@backstage/plugin-auth-backend 0.15.0-next.1 → 0.15.0

package/CHANGELOG.md

@@ -1,5 +1,64 @@
 # @backstage/plugin-auth-backend
 
+## 0.15.0
+
+### Minor Changes
+
+- 9d4040777e: **BREAKING**: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.
+
+  **BREAKING**: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.
+
+  **BREAKING**: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.
+
+  **DEPRECATION**: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
+
+- fe8e025af5: Allowed post method on /refresh path
+
+### Patch Changes
+
+- 3cedfd8365: add Cloudflare Access auth provider to auth-backend
+- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
+- 8e03db907a: Auth provider now also export createAuthProviderIntegration
+- a70869e775: Updated dependency `msw` to `^0.43.0`.
+- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
+- 8006d0f9bf: Updated dependency `msw` to `^0.44.0`.
+- 679b32172e: Updated dependency `knex` to `^2.0.0`.
+- 859346bfbb: Updated dependency `google-auth-library` to `^8.0.0`.
+- 3a014730dc: Add new config option for okta auth server and IDP
+- Updated dependencies
+  - @backstage/backend-common@0.14.1
+  - @backstage/catalog-model@1.1.0
+  - @backstage/catalog-client@1.0.4
+  - @backstage/plugin-auth-node@0.2.3
+  - @backstage/errors@1.1.0
+
+## 0.15.0-next.3
+
+### Minor Changes
+
+- fe8e025af5: Allowed post method on /refresh path
+
+### Patch Changes
+
+- a70869e775: Updated dependency `msw` to `^0.43.0`.
+- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
+- 3a014730dc: Add new config option for okta auth server and IDP
+- Updated dependencies
+  - @backstage/backend-common@0.14.1-next.3
+  - @backstage/catalog-client@1.0.4-next.2
+  - @backstage/plugin-auth-node@0.2.3-next.2
+  - @backstage/catalog-model@1.1.0-next.3
+
+## 0.15.0-next.2
+
+### Patch Changes
+
+- 8e03db907a: Auth provider now also export createAuthProviderIntegration
+- 679b32172e: Updated dependency `knex` to `^2.0.0`.
+- Updated dependencies
+  - @backstage/catalog-model@1.1.0-next.2
+  - @backstage/backend-common@0.14.1-next.2
+
 ## 0.15.0-next.1
 
 ### Minor Changes

package/config.d.ts

@@ -116,6 +116,9 @@ export interface Config {
         issuer?: string;
         region: string;
       };
+      cfaccess?: {
+        teamName: string;
+      };
     };
   };
 }

package/dist/index.cjs.js

@@ -22,7 +22,7 @@ var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
-var passportOktaOauth = require('passport-okta-oauth');
+var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
 var catalogClient = require('@backstage/catalog-client');
@@ -995,6 +995,143 @@ const bitbucket = createAuthProviderIntegration({
   }
 });
 
