@backstage/plugin-auth-backend 0.19.3 → 0.19.4

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @backstage/plugin-auth-backend
 
+## 0.19.4
+
+### Patch Changes
+
+- bbbacb66f8e4: Reverted the Microsoft auth provider to the previous implementation.
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.3
+
 ## 0.19.3
 
 ### Patch Changes

package/config.d.ts

@@ -179,6 +179,18 @@ export interface Config {
         };
       };
       /** @visibility frontend */
+      microsoft?: {
+        [authEnv: string]: {
+          clientId: string;
+          /**
+           * @visibility secret
+           */
+          clientSecret: string;
+          tenantId: string;
+          callbackUrl?: string;
+        };
+      };
+      /** @visibility frontend */
       onelogin?: {
         [authEnv: string]: {
           clientId: string;

package/dist/index.cjs.js

@@ -22,7 +22,7 @@ var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-back
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
 var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
-var pluginAuthBackendModuleMicrosoftProvider = require('@backstage/plugin-auth-backend-module-microsoft-provider');
+var passportMicrosoft = require('passport-microsoft');
 var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
@@ -75,10 +75,10 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$h = Object.defineProperty;
+var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$h = (obj, key, value) => {
+  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const defaultScopes = ["offline_access", "read:me"];
@@ -95,7 +95,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
       scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
     super(optionsWithURLs, verify);
-    __publicField$g(this, "profileURL");
+    __publicField$h(this, "profileURL");
     this.profileURL = "https://api.atlassian.com/me";
     this.name = "atlassian";
     this._oauth2.useAuthorizationHeaderforGET(true);
@@ -210,10 +210,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$g = Object.defineProperty;
+var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$g = (obj, key, value) => {
+  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -222,8 +222,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$f(this, "baseCookieOptions");
-    __publicField$f(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$g(this, "baseCookieOptions");
+    __publicField$g(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -231,34 +231,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$f(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$g(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$g(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$f(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$g(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$f(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$g(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$g(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "getCookieConfig", (origin) => {
+    __publicField$g(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -564,10 +564,10 @@ function createAuthProviderIntegration(config) {
   });
 }
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const atlassianDefaultAuthHandler = async ({
@@ -578,10 +578,10 @@ const atlassianDefaultAuthHandler = async ({
 });
 class AtlassianAuthProvider {
   constructor(options) {
-    __publicField$e(this, "_strategy");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "resolverContext");
+    __publicField$f(this, "_strategy");
+    __publicField$f(this, "signInResolver");
+    __publicField$f(this, "authHandler");
+    __publicField$f(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -699,21 +699,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
   }
 }
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$d(this, "_strategy");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "resolverContext");
-    __publicField$d(this, "audience");
-    __publicField$d(this, "connection");
-    __publicField$d(this, "connectionScope");
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
+    __publicField$e(this, "audience");
+    __publicField$e(this, "connection");
+    __publicField$e(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -722,7 +722,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$d(this, "store", {
+    __publicField$e(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -863,23 +863,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$c(this, "region");
-    __publicField$c(this, "issuer");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "keyCache");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "getKey", async (header) => {
+    __publicField$d(this, "region");
+    __publicField$d(this, "issuer");
+    __publicField$d(this, "resolverContext");
+    __publicField$d(this, "keyCache");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -1007,18 +1007,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$b(this, "_strategy");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "resolverContext");
+    __publicField$c(this, "_strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1186,10 +1186,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1197,12 +1197,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$a(this, "teamName");
-    __publicField$a(this, "resolverContext");
-    __publicField$a(this, "authHandler");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "jwtKeySet");
-    __publicField$a(this, "cache");
+    __publicField$b(this, "teamName");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "jwtKeySet");
+    __publicField$b(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1496,20 +1496,184 @@ const google = createAuthProviderIntegration({
   })
 });
 
