Validate that Okta audience config is an absolute URL

Add a check in the Okta auth provider initialization that ensures
the provided audience is an absolute URL with an http(s) scheme,
and throws a descriptive error if not.

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>

.changeset/okta-audience-url-validation.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend-module-okta-provider': patch
+---
+
+Added a validation check that rejects `audience` configuration values that are not absolute URLs (i.e. missing `https://` or `http://` prefix).

plugins/auth-backend-module-okta-provider/src/authenticator.ts

@@ -33,6 +33,11 @@ export const oktaAuthenticator = createOAuthAuthenticator({
     const clientId = config.getString('clientId');
     const clientSecret = config.getString('clientSecret');
     const audience = config.getOptionalString('audience') || 'https://okta.com';
+    if (!audience.match(/^https?:\/\//)) {
+      throw new Error(
+        `The provided audience "${audience}" is not a valid URL. It must start with "https://" or "http://".`,
+      );
+    }
     const authServerId = config.getOptionalString('authServerId');
     const idp = config.getOptionalString('idp');
 

plugins/auth-backend-module-okta-provider/src/module.test.ts

@@ -76,4 +76,35 @@ describe('authModuleOktaProvider', () => {
       nonce: decodeURIComponent(nonceCookie.value),
     });
   });
+
+  it('should reject a relative audience URL', async () => {
+    await expect(
+      startTestBackend({
+        features: [
+          import('@backstage/plugin-auth-backend'),
+          authModuleOktaProvider,
+          mockServices.rootConfig.factory({
+            data: {
+              app: {
+                baseUrl: 'http://localhost:3000',
+              },
+              auth: {
+                providers: {
+                  okta: {
+                    development: {
+                      clientId: 'my-client-id',
+                      clientSecret: 'my-client-secret',
+                      audience: 'example.okta.com',
+                    },
+                  },
+                },
+              },
+            },
+          }),
+        ],
+      }),
+    ).rejects.toThrow(
+      'The provided audience "example.okta.com" is not a valid URL. It must start with "https://" or "http://".',
+    );
+  });
 });