@backstage/plugin-auth-backend-module-oidc-provider 0.0.0-nightly-20240122021809

package/CHANGELOG.md

@@ -0,0 +1,15 @@
+# @backstage/plugin-auth-backend-module-oidc-provider
+
+## 0.0.0-nightly-20240122021809
+
+### Minor Changes
+
+- 5d2fcba: Created new `@backstage/plugin-auth-backend-module-oidc-provider` module package to house oidc auth provider migration.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.0.0-nightly-20240122021809
+  - @backstage/backend-common@0.0.0-nightly-20240122021809
+  - @backstage/plugin-auth-node@0.0.0-nightly-20240122021809
+  - @backstage/backend-plugin-api@0.0.0-nightly-20240122021809

package/README.md

@@ -0,0 +1,8 @@
+# Auth Module: Oidc Provider
+
+This module provides an Oidc auth provider implementation for `@backstage/plugin-auth-backend`.
+
+## Links
+
+- [Repository](https://oidc.com/backstage/backstage/tree/master/plugins/auth-backend-module-oidc-provider)
+- [Backstage Project Homepage](https://backstage.io)

package/config.d.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2020 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export interface Config {
+  auth?: {
+    providers?: {
+      /** @visibility frontend */
+      oidc?: {
+        [authEnv: string]: {
+          clientId: string;
+          /**
+           * @visibility secret
+           */
+          clientSecret: string;
+          metadataUrl: string;
+          callbackUrl?: string;
+          tokenEndpointAuthMethod?: string;
+          tokenSignedResponseAlg?: string;
+          scope?: string;
+          prompt?: string;
+        };
+      };
+    };
+  };
+}

package/dist/index.cjs.js

@@ -0,0 +1,161 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var openidClient = require('openid-client');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var backendPluginApi = require('@backstage/backend-plugin-api');
+
+const oidcAuthenticator = pluginAuthNode.createOAuthAuthenticator({
+  defaultProfileTransform: async (input) => ({
+    profile: {
+      email: input.fullProfile.userinfo.email,
+      picture: input.fullProfile.userinfo.picture,
+      displayName: input.fullProfile.userinfo.name
+    }
+  }),
+  initialize({ callbackUrl, config }) {
+    const clientId = config.getString("clientId");
+    const clientSecret = config.getString("clientSecret");
+    const metadataUrl = config.getString("metadataUrl");
+    const customCallbackUrl = config.getOptionalString("callbackUrl");
+    const tokenEndpointAuthMethod = config.getOptionalString(
+      "tokenEndpointAuthMethod"
+    );
+    const tokenSignedResponseAlg = config.getOptionalString(
+      "tokenSignedResponseAlg"
+    );
+    const initializedScope = config.getOptionalString("scope");
+    const initializedPrompt = config.getOptionalString("prompt");
+    const promise = openidClient.Issuer.discover(metadataUrl).then((issuer) => {
+      const client = new issuer.Client({
+        access_type: "offline",
+        // this option must be passed to provider to receive a refresh token
+        client_id: clientId,
+        client_secret: clientSecret,
+        redirect_uris: [customCallbackUrl || callbackUrl],
+        response_types: ["code"],
+        token_endpoint_auth_method: tokenEndpointAuthMethod || "client_secret_basic",
+        id_token_signed_response_alg: tokenSignedResponseAlg || "RS256",
+        scope: initializedScope || ""
+      });
+      const strategy = new openidClient.Strategy(
+        {
+          client,
+          passReqToCallback: false
+        },
+        (tokenset, userinfo, done) => {
+          if (typeof done !== "function") {
+            throw new Error(
