@backstage/plugin-auth-backend-module-microsoft-provider 0.2.0 → 0.2.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @backstage/plugin-auth-backend-module-microsoft-provider
 
+## 0.2.1-next.1
+
+### Patch Changes
+
+- 217458a: Updated configuration schema to include the new `allowedDomains` option for the `emailLocalPartMatchingUserEntityName` sign-in resolver.
+- daa02d6: Add `skipUserProfile` config flag to Microsoft authenticator
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.5.3-next.1
+  - @backstage/backend-plugin-api@1.0.1-next.1
+
+## 0.2.1-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.5.3-next.0
+  - @backstage/backend-plugin-api@1.0.1-next.0
+
 ## 0.2.0
 
 ### Minor Changes

package/config.d.ts

@@ -29,10 +29,14 @@ export interface Config {
           domainHint?: string;
           callbackUrl?: string;
           additionalScopes?: string | string[];
+          skipUserProfile?: boolean;
           signIn?: {
             resolvers: Array<
               | { resolver: 'emailMatchingUserEntityAnnotation' }
-              | { resolver: 'emailLocalPartMatchingUserEntityName' }
+              | {
+                  resolver: 'emailLocalPartMatchingUserEntityName';
+                  allowedDomains?: string[];
+                }
               | { resolver: 'emailMatchingUserEntityProfileEmail' }
             >;
           };

package/dist/authenticator.cjs.js

@@ -0,0 +1,60 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var strategy = require('./strategy.cjs.js');
+
+const microsoftAuthenticator = pluginAuthNode.createOAuthAuthenticator({
+  defaultProfileTransform: pluginAuthNode.PassportOAuthAuthenticatorHelper.defaultProfileTransform,
+  scopes: {
+    required: ["email", "openid", "offline_access", "user.read"],
+    transform({ requested, granted, required, additional }) {
+      const hasResourceScope = Array.from(requested).some((s) => s.includes("/"));
+      if (hasResourceScope) {
+        return [...requested, "offline_access"];
+      }
+      return [...requested, ...granted, ...required, ...additional];
+    }
+  },
+  initialize({ callbackUrl, config }) {
+    const clientId = config.getString("clientId");
+    const clientSecret = config.getString("clientSecret");
+    const tenantId = config.getString("tenantId");
+    const domainHint = config.getOptionalString("domainHint");
+    const skipUserProfile = config.getOptionalBoolean("skipUserProfile") ?? false;
+    const strategy$1 = new strategy.ExtendedMicrosoftStrategy(
+      {
+        clientID: clientId,
+        clientSecret,
+        callbackURL: callbackUrl,
+        tenant: tenantId
+      },
+      (accessToken, refreshToken, params, fullProfile, done) => {
+        done(void 0, { fullProfile, params, accessToken }, { refreshToken });
+      }
+    );
+    strategy$1.setSkipUserProfile(skipUserProfile);
+    const helper = pluginAuthNode.PassportOAuthAuthenticatorHelper.from(strategy$1);
+    return {
+      helper,
+      domainHint
+    };
+  },
+  async start(input, ctx) {
+    const options = {
+      accessType: "offline"
+    };
+    if (ctx.domainHint !== void 0) {
+      options.domain_hint = ctx.domainHint;
+    }
+    return ctx.helper.start(input, options);
+  },
+  async authenticate(input, ctx) {
+    return ctx.helper.authenticate(input);
+  },
+  async refresh(input, ctx) {
+    return ctx.helper.refresh(input);
+  }
+});
+
+exports.microsoftAuthenticator = microsoftAuthenticator;
+//# sourceMappingURL=authenticator.cjs.js.map

