = pluginAuthNode.PassportOAuthAuthenticatorHelper.from(
-      new strategy.Auth0Strategy(
+function createAuth0Authenticator(options) {
+  const profileCache = options?.cache?.withOptions({
+    defaultTtl: { minutes: 1 }
+  });
+  return pluginAuthNode.createOAuthAuthenticator({
+    defaultProfileTransform: pluginAuthNode.PassportOAuthAuthenticatorHelper.defaultProfileTransform,
+    initialize({ callbackUrl, config }) {
+      const clientID = config.getString("clientId");
+      const clientSecret = config.getString("clientSecret");
+      const domain = config.getString("domain");
+      const audience = config.getOptionalString("audience");
+      const connection = config.getOptionalString("connection");
+      const connectionScope = config.getOptionalString("connectionScope");
+      const callbackURL = config.getOptionalString("callbackUrl") ?? callbackUrl;
+      const organization = config.getOptionalString("organization");
+      const store = {
+        store(_req, cb) {
+          cb(null, null);
+        },
+        verify(_req, _state, cb) {
+          cb(null, true);
+        }
+      };
+      const strategy$1 = new strategy.Auth0Strategy(
         {
           clientID,
           clientSecret,
@@ -48,30 +52,82 @@ const auth0Authenticator = pluginAuthNode.createOAuthAuthenticator({
             }
           );
         }
-      )
-    );
-    return { helper, audience, connection, connectionScope };
-  },
-  async start(input, { helper, audience, connection, connectionScope: connection_scope }) {
-    return helper.start(input, {
-      accessType: "offline",
-      prompt: "consent",
-      ...audience ? { audience } : {},
-      ...connection ? { connection } : {},
-      ...connection_scope ? { connection_scope } : {}
-    });
-  },
-  async authenticate(input, { helper, audience, connection, connectionScope: connection_scope }) {
-    return helper.authenticate(input, {
-      ...audience ? { audience } : {},
-      ...connection ? { connection } : {},
-      ...connection_scope ? { connection_scope } : {}
-    });
-  },
-  async refresh(input, { helper }) {
-    return helper.refresh(input);
-  }
-});
+      );
+      const helper = pluginAuthNode.PassportOAuthAuthenticatorHelper.from(strategy$1);
+      const federated = config.getOptionalBoolean("federatedLogout") ?? false;
+      return {
+        helper,
+        strategy: strategy$1,
+        audience,
+        connection,
+        connectionScope,
+        domain,
+        clientID,
+        federated
+      };
+    },
+    async start(input, { helper, audience, connection, connectionScope: connection_scope }) {
+      return helper.start(input, {
+        accessType: "offline",
+        prompt: "consent",
+        ...audience ? { audience } : {},
+        ...connection ? { connection } : {},
+        ...connection_scope ? { connection_scope } : {}
+      });
+    },
+    async authenticate(input, { helper, audience, connection, connectionScope: connection_scope }) {
+      return helper.authenticate(input, {
+        ...audience ? { audience } : {},
+        ...connection ? { connection } : {},
+        ...connection_scope ? { connection_scope } : {}
+      });
+    },
+    async refresh(input, { helper, strategy }) {
+      const result = await pluginAuthNode.PassportHelpers.executeRefreshTokenStrategy(
+        strategy,
+        input.refreshToken,
+        input.scope
+      );
+      const { sub } = jose.decodeJwt(result.params.id_token);
+      const cacheKey = sub ? `auth0-profile:${sub}` : void 0;
+      let fullProfile = cacheKey ? await profileCache?.get(cacheKey) : void 0;
+      if (!fullProfile) {
+        fullProfile = await helper.fetchProfile(result.accessToken);
+        if (cacheKey) {
+          await profileCache?.set(
+            cacheKey,
+            JSON.parse(JSON.stringify(fullProfile))
+          );
+        }
+      }
+      return {
+        fullProfile,
+        session: {
+          accessToken: result.accessToken,
+          tokenType: result.params.token_type ?? "bearer",
+          scope: result.params.scope,
+          expiresInSeconds: result.params.expires_in,
+          idToken: result.params.id_token,
+          refreshToken: result.refreshToken
+        }
+      };
+    },
+    async logout(input, { domain, clientID, federated }) {
+      const logoutUrl = new URL(`https://${domain}/v2/logout`);
+      if (federated) {
+        logoutUrl.searchParams.set("federated", "");
+      }
+      logoutUrl.searchParams.set("client_id", clientID);
+      const origin = input.req.get("origin");
+      if (origin) {
+        logoutUrl.searchParams.set("returnTo", origin);
+      }
+      return { logoutUrl: logoutUrl.toString() };
+    }
+  });
+}
+const auth0Authenticator = createAuth0Authenticator();
 