+              "OIDC IdP must provide a userinfo_endpoint in the metadata response"
+            );
+          }
+          done(
+            void 0,
+            { tokenset, userinfo },
+            { refreshToken: tokenset.refresh_token }
+          );
+        }
+      );
+      const helper = pluginAuthNode.PassportOAuthAuthenticatorHelper.from(strategy);
+      return { helper, client, strategy };
+    });
+    return { initializedScope, initializedPrompt, promise };
+  },
+  async start(input, ctx) {
+    const { initializedScope, initializedPrompt, promise } = ctx;
+    const { helper, strategy } = await promise;
+    const options = {
+      scope: input.scope || initializedScope || "openid profile email",
+      state: input.state
+    };
+    const prompt = initializedPrompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return new Promise((resolve, reject) => {
+      strategy.error = reject;
+      return helper.start(input, {
+        ...options
+      }).then(resolve);
+    });
+  },
+  async authenticate(input, ctx) {
+    var _a;
+    const { strategy } = await ctx.promise;
+    const { result, privateInfo } = await pluginAuthNode.PassportHelpers.executeFrameHandlerStrategy(input.req, strategy);
+    return {
+      fullProfile: result,
+      session: {
+        accessToken: result.tokenset.access_token,
+        tokenType: (_a = result.tokenset.token_type) != null ? _a : "bearer",
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in,
+        idToken: result.tokenset.id_token,
+        refreshToken: privateInfo.refreshToken
+      }
+    };
+  },
+  async refresh(input, ctx) {
+    const { client } = await ctx.promise;
+    const tokenset = await client.refresh(input.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    if (!tokenset.scope) {
+      tokenset.scope = input.scope;
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
+    return new Promise((resolve, reject) => {
+      var _a;
+      if (!tokenset.access_token) {
+        reject(new Error("Refresh Failed"));
+      }
+      resolve({
+        fullProfile: { userinfo, tokenset },
+        session: {
+          accessToken: tokenset.access_token,
+          tokenType: (_a = tokenset.token_type) != null ? _a : "bearer",
+          scope: tokenset.scope,
+          expiresInSeconds: tokenset.expires_in,
+          idToken: tokenset.id_token,
+          refreshToken: tokenset.refresh_token
+        }
+      });
+    });
+  }
+});
+
+exports.oidcSignInResolvers = void 0;
+((oidcSignInResolvers2) => {
+  oidcSignInResolvers2.emailLocalPartMatchingUserEntityName = pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName;
+  oidcSignInResolvers2.emailMatchingUserEntityProfileEmail = pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail;
+})(exports.oidcSignInResolvers || (exports.oidcSignInResolvers = {}));
+
+const authModuleOidcProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "oidc-provider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: "oidc",
+          factory: pluginAuthNode.createOAuthProviderFactory({
+            authenticator: oidcAuthenticator,
+            signInResolverFactories: {
+              ...exports.oidcSignInResolvers,
+              ...pluginAuthNode.commonSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+
+exports["default"] = authModuleOidcProvider;
