npm - @backstage/plugin-auth-backend - Versions diffs - 0.18.2-next.2 → 0.18.2-next.3 - Mend

@backstage/plugin-auth-backend 0.18.2-next.2 → 0.18.2-next.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,33 @@
 # @backstage/plugin-auth-backend
+## 0.18.2-next.3
+### Patch Changes
+- 475abd1dc3f: The `microsoft` (i.e. Azure) auth provider now supports negotiating tokens for
+  Azure resources besides Microsoft Graph (e.g. AKS, Virtual Machines, Machine
+  Learning Services, etc.). When the `/frame/handler` endpoint is called with an
+  authorization code for a non-Microsoft Graph scope, the user profile will not be
+  fetched. Similarly no user profile or photo data will be fetched by the backend
+  if the `/refresh` endpoint is called with the `scope` query parameter strictly
+  containing scopes for resources besides Microsoft Graph.
+  Furthermore, the `offline_access` scope will be requested by default, even when
+  it is not mentioned in the argument to `getAccessToken`. This means that any
+  Azure access token can be automatically refreshed, even if the user has not
+  signed in via Azure.
+- 6a900951336: Add common identify resolvers for `oidc` auth provider.
+- a0ef1ec7349: Export Azure Easy Auth provider so it can actually be used.
+- Updated dependencies
+  - @backstage/catalog-model@1.3.0-next.0
+  - @backstage/backend-common@0.18.4-next.2
+  - @backstage/catalog-client@1.4.1-next.1
+  - @backstage/config@1.0.7
+  - @backstage/errors@1.1.5
+  - @backstage/types@1.0.2
+  - @backstage/plugin-auth-node@0.2.13-next.2
 ## 0.18.2-next.2
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -1872,6 +1872,11 @@ const google = createAuthProviderIntegration({
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class MicrosoftAuthProvider {
   constructor(options) {
+    this.skipUserProfile = (accessToken) => {
+      const { aud, scp } = jose.decodeJwt(accessToken);
+      const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
+      return !hasGraphReadScope;
+    };
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.logger = options.logger;
@@ -1883,7 +1888,10 @@ class MicrosoftAuthProvider {
         callbackURL: options.callbackUrl,
         authorizationURL: options.authorizationUrl,
         tokenURL: options.tokenUrl,
-        passReqToCallback: false
+        passReqToCallback: false,
+        skipUserProfile: (accessToken, done) => {
+          done(null, this.skipUserProfile(accessToken));
+        }
       },
       (accessToken, refreshToken, params, fullProfile, done) => {
         done(void 0, { fullProfile, accessToken, params }, { refreshToken });
@@ -1909,43 +1917,46 @@ class MicrosoftAuthProvider {
       req.refreshToken,
       req.scope
     );
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this._strategy,
-      accessToken
-    );
     return {
       response: await this.handleResult({
-        fullProfile,
         params,
-        accessToken
+        accessToken,
+        ...!this.skipUserProfile(accessToken) && {
+          fullProfile: await executeFetchUserProfileStrategy(
+            this._strategy,
+            accessToken
+          )
+        }
       }),
       refreshToken
     };
   }
   async handleResult(result) {
-    const photo = await this.getUserPhoto(result.accessToken);
-    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
-    const { profile } = await this.authHandler(result, this.resolverContext);
+    let profile = {};
+    if (result.fullProfile) {
+      const photo = await this.getUserPhoto(result.accessToken);
+      result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
+      ({ profile } = await this.authHandler(
+        result,
+        this.resolverContext
+      ));
+    }
     const expiresInSeconds = result.params.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.params.expires_in, BACKSTAGE_SESSION_EXPIRATION);
-    const response = {
+    return {
       providerInfo: {
-        idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds
+        expiresInSeconds,
+        ...{ idToken: result.params.id_token }
       },
-      profile
+      profile,
+      ...result.fullProfile && this.signInResolver && {
+        backstageIdentity: await this.signInResolver(
+          { result, profile },
+          this.resolverContext
+        )
+      }
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
   }
   async getUserPhoto(accessToken) {
     try {
@@ -1979,7 +1990,7 @@ const microsoft = createAuthProviderIntegration({
       const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
       const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
       const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
+        profile: makeProfileInfo(fullProfile != null ? fullProfile : {}, params.id_token)
       });
       const provider = new MicrosoftAuthProvider({
         clientId,
@@ -2382,6 +2393,16 @@ const oidc = createAuthProviderIntegration({
         callbackUrl
       });
     });
+  },
+  resolvers: {
+    /**
+     * Looks up the user by matching their email local part to the entity name.