 exports.auth0Authenticator = auth0Authenticator;
+exports.createAuth0Authenticator = createAuth0Authenticator;
 //# sourceMappingURL=authenticator.cjs.js.map

package/dist/authenticator.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n  createOAuthAuthenticator,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { Auth0Strategy } from './strategy';\n\n/** @public */\nexport const auth0Authenticator = createOAuthAuthenticator({\n  defaultProfileTransform:\n    PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n  initialize({ callbackUrl, config }) {\n    const clientID = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const domain = config.getString('domain');\n    const audience = config.getOptionalString('audience');\n    const connection = config.getOptionalString('connection');\n    const connectionScope = config.getOptionalString('connectionScope');\n    const callbackURL = config.getOptionalString('callbackUrl') ?? callbackUrl;\n    const organization = config.getOptionalString('organization');\n    // Due to passport-auth0 forcing options.state = true,\n    // passport-oauth2 requires express-session to be installed\n    // so that the 'state' parameter of the oauth2 flow can be stored.\n    // This implementation of StateStore matches the NullStore found within\n    // passport-oauth2, which is the StateStore implementation used when options.state = false,\n    // allowing us to avoid using express-session in order to integrate with auth0.\n    const store = {\n      store(_req: express.Request, cb: any) {\n        cb(null, null);\n      },\n      verify(_req: express.Request, _state: string, cb: any) {\n        cb(null, true);\n      },\n    };\n\n    const helper = PassportOAuthAuthenticatorHelper.from(\n      new Auth0Strategy(\n        {\n          clientID,\n          clientSecret,\n          callbackURL,\n          domain,\n          store,\n          organization,\n          // We need passReqToCallback set to false to get params, but there's\n          // no matching type signature for that, so instead behold this beauty\n          passReqToCallback: false as true,\n        },\n        (\n          accessToken: string,\n          refreshToken: string,\n          params: any,\n          fullProfile: PassportProfile,\n          done: PassportOAuthDoneCallback,\n        ) => {\n          done(\n            undefined,\n            {\n              fullProfile,\n              accessToken,\n              params,\n            },\n            {\n              refreshToken,\n            },\n          );\n        },\n      ),\n    );\n    return { helper, audience, connection, connectionScope };\n  },\n\n  async start(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.start(input, {\n      accessType: 'offline',\n      prompt: 'consent',\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async authenticate(\n    input,\n    { helper, audience, connection, connectionScope: connection_scope },\n  ) {\n    return helper.authenticate(input, {\n      ...(audience ? { audience } : {}),\n      ...(connection ? { connection } : {}),\n      ...(connection_scope ? { connection_scope } : {}),\n    });\n  },\n\n  async refresh(input, { helper }) {\n    return helper.refresh(input);\n  },\n});\n"],"names":["createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","Auth0Strategy"],"mappings":";;;;;AA0BO,MAAM,qBAAqBA,uCAAA,CAAyB;AAAA,EACzD,yBACEC,+CAAA,CAAiC,uBAAA;AAAA,EACnC,UAAA,CAAW,EAAE,WAAA,EAAa,MAAA,EAAO,EAAG;AAClC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,SAAA,CAAU,UAAU,CAAA;AAC5C,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,SAAA,CAAU,cAAc,CAAA;AACpD,IAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,QAAQ,CAAA;AACxC,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,iBAAA,CAAkB,UAAU,CAAA;AACpD,IAAA,MAAM,UAAA,GAAa,MAAA,CAAO,iBAAA,CAAkB,YAAY,CAAA;AACxD,IAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAA,MAAM,WAAA,GAAc,MAAA,CAAO,iBAAA,CAAkB,aAAa,CAAA,IAAK,WAAA;AAC/D,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,iBAAA,CAAkB,cAAc,CAAA;AAO5D,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,KAAA,CAAM,MAAuB,EAAA,EAAS;AACpC,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf,CAAA;AAAA,MACA,MAAA,CAAO,IAAA,EAAuB,MAAA,EAAgB,EAAA,EAAS;AACrD,QAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,MACf;AAAA,KACF;AAEA,IAAA,MAAM,SAASA,+CAAA,CAAiC,IAAA;AAAA,MAC9C,IAAIC,sBAAA;AAAA,QACF;AAAA,UACE,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,MAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA;AAAA;AAAA,UAGA,iBAAA,EAAmB;AAAA,SACrB;AAAA,QACA,CACE,WAAA,EACA,YAAA,EACA,MAAA,EACA,aACA,IAAA,KACG;AACH,UAAA,IAAA;AAAA,YACE,MAAA;AAAA,YACA;AAAA,cACE,WAAA;AAAA,cACA,WAAA;AAAA,cACA;AAAA,aACF;AAAA,YACA;AAAA,cACE;AAAA;AACF,WACF;AAAA,QACF;AAAA;AACF,KACF;AACA,IAAA,OAAO,EAAE,MAAA,EAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAgB;AAAA,EACzD,CAAA;AAAA,EAEA,MAAM,MACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,MAAM,KAAA,EAAO;AAAA,MACzB,UAAA,EAAY,SAAA;AAAA,MACZ,MAAA,EAAQ,SAAA;AAAA,MACR,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,aACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,IAAA,OAAO,MAAA,CAAO,aAAa,KAAA,EAAO;AAAA,MAChC,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,MAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,MACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,KAChD,CAAA;AAAA,EACH,CAAA;AAAA,EAEA,MAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,QAAO,EAAG;AAC/B,IAAA,OAAO,MAAA,CAAO,QAAQ,KAAK,CAAA;AAAA,EAC7B;AACF,CAAC;;;;"}
+{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { CacheService } from '@backstage/backend-plugin-api';\nimport express from 'express';\nimport { decodeJwt } from 'jose';\nimport { Strategy } from 'passport';\nimport {\n  createOAuthAuthenticator,\n  PassportHelpers,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { Auth0Strategy } from './strategy';\n\n/** @public */\nexport function createAuth0Authenticator(options?: { cache?: CacheService }) {\n  const profileCache = options?.cache?.withOptions({\n    defaultTtl: { minutes: 1 },\n  });\n\n  return createOAuthAuthenticator({\n    defaultProfileTransform:\n      PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n    initialize({ callbackUrl, config }) {\n      const clientID = config.getString('clientId');\n      const clientSecret = config.getString('clientSecret');\n      const domain = config.getString('domain');\n      const audience = config.getOptionalString('audience');\n      const connection = config.getOptionalString('connection');\n      const connectionScope = config.getOptionalString('connectionScope');\n      const callbackURL =\n        config.getOptionalString('callbackUrl') ?? callbackUrl;\n      const organization = config.getOptionalString('organization');\n      // Due to passport-auth0 forcing options.state = true,\n      // passport-oauth2 requires express-session to be installed\n      // so that the 'state' parameter of the oauth2 flow can be stored.\n      // This implementation of StateStore matches the NullStore found within\n      // passport-oauth2, which is the StateStore implementation used when options.state = false,\n      // allowing us to avoid using express-session in order to integrate with auth0.