npm - @backstage/plugin-auth-backend-module-azure-easyauth-provider - Versions diffs - 0.0.0-nightly-20240420021132 - Mend

@backstage/plugin-auth-backend-module-azure-easyauth-provider 0.0.0-nightly-20240420021132

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,25 @@
+# @backstage/plugin-auth-backend-module-azure-easyauth-provider
+## 0.0.0-nightly-20240420021132
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-plugin-api@0.0.0-nightly-20240420021132
+  - @backstage/catalog-model@1.4.5
+  - @backstage/errors@1.2.4
+  - @backstage/plugin-auth-node@0.0.0-nightly-20240420021132
+## 0.1.0
+### Minor Changes
+- 06a6725: New auth backend module to add `azure-easyauth` provider. Note that as part of this change the default provider ID has been changed from `easyAuth` to `azureEasyAuth`, which means that if you switch to this new module you need to update your app config as well as the `provider` prop of the `ProxiedSignInPage` in the frontend.
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-plugin-api@0.6.17
+  - @backstage/plugin-auth-node@0.4.12
+  - @backstage/catalog-model@1.4.5
+  - @backstage/errors@1.2.4

package/README.md ADDED Viewed

@@ -0,0 +1,5 @@
+# Auth Backend Module - Azure Easy Auth Provider
+## Links
+- [The Backstage homepage](https://backstage.io)

