@backstage/plugin-auth-backend 0.13.1-next.0 → 0.13.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @backstage/plugin-auth-backend
 
+## 0.13.1-next.1
+
+### Patch Changes
+
+- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
+- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.
+
+  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.
+
+  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
+
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.1
+
 ## 0.13.1-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -1641,7 +1641,20 @@ class Oauth2ProxyAuthProvider {
   }
   async refresh(req, res) {
     try {
-      const result = this.getResult(req);
+      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+      const decodedJWT = jwt && jose.decodeJwt(jwt);
+      const result = {
+        fullProfile: decodedJWT || {},
+        accessToken: jwt || "",
+        headers: req.headers,
+        getHeader(name) {
+          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
+            throw new Error("Access Set-Cookie via the headers object instead");
+          }
+          return req.get(name);
+        }
+      };
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
@@ -1665,18 +1678,14 @@ class Oauth2ProxyAuthProvider {
       profile
     };
   }
-  getResult(req) {
-    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-    const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
-    if (!jwt) {
-      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+}
+async function defaultAuthHandler$1(result) {
+  return {
+    profile: {
+      email: result.getHeader("x-forwarded-email"),
+      displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
     }
-    const decodedJWT = jose.decodeJwt(jwt);
-    return {
-      fullProfile: decodedJWT,
-      accessToken: jwt
-    };
-  }
+  };
 }
 const oauth2Proxy = createAuthProviderIntegration({
   create(options) {
@@ -1686,7 +1695,7 @@ const oauth2Proxy = createAuthProviderIntegration({
       return new Oauth2ProxyAuthProvider({
         resolverContext,
         signInResolver,
-        authHandler
+        authHandler: authHandler != null ? authHandler : defaultAuthHandler$1
       });
     };
   }
@@ -2316,7 +2325,7 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ iss, sub, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return new jose.SignJWT({ iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();