package/dist/authenticator.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createOAuthAuthenticator,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { ExtendedMicrosoftStrategy } from './strategy';\n\n/** @public */\nexport const microsoftAuthenticator = createOAuthAuthenticator({\n  defaultProfileTransform:\n    PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n  scopes: {\n    required: ['email', 'openid', 'offline_access', 'user.read'],\n    transform({ requested, granted, required, additional }) {\n      // Resources scopes are of the form `<resource>/<scope>`, and are handled\n      // separately from the normal scopes in the client. When request a\n      // resource scope we should only include forward the request scope along\n      // with offline_access.\n      const hasResourceScope = Array.from(requested).some(s => s.includes('/'));\n      if (hasResourceScope) {\n        return [...requested, 'offline_access'];\n      }\n      return [...requested, ...granted, ...required, ...additional];\n    },\n  },\n  initialize({ callbackUrl, config }) {\n    const clientId = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const tenantId = config.getString('tenantId');\n    const domainHint = config.getOptionalString('domainHint');\n    const skipUserProfile =\n      config.getOptionalBoolean('skipUserProfile') ?? false;\n\n    const strategy = new ExtendedMicrosoftStrategy(\n      {\n        clientID: clientId,\n        clientSecret: clientSecret,\n        callbackURL: callbackUrl,\n        tenant: tenantId,\n      },\n      (\n        accessToken: string,\n        refreshToken: string,\n        params: any,\n        fullProfile: PassportProfile,\n        done: PassportOAuthDoneCallback,\n      ) => {\n        done(undefined, { fullProfile, params, accessToken }, { refreshToken });\n      },\n    );\n\n    strategy.setSkipUserProfile(skipUserProfile);\n    const helper = PassportOAuthAuthenticatorHelper.from(strategy);\n\n    return {\n      helper,\n      domainHint,\n    };\n  },\n\n  async start(input, ctx) {\n    const options: Record<string, string> = {\n      accessType: 'offline',\n    };\n\n    if (ctx.domainHint !== undefined) {\n      options.domain_hint = ctx.domainHint;\n    }\n\n    return ctx.helper.start(input, options);\n  },\n\n  async authenticate(input, ctx) {\n    return ctx.helper.authenticate(input);\n  },\n\n  async refresh(input, ctx) {\n    return ctx.helper.refresh(input);\n  },\n});\n"],"names":["createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","strategy","ExtendedMicrosoftStrategy"],"mappings":";;;;;AAyBO,MAAM,yBAAyBA,uCAAyB,CAAA;AAAA,EAC7D,yBACEC,+CAAiC,CAAA,uBAAA;AAAA,EACnC,MAAQ,EAAA;AAAA,IACN,QAAU,EAAA,CAAC,OAAS,EAAA,QAAA,EAAU,kBAAkB,WAAW,CAAA;AAAA,IAC3D,UAAU,EAAE,SAAA,EAAW,OAAS,EAAA,QAAA,EAAU,YAAc,EAAA;AAKtD,MAAM,MAAA,gBAAA,GAAmB,KAAM,CAAA,IAAA,CAAK,SAAS,CAAA,CAAE,KAAK,CAAK,CAAA,KAAA,CAAA,CAAE,QAAS,CAAA,GAAG,CAAC,CAAA,CAAA;AACxE,MAAA,IAAI,gBAAkB,EAAA;AACpB,QAAO,OAAA,CAAC,GAAG,SAAA,EAAW,gBAAgB,CAAA,CAAA;AAAA,OACxC;AACA,MAAO,OAAA,CAAC,GAAG,SAAW,EAAA,GAAG,SAAS,GAAG,QAAA,EAAU,GAAG,UAAU,CAAA,CAAA;AAAA,KAC9D;AAAA,GACF;AAAA,EACA,UAAW,CAAA,EAAE,WAAa,EAAA,MAAA,EAAU,EAAA;AAClC,IAAM,MAAA,QAAA,GAAW,MAAO,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAC5C,IAAM,MAAA,YAAA,GAAe,MAAO,CAAA,SAAA,CAAU,cAAc,CAAA,CAAA;AACpD,IAAM,MAAA,QAAA,GAAW,MAAO,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAC5C,IAAM,MAAA,UAAA,GAAa,MAAO,CAAA,iBAAA,CAAkB,YAAY,CAAA,CAAA;AACxD,IAAA,MAAM,eACJ,GAAA,MAAA,CAAO,kBAAmB,CAAA,iBAAiB,CAAK,IAAA,KAAA,CAAA;AAElD,IAAA,MAAMC,aAAW,IAAIC,kCAAA;AAAA,MACnB;AAAA,QACE,QAAU,EAAA,QAAA;AAAA,QACV,YAAA;AAAA,QACA,WAAa,EAAA,WAAA;AAAA,QACb,MAAQ,EAAA,QAAA;AAAA,OACV;AAAA,MACA,CACE,WAAA,EACA,YACA,EAAA,MAAA,EACA,aACA,IACG,KAAA;AACH,QAAK,IAAA,CAAA,KAAA,CAAA,EAAW,EAAE,WAAa,EAAA,MAAA,EAAQ,aAAe,EAAA,EAAE,cAAc,CAAA,CAAA;AAAA,OACxE;AAAA,KACF,CAAA;AAEA,IAAAD,UAAA,CAAS,mBAAmB,eAAe,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAASD,+CAAiC,CAAA,IAAA,CAAKC,UAAQ,CAAA,CAAA;AAE7D,IAAO,OAAA;AAAA,MACL,MAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,KAAM,CAAA,KAAA,EAAO,GAAK,EAAA;AACtB,IAAA,MAAM,OAAkC,GAAA;AAAA,MACtC,UAAY,EAAA,SAAA;AAAA,KACd,CAAA;AAEA,IAAI,IAAA,GAAA,CAAI,eAAe,KAAW,CAAA,EAAA;AAChC,MAAA,OAAA,CAAQ,cAAc,GAAI,CAAA,UAAA,CAAA;AAAA,KAC5B;AAEA,IAAA,OAAO,GAAI,CAAA,MAAA,CAAO,KAAM,CAAA,KAAA,EAAO,OAAO,CAAA,CAAA;AAAA,GACxC;AAAA,EAEA,MAAM,YAAa,CAAA,KAAA,EAAO,GAAK,EAAA;AAC7B,IAAO,OAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GACtC;AAAA,EAEA,MAAM,OAAQ,CAAA,KAAA,EAAO,GAAK,EAAA;AACxB,IAAO,OAAA,GAAA,CAAI,MAAO,CAAA,OAAA,CAAQ,KAAK,CAAA,CAAA;AAAA,GACjC;AACF,CAAC;;;;"}

package/dist/deprecated.cjs.js

@@ -0,0 +1,8 @@
+'use strict';
+
+var module$1 = require('./module.cjs.js');
+
+const authModuleMicrosoftProvider = module$1.authModuleMicrosoftProvider;
+
+exports.authModuleMicrosoftProvider = authModuleMicrosoftProvider;
+//# sourceMappingURL=deprecated.cjs.js.map

package/dist/deprecated.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deprecated.cjs.js","sources":["../src/deprecated.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { authModuleMicrosoftProvider as deprecatedAuthModuleMicrosoftProvider } from './module';\n\n/**\n * @public\n * @deprecated Use default import instead\n */\nexport const authModuleMicrosoftProvider =\n  deprecatedAuthModuleMicrosoftProvider;\n"],"names":["deprecatedAuthModuleMicrosoftProvider"],"mappings":";;;;AAsBO,MAAM,2BACX,GAAAA;;;;"}

package/dist/index.cjs.js

@@ -2,197 +2,18 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var jose = require('jose');
-var fetch = require('node-fetch');
-var passportMicrosoft = require('passport-microsoft');
-var backendPluginApi = require('@backstage/backend-plugin-api');
+var authenticator = require('./authenticator.cjs.js');
+var module$1 = require('./module.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
+var deprecated = require('./deprecated.cjs.js');
 
