@backstage/plugin-auth-backend 0.7.0-next.0 → 0.9.0-next.1
- package/CHANGELOG.md +74 -0
- package/dist/index.cjs.js +154 -85
- package/dist/index.cjs.js.map +1 -1
- package/dist/index.d.ts +42 -37
- package/package.json +10 -10
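--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -149,6 +149,16 @@ const verifyNonce = (req, providerId) => {
 throw new Error("Invalid nonce");
 }
 };
+const getCookieConfig = (authUrl, providerId) => {
+const { hostname: cookieDomain, pathname, protocol } = authUrl;
+const secure = protocol === "https:";
+const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+return {
+cookieDomain,
+cookiePath,
+secure
+};
+};
 
 class OAuthEnvironmentHandler {
 constructor(handlers) {
@@ -245,6 +255,10 @@ function parseJwtPayload(token) {
 }
 function prepareBackstageIdentityResponse(result) {
 const { sub, ent } = parseJwtPayload(result.token);
+const userEntityRef = catalogModel.stringifyEntityRef(catalogModel.parseEntityRef(sub, {
+defaultKind: "user",
+defaultNamespace: catalogModel.ENTITY_DEFAULT_NAMESPACE
+}));
 return {
 ...{
 idToken: result.token,
@@ -252,7 +266,7 @@ function prepareBackstageIdentityResponse(result) {
 },
 identity: {
 type: "user",
-userEntityRef
+userEntityRef,
 ownershipEntityRefs: ent != null ? ent : []
 }
 };
@@ -267,56 +281,48 @@ class OAuthAdapter {
 this.setNonceCookie = (res, nonce) => {
 res.cookie(`${this.options.providerId}-nonce`, nonce, {
 maxAge: TEN_MINUTES_MS,
-
-
-domain: this.options.cookieDomain,
-path: `${this.options.cookiePath}/handler`,
-httpOnly: true
+...this.baseCookieOptions,
+path: `${this.options.cookiePath}/handler`
 });
 };
-this.
-res.cookie(`${this.options.providerId}-scope`, scope, {
-maxAge:
-
-sameSite: "lax",
-domain: this.options.cookieDomain,
-path: `${this.options.cookiePath}/handler`,
-httpOnly: true
+this.setGrantedScopeCookie = (res, scope) => {
+res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+maxAge: THOUSAND_DAYS_MS,
+...this.baseCookieOptions
 });
 };
-this.
-return req.cookies[`${providerId}-scope`];
+this.getGrantedScopeFromCookie = (req) => {
+return req.cookies[`${this.options.providerId}-granted-scope`];
 };
 this.setRefreshTokenCookie = (res, refreshToken) => {
 res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
 maxAge: THOUSAND_DAYS_MS,
-
-sameSite: "lax",
-domain: this.options.cookieDomain,
-path: this.options.cookiePath,
-httpOnly: true
+...this.baseCookieOptions
 });
 };
 this.removeRefreshTokenCookie = (res) => {
 res.cookie(`${this.options.providerId}-refresh-token`, "", {
 maxAge: 0,
-
-sameSite: "lax",
-domain: this.options.cookieDomain,
-path: this.options.cookiePath,
-httpOnly: true
+...this.baseCookieOptions
 });
 };
+this.baseCookieOptions = {
+httpOnly: true,
+sameSite: "lax",
+secure: this.options.secure,
+path: this.options.cookiePath,
+domain: this.options.cookieDomain
+};
 }
 static fromConfig(config, handlers, options) {
+var _a;
 const { origin: appOrigin } = new url.URL(config.appUrl);
-const
-const
-const cookiePath = `${url$1.pathname}/${options.providerId}`;
+const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
+const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
 return new OAuthAdapter(handlers, {
 ...options,
 appOrigin,
-cookieDomain
+cookieDomain,
 cookiePath,
 secure,
 isOriginAllowed: config.isOriginAllowed
@@ -330,12 +336,12 @@ class OAuthAdapter {
 if (!env) {
 throw new errors.InputError("No env provided in request query parameters");
 }
-if (this.options.persistScopes) {
-this.setScopesCookie(res, scope);
-}
 const nonce = crypto__default["default"].randomBytes(16).toString("base64");
 this.setNonceCookie(res, nonce);
 const state = { nonce, env, origin };
+if (this.options.persistScopes) {
+state.scope = scope;
+}
 const forwardReq = Object.assign(req, { scope, state });
 const { url, status } = await this.handlers.start(forwardReq);
 res.statusCode = status || 302;
@@ -360,9 +366,9 @@ class OAuthAdapter {
 }
 verifyNonce(req, this.options.providerId);
 const { response, refreshToken } = await this.handlers.handler(req);
-if (this.options.persistScopes) {
-
-response.providerInfo.scope =
+if (this.options.persistScopes && state.scope) {
+this.setGrantedScopeCookie(res, state.scope);
+response.providerInfo.scope = state.scope;
 }
 if (refreshToken && !this.options.disableRefresh) {
 this.setRefreshTokenCookie(res, refreshToken);
@@ -400,7 +406,10 @@ class OAuthAdapter {
 if (!refreshToken) {
 throw new errors.InputError("Missing session cookie");
 }
-
+let scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+if (this.options.persistScopes) {
+scope = this.getGrantedScopeFromCookie(req);
+}
 const forwardReq = Object.assign(req, { scope, refreshToken });
 const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
 const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
@@ -546,7 +555,7 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
 class CatalogIdentityClient {
 constructor(options) {
 this.catalogApi = options.catalogApi;
-this.
+this.tokenManager = options.tokenManager;
 }
 async findUser(query) {
 const filter = {
@@ -555,9 +564,7 @@ class CatalogIdentityClient {
 for (const [key, value] of Object.entries(query.annotations)) {
 filter[`metadata.annotations.${key}`] = value;
 }
-const token = await this.
-claims: { sub: "backstage.io/auth-backend" }
-});
+const { token } = await this.tokenManager.getToken();
 const { items } = await this.catalogApi.getEntities({ filter }, { token });
 if (items.length !== 1) {
 if (items.length > 1) {
@@ -587,7 +594,8 @@ class CatalogIdentityClient {
 "metadata.namespace": ref.namespace,
 "metadata.name": ref.name
 }));
-const
+const { token } = await this.tokenManager.getToken();
+const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
 if (entityRefs.length !== entities.length) {
 const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
 const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -697,6 +705,7 @@ const createAtlassianProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -707,7 +716,7 @@ const createAtlassianProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
 const provider = new AtlassianAuthProvider({
@@ -832,6 +841,7 @@ const createAuth0Provider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -842,7 +852,7 @@ const createAuth0Provider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -970,7 +980,7 @@ class AwsAlbAuthProvider {
 }
 }
 const createAwsAlbProvider = (options) => {
-return ({ config, tokenIssuer, catalogApi, logger }) => {
+return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
 const region = config.getString("region");
 const issuer = config.getOptionalString("iss");
 if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -978,7 +988,7 @@ const createAwsAlbProvider = (options) => {
 }
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: makeProfileInfo(fullProfile)
@@ -1106,6 +1116,7 @@ const createBitbucketProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1115,7 +1126,7 @@ const createBitbucketProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1138,6 +1149,8 @@ const createBitbucketProvider = (options) => {
 });
 };
 
+const ACCESS_TOKEN_PREFIX = "access-token.";
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class GithubAuthProvider {
 constructor(options) {
 this.signInResolver = options.signInResolver;
@@ -1165,21 +1178,43 @@ class GithubAuthProvider {
 }
 async handler(req) {
 const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+let refreshToken = privateInfo.refreshToken;
+if (!refreshToken && !result.params.expires_in) {
+refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+}
 return {
 response: await this.handleResult(result),
-refreshToken
+refreshToken
 };
 }
 async refresh(req) {
-const {
-
+const { scope, refreshToken } = req;
+if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken).catch((error) => {
+var _a;
+if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+throw new Error("Invalid access token");
+}
+throw error;
+});
+return {
+response: await this.handleResult({
+fullProfile,
+params: { scope },
+accessToken
+}),
+refreshToken
+};
+}
+const result = await executeRefreshTokenStrategy(this._strategy, refreshToken, scope);
 return {
 response: await this.handleResult({
-fullProfile,
-params,
-accessToken
+fullProfile: await executeFetchUserProfileStrategy(this._strategy, result.accessToken),
+params: { ...result.params, scope },
+accessToken: result.accessToken
 }),
-refreshToken
+refreshToken: result.refreshToken
 };
 }
 async handleResult(result) {
@@ -1190,28 +1225,38 @@ class GithubAuthProvider {
 };
 const { profile } = await this.authHandler(result, context);
 const expiresInStr = result.params.expires_in;
-
+let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+let backstageIdentity = void 0;
+if (this.signInResolver) {
+backstageIdentity = await this.signInResolver({
+result,
+profile
+}, context);
+if (expiresInSeconds) {
+expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
+} else {
+expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+}
+}
+return {
+backstageIdentity,
 providerInfo: {
 accessToken: result.accessToken,
 scope: result.params.scope,
-expiresInSeconds
+expiresInSeconds
 },
 profile
 };
-if (this.signInResolver) {
-response.backstageIdentity = await this.signInResolver({
-result,
-profile
-}, context);
-}
-return response;
 }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
 const { fullProfile } = info.result;
 const userId = fullProfile.username || fullProfile.id;
 const token = await ctx.tokenIssuer.issueToken({
-claims: {
+claims: {
+sub: `user:default/${userId}`,
+ent: [`user:default/${userId}`]
+}
 });
 return { id: userId, token };
 };
@@ -1221,6 +1266,7 @@ const createGithubProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1235,7 +1281,7 @@ const createGithubProvider = (options) => {
 const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: makeProfileInfo(fullProfile)
@@ -1266,7 +1312,8 @@ const createGithubProvider = (options) => {
 return OAuthAdapter.fromConfig(globalConfig, provider, {
 persistScopes: true,
 providerId,
-tokenIssuer
+tokenIssuer,
+callbackUrl
 });
 });
 };
@@ -1278,7 +1325,7 @@ const gitlabDefaultSignInResolver = async (info, ctx) => {
 id = profile.email.split("@")[0];
 }
 const token = await ctx.tokenIssuer.issueToken({
-claims: { sub: id
+claims: { sub: `user:default/${id}`, ent: [`user:default/${id}`] }
 });
 return { id, token };
 };
@@ -1362,6 +1409,7 @@ const createGitlabProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1373,7 +1421,7 @@ const createGitlabProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
 const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
@@ -1508,7 +1556,7 @@ const googleDefaultSignInResolver = async (info, ctx) => {
 userId = profile.email.split("@")[0];
 }
 const token = await ctx.tokenIssuer.issueToken({
-claims: { sub: userId
+claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
 });
 return { id: userId, token };
 };
@@ -1518,6 +1566,7 @@ const createGoogleProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1527,7 +1576,7 @@ const createGoogleProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1662,7 +1711,10 @@ const microsoftDefaultSignInResolver = async (info, ctx) => {
 }
 const userId = profile.email.split("@")[0];
 const token = await ctx.tokenIssuer.issueToken({
-claims: {
+claims: {
+sub: `user:default/${userId}`,
+ent: [`user:default/${userId}`]
+}
 });
 return { id: userId, token };
 };
@@ -1672,6 +1724,7 @@ const createMicrosoftProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1684,7 +1737,7 @@ const createMicrosoftProvider = (options) => {
 const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1807,7 +1860,7 @@ const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
 }
 const userId = profile.email.split("@")[0];
 const token = await ctx.tokenIssuer.issueToken({
-claims: { sub: userId
+claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
 });
 return { id: userId, token };
 };
@@ -1817,6 +1870,7 @@ const createOAuth2Provider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1831,7 +1885,7 @@ const createOAuth2Provider = (options) => {
 const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2262,12 +2316,12 @@ class Oauth2ProxyAuthProvider {
 };
 }
 }
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer }) => {
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
 const signInResolver = options.signIn.resolver;
 const authHandler = options.authHandler;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 return new Oauth2ProxyAuthProvider({
 logger,
@@ -2378,7 +2432,10 @@ const oAuth2DefaultSignInResolver = async (info, ctx) => {
 }
 const userId = profile.email.split("@")[0];
 const token = await ctx.tokenIssuer.issueToken({
-claims: {
+claims: {
+sub: `user:default/${userId}`,
+ent: [`user:default/${userId}`]
+}
 });
 return { id: userId, token };
 };
@@ -2388,6 +2445,7 @@ const createOidcProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2401,7 +2459,7 @@ const createOidcProvider = (options) => {
 const prompt = envConfig.getOptionalString("prompt");
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
 profile: {
@@ -2545,7 +2603,7 @@ const oktaDefaultSignInResolver = async (info, ctx) => {
 }
 const userId = profile.email.split("@")[0];
 const token = await ctx.tokenIssuer.issueToken({
-claims: { sub: userId
+claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
 });
 return { id: userId, token };
 };
@@ -2555,6 +2613,7 @@ const createOktaProvider = (_options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2568,7 +2627,7 @@ const createOktaProvider = (_options) => {
 }
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2688,6 +2747,7 @@ const createOneLoginProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2698,7 +2758,7 @@ const createOneLoginProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2788,13 +2848,14 @@ const createSamlProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => {
 var _a, _b;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: {
@@ -2902,7 +2963,7 @@ class GcpIapProvider {
 }
 }
 function createGcpIapProvider(options) {
-return ({ config, tokenIssuer, catalogApi, logger }) => {
+return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
 var _a;
 const audience = config.getString("audience");
 const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
@@ -2910,7 +2971,7 @@ function createGcpIapProvider(options) {
 const tokenValidator = createTokenValidator(audience);
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-
+tokenManager
 });
 return new GcpIapProvider({
 authHandler,
@@ -2940,7 +3001,14 @@ const factories = {
 };
 
 async function createRouter(options) {
-const {
+const {
+logger,
+config,
+discovery,
+database,
+tokenManager,
+providerFactories
+} = options;
 const router = Router__default["default"]();
 const appUrl = config.getString("app.baseUrl");
 const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -2986,6 +3054,7 @@ async function createRouter(options) {
 globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
 config: providersConfig.getConfig(providerId),
 logger,
+tokenManager,
 tokenIssuer,
 discovery,
 catalogApi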