+exports.oidcAuthenticator = oidcAuthenticator;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  Issuer,\n  ClientAuthMethod,\n  TokenSet,\n  UserinfoResponse,\n  Strategy as OidcStrategy,\n} from 'openid-client';\nimport {\n  createOAuthAuthenticator,\n  OAuthAuthenticatorResult,\n  PassportDoneCallback,\n  PassportHelpers,\n  PassportOAuthAuthenticatorHelper,\n  PassportOAuthPrivateInfo,\n} from '@backstage/plugin-auth-node';\n\n/**\n * authentication result for the OIDC which includes the token set and user\n * profile response\n * @public\n */\nexport type OidcAuthResult = {\n  tokenset: TokenSet;\n  userinfo: UserinfoResponse;\n};\n\n/** @public */\nexport const oidcAuthenticator = createOAuthAuthenticator({\n  defaultProfileTransform: async (\n    input: OAuthAuthenticatorResult<OidcAuthResult>,\n  ) => ({\n    profile: {\n      email: input.fullProfile.userinfo.email,\n      picture: input.fullProfile.userinfo.picture,\n      displayName: input.fullProfile.userinfo.name,\n    },\n  }),\n  initialize({ callbackUrl, config }) {\n    const clientId = config.getString('clientId');\n    const clientSecret = config.getString('clientSecret');\n    const metadataUrl = config.getString('metadataUrl');\n    const customCallbackUrl = config.getOptionalString('callbackUrl');\n    const tokenEndpointAuthMethod = config.getOptionalString(\n      'tokenEndpointAuthMethod',\n    ) as ClientAuthMethod;\n    const tokenSignedResponseAlg = config.getOptionalString(\n      'tokenSignedResponseAlg',\n    );\n    const initializedScope = config.getOptionalString('scope');\n    const initializedPrompt = config.getOptionalString('prompt');\n\n    const promise = Issuer.discover(metadataUrl).then(issuer => {\n      const client = new issuer.Client({\n        access_type: 'offline', // this option must be passed to provider to receive a refresh token\n        client_id: clientId,\n        client_secret: clientSecret,\n        redirect_uris: [customCallbackUrl || callbackUrl],\n        response_types: ['code'],\n        token_endpoint_auth_method:\n          tokenEndpointAuthMethod || 'client_secret_basic',\n        id_token_signed_response_alg: tokenSignedResponseAlg || 'RS256',\n        scope: initializedScope || '',\n      });\n\n      const strategy = new OidcStrategy(\n        {\n          client,\n          passReqToCallback: false,\n        },\n        (\n          tokenset: TokenSet,\n          userinfo: UserinfoResponse,\n          done: PassportDoneCallback<OidcAuthResult, PassportOAuthPrivateInfo>,\n        ) => {\n          if (typeof done !== 'function') {\n            throw new Error(\n              'OIDC IdP must provide a userinfo_endpoint in the metadata response',\n            );\n          }\n\n          done(\n            undefined,\n            { tokenset, userinfo },\n            { refreshToken: tokenset.refresh_token },\n          );\n        },\n      );\n\n      const helper = PassportOAuthAuthenticatorHelper.from(strategy);\n      return { helper, client, strategy };\n    });\n\n    return { initializedScope, initializedPrompt, promise };\n  },\n\n  async start(input, ctx) {\n    const { initializedScope, initializedPrompt, promise } = ctx;\n    const { helper, strategy } = await promise;\n    const options: Record<string, string> = {\n      scope: input.scope || initializedScope || 'openid profile email',\n      state: input.state,\n    };\n    const prompt = initializedPrompt || 'none';\n    if (prompt !== 'auto') {\n      options.prompt = prompt;\n    }\n\n    return new Promise((resolve, reject) => {\n      strategy.error = reject;\n\n      return helper\n        .start(input, {\n          ...options,\n        })\n        .then(resolve);\n    });\n  },\n\n  async authenticate(\n    input,\n    ctx,\n  ): Promise<OAuthAuthenticatorResult<OidcAuthResult>> {\n    const { strategy } = await ctx.promise;\n    const { result, privateInfo } =\n      await PassportHelpers.executeFrameHandlerStrategy<\n        OidcAuthResult,\n        PassportOAuthPrivateInfo\n      >(input.req, strategy);\n\n    return {\n      fullProfile: result,\n      session: {\n        accessToken: result.tokenset.access_token!,\n        tokenType: result.tokenset.token_type ?? 