@backstage/plugin-auth-backend 0.13.1-next.1 → 0.14.1-next.0

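--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,63 @@
 # @backstage/plugin-auth-backend
 
+## 0.14.1-next.0
+
+### Patch Changes
+
+- f6aae90e4e: Added configurable algorithm field for TokenFactory
+- Updated dependencies
+- @backstage/backend-common@0.13.6-next.0
+- @backstage/plugin-auth-node@0.2.2-next.0
+
+## 0.14.0
+
+### Minor Changes
+
+- 2df2f01a29: Removed the explicit `disableRefresh` option from `OAuthAdapter`. Refresh can still be disabled for a provider by not implementing the `refresh` method.
+
+### Patch Changes
+
+- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
+- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.
+
+The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.
+
+The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
+
+- 2df2f01a29: The Auth0 adapter no longer disables session refreshing.
+- cfc0f19699: Updated dependency `fs-extra` to `10.1.0`.
+- 787ae0d541: Add more common predefined sign-in resolvers to auth providers.
+
+Add the existing resolver to more providers (already available at `google`):
+
+- `providers.microsoft.resolvers.emailLocalPartMatchingUserEntityName()`
+- `providers.okta.resolvers.emailLocalPartMatchingUserEntityName()`
+
+Add a new resolver for simple email-to-email matching:
+
+- `providers.google.resolvers.emailMatchingUserEntityProfileEmail()`
+- `providers.microsoft.resolvers.emailMatchingUserEntityProfileEmail()`
+- `providers.okta.resolvers.emailMatchingUserEntityProfileEmail()`
+
+- 9ec4e0613e: Update to `jose` 4.6.0
+- Updated dependencies
+- @backstage/backend-common@0.13.3
+- @backstage/config@1.0.1
+- @backstage/plugin-auth-node@0.2.1
+- @backstage/catalog-client@1.0.2
+- @backstage/catalog-model@1.0.2
+
+## 0.13.1-next.2
+
+### Patch Changes
+
+- Updated dependencies
+- @backstage/backend-common@0.13.3-next.2
+- @backstage/config@1.0.1-next.0
+- @backstage/catalog-model@1.0.2-next.0
+- @backstage/plugin-auth-node@0.2.1-next.1
+- @backstage/catalog-client@1.0.2-next.0
+
 ## 0.13.1-next.1
 
 ### Patch Changes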
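--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -26,9 +26,9 @@ var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
 var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
-var uuid = require('uuid');
-var luxon = require('luxon');
 var catalogModel = require('@backstage/catalog-model');
+var luxon = require('luxon');
+var uuid = require('uuid');
 var backendCommon = require('@backstage/backend-common');
 var firestore = require('@google-cloud/firestore');
 var lodash = require('lodash');
@@ -367,7 +367,7 @@ class OAuthAdapter {
 this.setGrantedScopeCookie(res, state.scope);
 response.providerInfo.scope = state.scope;
 }
-if (refreshToken && !this.options.disableRefresh) {
+if (refreshToken) {
 this.setRefreshTokenCookie(res, refreshToken);
 }
 const identity = await this.populateIdentity(response.backstageIdentity);
@@ -395,7 +395,7 @@ class OAuthAdapter {
 if (!ensuresXRequestedWith(req)) {
 throw new errors.AuthenticationError("Invalid X-Requested-With header");
 }
-if (!this.handlers.refresh || this.options.disableRefresh) {
+if (!this.handlers.refresh) {
 throw new errors.InputError(`Refresh token is not supported for provider ${this.options.providerId}`);
 }
 try {
@@ -752,7 +752,6 @@ const auth0 = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: true,
 providerId,
 callbackUrl
 });
@@ -964,7 +963,6 @@ const bitbucket = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -1236,7 +1234,6 @@ const gitlab = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -1355,7 +1352,6 @@ const google = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -1486,7 +1482,6 @@ const microsoft = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -1515,9 +1510,11 @@ const microsoftEmailSignInResolver = microsoft.resolvers.emailMatchingUserEntity
 
 class OAuth2AuthProvider {
 constructor(options) {
+var _a;
 this.signInResolver = options.signInResolver;
 this.authHandler = options.authHandler;
 this.resolverContext = options.resolverContext;
+this.disableRefresh = (_a = options.disableRefresh) != null ? _a : false;
 this._strategy = new OAuth2Strategy.Strategy({
 clientID: options.clientId,
 clientSecret: options.clientSecret,
@@ -1556,6 +1553,9 @@ class OAuth2AuthProvider {
 };
 }
 async refresh(req) {
+if (this.disableRefresh) {
+throw new errors.InputError("Session refreshes have been disabled");
+}
 const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
 const { accessToken, params, refreshToken } = refreshTokenResponse;
 const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
@@ -1617,10 +1617,10 @@ const oauth2 = createAuthProviderIntegration({
 tokenUrl,
 scope,
 includeBasicAuth,
-resolverContext
+resolverContext,
+disableRefresh
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh,
 providerId,
 callbackUrl
 });
@@ -1820,7 +1820,6 @@ const oidc = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -1933,7 +1932,6 @@ const okta = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -2051,7 +2049,6 @@ const onelogin = createAuthProviderIntegration({
 resolverContext
 });
 return OAuthAdapter.fromConfig(globalConfig, provider, {
-disableRefresh: false,
 providerId,
 callbackUrl
 });
@@ -2303,10 +2300,12 @@ function createOidcRouter(options) {
 const MS_IN_S = 1e3;
 class TokenFactory {
 constructor(options) {
+var _a;
 this.issuer = options.issuer;
 this.logger = options.logger;
 this.keyStore = options.keyStore;
 this.keyDurationSeconds = options.keyDurationSeconds;
+this.algorithm = (_a = options.algorithm) != null ? _a : "ES256";
 }
 async issueToken(params) {
 const key = await this.getKey();
@@ -2362,11 +2361,11 @@ class TokenFactory {
 seconds: this.keyDurationSeconds
 }).toJSDate();
 const promise = (async () => {
-const key = await jose.generateKeyPair("ES256");
+const key = await jose.generateKeyPair(this.algorithm);
 const publicKey = await jose.exportJWK(key.publicKey);
 const privateKey = await jose.exportJWK(key.privateKey);
 publicKey.kid = privateKey.kid = uuid.v4();
-publicKey.alg = privateKey.alg = "ES256";
+publicKey.alg = privateKey.alg = this.algorithm;
 this.logger.info(`Created new signing key ${publicKey.kid}`);
 await this.keyStore.addKey(publicKey);
 return privateKey;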
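Review bot: With the adapter-level guard reduced to `if (refreshToken)` in `OAuthAdapter`, the generic `oauth2` provider configured with `disableRefresh: true` will still have its refresh token written to the browser by `setRefreshTokenCookie`, because `OAuth2AuthProvider` now always exposes a `refresh` method and only throws inside it, so the `!this.handlers.refresh` check never fires for it. The result is a long-lived credential persisted client-side that the server will refuse to use, which quietly reverses what the option used to guarantee. Unless the provider's `handler` (not shown in this diff) already omits the token when the option is set, I'd strip it there before the result is returned, e.g. `if (this.disableRefresh) delete providerInfo.refreshToken;`, or restore a guard ahead of the cookie write. On the `TokenFactory` hunk, `options.algorithm` also flows unvalidated into `jose.generateKeyPair` and into the published JWK `alg`; checking it against an allow-list of supported asymmetric algorithms in the constructor would fail fast at startup rather than, presumably, when the first token is issued through `getKey`.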