+     */
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    /**
+     * Looks up the user by matching their email to the entity email.
+     */
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver
   }
 });
@@ -2934,6 +2955,104 @@ const bitbucketServer = createAuthProviderIntegration({
   }
 });
+const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
+const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
+class EasyAuthAuthProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.resolverContext = options.resolverContext;
+  }
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    const result = await this.getResult(req);
+    const response = await this.handleResult(result);
+    res.json(response);
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async getResult(req) {
+    const idToken = req.header(ID_TOKEN_HEADER);
+    const accessToken = req.header(ACCESS_TOKEN_HEADER);
+    if (idToken === void 0) {
+      throw new errors.AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);
+    }
+    return {
+      fullProfile: this.idTokenToProfile(idToken),
+      accessToken
+    };
+  }
+  idTokenToProfile(idToken) {
+    const claims = jose.decodeJwt(idToken);
+    if (claims.ver !== "2.0") {
+      throw new Error("id_token is not version 2.0 ");
+    }
+    return {
+      id: claims.oid,
+      displayName: claims.name,
+      provider: "easyauth",
+      emails: [{ value: claims.email }],
+      username: claims.preferred_username
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver(
+      {
+        result,
+        profile
+      },
+      this.resolverContext
+    );
+    return {
+      providerInfo: {
+        accessToken: result.accessToken
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      profile
+    };
+  }
+}
+const easyAuth = createAuthProviderIntegration({
+  create(options) {
+    return ({ resolverContext }) => {
+      var _a;
+      validateAppServiceConfiguration(process.env);
+      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+        throw new Error(
+          "SignInResolver is required to use this authentication provider"
+        );
+      }
+      const authHandler = (_a = options.authHandler) != null ? _a : async ({ fullProfile }) => ({
+        profile: makeProfileInfo(fullProfile)
+      });
+      return new EasyAuthAuthProvider({
+        signInResolver: options.signIn.resolver,
+        authHandler,
+        resolverContext
+      });
+    };
+  }
+});
+function validateAppServiceConfiguration(env) {
+  var _a, _b, _c;
+  if (env.WEBSITE_SKU === void 0) {
+    throw new Error("Backstage is not running on Azure App Services");
+  }
+  if (((_a = env.WEBSITE_AUTH_ENABLED) == null ? void 0 : _a.toLowerCase()) !== "true") {
+    throw new Error("Azure App Services does not have authentication enabled");
+  }
+  if (((_b = env.WEBSITE_AUTH_DEFAULT_PROVIDER) == null ? void 0 : _b.toLowerCase()) !== "azureactivedirectory") {
+    throw new Error("Authentication provider is not Azure Active Directory");
+  }
+  if (((_c = process.env.WEBSITE_AUTH_TOKEN_STORE) == null ? void 0 : _c.toLowerCase()) !== "true") {
+    throw new Error("Token Store is not enabled");
+  }
+}
 const providers = Object.freeze({
   atlassian,
   auth0,
@@ -2951,7 +3070,8 @@ const providers = Object.freeze({
   oidc,
   okta,
   onelogin,
-  saml
+  saml,
+  easyAuth
 });
 const defaultAuthProviderFactories = {
   google: google.create(),
@@ -2961,6 +3081,7 @@ const defaultAuthProviderFactories = {
   okta: okta.create(),
   auth0: auth0.create(),
   microsoft: microsoft.create(),
+  easyAuth: easyAuth.create(),
   oauth2: oauth2.create(),
   oidc: oidc.create(),
   onelogin: onelogin.create(),