From 9079a780789eb7fc94b79af9554f908d48659eca Mon Sep 17 00:00:00 2001
From: Manuel Scurti
Date: Wed, 18 May 2022 11:31:29 +0200
Subject: [PATCH] algorithms field is now array for IdentityClient
Signed-off-by: Manuel Scurti
---
.changeset/polite-spiders-pay.md | 5 ++---
.changeset/tasty-snails-boil.md | 5 +++++
plugins/auth-backend/src/identity/TokenFactory.ts | 2 +-
plugins/auth-node/src/IdentityClient.test.ts | 15 ++++++++++++++-
plugins/auth-node/src/IdentityClient.ts | 11 +++++------
5 files changed, 27 insertions(+), 11 deletions(-)
create mode 100644 .changeset/tasty-snails-boil.md
diff --git a/.changeset/polite-spiders-pay.md b/.changeset/polite-spiders-pay.md
index 882172b4d9..41528aff6b 100644
--- a/.changeset/polite-spiders-pay.md
+++ b/.changeset/polite-spiders-pay.md
@@ -1,6 +1,5 @@
---
-'@backstage/plugin-auth-backend': minor
-'@backstage/plugin-auth-node': minor
+'@backstage/plugin-auth-backend': patch
---
-Added configurable algorithm field for IdentityClient and TokenFactory
+Added configurable algorithm field for TokenFactory
diff --git a/.changeset/tasty-snails-boil.md b/.changeset/tasty-snails-boil.md
new file mode 100644
index 0000000000..d5b73d3b1b
--- /dev/null
+++ b/.changeset/tasty-snails-boil.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-node': patch
+---
+
+Added configurable algorithms array for IdentityClient
diff --git a/plugins/auth-backend/src/identity/TokenFactory.ts b/plugins/auth-backend/src/identity/TokenFactory.ts
index c8e5feb81e..fe9d2a1b4f 100644
--- a/plugins/auth-backend/src/identity/TokenFactory.ts
+++ b/plugins/auth-backend/src/identity/TokenFactory.ts
@@ -33,7 +33,7 @@ type Options = {
/** Expiration time of signing keys in seconds */
keyDurationSeconds: number;
/** JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
- * Must match the algorithm defined in IdentityClient.
+ * Must match one of the algorithms defined for IdentityClient.
* More info on supported algorithms: https://github.com/panva/jose */
algorithm?: string;
};
diff --git a/plugins/auth-node/src/IdentityClient.test.ts b/plugins/auth-node/src/IdentityClient.test.ts
index a773764e2d..5451bd3f9e 100644
--- a/plugins/auth-node/src/IdentityClient.test.ts
+++ b/plugins/auth-node/src/IdentityClient.test.ts
@@ -146,11 +146,24 @@ describe('IdentityClient', () => {
});
});
+ it('should throw error on empty algorithms array', async () => {
+ const identityClient = IdentityClient.create({
+ discovery,
+ issuer: mockBaseUrl,
+ algorithms: [''],
+ });
+
+ const token = await factory.issueToken({ claims: { sub: 'foo' } });
+ return expect(
+ async () => await identityClient.authenticate(token),
+ ).rejects.toThrow();
+ });
+
it('should throw error on empty algorithm string', async () => {
const identityClient = IdentityClient.create({
discovery,
issuer: mockBaseUrl,
- algorithm: '',
+ algorithms: [],
});
const token = await factory.issueToken({ claims: { sub: 'foo' } });
diff --git a/plugins/auth-node/src/IdentityClient.ts b/plugins/auth-node/src/IdentityClient.ts
index d398ec4c9e..2da6ae31f1 100644
--- a/plugins/auth-node/src/IdentityClient.ts
+++ b/plugins/auth-node/src/IdentityClient.ts
@@ -33,10 +33,9 @@ export type IdentityClientOptions = {
discovery: PluginEndpointDiscovery;
issuer: string;
- /** JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
- * Must match the algorithm defined in TokenFactory.
+ /** JWS "alg" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.
* More info on supported algorithms: https://github.com/panva/jose */
- algorithm?: string;
+ algorithms?: string[];
};
/**
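Review bot: The reworded comment on `algorithm` still leaves the consequence of a mismatch implicit; since IdentityClient hands its list to `jwtVerify` as the `algorithms` allow-list, a token signed with a value outside that list is rejected at verification, and that is worth stating on the signing side where the value is configured. Suggested wording for the changed line: ` * Must match one of the algorithms configured for IdentityClient; tokens signed with any other algorithm are rejected at verification.` The `Options` type begins outside the hunk.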
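Review bot: The two test titles are swapped relative to their fixtures: the new `it('should throw error on empty algorithms array'` passes `algorithms: ['']` (one empty string), while the case still titled `'should throw error on empty algorithm string'` now passes `algorithms: []`. Swapping the titles, or renaming them to `'should reject when algorithms contains an empty string'` and `'should reject when algorithms is empty'`, keeps the names truthful. `expect(async () => await identityClient.authenticate(token)).rejects.toThrow()` can be written as `expect(identityClient.authenticate(token)).rejects.toThrow()`, and a bare `toThrow()` accepts any rejection; if `authenticate` wraps verification failures in `AuthenticationError` (not visible in this hunk), asserting that type would pin the contract. The enclosing `describe` block begins before the hunk.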
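Review bot: The new doc comment on `algorithms` drops the cross-reference to TokenFactory that the removed text carried, while the TokenFactory comment changed in this same commit still points back here, so the coupling is now documented in one direction only. It also does not say that the list is an allow-list or that an empty array rejects every token, which is exactly what the test hunk pins. Suggested replacement for the first comment line: `/** JWS "alg" (Algorithm) Header Parameter values accepted during verification; tokens signed with any other algorithm are rejected. Defaults to ['ES256']. Must include the algorithm configured for TokenFactory.` followed by the existing `More info` line. The `IdentityClientOptions` type starts outside the hunk.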
@@ -49,7 +48,7 @@ export type IdentityClientOptions = {
export class IdentityClient {
private readonly discovery: PluginEndpointDiscovery;
private readonly issuer: string;
- private readonly algorithm: string;
+ private readonly algorithms: string[];
private keyStore?: GetKeyFunction;
private keyStoreUpdated: number = 0;
@@ -63,7 +62,7 @@ export class IdentityClient {
private constructor(options: IdentityClientOptions) {
this.discovery = options.discovery;
this.issuer = options.issuer;
- this.algorithm = options.algorithm ?? 'ES256';
+ this.algorithms = options.algorithms ?? ['ES256'];
}
/**
@@ -88,7 +87,7 @@ export class IdentityClient {
throw new AuthenticationError('No keystore exists');
}
const decoded = await jwtVerify(token, this.keyStore, {
- algorithms: [this.algorithm],
+ algorithms: this.algorithms,
audience: 'backstage',
issuer: this.issuer,
});
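Review bot: The constructor stores the caller's array by reference, so anyone holding the `algorithms` array passed to `create` can change the allow-list a live client verifies against after construction; the `readonly` on the field only prevents reassignment, not mutation of the array. A defensive copy, `this.algorithms = [...(options.algorithms ?? ['ES256'])];`, makes the verification allow-list fixed once the client exists, and the hunk at -88 keeps passing `this.algorithms` unchanged. An empty array is accepted silently and, as the test hunk pins, makes `jwtVerify` reject every token; that fails closed, but the misconfiguration only surfaces on the first `authenticate` call, so a length check in the constructor would be worth considering, at the cost of changing that test's expectation from rejection at `authenticate` to a throw at `create`. The `IdentityClient` class continues beyond these hunks.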