@backstage/plugin-auth-backend 0.24.5 → 0.25.0-next.1

package/CHANGELOG.md

@@ -1,5 +1,66 @@
 # @backstage/plugin-auth-backend
 
+## 0.25.0-next.1
+
+### Patch Changes
+
+- 0d606ac: Added the configuration flag `auth.omitIdentityTokenOwnershipClaim` that causes issued user tokens to no longer contain the `ent` claim that represents the ownership references of the user.
+
+  The benefit of this new flag is that issued user tokens will be much smaller in
+  size, but they will no longer be self-contained. This means that any consumers
+  of the token that require access to the ownership claims now need to call the
+  `/api/auth/v1/userinfo` endpoint instead. Within the Backstage ecosystem this is
+  done automatically, as clients will still receive the full set of claims during
+  authentication, while plugin backends will need to use the `UserInfoService`
+  which already calls the user info endpoint if necessary.
+
+  When enabling this flag, it is important that any custom sign-in resolvers directly return the result of the sign-in method. For example, the following would not work:
+
+  ```ts
+  const { token } = await ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  return { token }; // WARNING: This will not work with the flag enabled
+  ```
+
+  Instead, the sign-in resolver should directly return the result:
+
+  ```ts
+  return ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  ```
+
+- 72d019d: Removed various typos
+- b128ed9: The `static` key store now issues tokens with the same structure as other key stores. Tokens now include the `typ` field in the header and the `uip` (user identity proof) in the payload.
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.17.0-next.1
+  - @backstage/plugin-auth-node@0.6.3-next.1
+  - @backstage/backend-plugin-api@1.3.1-next.1
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+
+## 0.25.0-next.0
+
+### Minor Changes
+
+- 57221d9: **BREAKING**: Removed support for the old backend system, and removed all deprecated exports.
+
+  If you were using one of the deprecated imports from this package, you will have to follow the instructions in their respective deprecation notices before upgrading. Most of the general utilities are available from `@backstage/plugin-auth-node`, and the specific auth providers are available from dedicated packages such as for example `@backstage/plugin-auth-backend-module-github-provider`. See [the auth docs](https://backstage.io/docs/auth/) for specific instructions.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.17.0-next.0
+  - @backstage/backend-plugin-api@1.3.1-next.0
+  - @backstage/plugin-auth-node@0.6.3-next.0
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+
 ## 0.24.5
 
 ### Patch Changes

package/config.d.ts

@@ -43,6 +43,15 @@ export interface Config {
      */
     identityTokenAlgorithm?: string;
 
+    /**
+     * Whether to omit the entity ownership references (`ent`) claim from the
+     * identity token. If this is enabled the `ent` claim will only be available
+     * via the user info endpoint and the `UserInfoService`.
+     *
+     * Defaults to `false`.
+     */
+    omitIdentityTokenOwnershipClaim?: boolean;
+
     /** To control how to store JWK data in auth-backend */
     keyStore?: {
       provider?: 'database' | 'memory' | 'firestore' | 'static';
@@ -84,64 +93,6 @@ export interface Config {
       };
     };
 
-    /**
-     * The available auth-provider options and attributes
-     * @additionalProperties true
-     */
-    providers?: {
-      /** @visibility frontend */
-      saml?: {
-        entryPoint: string;
-        logoutUrl?: string;
-        issuer: string;
-        /**
-         * @visibility secret
-         */
-        cert: string;
-        audience?: string;
-        /**
-         * @visibility secret
-         */
-        privateKey?: string;
-        authnContext?: string[];
-        identifierFormat?: string;
-        /**
-         * @visibility secret
-         */
-        decryptionPvk?: string;
-        signatureAlgorithm?: 'sha256' | 'sha512';
-        digestAlgorithm?: string;
-        acceptedClockSkewMs?: number;
-      };
-      /** @visibility frontend */
-      auth0?: {
-        [authEnv: string]: {
-          clientId: string;
-          /**
-           * @visibility secret
-           */
-          clientSecret: string;
-          domain: string;
-          callbackUrl?: string;
-          audience?: string;
-          connection?: string;
-          connectionScope?: string;
-        };
-      };
-      /** @visibility frontend */
-      onelogin?: {
-        [authEnv: string]: {
-          clientId: string;
-          /**
-           * @visibility secret
-           */
-          clientSecret: string;
-          issuer: string;
-          callbackUrl?: string;
-        };
-      };
-    };
-
     /**
      * The backstage token expiration.
      */

package/dist/authPlugin.cjs.js

@@ -2,7 +2,7 @@
 
 var backendPluginApi = require('@backstage/backend-plugin-api');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
-var alpha = require('@backstage/plugin-catalog-node/alpha');
+var pluginCatalogNode = require('@backstage/plugin-catalog-node');
 var router = require('./service/router.cjs.js');
 
 const authPlugin = backendPluginApi.createBackendPlugin({
@@ -36,8 +36,7 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database: backendPluginApi.coreServices.database,
         discovery: backendPluginApi.coreServices.discovery,
         auth: backendPluginApi.coreServices.auth,
-        httpAuth: backendPluginApi.coreServices.httpAuth,
-        catalogApi: alpha.catalogServiceRef
+        catalog: pluginCatalogNode.catalogServiceRef
       },
       async init({
         httpRouter,
@@ -46,8 +45,7 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database,
         discovery,
         auth,
-        httpAuth,
-        catalogApi
+        catalog
       }) {
         const router$1 = await router.createRouter({
           logger,
@@ -55,10 +53,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           database,
           discovery,
           auth,
