@backstage/plugin-auth-backend 0.20.4-next.1 → 0.21.0-next.3

package/CHANGELOG.md

@@ -1,5 +1,73 @@
 # @backstage/plugin-auth-backend
 
+## 0.21.0-next.3
+
+### Patch Changes
+
+- 8321c97: Added `experimentalExtraAllowedOrigins` to config
+- Updated dependencies
+  - @backstage/backend-common@0.21.0-next.3
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.0-next.3
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.2-next.3
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.2-next.3
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.5-next.3
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.7-next.3
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.7-next.3
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.7-next.3
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.3-next.3
+  - @backstage/plugin-catalog-node@1.6.2-next.3
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.0-next.2
+  - @backstage/plugin-auth-node@0.4.4-next.3
+  - @backstage/backend-plugin-api@0.6.10-next.3
+  - @backstage/catalog-client@1.6.0-next.1
+  - @backstage/catalog-model@1.4.4-next.0
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.4-next.3
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.7-next.3
+
+## 0.21.0-next.2
+
+### Minor Changes
+
+- 7dd8463: **BREAKING**: The `saml` provider has been migrated from `passport-saml` to `@node-saml/passport-saml`.
+
+  This comes with breaking changes to config options:
+
+  - `audience` is now mandatory
+  - `wantAuthnResponseSigned` is now exposed and defaults to `true`
+  - `wantAssertionsSigned` is now exposed and defaults to `true`
+
+### Patch Changes
+
+- 97f8724: Support additional algorithms in the `/.well-known/openid-configuration` endpoint.
+- a9e0107: The auth backend will now refuse to issue user tokens are excessively large.
+- d4cc552: The helper function `makeProfileInfo` and `PassportHelpers.transformProfile`
+  were refactored to use the `jose` library.
+- 8e8a25d: Ability for user to configure backstage token expiration
+- Updated dependencies
+  - @backstage/backend-common@0.21.0-next.2
+  - @backstage/backend-plugin-api@0.6.10-next.2
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.0-next.1
+  - @backstage/plugin-auth-node@0.4.4-next.2
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.2-next.2
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.5-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.0-next.2
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.3-next.2
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.4-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.2-next.2
+  - @backstage/plugin-catalog-node@1.6.2-next.2
+  - @backstage/config@1.1.1
+  - @backstage/catalog-client@1.6.0-next.1
+  - @backstage/catalog-model@1.4.4-next.0
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+
 ## 0.20.4-next.1
 
 ### Patch Changes

package/README.md

@@ -165,3 +165,14 @@ To try out SAML, you can use the mock identity provider:
 ## Links
 
 - [The Backstage homepage](https://backstage.io)
+
+## Configuring Token Expiration in App Config
+
+If you need to change Backstage token expiration from the default value of one hour you can do so through configuration. Note that this is **not** the session duration, but rather the duration that the short-term cryptographic tokens are valid for. The expiration can not be set lower than 10 minutes or above 24 hours.
+
+This is what the configuration looks like:
+
+```
+auth:
+   backstageTokenExpiration: { minutes: <user_defined_value> }
+```

package/config.d.ts

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+import { HumanDuration } from '@backstage/types';
+
 export interface Config {
   /** Configuration options for the auth plugin */
   auth?: {
@@ -184,6 +186,14 @@ export interface Config {
       cfaccess?: {
         teamName: string;
       };
+      /**
+       * The backstage token expiration.
+       */
+      backstageTokenExpiration?: HumanDuration;
     };
+    /**
+     * Additional app origins to allow for authenticating
+     */
+    experimentalExtraAllowedOrigins?: string[];
   };
 }