'bearer',\n        scope: result.tokenset.scope!,\n        expiresInSeconds: result.tokenset.expires_in,\n        idToken: result.tokenset.id_token,\n        refreshToken: privateInfo.refreshToken,\n      },\n    };\n  },\n\n  async refresh(input, ctx) {\n    const { client } = await ctx.promise;\n    const tokenset = await client.refresh(input.refreshToken);\n    if (!tokenset.access_token) {\n      throw new Error('Refresh failed');\n    }\n    if (!tokenset.scope) {\n      tokenset.scope = input.scope;\n    }\n    const userinfo = await client.userinfo(tokenset.access_token);\n\n    return new Promise((resolve, reject) => {\n      if (!tokenset.access_token) {\n        reject(new Error('Refresh Failed'));\n      }\n      resolve({\n        fullProfile: { userinfo, tokenset },\n        session: {\n          accessToken: tokenset.access_token!,\n          tokenType: tokenset.token_type ?? 'bearer',\n          scope: tokenset.scope!,\n          expiresInSeconds: tokenset.expires_in,\n          idToken: tokenset.id_token,\n          refreshToken: tokenset.refresh_token,\n        },\n      });\n    });\n  },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { commonSignInResolvers } from '@backstage/plugin-auth-node';\n\n/**\n * Available sign-in resolvers for the Oidc auth provider.\n *\n * @public\n */\nexport namespace oidcSignInResolvers {\n  /**\n   * A oidc resolver that looks up the user using the local part of\n   * their email address as the entity name.\n   */\n  export const emailLocalPartMatchingUserEntityName =\n    commonSignInResolvers.emailLocalPartMatchingUserEntityName;\n\n  /**\n   * A oidc resolver that looks up the user using their email address\n   * as email of the entity.\n   */\n  export const emailMatchingUserEntityProfileEmail =\n    commonSignInResolvers.emailMatchingUserEntityProfileEmail;\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createOAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { oidcAuthenticator } from './authenticator';\nimport { oidcSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleOidcProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'oidc-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'oidc',\n          factory: createOAuthProviderFactory({\n            authenticator: oidcAuthenticator,\n            signInResolverFactories: {\n              ...oidcSignInResolvers,\n              ...commonSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["createOAuthAuthenticator","Issuer","OidcStrategy","PassportOAuthAuthenticatorHelper","PassportHelpers","oidcSignInResolvers","commonSignInResolvers","createBackendModule","authProvidersExtensionPoint","createOAuthProviderFactory"],"mappings":";;;;;;;;AA2CO,MAAM,oBAAoBA,uCAAyB,CAAA;AAAA,EACxD,uBAAA,EAAyB,OACvB,KACI,MAAA;AAAA,IACJ,OAAS,EAAA;AAAA,MACP,KAAA,EAAO,KAAM,CAAA,WAAA,CAAY,QAAS,CAAA,KAAA;AAAA,MAClC,OAAA,EAAS,KAAM,CAAA,WAAA,CAAY,QAAS,CAAA,OAAA;AAAA,MACpC,WAAA,EAAa,KAAM,CAAA,WAAA,CAAY,QAAS,CAAA,IAAA;AAAA,KAC1C;AAAA,GACF,CAAA;AAAA,EACA,UAAW,CAAA,EAAE,WAAa,EAAA,MAAA,EAAU,EAAA;AAClC,IAAM,MAAA,QAAA,GAAW,MAAO,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AAC5C,IAAM,MAAA,YAAA,GAAe,MAAO,CAAA,SAAA,CAAU,cAAc,CAAA,CAAA;AACpD,IAAM,MAAA,WAAA,GAAc,MAAO,CAAA,SAAA,CAAU,aAAa,CAAA,CAAA;AAClD,IAAM,MAAA,iBAAA,GAAoB,MAAO,CAAA,iBAAA,CAAkB,aAAa,CAAA,CAAA;AAChE,IAAA,MAAM,0BAA0B,MAAO,CAAA,iBAAA;AAAA,MACrC,yBAAA;AAAA,KACF,CAAA;AACA,IAAA,MAAM,yBAAyB,MAAO,CAAA,iBAAA;AAAA,MACpC,wBAAA;AAAA,KACF,CAAA;AACA,IAAM,MAAA,gBAAA,GAAmB,MAAO,CAAA,iBAAA,CAAkB,OAAO,CAAA,CAAA;AACzD,IAAM,MAAA,iBAAA,GAAoB,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA,CAAA;AAE3D,IAAA,MAAM,UAAUC,mBAAO,CAAA,QAAA,CAAS,WAAW,CAAA,CAAE,KAAK,CAAU,MAAA,KAAA;AAC1D,MAAM,MAAA,MAAA,GAAS,IAAI,MAAA,CAAO,MAAO,CAAA;AAAA,QAC/B,WAAa,EAAA,SAAA;AAAA;AAAA,QACb,SAAW,EAAA,QAAA;AAAA,QACX,aAAe,EAAA,YAAA;AAAA,QACf,aAAA,EAAe,CAAC,iBAAA,IAAqB,WAAW,CAAA;AAAA,QAChD,cAAA,EAAgB,CAAC,MAAM,CAAA;AAAA,QACvB,4BACE,uBAA2B,IAAA,qBAAA;AAAA,QAC7B,8BAA8B,sBAA0B,IAAA,OAAA;AAAA,QACxD,OAAO,gBAAoB,IAAA,EAAA;AAAA,OAC5B,CAAA,CAAA;AAED,MAAA,MAAM,WAAW,IAAIC,qBAAA;AAAA,QACnB;AAAA,UACE,MAAA;AAAA,UACA,iBAAmB,EAAA,KAAA;AAAA,SACrB;AAAA,QACA,CACE,QACA,EAAA,QAAA,EACA,IACG,KAAA;AACH,UAAI,IAAA,OAAO,SAAS,UAAY,EAAA;AAC9B,YAAA,MAAM,IAAI,KAAA;AAAA,cACR,oEAAA;AAAA,aACF,CAAA;AAAA,WACF;AAEA,UAAA,IAAA;AAAA,YACE,KAAA,CAAA;AAAA,YACA,EAAE,UAAU,QAAS,EAAA;AAAA,YACrB,EAAE,YAAc,EAAA,QAAA,CAAS,aAAc,EAAA;AAAA,WACzC,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAEA,MAAM,MAAA,MAAA,GAASC,+CAAiC,CAAA,IAAA,CAAK,QAAQ,CAAA,CAAA;AAC7D,MAAO,OAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,QAAS,EAAA,CAAA;AAAA,KACnC,CAAA,CAAA;AAED,IAAO,OAAA,EAAE,gBAAkB,EAAA,iBAAA,EAAmB,OAAQ,EAAA,CAAA;AAAA,GACxD;AAAA,EAEA,MAAM,KAAM,CAAA,KAAA,EAAO,GAAK,EAAA;AACtB,IAAA,MAAM,EAAE,gBAAA,EAAkB,iBAAmB,EAAA,OAAA,EAAY,GAAA,GAAA,CAAA;AACzD,IAAA,MAAM,EAAE,MAAA,EAAQ,QAAS,EAAA,GAAI,MAAM,OAAA,CAAA;AACnC,IAAA,MAAM,OAAkC,GAAA;AAAA,MACtC,KAAA,EAAO,KAAM,CAAA,KAAA,IAAS,gBAAoB,IAAA,sBAAA;AAAA,MAC1C,OAAO,KAAM,CAAA,KAAA;AAAA,KACf,CAAA;AACA,IAAA,MAAM,SAAS,iBAAqB,IAAA,MAAA,CAAA;AACpC,IAAA,IAAI,WAAW,MAAQ,EAAA;AACrB,MAAA,OAAA,CAAQ,MAAS,GAAA,MAAA,CAAA;AAAA,KACnB;AAEA,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,QAAA,CAAS,KAAQ,GAAA,MAAA,CAAA;AAEjB,MAAO,OAAA,MAAA,CACJ,MAAM,KAAO,EAAA;AAAA,QACZ,GAAG,OAAA;AAAA,OACJ,CACA,CAAA,IAAA,CAAK,OAAO,CAAA,CAAA;AAAA,KAChB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,MAAM,YACJ,CAAA,KAAA,EACA,GACmD,EAAA;AAzIvD,IAAA,IAAA,EAAA,CAAA;AA0II,IAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,GAAI,CAAA,OAAA,CAAA;AAC/B,IAAM,MAAA,EAAE,QAAQ,WAAY,EAAA,GAC1B,MAAMC,8BAAgB,CAAA,2BAAA,CAGpB,KAAM,CAAA,GAAA,EAAK,QAAQ,CAAA,CAAA;AAEvB,IAAO,OAAA;AAAA,MACL,WAAa,EAAA,MAAA;AAAA,MACb,OAAS,EAAA;AAAA,QACP,WAAA,EAAa,OAAO,QAAS,CAAA,YAAA;AAAA,QAC7B,SAAW,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,QAAS,CAAA,UAAA,KAAhB,IAA8B,GAAA,EAAA,GAAA,QAAA;AAAA,QACzC,KAAA,EAAO,OAAO,QAAS,CAAA,KAAA;AAAA,QACvB,gBAAA,EAAkB,OAAO,QAAS,CAAA,UAAA;AAAA,QAClC,OAAA,EAAS,OAAO,QAAS,CAAA,QAAA;AAAA,QACzB,cAAc,WAAY,CAAA,YAAA;AAAA,OAC5B;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,OAAQ,CAAA,KAAA,EAAO,GAAK,EAAA;AACxB,IAAA,MAAM,EAAE,MAAA,EAAW,GAAA,MAAM,GAAI,CAAA,OAAA,CAAA;AAC7B,IAAA,MAAM,QAAW,GAAA,MAAM,MAAO,CAAA,OAAA,CAAQ,MAAM,YAAY,CAAA,CAAA;AACxD,IAAI,IAAA,CAAC,SAAS,YAAc,EAAA;AAC1B,MAAM,MAAA,IAAI,MAAM,gBAAgB,CAAA,CAAA;AAAA,KAClC;AACA,IAAI,IAAA,CAAC,SAAS,KAAO,EAAA;AACnB,MAAA,QAAA,CAAS,QAAQ,KAAM,CAAA,KAAA,CAAA;AAAA,KACzB;AACA,IAAA,MAAM,QAAW,GAAA,MAAM,MAAO,CAAA,QAAA,CAAS,SAAS,YAAY,CAAA,CAAA;AAE5D,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AAzK5C,MAAA,IAAA,EAAA,CAAA;AA0KM,MAAI,IAAA,CAAC,SAAS,YAAc,EAAA;AAC1B,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,gBAAgB,CAAC,CAAA,CAAA;AAAA,OACpC;AACA,MAAQ,OAAA,CAAA;AAAA,QACN,WAAA,EAAa,EAAE,QAAA,EAAU,QAAS,EAAA;AAAA,QAClC,OAAS,EAAA;AAAA,UACP,aAAa,QAAS,CAAA,YAAA;AAAA,UACtB,SAAA,EAAA,CAAW,EAAS,GAAA,QAAA,CAAA,UAAA,KAAT,IAAuB,GAAA,EAAA,GAAA,QAAA;AAAA,UAClC,OAAO,QAAS,CAAA,KAAA;AAAA,UAChB,kBAAkB,QAAS,CAAA,UAAA;AAAA,UAC3B,SAAS,QAAS,CAAA,QAAA;AAAA,UAClB,cAAc,QAAS,CAAA,