@backstage/plugin-auth-backend-module-aws-alb-provider 0.0.0-nightly-20240126021148

package/CHANGELOG.md

@@ -0,0 +1,16 @@
+# @backstage/plugin-auth-backend-module-aws-alb-provider
+
+## 0.0.0-nightly-20240126021148
+
+### Minor Changes
+
+- 23a98f8: Migrated the AWS ALB auth provider to new `@backstage/plugin-auth-backend-module-aws-alb-provider` module package.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.0.0-nightly-20240126021148
+  - @backstage/backend-common@0.0.0-nightly-20240126021148
+  - @backstage/plugin-auth-node@0.0.0-nightly-20240126021148
+  - @backstage/backend-plugin-api@0.0.0-nightly-20240126021148
+  - @backstage/errors@1.2.3

package/README.md

@@ -0,0 +1,8 @@
+# Auth Module: AWS ALB Provider
+
+This module provides an GitHub auth provider implementation for `@backstage/plugin-auth-backend`.
+
+## Links
+
+- [Backstage](https://backstage.io)
+- [Repository](https://github.com/backstage/backstage/tree/master/plugins/auth-backend-module-github-provider)

package/dist/index.cjs.js

@@ -0,0 +1,200 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var NodeCache = require('node-cache');
+var jwtDecoder = require('jwt-decode');
+var crypto = require('crypto');
+var backendPluginApi = require('@backstage/backend-plugin-api');
+
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n["default"] = e;
+  return Object.freeze(n);
+}
+
+var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
+var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+
+const makeProfileInfo = (profile, idToken) => {
+  var _a, _b;
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
+  }
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
+  }
+  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jwtDecoder__default["default"](idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
+      }
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
+    }
+  }
+  return {
+    email,
+    picture,
+    displayName
+  };
+};
+const provisionKeyCache = (region, keyCache) => {
+  return async (header) => {
+    if (!header.kid) {
+      throw new errors.AuthenticationError("No key id was specified in header");
+    }
+    const optionalCacheKey = keyCache.get(header.kid);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
+    }
+    const keyText = await fetch(
+      `https://public-keys.auth.elb.${encodeURIComponent(
+        region
+      )}.amazonaws.com/${encodeURIComponent(header.kid)}`
+    ).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    keyCache.set(header.kid, keyValue.export({ format: "pem", type: "spki" }));
+    return keyValue;
+  };
+};
+
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const awsAlbAuthenticator = pluginAuthNode.createProxyAuthenticator({
+  defaultProfileTransform: async (result) => {
+    return {
+      profile: makeProfileInfo(result.fullProfile, result.accessToken)
+    };
+  },
+  initialize({ config }) {
+    const issuer = config.getString("issuer");
+    const region = config.getString("region");
+    const keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
+    const getKey = provisionKeyCache(region, keyCache);
+    return { issuer, getKey };
+  },
+  async authenticate({ req }, { issuer, getKey }) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(
+        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
+      );
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(
+        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
+      );
+    }
+    try {
+      const verifyResult = await jose.jwtVerify(jwt, getKey);
+      const claims = verifyResult.payload;
+      if (issuer && (claims == null ? void 0 : claims.iss) !== issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
+      };
+      return {
+        result: {
+          fullProfile,
+          expiresInSeconds: claims.exp,
