@backstage/plugin-auth-backend 0.24.5 → 0.25.0-next.1

Files changed (84)
  1. package/CHANGELOG.md +61 -0
  2. package/config.d.ts +9 -58
  3. package/dist/authPlugin.cjs.js +4 -8
  4. package/dist/authPlugin.cjs.js.map +1 -1
  5. package/dist/database/AuthDatabase.cjs.js +0 -16
  6. package/dist/database/AuthDatabase.cjs.js.map +1 -1
  7. package/dist/identity/StaticTokenIssuer.cjs.js +14 -21
  8. package/dist/identity/StaticTokenIssuer.cjs.js.map +1 -1
  9. package/dist/identity/TokenFactory.cjs.js +11 -76
  10. package/dist/identity/TokenFactory.cjs.js.map +1 -1
  11. package/dist/identity/issueUserToken.cjs.js +98 -0
  12. package/dist/identity/issueUserToken.cjs.js.map +1 -0
  13. package/dist/index.cjs.js +0 -26
  14. package/dist/index.cjs.js.map +1 -1
  15. package/dist/index.d.ts +1 -850
  16. package/dist/lib/catalog/CatalogIdentityClient.cjs.js +11 -20
  17. package/dist/lib/catalog/CatalogIdentityClient.cjs.js.map +1 -1
  18. package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js +16 -21
  19. package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map +1 -1
  20. package/dist/providers/router.cjs.js +2 -9
  21. package/dist/providers/router.cjs.js.map +1 -1
  22. package/dist/service/router.cjs.js +13 -18
  23. package/dist/service/router.cjs.js.map +1 -1
  24. package/package.json +16 -58
  25. package/dist/lib/flow/authFlowHelpers.cjs.js +0 -43
  26. package/dist/lib/flow/authFlowHelpers.cjs.js.map +0 -1
  27. package/dist/lib/legacy/adaptLegacyOAuthHandler.cjs.js +0 -20
  28. package/dist/lib/legacy/adaptLegacyOAuthHandler.cjs.js.map +0 -1
  29. package/dist/lib/legacy/adaptLegacyOAuthSignInResolver.cjs.js +0 -24
  30. package/dist/lib/legacy/adaptLegacyOAuthSignInResolver.cjs.js.map +0 -1
  31. package/dist/lib/legacy/adaptOAuthSignInResolverToLegacy.cjs.js +0 -29
  32. package/dist/lib/legacy/adaptOAuthSignInResolverToLegacy.cjs.js.map +0 -1
  33. package/dist/lib/oauth/OAuthAdapter.cjs.js +0 -220
  34. package/dist/lib/oauth/OAuthAdapter.cjs.js.map +0 -1
  35. package/dist/lib/oauth/OAuthEnvironmentHandler.cjs.js +0 -8
  36. package/dist/lib/oauth/OAuthEnvironmentHandler.cjs.js.map +0 -1
  37. package/dist/lib/oauth/helpers.cjs.js +0 -40
  38. package/dist/lib/oauth/helpers.cjs.js.map +0 -1
  39. package/dist/lib/passport/PassportStrategyHelper.cjs.js +0 -49
  40. package/dist/lib/passport/PassportStrategyHelper.cjs.js.map +0 -1
  41. package/dist/providers/atlassian/provider.cjs.js +0 -20
  42. package/dist/providers/atlassian/provider.cjs.js.map +0 -1
  43. package/dist/providers/auth0/provider.cjs.js +0 -20
  44. package/dist/providers/auth0/provider.cjs.js.map +0 -1
  45. package/dist/providers/aws-alb/provider.cjs.js +0 -18
  46. package/dist/providers/aws-alb/provider.cjs.js.map +0 -1
  47. package/dist/providers/azure-easyauth/provider.cjs.js +0 -18
  48. package/dist/providers/azure-easyauth/provider.cjs.js.map +0 -1
  49. package/dist/providers/bitbucket/provider.cjs.js +0 -25
  50. package/dist/providers/bitbucket/provider.cjs.js.map +0 -1
  51. package/dist/providers/bitbucketServer/provider.cjs.js +0 -46
  52. package/dist/providers/bitbucketServer/provider.cjs.js.map +0 -1
  53. package/dist/providers/cloudflare-access/provider.cjs.js +0 -22
  54. package/dist/providers/cloudflare-access/provider.cjs.js.map +0 -1
  55. package/dist/providers/createAuthProviderIntegration.cjs.js +0 -11
  56. package/dist/providers/createAuthProviderIntegration.cjs.js.map +0 -1
  57. package/dist/providers/gcp-iap/provider.cjs.js +0 -18
  58. package/dist/providers/gcp-iap/provider.cjs.js.map +0 -1
  59. package/dist/providers/github/provider.cjs.js +0 -61
  60. package/dist/providers/github/provider.cjs.js.map +0 -1
  61. package/dist/providers/gitlab/provider.cjs.js +0 -20
  62. package/dist/providers/gitlab/provider.cjs.js.map +0 -1
  63. package/dist/providers/google/provider.cjs.js +0 -26
  64. package/dist/providers/google/provider.cjs.js.map +0 -1
  65. package/dist/providers/microsoft/provider.cjs.js +0 -27
  66. package/dist/providers/microsoft/provider.cjs.js.map +0 -1
  67. package/dist/providers/oauth2/provider.cjs.js +0 -20
  68. package/dist/providers/oauth2/provider.cjs.js.map +0 -1
  69. package/dist/providers/oauth2-proxy/provider.cjs.js +0 -18
  70. package/dist/providers/oauth2-proxy/provider.cjs.js.map +0 -1
  71. package/dist/providers/oidc/provider.cjs.js +0 -37
  72. package/dist/providers/oidc/provider.cjs.js.map +0 -1
  73. package/dist/providers/okta/provider.cjs.js +0 -47
  74. package/dist/providers/okta/provider.cjs.js.map +0 -1
  75. package/dist/providers/onelogin/provider.cjs.js +0 -20
  76. package/dist/providers/onelogin/provider.cjs.js.map +0 -1
  77. package/dist/providers/prepareBackstageIdentityResponse.cjs.js +0 -8
  78. package/dist/providers/prepareBackstageIdentityResponse.cjs.js.map +0 -1
  79. package/dist/providers/providers.cjs.js +0 -62
  80. package/dist/providers/providers.cjs.js.map +0 -1
  81. package/dist/providers/resolvers.cjs.js +0 -27
  82. package/dist/providers/resolvers.cjs.js.map +0 -1
  83. package/dist/providers/saml/provider.cjs.js +0 -121
  84. package/dist/providers/saml/provider.cjs.js.map +0 -1
@@ -0,0 +1 @@
1
+ {"version":3,"file":"issueUserToken.cjs.js","sources":["../../src/identity/issueUserToken.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { omit } from 'lodash';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { GeneralSign, importJWK, JWK, KeyLike, SignJWT } from 'jose';\nimport { BackstageTokenPayload } from './TokenFactory';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\nexport async function issueUserToken({\n issuer,\n key,\n keyDurationSeconds,\n logger,\n omitClaimsFromToken,\n params,\n userInfoDatabaseHandler,\n}: {\n issuer: string;\n key: JWK;\n keyDurationSeconds: number;\n logger: LoggerService;\n omitClaimsFromToken?: string[];\n params: TokenParams;\n userInfoDatabaseHandler: UserInfoDatabaseHandler;\n}): Promise<BackstageSignInResult> {\n const { sub, ent = [sub], ...additionalClaims } = params.claims;\n const aud = tokenTypes.user.audClaim;\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat + keyDurationSeconds;\n\n try {\n // The subject 
must be a valid entity ref\n parseEntityRef(sub);\n } catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n );\n }\n\n if (!key.alg) {\n throw new AuthenticationError('No algorithm was provided in the key');\n }\n\n logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n const signingKey = await importJWK(key);\n\n const uip = await createUserIdentityClaim({\n header: {\n typ: tokenTypes.limitedUser.typParam,\n alg: key.alg,\n kid: key.kid,\n },\n payload: { sub, iat, exp },\n key: signingKey,\n });\n\n const claims: BackstageTokenPayload = {\n ...additionalClaims,\n iss: issuer,\n sub,\n ent,\n aud,\n iat,\n exp,\n uip,\n };\n\n const tokenClaims = omitClaimsFromToken\n ? omit(claims, omitClaimsFromToken)\n : claims;\n const token = await new SignJWT(tokenClaims)\n .setProtectedHeader({\n typ: tokenTypes.user.typParam,\n alg: key.alg,\n kid: key.kid,\n })\n .sign(signingKey);\n\n if (token.length > MAX_TOKEN_LENGTH) {\n throw new Error(\n `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. 
The following claims were requested: '${JSON.stringify(\n tokenClaims,\n )}'`,\n );\n }\n\n // Store the user info in the database upon successful token\n // issuance so that it can be retrieved later by limited user tokens\n await userInfoDatabaseHandler.addUserInfo({\n claims: omit(claims, ['aud', 'iat', 'iss', 'uip']),\n });\n\n return {\n token,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n\n/**\n * The payload contents of a valid Backstage user identity claim token\n *\n * @internal\n */\ninterface BackstageUserIdentityProofPayload {\n /**\n * The entity ref of the user\n */\n sub: string;\n\n /**\n * Standard expiry in epoch seconds\n */\n exp: number;\n\n /**\n * Standard issue time in epoch seconds\n */\n iat: number;\n}\n\n/**\n * Creates a string claim that can be used as part of reconstructing a limited\n * user token. The output of this function is only the signature part of a JWS.\n */\nasync function createUserIdentityClaim(options: {\n header: {\n typ: string;\n alg: string;\n kid?: string;\n };\n payload: BackstageUserIdentityProofPayload;\n key: KeyLike | Uint8Array;\n}): Promise<string> {\n // NOTE: We reconstruct the header and payload structures carefully to\n // perfectly guarantee ordering. The reason for this is that we store only\n // the signature part of these to reduce duplication within the Backstage\n // token. Anyone who wants to make an actual JWT based on all this must be\n // able to do the EXACT reconstruction of the header and payload parts, to\n // then append the signature.\n\n const header = {\n typ: options.header.typ,\n alg: options.header.alg,\n ...(options.header.kid ? 
{ kid: options.header.kid } : {}),\n };\n\n const payload = {\n sub: options.payload.sub,\n iat: options.payload.iat,\n exp: options.payload.exp,\n };\n\n const jws = await new GeneralSign(\n new TextEncoder().encode(JSON.stringify(payload)),\n )\n .addSignature(options.key)\n .setProtectedHeader(header)\n .done()\n .sign();\n\n return jws.signatures[0].signature;\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","omit","SignJWT","GeneralSign"],"mappings":";;;;;;;;AA6BA,MAAM,OAAU,GAAA,GAAA;AAChB,MAAM,gBAAmB,GAAA,KAAA;AAEzB,eAAsB,cAAe,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,GAAA;AAAA,EACA,kBAAA;AAAA,EACA,MAAA;AAAA,EACA,mBAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAQmC,EAAA;AACjC,EAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA;AACzD,EAAM,MAAA,GAAA,GAAMA,0BAAW,IAAK,CAAA,QAAA;AAC5B,EAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA;AAC3C,EAAA,MAAM,MAAM,GAAM,GAAA,kBAAA;AAElB,EAAI,IAAA;AAEF,IAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,WACX,KAAO,EAAA;AACd,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,IAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;AAGtE,EAAA,MAAA,CAAO,IAAK,CAAA,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA,CAAA;AAE5D,EAAM,MAAA,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,EAAM,MAAA,GAAA,GAAM,MAAM,uBAAwB,CAAA;AAAA,IACxC,MAAQ,EAAA;AAAA,MACN,GAAA,EAAKH,0BAAW,WAAY,CAAA,QAAA;AAAA,MAC5B,KAAK,GAAI,CAAA,GAAA;AAAA,MACT,KAAK,GAAI,CAAA;AAAA,KACX;AAAA,IACA,OAAS,EAAA,EAAE,GAAK,EAAA,GAAA,EAAK,GAAI,EAAA;AAAA,IACzB,GAAK,EAAA;AAAA,GACN,CAAA;AAED,EAAA,MAAM,MAAgC,GAAA;AAAA,IACpC,GAAG,gBAAA;AAAA,IACH,GAAK,EAAA,MAAA;AAAA,IACL,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,WAAc,GAAA,mBAAA,GAChBI,WAAK,CAAA,MAAA,EAAQ,mBAAmB,CAChC,GAAA,MAAA;AACJ,EAAA,MAAM,QAAQ,MAAM,IAAIC,YAAQ,CAAA,WAAW,EACxC,kBAAmB,CAAA;AAAA,IAClB,GAAA,EAAKL,0BAAW,IAAK,CAAA,QAAA;AAAA,IACrB,KAAK,GAAI,CAAA,GAAA;AAAA,IACT,KAAK,GAAI,CAAA;AAAA,GACV,CACA,CAAA,IAAA,CAAK,UAAU,CAAA;AA
ElB,EAAI,IAAA,KAAA,CAAM,SAAS,gBAAkB,EAAA;AACnC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,6PAA6P,IAAK,CAAA,SAAA;AAAA,QAChQ;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA;AAKF,EAAA,MAAM,wBAAwB,WAAY,CAAA;AAAA,IACxC,MAAA,EAAQI,YAAK,MAAQ,EAAA,CAAC,OAAO,KAAO,EAAA,KAAA,EAAO,KAAK,CAAC;AAAA,GAClD,CAAA;AAED,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA;AAAA;AACvB,GACF;AACF;AA4BA,eAAe,wBAAwB,OAQnB,EAAA;AAQlB,EAAA,MAAM,MAAS,GAAA;AAAA,IACb,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,IACpB,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,IACpB,GAAI,OAAQ,CAAA,MAAA,CAAO,GAAM,GAAA,EAAE,KAAK,OAAQ,CAAA,MAAA,CAAO,GAAI,EAAA,GAAI;AAAC,GAC1D;AAEA,EAAA,MAAM,OAAU,GAAA;AAAA,IACd,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA;AAAA,GACvB;AAEA,EAAM,MAAA,GAAA,GAAM,MAAM,IAAIE,gBAAA;AAAA,IACpB,IAAI,WAAY,EAAA,CAAE,OAAO,IAAK,CAAA,SAAA,CAAU,OAAO,CAAC;AAAA,GAClD,CACG,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAK,EAAA,CACL,IAAK,EAAA;AAER,EAAO,OAAA,GAAA,CAAI,UAAW,CAAA,CAAC,CAAE,CAAA,SAAA;AAC3B;;;;"}
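Review bot: The oversized-token error in issueUserToken (visible in this hunk's sourcesContent) serializes every claim into the exception message via `JSON.stringify(tokenClaims)`, so custom claims supplied by a sign-in resolver — which may carry sensitive identity data — end up in whatever log or HTTP error body receives the throw. Report what is needed to debug without the values, e.g. `The following claim keys were requested: '${Object.keys(tokenClaims).join(', ')}' (${ent.length} ownership refs, ${token.length} bytes)`. The same function throws a plain `Error` for an invalid `sub` but an `AuthenticationError` for a missing `key.alg`; both are issuance failures and presumably should share one error type so callers can map them consistently, though which type is right depends on callers outside this hunk. This file is a generated source map, so the change belongs in src/identity/issueUserToken.ts.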
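--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -3,34 +3,8 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var authPlugin = require('./authPlugin.cjs.js');
-var router = require('./service/router.cjs.js');
-var providers = require('./providers/providers.cjs.js');
-var router$1 = require('./providers/router.cjs.js');
-var createAuthProviderIntegration = require('./providers/createAuthProviderIntegration.cjs.js');
-var prepareBackstageIdentityResponse = require('./providers/prepareBackstageIdentityResponse.cjs.js');
-var authFlowHelpers = require('./lib/flow/authFlowHelpers.cjs.js');
-var OAuthEnvironmentHandler = require('./lib/oauth/OAuthEnvironmentHandler.cjs.js');
-var OAuthAdapter = require('./lib/oauth/OAuthAdapter.cjs.js');
-var helpers = require('./lib/oauth/helpers.cjs.js');
-var CatalogIdentityClient = require('./lib/catalog/CatalogIdentityClient.cjs.js');
-var CatalogAuthResolverContext = require('./lib/resolvers/CatalogAuthResolverContext.cjs.js');
 
 
 
 exports.default = authPlugin.authPlugin;
-exports.createRouter = router.createRouter;
-exports.defaultAuthProviderFactories = providers.defaultAuthProviderFactories;
-exports.providers = providers.providers;
-exports.createOriginFilter = router$1.createOriginFilter;
-exports.createAuthProviderIntegration = createAuthProviderIntegration.createAuthProviderIntegration;
-exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse.prepareBackstageIdentityResponse;
-exports.ensuresXRequestedWith = authFlowHelpers.ensuresXRequestedWith;
-exports.postMessageResponse = authFlowHelpers.postMessageResponse;
-exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler.OAuthEnvironmentHandler;
-exports.OAuthAdapter = OAuthAdapter.OAuthAdapter;
-exports.encodeState = helpers.encodeState;
-exports.readState = helpers.readState;
-exports.verifyNonce = helpers.verifyNonce;
-exports.CatalogIdentityClient = CatalogIdentityClient.CatalogIdentityClient;
-exports.getDefaultOwnershipEntityRefs = CatalogAuthResolverContext.getDefaultOwnershipEntityRefs;
 //# sourceMappingURL=index.cjs.js.map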
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
1
+ {"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;"}