+const commonByEmailLocalPartResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  const [localPart] = profile.email.split("@");
+  return ctx.signInWithCatalogUser({
+    entityRef: { name: localPart }
+  });
+};
+const commonByEmailResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  return ctx.signInWithCatalogUser({
+    filter: {
+      "spec.profile.email": profile.email
+    }
+  });
+};
+
+const CF_JWT_HEADER = "cf-access-jwt-assertion";
+const COOKIE_AUTH_NAME = "CF_Authorization";
+const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
+class CloudflareAccessAuthProvider {
+  constructor(options) {
+    this.teamName = options.teamName;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.resolverContext = options.resolverContext;
+    this.jwtKeySet = jose.createRemoteJWKSet(new URL(`https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/certs`));
+    this.cache = options.cache;
+  }
+  frameHandler() {
+    return Promise.resolve();
+  }
+  async refresh(req, res) {
+    const result = await this.getResult(req);
+    const response = await this.handleResult(result);
+    res.json(response);
+  }
+  start() {
+    return Promise.resolve();
+  }
+  async getIdentityProfile(jwt) {
+    const headers = new fetch.Headers();
+    headers.set(CF_JWT_HEADER, jwt);
+    headers.set("cookie", `${COOKIE_AUTH_NAME}=${jwt}`);
+    try {
+      const res = await fetch__default["default"](`https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/get-identity`, { headers });
+      if (!res.ok) {
+        throw errors.ResponseError.fromResponse(res);
+      }
+      const cfIdentity = await res.json();
+      return cfIdentity;
+    } catch (err) {
+      throw new errors.ForwardedError("getIdentityProfile failed", err);
+    }
+  }
+  async getResult(req) {
+    var _a, _b;
+    let jwt = req.header(CF_JWT_HEADER);
+    if (!jwt) {
+      jwt = req.cookies.CF_Authorization;
+    }
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing ${CF_JWT_HEADER} from Cloudflare Access`);
+    }
+    const verifyResult = await jose.jwtVerify(jwt, this.jwtKeySet, {
+      issuer: `https://${this.teamName}.cloudflareaccess.com`
+    });
+    const sub = verifyResult.payload.sub;
+    const cfAccessResultStr = await ((_a = this.cache) == null ? void 0 : _a.get(`${CACHE_PREFIX}/${sub}`));
+    if (typeof cfAccessResultStr === "string") {
+      return JSON.parse(cfAccessResultStr);
+    }
+    const claims = verifyResult.payload;
+    try {
+      const cfIdentity = await this.getIdentityProfile(jwt);
+      const cfAccessResult = {
+        claims,
+        cfIdentity,
+        expiresInSeconds: claims.exp - claims.iat
+      };
+      (_b = this.cache) == null ? void 0 : _b.set(`${CACHE_PREFIX}/${sub}`, JSON.stringify(cfAccessResult));
+      return cfAccessResult;
+    } catch (err) {
+      throw new errors.ForwardedError("Failed to populate access identity information", err);
+    }
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, this.resolverContext);
+    return {
+      providerInfo: {
+        expiresInSeconds: result.expiresInSeconds,
+        claims: result.claims,
+        cfAccessIdentityProfile: result.cfIdentity
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      profile
+    };
+  }
+}
+const cfAccess = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      const teamName = config.getString("teamName");
+      if (!options.signIn.resolver) {
+        throw new Error("SignInResolver is required to use this authentication provider");
+      }
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ claims, cfIdentity }) => {
+        return {
+          profile: {
+            email: claims.email,
+            displayName: cfIdentity.name
+          }
+        };
+      };
+      return new CloudflareAccessAuthProvider({
+        teamName,
+        signInResolver: options == null ? void 0 : options.signIn.resolver,
+        authHandler,
+        resolverContext,
+        ...options.cache && { cache: options.cache }
+      });
+    };
+  },
+  resolvers: {
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver
+  }
+});
+
 const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 
 function createTokenValidator(audience, mockClient) {
@@ -1314,28 +1451,6 @@ const gitlab = createAuthProviderIntegration({
   }
 });
 
-const commonByEmailLocalPartResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  const [localPart] = profile.email.split("@");
-  return ctx.signInWithCatalogUser({
-    entityRef: { name: localPart }
-  });
-};
-const commonByEmailResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  return ctx.signInWithCatalogUser({
-    filter: {
-      "spec.profile.email": profile.email
-    }
-  });
-};
-
 class GoogleAuthProvider {
   constructor(options) {
     this.authHandler = options.authHandler;
@@ -1911,6 +2026,8 @@ class OktaAuthProvider {
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
       audience: options.audience,
+      authServerID: options.authServerId,
+      idp: options.idp,
       passReqToCallback: false,
       store: this.store,
       response_type: "code"
@@ -1979,6 +2096,8 @@ const okta = createAuthProviderIntegration({
       const clientId = envConfig.getString("clientId");
       const clientSecret = envConfig.getString("clientSecret");
       const audience = envConfig.getString("audience");
+      const authServerId = envConfig.getOptionalString("authServerId");
+      const idp = envConfig.getOptionalString("idp");
       const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
       const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
       if (!audience.startsWith("https://")) {
@@ -1989,6 +2108,8 @@ const okta = createAuthProviderIntegration({
       });
       const provider = new OktaAuthProvider({
         audience,
+        authServerId,
+        idp,
         clientId,
         clientSecret,
         callbackUrl,
@@ -2215,6 +2336,7 @@ const providers = Object.freeze({
   auth0,
   awsAlb,
   bitbucket,
+  cfAccess,
   gcpIap,
   github,
   gitlab,
@@ -2724,6 +2846,7 @@ async function createRouter(options) {
         }
         if (provider.refresh) {
           r.get("/refresh", provider.refresh.bind(provider));
+          r.post("/refresh", provider.refresh.bind(provider));
         }
         router.use(`/${providerId}`, r);
       } catch (e) {
@@ -2770,6 +2893,7 @@ exports.AtlassianAuthProvider = AtlassianAuthProvider;
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+exports.createAuthProviderIntegration = createAuthProviderIntegration;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
 exports.defaultAuthProviderFactories = defaultAuthProviderFactories;