-          httpAuth,
-          catalogApi,
+          catalog,
           providerFactories: Object.fromEntries(providers),
-          disableDefaultProviderFactories: true,
           ownershipResolver
         });
         httpRouter.addAuthPolicy({

package/dist/authPlugin.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n  authOwnershipResolutionExtensionPoint,\n  AuthOwnershipResolver,\n  AuthProviderFactory,\n  authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node/alpha';\nimport { createRouter } from './service/router';\n\n/**\n * Auth plugin\n *\n * @public\n */\nexport const authPlugin = createBackendPlugin({\n  pluginId: 'auth',\n  register(reg) {\n    const providers = new Map<string, AuthProviderFactory>();\n    let ownershipResolver: AuthOwnershipResolver | undefined = undefined;\n\n    reg.registerExtensionPoint(authProvidersExtensionPoint, {\n      registerProvider({ providerId, factory }) {\n        if (providers.has(providerId)) {\n          throw new Error(\n            `Auth provider '${providerId}' was already registered`,\n          );\n        }\n        providers.set(providerId, factory);\n      },\n    });\n\n    reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n      setAuthOwnershipResolver(resolver) {\n        if (ownershipResolver) {\n          throw new Error('Auth ownership resolver is already set');\n        }\n        ownershipResolver = resolver;\n      },\n    });\n\n    reg.registerInit({\n      deps: {\n        httpRouter: coreServices.httpRouter,\n        logger: coreServices.logger,\n        config: coreServices.rootConfig,\n        database: coreServices.database,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        catalogApi: catalogServiceRef,\n      },\n      async init({\n        httpRouter,\n        logger,\n        config,\n        database,\n        discovery,\n        auth,\n        httpAuth,\n        catalogApi,\n      }) {\n        const router = await createRouter({\n          logger,\n          config,\n          database,\n          discovery,\n          auth,\n          httpAuth,\n          catalogApi,\n          providerFactories: Object.fromEntries(providers),\n          disableDefaultProviderFactories: true,\n          ownershipResolver,\n        });\n        httpRouter.addAuthPolicy({\n          path: '/',\n          allow: 'unauthenticated',\n        });\n        httpRouter.use(router);\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,oCAAoB,CAAA;AAAA,EAC5C,QAAU,EAAA,MAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAM,MAAA,SAAA,uBAAgB,GAAiC,EAAA;AACvD,IAAA,IAAI,iBAAuD,GAAA,KAAA,CAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAA6B,EAAA;AAAA,MACtD,gBAAiB,CAAA,EAAE,UAAY,EAAA,OAAA,EAAW,EAAA;AACxC,QAAI,IAAA,SAAA,CAAU,GAAI,CAAA,UAAU,CAAG,EAAA;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA;AAEF,QAAU,SAAA,CAAA,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA;AACnC,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAuC,EAAA;AAAA,MAChE,yBAAyB,QAAU,EAAA;AACjC,QAAA,IAAI,iBAAmB,EAAA;AACrB,UAAM,MAAA,IAAI,MAAM,wCAAwC,CAAA;AAAA;AAE1D,QAAoB,iBAAA,GAAA,QAAA;AAAA;AACtB,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,YAAYC,6BAAa,CAAA,UAAA;AAAA,QACzB,QAAQA,6BAAa,CAAA,MAAA;AAAA,QACrB,QAAQA,6BAAa,CAAA,UAAA;AAAA,QACrB,UAAUA,6BAAa,CAAA,QAAA;AAAA,QACvB,WAAWA,6BAAa,CAAA,SAAA;AAAA,QACxB,MAAMA,6BAAa,CAAA,IAAA;AAAA,QACnB,UAAUA,6BAAa,CAAA,QAAA;AAAA,QACvB,UAAY,EAAAC;AAAA,OACd;AAAA,MACA,MAAM,IAAK,CAAA;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACC,EAAA;AACD,QAAM,MAAAC,QAAA,GAAS,MAAMC,mBAAa,CAAA;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,QAAA;AAAA,UACA,UAAA;AAAA,UACA,iBAAA,EAAmB,MAAO,CAAA,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C,+BAAiC,EAAA,IAAA;AAAA,UACjC;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAc,CAAA;AAAA,UACvB,IAAM,EAAA,GAAA;AAAA,UACN,KAAO,EAAA;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA;AACvB,KACD,CAAA;AAAA;AAEL,CAAC;;;;"}
+{"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n  authOwnershipResolutionExtensionPoint,\n  AuthOwnershipResolver,\n  AuthProviderFactory,\n  authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\n\n/**\n * Auth plugin\n *\n * @public\n */\nexport const authPlugin = createBackendPlugin({\n  pluginId: 'auth',\n  register(reg) {\n    const providers = new Map<string, AuthProviderFactory>();\n    let ownershipResolver: AuthOwnershipResolver | undefined = undefined;\n\n    reg.registerExtensionPoint(authProvidersExtensionPoint, {\n      registerProvider({ providerId, factory }) {\n        if (providers.has(providerId)) {\n          throw new Error(\n            `Auth provider '${providerId}' was already registered`,\n          );\n        }\n        providers.set(providerId, factory);\n      },\n    });\n\n    reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n      setAuthOwnershipResolver(resolver) {\n        if (ownershipResolver) {\n          throw new Error('Auth ownership resolver is already set');\n        }\n        ownershipResolver = resolver;\n      },\n    });\n\n    reg.registerInit({\n      deps: {\n        httpRouter: coreServices.httpRouter,\n        logger: coreServices.logger,\n        config: coreServices.rootConfig,\n        database: coreServices.database,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        catalog: catalogServiceRef,\n      },\n      async init({\n        httpRouter,\n        logger,\n        config,\n        database,\n        discovery,\n        auth,\n        catalog,\n      }) {\n        const router = await createRouter({\n          logger,\n          config,\n          database,\n          discovery,\n          auth,\n          catalog,\n          providerFactories: Object.fromEntries(providers),\n          ownershipResolver,\n        });\n        httpRouter.addAuthPolicy({\n          path: '/',\n          allow: 'unauthenticated',\n        });\n        