auth: add oauth2 provider module

Signed-off-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com>
2023-08-31 07:47:44 -05:00
parent 1ba6884412
commit 101cf1d13b
14 changed files with 477 additions and 0 deletions
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend-module-oauth2-provider': patch
+---
+
+New module for `@backstage/plugin-auth-backend` that adds a `oauth2` auth provider.
@@ -0,0 +1 @@
+module.exports = require('@backstage/cli/config/eslint-factory')(__dirname);
@@ -0,0 +1,8 @@
+# Auth Module: oauth2 Provider
+
+This module provides an oauth2 auth provider implementation for `@backstage/plugin-auth-backend`.
+
+## Links
+
+- [Repository](https://oauth2.com/backstage/backstage/tree/master/plugins/auth-backend-module-oauth2-provider)
+- [Backstage Project Homepage](https://backstage.io)
@@ -0,0 +1,29 @@
+## API Report File for "@backstage/plugin-auth-backend-module-oauth2-provider"
+
+> Do not edit this file. It is a report generated by [API Extractor](https://api-extractor.com/).
+
+```ts
+import { BackendFeature } from '@backstage/backend-plugin-api';
+import { OAuthAuthenticator } from '@backstage/plugin-auth-node';
+import { OAuthAuthenticatorResult } from '@backstage/plugin-auth-node';
+import { PassportOAuthAuthenticatorHelper } from '@backstage/plugin-auth-node';
+import { PassportProfile } from '@backstage/plugin-auth-node';
+import { SignInResolverFactory } from '@backstage/plugin-auth-node';
+
+// @public (undocumented)
+export const authModuleoauth2Provider: () => BackendFeature;
+
+// @public (undocumented)
+export const oauth2Authenticator: OAuthAuthenticator<
+  PassportOAuthAuthenticatorHelper,
+  PassportProfile
+>;
+
+// @public
+export namespace oauth2SignInResolvers {
+  const usernameMatchingUserEntityName: SignInResolverFactory<
+    OAuthAuthenticatorResult<PassportProfile>,
+    unknown
+  >;
+}
+```
@@ -0,0 +1,10 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: backstage-plugin-auth-backend-module-oauth2-provider
+  title: '@backstage/plugin-auth-backend-module-oauth2-provider'
+  description: The oauth2-provider backend module for the auth plugin.
+spec:
+  lifecycle: experimental
+  type: backstage-backend-plugin-module
+  owner: maintainers
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2020 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export interface Config {
+  auth?: {
+    providers?: {
+      /** @visibility frontend */
+      oauth2?: {
+        [authEnv: string]: {
+          clientId: string;
+          /**
+           * @visibility secret
+           */
+          clientSecret: string;
+          authorizationUrl: string;
+          tokenUrl: string;
+          scope?: string;
+          disableRefresh?: boolean;
+          includeBasicAuth?: boolean;
+        };
+      };
+    };
+  };
+}
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { createBackend } from '@backstage/backend-defaults';
+import { authPlugin } from '@backstage/plugin-auth-backend';
+import { authModuleOauth2Provider } from '../src';
+
+const backend = createBackend();
+
+backend.add(authPlugin);
+backend.add(authModuleOauth2Provider);
+
+backend.start();
@@ -0,0 +1,45 @@
+{
+  "name": "@backstage/plugin-auth-backend-module-oauth2-provider",
+  "description": "The oauth2-provider backend module for the auth plugin.",
+  "version": "0.0.0",
+  "main": "src/index.ts",
+  "types": "src/index.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "backend-plugin-module"
+  },
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "workspace:^",
+    "@backstage/backend-plugin-api": "workspace:^",
+    "@backstage/plugin-auth-node": "workspace:^",
+    "express": "^4.18.2",
+    "passport": "^0.6.0",
+    "passport-oauth2": "^1.6.1"
+  },
+  "devDependencies": {
+    "@backstage/backend-defaults": "workspace:^",
+    "@backstage/backend-test-utils": "workspace:^",
+    "@backstage/cli": "workspace:^",
+    "@backstage/plugin-auth-backend": "workspace:^",
