@backstage/plugin-auth-node 0.2.15 → 0.2.16

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @backstage/plugin-auth-node
 
+## 0.2.16
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/errors@1.2.1
+  - @backstage/backend-common@0.19.1
+  - @backstage/config@1.0.8
+
+## 0.2.16-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/errors@1.2.1-next.0
+  - @backstage/backend-common@0.19.1-next.0
+  - @backstage/config@1.0.8
+
 ## 0.2.15
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -13,10 +13,20 @@ function getBearerTokenFromAuthorizationHeader(authorizationHeader) {
   return matches == null ? void 0 : matches[1];
 }
 
+var __defProp$1 = Object.defineProperty;
+var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$1 = (obj, key, value) => {
+  __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
 const CLOCK_MARGIN_S = 10;
 class DefaultIdentityClient {
   constructor(options) {
-    this.keyStoreUpdated = 0;
+    __publicField$1(this, "discovery");
+    __publicField$1(this, "issuer");
+    __publicField$1(this, "algorithms");
+    __publicField$1(this, "keyStore");
+    __publicField$1(this, "keyStoreUpdated", 0);
     this.discovery = options.discovery;
     this.issuer = options.issuer;
     this.algorithms = options.hasOwnProperty("algorithms") ? options.algorithms : ["ES256"];
@@ -104,13 +114,20 @@ class DefaultIdentityClient {
   }
 }
 
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => {
+  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
 class IdentityClient {
-  static create(options) {
-    return new IdentityClient(DefaultIdentityClient.create(options));
-  }
   constructor(defaultIdentityClient) {
+    __publicField(this, "defaultIdentityClient");
     this.defaultIdentityClient = defaultIdentityClient;
   }
+  static create(options) {
+    return new IdentityClient(DefaultIdentityClient.create(options));
+  }
   /**
    * Verifies the given backstage identity token
    * Returns a BackstageIdentity (user) matching the token.

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/DefaultIdentityClient.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  createRemoteJWKSet,\n  decodeJwt,\n  decodeProtectedHeader,\n  FlattenedJWSInput,\n  JWSHeaderParameters,\n  jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\nimport {\n  BackstageIdentityResponse,\n  IdentityApiGetIdentityRequest,\n} from './types';\nimport { getBearerTokenFromAuthorizationHeader } from './getBearerTokenFromAuthorizationHeader';\nimport { IdentityApi } from './IdentityApi';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client options object which allows extra configurations\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport type IdentityClientOptions = {\n  discovery: PluginEndpointDiscovery;\n  issuer?: string;\n\n  /** JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithms?: string[];\n};\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class DefaultIdentityClient implements IdentityApi {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer?: string;\n  private readonly algorithms?: string[];\n  private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n  private keyStoreUpdated: number = 0;\n\n  /**\n   * Create a new {@link DefaultIdentityClient} instance.