httpRouter.use(router);\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,oCAAoB,CAAA;AAAA,EAC5C,QAAU,EAAA,MAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAM,MAAA,SAAA,uBAAgB,GAAiC,EAAA;AACvD,IAAA,IAAI,iBAAuD,GAAA,KAAA,CAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAA6B,EAAA;AAAA,MACtD,gBAAiB,CAAA,EAAE,UAAY,EAAA,OAAA,EAAW,EAAA;AACxC,QAAI,IAAA,SAAA,CAAU,GAAI,CAAA,UAAU,CAAG,EAAA;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA;AAEF,QAAU,SAAA,CAAA,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA;AACnC,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAuC,EAAA;AAAA,MAChE,yBAAyB,QAAU,EAAA;AACjC,QAAA,IAAI,iBAAmB,EAAA;AACrB,UAAM,MAAA,IAAI,MAAM,wCAAwC,CAAA;AAAA;AAE1D,QAAoB,iBAAA,GAAA,QAAA;AAAA;AACtB,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,YAAYC,6BAAa,CAAA,UAAA;AAAA,QACzB,QAAQA,6BAAa,CAAA,MAAA;AAAA,QACrB,QAAQA,6BAAa,CAAA,UAAA;AAAA,QACrB,UAAUA,6BAAa,CAAA,QAAA;AAAA,QACvB,WAAWA,6BAAa,CAAA,SAAA;AAAA,QACxB,MAAMA,6BAAa,CAAA,IAAA;AAAA,QACnB,OAAS,EAAAC;AAAA,OACX;AAAA,MACA,MAAM,IAAK,CAAA;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACC,EAAA;AACD,QAAM,MAAAC,QAAA,GAAS,MAAMC,mBAAa,CAAA;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAO,CAAA,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAc,CAAA;AAAA,UACvB,IAAM,EAAA,GAAA;AAAA,UACN,KAAO,EAAA;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA;AACvB,KACD,CAAA;AAAA;AAEL,CAAC;;;;"}

package/dist/database/AuthDatabase.cjs.js

@@ -1,8 +1,6 @@
 'use strict';
 
-var backendCommon = require('@backstage/backend-common');
 var backendPluginApi = require('@backstage/backend-plugin-api');
-var config = require('@backstage/config');
 
 const migrationsDir = backendPluginApi.resolvePackagePath(
   "@backstage/plugin-auth-backend",
@@ -14,20 +12,6 @@ class AuthDatabase {
   static create(database) {
     return new AuthDatabase(database);
   }
-  /** @internal */
-  static forTesting() {
-    const config$1 = new config.ConfigReader({
-      backend: {
-        database: {
-          client: "better-sqlite3",
-          connection: ":memory:",
-          useNullAsDefault: true
-        }
-      }
-    });
-    const database = backendCommon.DatabaseManager.fromConfig(config$1).forPlugin("auth");
-    return new AuthDatabase(database);
-  }
   static async runMigrations(knex) {
     await knex.migrate.latest({
       directory: migrationsDir

package/dist/database/AuthDatabase.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"AuthDatabase.cjs.js","sources":["../../src/database/AuthDatabase.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DatabaseManager } from '@backstage/backend-common';\nimport {\n  DatabaseService,\n  resolvePackagePath,\n} from '@backstage/backend-plugin-api';\nimport { ConfigReader } from '@backstage/config';\nimport { Knex } from 'knex';\n\nconst migrationsDir = resolvePackagePath(\n  '@backstage/plugin-auth-backend',\n  'migrations',\n);\n\n/**\n * Ensures that a database connection is established exactly once and only when\n * asked for, and runs migrations.\n */\nexport class AuthDatabase {\n  readonly #database: DatabaseService;\n  #promise: Promise<Knex> | undefined;\n\n  static create(database: DatabaseService): AuthDatabase {\n    return new AuthDatabase(database);\n  }\n\n  /** @internal */\n  static forTesting(): AuthDatabase {\n    const config = new ConfigReader({\n      backend: {\n        database: {\n          client: 'better-sqlite3',\n          connection: ':memory:',\n          useNullAsDefault: true,\n        },\n      },\n    });\n    const database = DatabaseManager.fromConfig(config).forPlugin('auth');\n    return new AuthDatabase(database);\n  }\n\n  static async runMigrations(knex: Knex): Promise<void> {\n    await knex.migrate.latest({\n      directory: migrationsDir,\n    });\n  }\n\n  private constructor(database: DatabaseService) {\n    this.#database = database;\n  }\n\n  get(): Promise<Knex> {\n    this.#promise ??= this.#database.getClient().then(async client => {\n      if (!this.#database.migrations?.skip) {\n        await AuthDatabase.runMigrations(client);\n      }\n      return client;\n    });\n\n    return this.#promise;\n  }\n}\n"],"names":["resolvePackagePath","config","ConfigReader","DatabaseManager"],"mappings":";;;;;;AAwBA,MAAM,aAAgB,GAAAA,mCAAA;AAAA,EACpB,gCAAA;AAAA,EACA;AACF,CAAA;AAMO,MAAM,YAAa,CAAA;AAAA,EACf,SAAA;AAAA,EACT,QAAA;AAAA,EAEA,OAAO,OAAO,QAAyC,EAAA;AACrD,IAAO,OAAA,IAAI,aAAa,QAAQ,CAAA;AAAA;AAClC;AAAA,EAGA,OAAO,UAA2B,GAAA;AAChC,IAAM,MAAAC,QAAA,GAAS,IAAIC,mBAAa,CAAA;AAAA,MAC9B,OAAS,EAAA;AAAA,QACP,QAAU,EAAA;AAAA,UACR,MAAQ,EAAA,gBAAA;AAAA,UACR,UAAY,EAAA,UAAA;AAAA,UACZ,gBAAkB,EAAA;AAAA;AACpB;AACF,KACD,CAAA;AACD,IAAA,MAAM,WAAWC,6BAAgB,CAAA,UAAA,CAAWF,QAAM,CAAA,CAAE,UAAU,MAAM,CAAA;AACpE,IAAO,OAAA,IAAI,aAAa,QAAQ,CAAA;AAAA;AAClC,EAEA,aAAa,cAAc,IAA2B,EAAA;AACpD,IAAM,MAAA,IAAA,CAAK,QAAQ,MAAO,CAAA;AAAA,MACxB,SAAW,EAAA;AAAA,KACZ,CAAA;AAAA;AACH,EAEQ,YAAY,QAA2B,EAAA;AAC7C,IAAA,IAAA,CAAK,SAAY,GAAA,QAAA;AAAA;AACnB,EAEA,GAAqB,GAAA;AACnB,IAAA,IAAA,CAAK,aAAa,IAAK,CAAA,SAAA,CAAU,WAAY,CAAA,IAAA,CAAK,OAAM,MAAU,KAAA;AAChE,MAAA,IAAI,CAAC,IAAA,CAAK,SAAU,CAAA,UAAA,EAAY,IAAM,EAAA;AACpC,QAAM,MAAA,YAAA,CAAa,cAAc,MAAM,CAAA;AAAA;AAEzC,MAAO,OAAA,MAAA;AAAA,KACR,CAAA;AAED,IAAA,OAAO,IAAK,CAAA,QAAA;AAAA;AAEhB;;;;"}
+{"version":3,"file":"AuthDatabase.cjs.js","sources":["../../src/database/AuthDatabase.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DatabaseService,\n  resolvePackagePath,\n} from '@backstage/backend-plugin-api';\nimport { Knex } from 'knex';\n\nconst migrationsDir = resolvePackagePath(\n  '@backstage/plugin-auth-backend',\n  'migrations',\n);\n\n/**\n * Ensures that a database connection is established exactly once and only when\n * asked for, and runs migrations.\n */\nexport class AuthDatabase {\n  readonly #database: DatabaseService;\n  #promise: Promise<Knex> | undefined;\n\n  static create(database: DatabaseService): AuthDatabase {\n    return new AuthDatabase(database);\n  }\n\n  static async runMigrations(knex: Knex): Promise<void> {\n    await knex.migrate.latest({\n      directory: migrationsDir,\n    });\n  }\n\n  private constructor(database: DatabaseService) {\n    this.#database = database;\n  }\n\n  get(): Promise<Knex> {\n    this.#promise ??= this.#database.getClient().then(async client => {\n      if (!this.#database.migrations?.skip) {\n        await AuthDatabase.runMigrations(client);\n      }\n      return client;\n    });\n\n    return this.#promise;\n  }\n}\n"],"names":["resolvePackagePath"],"mappings":";;;;AAsBA,MAAM,aAAgB,GAAAA,mCAAA;AAAA,EACpB,gCAAA;AAAA,EACA;AACF,CAAA;AAMO,MAAM,YAAa,CAAA;AAAA,EACf,SAAA;AAAA,EACT,QAAA;AAAA,EAEA,OAAO,OAAO,QAAyC,EAAA;AACrD,IAAO,OAAA,IAAI,aAAa,QAAQ,CAAA;AAAA;AAClC,EAEA,aAAa,cAAc,IAA2B,EAAA;AACpD,IAAM,MAAA,IAAA,CAAK,QAAQ,MAAO,CAAA;AAAA,MACxB,SAAW,EAAA;AAAA,KACZ,CAAA;AAAA;AACH,EAEQ,YAAY,QAA2B,EAAA;AAC7C,IAAA,IAAA,CAAK,SAAY,GAAA,QAAA;AAAA;AACnB,EAEA,GAAqB,GAAA;AACnB,IAAA,IAAA,CAAK,aAAa,IAAK,CAAA,SAAA,CAAU,WAAY,CAAA,IAAA,CAAK,OAAM,MAAU,KAAA;AAChE,MAAA,IAAI,CAAC,IAAA,CAAK,SAAU,CAAA,UAAA,EAAY,IAAM,EAAA;AACpC,QAAM,MAAA,YAAA,CAAa,cAAc,MAAM,CAAA;AAAA;AAEzC,MAAO,OAAA,MAAA;AAAA,KACR,CAAA;AAED,IAAA,OAAO,IAAK,CAAA,QAAA;AAAA;AAEhB;;;;"}