-function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
 
-var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
 
-class ExtendedMicrosoftStrategy extends passportMicrosoft.Strategy {
-  userProfile(accessToken, done) {
-    if (this.skipUserProfile(accessToken)) {
-      done(null, void 0);
-      return;
-    }
-    super.userProfile(
-      accessToken,
-      (err, profile) => {
-        if (!profile || profile.photos) {
-          done(err, profile);
-          return;
-        }
-        this.getProfilePhotos(accessToken).then((photos) => {
-          profile.photos = photos;
-          done(err, profile);
-        });
-      }
-    );
-  }
-  hasGraphReadScope(accessToken) {
-    const { aud, scp } = jose.decodeJwt(accessToken);
-    return aud === "00000003-0000-0000-c000-000000000000" && !!scp && scp.split(" ").map((s) => s.toLocaleLowerCase("en-US")).some(
-      (s) => [
-        "https://graph.microsoft.com/user.read",
-        "https://graph.microsoft.com/user.read.all",
-        "user.read",
-        "user.read.all"
-      ].includes(s)
-    );
-  }
-  skipUserProfile(accessToken) {
-    try {
-      return !this.hasGraphReadScope(accessToken);
-    } catch {
-      return false;
-    }
-  }
-  async getProfilePhotos(accessToken) {
-    return this.getCurrentUserPhoto(accessToken, "96x96").then(
-      (photo) => photo ? [{ value: photo }] : void 0
-    );
-  }
-  async getCurrentUserPhoto(accessToken, size) {
-    try {
-      const res = await fetch__default.default(
-        `https://graph.microsoft.com/v1.0/me/photos/${size}/$value`,
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        }
-      );
-      const data = await res.buffer();
-      return `data:image/jpeg;base64,${data.toString("base64")}`;
-    } catch (error) {
-      return void 0;
-    }
-  }
-}
-
-const microsoftAuthenticator = pluginAuthNode.createOAuthAuthenticator({
-  defaultProfileTransform: pluginAuthNode.PassportOAuthAuthenticatorHelper.defaultProfileTransform,
-  scopes: {
-    required: ["email", "openid", "offline_access", "user.read"],
-    transform({ requested, granted, required, additional }) {
-      const hasResourceScope = Array.from(requested).some((s) => s.includes("/"));
-      if (hasResourceScope) {
-        return [...requested, "offline_access"];
-      }
-      return [...requested, ...granted, ...required, ...additional];
-    }
-  },
-  initialize({ callbackUrl, config }) {
-    const clientId = config.getString("clientId");
-    const clientSecret = config.getString("clientSecret");
-    const tenantId = config.getString("tenantId");
-    const domainHint = config.getOptionalString("domainHint");
-    const helper = pluginAuthNode.PassportOAuthAuthenticatorHelper.from(
-      new ExtendedMicrosoftStrategy(
-        {
-          clientID: clientId,
-          clientSecret,
-          callbackURL: callbackUrl,
-          tenant: tenantId
-        },
-        (accessToken, refreshToken, params, fullProfile, done) => {
-          done(
-            void 0,
-            { fullProfile, params, accessToken },
-            { refreshToken }
-          );
-        }
-      )
-    );
-    return {
-      helper,
-      domainHint
-    };
-  },
-  async start(input, ctx) {
-    const options = {
-      accessType: "offline"
-    };
-    if (ctx.domainHint !== void 0) {
-      options.domain_hint = ctx.domainHint;
-    }
-    return ctx.helper.start(input, options);
-  },
-  async authenticate(input, ctx) {
-    return ctx.helper.authenticate(input);
-  },
-  async refresh(input, ctx) {
-    return ctx.helper.refresh(input);
-  }
-});
-
-exports.microsoftSignInResolvers = void 0;
-((microsoftSignInResolvers2) => {
-  microsoftSignInResolvers2.emailMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory({
-    create() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error("Microsoft profile contained no email");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "microsoft.com/email": profile.email
-          }
-        });
-      };
-    }
-  });
-  microsoftSignInResolvers2.userIdMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory(
-    {
-      create() {
-        return async (info, ctx) => {
-          const { result } = info;
-          const id = result.fullProfile.id;
-          if (!id) {
-            throw new Error("Microsoft profile contained no id");
-          }
-          return ctx.signInWithCatalogUser({
-            annotations: {
-              "graph.microsoft.com/user-id": id
-            }
-          });
-        };
-      }
-    }
-  );
-})(exports.microsoftSignInResolvers || (exports.microsoftSignInResolvers = {}));
-
-const authModuleMicrosoftProvider$1 = backendPluginApi.createBackendModule({
-  pluginId: "auth",
-  moduleId: "microsoft-provider",
-  register(reg) {
-    reg.registerInit({
-      deps: {
-        providers: pluginAuthNode.authProvidersExtensionPoint
-      },
-      async init({ providers }) {
-        providers.registerProvider({
-          providerId: "microsoft",
-          factory: pluginAuthNode.createOAuthProviderFactory({
-            authenticator: microsoftAuthenticator,
-            signInResolverFactories: {
-              ...exports.microsoftSignInResolvers,
-              ...pluginAuthNode.commonSignInResolvers
-            }
-          })
-        });
-      }
-    });
-  }
+exports.microsoftAuthenticator = authenticator.microsoftAuthenticator;
+exports.default = module$1.authModuleMicrosoftProvider;
+Object.defineProperty(exports, "microsoftSignInResolvers", {
+	enumerable: true,
+	get: function () { return resolvers.microsoftSignInResolvers; }
 });
-
-const authModuleMicrosoftProvider = authModuleMicrosoftProvider$1;
-
-exports.authModuleMicrosoftProvider = authModuleMicrosoftProvider;
-exports.default = authModuleMicrosoftProvider$1;
-exports.microsoftAuthenticator = microsoftAuthenticator;
