Added the possibility to use custom scopes for performing login with Microsoft EntraID.

Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
This commit is contained in:
Daniel Doberenz
2023-11-14 09:45:55 +01:00
parent 80d023a175
commit 1ff268479e
4 changed files with 14 additions and 1 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-auth-backend-module-microsoft-provider': minor
---
Added the possibility to use custom scopes for performing login with Microsoft EntraID.
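Review bot: the changeset text spells the product as "Microsoft EntraID"; the official name is "Microsoft Entra ID" (two words), so this line (and the commit message, which has the same spelling) should read "…login with Microsoft Entra ID." The `minor` bump is appropriate for a new optional config key.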
+4
@@ -28,6 +28,7 @@ On the **API permissions** tab, click on `Add Permission`, then add the followin
- `openid`
- `profile`
- `User.Read`
- Optional custom permissions you defined in the configuration file
Your company may require you to grant [admin consent](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview) for these permissions.
Even if your company doesn't require admin consent, you may wish to do so as it means users don't need to individually consent the first time they access backstage.
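Review bot: the added bullet "Optional custom permissions you defined in the configuration file" never names the setting it refers to, so a reader of this README has to guess. Suggest pointing at the key directly, e.g. "Any additional scopes you list under `scope` in your app-config (see below)", and stating that every value in that list must also be granted as an API permission here, since a scope that is requested at login but not granted on the app registration cannot be consented.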
@@ -54,6 +55,8 @@ auth:
clientSecret: ${AZURE_CLIENT_SECRET}
tenantId: ${AZURE_TENANT_ID}
domainHint: ${AZURE_TENANT_ID}
scope:
- user.read
```
The Microsoft provider is a structure with three mandatory configuration keys:
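Review bot: the new `scope:` entry in the example only repeats the default value (`user.read`), so it does not actually show what the feature is for. Consider a YAML comment on the `- user.read` line noting that this is the default, that it must stay in the list, and that additional scopes go on further `-` lines; the text after the block ("three mandatory configuration keys") is still correct because `scope` is optional.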
@@ -65,6 +68,7 @@ The Microsoft provider is a structure with three mandatory configuration keys:
Leave blank if your app registration is multi tenant.
When specified, this reduces login friction for users with accounts in multiple tenants by automatically filtering away accounts from other tenants.
For more details, see [Home Realm Discovery](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy)
- `scope` (optional): List of scopes for the App Registration. The default and mandatory value is ['user.read'].
## Adding the provider to the Backstage frontend
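Review bot: "The default and mandatory value is ['user.read']" is self-contradictory and does not match the implementation: the authenticator replaces the default list wholesale with whatever is configured, so a `scope` list without `user.read` is accepted without error even though the README lists `User.Read` among the required permissions. Either reword this to "Defaults to `['user.read']`; `user.read` must be included in any custom list" or have the code always merge `user.read` in, and say which here.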
@@ -28,6 +28,7 @@ export interface Config {
clientSecret: string;
domainHint?: string;
callbackUrl?: string;
scope?: string[];
};
};
};
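Review bot: the new `scope?: string[];` field carries no doc comment, and `config.d.ts` is what feeds the generated configuration reference and editor hover text. Add a `/** ... */` block above it stating the default (`['user.read']`, as set in the authenticator) and that `user.read` must remain in the list.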
@@ -31,6 +31,9 @@ export const microsoftAuthenticator = createOAuthAuthenticator({
const clientSecret = config.getString('clientSecret');
const tenantId = config.getString('tenantId');
const domainHint = config.getOptionalString('domainHint');
const scope: string[] = config.getOptionalStringArray('scope') || [
'user.read',
];
const helper = PassportOAuthAuthenticatorHelper.from(
new ExtendedMicrosoftStrategy(
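Review bot: `config.getOptionalStringArray('scope') || ['user.read']` only falls back when the key is absent; an explicitly empty `scope: []` is a truthy value in JavaScript and is passed through as an empty scope list, which the docs' "mandatory" wording does not allow. Guard on length instead, and consider always merging the default in so it cannot be configured away, e.g. `const scope = Array.from(new Set(['user.read', ...(config.getOptionalStringArray('scope') ?? [])]));`.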
@@ -39,7 +42,7 @@ export const microsoftAuthenticator = createOAuthAuthenticator({
clientSecret: clientSecret,
callbackURL: callbackUrl,
tenant: tenantId,
scope: ['user.read'],
scope: scope,
},
(
accessToken: string,