package/dist/identity/StaticTokenIssuer.cjs.js

@@ -1,40 +1,33 @@
 'use strict';
 
-var jose = require('jose');
-var catalogModel = require('@backstage/catalog-model');
-var errors = require('@backstage/errors');
+var issueUserToken = require('./issueUserToken.cjs.js');
 
-const MS_IN_S = 1e3;
 class StaticTokenIssuer {
   issuer;
   logger;
   keyStore;
   sessionExpirationSeconds;
+  omitClaimsFromToken;
+  userInfoDatabaseHandler;
   constructor(options, keyStore) {
     this.issuer = options.issuer;
     this.logger = options.logger;
     this.sessionExpirationSeconds = options.sessionExpirationSeconds;
     this.keyStore = keyStore;
+    this.omitClaimsFromToken = options.omitClaimsFromToken;
+    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getSigningKey();
-    const iss = this.issuer;
-    const { sub, ent, ...additionalClaims } = params.claims;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.sessionExpirationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return issueUserToken.issueUserToken({
+      issuer: this.issuer,
+      key,
+      keyDurationSeconds: this.sessionExpirationSeconds,
+      logger: this.logger,
+      omitClaimsFromToken: this.omitClaimsFromToken,
+      params,
+      userInfoDatabaseHandler: this.userInfoDatabaseHandler
+    });
   }
   async getSigningKey() {
     const { items: keys } = await this.keyStore.listKeys();

package/dist/identity/StaticTokenIssuer.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { SignJWT, importJWK, JWK } from 'jose';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { StaticKeyStore } from './StaticKeyStore';\nimport { TokenParams } from '@backstage/plugin-auth-node';\n\nconst MS_IN_S = 1000;\n\nexport type Config = {\n  publicKeyFile: string;\n  privateKeyFile: string;\n  keyId: string;\n  algorithm?: string;\n};\n\nexport type Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Expiration time of the JWT in seconds */\n  sessionExpirationSeconds: number;\n};\n\n/**\n * A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: StaticKeyStore;\n  private readonly sessionExpirationSeconds: number;\n\n  public constructor(options: Options, keyStore: StaticKeyStore) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n    this.keyStore = keyStore;\n  }\n\n  public async issueToken(params: TokenParams): Promise<string> {\n    const key = await this.getSigningKey();\n\n    // TODO: code shared with TokenFactory.ts\n    const iss = this.issuer;\n    const { sub, ent, ...additionalClaims } = params.claims;\n    const aud = 'backstage';\n    const iat = Math.floor(Date.now() / MS_IN_S);\n    const exp = iat + this.sessionExpirationSeconds;\n\n    // Validate that the subject claim is a valid EntityRef\n    try {\n      parseEntityRef(sub);\n    } catch (error) {\n      throw new Error(\n        '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n      );\n    }\n\n    this.logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);\n\n    if (!key.alg) {\n      throw new AuthenticationError('No algorithm was provided in the key');\n    }\n\n    return new SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp })\n      .setProtectedHeader({ alg: key.alg, kid: key.kid })\n      .setIssuer(iss)\n      .setAudience(aud)\n      .setSubject(sub)\n      .setIssuedAt(iat)\n      .setExpirationTime(exp)\n      .sign(await importJWK(key));\n  }\n\n  private async getSigningKey(): Promise<JWK> {\n    const { items: keys } = await this.keyStore.listKeys();\n    if (keys.length >= 1) {\n      return this.keyStore.getPrivateKey(keys[0].key.kid);\n    }\n    throw new Error('Keystore should hold at least 1 key');\n  }\n\n  public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n    return { keys: keys.map(({ key }) => key) };\n  }\n}\n"],"names":["parseEntityRef","AuthenticationError","SignJWT","importJWK"],"mappings":";;;;;;AAwBA,MAAM,OAAU,GAAA,GAAA;AAqBT,MAAM,iBAAyC,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,QAA0B,EAAA;AAC7D,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,OAAQ,CAAA,wBAAA;AACxC,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA;AAAA;AAClB,EAEA,MAAa,WAAW,MAAsC,EAAA;AAC5D,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,aAAc,EAAA;AAGrC,IAAA,MAAM,MAAM,IAAK,CAAA,MAAA;AACjB,IAAA,MAAM,EAAE,GAAK,EAAA,GAAA,EAAK,GAAG,gBAAA,KAAqB,MAAO,CAAA,MAAA;AACjD,IAAA,MAAM,GAAM,GAAA,WAAA;AACZ,IAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA;AAC3C,IAAM,MAAA,GAAA,GAAM,MAAM,IAAK,CAAA,wBAAA;AAGvB,IAAI,IAAA;AACF,MAAAA,2BAAA,CAAe,GAAG,CAAA;AAAA,aACX,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAAqB,kBAAA,EAAA,GAAG,mBAAmB,GAAO,IAAA,EAAE,CAAE,CAAA,CAAA;AAEvE,IAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,MAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;AAGtE,IAAA,OAAO,IAAIC,YAAQ,CAAA,EAAE,GAAG,gBAAkB,EAAA,GAAA,EAAK,KAAK,GAAK,EAAA,GAAA,EAAK,KAAK,GAAI,EAAC,EACrE,kBAAmB,CAAA,EAAE,KAAK,GAAI,CAAA,GAAA,EAAK,KAAK,GAAI,CAAA,GAAA,EAAK,CAAA,CACjD,UAAU,GAAG,CAAA,CACb,YAAY,GAAG,CAAA,CACf,WAAW,GAAG,CAAA,CACd,YAAY,GAAG,CAAA,CACf,kBAAkB,GAAG,CAAA,CACrB,KAAK,MAAMC,cAAA,CAAU,GAAG,CAAC,CAAA;AAAA;AAC9B,EAEA,MAAc,aAA8B,GAAA;AAC1C,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAI,IAAA,IAAA,CAAK,UAAU,CAAG,EAAA;AACpB,MAAA,OAAO,KAAK,QAAS,CAAA,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA;AAEpD,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AACvD,EAEA,MAAa,cAA8C,GAAA;AACzD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAE9C;;;;"}