+exports.authModuleMicrosoftProvider = deprecated.authModuleMicrosoftProvider;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/strategy.ts","../src/authenticator.ts","../src/resolvers.ts","../src/module.ts","../src/deprecated.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PassportProfile } from '@backstage/plugin-auth-node';\nimport { decodeJwt } from 'jose';\nimport fetch from 'node-fetch';\nimport { Strategy as MicrosoftStrategy } from 'passport-microsoft';\n\nexport class ExtendedMicrosoftStrategy extends MicrosoftStrategy {\n  userProfile(\n    accessToken: string,\n    done: (err?: unknown, profile?: PassportProfile) => void,\n  ): void {\n    if (this.skipUserProfile(accessToken)) {\n      done(null, undefined);\n      return;\n    }\n\n    super.userProfile(\n      accessToken,\n      (err?: unknown, profile?: PassportProfile) => {\n        if (!profile || profile.photos) {\n          done(err, profile);\n          return;\n        }\n\n        this.getProfilePhotos(accessToken).then(photos => {\n          profile.photos = photos;\n          done(err, profile);\n        });\n      },\n    );\n  }\n\n  private hasGraphReadScope(accessToken: string): boolean {\n    const { aud, scp } = decodeJwt(accessToken);\n    return (\n      aud === '00000003-0000-0000-c000-000000000000' &&\n      !!scp &&\n      (scp as string)\n        .split(' ')\n        .map(s => s.toLocaleLowerCase('en-US'))\n        .some(s =>\n          [\n            'https://graph.microsoft.com/user.read',\n            'https://graph.microsoft.com/user.read.all',\n            'user.read',\n            'user.read.all',\n          ].includes(s),\n        )\n    );\n  }\n\n  private skipUserProfile(accessToken: string): boolean {\n    try {\n      return !this.hasGraphReadScope(accessToken);\n    } catch {\n      // If there is any error with checking the scope\n      // we fall back to not skipping the user profile\n      // which may still result in an auth failure\n      // e.g. due to a foreign scope.\n      return false;\n    }\n  }\n\n  private async getProfilePhotos(\n    accessToken: string,\n  ): Promise<Array<{ value: string }> | undefined> {\n    return this.getCurrentUserPhoto(accessToken, '96x96').then(photo =>\n      photo ? [{ value: photo }] : undefined,\n    );\n  }\n\n  private async getCurrentUserPhoto(\n    accessToken: string,\n    size: string,\n  ): Promise<string | undefined> {\n    try {\n      const res = await fetch(\n        `https://graph.microsoft.com/v1.0/me/photos/${size}/$value`,\n        {\n          headers: {\n            Authorization: `Bearer ${accessToken}`,\n          },\n        },\n      );\n      const data = await res.buffer();\n\n      return `data:image/jpeg;base64,${data.toString('base64')}`;\n    } catch (error) {\n      return undefined;\n    }\n  }\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createOAuthAuthenticator,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthDoneCallback,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport { ExtendedMicrosoftStrategy } from './strategy';\n\n/** @public */\nexport const microsoftAuthenticator = createOAuthAuthenticator({\n  defaultProfileTransform:\n    PassportOAuthAuthenticatorHelper.defaultProfileTransform,\n  scopes: {\n    required: ['email', 'openid', 'offline_access', 'user.read'],\n    transform({ requested, granted, required, additional }) {\n      // Resources scopes are of the form `<resource>/<scope>`, and are handled\n      // separately from the normal scopes in the client. When request a\n      // resource scope we should only include forward the request scope along\n      // with offline_access.\n      const hasResourceScope = Array.from(requested).some(s => s.includes('/'));\n      if (hasResourceScope) {\n        return [...requested, 'offline_access'];\n      }\n      return [...requested, ...granted, ...required, ...additional];\n    },\n  },\n  initialize({ callbackUrl, config }) {\n    const clientId = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const tenantId = config.getString('tenantId');\n    const domainHint = config.getOptionalString('domainHint');\n\n    const helper = PassportOAuthAuthenticatorHelper.from(\n      new ExtendedMicrosoftStrategy(\n        {\n          clientID: clientId,\n          clientSecret: clientSecret,\n          callbackURL: callbackUrl,\n          tenant: tenantId,\n        },\n        (\n          accessToken: string,\n          refreshToken: string,\n          params: any,\n          fullProfile: PassportProfile,\n          done: PassportOAuthDoneCallback,\n        ) => {\n          done(\n            undefined,\n            { fullProfile, params, accessToken },\n            { refreshToken },\n          );\n        },\n      ),\n    );\n\n    return {\n      helper,\n      domainHint,\n    };\n  },\n\n  async start(input, ctx) {\n    const options: Record<string, string> = {\n      accessType: 'offline',\n    };\n\n    if (ctx.domainHint !== undefined) {\n      options.domain_hint = ctx.domainHint;\n    }\n\n    return ctx.helper.start(input, options);\n  },\n\n  async authenticate(input, ctx) {\n    return ctx.helper.authenticate(input);\n  },\n\n  async refresh(input, ctx) {\n    return ctx.helper.refresh(input);\n  },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  OAuthAuthenticatorResult,\n  createSignInResolverFactory,\n  PassportProfile,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\n\n/**\n * Available sign-in resolvers for the Microsoft auth provider.\n *\n * @public\n */\nexport namespace microsoftSignInResolvers {\n  /**\n   * Looks up the user by matching their Microsoft email to the email entity annotation.\n   */\n  export const emailMatchingUserEntityAnnotation = createSignInResolverFactory({\n    create() {\n      return async (\n        info: SignInInfo<OAuthAuthenticatorResult<PassportProfile>>,\n        ctx,\n      ) => {\n        const { profile } = info;\n\n        if (!profile.email) {\n          throw new Error('Microsoft profile contained no email');\n        }\n\n        return ctx.signInWithCatalogUser({\n          annotations: {\n            'microsoft.com/email': profile.email,\n          },\n        });\n      };\n    },\n  });\n  /**\n   * Looks up the user by matching their Microsoft user id to the user id entity annotation.