+    "supertest": "^6.3.3"
+  },
+  "configSchema": "config.d.ts",
+  "files": [
+    "dist",
+    "config.d.ts"
+  ]
+}
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { Strategy as Oauth2Strategy } from 'passport-oauth2';
+import {
+  createOAuthAuthenticator,
+  PassportOAuthAuthenticatorHelper,
+  PassportOAuthDoneCallback,
+  PassportProfile,
+} from '@backstage/plugin-auth-node';
+
+/** @public */
+export const oauth2Authenticator = createOAuthAuthenticator({
+  defaultProfileTransform:
+    PassportOAuthAuthenticatorHelper.defaultProfileTransform,
+  initialize({ callbackUrl, config }) {
+    const clientId = config.getString('clientId');
+    const clientSecret = config.getString('clientSecret');
+    const authorizationUrl = config.getString('authorizationUrl');
+    const tokenUrl = config.getString('tokenUrl');
+    const scope = config.getOptionalString('scope');
+    const includeBasicAuth = config.getOptionalBoolean('includeBasicAuth');
+
+    return PassportOAuthAuthenticatorHelper.from(
+      new Oauth2Strategy(
+        {
+          clientID: clientId,
+          clientSecret: clientSecret,
+          callbackURL: callbackUrl,
+          authorizationURL: authorizationUrl,
+          tokenURL: tokenUrl,
+          passReqToCallback: false,
+          scope: scope,
+          customHeaders: includeBasicAuth
+            ? {
+                Authorization: `Basic ${encodeClientCredentials(
+                  clientId,
+                  clientSecret,
+                )}`,
+              }
+            : undefined,
+        },
+        (
+          accessToken: any,
+          refreshToken: any,
+          params: any,
+          fullProfile: PassportProfile,
+          done: PassportOAuthDoneCallback,
+        ) => {
+          done(
+            undefined,
+            { fullProfile, params, accessToken },
+            { refreshToken },
+          );
+        },
+      ),
+    );
+  },
+
+  async start(input, helper) {
+    return helper.start(input, {
+      accessType: 'offline',
+      prompt: 'consent',
+    });
+  },
+
+  async authenticate(input, helper) {
+    return helper.authenticate(input);
+  },
+
+  async refresh(input, helper) {
+    return helper.refresh(input);
+  },
+});
+
+/** @private */
+function encodeClientCredentials(
+  clientID: string,
+  clientSecret: string,
+): string {
+  return Buffer.from(`${clientID}:${clientSecret}`).toString('base64');
+}
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * The oauth2-provider backend module for the auth plugin.
+ *
+ * @packageDocumentation
+ */
+
+export { oauth2Authenticator } from './authenticator';
+export { authModuleOauth2Provider } from './module';
+export { oauth2SignInResolvers } from './resolvers';
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { mockServices, startTestBackend } from '@backstage/backend-test-utils';
+import { authPlugin } from '@backstage/plugin-auth-backend';
+import { authModuleOauth2Provider } from './module';
+import request from 'supertest';
+import { decodeOAuthState } from '@backstage/plugin-auth-node';
+
+describe('authModuleOauth2Provider', () => {
+  it('should start', async () => {
+    const { server } = await startTestBackend({
+      features: [
+        authPlugin,
+        authModuleOauth2Provider,
+        mockServices.rootConfig.factory({
+          data: {
+            app: {
+              baseUrl: 'http://localhost:3000',
+            },
+            auth: {
+              providers: {
+                oauth2: {
+                  development: {
+                    clientId: 'my-client-id',
+                    clientSecret: 'my-client-secret',
+                    authorizationUrl: 'https://oauth2.com/authorize',
+                    tokenUrl: 'https://oauth2.com/token',
+                  },
+                },
+              },
+            },
+          },
+        }),
+      ],
+    });
+
+    const agent = request.agent(server);
+
