@backstage/plugin-auth-backend 0.16.0-next.2 → 0.16.0

package/CHANGELOG.md

@@ -1,5 +1,49 @@
 # @backstage/plugin-auth-backend
 
+## 0.16.0
+
+### Minor Changes
+
+- 2fc41ebf07: Removed the previously deprecated class `AtlassianAuthProvider`. Please use `providers.atlassian.create(...)` instead.
+- a291688bc5: Renamed the `RedirectInfo` type to `OAuthStartResponse`
+- 8600855fbf: The auth0 integration is updated to use the `passport-auth0` library. The configuration under `auth.providers.auth0.\*` now supports an optional `audience` parameter; providing that allows you to connect to the correct API to get permissions, access tokens, and full profile information.
+
+  [What is an Audience](https://community.auth0.com/t/what-is-the-audience/71414)
+
+### Patch Changes
+
+- 5b011fb2e6: Allow adding misc claims to JWT
+- d669d89206: Minor API signatures cleanup
+- 667d917488: Updated dependency `msw` to `^0.47.0`.
+- 87ec2ba4d6: Updated dependency `msw` to `^0.46.0`.
+- bf5e9030eb: Updated dependency `msw` to `^0.45.0`.
+- e1ebaeb332: Cloudflare Access Provider: Add JWT to CloudflareAccessResult
+- Updated dependencies
+  - @backstage/backend-common@0.15.1
+  - @backstage/plugin-auth-node@0.2.5
+  - @backstage/catalog-client@1.1.0
+  - @backstage/catalog-model@1.1.1
+  - @backstage/config@1.0.2
+  - @backstage/errors@1.1.1
+
+## 0.16.0-next.3
+
+### Minor Changes
+
+- 8600855fbf: The auth0 integration is updated to use the `passport-auth0` library. The configuration under `auth.providers.auth0.\*` now supports an optional `audience` parameter; providing that allows you to connect to the correct API to get permissions, access tokens, and full profile information.
+
+  [What is an Audience](https://community.auth0.com/t/what-is-the-audience/71414)
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/catalog-client@1.1.0-next.2
+  - @backstage/catalog-model@1.1.1-next.0
+  - @backstage/config@1.0.2-next.0
+  - @backstage/errors@1.1.1-next.0
+  - @backstage/backend-common@0.15.1-next.3
+  - @backstage/plugin-auth-node@0.2.5-next.3
+
 ## 0.16.0-next.2
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -11,6 +11,7 @@ var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
 var jwtDecoder = require('jwt-decode');
+var Auth0InternalStrategy = require('passport-auth0');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
@@ -64,6 +65,7 @@ var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
@@ -494,7 +496,7 @@ const executeRedirectStrategy = async (req, providerStrategy, options) => {
     strategy.authenticate(req, { ...options });
   });
 };
-const executeFrameHandlerStrategy = async (req, providerStrategy) => {
+const executeFrameHandlerStrategy = async (req, providerStrategy, options) => {
   return new Promise(
     (resolve, reject) => {
       const strategy = Object.create(providerStrategy);
@@ -523,7 +525,7 @@ const executeFrameHandlerStrategy = async (req, providerStrategy) => {
       strategy.redirect = () => {
         reject(new Error("Unexpected redirect"));
       };
-      strategy.authenticate(req, {});
+      strategy.authenticate(req, { ...options != null ? options : {} });
     }
   );
 };
@@ -701,7 +703,7 @@ const atlassian = createAuthProviderIntegration({
   }
 });
 
-class Auth0Strategy extends OAuth2Strategy__default["default"] {
+class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
   constructor(options, verify) {
     const optionsWithURLs = {
       ...options,
@@ -716,16 +718,26 @@ class Auth0Strategy extends OAuth2Strategy__default["default"] {
 
 class Auth0AuthProvider {
   constructor(options) {
+    this.store = {
+      store(_req, cb) {
+        cb(null, null);
+      },
+      verify(_req, _state, cb) {
+        cb(null, true);
+      }
+    };
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
+    this.audience = options.audience;
     this._strategy = new Auth0Strategy(
       {
         clientID: options.clientId,
         clientSecret: options.clientSecret,
         callbackURL: options.callbackUrl,
         domain: options.domain,
-        passReqToCallback: false
+        passReqToCallback: false,
+        store: this.store
       },
       (accessToken, refreshToken, params, fullProfile, done) => {
         done(
@@ -748,11 +760,14 @@ class Auth0AuthProvider {
       accessType: "offline",
       prompt: "consent",
       scope: req.scope,
-      state: encodeState(req.state)
+      state: encodeState(req.state),
+      ...this.audience ? { audience: this.audience } : {}
     });
   }
   async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy, {
+      ...this.audience ? { audience: this.audience } : {}
+    });
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
@@ -808,6 +823,7 @@ const auth0 = createAuthProviderIntegration({
       const clientSecret = envConfig.getString("clientSecret");
       const domain = envConfig.getString("domain");
       const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const audience = envConfig.getOptionalString("audience");
       const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
       const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
         profile: makeProfileInfo(fullProfile, params.id_token)
@@ -820,7 +836,8 @@ const auth0 = createAuthProviderIntegration({
         domain,
         authHandler,
         signInResolver,
-        resolverContext
+        resolverContext,
+        audience
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
         providerId,
@@ -2707,8 +2724,7 @@ class TokenFactory {
   async issueToken(params) {
     const key = await this.getKey();
     const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
+    const { sub, ent, ...additionalClaims } = params.claims;
     const aud = "backstage";
     const iat = Math.floor(Date.now() / MS_IN_S);
     const exp = iat + this.keyDurationSeconds;
@@ -2723,7 +2739,7 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();