+{"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { JWK } from 'jose';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { StaticKeyStore } from './StaticKeyStore';\nimport {\n  BackstageSignInResult,\n  TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { issueUserToken } from './issueUserToken';\n\nexport type Config = {\n  publicKeyFile: string;\n  privateKeyFile: string;\n  keyId: string;\n  algorithm?: string;\n};\n\nexport type Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Expiration time of the JWT in seconds */\n  sessionExpirationSeconds: number;\n  /**\n   * A list of claims to omit from issued tokens and only store in the user info database\n   */\n  omitClaimsFromToken?: string[];\n  userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/**\n * A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: StaticKeyStore;\n  private readonly sessionExpirationSeconds: number;\n  private readonly omitClaimsFromToken?: string[];\n  private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n  public constructor(options: Options, keyStore: StaticKeyStore) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n    this.keyStore = keyStore;\n    this.omitClaimsFromToken = options.omitClaimsFromToken;\n    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n  }\n\n  public async issueToken(params: TokenParams): Promise<BackstageSignInResult> {\n    const key = await this.getSigningKey();\n\n    return issueUserToken({\n      issuer: this.issuer,\n      key,\n      keyDurationSeconds: this.sessionExpirationSeconds,\n      logger: this.logger,\n      omitClaimsFromToken: this.omitClaimsFromToken,\n      params,\n      userInfoDatabaseHandler: this.userInfoDatabaseHandler,\n    });\n  }\n\n  private async getSigningKey(): Promise<JWK> {\n    const { items: keys } = await this.keyStore.listKeys();\n    if (keys.length >= 1) {\n      return this.keyStore.getPrivateKey(keys[0].key.kid);\n    }\n    throw new Error('Keystore should hold at least 1 key');\n  }\n\n  public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n    return { keys: keys.map(({ key }) => key) };\n  }\n}\n"],"names":["issueUserToken"],"mappings":";;;;AAmDO,MAAM,iBAAyC,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EACA,mBAAA;AAAA,EACA,uBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,QAA0B,EAAA;AAC7D,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,OAAQ,CAAA,wBAAA;AACxC,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA;AAChB,IAAA,IAAA,CAAK,sBAAsB,OAAQ,CAAA,mBAAA;AACnC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAa,WAAW,MAAqD,EAAA;AAC3E,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,aAAc,EAAA;AAErC,IAAA,OAAOA,6BAAe,CAAA;AAAA,MACpB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAK,CAAA,wBAAA;AAAA,MACzB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,qBAAqB,IAAK,CAAA,mBAAA;AAAA,MAC1B,MAAA;AAAA,MACA,yBAAyB,IAAK,CAAA;AAAA,KAC/B,CAAA;AAAA;AACH,EAEA,MAAc,aAA8B,GAAA;AAC1C,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAI,IAAA,IAAA,CAAK,UAAU,CAAG,EAAA;AACpB,MAAA,OAAO,KAAK,QAAS,CAAA,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA;AAEpD,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AACvD,EAEA,MAAa,cAA8C,GAAA;AACzD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAE9C;;;;"}

package/dist/identity/TokenFactory.cjs.js

@@ -1,21 +1,17 @@
 'use strict';
 
-var catalogModel = require('@backstage/catalog-model');
-var errors = require('@backstage/errors');
 var jose = require('jose');
-var lodash = require('lodash');
 var luxon = require('luxon');
 var uuid = require('uuid');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
+var issueUserToken = require('./issueUserToken.cjs.js');
 
-const MS_IN_S = 1e3;
-const MAX_TOKEN_LENGTH = 32768;
 class TokenFactory {
   issuer;
   logger;
   keyStore;
   keyDurationSeconds;
   algorithm;
+  omitClaimsFromToken;
   userInfoDatabaseHandler;
   keyExpiry;
   privateKeyPromise;
@@ -25,62 +21,20 @@ class TokenFactory {
     this.keyStore = options.keyStore;
     this.keyDurationSeconds = options.keyDurationSeconds;
     this.algorithm = options.algorithm ?? "ES256";
+    this.omitClaimsFromToken = options.omitClaimsFromToken;
     this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getKey();
-    const iss = this.issuer;
-    const { sub, ent = [sub], ...additionalClaims } = params.claims;
-    const aud = pluginAuthNode.tokenTypes.user.audClaim;
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
-    const signingKey = await jose.importJWK(key);
-    const uip = await this.createUserIdentityClaim({
-      header: {
-        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-        alg: key.alg,
-        kid: key.kid
-      },
-      payload: { sub, iat, exp },
-      key: signingKey
+    return issueUserToken.issueUserToken({
+      issuer: this.issuer,
+      key,
+      keyDurationSeconds: this.keyDurationSeconds,
+      logger: this.logger,
+      omitClaimsFromToken: this.omitClaimsFromToken,
+      params,
+      userInfoDatabaseHandler: this.userInfoDatabaseHandler
     });
-    const claims = {
-      ...additionalClaims,
-      iss,
-      sub,
-      ent,
-      aud,
-      iat,
-      exp,
-      uip
-    };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.user.typParam,
-      alg: key.alg,
-      kid: key.kid
-    }).sign(signingKey);
-    if (token.length > MAX_TOKEN_LENGTH) {
-      throw new Error(
-        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
-          claims
-        )}'`
-      );
-    }
-    await this.userInfoDatabaseHandler.addUserInfo({
-      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
-    });
-    return token;
   }
   // This will be called by other services that want to verify ID tokens.
   // It is important that it returns a list of all public keys that could
@@ -139,25 +93,6 @@ class TokenFactory {
     }
     return promise;
   }
-  // Creates a string claim that can be used as part of reconstructing a limited
-  // user token. The output of this function is only the signature part of a
-  // JWS.
