@backstage/plugin-auth-backend 0.13.1-next.0 → 0.14.0

package/CHANGELOG.md

@@ -1,5 +1,68 @@
 # @backstage/plugin-auth-backend
 
+## 0.14.0
+
+### Minor Changes
+
+- 2df2f01a29: Removed the explicit `disableRefresh` option from `OAuthAdapter`. Refresh can still be disabled for a provider by not implementing the `refresh` method.
+
+### Patch Changes
+
+- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
+- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.
+
+  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.
+
+  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
+
+- 2df2f01a29: The Auth0 adapter no longer disables session refreshing.
+- cfc0f19699: Updated dependency `fs-extra` to `10.1.0`.
+- 787ae0d541: Add more common predefined sign-in resolvers to auth providers.
+
+  Add the existing resolver to more providers (already available at `google`):
+
+  - `providers.microsoft.resolvers.emailLocalPartMatchingUserEntityName()`
+  - `providers.okta.resolvers.emailLocalPartMatchingUserEntityName()`
+
+  Add a new resolver for simple email-to-email matching:
+
+  - `providers.google.resolvers.emailMatchingUserEntityProfileEmail()`
+  - `providers.microsoft.resolvers.emailMatchingUserEntityProfileEmail()`
+  - `providers.okta.resolvers.emailMatchingUserEntityProfileEmail()`
+
+- 9ec4e0613e: Update to `jose` 4.6.0
+- Updated dependencies
+  - @backstage/backend-common@0.13.3
+  - @backstage/config@1.0.1
+  - @backstage/plugin-auth-node@0.2.1
+  - @backstage/catalog-client@1.0.2
+  - @backstage/catalog-model@1.0.2
+
+## 0.13.1-next.2
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.2
+  - @backstage/config@1.0.1-next.0
+  - @backstage/catalog-model@1.0.2-next.0
+  - @backstage/plugin-auth-node@0.2.1-next.1
+  - @backstage/catalog-client@1.0.2-next.0
+
+## 0.13.1-next.1
+
+### Patch Changes
+
+- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
+- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.
+
+  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.
+
+  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
+
+- Updated dependencies
+  - @backstage/backend-common@0.13.3-next.1
+
 ## 0.13.1-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -367,7 +367,7 @@ class OAuthAdapter {
         this.setGrantedScopeCookie(res, state.scope);
         response.providerInfo.scope = state.scope;
       }
-      if (refreshToken && !this.options.disableRefresh) {
+      if (refreshToken) {
         this.setRefreshTokenCookie(res, refreshToken);
       }
       const identity = await this.populateIdentity(response.backstageIdentity);
@@ -395,7 +395,7 @@ class OAuthAdapter {
     if (!ensuresXRequestedWith(req)) {
       throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
-    if (!this.handlers.refresh || this.options.disableRefresh) {
+    if (!this.handlers.refresh) {
       throw new errors.InputError(`Refresh token is not supported for provider ${this.options.providerId}`);
     }
     try {
@@ -752,7 +752,6 @@ const auth0 = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: true,
         providerId,
         callbackUrl
       });
@@ -964,7 +963,6 @@ const bitbucket = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -1236,7 +1234,6 @@ const gitlab = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -1355,7 +1352,6 @@ const google = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -1486,7 +1482,6 @@ const microsoft = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -1515,9 +1510,11 @@ const microsoftEmailSignInResolver = microsoft.resolvers.emailMatchingUserEntity
 
 class OAuth2AuthProvider {
   constructor(options) {
+    var _a;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
+    this.disableRefresh = (_a = options.disableRefresh) != null ? _a : false;
     this._strategy = new OAuth2Strategy.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -1556,6 +1553,9 @@ class OAuth2AuthProvider {
     };
   }
   async refresh(req) {
+    if (this.disableRefresh) {
+      throw new errors.InputError("Session refreshes have been disabled");
+    }
     const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const { accessToken, params, refreshToken } = refreshTokenResponse;
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
@@ -1617,10 +1617,10 @@ const oauth2 = createAuthProviderIntegration({
         tokenUrl,
         scope,
         includeBasicAuth,
-        resolverContext
+        resolverContext,
+        disableRefresh
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh,
         providerId,
         callbackUrl
       });
@@ -1641,7 +1641,20 @@ class Oauth2ProxyAuthProvider {
   }
   async refresh(req, res) {
     try {
-      const result = this.getResult(req);
+      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+      const decodedJWT = jwt && jose.decodeJwt(jwt);
+      const result = {
+        fullProfile: decodedJWT || {},
+        accessToken: jwt || "",
+        headers: req.headers,
+        getHeader(name) {
+          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
+            throw new Error("Access Set-Cookie via the headers object instead");
+          }
+          return req.get(name);
+        }
+      };
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
@@ -1665,18 +1678,14 @@ class Oauth2ProxyAuthProvider {
       profile
     };
   }
-  getResult(req) {
-    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-    const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
-    if (!jwt) {
-      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+}
+async function defaultAuthHandler$1(result) {
+  return {
+    profile: {
+      email: result.getHeader("x-forwarded-email"),
+      displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
     }
-    const decodedJWT = jose.decodeJwt(jwt);
-    return {
-      fullProfile: decodedJWT,
-      accessToken: jwt
-    };
-  }
+  };
 }
 const oauth2Proxy = createAuthProviderIntegration({
   create(options) {
@@ -1686,7 +1695,7 @@ const oauth2Proxy = createAuthProviderIntegration({
       return new Oauth2ProxyAuthProvider({
         resolverContext,
         signInResolver,
-        authHandler
+        authHandler: authHandler != null ? authHandler : defaultAuthHandler$1
       });
     };
   }
@@ -1811,7 +1820,6 @@ const oidc = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -1924,7 +1932,6 @@ const okta = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -2042,7 +2049,6 @@ const onelogin = createAuthProviderIntegration({
         resolverContext
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
-        disableRefresh: false,
         providerId,
         callbackUrl
       });
@@ -2316,7 +2322,7 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ iss, sub, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return new jose.SignJWT({ iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();