@backstage/plugin-auth-backend 0.0.0-nightly-20240403021132 → 0.0.0-nightly-20240404021212
- package/CHANGELOG.md +21 -20
- package/dist/index.cjs.js +48 -5
- package/dist/index.cjs.js.map +1 -1
- package/package.json +19 -19
package/CHANGELOG.md
CHANGED
|
@@ -1,30 +1,31 @@
|
|
|
1
1
|
# @backstage/plugin-auth-backend
|
|
2
2
|
|
|
3
|
-
## 0.0.0-nightly-
|
|
4
|
-
|
|
5
|
-
### Patch Changes
|
|
6
|
-
|
|
7
|
-
-
|
|
8
|
-
|
|
9
|
-
- @backstage/
|
|
3
|
+
## 0.0.0-nightly-20240404021212
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- d62bc51: Added token type header parameter and user identity proof to issued user tokens.
|
|
8
|
+
- Updated dependencies
|
|
9
|
+
- @backstage/plugin-auth-node@0.0.0-nightly-20240404021212
|
|
10
|
+
- @backstage/plugin-auth-backend-module-aws-alb-provider@0.0.0-nightly-20240404021212
|
|
11
|
+
- @backstage/backend-common@0.0.0-nightly-20240404021212
|
|
12
|
+
- @backstage/plugin-auth-backend-module-atlassian-provider@0.0.0-nightly-20240404021212
|
|
13
|
+
- @backstage/plugin-auth-backend-module-github-provider@0.0.0-nightly-20240404021212
|
|
14
|
+
- @backstage/plugin-auth-backend-module-gitlab-provider@0.0.0-nightly-20240404021212
|
|
15
|
+
- @backstage/plugin-auth-backend-module-google-provider@0.0.0-nightly-20240404021212
|
|
16
|
+
- @backstage/plugin-auth-backend-module-microsoft-provider@0.0.0-nightly-20240404021212
|
|
17
|
+
- @backstage/plugin-auth-backend-module-oauth2-provider@0.0.0-nightly-20240404021212
|
|
18
|
+
- @backstage/plugin-auth-backend-module-oidc-provider@0.0.0-nightly-20240404021212
|
|
19
|
+
- @backstage/plugin-auth-backend-module-okta-provider@0.0.0-nightly-20240404021212
|
|
20
|
+
- @backstage/backend-plugin-api@0.0.0-nightly-20240404021212
|
|
21
|
+
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.0.0-nightly-20240404021212
|
|
22
|
+
- @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.0.0-nightly-20240404021212
|
|
23
|
+
- @backstage/plugin-catalog-node@0.0.0-nightly-20240404021212
|
|
10
24
|
- @backstage/catalog-client@1.6.3
|
|
11
25
|
- @backstage/catalog-model@1.4.5
|
|
12
26
|
- @backstage/config@1.2.0
|
|
13
27
|
- @backstage/errors@1.2.4
|
|
14
28
|
- @backstage/types@1.1.1
|
|
15
|
-
- @backstage/plugin-auth-backend-module-atlassian-provider@0.0.0-nightly-20240403021132
|
|
16
|
-
- @backstage/plugin-auth-backend-module-aws-alb-provider@0.0.0-nightly-20240403021132
|
|
17
|
-
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.0.0-nightly-20240403021132
|
|
18
|
-
- @backstage/plugin-auth-backend-module-github-provider@0.0.0-nightly-20240403021132
|
|
19
|
-
- @backstage/plugin-auth-backend-module-gitlab-provider@0.0.0-nightly-20240403021132
|
|
20
|
-
- @backstage/plugin-auth-backend-module-google-provider@0.0.0-nightly-20240403021132
|
|
21
|
-
- @backstage/plugin-auth-backend-module-microsoft-provider@0.0.0-nightly-20240403021132
|
|
22
|
-
- @backstage/plugin-auth-backend-module-oauth2-provider@0.0.0-nightly-20240403021132
|
|
23
|
-
- @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.0.0-nightly-20240403021132
|
|
24
|
-
- @backstage/plugin-auth-backend-module-oidc-provider@0.0.0-nightly-20240403021132
|
|
25
|
-
- @backstage/plugin-auth-backend-module-okta-provider@0.0.0-nightly-20240403021132
|
|
26
|
-
- @backstage/plugin-auth-node@0.0.0-nightly-20240403021132
|
|
27
|
-
- @backstage/plugin-catalog-node@0.0.0-nightly-20240403021132
|
|
28
29
|
|
|
29
30
|
## 0.22.4-next.0
|
|
30
31
|
|
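--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -2225,8 +2225,8 @@ class TokenFactory {
 async issueToken(params) {
 const key = await this.getKey();
 const iss = this.issuer;
-const { sub, ent, ...additionalClaims } = params.claims;
-const aud =
+const { sub, ent = [sub], ...additionalClaims } = params.claims;
+const aud = pluginAuthNode.tokenTypes.user.audClaim;
 const iat = Math.floor(Date.now() / MS_IN_S$1);
 const exp = iat + this.keyDurationSeconds;
 try {
@@ -2236,12 +2236,35 @@ class TokenFactory {
 '"sub" claim provided by the auth resolver is not a valid EntityRef.'
 );
 }
-this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
 if (!key.alg) {
 throw new errors.AuthenticationError("No algorithm was provided in the key");
 }
-
-const
+this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+const signingKey = await jose.importJWK(key);
+const uip = await this.createUserIdentityClaim({
+header: {
+typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+alg: key.alg,
+kid: key.kid
+},
+payload: { sub, ent, iat, exp },
+key: signingKey
+});
+const claims = {
+...additionalClaims,
+iss,
+sub,
+ent,
+aud,
+iat,
+exp,
+uip
+};
+const token = await new jose.SignJWT(claims).setProtectedHeader({
+typ: pluginAuthNode.tokenTypes.user.typParam,
+alg: key.alg,
+kid: key.kid
+}).sign(signingKey);
 if (token.length > MAX_TOKEN_LENGTH) {
 throw new Error(
 `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
@@ -2308,6 +2331,26 @@ class TokenFactory {
 }
 return promise;
 }
+// Creates a string claim that can be used as part of reconstructing a limited
+// user token. The output of this function is only the signature part of a
+// JWS.
+async createUserIdentityClaim(options) {
+const header = {
+typ: options.header.typ,
+alg: options.header.alg,
+...options.header.kid ? { kid: options.header.kid } : {}
+};
+const payload = {
+sub: options.payload.sub,
+ent: options.payload.ent,
+iat: options.payload.iat,
+exp: options.payload.exp
+};
+const jws = await new jose.GeneralSign(
+new TextEncoder().encode(JSON.stringify(payload))
+).addSignature(options.key).setProtectedHeader(header).done().sign();
+return jws.signatures[0].signature;
+}
 }
 
 const TABLE = "signing_keys";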
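Review bot: The `uip` value returned by createUserIdentityClaim is a detached signature over the exact bytes of `JSON.stringify(payload)` plus the protected header, so the property order `sub, ent, iat, exp` and `typ, alg, kid` is part of the verification contract, yet the comment above the method does not say so and a later reorder would silently invalidate every reconstructed limited user token. I would extend that comment with `// The signature covers the exact serialization built here (property order included); any code that reconstructs the limited user token must produce a byte-identical header and payload.` In the issueToken hunk, the new `ent = [sub]` destructuring default fires only for undefined, so a resolver that passes `ent: null` now places `null` into both the token claims and the uip payload, whereas the removed log line treated null as `[]`; whether null can reach this point depends on the resolver types, which are outside this diff. If null should still mean "no entities", `const { sub, ent: rawEnt, ...additionalClaims } = params.claims;` followed by `const ent = rawEnt ?? [sub];` keeps that behaviour. issueToken's body continues outside the hunk.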