-  async createUserIdentityClaim(options) {
-    const header = {
-      typ: options.header.typ,
-      alg: options.header.alg,
-      ...options.header.kid ? { kid: options.header.kid } : {}
-    };
-    const payload = {
-      sub: options.payload.sub,
-      iat: options.payload.iat,
-      exp: options.payload.exp
-    };
-    const jws = await new jose.GeneralSign(
-      new TextEncoder().encode(JSON.stringify(payload))
-    ).addSignature(options.key).setProtectedHeader(header).done().sign();
-    return jws.signatures[0].signature;
-  }
 }
 
 exports.TokenFactory = TokenFactory;

package/dist/identity/TokenFactory.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  exportJWK,\n  generateKeyPair,\n  importJWK,\n  JWK,\n  SignJWT,\n  GeneralSign,\n  KeyLike,\n} from 'jose';\nimport { omit } from 'lodash';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { TokenParams, tokenTypes } from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\n/**\n * The payload contents of a valid Backstage JWT token\n */\nexport interface BackstageTokenPayload {\n  /**\n   * The issuer of the token, currently the discovery URL of the auth backend\n   */\n  iss: string;\n\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * The entity refs that the user claims ownership througg\n   */\n  ent: string[];\n\n  /**\n   * A hard coded audience string\n   */\n  aud: typeof tokenTypes.user.audClaim;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n\n  /**\n   * A separate user identity proof that the auth service can convert to a limited user token\n   */\n  uip: string;\n\n  /**\n   * Any other custom claims that the adopter may have added\n   */\n  [claim: string]: JsonValue;\n}\n\n/**\n * The payload contents of a valid Backstage user identity claim token\n *\n * @internal\n */\ninterface BackstageUserIdentityProofPayload {\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n}\n\ntype Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Key store used for storing signing keys */\n  keyStore: KeyStore;\n  /** Expiration time of signing keys in seconds */\n  keyDurationSeconds: number;\n  /** JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n   * Must match one of the algorithms defined for IdentityClient.\n   * When setting a different algorithm, check if the `key` field\n   * of the `signing_keys` table can fit the length of the generated keys.\n   * If not, add a knex migration file in the migrations folder.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithm?: string;\n  userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/**\n * A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n *\n * The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n *\n * Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n */\nexport class TokenFactory implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: KeyStore;\n  private readonly keyDurationSeconds: number;\n  private readonly algorithm: string;\n  private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n  private keyExpiry?: Date;\n  private privateKeyPromise?: Promise<JWK>;\n\n  constructor(options: Options) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.keyStore = options.keyStore;\n    this.keyDurationSeconds = options.keyDurationSeconds;\n    this.algorithm = options.algorithm ?? 'ES256';\n    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n  }\n\n  async issueToken(params: TokenParams): Promise<string> {\n    const key = await this.getKey();\n\n    const iss = this.issuer;\n    const { sub, ent = [sub], ...additionalClaims } = params.claims;\n    const aud = tokenTypes.user.audClaim;\n    const iat = Math.floor(Date.now() / MS_IN_S);\n    const exp = iat + this.keyDurationSeconds;\n\n    try {\n      // The subject must be a valid entity ref\n      parseEntityRef(sub);\n    } catch (error) {\n      throw new Error(\n        '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n      );\n    }\n\n    if (!key.alg) {\n      throw new AuthenticationError('No algorithm was provided in the key');\n    }\n\n    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n    const signingKey = await importJWK(key);\n\n    const uip = await this.createUserIdentityClaim({\n      header: {\n        typ: tokenTypes.limitedUser.typParam,\n        alg: key.alg,\n        kid: key.kid,\n      },\n      payload: { sub, iat, exp },\n      key: signingKey,\n    });\n\n    const claims: BackstageTokenPayload = {\n      ...additionalClaims,\n      iss,\n      sub,\n      ent,\n      aud,\n      iat,\n      exp,\n      uip,\n    };\n\n    const token = await new SignJWT(claims)\n      .setProtectedHeader({\n        typ: tokenTypes.user.typParam,\n        alg: key.alg,\n        kid: key.kid,\n      })\n      .sign(signingKey);\n\n    if (token.length > MAX_TOKEN_LENGTH) {\n      throw new Error(\n        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n          claims,\n        )}'`,\n      );\n    }\n\n    // Store the user info in the database upon successful token\n    // issuance so that it can be retrieved later by limited user tokens\n    await this.userInfoDatabaseHandler.addUserInfo({\n      claims: omit(claims, ['aud', 'iat', 'iss', 'uip']),\n    });\n\n    return token;\n  }\n\n  // This will be called by other services that want to verify ID tokens.\n  // It is important that it returns a list of all public keys that could\n  // have been used to sign tokens that have not yet expired.\n  async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n\n    const validKeys = [];\n    const expiredKeys = [];\n\n    for (const key of keys) {\n      // Allow for a grace period of another full key duration before we remove the keys from the database\n      const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n        seconds: 3 * this.keyDurationSeconds,\n      });\n      if (expireAt < DateTime.local()) {\n        expiredKeys.push(key);\n      } else {\n        validKeys.push(key);\n      }\n    }\n\n    // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n    if (expiredKeys.length > 0) {\n      const kids = expiredKeys.map(({ key }) => key.kid);\n\n      this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n      // We don't await this, just let it run in the background\n      this.keyStore.removeKeys(kids).catch(error => {\n        this.logger.error(`Failed to remove expired keys, ${error}`);\n      });\n    }\n\n    // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n    return { keys: validKeys.map(({ key }) => key) };\n  }\n\n  private async getKey(): Promise<JWK> {\n    // Make sure that we only generate one key at a time\n    if (this.privateKeyPromise) {\n      if (\n        this.keyExpiry &&\n        DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n      ) {\n        return this.privateKeyPromise;\n      }\n      this.logger.info(`Signing key has expired, generating new key`);\n      delete this.privateKeyPromise;\n    }\n\n    this.keyExpiry = DateTime.utc()\n      .plus({\n        seconds: this.keyDurationSeconds,\n      })\n      .toJSDate();\n    const promise = (async () => {\n      // This generates a new signing key to be used to sign tokens until the next key rotation\n      const key = await generateKeyPair(this.algorithm);\n      const publicKey = await exportJWK(key.publicKey);\n      const privateKey = await exportJWK(key.privateKey);\n      publicKey.kid = privateKey.kid = uuid();\n      publicKey.alg = privateKey.alg = this.algorithm;\n\n      // We're not allowed to use the key until it has been successfully stored\n      // TODO: some token verification implementations aggressively cache the list of keys, and\n      //       don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n      //       may want to keep using the existing key for some period of time until we switch to\n      //       the new one. This also needs to be implemented cross-service though, meaning new services\n      //       that boot up need to be able to grab an existing key to use for signing.