package/dist/index.cjs.js ADDED Viewed

@@ -0,0 +1,123 @@
+'use strict';
+Object.defineProperty(exports, '__esModule', { value: true });
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var errors = require('@backstage/errors');
+var jose = require('jose');
+const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
+const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
+const azureEasyAuthAuthenticator = pluginAuthNode.createProxyAuthenticator({
+  defaultProfileTransform: async (result) => {
+    var _a, _b;
+    return {
+      profile: {
+        displayName: result.fullProfile.displayName,
+        email: (_a = result.fullProfile.emails) == null ? void 0 : _a[0].value,
+        picture: (_b = result.fullProfile.photos) == null ? void 0 : _b[0].value
+      }
+    };
+  },
+  initialize() {
+  },
+  async authenticate({ req }) {
+    const result = await getResult(req);
+    return {
+      result,
+      providerInfo: {
+        accessToken: result.accessToken
+      }
+    };
+  }
+});
+async function getResult(req) {
+  const idToken = req.header(ID_TOKEN_HEADER);
+  const accessToken = req.header(ACCESS_TOKEN_HEADER);
+  if (idToken === void 0) {
+    throw new errors.AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);
+  }
+  return {
+    fullProfile: idTokenToProfile(idToken),
+    accessToken
+  };
+}
+function idTokenToProfile(idToken) {
+  const claims = jose.decodeJwt(idToken);
+  if (claims.ver !== "2.0") {
+    throw new Error("id_token is not version 2.0 ");
+  }
+  return {
+    id: claims.oid,
+    displayName: claims.name,
+    provider: "easyauth",
+    emails: [{ value: claims.email }],
+    username: claims.preferred_username
+  };
+}
+exports.azureEasyAuthSignInResolvers = void 0;
+((azureEasyAuthSignInResolvers2) => {
+  azureEasyAuthSignInResolvers2.idMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        const {
+          fullProfile: { id }
+        } = info.result;
+        if (!id) {
+          throw new Error("User profile contained no id");
+        }
+        return await ctx.signInWithCatalogUser({
+          annotations: {
+            "graph.microsoft.com/user-id": id
+          }
+        });
+      };
+    }
+  });
+})(exports.azureEasyAuthSignInResolvers || (exports.azureEasyAuthSignInResolvers = {}));
+const authModuleAzureEasyAuthProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "azure-easyauth-provider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        validateAppServiceConfiguration(process.env);
+        providers.registerProvider({
+          providerId: "azureEasyAuth",
+          factory: pluginAuthNode.createProxyAuthProviderFactory({
+            authenticator: azureEasyAuthAuthenticator,
+            signInResolverFactories: {
+              ...pluginAuthNode.commonSignInResolvers,
+              ...exports.azureEasyAuthSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+function validateAppServiceConfiguration(env) {
+  var _a, _b, _c;
+  if (env.WEBSITE_SKU === void 0) {
+    throw new Error("Backstage is not running on Azure App Services");
+  }
+  if (((_a = env.WEBSITE_AUTH_ENABLED) == null ? void 0 : _a.toLocaleLowerCase("en-US")) !== "true") {
+    throw new Error("Azure App Services does not have authentication enabled");
+  }
+  if (((_b = env.WEBSITE_AUTH_DEFAULT_PROVIDER) == null ? void 0 : _b.toLocaleLowerCase("en-US")) !== "azureactivedirectory") {
+    throw new Error("Authentication provider is not Entra ID");
+  }
+  if (((_c = env.WEBSITE_AUTH_TOKEN_STORE) == null ? void 0 : _c.toLocaleLowerCase("en-US")) !== "true") {
+    throw new Error("Token Store is not enabled");
+  }
+}
+exports.azureEasyAuthAuthenticator = azureEasyAuthAuthenticator;
+exports.default = authModuleAzureEasyAuthProvider;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.cjs.js","sources":["../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { createProxyAuthenticator } from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\nimport { Request } from 'express';\nimport { Profile } from 'passport';\nimport { decodeJwt } from 'jose';\n\nexport const ID_TOKEN_HEADER = 'x-ms-token-aad-id-token';\nexport const ACCESS_TOKEN_HEADER = 'x-ms-token-aad-access-token';\n\n/** @public */\nexport const azureEasyAuthAuthenticator = createProxyAuthenticator({\n defaultProfileTransform: async (result: AzureEasyAuthResult) => {\n return {\n profile: {\n displayName: result.fullProfile.displayName,\n email: result.fullProfile.emails?.[0].value,\n picture: result.fullProfile.photos?.[0].value,\n },\n };\n },\n initialize() {},\n async authenticate({ req }) {\n const result = await getResult(req);\n return {\n result,\n providerInfo: {\n accessToken: result.accessToken,\n },\n };\n },\n});\n\nasync function getResult(req: Request): Promise<AzureEasyAuthResult> {\n const idToken = req.header(ID_TOKEN_HEADER);\n const accessToken = req.header(ACCESS_TOKEN_HEADER);\n if (idToken === undefined) {\n throw new AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);\n }\n\n return {\n fullProfile: idTokenToProfile(idToken),\n accessToken: accessToken,\n };\n}\n\nfunction idTokenToProfile(idToken: string) {\n const claims = decodeJwt(idToken);\n\n if (claims.ver !== '2.0') {\n throw new Error('id_token is not version 2.0 ');\n }\n\n return {\n id: claims.oid,\n displayName: claims.name,\n provider: 'easyauth',\n emails: [{ value: claims.email }],\n username: claims.preferred_username,\n } as Profile;\n}\n","/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n createSignInResolverFactory,\n SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\n\n/** @public */\nexport namespace azureEasyAuthSignInResolvers {\n export const idMatchingUserEntityAnnotation = createSignInResolverFactory({\n create() {\n return async (info: SignInInfo<AzureEasyAuthResult>, ctx) => {\n const {\n fullProfile: { id },\n } = info.result;\n\n if (!id) {\n throw new Error('User profile contained no id');\n }\n\n return await ctx.signInWithCatalogUser({\n annotations: {\n 'graph.microsoft.com/user-id': id,\n },\n });\n };\n },\n });\n}\n","/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n authProvidersExtensionPoint,\n commonSignInResolvers,\n createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { azureEasyAuthAuthenticator } from './authenticator';\nimport { azureEasyAuthSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAzureEasyAuthProvider = createBackendModule({\n pluginId: 'auth',\n moduleId: 'azure-easyauth-provider',\n register(reg) {\n reg.registerInit({\n deps: {\n providers: authProvidersExtensionPoint,\n },\n async init({ providers }) {\n validateAppServiceConfiguration(process.env);\n providers.registerProvider({\n providerId: 'azureEasyAuth',\n factory: createProxyAuthProviderFactory({\n authenticator: azureEasyAuthAuthenticator,\n signInResolverFactories: {\n ...commonSignInResolvers,\n ...azureEasyAuthSignInResolvers,\n },\n }),\n });\n },\n });\n },\n});\n\nfunction validateAppServiceConfiguration(env: NodeJS.ProcessEnv) {\n // Based on https://github.com/AzureAD/microsoft-identity-web/blob/f7403779d1a91f4a3fec0ed0993bd82f50f299e1/src/Microsoft.Identity.Web/AppServicesAuth/AppServicesAuthenticationInformation.cs#L38-L59\n //\n // It's critical to validate we're really running in a correctly configured Azure App Services,\n // As we rely on App Services to manage & validate the ID and Access Token headers\n // Without that, this users can be trivially impersonated.\n if (env.WEBSITE_SKU === undefined) {\n throw new Error('Backstage is not running on Azure App Services');\n }\n if (env.WEBSITE_AUTH_ENABLED?.toLocaleLowerCase('en-US') !== 'true') {\n throw new Error('Azure App Services does not have authentication enabled');\n }\n if (\n env.WEBSITE_AUTH_DEFAULT_PROVIDER?.toLocaleLowerCase('en-US') !==\n 'azureactivedirectory'\n ) {\n throw new Error('Authentication provider is not Entra ID');\n }\n if (env.WEBSITE_AUTH_TOKEN_STORE?.toLocaleLowerCase('en-US') !== 'true') {\n throw new Error('Token Store is not enabled');\n }\n}\n"],"names":["createProxyAuthenticator","AuthenticationError","decodeJwt","azureEasyAuthSignInResolvers","createSignInResolverFactory","createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","commonSignInResolvers"],"mappings":";;;;;;;;;AAuBO,MAAM,eAAkB,GAAA,yBAAA,CAAA;AACxB,MAAM,mBAAsB,GAAA,6BAAA,CAAA;AAG5B,MAAM,6BAA6BA,uCAAyB,CAAA;AAAA,EACjE,uBAAA,EAAyB,OAAO,MAAgC,KAAA;AA5BlE,IAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AA6BI,IAAO,OAAA;AAAA,MACL,OAAS,EAAA;AAAA,QACP,WAAA,EAAa,OAAO,WAAY,CAAA,WAAA;AAAA,QAChC,KAAO,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,WAAY,CAAA,MAAA,KAAnB,mBAA4B,CAAG,CAAA,CAAA,KAAA;AAAA,QACtC,OAAS,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,WAAY,CAAA,MAAA,KAAnB,mBAA4B,CAAG,CAAA,CAAA,KAAA;AAAA,OAC1C;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EACA,UAAa,GAAA;AAAA,GAAC;AAAA,EACd,MAAM,YAAA,CAAa,EAAE,GAAA,EAAO,EAAA;AAC1B,IAAM,MAAA,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA,CAAA;AAClC,IAAO,OAAA;AAAA,MACL,MAAA;AAAA,MACA,YAAc,EAAA;AAAA,QACZ,aAAa,MAAO,CAAA,WAAA;AAAA,OACtB;AAAA,KACF,CAAA;AAAA,GACF;AACF,CAAC,EAAA;AAED,eAAe,UAAU,GAA4C,EAAA;AACnE,EAAM,MAAA,OAAA,GAAU,GAAI,CAAA,MAAA,CAAO,eAAe,CAAA,CAAA;AAC1C,EAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA;AAClD,EAAA,IAAI,YAAY,KAAW,CAAA,EAAA;AACzB,IAAA,MAAM,IAAIC,0BAAA,CAAoB,CAAW,QAAA,EAAA,eAAe,CAAS,OAAA,CAAA,CAAA,CAAA;AAAA,GACnE;AAEA,EAAO,OAAA;AAAA,IACL,WAAA,EAAa,iBAAiB,OAAO,CAAA;AAAA,IACrC,WAAA;AAAA,GACF,CAAA;AACF,CAAA;AAEA,SAAS,iBAAiB,OAAiB,EAAA;AACzC,EAAM,MAAA,MAAA,GAASC,eAAU,OAAO,CAAA,CAAA;AAEhC,EAAI,IAAA,MAAA,CAAO,QAAQ,KAAO,EAAA;AACxB,IAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,GAChD;AAEA,EAAO,OAAA;AAAA,IACL,IAAI,MAAO,CAAA,GAAA;AAAA,IACX,aAAa,MAAO,CAAA,IAAA;AAAA,IACpB,QAAU,EAAA,UAAA;AAAA,IACV,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,OAAO,CAAA;AAAA,IAChC,UAAU,MAAO,CAAA,kBAAA;AAAA,GACnB,CAAA;AACF;;ACrDiBC,8CAAA;AAAA,CAAV,CAAUA,6BAAV,KAAA;AACE,EAAMA,6BAAAA,CAAA,iCAAiCC,0CAA4B,CAAA;AAAA,IACxE,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAuC,GAAQ,KAAA;AAC3D,QAAM,MAAA;AAAA,UACJ,WAAA,EAAa,EAAE,EAAG,EAAA;AAAA,YAChB,IAAK,CAAA,MAAA,CAAA;AAET,QAAA,IAAI,CAAC,EAAI,EAAA;AACP,UAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,SAChD;AAEA,QAAO,OAAA,MAAM,IAAI,qBAAsB,CAAA;AAAA,UACrC,WAAa,EAAA;AAAA,YACX,6BAA+B,EAAA,EAAA;AAAA,WACjC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAnBc,EAAAD,oCAAA,KAAAA,oCAAA,GAAA,EAAA,CAAA,CAAA;;ACGV,MAAM,kCAAkCE,oCAAoB,CAAA;AAAA,EACjE,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,yBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,+BAAA,CAAgC,QAAQ,GAAG,CAAA,CAAA;AAC3C,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,eAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAA,0BAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGL,oCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC,EAAA;AAED,SAAS,gCAAgC,GAAwB,EAAA;AAnDjE,EAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAyDE,EAAI,IAAA,GAAA,CAAI,gBAAgB,KAAW,CAAA,EAAA;AACjC,IAAM,MAAA,IAAI,MAAM,gDAAgD,CAAA,CAAA;AAAA,GAClE;AACA,EAAA,IAAA,CAAA,CAAI,EAAI,GAAA,GAAA,CAAA,oBAAA,KAAJ,IAA0B,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,iBAAA,CAAkB,cAAa,MAAQ,EAAA;AACnE,IAAM,MAAA,IAAI,MAAM,yDAAyD,CAAA,CAAA;AAAA,GAC3E;AACA,EAAA,IAAA,CAAA,CACE,EAAI,GAAA,GAAA,CAAA,6BAAA,KAAJ,IAAmC,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,iBAAA,CAAkB,cACrD,sBACA,EAAA;AACA,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA,CAAA;AAAA,GAC3D;AACA,EAAA,IAAA,CAAA,CAAI,EAAI,GAAA,GAAA,CAAA,wBAAA,KAAJ,IAA8B,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,iBAAA,CAAkB,cAAa,MAAQ,EAAA;AACvE,IAAM,MAAA,IAAI,MAAM,4BAA4B,CAAA,CAAA;AAAA,GAC9C;AACF;;;;;"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
+import { Profile } from 'passport';
+/** @public */
+declare const authModuleAzureEasyAuthProvider: () => _backstage_backend_plugin_api.BackendFeature;
+/** @public */
+type AzureEasyAuthResult = {
+    fullProfile: Profile;
+    accessToken?: string;
+};
+/** @public */
+declare const azureEasyAuthAuthenticator: _backstage_plugin_auth_node.ProxyAuthenticator<void, AzureEasyAuthResult, {
+    accessToken: string | undefined;
+}>;
+/** @public */
+declare namespace azureEasyAuthSignInResolvers {
+    const idMatchingUserEntityAnnotation: _backstage_plugin_auth_node.SignInResolverFactory<AzureEasyAuthResult, unknown>;
+}
+export { type AzureEasyAuthResult, azureEasyAuthAuthenticator, azureEasyAuthSignInResolvers, authModuleAzureEasyAuthProvider as default };