\n      const store = {\n        store(_req: express.Request, cb: any) {\n          cb(null, null);\n        },\n        verify(_req: express.Request, _state: string, cb: any) {\n          cb(null, true);\n        },\n      };\n\n      const strategy = new Auth0Strategy(\n        {\n          clientID,\n          clientSecret,\n          callbackURL,\n          domain,\n          store,\n          organization,\n          // We need passReqToCallback set to false to get params, but there's\n          // no matching type signature for that, so instead behold this beauty\n          passReqToCallback: false as true,\n        },\n        (\n          accessToken: string,\n          refreshToken: string,\n          params: any,\n          fullProfile: PassportProfile,\n          done: PassportOAuthDoneCallback,\n        ) => {\n          done(\n            undefined,\n            {\n              fullProfile,\n              accessToken,\n              params,\n            },\n            {\n              refreshToken,\n            },\n          );\n        },\n      );\n\n      const helper = PassportOAuthAuthenticatorHelper.from(strategy);\n      const federated = config.getOptionalBoolean('federatedLogout') ?? false;\n      return {\n        helper,\n        strategy: strategy as Strategy,\n        audience,\n        connection,\n        connectionScope,\n        domain,\n        clientID,\n        federated,\n      };\n    },\n\n    async start(\n      input,\n      { helper, audience, connection, connectionScope: connection_scope },\n    ) {\n      return helper.start(input, {\n        accessType: 'offline',\n        prompt: 'consent',\n        ...(audience ? { audience } : {}),\n        ...(connection ? { connection } : {}),\n        ...(connection_scope ? { connection_scope } : {}),\n      });\n    },\n\n    async authenticate(\n      input,\n      { helper, audience, connection, connectionScope: connection_scope },\n    ) {\n      return helper.authenticate(input, {\n        ...(audience ? { audience } : {}),\n        ...(connection ? { connection } : {}),\n        ...(connection_scope ? { connection_scope } : {}),\n      });\n    },\n\n    async refresh(input, { helper, strategy }) {\n      const result = await PassportHelpers.executeRefreshTokenStrategy(\n        strategy,\n        input.refreshToken,\n        input.scope,\n      );\n\n      const { sub } = decodeJwt(result.params.id_token);\n      const cacheKey = sub ? `auth0-profile:${sub}` : undefined;\n\n      let fullProfile = cacheKey\n        ? ((await profileCache?.get(cacheKey)) as PassportProfile | undefined)\n        : undefined;\n\n      if (!fullProfile) {\n        fullProfile = await helper.fetchProfile(result.accessToken);\n        if (cacheKey) {\n          await profileCache?.set(\n            cacheKey,\n            JSON.parse(JSON.stringify(fullProfile)),\n          );\n        }\n      }\n\n      return {\n        fullProfile,\n        session: {\n          accessToken: result.accessToken,\n          tokenType: result.params.token_type ?? 'bearer',\n          scope: result.params.scope,\n          expiresInSeconds: result.params.expires_in,\n          idToken: result.params.id_token,\n          refreshToken: result.refreshToken,\n        },\n      };\n    },\n\n    async logout(input, { domain, clientID, federated }) {\n      const logoutUrl = new URL(`https://${domain}/v2/logout`);\n      if (federated) {\n        logoutUrl.searchParams.set('federated', '');\n      }\n      logoutUrl.searchParams.set('client_id', clientID);\n      const origin = input.req.get('origin');\n      if (origin) {\n        logoutUrl.searchParams.set('returnTo', origin);\n      }\n      return { logoutUrl: logoutUrl.toString() };\n    },\n  });\n}\n\n/** @public */\nexport const auth0Authenticator = createAuth0Authenticator();\n"],"names":["createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","strategy","Auth0Strategy","PassportHelpers","decodeJwt"],"mappings":";;;;;;AA8BO,SAAS,yBAAyB,OAAA,EAAoC;AAC3E,EAAA,MAAM,YAAA,GAAe,OAAA,EAAS,KAAA,EAAO,WAAA,CAAY;AAAA,IAC/C,UAAA,EAAY,EAAE,OAAA,EAAS,CAAA;AAAE,GAC1B,CAAA;AAED,EAAA,OAAOA,uCAAA,CAAyB;AAAA,IAC9B,yBACEC,+CAAA,CAAiC,uBAAA;AAAA,IACnC,UAAA,CAAW,EAAE,WAAA,EAAa,MAAA,EAAO,EAAG;AAClC,MAAA,MAAM,QAAA,GAAW,MAAA,CAAO,SAAA,CAAU,UAAU,CAAA;AAC5C,MAAA,MAAM,YAAA,GAAe,MAAA,CAAO,SAAA,CAAU,cAAc,CAAA;AACpD,MAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,QAAQ,CAAA;AACxC,MAAA,MAAM,QAAA,GAAW,MAAA,CAAO,iBAAA,CAAkB,UAAU,CAAA;AACpD,MAAA,MAAM,UAAA,GAAa,MAAA,CAAO,iBAAA,CAAkB,YAAY,CAAA;AACxD,MAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,MAAA,MAAM,WAAA,GACJ,MAAA,CAAO,iBAAA,CAAkB,aAAa,CAAA,IAAK,WAAA;AAC7C,MAAA,MAAM,YAAA,GAAe,MAAA,CAAO,iBAAA,CAAkB,cAAc,CAAA;AAO5D,MAAA,MAAM,KAAA,GAAQ;AAAA,QACZ,KAAA,CAAM,MAAuB,EAAA,EAAS;AACpC,UAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,QACf,CAAA;AAAA,QACA,MAAA,CAAO,IAAA,EAAuB,MAAA,EAAgB,EAAA,EAAS;AACrD,UAAA,EAAA,CAAG,MAAM,IAAI,CAAA;AAAA,QACf;AAAA,OACF;AAEA,MAAA,MAAMC,aAAW,IAAIC,sBAAA;AAAA,QACnB;AAAA,UACE,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,MAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA;AAAA;AAAA,UAGA,iBAAA,EAAmB;AAAA,SACrB;AAAA,QACA,CACE,WAAA,EACA,YAAA,EACA,MAAA,EACA,aACA,IAAA,KACG;AACH,UAAA,IAAA;AAAA,YACE,MAAA;AAAA,YACA;AAAA,cACE,WAAA;AAAA,cACA,WAAA;AAAA,cACA;AAAA,aACF;AAAA,YACA;AAAA,cACE;AAAA;AACF,WACF;AAAA,QACF;AAAA,OACF;AAEA,MAAA,MAAM,MAAA,GAASF,+CAAA,CAAiC,IAAA,CAAKC,UAAQ,CAAA;AAC7D,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,kBAAA,CAAmB,iBAAiB,CAAA,IAAK,KAAA;AAClE,MAAA,OAAO;AAAA,QACL,MAAA;AAAA,kBACAA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,eAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF,CAAA;AAAA,IAEA,MAAM,MACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,MAAA,OAAO,MAAA,CAAO,MAAM,KAAA,EAAO;AAAA,QACzB,UAAA,EAAY,SAAA;AAAA,QACZ,MAAA,EAAQ,SAAA;AAAA,QACR,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,QAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,QACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,OAChD,CAAA;AAAA,IACH,CAAA;AAAA,IAEA,MAAM,aACJ,KAAA,EACA,EAAE,QAAQ,QAAA,EAAU,UAAA,EAAY,eAAA,EAAiB,gBAAA,EAAiB,EAClE;AACA,MAAA,OAAO,MAAA,CAAO,aAAa,KAAA,EAAO;AAAA,QAChC,GAAI,QAAA,GAAW,EAAE,QAAA,KAAa,EAAC;AAAA,QAC/B,GAAI,UAAA,GAAa,EAAE,UAAA,KAAe,EAAC;AAAA,QACnC,GAAI,gBAAA,GAAmB,EAAE,gBAAA,KAAqB;AAAC,OAChD,CAAA;AAAA,IACH,CAAA;AAAA,IAEA,MAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,MAAA,EAAQ,UAAS,EAAG;AACzC,MAAA,MAAM,MAAA,GAAS,MAAME,8BAAA,CAAgB,2BAAA;AAAA,QACnC,QAAA;AAAA,QACA,KAAA,CAAM,YAAA;AAAA,QACN,KAAA,CAAM;AAAA,OACR;AAEA,MAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,MAAA,CAAO,OAAO,QAAQ,CAAA;AAChD,MAAA,MAAM,QAAA,GAAW,GAAA,GAAM,CAAA,cAAA,EAAiB,GAAG,CAAA,CAAA,GAAK,MAAA;AAEhD,MAAA,IAAI,cAAc,QAAA,GACZ,MAAM,YAAA,EAAc,GAAA,CAAI,QAAQ,CAAA,GAClC,MAAA;AAEJ,MAAA,IAAI,CAAC,WAAA,EAAa;AAChB,QAAA,WAAA,GAAc,MAAM,MAAA,CAAO,YAAA,CAAa,MAAA,CAAO,WAAW,CAAA;AAC1D,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,MAAM,YAAA,EAAc,GAAA;AAAA,YAClB,QAAA;AAAA,YACA,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,WAAW,CAAC;AAAA,WACxC;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,WAAA;AAAA,QACA,OAAA,EAAS;AAAA,UACP,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,SAAA,EAAW,MAAA,CAAO,MAAA,CAAO,UAAA,IAAc,QAAA;AAAA,UACvC,KAAA,EAAO,OAAO,MAAA,CAAO,KAAA;AAAA,UACrB,gBAAA,EAAkB,OAAO,MAAA,CAAO,UAAA;AAAA,UAChC,OAAA,EAAS,OAAO,MAAA,CAAO,QAAA;AAAA,UACvB,cAAc,MAAA,CAAO;AAAA;AACvB,OACF;AAAA,IACF,CAAA;AAAA,IAEA,MAAM,MAAA,CAAO,KAAA,EAAO,EAAE,MAAA,EAAQ,QAAA,EAAU,WAAU,EAAG;AACnD,MAAA,MAAM,SAAA,GAAY,IAAI,GAAA,CAAI,CAAA,QAAA,EAAW,MAAM,CAAA,UAAA,CAAY,CAAA;AACvD,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,EAAE,CAAA;AAAA,MAC5C;AACA,MAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,QAAQ,CAAA;AAChD,MAAA,MAAM,MAAA,GAAS,KAAA,CAAM,GAAA,CAAI,GAAA,CAAI,QAAQ,CAAA;AACrC,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,MAAM,CAAA;AAAA,MAC/C;AACA,MAAA,OAAO,EAAE,SAAA,EAAW,SAAA,CAAU,QAAA,EAAS,EAAE;AAAA,IAC3C;AAAA,GACD,CAAA;AACH;AAGO,MAAM,qBAAqB,wBAAA;;;;;"}