package/dist/index.cjs.js

@@ -13,11 +13,10 @@ var Auth0InternalStrategy = require('passport-auth0');
 var crypto = require('crypto');
 var url = require('url');
 var errors = require('@backstage/errors');
-var jwtDecoder = require('jwt-decode');
+var jose = require('jose');
 var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var fetch = require('node-fetch');
-var jose = require('jose');
 var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
@@ -28,7 +27,7 @@ var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth
 var pluginAuthBackendModuleOidcProvider = require('@backstage/plugin-auth-backend-module-oidc-provider');
 var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
 var passportOneloginOauth = require('passport-onelogin-oauth');
-var passportSaml = require('passport-saml');
+var passportSaml = require('@node-saml/passport-saml');
 var passportOauth2 = require('passport-oauth2');
 var catalogClient = require('@backstage/catalog-client');
 var catalogModel = require('@backstage/catalog-model');
@@ -43,6 +42,7 @@ var passport = require('passport');
 var minimatch = require('minimatch');
 var backendCommon = require('@backstage/backend-common');
 var config = require('@backstage/config');
+var types = require('@backstage/types');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
@@ -51,7 +51,6 @@ var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
@@ -450,7 +449,7 @@ const makeProfileInfo = (profile, idToken) => {
   let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
   if ((!email || !picture || !displayName) && idToken) {
     try {
-      const decoded = jwtDecoder__default["default"](idToken);
+      const decoded = jose.decodeJwt(idToken);
       if (!email && decoded.email) {
         email = decoded.email;
       }
@@ -1412,9 +1411,10 @@ class SamlAuthProvider {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
-    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
-      done(void 0, { fullProfile });
-    });
+    const verifier = (profile, done) => {
+      done(null, { fullProfile: profile });
+    };
+    this.strategy = new passportSaml.Strategy(options, verifier, verifier);
   }
   async start(req, res) {
     const { url } = await executeRedirectStrategy(req, this.strategy, {});
@@ -1471,7 +1471,7 @@ const saml = createAuthProviderIntegration({
         callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
         entryPoint: config.getString("entryPoint"),
         logoutUrl: config.getOptionalString("logoutUrl"),
-        audience: config.getOptionalString("audience"),
+        audience: config.getString("audience"),
         issuer: config.getString("issuer"),
         cert: config.getString("cert"),
         privateKey: config.getOptionalString("privateKey"),
@@ -1481,6 +1481,10 @@ const saml = createAuthProviderIntegration({
         signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
         digestAlgorithm: config.getOptionalString("digestAlgorithm"),
         acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+        wantAuthnResponseSigned: config.getOptionalBoolean(
+          "wantAuthnResponseSigned"
+        ),
+        wantAssertionsSigned: config.getOptionalBoolean("wantAssertionsSigned"),
         appUrl: globalConfig.appUrl,
         authHandler,
         signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
@@ -1838,7 +1842,18 @@ function createOidcRouter(options) {
     jwks_uri: `${baseUrl}/.well-known/jwks.json`,
     response_types_supported: ["id_token"],
     subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
+    id_token_signing_alg_values_supported: [
+      "RS256",
+      "RS384",
+      "RS512",
+      "ES256",
+      "ES384",
+      "ES512",
+      "PS256",
+      "PS384",
+      "PS512",
+      "EdDSA"
+    ],
     scopes_supported: ["openid"],
     token_endpoint_auth_methods_supported: [],
     claims_supported: ["sub"],
@@ -1867,6 +1882,7 @@ var __publicField$4 = (obj, key, value) => {
   return value;
 };
 const MS_IN_S$1 = 1e3;
+const MAX_TOKEN_LENGTH = 32768;
 class TokenFactory {
   constructor(options) {
     __publicField$4(this, "issuer");
@@ -1901,7 +1917,16 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    const claims = { ...additionalClaims, iss, sub, ent, aud, iat, exp };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    if (token.length > MAX_TOKEN_LENGTH) {
+      throw new Error(
+        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
+          claims
+        )}'`
+      );
+    }
+    return token;
   }
   // This will be called by other services that want to verify ID tokens.
   // It is important that it returns a list of all public keys that could
@@ -2478,7 +2503,25 @@ _database = new WeakMap();
 _promise = new WeakMap();
 let AuthDatabase = _AuthDatabase;
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
+const TOKEN_EXP_DEFAULT_S = 3600;
+const TOKEN_EXP_MIN_S = 600;
+const TOKEN_EXP_MAX_S = 86400;
+function readBackstageTokenExpiration(config$1) {
+  const processingIntervalKey = "auth.backstageTokenExpiration";
+  if (!config$1.has(processingIntervalKey)) {
+    return TOKEN_EXP_DEFAULT_S;
+  }
+  const duration = config.readDurationFromConfig(config$1, {
+    key: processingIntervalKey
+  });
+  const durationS = Math.round(types.durationToMilliseconds(duration) / 1e3);
+  if (durationS < TOKEN_EXP_MIN_S) {
+    return TOKEN_EXP_MIN_S;
+  } else if (durationS > TOKEN_EXP_MAX_S) {
+    return TOKEN_EXP_MAX_S;
+  }
+  return durationS;
+}
 
 var __defProp = Object.defineProperty;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
@@ -2545,8 +2588,8 @@ async function createRouter(options) {
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
+  const backstageTokenExpiration = readBackstageTokenExpiration(config);
   const authDb = AuthDatabase.create(database);
-  const sessionExpirationSeconds = BACKSTAGE_SESSION_EXPIRATION;
   const keyStore = await KeyStores.fromConfig(config, {
     logger,
     database: authDb
@@ -2557,7 +2600,7 @@ async function createRouter(options) {
       {
         logger: logger.child({ component: "token-factory" }),
         issuer: authUrl,
-        sessionExpirationSeconds
+        sessionExpirationSeconds: backstageTokenExpiration
       },
       keyStore
     );
@@ -2565,7 +2608,7 @@ async function createRouter(options) {
     tokenIssuer = new TokenFactory({
       issuer: authUrl,
       keyStore,
-      keyDurationSeconds: sessionExpirationSeconds,
+      keyDurationSeconds: backstageTokenExpiration,
       logger: logger.child({ component: "token-factory" }),
       algorithm: tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")
     });