+          accessToken
+        }
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+});
+
+exports.awsAlbSignInResolvers = void 0;
+((awsAlbSignInResolvers2) => {
+  awsAlbSignInResolvers2.emailMatchingUserEntityProfileEmail = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        if (!info.result.fullProfile.emails) {
+          throw new Error(
+            "Login failed, user profile does not contain an email"
+          );
+        }
+        return ctx.signInWithCatalogUser({
+          filter: {
+            kind: ["User"],
+            "spec.profile.email": info.result.fullProfile.emails[0].value
+          }
+        });
+      };
+    }
+  });
+})(exports.awsAlbSignInResolvers || (exports.awsAlbSignInResolvers = {}));
+
+const authModuleAwsAlbProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "awsAlbProvider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: "awsalb",
+          factory: pluginAuthNode.createProxyAuthProviderFactory({
+            authenticator: awsAlbAuthenticator,
+            signInResolverFactories: {
+              ...pluginAuthNode.commonSignInResolvers,
+              ...exports.awsAlbSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+
+exports.authModuleAwsAlbProvider = authModuleAwsAlbProvider;
+exports.awsAlbAuthenticator = awsAlbAuthenticator;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/helpers.ts","../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { PassportProfile } from '@backstage/plugin-auth-node/';\nimport { ProfileInfo } from '@backstage/plugin-auth-node';\nimport { KeyObject } from 'crypto';\nimport jwtDecoder from 'jwt-decode';\nimport NodeCache from 'node-cache';\nimport * as crypto from 'crypto';\nimport { JWTHeaderParameters } from 'jose';\nimport { AuthenticationError } from '@backstage/errors';\n\nexport const makeProfileInfo = (\n  profile: PassportProfile,\n  idToken?: string,\n): ProfileInfo => {\n  let email: string | undefined = undefined;\n  if (profile.emails && profile.emails.length > 0) {\n    const [firstEmail] = profile.emails;\n    email = firstEmail.value;\n  }\n\n  let picture: string | undefined = undefined;\n  if (profile.avatarUrl) {\n    picture = profile.avatarUrl;\n  } else if (profile.photos && profile.photos.length > 0) {\n    const [firstPhoto] = profile.photos;\n    picture = firstPhoto.value;\n  }\n\n  let displayName: string | undefined =\n    profile.displayName ?? profile.username ?? profile.id;\n\n  if ((!email || !picture || !displayName) && idToken) {\n    try {\n      const decoded: Record<string, string> = jwtDecoder(idToken);\n      if (!email && decoded.email) {\n        email = decoded.email;\n      }\n      if (!picture && decoded.picture) {\n        picture = decoded.picture;\n      }\n      if (!displayName && decoded.name) {\n        displayName = decoded.name;\n      }\n    } catch (e) {\n      throw new Error(`Failed to parse id token and get profile info, ${e}`);\n    }\n  }\n\n  return {\n    email,\n    picture,\n    displayName,\n  };\n};\n\nexport const provisionKeyCache = (region: string, keyCache: NodeCache) => {\n  return async (header: JWTHeaderParameters): Promise<KeyObject> => {\n    if (!header.kid) {\n      throw new AuthenticationError('No key id was specified in header');\n    }\n    const optionalCacheKey = keyCache.get<KeyObject>(header.kid);\n    if (optionalCacheKey) {\n      return crypto.createPublicKey(optionalCacheKey);\n    }\n    const keyText: string = await fetch(\n      `https://public-keys.auth.elb.