@backstage/plugin-auth-backend 0.12.3 → 0.13.0-next.2

package/CHANGELOG.md CHANGED
@@ -1,5 +1,161 @@
1
1
  # @backstage/plugin-auth-backend
2
2
 
3
+ ## 0.13.0-next.2
4
+
5
+ ### Minor Changes
6
+
7
+ - c5aeaf339d: **BREAKING**: All auth providers have had their default sign-in resolvers removed. This means that if you want to use a particular provider for sign-in, you must provide an explicit sign-in resolver. For more information on how to configure sign-in resolvers, see the [sign-in resolver documentation](https://backstage.io/docs/auth/identity-resolver).
8
+
9
+ ### Patch Changes
10
+
11
+ - c5aeaf339d: **DEPRECATION**: The `AuthProviderFactoryOptions` type has been deprecated, as the options are now instead inlined in the `AuthProviderFactory` type. This will make it possible to more easily introduce new options in the future without a possibly breaking change.
12
+ - 794f7542b6: Updated openid-client from 4.1.2 to 5.1.3
13
+ - c5aeaf339d: **DEPRECATION**: The `getEntityClaims` helper has been deprecated, with `getDefaultOwnershipEntityRefs` being added to replace it.
14
+ - de231e5b06: Declare oauth2 `clientSecret` with visibility secret
15
+ - c5aeaf339d: **DEPRECATION**: All `create<Provider>Provider` and `<provider>*SignInResolver` have been deprecated. Instead, a single `providers` object is exported which contains all built-in auth providers.
16
+
17
+ If you have a setup that currently looks for example like this:
18
+
19
+ ```ts
20
+ import {
21
+ createRouter,
22
+ defaultAuthProviderFactories,
23
+ createGoogleProvider,
24
+ googleEmailSignInResolver,
25
+ } from '@backstage/plugin-auth-backend';
26
+ import { Router } from 'express';
27
+ import { PluginEnvironment } from '../types';
28
+
29
+ export default async function createPlugin(
30
+ env: PluginEnvironment,
31
+ ): Promise<Router> {
32
+ return await createRouter({
33
+ ...env,
34
+ providerFactories: {
35
+ ...defaultAuthProviderFactories,
36
+ google: createGoogleProvider({
37
+ signIn: {
38
+ resolver: googleEmailSignInResolver,
39
+ },
40
+ }),
41
+ },
42
+ });
43
+ }
44
+ ```
45
+
46
+ You would migrate it to something like this:
47
+
48
+ ```ts
49
+ import {
50
+ createRouter,
51
+ providers,
52
+ defaultAuthProviderFactories,
53
+ } from '@backstage/plugin-auth-backend';
54
+ import { Router } from 'express';
55
+ import { PluginEnvironment } from '../types';
56
+
57
+ export default async function createPlugin(
58
+ env: PluginEnvironment,
59
+ ): Promise<Router> {
60
+ return await createRouter({
61
+ ...env,
62
+ providerFactories: {
63
+ ...defaultAuthProviderFactories,
64
+ google: providers.google.create({
65
+ signIn: {
66
+ resolver:
67
+ providers.google.resolvers.emailMatchingUserEntityAnnotation(),
68
+ },
69
+ }),
70
+ },
71
+ });
72
+ }
73
+ ```
74
+
75
+ - c5aeaf339d: **DEPRECATION** The `AuthResolverContext` has received a number of changes, which is the context used by auth handlers and sign-in resolvers.
76
+
77
+ The following fields deprecated: `logger`, `tokenIssuer`, `catalogIdentityClient`. If you need to access the `logger`, you can do so through a closure instead. The `tokenIssuer` has been replaced with an `issueToken` method, which is available directory on the context. The `catalogIdentityClient` has been replaced by the `signInWithCatalogUser` method, as well as the lower level `findCatalogUser` method and `getDefaultOwnershipEntityRefs` helper.
78
+
79
+ It should be possible to migrate most sign-in resolvers to more or less only use `signInWithCatalogUser`, for example an email lookup resolver like this one:
80
+
81
+ ```ts
82
+ async ({ profile }, ctx) => {
83
+ if (!profile.email) {
84
+ throw new Error('Profile contained no email');
85
+ }
86
+
87
+ const entity = await ctx.catalogIdentityClient.findUser({
88
+ annotations: {
89
+ 'acme.org/email': profile.email,
90
+ },
91
+ });
92
+
93
+ const claims = getEntityClaims(entity);
94
+ const token = await ctx.tokenIssuer.issueToken({ claims });
95
+
96
+ return { id: entity.metadata.name, entity, token };
97
+ };
98
+ ```
99
+
100
+ can be migrated to the following:
101
+
102
+ ```ts
103
+ async ({ profile }, ctx) => {
104
+ if (!profile.email) {
105
+ throw new Error('Profile contained no email');
106
+ }
107
+
108
+ return ctx.signInWithCatalogUser({
109
+ annotations: {
110
+ 'acme.org/email': profile.email,
111
+ },
112
+ });
113
+ };
114
+ ```
115
+
116
+ While a direct entity name lookup using a user ID might look like this:
117
+
118
+ ```ts
119
+ async ({ result: { fullProfile } }, ctx) => {
120
+ return ctx.signInWithCatalogUser({
121
+ entityRef: {
122
+ name: fullProfile.userId,
123
+ },
124
+ });
125
+ };
126
+ ```
127
+
128
+ If you want more control over the way that users are looked up, ownership is assigned, or tokens are issued, you can use a combination of the `findCatalogUser`, `getDefaultOwnershipEntityRefs`, and `issueToken` instead.
129
+
130
+ - f4cdf4cac1: Defensively encode URL parameters when fetching ELB keys
131
+ - c5aeaf339d: Added exports of the following types: `AuthProviderConfig`, `StateEncoder`, `TokenParams`, `AwsAlbResult`.
132
+ - Updated dependencies
133
+ - @backstage/backend-common@0.13.2-next.2
134
+
135
+ ## 0.13.0-next.1
136
+
137
+ ### Patch Changes
138
+
139
+ - a45bce06e3: Handle trailing slashes on GitHub `enterpriseInstanceUrl` settings
140
+ - Updated dependencies
141
+ - @backstage/backend-common@0.13.2-next.1
142
+
143
+ ## 0.13.0-next.0
144
+
145
+ ### Minor Changes
146
+
147
+ - 15d3a3c39a: **BREAKING**: All sign-in resolvers must now return a `token` in their sign-in result. Returning an `id` is no longer supported.
148
+
149
+ ### Patch Changes
150
+
151
+ - 2cc1d1b235: Applied the fix from version 0.12.3 of this package, which is part of the v1.0.1 release of Backstage.
152
+ - 6ee04078e1: **DEPRECATION**: The `tokenIssuer` option for `OAuthAdapter` is no longer needed and has been deprecated.
153
+ - Updated dependencies
154
+ - @backstage/catalog-model@1.0.1-next.0
155
+ - @backstage/plugin-auth-node@0.2.0-next.0
156
+ - @backstage/backend-common@0.13.2-next.0
157
+ - @backstage/catalog-client@1.0.1-next.0
158
+
3
159
  ## 0.12.3
4
160
 
5
161
  ### Patch Changes
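Review bot: The **BREAKING** entry under 0.13.0-next.2 says every provider lost its default sign-in resolver, yet the migration example further down still spreads `defaultAuthProviderFactories` and overrides only `google`, so a reader cannot tell what the remaining default providers do on a sign-in attempt. Say so in the entry, for example that providers taken from `defaultAuthProviderFactories` reject sign-in until a resolver is configured, if that is the behaviour. The direct-lookup example passes `fullProfile.userId` straight into `entityRef.name`; a sentence noting that this assumes the provider's user ID maps one-to-one to catalog user names would help integrators pick the right resolver. Entries f4cdf4cac1 and 2cc1d1b235 read as security-relevant but do not say what was affected ("the fix from version 0.12.3" is never named); a short description would let operators judge urgency. Two wording slips in the `AuthResolverContext` entry: "The following fields deprecated" is missing "are", and "available directory on the context" should read "directly".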
package/config.d.ts CHANGED
@@ -90,6 +90,9 @@ export interface Config {
90
90
  oauth2?: {
91
91
  [authEnv: string]: {
92
92
  clientId: string;
93
+ /**
94
+ * @visibility secret
95
+ */
93
96
  clientSecret: string;
94
97
  authorizationUrl: string;
95
98
  tokenUrl: string;
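Review bot: The new doc comment on `clientSecret` contains only the `@visibility secret` tag; add a one-line description of the field above the tag so the comment says what the value is as well as how it is classified. This hunk touches only the `oauth2` block, so confirm that the `clientSecret` fields of the other providers in `config.d.ts` carry the same tag, otherwise changelog entry de231e5b06 covers one provider and leaves the rest undeclared.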