\n   */\n  export const userIdMatchingUserEntityAnnotation = createSignInResolverFactory(\n    {\n      create() {\n        return async (\n          info: SignInInfo<OAuthAuthenticatorResult<PassportProfile>>,\n          ctx,\n        ) => {\n          const { result } = info;\n\n          const id = result.fullProfile.id;\n\n          if (!id) {\n            throw new Error('Microsoft profile contained no id');\n          }\n\n          return ctx.signInWithCatalogUser({\n            annotations: {\n              'graph.microsoft.com/user-id': id,\n            },\n          });\n        };\n      },\n    },\n  );\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createOAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { microsoftAuthenticator } from './authenticator';\nimport { microsoftSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleMicrosoftProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'microsoft-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'microsoft',\n          factory: createOAuthProviderFactory({\n            authenticator: microsoftAuthenticator,\n            signInResolverFactories: {\n              ...microsoftSignInResolvers,\n              ...commonSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { authModuleMicrosoftProvider as deprecatedAuthModuleMicrosoftProvider } from './module';\n\n/**\n * @public\n * @deprecated Use default import instead\n */\nexport const authModuleMicrosoftProvider =\n  deprecatedAuthModuleMicrosoftProvider;\n"],"names":["MicrosoftStrategy","decodeJwt","fetch","createOAuthAuthenticator","PassportOAuthAuthenticatorHelper","microsoftSignInResolvers","createSignInResolverFactory","authModuleMicrosoftProvider","createBackendModule","authProvidersExtensionPoint","createOAuthProviderFactory","commonSignInResolvers","deprecatedAuthModuleMicrosoftProvider"],"mappings":";;;;;;;;;;;;;;AAqBO,MAAM,kCAAkCA,0BAAkB,CAAA;AAAA,EAC/D,WAAA,CACE,aACA,IACM,EAAA;AACN,IAAI,IAAA,IAAA,CAAK,eAAgB,CAAA,WAAW,CAAG,EAAA;AACrC,MAAA,IAAA,CAAK,MAAM,KAAS,CAAA,CAAA,CAAA;AACpB,MAAA,OAAA;AAAA,KACF;AAEA,IAAM,KAAA,CAAA,WAAA;AAAA,MACJ,WAAA;AAAA,MACA,CAAC,KAAe,OAA8B,KAAA;AAC5C,QAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,MAAQ,EAAA;AAC9B,UAAA,IAAA,CAAK,KAAK,OAAO,CAAA,CAAA;AACjB,UAAA,OAAA;AAAA,SACF;AAEA,QAAA,IAAA,CAAK,gBAAiB,CAAA,WAAW,CAAE,CAAA,IAAA,CAAK,CAAU,MAAA,KAAA;AAChD,UAAA,OAAA,CAAQ,MAAS,GAAA,MAAA,CAAA;AACjB,UAAA,IAAA,CAAK,KAAK,OAAO,CAAA,CAAA;AAAA,SAClB,CAAA,CAAA;AAAA,OACH;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEQ,kBAAkB,WAA8B,EAAA;AACtD,IAAA,MAAM,EAAE,GAAA,EAAK,GAAI,EAAA,GAAIC,eAAU,WAAW,CAAA,CAAA;AAC1C,IAAA,OACE,GAAQ,KAAA,sCAAA,IACR,CAAC,CAAC,OACD,GACE,CAAA,KAAA,CAAM,GAAG,CAAA,CACT,IAAI,CAAK,CAAA,KAAA,CAAA,CAAE,iBAAkB,CAAA,OAAO,CAAC,CACrC,CAAA,IAAA;AAAA,MAAK,CACJ,CAAA,KAAA;AAAA,QACE,uCAAA;AAAA,QACA,2CAAA;AAAA,QACA,WAAA;AAAA,QACA,eAAA;AAAA,OACF,CAAE,SAAS,CAAC,CAAA;AAAA,KACd,CAAA;AAAA,GAEN;AAAA,EAEQ,gBAAgB,WAA8B,EAAA;AACpD,IAAI,IAAA;AACF,MAAO,OAAA,CAAC,IAAK,CAAA,iBAAA,CAAkB,WAAW,CAAA,CAAA;AAAA,KACpC,CAAA,MAAA;AAKN,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAAA,GACF;AAAA,EAEA,MAAc,iBACZ,WAC+C,EAAA;AAC/C,IAAA,OAAO,IAAK,CAAA,mBAAA,CAAoB,WAAa,EAAA,OAAO,CAAE,CAAA,IAAA;AAAA,MAAK,WACzD,KAAQ,GAAA,CAAC,EAAE,KAAO,EAAA,KAAA,EAAO,CAAI,GAAA,KAAA,CAAA;AAAA,KAC/B,CAAA;AAAA,GACF;AAAA,EAEA,MAAc,mBACZ,CAAA,WAAA,EACA,IAC6B,EAAA;AAC7B,IAAI,IAAA;AACF,MAAA,MAAM,MAAM,MAAMC,sBAAA;AAAA,QAChB,8CAA8C,IAAI,CAAA,OAAA,CAAA;AAAA,QAClD;AAAA,UACE,OAAS,EAAA;AAAA,YACP,aAAA,EAAe,UAAU,WAAW,CAAA,CAAA;AAAA,WACtC;AAAA,SACF;AAAA,OACF,CAAA;AACA,MAAM,MAAA,IAAA,GAAO,MAAM,GAAA,CAAI,MAAO,EAAA,CAAA;AAE9B,MAAA,OAAO,CAA0B,uBAAA,EAAA,IAAA,CAAK,QAAS,CAAA,QAAQ,CAAC,CAAA,CAAA,CAAA;AAAA,aACjD,KAAO,EAAA;AACd,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AAAA,GACF;AACF;;ACjFO,MAAM,yBAAyBC,uCAAyB,CAAA;AAAA,EAC7D,yBACEC,+CAAiC,CAAA,uBAAA;AAAA,EACnC,MAAQ,EAAA;AAAA,IACN,QAAU,EAAA,CAAC,OAAS,EAAA,QAAA,EAAU,kBAAkB,WAAW,CAAA;AAAA,IAC3D,UAAU,EAAE,SAAA,EAAW,OAAS,EAAA,QAAA,EAAU,YAAc,EAAA;AAKtD,MAAM,MAAA,gBAAA,GAAmB,KAAM,CAAA,IAAA,CAAK,SAAS,CAAA,CAAE,KAAK,CAAK,CAAA,KAAA,CAAA,CAAE,QAAS,CAAA,GAAG,CAAC,CAAA,CAAA;AACxE,MAAA,IAAI,gBAAkB,EAAA;AACpB,QAAO,OAAA,CAAC,GAAG,SAAA,EAAW,gBAAgB,CAAA,CAAA;AAAA,OACxC;AACA,MAAO,OAAA,CAAC,GAAG,SAAW,EAAA,GAAG,SAAS,GAAG,QAAA,EAAU,GAAG,UAAU,CAAA,CAAA;AAAA,KAC9D;AAAA,GACF;AAAA,EACA,UAAW,CAAA,EAAE,WAAa,EAAA,MAAA,EAAU,EAAA;AAClC,IAAM,MAAA,QAAA,GAAW,MAAO,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAC5C,IAAM,MAAA,YAAA,GAAe,MAAO,CAAA,SAAA,CAAU,cAAc,CAAA,CAAA;AACpD,IAAM,MAAA,QAAA,GAAW,MAAO,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAC5C,IAAM,MAAA,UAAA,GAAa,MAAO,CAAA,iBAAA,CAAkB,YAAY,CAAA,CAAA;AAExD,IAAA,MAAM,SAASA,+CAAiC,CAAA,IAAA;AAAA,MAC9C,IAAI,yBAAA;AAAA,QACF;AAAA,UACE,QAAU,EAAA,QAAA;AAAA,UACV,YAAA;AAAA,UACA,WAAa,EAAA,WAAA;AAAA,UACb,MAAQ,EAAA,QAAA;AAAA,SACV;AAAA,QACA,CACE,WAAA,EACA,YACA,EAAA,MAAA,EACA,aACA,IACG,KAAA;AACH,UAAA,IAAA;AAAA,YACE,KAAA,CAAA;AAAA,YACA,EAAE,WAAa,EAAA,MAAA,EAAQ,WAAY,EAAA;AAAA,YACnC,EAAE,YAAa,EAAA;AAAA,WACjB,CAAA;AAAA,SACF;AAAA,OACF;AAAA,KACF,CAAA;AAEA,IAAO,OAAA;AAAA,MACL,MAAA;AAAA,MACA,UAAA;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,KAAM,CAAA,KAAA,EAAO,GAAK,EAAA;AACtB,IAAA,MAAM,OAAkC,GAAA;AAAA,MACtC,UAAY,EAAA,SAAA;AAAA,KACd,CAAA;AAEA,IAAI,IAAA,GAAA,CAAI,eAAe,KAAW,CAAA,EAAA;AAChC,MAAA,OAAA,CAAQ,cAAc,GAAI,CAAA,UAAA,CAAA;AAAA,KAC5B;AAEA,IAAA,OAAO,GAAI,CAAA,MAAA,CAAO,KAAM,CAAA,KAAA,EAAO,OAAO,CAAA,CAAA;AAAA,GACxC;AAAA,EAEA,MAAM,YAAa,CAAA,KAAA,EAAO,GAAK,EAAA;AAC7B,IAAO,OAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GACtC;AAAA,EAEA,MAAM,OAAQ,CAAA,KAAA,EAAO,GAAK,EAAA;AACxB,IAAO,OAAA,GAAA,CAAI,MAAO,CAAA,OAAA,CAAQ,KAAK,CAAA,CAAA;AAAA,GACjC;AACF,CAAC;;ACrEgBC,0CAAA;AAAA,CAAV,CAAUA,yBAAV,KAAA;AAIE,EAAMA,yBAAAA,CAAA,oCAAoCC,0CAA4B,CAAA;AAAA,IAC3E,MAAS,GAAA;AACP,MAAO,OAAA,OACL,MACA,GACG,KAAA;AACH,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAM,MAAA,IAAI,MAAM,sCAAsC,CAAA,CAAA;AAAA,SACxD;AAEA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,WAAa,EAAA;AAAA,YACX,uBAAuB,OAAQ,CAAA,KAAA;AAAA,WACjC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAIM,EAAMD,0BAAA,kCAAqC,GAAAC,0CAAA;AAAA,IAChD;AAAA,MACE,MAAS,GAAA;AACP,QAAO,OAAA,OACL,MACA,GACG,KAAA;AACH,UAAM,MAAA,EAAE,QAAW,GAAA,IAAA,CAAA;AAEnB,UAAM,MAAA,EAAA,GAAK,OAAO,WAAY,CAAA,EAAA,CAAA;AAE9B,UAAA,IAAI,CAAC,EAAI,EAAA;AACP,YAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA,CAAA;AAAA,WACrD;AAEA,UAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,YAC/B,WAAa,EAAA;AAAA,cACX,6BAA+B,EAAA,EAAA;AAAA,aACjC;AAAA,WACD,CAAA,CAAA;AAAA,SACH,CAAA;AAAA,OACF;AAAA,KACF;AAAA,GACF,CAAA;AAAA,CAlDe,EAAAD,gCAAA,KAAAA,gCAAA,GAAA,EAAA,CAAA,CAAA;;ACHV,MAAME,gCAA8BC,oCAAoB,CAAA;AAAA,EAC7D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,oBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,WAAA;AAAA,UACZ,SAASC,yCAA2B,CAAA;AAAA,YAClC,aAAe,EAAA,sBAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGL,gCAAA;AAAA,cACH,GAAGM,oCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;ACzBM,MAAM,2BACX,GAAAC;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;"}