aAAA;AAAA,SACzB;AAAA,OACD,CAAA,CAAA;AAAA,KACF,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;ACnKgBC,qCAAA;AAAA,CAAV,CAAUA,oBAAV,KAAA;AAKE,EAAMA,oBAAAA,CAAA,uCACXC,oCAAsB,CAAA,oCAAA,CAAA;AAMjB,EAAMD,oBAAAA,CAAA,sCACXC,oCAAsB,CAAA,mCAAA,CAAA;AAAA,CAbT,EAAAD,2BAAA,KAAAA,2BAAA,GAAA,EAAA,CAAA,CAAA;;ACEV,MAAM,yBAAyBE,oCAAoB,CAAA;AAAA,EACxD,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,eAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,MAAA;AAAA,UACZ,SAASC,yCAA2B,CAAA;AAAA,YAClC,aAAe,EAAA,iBAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGJ,2BAAA;AAAA,cACH,GAAGC,oCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,48 @@
+import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
+import { PassportOAuthAuthenticatorHelper } from '@backstage/plugin-auth-node';
+import * as openid_client from 'openid-client';
+import { TokenSet, UserinfoResponse, Strategy } from 'openid-client';
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+
+/**
+ * authentication result for the OIDC which includes the token set and user
+ * profile response
+ * @public
+ */
+type OidcAuthResult = {
+    tokenset: TokenSet;
+    userinfo: UserinfoResponse;
+};
+/** @public */
+declare const oidcAuthenticator: _backstage_plugin_auth_node.OAuthAuthenticator<{
+    initializedScope: string | undefined;
+    initializedPrompt: string | undefined;
+    promise: Promise<{
+        helper: PassportOAuthAuthenticatorHelper;
+        client: openid_client.BaseClient;
+        strategy: Strategy<OidcAuthResult, openid_client.BaseClient>;
+    }>;
+}, OidcAuthResult>;
+
+/** @public */
+declare const authModuleOidcProvider: () => _backstage_backend_plugin_api.BackendFeature;
+
+/**
+ * Available sign-in resolvers for the Oidc auth provider.
+ *
+ * @public
+ */
+declare namespace oidcSignInResolvers {
+    /**
+     * A oidc resolver that looks up the user using the local part of
+     * their email address as the entity name.
+     */
+    const emailLocalPartMatchingUserEntityName: _backstage_plugin_auth_node.SignInResolverFactory<unknown, unknown>;
+    /**
+     * A oidc resolver that looks up the user using their email address
+     * as email of the entity.
+     */
+    const emailMatchingUserEntityProfileEmail: _backstage_plugin_auth_node.SignInResolverFactory<unknown, unknown>;
+}
+
+export { OidcAuthResult, authModuleOidcProvider as default, oidcAuthenticator, oidcSignInResolvers };

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@backstage/plugin-auth-backend-module-oidc-provider",
+  "description": "The oidc-provider backend module for the auth plugin.",
+  "version": "0.0.0-nightly-20240122021809",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "backend-plugin-module"
+  },
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.0.0-nightly-20240122021809",
+    "@backstage/backend-plugin-api": "^0.0.0-nightly-20240122021809",
+    "@backstage/plugin-auth-backend": "^0.0.0-nightly-20240122021809",
+    "@backstage/plugin-auth-node": "^0.0.0-nightly-20240122021809",
+    "express": "^4.18.2",
+    "openid-client": "^5.5.0",
+    "passport": "^0.6.0"
+  },
+  "devDependencies": {
+    "@backstage/backend-defaults": "^0.0.0-nightly-20240122021809",
+    "@backstage/backend-test-utils": "^0.0.0-nightly-20240122021809",
+    "@backstage/cli": "^0.0.0-nightly-20240122021809",
+    "@backstage/config": "^1.1.1",
+    "cookie-parser": "^1.4.6",
+    "express-promise-router": "^4.1.1",
+    "express-session": "^1.17.3",
+    "jose": "^4.14.6",
+    "msw": "^1.3.1",
+    "supertest": "^6.3.3"
+  },
+  "configSchema": "config.d.ts",
+  "files": [
+    "dist",
+    "config.d.ts"
+  ]
+}