${encodeURIComponent(\n        region,\n      )}.amazonaws.com/${encodeURIComponent(header.kid)}`,\n    ).then(response => response.text());\n\n    const keyValue = crypto.createPublicKey(keyText);\n    keyCache.set(header.kid, keyValue.export({ format: 'pem', type: 'spki' }));\n    return keyValue;\n  };\n};\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { AwsAlbClaims, AwsAlbResult } from './types';\nimport { jwtVerify } from 'jose';\nimport {\n  PassportProfile,\n  createProxyAuthenticator,\n} from '@backstage/plugin-auth-node';\nimport NodeCache from 'node-cache';\nimport { makeProfileInfo, provisionKeyCache } from './helpers';\n\nexport const ALB_JWT_HEADER = 'x-amzn-oidc-data';\nexport const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken';\n\n/** @public */\nexport const awsAlbAuthenticator = createProxyAuthenticator({\n  defaultProfileTransform: async (result: AwsAlbResult) => {\n    return {\n      profile: makeProfileInfo(result.fullProfile, result.accessToken),\n    };\n  },\n  initialize({ config }) {\n    const issuer = config.getString('issuer');\n    const region = config.getString('region');\n    const keyCache = new NodeCache({ stdTTL: 3600 });\n    const getKey = provisionKeyCache(region, keyCache);\n    return { issuer, getKey };\n  },\n  async authenticate({ req }, { issuer, getKey }) {\n    const jwt = req.header(ALB_JWT_HEADER);\n    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);\n\n    if (jwt === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`,\n      );\n    }\n\n    if (accessToken === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`,\n      );\n    }\n\n    try {\n      const verifyResult = await jwtVerify(jwt, getKey);\n      const claims = verifyResult.payload as AwsAlbClaims;\n\n      if (issuer && claims?.iss !== issuer) {\n        throw new AuthenticationError('Issuer mismatch on JWT token');\n      }\n\n      const fullProfile: PassportProfile = {\n        provider: 'unknown',\n        id: claims.sub,\n        displayName: claims.name,\n        username: claims.email.split('@')[0].toLowerCase(),\n        name: {\n          familyName: claims.family_name,\n          givenName: claims.given_name,\n        },\n        emails: [{ value: claims.email.toLowerCase() }],\n        photos: [{ value: claims.picture }],\n      };\n\n      return {\n        result: {\n          fullProfile,\n          expiresInSeconds: claims.exp,\n          accessToken,\n        },\n      };\n    } catch (e) {\n      throw new Error(`Exception occurred during JWT processing: ${e}`);\n    }\n  },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createSignInResolverFactory,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AwsAlbResult } from './types';\n/**\n * Available sign-in resolvers for the Google auth provider.\n *\n * @public\n */\nexport namespace awsAlbSignInResolvers {\n  export const emailMatchingUserEntityProfileEmail =\n    createSignInResolverFactory({\n      create() {\n        return async (info: SignInInfo<AwsAlbResult>, ctx) => {\n          if (!info.result.fullProfile.emails) {\n            throw new Error(\n              'Login failed, user profile does not contain an email',\n            );\n          }\n          return ctx.signInWithCatalogUser({\n            filter: {\n              kind: ['User'],\n              'spec.profile.email': info.result.fullProfile.emails[0].value,\n            },\n          });\n        };\n      },\n    });\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { awsAlbAuthenticator } from './authenticator';\nimport { awsAlbSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAwsAlbProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'awsAlbProvider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'awsalb',\n          factory: createProxyAuthProviderFactory({\n            authenticator: awsAlbAuthenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n              ...awsAlbSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["jwtDecoder","AuthenticationError","crypto","createProxyAuthenticator","NodeCache","jwtVerify","awsAlbSignInResolvers","createSignInResolverFactory","createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","commonSignInResolvers"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBa,MAAA,eAAA,GAAkB,CAC7B,OAAA,EACA,OACgB,KAAA;AA3BlB,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AA4BE,EAAA,IAAI,KAA4B,GAAA,KAAA,CAAA,CAAA;AAChC,EAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,KAAA,GAAQ,UAAW,CAAA,KAAA,CAAA;AAAA,GACrB;AAEA,EAAA,IAAI,OAA8B,GAAA,KAAA,CAAA,CAAA;AAClC,EAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,IAAA,OAAA,GAAU,OAAQ,CAAA,SAAA,CAAA;AAAA,aACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,OAAA,GAAU,UAAW,CAAA,KAAA,CAAA;AAAA,GACvB;AAEA,EAAA,IAAI,eACF,EAAQ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAA,WAAA,KAAR,YAAuB,OAAQ,CAAA,QAAA,KAA/B,YAA2C,OAAQ,CAAA,EAAA,CAAA;AAErD,EAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,IAAI,IAAA;AACF,MAAM,MAAA,OAAA,GAAkCA,+BAAW,OAAO,CAAA,CAAA;AAC1D,MAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,QAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA,CAAA;AAAA,OAClB;AACA,MAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,QAAA,OAAA,GAAU,OAAQ,CAAA,OAAA,CAAA;AAAA,OACpB;AACA,MAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,QAAA,WAAA,GAAc,OAAQ,CAAA,IAAA,CAAA;AAAA,OACxB;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAAkD,+CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KACvE;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,GACF,CAAA;AACF,CAAA,CAAA;AAEa,MAAA,iBAAA,GAAoB,CAAC,MAAA,EAAgB,QAAwB,KAAA;AACxE,EAAA,OAAO,OAAO,MAAoD,KAAA;AAChE,IAAI,IAAA,CAAC,OAAO,GAAK,EAAA;AACf,MAAM,MAAA,IAAIC,2BAAoB,mCAAmC,CAAA,CAAA;AAAA,KACnE;AACA,IAAA,MAAM,gBAAmB,GAAA,QAAA,CAAS,GAAe,CAAA,MAAA,CAAO,GAAG,CAAA,CAAA;AAC3D,IAAA,IAAI,gBAAkB,EAAA;AACpB,MAAO,OAAAC,iBAAA,CAAO,gBAAgB,gBAAgB,CAAA,CAAA;AAAA,KAChD;AACA,IAAA,MAAM,UAAkB,MAAM,KAAA;AAAA,MAC5B,CAAgC,6BAAA,EAAA,kBAAA;AAAA,QAC9B,MAAA;AAAA,OACD,CAAA,eAAA,EAAkB,kBAAmB,CAAA,MAAA,CAAO,GAAG,CAAC,CAAA,CAAA;AAAA,KACjD,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA,QAAA,CAAS,MAAM,CAAA,CAAA;AAElC,IAAM,MAAA,QAAA,GAAWA,iBAAO,CAAA,eAAA,CAAgB,OAAO,CAAA,CAAA;AAC/C,IAAS,QAAA,CAAA,GAAA,CAAI,MAAO,CAAA,GAAA,EAAK,QAAS,CAAA,MAAA,CAAO,EAAE,MAAA,EAAQ,KAAO,EAAA,IAAA,EAAM,MAAO,EAAC,CAAC,CAAA,CAAA;AACzE,IAAO,OAAA,QAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;AC9DO,MAAM,cAAiB,GAAA,kBAAA,CAAA;AACvB,MAAM,uBAA0B,GAAA,yBAAA,CAAA;AAGhC,MAAM,sBAAsBC,uCAAyB,CAAA;AAAA,EAC1D,uBAAA,EAAyB,OAAO,MAAyB,KAAA;AACvD,IAAO,OAAA;AAAA,MACL,OAAS,EAAA,eAAA,CAAgB,MAAO,CAAA,WAAA,EAAa,OAAO,WAAW,CAAA;AAAA,KACjE,CAAA;AAAA,GACF;AAAA,EACA,UAAA,CAAW,EAAE,MAAA,EAAU,EAAA;AACrB,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAA,MAAM,WAAW,IAAIC,6BAAA,CAAU,EAAE,MAAA,EAAQ,MAAM,CAAA,CAAA;AAC/C,IAAM,MAAA,MAAA,GAAS,iBAAkB,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AACjD,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA,CAAA;AAAA,GAC1B;AAAA,EACA,MAAM,aAAa,EAAE,GAAA,IAAO,EAAE,MAAA,EAAQ,QAAU,EAAA;AAC9C,IAAM,MAAA,GAAA,GAAM,GAAI,CAAA,MAAA,CAAO,cAAc,CAAA,CAAA;AACrC,IAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AAEtD,IAAA,IAAI,QAAQ,KAAW,CAAA,EAAA;AACrB,MAAA,MAAM,IAAIH,0BAAA;AAAA,QACR,4BAA4B,cAAc,CAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAA,IAAI,gBAAgB,KAAW,CAAA,EAAA;AAC7B,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR,4BAA4B,uBAAuB,CAAA,CAAA;AAAA,OACrD,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAMI,cAAU,CAAA,GAAA,EAAK,MAAM,CAAA,CAAA;AAChD,MAAA,MAAM,SAAS,YAAa,CAAA,OAAA,CAAA;AAE5B,MAAI,IAAA,MAAA,IAAA,CAAU,MAAQ,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,MAAA,CAAA,GAAA,MAAQ,MAAQ,EAAA;AACpC,QAAM,MAAA,IAAIJ,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAA,MAAM,WAA+B,GAAA;AAAA,QACnC,QAAU,EAAA,SAAA;AAAA,QACV,IAAI,MAAO,CAAA,GAAA;AAAA,QACX,aAAa,MAAO,CAAA,IAAA;AAAA,QACpB,QAAA,EAAU,OAAO,KAAM,CAAA,KAAA,CAAM,GAAG,CAAE