package/dist/module.cjs.js

@@ -0,0 +1,33 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var authenticator = require('./authenticator.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
+
+const authModuleMicrosoftProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "microsoft-provider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: "microsoft",
+          factory: pluginAuthNode.createOAuthProviderFactory({
+            authenticator: authenticator.microsoftAuthenticator,
+            signInResolverFactories: {
+              ...resolvers.microsoftSignInResolvers,
+              ...pluginAuthNode.commonSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+
+exports.authModuleMicrosoftProvider = authModuleMicrosoftProvider;
+//# sourceMappingURL=module.cjs.js.map

package/dist/module.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.cjs.js","sources":["../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createOAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { microsoftAuthenticator } from './authenticator';\nimport { microsoftSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleMicrosoftProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'microsoft-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'microsoft',\n          factory: createOAuthProviderFactory({\n            authenticator: microsoftAuthenticator,\n            signInResolverFactories: {\n              ...microsoftSignInResolvers,\n              ...commonSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","authProvidersExtensionPoint","createOAuthProviderFactory","microsoftAuthenticator","microsoftSignInResolvers","commonSignInResolvers"],"mappings":";;;;;;;AAyBO,MAAM,8BAA8BA,oCAAoB,CAAA;AAAA,EAC7D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,oBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,WAAA;AAAA,UACZ,SAASC,yCAA2B,CAAA;AAAA,YAClC,aAAe,EAAAC,oCAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,kCAAA;AAAA,cACH,GAAGC,oCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;"}

package/dist/resolvers.cjs.js

@@ -0,0 +1,41 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+exports.microsoftSignInResolvers = void 0;
+((microsoftSignInResolvers2) => {
+  microsoftSignInResolvers2.emailMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Microsoft profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "microsoft.com/email": profile.email
+          }
+        });
+      };
+    }
+  });
+  microsoftSignInResolvers2.userIdMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory(
+    {
+      create() {
+        return async (info, ctx) => {
+          const { result } = info;
+          const id = result.fullProfile.id;
+          if (!id) {
+            throw new Error("Microsoft profile contained no id");
+          }
+          return ctx.signInWithCatalogUser({
+            annotations: {
+              "graph.microsoft.com/user-id": id
+            }
+          });
+        };
+      }
+    }
+  );
+})(exports.microsoftSignInResolvers || (exports.microsoftSignInResolvers = {}));
+//# sourceMappingURL=resolvers.cjs.js.map