package/dist/index.cjs.js

@@ -8,5 +8,6 @@ var module$1 = require('./module.cjs.js');
 
 
 exports.auth0Authenticator = authenticator.auth0Authenticator;
+exports.createAuth0Authenticator = authenticator.createAuth0Authenticator;
 exports.default = module$1.authModuleAuth0Provider;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;"}

package/dist/index.d.ts

@@ -1,16 +1,35 @@
 import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
 import { PassportOAuthAuthenticatorHelper, PassportProfile } from '@backstage/plugin-auth-node';
 import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+import { CacheService } from '@backstage/backend-plugin-api';
+import { Strategy } from 'passport';
 
+/** @public */
+declare function createAuth0Authenticator(options?: {
+    cache?: CacheService;
+}): _backstage_plugin_auth_node.OAuthAuthenticator<{
+    helper: PassportOAuthAuthenticatorHelper;
+    strategy: Strategy;
+    audience: string | undefined;
+    connection: string | undefined;
+    connectionScope: string | undefined;
+    domain: string;
+    clientID: string;
+    federated: boolean;
+}, PassportProfile>;
 /** @public */
 declare const auth0Authenticator: _backstage_plugin_auth_node.OAuthAuthenticator<{
     helper: PassportOAuthAuthenticatorHelper;
+    strategy: Strategy;
     audience: string | undefined;
     connection: string | undefined;
     connectionScope: string | undefined;
+    domain: string;
+    clientID: string;
+    federated: boolean;
 }, PassportProfile>;
 
 /** @public */
 declare const authModuleAuth0Provider: _backstage_backend_plugin_api.BackendFeature;
 
-export { auth0Authenticator, authModuleAuth0Provider as default };
+export { auth0Authenticator, createAuth0Authenticator, authModuleAuth0Provider as default };

package/dist/module.cjs.js

@@ -10,13 +10,14 @@ const authModuleAuth0Provider = backendPluginApi.createBackendModule({
   register(reg) {
     reg.registerInit({
       deps: {
-        providers: pluginAuthNode.authProvidersExtensionPoint
+        providers: pluginAuthNode.authProvidersExtensionPoint,
+        cache: backendPluginApi.coreServices.cache
       },
-      async init({ providers }) {
+      async init({ providers, cache }) {
         providers.registerProvider({
           providerId: "auth0",
           factory: pluginAuthNode.createOAuthProviderFactory({
-            authenticator: authenticator.auth0Authenticator,
+            authenticator: authenticator.createAuth0Authenticator({ cache }),
             signInResolverFactories: {
               ...pluginAuthNode.commonSignInResolvers
             }

