Support for configuring the desired Client Authentication Method for the token endpoint for the OIDC Provider
Signed-off-by: Karthik Prabhu K <karthik.prabhu.k@dell.com>
@@ -0,0 +1,5 @@
|
||||
---
|
||||
'@backstage/plugin-auth-backend': minor
|
||||
---
|
||||
|
||||
Support for Token Endpoint Auth Method for OIDC Provider
|
||||
@@ -354,6 +354,7 @@ auth:
|
||||
clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
|
||||
authorizationUrl: ${AUTH_OIDC_AUTH_URL}
|
||||
tokenUrl: ${AUTH_OIDC_TOKEN_URL}
|
||||
tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_AUTH_METHOD} # default='client_secret_basic'
|
||||
tokenSignedResponseAlg: ${AUTH_OIDC_TOKEN_SIGNED_RESPONSE_ALG} # default='RS256'
|
||||
scope: ${AUTH_OIDC_SCOPE} # default='openid profile email'
|
||||
prompt: ${AUTH_OIDC_PROMPT} # default=none (allowed values: auto, none, consent, login)
|
||||
|
||||
+1
-1
@@ -237,7 +237,7 @@ check the App Registration you created:
|
||||
- `metadataUrl`: In Overview > Endpoints tab, grab OpenID Connect metadata document URL.
|
||||
- `authorizationUrl` and `tokenUrl`: Open the `metadataUrl` in a browser, that json will
|
||||
hold these 2 urls somewhere in there.
|
||||
- `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does.
|
||||
- `tokenEndpointAuthMethod` and `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does.
|
||||
- `scope`: Only used if we didn't specify `defaultScopes` in the provider's factory,
|
||||
basically the same thing.
|
||||
- `prompt`: Recommended to use `auto` so the browser will request login to the IDP if the
|
||||
|
||||
@@ -53,6 +53,7 @@ const clientMetadata: Options = {
|
||||
clientId: 'testclientid',
|
||||
clientSecret: 'testclientsecret',
|
||||
metadataUrl: 'https://oidc.test/.well-known/openid-configuration',
|
||||
tokenEndpointAuthMethod: 'none',
|
||||
tokenSignedResponseAlg: 'none',
|
||||
};
|
||||
|
||||
|
||||
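Review bot: The fixture now sets `tokenEndpointAuthMethod: 'none'` next to a `clientSecret`, so the client built from it never authenticates at the token endpoint and the secret is effectively unused; unless an assertion elsewhere in this file (not visible in the hunk) checks the constructed client's `token_endpoint_auth_method`, the new option is exercised but not verified. The default branch `options.tokenEndpointAuthMethod || 'client_secret_basic'` is not covered by this fixture at all. A second fixture that omits the key, plus an assertion that the resulting client metadata carries `'client_secret_basic'`, would pin both paths; a one-line comment on the fixture, `// 'none': public client, no secret is sent to the token endpoint`, would make the pairing with `clientSecret` look intentional rather than accidental.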
@@ -17,6 +17,7 @@
|
||||
import express from 'express';
|
||||
import {
|
||||
Client,
|
||||
ClientAuthMethod,
|
||||
Issuer,
|
||||
Strategy as OidcStrategy,
|
||||
TokenSet,
|
||||
@@ -72,6 +73,7 @@ export type Options = OAuthProviderOptions & {
|
||||
metadataUrl: string;
|
||||
scope?: string;
|
||||
prompt?: string;
|
||||
tokenEndpointAuthMethod?: ClientAuthMethod;
|
||||
tokenSignedResponseAlg?: string;
|
||||
signInResolver?: SignInResolver<OidcAuthResult>;
|
||||
authHandler: AuthHandler<OidcAuthResult>;
|
||||
@@ -144,6 +146,8 @@ export class OidcAuthProvider implements OAuthHandlers {
|
||||
client_secret: options.clientSecret,
|
||||
redirect_uris: [options.callbackUrl],
|
||||
response_types: ['code'],
|
||||
token_endpoint_auth_method:
|
||||
options.tokenEndpointAuthMethod || 'client_secret_basic',
|
||||
id_token_signed_response_alg: options.tokenSignedResponseAlg || 'RS256',
|
||||
scope: options.scope || '',
|
||||
});
|
||||
@@ -232,6 +236,9 @@ export const oidc = createAuthProviderIntegration({
|
||||
customCallbackUrl ||
|
||||
`${globalConfig.baseUrl}/${providerId}/handler/frame`;
|
||||
const metadataUrl = envConfig.getString('metadataUrl');
|
||||
const tokenEndpointAuthMethod = envConfig.getOptional<ClientAuthMethod>(
|
||||
'tokenEndpointAuthMethod',
|
||||
);
|
||||
const tokenSignedResponseAlg = envConfig.getOptionalString(
|
||||
'tokenSignedResponseAlg',
|
||||
);
|
||||
@@ -252,6 +259,7 @@ export const oidc = createAuthProviderIntegration({
|
||||
clientId,
|
||||
clientSecret,
|
||||
callbackUrl,
|
||||
tokenEndpointAuthMethod,
|
||||
tokenSignedResponseAlg,
|
||||
metadataUrl,
|
||||
scope,
|
||||
|
||||
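Review bot: `envConfig.getOptional<ClientAuthMethod>('tokenEndpointAuthMethod')` in the `@@ -232,6 +236,9 @@` hunk only asserts the type; the Config API's type parameter is not checked at runtime, so a misspelled value (or a non-string) reaches openid-client as `token_endpoint_auth_method` unchanged and surfaces later as an opaque token-endpoint failure rather than a startup error. Read the key with `getOptionalString` and validate it against the members of openid-client's `ClientAuthMethod` union before constructing the client, failing fast with a message that names the offending value; the union members below should be confirmed against the installed openid-client version. The `Options` field in the `@@ -72,6 +73,7 @@` hunk also deserves a TSDoc line, e.g. `/** Client authentication method for the token endpoint; 'none' makes the client public and sends no clientSecret. Defaults to 'client_secret_basic'. */`, since `'none'` silently changes how `clientSecret` is used. The `||` fallback at `options.tokenEndpointAuthMethod || 'client_secret_basic'` would be clearer as `??`; the enclosing `oidc` factory function continues outside the hunk.
```typescript
// Values openid-client accepts for token_endpoint_auth_method; confirm against the installed version.
const CLIENT_AUTH_METHODS: readonly ClientAuthMethod[] = [
  'client_secret_basic',
  'client_secret_post',
  'client_secret_jwt',
  'private_key_jwt',
  'tls_client_auth',
  'self_signed_tls_client_auth',
  'none',
];

// Rejects unknown values at startup instead of forwarding them to the IdP.
function parseClientAuthMethod(value: string): ClientAuthMethod {
  if (!(CLIENT_AUTH_METHODS as readonly string[]).includes(value)) {
    throw new Error(
      `Invalid tokenEndpointAuthMethod '${value}', expected one of: ${CLIENT_AUTH_METHODS.join(', ')}`,
    );
  }
  return value as ClientAuthMethod;
}

// … unchanged: callbackUrl / metadataUrl resolution …
const rawAuthMethod = envConfig.getOptionalString('tokenEndpointAuthMethod');
const tokenEndpointAuthMethod =
  rawAuthMethod === undefined ? undefined : parseClientAuthMethod(rawAuthMethod);
// … unchanged: tokenSignedResponseAlg and the remaining option reads …
```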