@backstage/plugin-auth-backend 0.0.0-nightly-2021102922210 → 0.0.0-nightly-202111922557

package/dist/index.d.ts

@@ -7,6 +7,7 @@ import { UserEntity, Entity } from '@backstage/catalog-model';
 import { Config } from '@backstage/config';
 import { Profile } from 'passport';
 import { JSONWebKey } from 'jose';
+import { TokenSet, UserinfoResponse } from 'openid-client';
 
 /** Represents any form of serializable JWK */
 interface AnyJWK extends Record<string, string> {
@@ -69,7 +70,16 @@ declare type OAuthResult = {
     accessToken: string;
     refreshToken?: string;
 };
-declare type OAuthResponse = AuthResponse<OAuthProviderInfo>;
+/**
+ * The expected response from an OAuth flow.
+ *
+ * @public
+ */
+declare type OAuthResponse = {
+    profile: ProfileInfo;
+    providerInfo: OAuthProviderInfo;
+    backstageIdentity?: BackstageSignInResult;
+};
 declare type OAuthProviderInfo = {
     /**
      * An access token issued for the signed in user.
@@ -122,7 +132,7 @@ interface OAuthHandlers {
      * @param {express.Request} req
      */
     handler(req: express.Request): Promise<{
-        response: AuthResponse<OAuthProviderInfo>;
+        response: OAuthResponse;
         refreshToken?: string;
     }>;
     /**
@@ -130,7 +140,7 @@ interface OAuthHandlers {
      * @param {string} refreshToken
      * @param {string} scope
      */
-    refresh?(req: OAuthRefreshRequest): Promise<AuthResponse<OAuthProviderInfo>>;
+    refresh?(req: OAuthRefreshRequest): Promise<OAuthResponse>;
     /**
      * (Optional) Sign out of the auth provider.
      */
@@ -157,7 +167,7 @@ declare class IdentityClient {
      * Returns a BackstageIdentity (user) matching the token.
      * The method throws an error if verification fails.
      */
-    authenticate(token: string | undefined): Promise<BackstageIdentity>;
+    authenticate(token: string | undefined): Promise<BackstageIdentityResponse>;
     /**
      * Parses the given authorization header and returns
      * the bearer token, or null if no bearer token is given
@@ -210,7 +220,7 @@ declare class CatalogIdentityClient {
      *
      * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
      */
-    resolveCatalogMembership({ entityRefs, logger, }: MemberClaimQuery): Promise<string[]>;
+    resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
 
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
@@ -316,37 +326,83 @@ declare type AuthProviderFactory = (options: AuthProviderFactoryOptions) => Auth
 declare type AuthResponse<ProviderInfo> = {
     providerInfo: ProviderInfo;
     profile: ProfileInfo;
-    backstageIdentity?: BackstageIdentity;
+    backstageIdentity?: BackstageIdentityResponse;
 };
-declare type BackstageIdentity = {
+/**
+ * User identity information within Backstage.
+ *
+ * @public
+ */
+declare type BackstageUserIdentity = {
     /**
-     * An opaque ID that uniquely identifies the user within Backstage.
-     *
-     * This is typically the same as the user entity `metadata.name`.
+     * The type of identity that this structure represents. In the frontend app
+     * this will currently always be 'user'.
      */
-    id: string;
+    type: 'user';
     /**
-     * This is deprecated, use `token` instead.
-     * @deprecated
+     * The entityRef of the user in the catalog.
+     * For example User:default/sandra
      */
-    idToken?: string;
+    userEntityRef: string;
     /**
-     * The token used to authenticate the user within Backstage.
+     * The user and group entities that the user claims ownership through
      */
-    token?: string;
+    ownershipEntityRefs: string[];
+};
+/**
+ * A representation of a successful Backstage sign-in.
+ *
+ * Compared to the {@link BackstageIdentityResponse} this type omits
+ * the decoded identity information embedded in the token.
+ *
+ * @public
+ */
+interface BackstageSignInResult {
+    /**
+     * An opaque ID that uniquely identifies the user within Backstage.
+     *
+     * This is typically the same as the user entity `metadata.name`.
+     *
+     * @deprecated Use the `identity` field instead
+     */
+    id: string;
     /**
      * The entity that the user is represented by within Backstage.
      *
      * This entity may or may not exist within the Catalog, and it can be used
      * to read and store additional metadata about the user.
+     *
+     * @deprecated Use the `identity` field instead.
      */
     entity?: Entity;
-};
+    /**
+     * The token used to authenticate the user within Backstage.
+     */
+    token: string;
+}
+/**
+ * The old exported symbol for {@link BackstageSignInResult}.
+ * @public
+ * @deprecated Use the `BackstageSignInResult` type instead.
+ */
+declare type BackstageIdentity = BackstageSignInResult;
+/**
+ * Response object containing the {@link BackstageUserIdentity} and the token from the authentication provider.
+ * @public
+ */
+interface BackstageIdentityResponse extends BackstageSignInResult {
+    /**
+     * A plaintext description of the identity that is encapsulated within the token.
+     */
+    identity: BackstageUserIdentity;
+}
 /**
  * Used to display login information to user, i.e. sidebar popup.
  *
  * It is also temporarily used as the profile of the signed-in user's Backstage
  * identity, but we want to replace that with data from identity and/org catalog service
+ *
+ * @public
  */
 declare type ProfileInfo = {
     /**
@@ -377,7 +433,7 @@ declare type SignInResolver<AuthResult> = (info: SignInInfo<AuthResult>, context
     tokenIssuer: TokenIssuer;
     catalogIdentityClient: CatalogIdentityClient;
     logger: Logger;
-}) => Promise<BackstageIdentity>;
+}) => Promise<BackstageSignInResult>;
 declare type AuthHandlerResult = {
     profile: ProfileInfo;
 };
@@ -554,6 +610,18 @@ declare type OAuth2ProviderOptions = {
 };
 declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
 