package/dist/module.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"module.cjs.js","sources":["../src/module.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createOAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { auth0Authenticator } from './authenticator';\n\n/** @public */\nexport const authModuleAuth0Provider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'auth0-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'auth0',\n          factory: createOAuthProviderFactory({\n            authenticator: auth0Authenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","authProvidersExtensionPoint","createOAuthProviderFactory","auth0Authenticator","commonSignInResolvers"],"mappings":";;;;;;AAyBO,MAAM,0BAA0BA,oCAAA,CAAoB;AAAA,EACzD,QAAA,EAAU,MAAA;AAAA,EACV,QAAA,EAAU,gBAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,SAAA,EAAWC;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAU,EAAG;AACxB,QAAA,SAAA,CAAU,gBAAA,CAAiB;AAAA,UACzB,UAAA,EAAY,OAAA;AAAA,UACZ,SAASC,yCAAA,CAA2B;AAAA,YAClC,aAAA,EAAeC,gCAAA;AAAA,YACf,uBAAA,EAAyB;AAAA,cACvB,GAAGC;AAAA;AACL,WACD;AAAA,SACF,CAAA;AAAA,MACH;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}
+{"version":3,"file":"module.cjs.js","sources":["../src/module.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendModule,\n} from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createOAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { createAuth0Authenticator } from './authenticator';\n\n/** @public */\nexport const authModuleAuth0Provider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'auth0-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n        cache: coreServices.cache,\n      },\n      async init({ providers, cache }) {\n        providers.registerProvider({\n          providerId: 'auth0',\n          factory: createOAuthProviderFactory({\n            authenticator: createAuth0Authenticator({ cache }),\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","authProvidersExtensionPoint","coreServices","createOAuthProviderFactory","createAuth0Authenticator","commonSignInResolvers"],"mappings":";;;;;;AA4BO,MAAM,0BAA0BA,oCAAA,CAAoB;AAAA,EACzD,QAAA,EAAU,MAAA;AAAA,EACV,QAAA,EAAU,gBAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,SAAA,EAAWC,0CAAA;AAAA,QACX,OAAOC,6BAAA,CAAa;AAAA,OACtB;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAW,OAAM,EAAG;AAC/B,QAAA,SAAA,CAAU,gBAAA,CAAiB;AAAA,UACzB,UAAA,EAAY,OAAA;AAAA,UACZ,SAASC,yCAAA,CAA2B;AAAA,YAClC,aAAA,EAAeC,sCAAA,CAAyB,EAAE,KAAA,EAAO,CAAA;AAAA,YACjD,uBAAA,EAAyB;AAAA,cACvB,GAAGC;AAAA;AACL,WACD;AAAA,SACF,CAAA;AAAA,MACH;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend-module-auth0-provider",
-  "version": "0.3.2-next.1",
+  "version": "0.4.0",
   "description": "The auth0-provider backend module for the auth plugin.",
   "backstage": {
     "role": "backend-plugin-module",
@@ -37,21 +37,22 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.9.0-next.1",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-auth-node": "0.7.0-next.1",
+    "@backstage/backend-plugin-api": "^1.9.0",
+    "@backstage/errors": "^1.3.0",
+    "@backstage/plugin-auth-node": "^0.7.0",
+    "@types/passport": "^1.0.3",
     "express": "^4.22.0",
+    "jose": "^5.0.0",
     "passport": "^0.7.0",
     "passport-auth0": "^1.4.3",
     "passport-oauth2": "^1.6.1"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.16.1-next.1",
-    "@backstage/backend-test-utils": "1.11.2-next.1",
-    "@backstage/cli": "0.36.1-next.1",
-    "@backstage/plugin-auth-backend": "0.28.0-next.1",
-    "@backstage/types": "1.2.2",
-    "@types/passport": "^1.0.3",
+    "@backstage/backend-defaults": "^0.17.0",
+    "@backstage/backend-test-utils": "^1.11.2",
+    "@backstage/cli": "^0.36.1",
+    "@backstage/plugin-auth-backend": "^0.28.0",
+    "@backstage/types": "^1.2.2",
     "@types/passport-auth0": "^1.0.5",
     "@types/passport-oauth2": "^1.4.15",
     "supertest": "^7.0.0"