package/dist/resolvers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.cjs.js","sources":["../src/resolvers.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  OAuthAuthenticatorResult,\n  createSignInResolverFactory,\n  PassportProfile,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\n\n/**\n * Available sign-in resolvers for the Microsoft auth provider.\n *\n * @public\n */\nexport namespace microsoftSignInResolvers {\n  /**\n   * Looks up the user by matching their Microsoft email to the email entity annotation.\n   */\n  export const emailMatchingUserEntityAnnotation = createSignInResolverFactory({\n    create() {\n      return async (\n        info: SignInInfo<OAuthAuthenticatorResult<PassportProfile>>,\n        ctx,\n      ) => {\n        const { profile } = info;\n\n        if (!profile.email) {\n          throw new Error('Microsoft profile contained no email');\n        }\n\n        return ctx.signInWithCatalogUser({\n          annotations: {\n            'microsoft.com/email': profile.email,\n          },\n        });\n      };\n    },\n  });\n  /**\n   * Looks up the user by matching their Microsoft user id to the user id entity annotation.\n   */\n  export const userIdMatchingUserEntityAnnotation = createSignInResolverFactory(\n    {\n      create() {\n        return async (\n          info: SignInInfo<OAuthAuthenticatorResult<PassportProfile>>,\n          ctx,\n        ) => {\n          const { result } = info;\n\n          const id = result.fullProfile.id;\n\n          if (!id) {\n            throw new Error('Microsoft profile contained no id');\n          }\n\n          return ctx.signInWithCatalogUser({\n            annotations: {\n              'graph.microsoft.com/user-id': id,\n            },\n          });\n        };\n      },\n    },\n  );\n}\n"],"names":["microsoftSignInResolvers","createSignInResolverFactory"],"mappings":";;;;AA4BiBA,0CAAA;AAAA,CAAV,CAAUA,yBAAV,KAAA;AAIE,EAAMA,yBAAAA,CAAA,oCAAoCC,0CAA4B,CAAA;AAAA,IAC3E,MAAS,GAAA;AACP,MAAO,OAAA,OACL,MACA,GACG,KAAA;AACH,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAM,MAAA,IAAI,MAAM,sCAAsC,CAAA,CAAA;AAAA,SACxD;AAEA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,WAAa,EAAA;AAAA,YACX,uBAAuB,OAAQ,CAAA,KAAA;AAAA,WACjC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAIM,EAAMD,0BAAA,kCAAqC,GAAAC,0CAAA;AAAA,IAChD;AAAA,MACE,MAAS,GAAA;AACP,QAAO,OAAA,OACL,MACA,GACG,KAAA;AACH,UAAM,MAAA,EAAE,QAAW,GAAA,IAAA,CAAA;AAEnB,UAAM,MAAA,EAAA,GAAK,OAAO,WAAY,CAAA,EAAA,CAAA;AAE9B,UAAA,IAAI,CAAC,EAAI,EAAA;AACP,YAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA,CAAA;AAAA,WACrD;AAEA,UAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,YAC/B,WAAa,EAAA;AAAA,cACX,6BAA+B,EAAA,EAAA;AAAA,aACjC;AAAA,WACD,CAAA,CAAA;AAAA,SACH,CAAA;AAAA,OACF;AAAA,KACF;AAAA,GACF,CAAA;AAAA,CAlDe,EAAAD,gCAAA,KAAAA,gCAAA,GAAA,EAAA,CAAA,CAAA;;"}

package/dist/strategy.cjs.js

@@ -0,0 +1,77 @@
+'use strict';
+
+var jose = require('jose');
+var fetch = require('node-fetch');
+var passportMicrosoft = require('passport-microsoft');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
+
+class ExtendedMicrosoftStrategy extends passportMicrosoft.Strategy {
+  shouldSkipUserProfile = false;
+  setSkipUserProfile(shouldSkipUserProfile) {
+    this.shouldSkipUserProfile = shouldSkipUserProfile;
+  }
+  userProfile(accessToken, done) {
+    if (this.skipUserProfile(accessToken)) {
+      done(null, void 0);
+      return;
+    }
+    super.userProfile(
+      accessToken,
+      (err, profile) => {
+        if (!profile || profile.photos) {
+          done(err, profile);
+          return;
+        }
+        this.getProfilePhotos(accessToken).then((photos) => {
+          profile.photos = photos;
+          done(err, profile);
+        });
+      }
+    );
+  }
+  hasGraphReadScope(accessToken) {
+    const { aud, scp } = jose.decodeJwt(accessToken);
+    return aud === "00000003-0000-0000-c000-000000000000" && !!scp && scp.split(" ").map((s) => s.toLocaleLowerCase("en-US")).some(
+      (s) => [
+        "https://graph.microsoft.com/user.read",
+        "https://graph.microsoft.com/user.read.all",
+        "user.read",
+        "user.read.all"
+      ].includes(s)
+    );
+  }
+  skipUserProfile(accessToken) {
+    try {
+      return this.shouldSkipUserProfile || !this.hasGraphReadScope(accessToken);
+    } catch {
+      return false;
+    }
+  }
+  async getProfilePhotos(accessToken) {
+    return this.getCurrentUserPhoto(accessToken, "96x96").then(
+      (photo) => photo ? [{ value: photo }] : void 0
+    );
+  }
+  async getCurrentUserPhoto(accessToken, size) {
+    try {
+      const res = await fetch__default.default(
+        `https://graph.microsoft.com/v1.0/me/photos/${size}/$value`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`
+          }
+        }
+      );
+      const data = await res.buffer();
+      return `data:image/jpeg;base64,${data.toString("base64")}`;
+    } catch (error) {
+      return void 0;
+    }
+  }
+}
+
+exports.ExtendedMicrosoftStrategy = ExtendedMicrosoftStrategy;
+//# sourceMappingURL=strategy.cjs.js.map

