diff --git a/.changeset/tender-clouds-promise.md b/.changeset/tender-clouds-promise.md new file mode 100644 index 0000000000..171ffb0174 --- /dev/null +++ b/.changeset/tender-clouds-promise.md @@ -0,0 +1,5 @@ +--- +'@backstage/plugin-auth-backend': minor +--- + +Support for Token Endpoint Auth Method for OIDC Provider diff --git a/app-config.yaml b/app-config.yaml index a4a332efdc..2b562ee689 100644 --- a/app-config.yaml +++ b/app-config.yaml @@ -354,6 +354,7 @@ auth: clientSecret: ${AUTH_OIDC_CLIENT_SECRET} authorizationUrl: ${AUTH_OIDC_AUTH_URL} tokenUrl: ${AUTH_OIDC_TOKEN_URL} + tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_AUTH_METHOD} # default='client_secret_basic' tokenSignedResponseAlg: ${AUTH_OIDC_TOKEN_SIGNED_RESPONSE_ALG} # default='RS256' scope: ${AUTH_OIDC_SCOPE} # default='openid profile email' prompt: ${AUTH_OIDC_PROMPT} # default=none (allowed values: auto, none, consent, login) diff --git a/docs/auth/oidc.md b/docs/auth/oidc.md index 9c681b7360..39c18ce0aa 100644 --- a/docs/auth/oidc.md +++ b/docs/auth/oidc.md @@ -237,7 +237,7 @@ check the App Registration you created: - `metadataUrl`: In Overview > Endpoints tab, grab OpenID Connect metadata document URL. - `authorizationUrl` and `tokenUrl`: Open the `metadataUrl` in a browser, that json will hold these 2 urls somewhere in there. -- `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does. +- `tokenEndpointAuthMethod` and `tokenSignedResponseAlg`: Don't define it, use the default unless you know what it does. - `scope`: Only used if we didn't specify `defaultScopes` in the provider's factory, basically the same thing. - `prompt`: Recommended to use `auto` so the browser will request login to the IDP if the diff --git a/plugins/auth-backend/src/providers/oidc/provider.test.ts b/plugins/auth-backend/src/providers/oidc/provider.test.ts index 2285b60ed0..7161ef1d6b 100644 --- a/plugins/auth-backend/src/providers/oidc/provider.test.ts +++ b/plugins/auth-backend/src/providers/oidc/provider.test.ts @@ -53,6 +53,7 @@ const clientMetadata: Options = { clientId: 'testclientid', clientSecret: 'testclientsecret', metadataUrl: 'https://oidc.test/.well-known/openid-configuration', + tokenEndpointAuthMethod: 'none', tokenSignedResponseAlg: 'none', }; diff --git a/plugins/auth-backend/src/providers/oidc/provider.ts b/plugins/auth-backend/src/providers/oidc/provider.ts index ed59611f21..73c5feef4b 100644 --- a/plugins/auth-backend/src/providers/oidc/provider.ts +++ b/plugins/auth-backend/src/providers/oidc/provider.ts @@ -17,6 +17,7 @@ import express from 'express'; import { Client, + ClientAuthMethod, Issuer, Strategy as OidcStrategy, TokenSet, @@ -72,6 +73,7 @@ export type Options = OAuthProviderOptions & { metadataUrl: string; scope?: string; prompt?: string; + tokenEndpointAuthMethod?: ClientAuthMethod; tokenSignedResponseAlg?: string; signInResolver?: SignInResolver; authHandler: AuthHandler; @@ -144,6 +146,8 @@ export class OidcAuthProvider implements OAuthHandlers { client_secret: options.clientSecret, redirect_uris: [options.callbackUrl], response_types: ['code'], + token_endpoint_auth_method: + options.tokenEndpointAuthMethod || 'client_secret_basic', id_token_signed_response_alg: options.tokenSignedResponseAlg || 'RS256', scope: options.scope || '', }); @@ -232,6 +236,9 @@ export const oidc = createAuthProviderIntegration({ customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`; const metadataUrl = envConfig.getString('metadataUrl'); + const tokenEndpointAuthMethod = envConfig.getOptional( + 'tokenEndpointAuthMethod', + ); const tokenSignedResponseAlg = envConfig.getOptionalString( 'tokenSignedResponseAlg', ); @@ -252,6 +259,7 @@ export const oidc = createAuthProviderIntegration({ clientId, clientSecret, callbackUrl, + tokenEndpointAuthMethod, tokenSignedResponseAlg, metadataUrl, scope,