\n   */\n  static create(options: IdentityClientOptions): DefaultIdentityClient {\n    return new DefaultIdentityClient(options);\n  }\n\n  private constructor(options: IdentityClientOptions) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.algorithms = options.hasOwnProperty('algorithms')\n      ? options.algorithms\n      : ['ES256'];\n  }\n\n  async getIdentity(options: IdentityApiGetIdentityRequest) {\n    const {\n      request: { headers },\n    } = options;\n    if (!headers.authorization) {\n      return undefined;\n    }\n    try {\n      return await this.authenticate(\n        getBearerTokenFromAuthorizationHeader(headers.authorization),\n      );\n    } catch (e) {\n      throw new AuthenticationError(e.message);\n    }\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use getIdentity instead of authenticate to retrieve the user\n   * identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    // Check if the keystore needs to be updated\n    await this.refreshKeyStore(token);\n    if (!this.keyStore) {\n      throw new AuthenticationError('No keystore exists');\n    }\n    const decoded = await jwtVerify(token, this.keyStore, {\n      algorithms: this.algorithms,\n      audience: 'backstage',\n      issuer: this.issuer,\n    });\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.payload.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.payload.sub,\n        ownershipEntityRefs: decoded.payload.ent\n          ? (decoded.payload.ent as string[])\n          : [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * If the last keystore refresh is stale, update the keystore URL to the latest\n   */\n  private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n    const payload = await decodeJwt(rawJwtToken);\n    const header = await decodeProtectedHeader(rawJwtToken);\n\n    // Refresh public keys if needed\n    let keyStoreHasKey;\n    try {\n      if (this.keyStore) {\n        // Check if the key is present in the keystore\n        const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n        keyStoreHasKey = await this.keyStore(header, {\n          payload: rawPayload,\n          signature: rawSignature,\n        });\n      }\n    } catch (error) {\n      keyStoreHasKey = false;\n    }\n    // Refresh public key URL if needed\n    // Add a small margin in case clocks are out of sync\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!this.keyStore || (!keyStoreHasKey && issuedAfterLastRefresh)) {\n      const url = await this.discovery.getBaseUrl('auth');\n      const endpoint = new URL(`${url}/.well-known/jwks.json`);\n      this.keyStore = createRemoteJWKSet(endpoint);\n      this.keyStoreUpdated = Date.now() / 1000;\n    }\n  }\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DefaultIdentityClient,\n  IdentityClientOptions,\n} from './DefaultIdentityClient';\nimport { BackstageIdentityResponse } from './types';\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @public\n * @experimental This is not a stable API yet\n * @deprecated Please migrate to the DefaultIdentityClient.\n */\nexport class IdentityClient {\n  private readonly defaultIdentityClient: DefaultIdentityClient;\n  static create(options: IdentityClientOptions): IdentityClient {\n    return new IdentityClient(DefaultIdentityClient.create(options));\n  }\n\n  private constructor(defaultIdentityClient: DefaultIdentityClient) {\n    this.defaultIdentityClient = defaultIdentityClient;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use IdentityApi#getIdentity instead of authenticate\n   * to retrieve the user identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    return await this.defaultIdentityClient.authenticate(token);\n  }\n}\n"],"names":["AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet"],"mappings":";;;;;;;AA4BO,SAAS,sCACd,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AACnB;;ACFA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAwBhB,MAAM,qBAA6C,CAAA;AAAA,EAchD,YAAY,OAAgC,EAAA;AATpD,IAAA,IAAA,CAAQ,eAA0B,GAAA,CAAA,CAAA;AAUhC,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,UAAA,GAAa,QAAQ,cAAe,CAAA,YAAY,IACjD,OAAQ,CAAA,UAAA,GACR,CAAC,OAAO,CAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA,EAVA,OAAO,OAAO,OAAuD,EAAA;AACnE,IAAO,OAAA,IAAI,sBAAsB,OAAO,CAAA,CAAA;AAAA,GAC1C;AAAA,EAUA,MAAM,YAAY,OAAwC,EAAA;AACxD,IAAM,MAAA;AAAA,MACJ,OAAA,EAAS,EAAE,OAAQ,EAAA;AAAA,KACjB,GAAA,OAAA,CAAA;AACJ,IAAI,IAAA,CAAC,QAAQ,aAAe,EAAA;AAC1B,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAK,CAAA,YAAA;AAAA,QAChB,qCAAA,CAAsC,QAAQ,aAAa,CAAA;AAAA,OAC7D,CAAA;AAAA,aACO,CAAP,EAAA;AACA,MAAM,MAAA,IAAIA,0BAAoB,CAAA,CAAA,CAAE,OAAO,CAAA,CAAA;AAAA,KACzC;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AAEpC,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAMA,IAAM,MAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,CAAA;AAChC,IAAI,IAAA,CAAC,KAAK,QAAU,EAAA;AAClB,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AACA,IAAA,MAAM,OAAU,GAAA,MAAMC,cAAU,CAAA,KAAA,EAAO,KAAK,QAAU,EAAA;AAAA,MACpD,YAAY,IAAK,CAAA,UAAA;AAAA,MACjB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,OAAQ,CAAA,OAAA,CAAQ,GAAK,EAAA;AACxB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,QAAQ,OAAQ,CAAA,GAAA;AAAA,QAC/B,qBAAqB,OAAQ,CAAA,OAAA,CAAQ,MAChC,OAAQ,CAAA,OAAA,CAAQ,MACjB,EAAC;AAAA,OACP;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAgB,WAAoC,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAME,cAAA,CAAU,WAAW,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAAS,MAAMC,0BAAA,CAAsB,WAAW,CAAA,CAAA;AAGtD,IAAI,IAAA,cAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,IAAI,KAAK,QAAU,EAAA;AAEjB,QAAA,MAAM,CAAC,CAAG,EAAA,UAAA,EAAY,YAAY,CAAI,GAAA,WAAA,CAAY,MAAM,GAAG,CAAA,CAAA;AAC3D,QAAiB,cAAA,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,MAAQ,EAAA;AAAA,UAC3C,OAAS,EAAA,UAAA;AAAA,UACT,SAAW,EAAA,YAAA;AAAA,SACZ,CAAA,CAAA;AAAA,OACH;AAAA,aACO,KAAP,EAAA;AACA,MAAiB,cAAA,GAAA,KAAA,CAAA;AAAA,KACnB;AAGA,IAAA,MAAM,0BACJ,OAAS,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,CAAK,QAAa,IAAA,CAAC,kBAAkB,sBAAyB,EAAA;AACjE,MAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,MAAM,CAAA,CAAA;AAClD,MAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,CAAA,EAAG,GAA2B,CAAA,sBAAA,CAAA,CAAA,CAAA;AACvD,MAAK,IAAA,CAAA,QAAA,GAAWC,wBAAmB,QAAQ,CAAA,CAAA;AAC3C,MAAK,IAAA,CAAA,eAAA,GAAkB,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AAAA,KACtC;AAAA,GACF;AACF;;AClJO,MAAM,cAAe,CAAA;AAAA,EAE1B,OAAO,OAAO,OAAgD,EAAA;AAC5D,IAAA,OAAO,IAAI,cAAA,CAAe,qBAAsB,CAAA,MAAA,CAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjE;AAAA,EAEQ,YAAY,qBAA8C,EAAA;AAChE,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,qBAAsB,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GAC5D;AACF;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/DefaultIdentityClient.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  createRemoteJWKSet,\n  decodeJwt,\n  decodeProtectedHeader,\n  FlattenedJWSInput,\n  JWSHeaderParameters,\n  jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\nimport {\n  BackstageIdentityResponse,\n  IdentityApiGetIdentityRequest,\n} from './types';\nimport { getBearerTokenFromAuthorizationHeader } from './getBearerTokenFromAuthorizationHeader';\nimport { IdentityApi } from './IdentityApi';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client options object which allows extra configurations\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport type IdentityClientOptions = {\n  discovery: PluginEndpointDiscovery;\n  issuer?: string;\n\n  /** JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithms?: string[];\n};\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class DefaultIdentityClient implements IdentityApi {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer?: string;\n  private readonly algorithms?: string[];\n  private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n  private keyStoreUpdated: number = 0;\n\n  /**\n   * Create a new {@link DefaultIdentityClient} instance.