npm - @backstage/plugin-auth-backend - Versions diffs - 0.22.3 → 0.22.4-next.1 - Mend

@backstage/plugin-auth-backend 0.22.3 → 0.22.4-next.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,59 @@
 # @backstage/plugin-auth-backend
+## 0.22.4-next.1
+### Patch Changes
+- d62bc51: Added token type header parameter and user identity proof to issued user tokens.
+- bf4d71a: Initial implementation of the `/v1/userinfo` endpoint, which is now able to parse and return the `sub` and `ent` claims from a Backstage user token.
+- Updated dependencies
+  - @backstage/backend-common@0.21.7-next.1
+  - @backstage/backend-plugin-api@0.6.17-next.1
+  - @backstage/plugin-auth-node@0.4.12-next.1
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.9-next.1
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.8-next.1
+  - @backstage/catalog-client@1.6.4-next.0
+  - @backstage/catalog-model@1.4.5
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.9-next.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.12-next.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.14-next.1
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.14-next.1
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.14-next.1
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.12-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.14-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.10-next.1
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.10-next.1
+  - @backstage/plugin-catalog-node@1.11.1-next.1
+## 0.22.4-next.0
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.21.7-next.0
+  - @backstage/backend-plugin-api@0.6.17-next.0
+  - @backstage/catalog-client@1.6.3
+  - @backstage/catalog-model@1.4.5
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.9-next.0
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.9-next.0
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.12-next.0
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.14-next.0
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.14-next.0
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.14-next.0
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.12-next.0
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.14-next.0
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.10-next.0
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.8-next.0
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.10-next.0
+  - @backstage/plugin-auth-node@0.4.12-next.0
+  - @backstage/plugin-catalog-node@1.11.1-next.0
 ## 0.22.3
 ### Patch Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -2156,7 +2156,7 @@ function createOriginFilter(config) {
 }
 function bindOidcRouter(targetRouter, options) {
-  const { baseUrl, tokenIssuer } = options;
+  const { baseUrl, auth, tokenIssuer } = options;
   const router = Router__default.default();
   targetRouter.use(router);
   const config = {
@@ -2180,7 +2180,7 @@ function bindOidcRouter(targetRouter, options) {
     ],
     scopes_supported: ["openid"],
     token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
+    claims_supported: ["sub", "ent"],
     grant_types_supported: []
   };
   router.get("/.well-known/openid-configuration", (_req, res) => {
@@ -2193,8 +2193,31 @@ function bindOidcRouter(targetRouter, options) {
   router.get("/v1/token", (_req, res) => {
     res.status(501).send("Not Implemented");
   });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
+  router.get("/v1/userinfo", async (req, res) => {
+    var _a;
+    const matches = (_a = req.headers.authorization) == null ? void 0 : _a.match(/^Bearer[ ]+(\S+)$/i);
+    const token = matches == null ? void 0 : matches[1];
+    if (!token) {
+      throw new errors.AuthenticationError("No token provided");
+    }
+    const credentials = await auth.authenticate(token, {
+      allowLimitedAccess: true
+    });
+    if (!auth.isPrincipal(credentials, "user")) {
+      throw new errors.InputError(
+        "Userinfo endpoint must be called with a token that represents a user principal"
+      );
+    }
+    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = jose.decodeJwt(token);
+    if (typeof userEntityRef !== "string") {
+      throw new Error("Invalid user token, user entity ref must be a string");
+    }
+    if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
+      throw new Error(
+        "Invalid user token, ownership entity refs must be an array of strings"
+      );
+    }
+    res.json({ sub: userEntityRef, ent: ownershipEntityRefs });
   });
 }
@@ -2225,8 +2248,8 @@ class TokenFactory {
   async issueToken(params) {
     const key = await this.getKey();
     const iss = this.issuer;
-    const { sub, ent, ...additionalClaims } = params.claims;
-    const aud = "backstage";
+    const { sub, ent = [sub], ...additionalClaims } = params.claims;
+    const aud = pluginAuthNode.tokenTypes.user.audClaim;
     const iat = Math.floor(Date.now() / MS_IN_S$1);
     const exp = iat + this.keyDurationSeconds;
     try {
@@ -2236,12 +2259,35 @@ class TokenFactory {
         '"sub" claim provided by the auth resolver is not a valid EntityRef.'
       );
     }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    const claims = { ...additionalClaims, iss, sub, ent, aud, iat, exp };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+    const signingKey = await jose.importJWK(key);
+    const uip = await this.createUserIdentityClaim({
+      header: {
+        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+        alg: key.alg,
+        kid: key.kid
+      },
+      payload: { sub, ent, iat, exp },
+      key: signingKey
+    });
+    const claims = {
+      ...additionalClaims,
+      iss,
+      sub,
+      ent,
+      aud,
+      iat,
+      exp,
+      uip
+    };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({
+      typ: pluginAuthNode.tokenTypes.user.typParam,
+      alg: key.alg,
+      kid: key.kid
+    }).sign(signingKey);
     if (token.length > MAX_TOKEN_LENGTH) {
       throw new Error(
         `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
@@ -2308,6 +2354,26 @@ class TokenFactory {
     }
     return promise;
   }
+  // Creates a string claim that can be used as part of reconstructing a limited
+  // user token. The output of this function is only the signature part of a
+  // JWS.
+  async createUserIdentityClaim(options) {
+    const header = {
+      typ: options.header.typ,
+      alg: options.header.alg,
+      ...options.header.kid ? { kid: options.header.kid } : {}
+    };
+    const payload = {
+      sub: options.payload.sub,
+      ent: options.payload.ent,
+      iat: options.payload.iat,
+      exp: options.payload.exp
+    };
+    const jws = await new jose.GeneralSign(
+      new TextEncoder().encode(JSON.stringify(payload))
+    ).addSignature(options.key).setProtectedHeader(header).done().sign();
+    return jws.signatures[0].signature;
+  }
 }
 const TABLE = "signing_keys";
@@ -2807,6 +2873,7 @@ async function createRouter(options) {
     httpAuth
   });
   bindOidcRouter(router, {
+    auth,
     tokenIssuer,
     baseUrl: authUrl
   });
@@ -2839,6 +2906,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database: backendPluginApi.coreServices.database,
         discovery: backendPluginApi.coreServices.discovery,
         tokenManager: backendPluginApi.coreServices.tokenManager,
+        auth: backendPluginApi.coreServices.auth,
+        httpAuth: backendPluginApi.coreServices.httpAuth,
         catalogApi: alpha.catalogServiceRef
       },
       async init({
@@ -2848,6 +2917,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database,
         discovery,
         tokenManager,
+        auth,
+        httpAuth,
         catalogApi
       }) {
         const router = await createRouter({
@@ -2856,6 +2927,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           database,
           discovery,
           tokenManager,
+          auth,
+          httpAuth,
           catalogApi,
           providerFactories: Object.fromEntries(providers),
           disableDefaultProviderFactories: true