,CAAA,CAAC,EAAE,WAAY,EAAA;AAAA,QACjD,IAAM,EAAA;AAAA,UACJ,YAAY,MAAO,CAAA,WAAA;AAAA,UACnB,WAAW,MAAO,CAAA,UAAA;AAAA,SACpB;AAAA,QACA,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,OAAO,KAAM,CAAA,WAAA,IAAe,CAAA;AAAA,QAC9C,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,SAAS,CAAA;AAAA,OACpC,CAAA;AAEA,MAAO,OAAA;AAAA,QACL,MAAQ,EAAA;AAAA,UACN,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,UACzB,WAAA;AAAA,SACF;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAA6C,0CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KAClE;AAAA,GACF;AACF,CAAC;;ACjEgBK,uCAAA;AAAA,CAAV,CAAUA,sBAAV,KAAA;AACE,EAAMA,sBAAAA,CAAA,sCACXC,0CAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAgC,GAAQ,KAAA;AACpD,QAAA,IAAI,CAAC,IAAA,CAAK,MAAO,CAAA,WAAA,CAAY,MAAQ,EAAA;AACnC,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,MAAQ,EAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,YACb,sBAAsB,IAAK,CAAA,MAAA,CAAO,WAAY,CAAA,MAAA,CAAO,CAAC,CAAE,CAAA,KAAA;AAAA,WAC1D;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAlBY,EAAAD,6BAAA,KAAAA,6BAAA,GAAA,EAAA,CAAA,CAAA;;ACDV,MAAM,2BAA2BE,oCAAoB,CAAA;AAAA,EAC1D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,gBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,QAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAA,mBAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGL,6BAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,38 @@
+/// <reference types="node" />
+import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
+import * as crypto from 'crypto';
+import * as jose from 'jose';
+import { PassportProfile } from '@backstage/plugin-auth-node/';
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+
+/**
+ * JWT header extraction result, containing the raw value and the parsed JWT
+ * payload.
+ *
+ * @public
+ */
+type AwsAlbResult = {
+    fullProfile: PassportProfile;
+    expiresInSeconds?: number;
+    accessToken: string;
+};
+
+/** @public */
+declare const awsAlbAuthenticator: _backstage_plugin_auth_node.ProxyAuthenticator<{
+    issuer: string;
+    getKey: (header: jose.JWTHeaderParameters) => Promise<crypto.KeyObject>;
+}, AwsAlbResult>;
+
+/** @public */
+declare const authModuleAwsAlbProvider: () => _backstage_backend_plugin_api.BackendFeature;
+
+/**
+ * Available sign-in resolvers for the Google auth provider.
+ *
+ * @public
+ */
+declare namespace awsAlbSignInResolvers {
+    const emailMatchingUserEntityProfileEmail: _backstage_plugin_auth_node.SignInResolverFactory<AwsAlbResult, unknown>;
+}
+
+export { AwsAlbResult, authModuleAwsAlbProvider, awsAlbAuthenticator, awsAlbSignInResolvers };

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@backstage/plugin-auth-backend-module-aws-alb-provider",
+  "description": "The aws-alb provider module for the Backstage auth backend.",
+  "version": "0.0.0-nightly-20240126021148",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "backend-plugin-module"
+  },
+  "homepage": "https://backstage.io",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/backstage/backstage",
+    "directory": "plugins/auth-backend-module-aws-alb-provider"
+  },
+  "keywords": [
+    "backstage"
+  ],
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.0.0-nightly-20240126021148",
+    "@backstage/backend-plugin-api": "^0.0.0-nightly-20240126021148",
+    "@backstage/errors": "^1.2.3",
+    "@backstage/plugin-auth-backend": "^0.0.0-nightly-20240126021148",
+    "@backstage/plugin-auth-node": "^0.0.0-nightly-20240126021148",
+    "jose": "^4.6.0",
+    "jwt-decode": "^3.1.0",
+    "node-cache": "^5.1.2"
+  },
+  "devDependencies": {
+    "@backstage/backend-test-utils": "^0.0.0-nightly-20240126021148",
+    "@backstage/cli": "^0.0.0-nightly-20240126021148",
+    "@backstage/config": "^1.1.1",
+    "express": "^4.18.2"
+  },
+  "files": [
+    "dist"
+  ]
+}