@backstage/plugin-auth-backend 0.14.2-next.0 → 0.15.0-next.3

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # @backstage/plugin-auth-backend
 
+## 0.15.0-next.3
+
+### Minor Changes
+
+- fe8e025af5: Allowed post method on /refresh path
+
+### Patch Changes
+
+- a70869e775: Updated dependency `msw` to `^0.43.0`.
+- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
+- 3a014730dc: Add new config option for okta auth server and IDP
+- Updated dependencies
+  - @backstage/backend-common@0.14.1-next.3
+  - @backstage/catalog-client@1.0.4-next.2
+  - @backstage/plugin-auth-node@0.2.3-next.2
+  - @backstage/catalog-model@1.1.0-next.3
+
+## 0.15.0-next.2
+
+### Patch Changes
+
+- 8e03db907a: Auth provider now also export createAuthProviderIntegration
+- 679b32172e: Updated dependency `knex` to `^2.0.0`.
+- Updated dependencies
+  - @backstage/catalog-model@1.1.0-next.2
+  - @backstage/backend-common@0.14.1-next.2
+
+## 0.15.0-next.1
+
+### Minor Changes
+
+- 9d4040777e: **BREAKING**: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.
+
+  **BREAKING**: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.
+
+  **BREAKING**: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.
+
+  **DEPRECATION**: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
+
+### Patch Changes
+
+- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
+- Updated dependencies
+  - @backstage/catalog-model@1.1.0-next.1
+  - @backstage/backend-common@0.14.1-next.1
+  - @backstage/errors@1.1.0-next.0
+  - @backstage/catalog-client@1.0.4-next.1
+  - @backstage/plugin-auth-node@0.2.3-next.1
+
 ## 0.14.2-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -15,16 +15,16 @@ var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var googleAuthLibrary = require('google-auth-library');
 var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
-var passportOktaOauth = require('passport-okta-oauth');
+var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
-var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
 var catalogModel = require('@backstage/catalog-model');
 var luxon = require('luxon');
@@ -645,7 +645,6 @@ const atlassian = createAuthProviderIntegration({
     });
   }
 });
-const createAtlassianProvider = atlassian.create;
 
 class Auth0Strategy extends OAuth2Strategy__default["default"] {
   constructor(options, verify) {
@@ -758,7 +757,6 @@ const auth0 = createAuthProviderIntegration({
     });
   }
 });
-const createAuth0Provider = auth0.create;
 
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
@@ -872,7 +870,6 @@ const awsAlb = createAuthProviderIntegration({
     };
   }
 });
-const createAwsAlbProvider = awsAlb.create;
 
 class BitbucketAuthProvider {
   constructor(options) {
@@ -997,9 +994,86 @@ const bitbucket = createAuthProviderIntegration({
     }
   }
 });
-const createBitbucketProvider = bitbucket.create;
-const bitbucketUsernameSignInResolver = bitbucket.resolvers.usernameMatchingUserEntityAnnotation();
-const bitbucketUserIdSignInResolver = bitbucket.resolvers.userIdMatchingUserEntityAnnotation();
+
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
+  }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
+  }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
+}
+const defaultAuthHandler$1 = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
+
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.resolverContext = options.resolverContext;
+  }
+  async start() {
+  }
+  async frameHandler() {
+  }
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver({ profile, result }, this.resolverContext);
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
+  }
+}
+const gcpIap = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      var _a;
+      const audience = config.getString("audience");
+      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler$1;
+      const signInResolver = options.signIn.resolver;
+      const tokenValidator = createTokenValidator(audience);
+      return new GcpIapProvider({
+        authHandler,
+        signInResolver,
+        tokenValidator,
+        resolverContext
+      });
+    };
+  }
+});
 
 const ACCESS_TOKEN_PREFIX = "access-token.";
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
@@ -1144,7 +1218,6 @@ const github = createAuthProviderIntegration({
     }
   }
 });
-const createGithubProvider = github.create;
 
 const gitlabDefaultAuthHandler = async ({
   fullProfile,
@@ -1240,7 +1313,6 @@ const gitlab = createAuthProviderIntegration({
     });
   }
 });
-const createGitlabProvider = gitlab.create;
 
 const commonByEmailLocalPartResolver = async (info, ctx) => {
   const { profile } = info;
@@ -1375,8 +1447,6 @@ const google = createAuthProviderIntegration({
     }
   }
 });
-const createGoogleProvider = google.create;
-const googleEmailSignInResolver = google.resolvers.emailMatchingUserEntityAnnotation();
 
 class MicrosoftAuthProvider {
   constructor(options) {
@@ -1505,8 +1575,6 @@ const microsoft = createAuthProviderIntegration({
     }
   }
 });
-const createMicrosoftProvider = microsoft.create;
-const microsoftEmailSignInResolver = microsoft.resolvers.emailMatchingUserEntityAnnotation();
 
