@backstage/plugin-auth-backend 0.18.1-next.2 → 0.18.2-next.0

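--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,37 @@
 # @backstage/plugin-auth-backend
 
+## 0.18.2-next.0
+
+### Patch Changes
+
+- d8f774c30df: Enforce the secret visibility of certificates and client secrets in the auth backend. Also, document all known options for each auth plugin.
+- 7908d72e033: Introduce a new global config parameter, `auth.enableExperimentalRedirectFlow`. When enabled, auth will happen with an in-window redirect flow rather than through a popup window.
+- Updated dependencies
+- @backstage/backend-common@0.18.4-next.0
+- @backstage/config@1.0.7
+- @backstage/catalog-client@1.4.0
+- @backstage/catalog-model@1.2.1
+- @backstage/errors@1.1.5
+- @backstage/types@1.0.2
+- @backstage/plugin-auth-node@0.2.13-next.0
+
+## 0.18.1
+
+### Patch Changes
+
+- e262738b8a0: Handle difference in expiration time between Microsoft session and Backstage session which caused the Backstage token to be invalid during a time frame.
+- 86cece2c1fb: Updated dependency `@types/passport-microsoft` to `^1.0.0`.
+- 52b0022dab7: Updated dependency `msw` to `^1.0.0`.
+- 529de8c4211: Added authentication provider for Azure Easy Authentication.
+- Updated dependencies
+- @backstage/catalog-client@1.4.0
+- @backstage/plugin-auth-node@0.2.12
+- @backstage/backend-common@0.18.3
+- @backstage/errors@1.1.5
+- @backstage/catalog-model@1.2.1
+- @backstage/config@1.0.7
+- @backstage/types@1.0.2
+
 ## 0.18.1-next.2
 
 ### Patch Changes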
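--- a/package/config.d.ts
+++ b/package/config.d.ts
@@ -62,30 +62,72 @@ export interface Config {
 */
 providers?: {
 google?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+callbackUrl?: string;
+};
 };
 github?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+callbackUrl?: string;
+enterpriseInstanceUrl?: string;
+};
 };
 gitlab?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+audience?: string;
+callbackUrl?: string;
+};
 };
 saml?: {
 entryPoint: string;
 logoutUrl?: string;
 issuer: string;
+/**
+* @visibility secret
+*/
 cert: string;
 audience?: string;
+/**
+* @visibility secret
+*/
 privateKey?: string;
 authnContext?: string[];
 identifierFormat?: string;
+/**
+* @visibility secret
+*/
 decryptionPvk?: string;
 signatureAlgorithm?: 'sha256' | 'sha512';
 digestAlgorithm?: string;
 acceptedClockSkewMs?: number;
 };
 okta?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+audience: string;
+authServerId?: string;
+idp?: string;
+callbackUrl?: string;
+};
 };
 oauth2?: {
 [authEnv: string]: {
@@ -101,19 +143,56 @@ export interface Config {
 };
 };
 oidc?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+callbackUrl?: string;
+metadataUrl: string;
+scope?: string;
+prompt?: string;
+};
 };
 auth0?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+domain: string;
+callbackUrl?: string;
+audience?: string;
+connection?: string;
+connectionScope?: string;
+};
 };
 microsoft?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+tenantId: string;
+callbackUrl?: string;
+};
 };
 onelogin?: {
-[authEnv: string]: { [key: string]: string };
+[authEnv: string]: {
+clientId: string;
+/**
+* @visibility secret
+*/
+clientSecret: string;
+issuer: string;
+callbackUrl?: string;
+};
 };
 awsalb?: {
-issuer?: string;
+iss?: string;
 region: string;
 };
 cfaccess?: {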
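Review bot: The `awsalb` block at the end of the second hunk renames the `issuer?` key to `iss?`, which is a schema change rather than the visibility-and-documentation work the `d8f774c30df` changelog entry in this release describes; an app-config that still sets `auth.providers.awsalb.issuer` will now fail schema validation with no hint about the new key name. If the provider already read `iss` at runtime (not visible here), the old key was silently ignored and the field should say so: `/** Expected issuer of the ALB-signed JWT (the iss claim); earlier releases documented this key as issuer. */`. The new per-provider blocks correctly mark every `clientSecret` with `@visibility secret`, but `clientId`, `callbackUrl` and the provider-specific keys (`tenantId`, `metadataUrl`, `domain`, `audience`) get no doc comment, so the "document all known options" goal is only half met; a one-line TSDoc per field would close that. The enclosing `Config` interface starts and ends outside both hunks.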
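--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -353,17 +353,19 @@ class OAuthAdapter {
 });
 }
 async start(req, res) {
-var _a, _b, _c, _d;
+var _a, _b, _c, _d, _e, _f;
 const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
 const env = (_c = req.query.env) == null ? void 0 : _c.toString();
 const origin = (_d = req.query.origin) == null ? void 0 : _d.toString();
+const redirectUrl = (_e = req.query.redirectUrl) == null ? void 0 : _e.toString();
+const flow = (_f = req.query.flow) == null ? void 0 : _f.toString();
 if (!env) {
 throw new errors.InputError("No env provided in request query parameters");
 }
 const cookieConfig = this.getCookieConfig(origin);
 const nonce = crypto__default["default"].randomBytes(16).toString("base64");
 this.setNonceCookie(res, nonce, cookieConfig);
-const state = { nonce, env, origin };
+const state = { nonce, env, origin, redirectUrl, flow };
 if (this.options.persistScopes) {
 state.scope = scope;
 }
@@ -402,10 +404,19 @@ class OAuthAdapter {
 this.setRefreshTokenCookie(res, refreshToken, cookieConfig);
 }
 const identity = await this.populateIdentity(response.backstageIdentity);
-return postMessageResponse(res, appOrigin, {
+const responseObj = {
 type: "authorization_response",
 response: { ...response, backstageIdentity: identity }
-});
+};
+if (state.flow === "redirect") {
+if (!state.redirectUrl) {
+throw new errors.InputError(
+"No redirectUrl provided in request query parameters"
+);
+}
+res.redirect(state.redirectUrl);
+}
+return postMessageResponse(res, appOrigin, responseObj);
 } catch (error) {
 const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
 return postMessageResponse(res, appOrigin, {
@@ -1436,7 +1447,7 @@ const gcpIap = createAuthProviderIntegration({
 });
 
 const ACCESS_TOKEN_PREFIX = "access-token.";
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
+const BACKSTAGE_SESSION_EXPIRATION$1 = 3600;
 class GithubAuthProvider {
 constructor(options) {
 this.signInResolver = options.signInResolver;
@@ -1530,10 +1541,10 @@ class GithubAuthProvider {
 if (expiresInSeconds) {
 expiresInSeconds = Math.min(
 expiresInSeconds,
-BACKSTAGE_SESSION_EXPIRATION
+BACKSTAGE_SESSION_EXPIRATION$1
 );
 } else {
-expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION$1;
 }
 }
 return {
@@ -1858,6 +1869,7 @@ const google = createAuthProviderIntegration({
 }
 });
 
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class MicrosoftAuthProvider {
 constructor(options) {
 this.signInResolver = options.signInResolver;
@@ -1914,12 +1926,13 @@ class MicrosoftAuthProvider {
 const photo = await this.getUserPhoto(result.accessToken);
 result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
 const { profile } = await this.authHandler(result, this.resolverContext);
+const expiresInSeconds = result.params.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.params.expires_in, BACKSTAGE_SESSION_EXPIRATION);
 const response = {
 providerInfo: {
 idToken: result.params.id_token,
 accessToken: result.accessToken,
 scope: result.params.scope,
-expiresInSeconds: result.params.expires_in
+expiresInSeconds
 },
 profile
 };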
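Review bot: In the second hunk of this file (the `OAuthAdapter` callback handler, new lines 411-419) `res.redirect(state.redirectUrl)` is not followed by a `return`, so the redirect branch falls through to `postMessageResponse(res, appOrigin, responseObj)` and attempts a second write to a response whose headers are already sent. The `redirectUrl` is read verbatim from the `/start` query string in the first hunk (new line 360), carried through `state`, and used as the redirect target with no check that it belongs to the application, so the completed login will follow whatever absolute URL the start request named; the target should be constrained to the origin the handler already resolves as `appOrigin` (how `appOrigin` is derived is outside the hunk, so the exact allow-list may need to be the configured app origins instead). Both the redirect branch and its `InputError` sit inside the surrounding `try`, whose `catch` replies with a `postMessageResponse` that a redirect-flow client is not listening for; that deserves a comment such as `// redirect-flow failures are still reported via postMessage; the client must handle both`. The handler function starts and ends outside the hunk.
```javascript
// … unchanged: token handling, identity population, responseObj construction …
if (state.flow === "redirect") {
  if (!state.redirectUrl) {
    throw new errors.InputError(
      "No redirectUrl provided in request query parameters"
    );
  }
  // Only send the browser back to the origin this flow was started for,
  // so a state-carried URL cannot redirect the completed login elsewhere.
  let target;
  try {
    target = new URL(state.redirectUrl);
  } catch (e) {
    throw new errors.InputError("redirectUrl is not a valid URL");
  }
  if (target.origin !== appOrigin) {
    throw new errors.InputError("redirectUrl does not match the app origin");
  }
  res.redirect(target.href);
  return;
}
return postMessageResponse(res, appOrigin, responseObj);
```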