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
+
+var __defProp$a = Object.defineProperty;
+var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$a = (obj, key, value) => {
+  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+class MicrosoftAuthProvider {
+  constructor(options) {
+    __publicField$a(this, "_strategy");
+    __publicField$a(this, "signInResolver");
+    __publicField$a(this, "authHandler");
+    __publicField$a(this, "logger");
+    __publicField$a(this, "resolverContext");
+    __publicField$a(this, "skipUserProfile", (accessToken) => {
+      const { aud, scp } = jose.decodeJwt(accessToken);
+      const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
+      return !hasGraphReadScope;
+    });
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
+    this._strategy = new passportMicrosoft.Strategy(
+      {
+        clientID: options.clientId,
+        clientSecret: options.clientSecret,
+        callbackURL: options.callbackUrl,
+        authorizationURL: options.authorizationUrl,
+        tokenURL: options.tokenUrl,
+        passReqToCallback: false,
+        skipUserProfile: (accessToken, done) => {
+          done(null, this.skipUserProfile(accessToken));
+        }
+      },
+      (accessToken, refreshToken, params, fullProfile, done) => {
+        done(void 0, { fullProfile, accessToken, params }, { refreshToken });
+      }
+    );
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
+      this._strategy,
+      req.refreshToken,
+      req.scope
+    );
+    return {
+      response: await this.handleResult({
+        params,
+        accessToken,
+        ...!this.skipUserProfile(accessToken) && {
+          fullProfile: await executeFetchUserProfileStrategy(
+            this._strategy,
+            accessToken
+          )
+        }
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    let profile = {};
+    if (result.fullProfile) {
+      const photo = await this.getUserPhoto(result.accessToken);
+      result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
+      ({ profile } = await this.authHandler(
+        result,
+        this.resolverContext
+      ));
+    }
+    const expiresInSeconds = result.params.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.params.expires_in, BACKSTAGE_SESSION_EXPIRATION);
+    return {
+      providerInfo: {
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds,
+        ...{ idToken: result.params.id_token }
+      },
+      profile,
+      ...result.fullProfile && this.signInResolver && {
+        backstageIdentity: await this.signInResolver(
+          { result, profile },
+          this.resolverContext
+        )
+      }
+    };
+  }
+  async getUserPhoto(accessToken) {
+    try {
+      const res = await fetch__default["default"](
+        "https://graph.microsoft.com/v1.0/me/photos/48x48/$value",
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`
+          }
+        }
+      );
+      const data = await res.buffer();
+      return `data:image/jpeg;base64,${data.toString("base64")}`;
+    } catch (error) {
+      this.logger.warn(
+        `Could not retrieve user profile photo from Microsoft Graph API: ${error}`
+      );
+      return void 0;
+    }
+  }
+}
 const microsoft = createAuthProviderIntegration({
   create(options) {
-    var _a;
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleMicrosoftProvider.microsoftAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
+    return ({ providerId, globalConfig, config, logger, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const tenantId = envConfig.getString("tenantId");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+      const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile != null ? fullProfile : {}, params.id_token)
+      });
+      const provider = new MicrosoftAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        authorizationUrl,
+        tokenUrl,
+        authHandler,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        logger,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        providerId,
+        callbackUrl
+      });
     });
   },
-  resolvers: adaptOAuthSignInResolverToLegacy({
-    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
-    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
-    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleMicrosoftProvider.microsoftSignInResolvers.emailMatchingUserEntityAnnotation()
-  })
+  resolvers: {
+    /**
+     * Looks up the user by matching their email local part to the entity name.
+     */
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    /**
+     * Looks up the user by matching their email to the entity email.
+     */
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
+    /**
+     * Looks up the user by matching their email to the `microsoft.com/email` annotation.
+     */
+    emailMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Microsoft profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "microsoft.com/email": profile.email
+          }
+        });
+      };
+    }
+  }
 });
 
 const oauth2 = createAuthProviderIntegration({
@@ -1609,8 +1773,6 @@ const oauth2Proxy = createAuthProviderIntegration({
   }
 });
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
-
 var __defProp$8 = Object.defineProperty;
 var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$8 = (obj, key, value) => {