npm - @backstage/plugin-auth-backend - Versions diffs - 0.13.0 → 0.13.1-next.2 - Mend

@backstage/plugin-auth-backend 0.13.0 → 0.13.1-next.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,53 @@
 # @backstage/plugin-auth-backend
+## 0.13.1-next.2
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.2
+  - @backstage/config@1.0.1-next.0
+  - @backstage/catalog-model@1.0.2-next.0
+  - @backstage/plugin-auth-node@0.2.1-next.1
+  - @backstage/catalog-client@1.0.2-next.0
+## 0.13.1-next.1
+### Patch Changes
+- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
+- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.
+  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.
+  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.1
+## 0.13.1-next.0
+### Patch Changes
+- cfc0f19699: Updated dependency `fs-extra` to `10.1.0`.
+- 787ae0d541: Add more common predefined sign-in resolvers to auth providers.
+  Add the existing resolver to more providers (already available at `google`):
+  - `providers.microsoft.resolvers.emailLocalPartMatchingUserEntityName()`
+  - `providers.okta.resolvers.emailLocalPartMatchingUserEntityName()`
+  Add a new resolver for simple email-to-email matching:
+  - `providers.google.resolvers.emailMatchingUserEntityProfileEmail()`
+  - `providers.microsoft.resolvers.emailMatchingUserEntityProfileEmail()`
+  - `providers.okta.resolvers.emailMatchingUserEntityProfileEmail()`
+- 9ec4e0613e: Update to `jose` 4.6.0
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.0
+  - @backstage/plugin-auth-node@0.2.1-next.0
 ## 0.13.0
 ### Minor Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -763,10 +763,6 @@ const createAuth0Provider = auth0.create;
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
 class AwsAlbAuthProvider {
   constructor(options) {
     this.region = options.region;
@@ -801,9 +797,8 @@ class AwsAlbAuthProvider {
       throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`);
     }
     try {
-      const headers = getJWTHeaders(jwt);
-      const key = await this.getKey(headers.kid);
-      const claims = jose.JWT.verify(jwt, key);
+      const verifyResult = await jose.jwtVerify(jwt, this.getKey);
+      const claims = verifyResult.payload;
       if (this.issuer && claims.iss !== this.issuer) {
         throw new errors.AuthenticationError("Issuer mismatch on JWT token");
       }
@@ -843,14 +838,17 @@ class AwsAlbAuthProvider {
       profile
     };
   }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
+  async getKey(header) {
+    if (!header.kid) {
+      throw new errors.AuthenticationError("No key id was specified in header");
+    }
+    const optionalCacheKey = this.keyCache.get(header.kid);
     if (optionalCacheKey) {
       return crypto__namespace.createPublicKey(optionalCacheKey);
     }
-    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${encodeURIComponent(this.region)}.amazonaws.com/${encodeURIComponent(keyId)}`).then((response) => response.text());
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${encodeURIComponent(this.region)}.amazonaws.com/${encodeURIComponent(header.kid)}`).then((response) => response.text());
     const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
+    this.keyCache.set(header.kid, keyValue.export({ format: "pem", type: "spki" }));
     return keyValue;
   }
 }
@@ -1257,6 +1255,17 @@ const commonByEmailLocalPartResolver = async (info, ctx) => {
     entityRef: { name: localPart }
   });
 };
+const commonByEmailResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  return ctx.signInWithCatalogUser({
+    filter: {
+      "spec.profile.email": profile.email
+    }
+  });
+};
 class GoogleAuthProvider {
   constructor(options) {
@@ -1354,6 +1363,7 @@ const google = createAuthProviderIntegration({
   },
   resolvers: {
     emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
     emailMatchingUserEntityAnnotation() {
       return async (info, ctx) => {
         const { profile } = info;
@@ -1483,6 +1493,8 @@ const microsoft = createAuthProviderIntegration({
     });
   },
   resolvers: {
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
     emailMatchingUserEntityAnnotation() {
       return async (info, ctx) => {
         const { profile } = info;
@@ -1629,7 +1641,20 @@ class Oauth2ProxyAuthProvider {
   }
   async refresh(req, res) {
     try {
-      const result = this.getResult(req);
+      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+      const decodedJWT = jwt && jose.decodeJwt(jwt);
+      const result = {
+        fullProfile: decodedJWT || {},
+        accessToken: jwt || "",
+        headers: req.headers,
+        getHeader(name) {
+          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
+            throw new Error("Access Set-Cookie via the headers object instead");
+          }
+          return req.get(name);
+        }
+      };
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
@@ -1653,18 +1678,14 @@ class Oauth2ProxyAuthProvider {
       profile
     };
   }
-  getResult(req) {
-    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-    const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
-    if (!jwt) {
-      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+}
+async function defaultAuthHandler$1(result) {
+  return {
+    profile: {
+      email: result.getHeader("x-forwarded-email"),
+      displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
     }
-    const decodedJWT = jose.JWT.decode(jwt);
-    return {
-      fullProfile: decodedJWT,
-      accessToken: jwt
-    };
-  }
+  };
 }
 const oauth2Proxy = createAuthProviderIntegration({
   create(options) {
@@ -1674,7 +1695,7 @@ const oauth2Proxy = createAuthProviderIntegration({
       return new Oauth2ProxyAuthProvider({
         resolverContext,
         signInResolver,
-        authHandler
+        authHandler: authHandler != null ? authHandler : defaultAuthHandler$1
       });
     };
   }
@@ -1919,6 +1940,8 @@ const okta = createAuthProviderIntegration({
     });
   },
   resolvers: {
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
     emailMatchingUserEntityAnnotation() {
       return async (info, ctx) => {
         const { profile } = info;
@@ -2299,10 +2322,10 @@ class TokenFactory {
       throw new Error('"sub" claim provided by the auth resolver is not a valid EntityRef.');
     }
     this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
-    });
+    if (!key.alg) {
+      throw new errors.AuthenticationError("No algorithm was provided in the key");
+    }
+    return new jose.SignJWT({ iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();
@@ -2339,14 +2362,14 @@ class TokenFactory {
       seconds: this.keyDurationSeconds
     }).toJSDate();
     const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
-      });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
+      const key = await jose.generateKeyPair("ES256");
+      const publicKey = await jose.exportJWK(key.publicKey);
+      const privateKey = await jose.exportJWK(key.privateKey);
+      publicKey.kid = privateKey.kid = uuid.v4();
+      publicKey.alg = privateKey.alg = "ES256";
+      this.logger.info(`Created new signing key ${publicKey.kid}`);
+      await this.keyStore.addKey(publicKey);
+      return privateKey;
     })();
     this.privateKeyPromise = promise;
     try {