@backstage/plugin-auth-backend 0.8.0 → 0.9.0-next.0

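--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,37 @@
 # @backstage/plugin-auth-backend
 
+## 0.9.0-next.0
+
+### Minor Changes
+
+- cef64b1561: **BREAKING** Added `tokenManager` as a required property for the auth-backend `createRouter` function. This dependency is used to issue server tokens that are used by the `CatalogIdentityClient` when looking up users and their group membership during authentication.
+
+These changes are **required** to `packages/backend/src/plugins/auth.ts`:
+
+```diff
+export default async function createPlugin({
+logger,
+database,
+config,
+discovery,
++ tokenManager,
+}: PluginEnvironment): Promise<Router> {
+return await createRouter({
+logger,
+config,
+database,
+discovery,
++ tokenManager,
+});
+}
+```
+
+**BREAKING** The `CatalogIdentityClient` constructor now expects a `TokenManager` instead of a `TokenIssuer`. The `TokenManager` interface is used to generate a server token when [resolving a user's identity and membership through the catalog](https://backstage.io/docs/auth/identity-resolver). Using server tokens for these requests allows the auth-backend to bypass authorization checks when permissions are enabled for Backstage. This change will break apps that rely on the user tokens that were previously used by the client. Refer to the ["Backend-to-backend Authentication" tutorial](https://backstage.io/docs/tutorials/backend-to-backend-auth) for more information on server token usage.
+
+### Patch Changes
+
+- 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
+
 ## 0.8.0
 
 ### Minor Changes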
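--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -560,7 +560,7 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
 class CatalogIdentityClient {
 constructor(options) {
 this.catalogApi = options.catalogApi;
-this.tokenIssuer = options.tokenIssuer;
+this.tokenManager = options.tokenManager;
 }
 async findUser(query) {
 const filter = {
@@ -569,9 +569,7 @@ class CatalogIdentityClient {
 for (const [key, value] of Object.entries(query.annotations)) {
 filter[`metadata.annotations.${key}`] = value;
 }
-const token = await this.tokenIssuer.issueToken({
-claims: { sub: "backstage.io/auth-backend" }
-});
+const { token } = await this.tokenManager.getToken();
 const { items } = await this.catalogApi.getEntities({ filter }, { token });
 if (items.length !== 1) {
 if (items.length > 1) {
@@ -601,7 +599,8 @@ class CatalogIdentityClient {
 "metadata.namespace": ref.namespace,
 "metadata.name": ref.name
 }));
-const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+const { token } = await this.tokenManager.getToken();
+const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
 if (entityRefs.length !== entities.length) {
 const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
 const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -711,6 +710,7 @@ const createAtlassianProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -721,7 +721,7 @@ const createAtlassianProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
 const provider = new AtlassianAuthProvider({
@@ -846,6 +846,7 @@ const createAuth0Provider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -856,7 +857,7 @@ const createAuth0Provider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -984,7 +985,7 @@ class AwsAlbAuthProvider {
 }
 }
 const createAwsAlbProvider = (options) => {
-return ({ config, tokenIssuer, catalogApi, logger }) => {
+return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
 const region = config.getString("region");
 const issuer = config.getOptionalString("iss");
 if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -992,7 +993,7 @@ const createAwsAlbProvider = (options) => {
 }
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: makeProfileInfo(fullProfile)
@@ -1120,6 +1121,7 @@ const createBitbucketProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1129,7 +1131,7 @@ const createBitbucketProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1238,6 +1240,7 @@ const createGithubProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1252,7 +1255,7 @@ const createGithubProvider = (options) => {
 const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: makeProfileInfo(fullProfile)
@@ -1380,6 +1383,7 @@ const createGitlabProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1391,7 +1395,7 @@ const createGitlabProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
 const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
@@ -1536,6 +1540,7 @@ const createGoogleProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1545,7 +1550,7 @@ const createGoogleProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1693,6 +1698,7 @@ const createMicrosoftProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1705,7 +1711,7 @@ const createMicrosoftProvider = (options) => {
 const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1838,6 +1844,7 @@ const createOAuth2Provider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1852,7 +1859,7 @@ const createOAuth2Provider = (options) => {
 const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2283,12 +2290,12 @@ class Oauth2ProxyAuthProvider {
 };
 }
 }
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer }) => {
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
 const signInResolver = options.signIn.resolver;
 const authHandler = options.authHandler;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 return new Oauth2ProxyAuthProvider({
 logger,
@@ -2412,6 +2419,7 @@ const createOidcProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2425,7 +2433,7 @@ const createOidcProvider = (options) => {
 const prompt = envConfig.getOptionalString("prompt");
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
 profile: {
@@ -2579,6 +2587,7 @@ const createOktaProvider = (_options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2592,7 +2601,7 @@ const createOktaProvider = (_options) => {
 }
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2712,6 +2721,7 @@ const createOneLoginProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2722,7 +2732,7 @@ const createOneLoginProvider = (options) => {
 const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
 profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2812,13 +2822,14 @@ const createSamlProvider = (options) => {
 globalConfig,
 config,
 tokenIssuer,
+tokenManager,
 catalogApi,
 logger
 }) => {
 var _a, _b;
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
 profile: {
@@ -2926,7 +2937,7 @@ class GcpIapProvider {
 }
 }
 function createGcpIapProvider(options) {
-return ({ config, tokenIssuer, catalogApi, logger }) => {
+return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
 var _a;
 const audience = config.getString("audience");
 const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
@@ -2934,7 +2945,7 @@ function createGcpIapProvider(options) {
 const tokenValidator = createTokenValidator(audience);
 const catalogIdentityClient = new CatalogIdentityClient({
 catalogApi,
-tokenIssuer
+tokenManager
 });
 return new GcpIapProvider({
 authHandler,
@@ -2964,7 +2975,14 @@ const factories = {
 };
 
 async function createRouter(options) {
-const { logger, config, discovery, database, providerFactories } = options;
+const {
+logger,
+config,
+discovery,
+database,
+tokenManager,
+providerFactories
+} = options;
 const router = Router__default["default"]();
 const appUrl = config.getString("app.baseUrl");
 const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -3010,6 +3028,7 @@ async function createRouter(options) {
 globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
 config: providersConfig.getConfig(providerId),
 logger,
+tokenManager,
 tokenIssuer,
 discovery,
 catalogApi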