@backstage/plugin-auth-backend 0.20.0-next.1 → 0.20.0

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # @backstage/plugin-auth-backend
 
+## 0.20.0
+
+### Minor Changes
+
+- bdf08ad04a: Adds the StaticTokenIssuer and StaticKeyStore, an alternative token issuer that can be used to sign the Authorization header using a predefined public/private key pair.
+
+### Patch Changes
+
+- 243c655a68: JSDoc and Error message updates to handle `Azure Active Directory` re-brand to `Entra ID`
+- 013611b42e: `knex` has been bumped to major version 3 and `better-sqlite3` to major version 9, which deprecate node 16 support.
+- f2fc5acca6: Added an optional `additionalScopes` configuration parameter to `okta` providers, that lets you add additional scopes on top of the default ones.
+- 96c4f54bf6: Reverted the Microsoft auth provider to the previous implementation.
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.5.0
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.4
+  - @backstage/backend-common@0.19.9
+  - @backstage/backend-plugin-api@0.6.7
+  - @backstage/catalog-client@1.4.6
+  - @backstage/catalog-model@1.4.3
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.4
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.4
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.4
+  - @backstage/plugin-auth-node@0.4.1
+
+## 0.20.0-next.2
+
+### Patch Changes
+
+- [#20570](https://github.com/backstage/backstage/pull/20570) [`013611b42e`](https://github.com/backstage/backstage/commit/013611b42ed457fefa9bb85fddf416cf5e0c1f76) Thanks [@freben](https://github.com/freben)! - `knex` has been bumped to major version 3 and `better-sqlite3` to major version 9, which deprecate node 16 support.
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@0.6.7-next.2
+  - @backstage/backend-common@0.19.9-next.2
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.1-next.2
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.4-next.2
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.4-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.4-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.4-next.2
+  - @backstage/plugin-auth-node@0.4.1-next.2
+  - @backstage/plugin-catalog-node@1.5.0-next.2
+
 ## 0.20.0-next.1
 
 ### Patch Changes

package/config.d.ts

@@ -146,6 +146,7 @@ export interface Config {
           authServerId?: string;
           idp?: string;
           callbackUrl?: string;
+          additionalScopes?: string;
         };
       };
       /** @visibility frontend */

package/dist/index.cjs.js

@@ -1960,6 +1960,7 @@ class OktaAuthProvider {
     __publicField$9(this, "signInResolver");
     __publicField$9(this, "authHandler");
     __publicField$9(this, "resolverContext");
+    __publicField$9(this, "additionalScopes");
     /**
      * Due to passport-okta-oauth forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -1979,6 +1980,7 @@ class OktaAuthProvider {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
+    this.additionalScopes = options.additionalScopes || "";
     this.strategy = new passportOktaOauth.Strategy(
       {
         clientID: options.clientId,
@@ -2007,11 +2009,18 @@ class OktaAuthProvider {
       }
     );
   }
+  combineScopeStrings(scopesA, scopesB) {
+    const scopesAArray = scopesA.split(" ");
+    const scopesBArray = scopesB.split(" ");
+    const combinedScopes = /* @__PURE__ */ new Set([...scopesAArray, ...scopesBArray]);
+    return Array.from(combinedScopes).join(" ");
+  }
   async start(req) {
+    const scope = this.combineScopeStrings(req.scope, this.additionalScopes);
     return await executeRedirectStrategy(req, this.strategy, {
       accessType: "offline",
       prompt: "consent",
-      scope: req.scope,
+      scope,
       state: encodeState(req.state)
     });
   }
@@ -2023,11 +2032,8 @@ class OktaAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
-      this.strategy,
-      req.refreshToken,
-      req.scope
-    );
+    const scope = this.combineScopeStrings(req.scope, this.additionalScopes);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this.strategy, req.refreshToken, scope);
     const fullProfile = await executeFetchUserProfileStrategy(
       this.strategy,
       accessToken
@@ -2075,6 +2081,7 @@ const okta = createAuthProviderIntegration({
       const idp = envConfig.getOptionalString("idp");
       const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
       const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const additionalScopes = envConfig.getOptionalString("additionalScopes");
       if (!audience.startsWith("https://")) {
         throw new Error("URL for 'audience' must start with 'https://'.");
       }
@@ -2090,7 +2097,8 @@ const okta = createAuthProviderIntegration({
         callbackUrl,
         authHandler,
         signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        resolverContext
+        resolverContext,
+        additionalScopes
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
         providerId,