 class OAuth2AuthProvider {
   constructor(options) {
@@ -1627,7 +1695,6 @@ const oauth2 = createAuthProviderIntegration({
     });
   }
 });
-const createOAuth2Provider = oauth2.create;
 
 const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
 class Oauth2ProxyAuthProvider {
@@ -1679,7 +1746,7 @@ class Oauth2ProxyAuthProvider {
     };
   }
 }
-async function defaultAuthHandler$1(result) {
+async function defaultAuthHandler(result) {
   return {
     profile: {
       email: result.getHeader("x-forwarded-email"),
@@ -1695,12 +1762,11 @@ const oauth2Proxy = createAuthProviderIntegration({
       return new Oauth2ProxyAuthProvider({
         resolverContext,
         signInResolver,
-        authHandler: authHandler != null ? authHandler : defaultAuthHandler$1
+        authHandler: authHandler != null ? authHandler : defaultAuthHandler
       });
     };
   }
 });
-const createOauth2ProxyProvider = oauth2Proxy.create;
 
 class OidcAuthProvider {
   constructor(options) {
@@ -1826,7 +1892,6 @@ const oidc = createAuthProviderIntegration({
     });
   }
 });
-const createOidcProvider = oidc.create;
 
 class OktaAuthProvider {
   constructor(options) {
@@ -1846,6 +1911,8 @@ class OktaAuthProvider {
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
       audience: options.audience,
+      authServerID: options.authServerId,
+      idp: options.idp,
       passReqToCallback: false,
       store: this.store,
       response_type: "code"
@@ -1914,6 +1981,8 @@ const okta = createAuthProviderIntegration({
       const clientId = envConfig.getString("clientId");
       const clientSecret = envConfig.getString("clientSecret");
       const audience = envConfig.getString("audience");
+      const authServerId = envConfig.getOptionalString("authServerId");
+      const idp = envConfig.getOptionalString("idp");
       const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
       const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
       if (!audience.startsWith("https://")) {
@@ -1924,6 +1993,8 @@ const okta = createAuthProviderIntegration({
       });
       const provider = new OktaAuthProvider({
         audience,
+        authServerId,
+        idp,
         clientId,
         clientSecret,
         callbackUrl,
@@ -1955,8 +2026,6 @@ const okta = createAuthProviderIntegration({
     }
   }
 });
-const createOktaProvider = okta.create;
-const oktaEmailSignInResolver = okta.resolvers.emailMatchingUserEntityAnnotation();
 
 class OneLoginProvider {
   constructor(options) {
@@ -2055,7 +2124,6 @@ const onelogin = createAuthProviderIntegration({
     });
   }
 });
-const createOneLoginProvider = onelogin.create;
 
 class SamlAuthProvider {
   constructor(options) {
@@ -2147,89 +2215,6 @@ const saml = createAuthProviderIntegration({
     }
   }
 });
-const createSamlProvider = saml.create;
-const samlNameIdEntityNameSignInResolver = saml.resolvers.nameIdMatchingUserEntityName();
-
-const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
-
-function createTokenValidator(audience, mockClient) {
-  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
-  return async function tokenValidator(token) {
-    const response = await client.getIapPublicKeys();
-    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new TypeError("Token had no payload");
-    }
-    return payload;
-  };
-}
-async function parseRequestToken(jwtToken, tokenValidator) {
-  if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
-  }
-  let payload;
-  try {
-    payload = await tokenValidator(jwtToken);
-  } catch (e) {
-    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
-  }
-  if (!payload.sub || !payload.email) {
-    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
-  }
-  return {
-    iapToken: {
-      ...payload,
-      sub: payload.sub,
-      email: payload.email
-    }
-  };
-}
-const defaultAuthHandler = async ({
-  iapToken
-}) => ({ profile: { email: iapToken.email } });
-
-class GcpIapProvider {
-  constructor(options) {
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenValidator = options.tokenValidator;
-    this.resolverContext = options.resolverContext;
-  }
-  async start() {
-  }
-  async frameHandler() {
-  }
-  async refresh(req, res) {
-    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver({ profile, result }, this.resolverContext);
-    const response = {
-      providerInfo: { iapToken: result.iapToken },
-      profile,
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
-    };
-    res.json(response);
-  }
-}
-const gcpIap = createAuthProviderIntegration({
-  create(options) {
-    return ({ config, resolverContext }) => {
-      var _a;
-      const audience = config.getString("audience");
-      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
-      const signInResolver = options.signIn.resolver;
-      const tokenValidator = createTokenValidator(audience);
-      return new GcpIapProvider({
-        authHandler,
-        signInResolver,
-        tokenValidator,
-        resolverContext
-      });
-    };
-  }
-});
-const createGcpIapProvider = gcpIap.create;
 