\n      this.logger.info(`Created new signing key ${publicKey.kid}`);\n      await this.keyStore.addKey(publicKey as AnyJWK);\n\n      // At this point we are allowed to start using the new key\n      return privateKey;\n    })();\n\n    this.privateKeyPromise = promise;\n\n    try {\n      // If we fail to generate a new key, we need to clear the state so that\n      // the next caller will try to generate another key.\n      await promise;\n    } catch (error) {\n      this.logger.error(`Failed to generate new signing key, ${error}`);\n      delete this.keyExpiry;\n      delete this.privateKeyPromise;\n    }\n\n    return promise;\n  }\n\n  // Creates a string claim that can be used as part of reconstructing a limited\n  // user token. The output of this function is only the signature part of a\n  // JWS.\n  private async createUserIdentityClaim(options: {\n    header: {\n      typ: string;\n      alg: string;\n      kid?: string;\n    };\n    payload: BackstageUserIdentityProofPayload;\n    key: KeyLike | Uint8Array;\n  }): Promise<string> {\n    // NOTE: We reconstruct the header and payload structures carefully to\n    // perfectly guarantee ordering. The reason for this is that we store only\n    // the signature part of these to reduce duplication within the Backstage\n    // token. Anyone who wants to make an actual JWT based on all this must be\n    // able to do the EXACT reconstruction of the header and payload parts, to\n    // then append the signature.\n\n    const header = {\n      typ: options.header.typ,\n      alg: options.header.alg,\n      ...(options.header.kid ? { kid: options.header.kid } : {}),\n    };\n\n    const payload = {\n      sub: options.payload.sub,\n      iat: options.payload.iat,\n      exp: options.payload.exp,\n    };\n\n    const jws = await new GeneralSign(\n      new TextEncoder().encode(JSON.stringify(payload)),\n    )\n      .addSignature(options.key)\n      .setProtectedHeader(header)\n      .done()\n      .sign();\n\n    return jws.signatures[0].signature;\n  }\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","SignJWT","omit","DateTime","generateKeyPair","exportJWK","uuid","GeneralSign"],"mappings":";;;;;;;;;;AAoCA,MAAM,OAAU,GAAA,GAAA;AAChB,MAAM,gBAAmB,GAAA,KAAA;AAqGlB,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,uBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA;AACtC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAM,WAAW,MAAsC,EAAA;AACrD,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA;AAE9B,IAAA,MAAM,MAAM,IAAK,CAAA,MAAA;AACjB,IAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA;AACzD,IAAM,MAAA,GAAA,GAAMA,0BAAW,IAAK,CAAA,QAAA;AAC5B,IAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA;AAC3C,IAAM,MAAA,GAAA,GAAM,MAAM,IAAK,CAAA,kBAAA;AAEvB,IAAI,IAAA;AAEF,MAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,aACX,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,MAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;AAGtE,IAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA,CAAA;AAEjE,IAAM,MAAA,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,uBAAwB,CAAA;AAAA,MAC7C,MAAQ,EAAA;AAAA,QACN,GAAA,EAAKH,0BAAW,WAAY,CAAA,QAAA;AAAA,QAC5B,KAAK,GAAI,CAAA,GAAA;AAAA,QACT,KAAK,GAAI,CAAA;AAAA,OACX;AAAA,MACA,OAAS,EAAA,EAAE,GAAK,EAAA,GAAA,EAAK,GAAI,EAAA;AAAA,MACzB,GAAK,EAAA;AAAA,KACN,CAAA;AAED,IAAA,MAAM,MAAgC,GAAA;AAAA,MACpC,GAAG,gBAAA;AAAA,MACH,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,QAAQ,MAAM,IAAII,YAAQ,CAAA,MAAM,EACnC,kBAAmB,CAAA;AAAA,MAClB,GAAA,EAAKJ,0BAAW,IAAK,CAAA,QAAA;AAAA,MACrB,KAAK,GAAI,CAAA,GAAA;AAAA,MACT,KAAK,GAAI,CAAA;AAAA,KACV,CACA,CAAA,IAAA,CAAK,UAAU,CAAA;AAElB,IAAI,IAAA,KAAA,CAAM,SAAS,gBAAkB,EAAA;AACnC,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,6PAA6P,IAAK,CAAA,SAAA;AAAA,UAChQ;AAAA,SACD,CAAA,CAAA;AAAA,OACH;AAAA;AAKF,IAAM,MAAA,IAAA,CAAK,wBAAwB,WAAY,CAAA;AAAA,MAC7C,MAAA,EAAQK,YAAK,MAAQ,EAAA,CAAC,OAAO,KAAO,EAAA,KAAA,EAAO,KAAK,CAAC;AAAA,KAClD,CAAA;AAED,IAAO,OAAA,KAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA;AAAA,OACnB,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA;AACpB;AAIF,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAAA,OAC5D,CAAA;AAAA;AAIH,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AACjD,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAEd,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA;AAAA,KACf,EACA,QAAS,EAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAO,OAAA,UAAA;AAAA,KACN,GAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAc,wBAAwB,OAQlB,EAAA;AAQlB,IAAA,MAAM,MAAS,GAAA;AAAA,MACb,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAI,OAAQ,CAAA,MAAA,CAAO,GAAM,GAAA,EAAE,KAAK,OAAQ,CAAA,MAAA,CAAO,GAAI,EAAA,GAAI;AAAC,KAC1D;AAEA,IAAA,MAAM,OAAU,GAAA;AAAA,MACd,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA;AAAA,KACvB;AAEA,IAAM,MAAA,GAAA,GAAM,MAAM,IAAIC,gBAAA;AAAA,MACpB,IAAI,WAAY,EAAA,CAAE,OAAO,IAAK,CAAA,SAAA,CAAU,OAAO,CAAC;AAAA,KAClD,CACG,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAK,EAAA,CACL,IAAK,EAAA;AAER,IAAO,OAAA,GAAA,CAAI,UAAW,CAAA,CAAC,CAAE,CAAA,SAAA;AAAA;AAE7B;;;;"}
+{"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n  BackstageSignInResult,\n  TokenParams,\n  tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { issueUserToken } from './issueUserToken';\n\n/**\n * The payload contents of a valid Backstage JWT token\n */\nexport interface BackstageTokenPayload {\n  /**\n   * The issuer of the token, currently the discovery URL of the auth backend\n   */\n  iss: string;\n\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * The entity refs that the user claims ownership through\n   */\n  ent: string[];\n\n  /**\n   * A hard coded audience string\n   */\n  aud: typeof tokenTypes.user.audClaim;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n\n  /**\n   * A separate user identity proof that the auth service can convert to a limited user token\n   */\n  uip: string;\n\n  /**\n   * Any other custom claims that the adopter may have added\n   */\n  [claim: string]: JsonValue;\n}\n\ntype Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Key store used for storing signing keys */\n  keyStore: KeyStore;\n  /** Expiration time of signing keys in seconds */\n  keyDurationSeconds: number;\n  /** JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n   * Must match one of the algorithms defined for IdentityClient.\n   * When setting a different algorithm, check if the `key` field\n   * of the `signing_keys` table can fit the length of the generated keys.\n   * If not, add a knex migration file in the migrations folder.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithm?: string;\n  /**\n   * A list of claims to omit from issued tokens and only store in the user info database\n   */\n  omitClaimsFromToken?: string[];\n  userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/**\n * A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n *\n * The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n *\n * Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n */\nexport class TokenFactory implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: KeyStore;\n  private readonly keyDurationSeconds: number;\n  private readonly algorithm: string;\n  private readonly omitClaimsFromToken?: string[];\n  private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n  private keyExpiry?: Date;\n  private privateKeyPromise?: Promise<JWK>;\n\n  constructor(options: Options) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.keyStore = options.keyStore;\n    this.keyDurationSeconds = options.keyDurationSeconds;\n    this.algorithm = options.algorithm ?? 