package/dist/strategy.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategy.cjs.js","sources":["../src/strategy.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PassportProfile } from '@backstage/plugin-auth-node';\nimport { decodeJwt } from 'jose';\nimport fetch from 'node-fetch';\nimport { Strategy as MicrosoftStrategy } from 'passport-microsoft';\n\nexport class ExtendedMicrosoftStrategy extends MicrosoftStrategy {\n  private shouldSkipUserProfile = false;\n\n  public setSkipUserProfile(shouldSkipUserProfile: boolean): void {\n    this.shouldSkipUserProfile = shouldSkipUserProfile;\n  }\n\n  userProfile(\n    accessToken: string,\n    done: (err?: unknown, profile?: PassportProfile) => void,\n  ): void {\n    if (this.skipUserProfile(accessToken)) {\n      done(null, undefined);\n      return;\n    }\n\n    super.userProfile(\n      accessToken,\n      (err?: unknown, profile?: PassportProfile) => {\n        if (!profile || profile.photos) {\n          done(err, profile);\n          return;\n        }\n\n        this.getProfilePhotos(accessToken).then(photos => {\n          profile.photos = photos;\n          done(err, profile);\n        });\n      },\n    );\n  }\n\n  private hasGraphReadScope(accessToken: string): boolean {\n    const { aud, scp } = decodeJwt(accessToken);\n    return (\n      aud === '00000003-0000-0000-c000-000000000000' &&\n      !!scp &&\n      (scp as string)\n        .split(' ')\n        .map(s => s.toLocaleLowerCase('en-US'))\n        .some(s =>\n          [\n            'https://graph.microsoft.com/user.read',\n            'https://graph.microsoft.com/user.read.all',\n            'user.read',\n            'user.read.all',\n          ].includes(s),\n        )\n    );\n  }\n\n  private skipUserProfile(accessToken: string): boolean {\n    try {\n      return this.shouldSkipUserProfile || !this.hasGraphReadScope(accessToken);\n    } catch {\n      // If there is any error with checking the scope\n      // we fall back to not skipping the user profile\n      // which may still result in an auth failure\n      // e.g. due to a foreign scope.\n      return false;\n    }\n  }\n\n  private async getProfilePhotos(\n    accessToken: string,\n  ): Promise<Array<{ value: string }> | undefined> {\n    return this.getCurrentUserPhoto(accessToken, '96x96').then(photo =>\n      photo ? [{ value: photo }] : undefined,\n    );\n  }\n\n  private async getCurrentUserPhoto(\n    accessToken: string,\n    size: string,\n  ): Promise<string | undefined> {\n    try {\n      const res = await fetch(\n        `https://graph.microsoft.com/v1.0/me/photos/${size}/$value`,\n        {\n          headers: {\n            Authorization: `Bearer ${accessToken}`,\n          },\n        },\n      );\n      const data = await res.buffer();\n\n      return `data:image/jpeg;base64,${data.toString('base64')}`;\n    } catch (error) {\n      return undefined;\n    }\n  }\n}\n"],"names":["MicrosoftStrategy","decodeJwt","fetch"],"mappings":";;;;;;;;;;AAqBO,MAAM,kCAAkCA,0BAAkB,CAAA;AAAA,EACvD,qBAAwB,GAAA,KAAA,CAAA;AAAA,EAEzB,mBAAmB,qBAAsC,EAAA;AAC9D,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA,EAEA,WAAA,CACE,aACA,IACM,EAAA;AACN,IAAI,IAAA,IAAA,CAAK,eAAgB,CAAA,WAAW,CAAG,EAAA;AACrC,MAAA,IAAA,CAAK,MAAM,KAAS,CAAA,CAAA,CAAA;AACpB,MAAA,OAAA;AAAA,KACF;AAEA,IAAM,KAAA,CAAA,WAAA;AAAA,MACJ,WAAA;AAAA,MACA,CAAC,KAAe,OAA8B,KAAA;AAC5C,QAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,MAAQ,EAAA;AAC9B,UAAA,IAAA,CAAK,KAAK,OAAO,CAAA,CAAA;AACjB,UAAA,OAAA;AAAA,SACF;AAEA,QAAA,IAAA,CAAK,gBAAiB,CAAA,WAAW,CAAE,CAAA,IAAA,CAAK,CAAU,MAAA,KAAA;AAChD,UAAA,OAAA,CAAQ,MAAS,GAAA,MAAA,CAAA;AACjB,UAAA,IAAA,CAAK,KAAK,OAAO,CAAA,CAAA;AAAA,SAClB,CAAA,CAAA;AAAA,OACH;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEQ,kBAAkB,WAA8B,EAAA;AACtD,IAAA,MAAM,EAAE,GAAA,EAAK,GAAI,EAAA,GAAIC,eAAU,WAAW,CAAA,CAAA;AAC1C,IAAA,OACE,GAAQ,KAAA,sCAAA,IACR,CAAC,CAAC,OACD,GACE,CAAA,KAAA,CAAM,GAAG,CAAA,CACT,IAAI,CAAK,CAAA,KAAA,CAAA,CAAE,iBAAkB,CAAA,OAAO,CAAC,CACrC,CAAA,IAAA;AAAA,MAAK,CACJ,CAAA,KAAA;AAAA,QACE,uCAAA;AAAA,QACA,2CAAA;AAAA,QACA,WAAA;AAAA,QACA,eAAA;AAAA,OACF,CAAE,SAAS,CAAC,CAAA;AAAA,KACd,CAAA;AAAA,GAEN;AAAA,EAEQ,gBAAgB,WAA8B,EAAA;AACpD,IAAI,IAAA;AACF,MAAA,OAAO,IAAK,CAAA,qBAAA,IAAyB,CAAC,IAAA,CAAK,kBAAkB,WAAW,CAAA,CAAA;AAAA,KAClE,CAAA,MAAA;AAKN,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAAA,GACF;AAAA,EAEA,MAAc,iBACZ,WAC+C,EAAA;AAC/C,IAAA,OAAO,IAAK,CAAA,mBAAA,CAAoB,WAAa,EAAA,OAAO,CAAE,CAAA,IAAA;AAAA,MAAK,WACzD,KAAQ,GAAA,CAAC,EAAE,KAAO,EAAA,KAAA,EAAO,CAAI,GAAA,KAAA,CAAA;AAAA,KAC/B,CAAA;AAAA,GACF;AAAA,EAEA,MAAc,mBACZ,CAAA,WAAA,EACA,IAC6B,EAAA;AAC7B,IAAI,IAAA;AACF,MAAA,MAAM,MAAM,MAAMC,sBAAA;AAAA,QAChB,8CAA8C,IAAI,CAAA,OAAA,CAAA;AAAA,QAClD;AAAA,UACE,OAAS,EAAA;AAAA,YACP,aAAA,EAAe,UAAU,WAAW,CAAA,CAAA;AAAA,WACtC;AAAA,SACF;AAAA,OACF,CAAA;AACA,MAAM,MAAA,IAAA,GAAO,MAAM,GAAA,CAAI,MAAO,EAAA,CAAA;AAE9B,MAAA,OAAO,CAA0B,uBAAA,EAAA,IAAA,CAAK,QAAS,CAAA,QAAQ,CAAC,CAAA,CAAA,CAAA;AAAA,aACjD,KAAO,EAAA;AACd,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AAAA,GACF;AACF;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend-module-microsoft-provider",
-  "version": "0.2.0",
+  "version": "0.2.1-next.1",
   "description": "The microsoft-provider backend module for the auth plugin.",
   "backstage": {
     "role": "backend-plugin-module",
@@ -34,19 +34,19 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.0.0",
-    "@backstage/plugin-auth-node": "^0.5.2",
+    "@backstage/backend-plugin-api": "1.0.1-next.1",
+    "@backstage/plugin-auth-node": "0.5.3-next.1",
     "express": "^4.18.2",
     "jose": "^5.0.0",
     "node-fetch": "^2.7.0",
     "passport-microsoft": "^1.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "^0.5.0",
-    "@backstage/backend-test-utils": "^1.0.0",
-    "@backstage/cli": "^0.27.1",
-    "@backstage/config": "^1.2.0",
-    "@backstage/plugin-auth-backend": "^0.23.0",
+    "@backstage/backend-defaults": "0.5.1-next.2",
+    "@backstage/backend-test-utils": "1.0.1-next.2",
+    "@backstage/cli": "0.28.0-next.2",
+    "@backstage/config": "1.2.0",
+    "@backstage/plugin-auth-backend": "0.23.1-next.1",
     "@types/passport-microsoft": "^1.0.0",
     "msw": "^1.0.0",
     "supertest": "^7.0.0"