+    const res = await agent.get('/api/auth/oauth2/start?env=development');
+
+    expect(res.status).toEqual(302);
+
+    const nonceCookie = agent.jar.getCookie('oauth2-nonce', {
+      domain: 'localhost',
+      path: '/api/auth/oauth2/handler',
+      script: false,
+      secure: false,
+    });
+    expect(nonceCookie).toBeDefined();
+
+    const startUrl = new URL(res.get('location'));
+    expect(startUrl.origin).toBe('https://oauth2.com');
+    expect(startUrl.pathname).toBe('/authorize');
+    expect(Object.fromEntries(startUrl.searchParams)).toEqual({
+      response_type: 'code',
+      client_id: 'my-client-id',
+      redirect_uri: `http://localhost:${server.port()}/api/auth/oauth2/handler/frame`,
+      state: expect.any(String),
+    });
+
+    expect(decodeOAuthState(startUrl.searchParams.get('state')!)).toEqual({
+      env: 'development',
+      nonce: decodeURIComponent(nonceCookie.value),
+    });
+  });
+});
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { createBackendModule } from '@backstage/backend-plugin-api';
+import {
+  authProvidersExtensionPoint,
+  commonSignInResolvers,
+  createOAuthProviderFactory,
+} from '@backstage/plugin-auth-node';
+import { oauth2Authenticator } from './authenticator';
+import { oauth2SignInResolvers } from './resolvers';
+
+/** @public */
+export const authModuleOauth2Provider = createBackendModule({
+  pluginId: 'auth',
+  moduleId: 'oauth2-provider',
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: authProvidersExtensionPoint,
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: 'oauth2',
+          factory: createOAuthProviderFactory({
+            authenticator: oauth2Authenticator,
+            signInResolverFactories: {
+              ...oauth2SignInResolvers,
+              ...commonSignInResolvers,
+            },
+          }),
+        });
+      },
+    });
+  },
+});
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+  createSignInResolverFactory,
+  OAuthAuthenticatorResult,
+  PassportProfile,
+  SignInInfo,
+} from '@backstage/plugin-auth-node';
+
+/**
+ * Available sign-in resolvers for the oauth2 auth provider.
+ *
+ * @public
+ */
+export namespace oauth2SignInResolvers {
+  /**
+   * Looks up the user by matching their oauth2 username to the entity name.
+   */
+  export const usernameMatchingUserEntityName = createSignInResolverFactory({
+    create() {
+      return async (
+        info: SignInInfo<OAuthAuthenticatorResult<PassportProfile>>,
+        ctx,
+      ) => {
+        const { result } = info;
+
+        const id = result.fullProfile.username;
+        if (!id) {
+          throw new Error(`Oauth2 user profile does not contain a username`);
+        }
+
+        return ctx.signInWithCatalogUser({ entityRef: { name: id } });
+      };
+    },
+  });
+}
@@ -4926,6 +4926,24 @@ __metadata:
  languageName: unknown
  linkType: soft

+"@backstage/plugin-auth-backend-module-oauth2-provider@workspace:plugins/auth-backend-module-oauth2-provider":
+  version: 0.0.0-use.local
+  resolution: "@backstage/plugin-auth-backend-module-oauth2-provider@workspace:plugins/auth-backend-module-oauth2-provider"
+  dependencies:
+    "@backstage/backend-common": "workspace:^"
+    "@backstage/backend-defaults": "workspace:^"
+    "@backstage/backend-plugin-api": "workspace:^"
+    "@backstage/backend-test-utils": "workspace:^"
+    "@backstage/cli": "workspace:^"
+    "@backstage/plugin-auth-backend": "workspace:^"
+    "@backstage/plugin-auth-node": "workspace:^"
+    express: ^4.18.2
+    passport: ^0.6.0
+    passport-oauth2: ^1.6.1
+    supertest: ^6.3.3
+  languageName: unknown
+  linkType: soft
+
 "@backstage/plugin-auth-backend@workspace:^, @backstage/plugin-auth-backend@workspace:plugins/auth-backend":
  version: 0.0.0-use.local
  resolution: "@backstage/plugin-auth-backend@workspace:plugins/auth-backend"
				`@@ -0,0 +1 @@`
				`module.exports = require('@backstage/cli/config/eslint-factory')(__dirname);`