 const providers = Object.freeze({
   atlassian,
@@ -2248,21 +2233,20 @@ const providers = Object.freeze({
   onelogin,
   saml
 });
-
-const factories = {
-  google: createGoogleProvider(),
-  github: createGithubProvider(),
-  gitlab: createGitlabProvider(),
-  saml: createSamlProvider(),
-  okta: createOktaProvider(),
-  auth0: createAuth0Provider(),
-  microsoft: createMicrosoftProvider(),
-  oauth2: createOAuth2Provider(),
-  oidc: createOidcProvider(),
-  onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider(),
-  atlassian: createAtlassianProvider()
+const defaultAuthProviderFactories = {
+  google: google.create(),
+  github: github.create(),
+  gitlab: gitlab.create(),
+  saml: saml.create(),
+  okta: okta.create(),
+  auth0: auth0.create(),
+  microsoft: microsoft.create(),
+  oauth2: oauth2.create(),
+  oidc: oidc.create(),
+  onelogin: onelogin.create(),
+  awsalb: awsAlb.create(),
+  bitbucket: bitbucket.create(),
+  atlassian: atlassian.create()
 };
 
 function createOidcRouter(options) {
@@ -2598,16 +2582,6 @@ class CatalogIdentityClient {
   }
 }
 
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
-  return {
-    sub: userRef,
-    ent: [userRef, ...membershipRefs]
-  };
-}
-
 function getDefaultOwnershipEntityRefs(entity) {
   var _a, _b;
   const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
@@ -2687,6 +2661,7 @@ async function createRouter(options) {
     discovery,
     database,
     tokenManager,
+    tokenFactoryAlgorithm,
     providerFactories
   } = options;
   const router = Router__default["default"]();
@@ -2698,7 +2673,8 @@ async function createRouter(options) {
     issuer: authUrl,
     keyStore,
     keyDurationSeconds,
-    logger: logger.child({ component: "token-factory" })
+    logger: logger.child({ component: "token-factory" }),
+    algorithm: tokenFactoryAlgorithm
   });
   const catalogApi = new catalogClient.CatalogClient({ discoveryApi: discovery });
   const secret = config.getOptionalString("auth.session.secret");
@@ -2719,7 +2695,7 @@ async function createRouter(options) {
   router.use(express__default["default"].urlencoded({ extended: false }));
   router.use(express__default["default"].json());
   const allProviderFactories = {
-    ...factories,
+    ...defaultAuthProviderFactories,
     ...providerFactories
   };
   const providersConfig = config.getConfig("auth.providers");
@@ -2738,10 +2714,6 @@ async function createRouter(options) {
           },
           config: providersConfig.getConfig(providerId),
           logger,
-          tokenManager,
-          tokenIssuer,
-          discovery,
-          catalogApi,
           resolverContext: CatalogAuthResolverContext.create({
             logger,
             catalogApi,
@@ -2758,6 +2730,7 @@ async function createRouter(options) {
         }
         if (provider.refresh) {
           r.get("/refresh", provider.refresh.bind(provider));
+          r.post("/refresh", provider.refresh.bind(provider));
         }
         router.use(`/${providerId}`, r);
       } catch (e) {
@@ -2800,40 +2773,20 @@ function createOriginFilter(config) {
   };
 }
 
+exports.AtlassianAuthProvider = AtlassianAuthProvider;
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
-exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
-exports.createAtlassianProvider = createAtlassianProvider;
-exports.createAuth0Provider = createAuth0Provider;
-exports.createAwsAlbProvider = createAwsAlbProvider;
-exports.createBitbucketProvider = createBitbucketProvider;
-exports.createGcpIapProvider = createGcpIapProvider;
-exports.createGithubProvider = createGithubProvider;
-exports.createGitlabProvider = createGitlabProvider;
-exports.createGoogleProvider = createGoogleProvider;
-exports.createMicrosoftProvider = createMicrosoftProvider;
-exports.createOAuth2Provider = createOAuth2Provider;
-exports.createOauth2ProxyProvider = createOauth2ProxyProvider;
-exports.createOidcProvider = createOidcProvider;
-exports.createOktaProvider = createOktaProvider;
-exports.createOneLoginProvider = createOneLoginProvider;
+exports.createAuthProviderIntegration = createAuthProviderIntegration;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
-exports.createSamlProvider = createSamlProvider;
-exports.defaultAuthProviderFactories = factories;
+exports.defaultAuthProviderFactories = defaultAuthProviderFactories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;
 exports.getDefaultOwnershipEntityRefs = getDefaultOwnershipEntityRefs;
-exports.getEntityClaims = getEntityClaims;
-exports.googleEmailSignInResolver = googleEmailSignInResolver;
-exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
-exports.oktaEmailSignInResolver = oktaEmailSignInResolver;
 exports.postMessageResponse = postMessageResponse;
 exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
 exports.providers = providers;
 exports.readState = readState;
-exports.samlNameIdEntityNameSignInResolver = samlNameIdEntityNameSignInResolver;
 exports.verifyNonce = verifyNonce;
 //# sourceMappingURL=index.cjs.js.map