@backstage/plugin-auth-backend 0.9.0-next.1 → 0.9.0

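--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,42 @@
  # @backstage/plugin-auth-backend
 
+ ## 0.9.0
+
+ ### Minor Changes
+
+ - cef64b1561: **BREAKING** Added `tokenManager` as a required property for the auth-backend `createRouter` function. This dependency is used to issue server tokens that are used by the `CatalogIdentityClient` when looking up users and their group membership during authentication.
+
+ These changes are **required** to `packages/backend/src/plugins/auth.ts`:
+
+ ```diff
+ export default async function createPlugin({
+ logger,
+ database,
+ config,
+ discovery,
+ + tokenManager,
+ }: PluginEnvironment): Promise<Router> {
+ return await createRouter({
+ logger,
+ config,
+ database,
+ discovery,
+ + tokenManager,
+ });
+ }
+ ```
+
+ **BREAKING** The `CatalogIdentityClient` constructor now expects a `TokenManager` instead of a `TokenIssuer`. The `TokenManager` interface is used to generate a server token when [resolving a user's identity and membership through the catalog](https://backstage.io/docs/auth/identity-resolver). Using server tokens for these requests allows the auth-backend to bypass authorization checks when permissions are enabled for Backstage. This change will break apps that rely on the user tokens that were previously used by the client. Refer to the ["Backend-to-backend Authentication" tutorial](https://backstage.io/docs/tutorials/backend-to-backend-auth) for more information on server token usage.
+
+ ### Patch Changes
+
+ - 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
+ - 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
+ - 5d09bdd1de: Added custom `callbackUrl` support for multiple providers. `v0.8.0` introduced this change for `github`, and now we're adding the same capability to the following providers: `atlassian, auth0, bitbucket, gitlab, google, microsoft, oauth2, oidc, okta, onelogin`.
+ - 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
+ - Updated dependencies
+ - @backstage/backend-common@0.10.6
+
  ## 0.9.0-next.1
 
  ### Patch Changes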
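--- a/package/dist/index.cjs.js
+++ b/package/dist/index.cjs.js
@@ -713,7 +713,8 @@ const createAtlassianProvider = (options) => {
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
  const scopes = envConfig.getString("scopes");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -733,7 +734,8 @@ const createAtlassianProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: true,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -849,7 +851,8 @@ const createAuth0Provider = (options) => {
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
  const domain = envConfig.getString("domain");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -872,7 +875,8 @@ const createAuth0Provider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: true,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -1123,7 +1127,8 @@ const createBitbucketProvider = (options) => {
  var _a;
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -1144,7 +1149,8 @@ const createBitbucketProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -1418,7 +1424,8 @@ const createGitlabProvider = (options) => {
  const clientSecret = envConfig.getString("clientSecret");
  const audience = envConfig.getOptionalString("audience");
  const baseUrl = audience || "https://gitlab.com";
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -1444,7 +1451,8 @@ const createGitlabProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -1573,7 +1581,8 @@ const createGoogleProvider = (options) => {
  var _a, _b;
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -1600,7 +1609,8 @@ const createGoogleProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -1732,7 +1742,8 @@ const createMicrosoftProvider = (options) => {
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
  const tenantId = envConfig.getString("tenantId");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
  const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
  const catalogIdentityClient = new CatalogIdentityClient({
@@ -1763,7 +1774,8 @@ const createMicrosoftProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -1877,7 +1889,8 @@ const createOAuth2Provider = (options) => {
  var _a, _b, _c;
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const authorizationUrl = envConfig.getString("authorizationUrl");
  const tokenUrl = envConfig.getString("tokenUrl");
  const scope = envConfig.getOptionalString("scope");
@@ -1913,7 +1926,8 @@ const createOAuth2Provider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -2452,7 +2466,8 @@ const createOidcProvider = (options) => {
  var _a, _b;
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const metadataUrl = envConfig.getString("metadataUrl");
  const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
  const scope = envConfig.getOptionalString("scope");
@@ -2491,7 +2506,8 @@ const createOidcProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -2621,7 +2637,8 @@ const createOktaProvider = (_options) => {
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
  const audience = envConfig.getString("audience");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  if (!audience.startsWith("https://")) {
  throw new Error("URL for 'audience' must start with 'https://'.");
  }
@@ -2652,7 +2669,8 @@ const createOktaProvider = (_options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };
@@ -2755,7 +2773,8 @@ const createOneLoginProvider = (options) => {
  const clientId = envConfig.getString("clientId");
  const clientSecret = envConfig.getString("clientSecret");
  const issuer = envConfig.getString("issuer");
- const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+ const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+ const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
  const catalogIdentityClient = new CatalogIdentityClient({
  catalogApi,
  tokenManager
@@ -2778,7 +2797,8 @@ const createOneLoginProvider = (options) => {
  return OAuthAdapter.fromConfig(globalConfig, provider, {
  disableRefresh: false,
  providerId,
- tokenIssuer
+ tokenIssuer,
+ callbackUrl
  });
  });
  };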
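Review bot: The new `callbackUrl` config value is forwarded unchecked to `OAuthAdapter.fromConfig` (and presumably to the provider as its redirect URI) in `createAtlassianProvider`, and identically in the auth0, bitbucket, gitlab, google, microsoft, oauth2, oidc, okta and onelogin factories. A typo or a value naming another host would send authorization responses away from this backend's `/${providerId}/handler/frame` route, and would also change whatever `OAuthAdapter` derives from that URL, which is not visible in these hunks. `createOktaProvider` already rejects a non-`https://` `audience` at startup, and the same fail-fast style fits here: `if (customCallbackUrl) new URL(customCallbackUrl);` ahead of the fallback makes a malformed value throw at provider creation instead of surfacing mid-login. Because the two-line pattern is repeated ten times, a shared helper would keep that check in one place, with a short comment saying that the value must equal the redirect URI registered with the identity provider and still route to this backend. Each factory's body starts and ends outside its hunks.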