\n   */\n  static create(options: IdentityClientOptions): DefaultIdentityClient {\n    return new DefaultIdentityClient(options);\n  }\n\n  private constructor(options: IdentityClientOptions) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.algorithms = options.hasOwnProperty('algorithms')\n      ? options.algorithms\n      : ['ES256'];\n  }\n\n  async getIdentity(options: IdentityApiGetIdentityRequest) {\n    const {\n      request: { headers },\n    } = options;\n    if (!headers.authorization) {\n      return undefined;\n    }\n    try {\n      return await this.authenticate(\n        getBearerTokenFromAuthorizationHeader(headers.authorization),\n      );\n    } catch (e) {\n      throw new AuthenticationError(e.message);\n    }\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use getIdentity instead of authenticate to retrieve the user\n   * identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    // Check if the keystore needs to be updated\n    await this.refreshKeyStore(token);\n    if (!this.keyStore) {\n      throw new AuthenticationError('No keystore exists');\n    }\n    const decoded = await jwtVerify(token, this.keyStore, {\n      algorithms: this.algorithms,\n      audience: 'backstage',\n      issuer: this.issuer,\n    });\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.payload.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.payload.sub,\n        ownershipEntityRefs: decoded.payload.ent\n          ? (decoded.payload.ent as string[])\n          : [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * If the last keystore refresh is stale, update the keystore URL to the latest\n   */\n  private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n    const payload = await decodeJwt(rawJwtToken);\n    const header = await decodeProtectedHeader(rawJwtToken);\n\n    // Refresh public keys if needed\n    let keyStoreHasKey;\n    try {\n      if (this.keyStore) {\n        // Check if the key is present in the keystore\n        const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n        keyStoreHasKey = await this.keyStore(header, {\n          payload: rawPayload,\n          signature: rawSignature,\n        });\n      }\n    } catch (error) {\n      keyStoreHasKey = false;\n    }\n    // Refresh public key URL if needed\n    // Add a small margin in case clocks are out of sync\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!this.keyStore || (!keyStoreHasKey && issuedAfterLastRefresh)) {\n      const url = await this.discovery.getBaseUrl('auth');\n      const endpoint = new URL(`${url}/.well-known/jwks.json`);\n      this.keyStore = createRemoteJWKSet(endpoint);\n      this.keyStoreUpdated = Date.now() / 1000;\n    }\n  }\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DefaultIdentityClient,\n  IdentityClientOptions,\n} from './DefaultIdentityClient';\nimport { BackstageIdentityResponse } from './types';\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @public\n * @experimental This is not a stable API yet\n * @deprecated Please migrate to the DefaultIdentityClient.\n */\nexport class IdentityClient {\n  private readonly defaultIdentityClient: DefaultIdentityClient;\n  static create(options: IdentityClientOptions): IdentityClient {\n    return new IdentityClient(DefaultIdentityClient.create(options));\n  }\n\n  private constructor(defaultIdentityClient: DefaultIdentityClient) {\n    this.defaultIdentityClient = defaultIdentityClient;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use IdentityApi#getIdentity instead of authenticate\n   * to retrieve the user identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    return await this.defaultIdentityClient.authenticate(token);\n  }\n}\n"],"names":["__publicField","AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet"],"mappings":";;;;;;;AA4BO,SAAS,sCACd,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AACnB;;;;;;;;ACFA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAwBhB,MAAM,qBAA6C,CAAA;AAAA,EAchD,YAAY,OAAgC,EAAA;AAbpD,IAAiBA,eAAA,CAAA,IAAA,EAAA,WAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,QAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,YAAA,CAAA,CAAA;AACjB,IAAQA,eAAA,CAAA,IAAA,EAAA,UAAA,CAAA,CAAA;AACR,IAAAA,eAAA,CAAA,IAAA,EAAQ,iBAA0B,EAAA,CAAA,CAAA,CAAA;AAUhC,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,UAAA,GAAa,QAAQ,cAAe,CAAA,YAAY,IACjD,OAAQ,CAAA,UAAA,GACR,CAAC,OAAO,CAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA,EAVA,OAAO,OAAO,OAAuD,EAAA;AACnE,IAAO,OAAA,IAAI,sBAAsB,OAAO,CAAA,CAAA;AAAA,GAC1C;AAAA,EAUA,MAAM,YAAY,OAAwC,EAAA;AACxD,IAAM,MAAA;AAAA,MACJ,OAAA,EAAS,EAAE,OAAQ,EAAA;AAAA,KACjB,GAAA,OAAA,CAAA;AACJ,IAAI,IAAA,CAAC,QAAQ,aAAe,EAAA;AAC1B,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAK,CAAA,YAAA;AAAA,QAChB,qCAAA,CAAsC,QAAQ,aAAa,CAAA;AAAA,OAC7D,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAM,MAAA,IAAIC,0BAAoB,CAAA,CAAA,CAAE,OAAO,CAAA,CAAA;AAAA,KACzC;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AAEpC,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAMA,IAAM,MAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,CAAA;AAChC,IAAI,IAAA,CAAC,KAAK,QAAU,EAAA;AAClB,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AACA,IAAA,MAAM,OAAU,GAAA,MAAMC,cAAU,CAAA,KAAA,EAAO,KAAK,QAAU,EAAA;AAAA,MACpD,YAAY,IAAK,CAAA,UAAA;AAAA,MACjB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,OAAQ,CAAA,OAAA,CAAQ,GAAK,EAAA;AACxB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,QAAQ,OAAQ,CAAA,GAAA;AAAA,QAC/B,qBAAqB,OAAQ,CAAA,OAAA,CAAQ,MAChC,OAAQ,CAAA,OAAA,CAAQ,MACjB,EAAC;AAAA,OACP;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAgB,WAAoC,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAME,cAAA,CAAU,WAAW,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAAS,MAAMC,0BAAA,CAAsB,WAAW,CAAA,CAAA;AAGtD,IAAI,IAAA,cAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,IAAI,KAAK,QAAU,EAAA;AAEjB,QAAA,MAAM,CAAC,CAAG,EAAA,UAAA,EAAY,YAAY,CAAI,GAAA,WAAA,CAAY,MAAM,GAAG,CAAA,CAAA;AAC3D,QAAiB,cAAA,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,MAAQ,EAAA;AAAA,UAC3C,OAAS,EAAA,UAAA;AAAA,UACT,SAAW,EAAA,YAAA;AAAA,SACZ,CAAA,CAAA;AAAA,OACH;AAAA,aACO,KAAO,EAAA;AACd,MAAiB,cAAA,GAAA,KAAA,CAAA;AAAA,KACnB;AAGA,IAAA,MAAM,0BACJ,OAAS,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,CAAK,QAAa,IAAA,CAAC,kBAAkB,sBAAyB,EAAA;AACjE,MAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,MAAM,CAAA,CAAA;AAClD,MAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,CAAA,EAAG,GAAG,CAAwB,sBAAA,CAAA,CAAA,CAAA;AACvD,MAAK,IAAA,CAAA,QAAA,GAAWC,wBAAmB,QAAQ,CAAA,CAAA;AAC3C,MAAK,IAAA,CAAA,eAAA,GAAkB,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AAAA,KACtC;AAAA,GACF;AACF;;;;;;;;AClJO,MAAM,cAAe,CAAA;AAAA,EAMlB,YAAY,qBAA8C,EAAA;AALlE,IAAiB,aAAA,CAAA,IAAA,EAAA,uBAAA,CAAA,CAAA;AAMf,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA,EANA,OAAO,OAAO,OAAgD,EAAA;AAC5D,IAAA,OAAO,IAAI,cAAA,CAAe,qBAAsB,CAAA,MAAA,CAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,aACJ,KACoC,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,qBAAsB,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GAC5D;AACF;;;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-node",
-  "version": "0.2.15",
+  "version": "0.2.16",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -22,9 +22,9 @@
     "start": "backstage-cli package start"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.19.0",
+    "@backstage/backend-common": "^0.19.1",
     "@backstage/config": "^1.0.8",
-    "@backstage/errors": "^1.2.0",
+    "@backstage/errors": "^1.2.1",
     "@types/express": "*",
     "express": "^4.17.1",
     "jose": "^4.6.0",
@@ -32,8 +32,8 @@
     "winston": "^3.2.1"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.1.38",
-    "@backstage/cli": "^0.22.8",
+    "@backstage/backend-test-utils": "^0.1.39",
+    "@backstage/cli": "^0.22.9",
     "lodash": "^4.17.21",
     "msw": "^1.0.0",
     "uuid": "^8.0.0"