package/package.json ADDED Viewed

@@ -0,0 +1,48 @@
+{
+  "name": "@backstage/plugin-auth-backend-module-azure-easyauth-provider",
+  "version": "0.0.0-nightly-20240420021132",
+  "description": "The azure-easyauth-provider backend module for the auth plugin.",
+  "backstage": {
+    "role": "backend-plugin-module"
+  },
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/backstage/backstage",
+    "directory": "plugins/auth-backend-module-azure-easyauth-provider"
+  },
+  "license": "Apache-2.0",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "backstage-cli package build",
+    "clean": "backstage-cli package clean",
+    "lint": "backstage-cli package lint",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack",
+    "start": "backstage-cli package start",
+    "test": "backstage-cli package test"
+  },
+  "dependencies": {
+    "@backstage/backend-plugin-api": "^0.0.0-nightly-20240420021132",
+    "@backstage/catalog-model": "^1.4.5",
+    "@backstage/errors": "^1.2.4",
+    "@backstage/plugin-auth-node": "^0.0.0-nightly-20240420021132",
+    "@types/passport": "^1.0.16",
+    "express": "^4.19.2",
+    "jose": "^5.0.0",
+    "passport": "^0.7.0"
+  },
+  "devDependencies": {
+    "@backstage/backend-test-utils": "^0.0.0-nightly-20240420021132",
+    "@backstage/cli": "^0.0.0-nightly-20240420021132",
+    "@backstage/plugin-auth-backend": "^0.0.0-nightly-20240420021132"
+  }
+}