Support for configuring the desired Client Authentication Method for the token endpoint for the OIDC Provider

Signed-off-by: Karthik Prabhu K <karthik.prabhu.k@dell.com>
Karthik Prabhu K
2023-06-29 22:00:57 +05:30
parent 02f9d469d0
commit c27ae5004f
5 changed files with 16 additions and 1 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-auth-backend': minor
---
Support for Token Endpoint Auth Method for OIDC Provider
+1
@@ -354,6 +354,7 @@ auth:
clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
authorizationUrl: ${AUTH_OIDC_AUTH_URL}
tokenUrl: ${AUTH_OIDC_TOKEN_URL}
tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_AUTH_METHOD} # default='client_secret_basic'
tokenSignedResponseAlg: ${AUTH_OIDC_TOKEN_SIGNED_RESPONSE_ALG} # default='RS256'
scope: ${AUTH_OIDC_SCOPE} # default='openid profile email'
prompt: ${AUTH_OIDC_PROMPT} # default=none (allowed values: auto, none, consent, login)
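Review bot: The new `tokenEndpointAuthMethod` line only states the default, while the `prompt` line a few lines below also enumerates what the key accepts; an operator reading this example has no way to tell which values are valid. Since the value is passed to openid-client as its `token_endpoint_auth_method`, the comment should list the methods that library understands, e.g. `tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_AUTH_METHOD} # default='client_secret_basic' (allowed values: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none)`. It is also worth saying that `none` disables client authentication at the token endpoint and is only appropriate for public clients that have no `clientSecret`.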
+1 -1
@@ -237,7 +237,7 @@ check the App Registration you created:
- `metadataUrl`: In Overview > Endpoints tab, grab OpenID Connect metadata document URL.
- `authorizationUrl` and `tokenUrl`: Open the `metadataUrl` in a browser, that json will
hold these 2 urls somewhere in there.
- `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does.
- `tokenEndpointAuthMethod` and `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does.
- `scope`: Only used if we didn't specify `defaultScopes` in the provider's factory,
basically the same thing.
- `prompt`: Recommended to use `auto` so the browser will request login to the IDP if the
@@ -53,6 +53,7 @@ const clientMetadata: Options = {
clientId: 'testclientid',
clientSecret: 'testclientsecret',
metadataUrl: 'https://oidc.test/.well-known/openid-configuration',
tokenEndpointAuthMethod: 'none',
tokenSignedResponseAlg: 'none',
};
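Review bot: The fixture change sets `tokenEndpointAuthMethod: 'none'` together with a `clientSecret`, but nothing in this hunk asserts that the value actually reaches the openid-client metadata, so a regression that dropped the option would still pass. I would add one test that builds the provider without `tokenEndpointAuthMethod` and asserts the constructed client's `token_endpoint_auth_method` is `'client_secret_basic'`, and another that passes `'client_secret_post'` and asserts it is forwarded; the constructor hunk in provider.ts is where the default is applied. The surrounding `clientMetadata` object literal starts above this hunk, so the fixture's remaining fields are not visible here.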
@@ -17,6 +17,7 @@
import express from 'express';
import {
Client,
ClientAuthMethod,
Issuer,
Strategy as OidcStrategy,
TokenSet,
@@ -72,6 +73,7 @@ export type Options = OAuthProviderOptions & {
metadataUrl: string;
scope?: string;
prompt?: string;
tokenEndpointAuthMethod?: ClientAuthMethod;
tokenSignedResponseAlg?: string;
signInResolver?: SignInResolver<OidcAuthResult>;
authHandler: AuthHandler<OidcAuthResult>;
@@ -144,6 +146,8 @@ export class OidcAuthProvider implements OAuthHandlers {
client_secret: options.clientSecret,
redirect_uris: [options.callbackUrl],
response_types: ['code'],
token_endpoint_auth_method:
options.tokenEndpointAuthMethod || 'client_secret_basic',
id_token_signed_response_alg: options.tokenSignedResponseAlg || 'RS256',
scope: options.scope || '',
});
@@ -232,6 +236,9 @@ export const oidc = createAuthProviderIntegration({
customCallbackUrl ||
`${globalConfig.baseUrl}/${providerId}/handler/frame`;
const metadataUrl = envConfig.getString('metadataUrl');
const tokenEndpointAuthMethod = envConfig.getOptional<ClientAuthMethod>(
'tokenEndpointAuthMethod',
);
const tokenSignedResponseAlg = envConfig.getOptionalString(
'tokenSignedResponseAlg',
);
@@ -252,6 +259,7 @@ export const oidc = createAuthProviderIntegration({
clientId,
clientSecret,
callbackUrl,
tokenEndpointAuthMethod,
tokenSignedResponseAlg,
metadataUrl,
scope,
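Review bot: `envConfig.getOptional<ClientAuthMethod>('tokenEndpointAuthMethod')` in the `@@ -232` hunk performs no runtime check; the type parameter is erased, so any string from app-config is forwarded unchanged to openid-client as `token_endpoint_auth_method`. A typo such as `client-secret-basic` would presumably only surface when the token exchange fails against the IdP rather than at startup, and the error would not name the misconfigured key. Reading the value with `getOptionalString` and validating it against the methods openid-client supports turns that into a clear configuration error; a sketch is below. The enclosing `createAuthProviderIntegration` factory both starts and ends outside these hunks.
```typescript
const metadataUrl = envConfig.getString('metadataUrl');
// Allowed values of openid-client's ClientAuthMethod that this provider supports.
const allowedAuthMethods: readonly string[] = [
  'client_secret_basic',
  'client_secret_post',
  'client_secret_jwt',
  'private_key_jwt',
  'none',
];
const rawAuthMethod = envConfig.getOptionalString('tokenEndpointAuthMethod');
if (rawAuthMethod !== undefined && !allowedAuthMethods.includes(rawAuthMethod)) {
  throw new Error(
    `Invalid tokenEndpointAuthMethod "${rawAuthMethod}" for OIDC provider "${providerId}"; expected one of ${allowedAuthMethods.join(', ')}`,
  );
}
// Safe: the value has just been checked against the allowed list.
const tokenEndpointAuthMethod = rawAuthMethod as ClientAuthMethod | undefined;
// … unchanged: tokenSignedResponseAlg and the remaining config reads …
```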