+declare type AuthResult = {
+    tokenset: TokenSet;
+    userinfo: UserinfoResponse;
+};
+declare type OidcProviderOptions = {
+    authHandler?: AuthHandler<AuthResult>;
+    signIn?: {
+        resolver?: SignInResolver<AuthResult>;
+    };
+};
+declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
+
 declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
 declare type OktaProviderOptions = {
     /**
@@ -678,10 +746,41 @@ declare type AwsAlbProviderOptions = {
 };
 declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
 
+/** @public */
+declare type SamlAuthResult = {
+    fullProfile: any;
+};
+/** @public */
+declare type SamlProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<SamlAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<SamlAuthResult>;
+    };
+};
+/** @public */
+declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
+
 declare const factories: {
     [providerId: string]: AuthProviderFactory;
 };
 
+/**
+ * Parses token and decorates the BackstageIdentityResponse with identity information sourced from the token
+ *
+ * @public
+ */
+declare function prepareBackstageIdentityResponse(result: BackstageSignInResult): BackstageIdentityResponse;
+
 declare type ProviderFactories = {
     [s: string]: AuthProviderFactory;
 };
@@ -692,7 +791,7 @@ interface RouterOptions {
     discovery: PluginEndpointDiscovery;
     providerFactories?: ProviderFactories;
 }
-declare function createRouter({ logger, config, discovery, database, providerFactories, }: RouterOptions): Promise<express.Router>;
+declare function createRouter(options: RouterOptions): Promise<express.Router>;
 declare function createOriginFilter(config: Config): (origin: string) => boolean;
 
 /**
@@ -710,4 +809,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OktaProviderOptions, ProfileInfo, RouterOptions, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAwsAlbProvider, createBitbucketProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOktaProvider, createOriginFilter, createRouter, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OktaProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAwsAlbProvider, createBitbucketProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOidcProvider, createOktaProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.0.0-nightly-2021102922210",
+  "version": "0.0.0-nightly-202111922557",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -30,12 +30,12 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.0.0-nightly-2021102922210",
+    "@backstage/backend-common": "^0.0.0-nightly-202111922557",
     "@backstage/catalog-client": "^0.5.2",
     "@backstage/catalog-model": "^0.9.7",
     "@backstage/config": "^0.1.11",
     "@backstage/errors": "^0.1.5",
-    "@backstage/test-utils": "^0.1.23",
+    "@backstage/test-utils": "^0.0.0-nightly-202111922557",
     "@google-cloud/firestore": "^4.15.1",
     "@types/express": "^4.17.6",
     "@types/passport": "^1.0.3",
@@ -73,7 +73,7 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.0.0-nightly-2021102922210",
+    "@backstage/cli": "^0.0.0-nightly-202111922557",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",