'ES256';\n    this.omitClaimsFromToken = options.omitClaimsFromToken;\n    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n  }\n\n  async issueToken(params: TokenParams): Promise<BackstageSignInResult> {\n    const key = await this.getKey();\n\n    return issueUserToken({\n      issuer: this.issuer,\n      key,\n      keyDurationSeconds: this.keyDurationSeconds,\n      logger: this.logger,\n      omitClaimsFromToken: this.omitClaimsFromToken,\n      params,\n      userInfoDatabaseHandler: this.userInfoDatabaseHandler,\n    });\n  }\n\n  // This will be called by other services that want to verify ID tokens.\n  // It is important that it returns a list of all public keys that could\n  // have been used to sign tokens that have not yet expired.\n  async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n\n    const validKeys = [];\n    const expiredKeys = [];\n\n    for (const key of keys) {\n      // Allow for a grace period of another full key duration before we remove the keys from the database\n      const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n        seconds: 3 * this.keyDurationSeconds,\n      });\n      if (expireAt < DateTime.local()) {\n        expiredKeys.push(key);\n      } else {\n        validKeys.push(key);\n      }\n    }\n\n    // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n    if (expiredKeys.length > 0) {\n      const kids = expiredKeys.map(({ key }) => key.kid);\n\n      this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n      // We don't await this, just let it run in the background\n      this.keyStore.removeKeys(kids).catch(error => {\n        this.logger.error(`Failed to remove expired keys, ${error}`);\n      });\n    }\n\n    // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n    return { keys: validKeys.map(({ key }) => key) };\n  }\n\n  private async getKey(): Promise<JWK> {\n    // Make sure that we only generate one key at a time\n    if (this.privateKeyPromise) {\n      if (\n        this.keyExpiry &&\n        DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n      ) {\n        return this.privateKeyPromise;\n      }\n      this.logger.info(`Signing key has expired, generating new key`);\n      delete this.privateKeyPromise;\n    }\n\n    this.keyExpiry = DateTime.utc()\n      .plus({\n        seconds: this.keyDurationSeconds,\n      })\n      .toJSDate();\n    const promise = (async () => {\n      // This generates a new signing key to be used to sign tokens until the next key rotation\n      const key = await generateKeyPair(this.algorithm);\n      const publicKey = await exportJWK(key.publicKey);\n      const privateKey = await exportJWK(key.privateKey);\n      publicKey.kid = privateKey.kid = uuid();\n      publicKey.alg = privateKey.alg = this.algorithm;\n\n      // We're not allowed to use the key until it has been successfully stored\n      // TODO: some token verification implementations aggressively cache the list of keys, and\n      //       don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n      //       may want to keep using the existing key for some period of time until we switch to\n      //       the new one. This also needs to be implemented cross-service though, meaning new services\n      //       that boot up need to be able to grab an existing key to use for signing.\n      this.logger.info(`Created new signing key ${publicKey.kid}`);\n      await this.keyStore.addKey(publicKey as AnyJWK);\n\n      // At this point we are allowed to start using the new key\n      return privateKey;\n    })();\n\n    this.privateKeyPromise = promise;\n\n    try {\n      // If we fail to generate a new key, we need to clear the state so that\n      // the next caller will try to generate another key.\n      await promise;\n    } catch (error) {\n      this.logger.error(`Failed to generate new signing key, ${error}`);\n      delete this.keyExpiry;\n      delete this.privateKeyPromise;\n    }\n\n    return promise;\n  }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA+GO,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EACA,uBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAQ,CAAA,mBAAA;AACnC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAM,WAAW,MAAqD,EAAA;AACpE,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA;AAE9B,IAAA,OAAOA,6BAAe,CAAA;AAAA,MACpB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAK,CAAA,kBAAA;AAAA,MACzB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,qBAAqB,IAAK,CAAA,mBAAA;AAAA,MAC1B,MAAA;AAAA,MACA,yBAAyB,IAAK,CAAA;AAAA,KAC/B,CAAA;AAAA;AACH;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA;AAAA,OACnB,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA;AACpB;AAIF,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAAA,OAC5D,CAAA;AAAA;AAIH,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AACjD,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAEd,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA;AAAA,KACf,EACA,QAAS,EAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAO,OAAA,UAAA;AAAA,KACN,GAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAO,OAAA,OAAA;AAAA;AAEX;;;;"}

package/dist/identity/issueUserToken.cjs.js

@@ -0,0 +1,98 @@
+'use strict';
+
+var catalogModel = require('@backstage/catalog-model');
+var errors = require('@backstage/errors');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var lodash = require('lodash');
+var jose = require('jose');
+
+const MS_IN_S = 1e3;
+const MAX_TOKEN_LENGTH = 32768;
+async function issueUserToken({
+  issuer,
+  key,
+  keyDurationSeconds,
+  logger,
+  omitClaimsFromToken,
+  params,
+  userInfoDatabaseHandler
+}) {
+  const { sub, ent = [sub], ...additionalClaims } = params.claims;
+  const aud = pluginAuthNode.tokenTypes.user.audClaim;
+  const iat = Math.floor(Date.now() / MS_IN_S);
+  const exp = iat + keyDurationSeconds;
+  try {
+    catalogModel.parseEntityRef(sub);
+  } catch (error) {
+    throw new Error(
+      '"sub" claim provided by the auth resolver is not a valid EntityRef.'
+    );
+  }
+  if (!key.alg) {
+    throw new errors.AuthenticationError("No algorithm was provided in the key");
+  }
+  logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+  const signingKey = await jose.importJWK(key);
+  const uip = await createUserIdentityClaim({
+    header: {
+      typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+      alg: key.alg,
+      kid: key.kid
+    },
+    payload: { sub, iat, exp },
+    key: signingKey
+  });
+  const claims = {
+    ...additionalClaims,
+    iss: issuer,
+    sub,
+    ent,
+    aud,
+    iat,
+    exp,
+    uip
+  };
+  const tokenClaims = omitClaimsFromToken ? lodash.omit(claims, omitClaimsFromToken) : claims;
+  const token = await new jose.SignJWT(tokenClaims).setProtectedHeader({
+    typ: pluginAuthNode.tokenTypes.user.typParam,
+    alg: key.alg,
+    kid: key.kid
+  }).sign(signingKey);
+  if (token.length > MAX_TOKEN_LENGTH) {
+    throw new Error(
+      `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
+        tokenClaims
+      )}'`
+    );
+  }
+  await userInfoDatabaseHandler.addUserInfo({
+    claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
+  });
+  return {
+    token,
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent
+    }
+  };
+}
+async function createUserIdentityClaim(options) {
+  const header = {
+    typ: options.header.typ,
+    alg: options.header.alg,
+    ...options.header.kid ? { kid: options.header.kid } : {}
+  };
+  const payload = {
+    sub: options.payload.sub,
+    iat: options.payload.iat,
+    exp: options.payload.exp
+  };
+  const jws = await new jose.GeneralSign(
+    new TextEncoder().encode(JSON.stringify(payload))
+  ).addSignature(options.key).setProtectedHeader(header).done().sign();
+  return jws.signatures[0].signature;
+}
+
+exports.issueUserToken = issueUserToken;
+//# sourceMappingURL=issueUserToken.cjs.js.map