Commit Graph

962 Commits

Author SHA1 Message Date
Patrik Oldsberg c9212bf4ce auth-backend: remove unused isCimdUrl function (#33882)
The function was a thin wrapper around validateCimdUrl that caught errors
and returned a boolean. It was never imported by any production code —
only by test files. Tests now use validateCimdUrl directly.


Made-with: Cursor

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2026-04-13 23:43:26 +02:00
Patrik Oldsberg b2319ffe45 errors: add toError utility and migrate assertError usages
Add a `toError` utility function to `@backstage/errors` that converts
unknown values to `ErrorLike` objects. If the value is already error-like
it is returned as-is. Strings are used directly as the error message, and
other values are stringified with a fallback to JSON.stringify to avoid
unhelpful `[object Object]` messages.

Non-error causes passed to `CustomErrorBase` are now converted and stored
using `toError` rather than discarded. Existing `assertError` call sites
across the codebase are migrated to `toError`.

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
2026-04-03 10:16:23 +02:00
Ben Lambert 2e753eefb6 fix(auth-backend): allow any port for loopback redirect URIs per RFC 8252 (#33508)
For CIMD clients using loopback redirect URIs (localhost/127.0.0.1),
match by scheme, hostname, and path only, ignoring the port. Native
CLI apps like Claude Code use ephemeral ports for OAuth callbacks.

Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-21 23:19:38 +00:00
Fredrik Adelöw d7c67cddf5 switch omitIdentityTokenOwnershipClaim to true
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
2026-03-18 22:10:50 +01:00
Gabriel Dugny ffaded0b30 chore: lint & changeset
Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>
2026-03-17 16:48:43 +01:00
Gabriel Dugny 49171c9de4 chore: Update all imports to zod/v3
Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>
2026-03-17 16:48:42 +01:00
Patrik Oldsberg aba94d2b27 Merge pull request #33385 from drodil/auth_mem_leaks
fix(auth): memory leaks
2026-03-17 11:03:20 +01:00
Hellgren Heikki 634ededdc9 fix(auth): memory leaks
alb-provider: the JWT verification block was wrapped in a generic error
that turned a 401 into a 500, causing clients to retry the login

cimd: cimd clients are not registered in oidc_clients table
so inserting offline sessions for them violates the foreign key
constraint. dropping the fk.

offline: return the access token even when refresh token issuing fails.
If refresh token issuing fails for some reason, it will return a
500, which will then cause the client to retry even though it can get a valid
access token without a refresh token.

closes #33329
Signed-off-by: Hellgren Heikki <heikki.hellgren@op.fi>
2026-03-17 10:52:40 +02:00
benjdlambert 26b5f7a5f9 chore: fix main build
Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-11 13:41:01 +01:00
Ben Lambert e9b6e978f1 Merge commit from fork
* fix: prevent SSRF via redirect in CIMD metadata fetch

* fix: prevent SSRF via redirect in CIMD metadata fetch

* fix: add redirect target listener to SSRF redirect test
2026-03-11 13:34:25 +01:00
Ben Lambert 0f9d673e82 Merge commit from fork
* Fix redirect URI allowlist bypass via URL userinfo syntax

* Validate redirect URIs against normalized origin+pathname
2026-03-11 13:33:00 +01:00
Ben Lambert d0f4cd215b feat(cli): add auth commands for OIDC login (#32920)
* feat(cli): add auth commands for OIDC login

Signed-off-by: benjdlambert <ben@blam.sh>

* address PR review feedback

- move CIMD check before callback server start
- add try/finally for callback server cleanup
- validate URLs with human-readable errors
- deduplicate config URL candidates
- preserve selected flag on re-authentication
- delete accessToken on logout
- log token refresh to stderr in show command
- fix command descriptions to reference CIMD not DCR
- type keytar as optionalDependency, rename storage paths
- add auth-backend changeset

Signed-off-by: benjdlambert <ben@blam.sh>

* migrate auth module from yargs to cleye pattern

Signed-off-by: benjdlambert <ben@blam.sh>

* address PR review feedback

- consolidate storage imports in auth.ts
- add withMetadataLock to setSelectedInstance
- skip file permission tests on Windows
- clarify changeset endpoint path

Signed-off-by: benjdlambert <ben@blam.sh>

* address review feedback from Rugvip and Copilot

- use stdout for user-facing messages instead of stderr
- remove clientSecret remnants from logout
- make refresh_token optional in token response schema
- add timeout to CIMD metadata fetch
- pass same state to callback server and authorize URL
- remove inaccurate test comment

Signed-off-by: benjdlambert <ben@blam.sh>

* validate state in callback server, add CIMD endpoint tests

- localServer now validates the OAuth state parameter in the request
  handler and returns 400 on mismatch
- Added tests for the CIMD metadata endpoint in OidcRouter covering
  both disabled and enabled cases

Signed-off-by: benjdlambert <ben@blam.sh>

* revert validateRequest to use Zod error details

Signed-off-by: benjdlambert <ben@blam.sh>

* fix callback server hanging by closing keep-alive connections

Signed-off-by: benjdlambert <ben@blam.sh>

* rename secret store service prefix to backstage-cli:auth-instance

Signed-off-by: benjdlambert <ben@blam.sh>

---------

Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-10 13:28:25 +00:00
Ben Lambert 1ccad86e35 feat(auth-backend): add who-am-i action to actions registry (#33046)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-28 10:08:46 +01:00
benjdlambert 7dc3dfe5cb Revert configurable DCR token expiration (#31278)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-17 17:07:24 +01:00
Ben Lambert 31de2c9b3a feat(auth-backend): add experimental CIMD support (#32307)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-17 17:00:49 +01:00
Ben Lambert d0786b968e auth-backend: add experimental refresh token support (#32695)
* auth-backend: add experimental refresh token support

Signed-off-by: benjdlambert <ben@blam.sh>

* auth-backend: refresh token review fixes

Signed-off-by: benjdlambert <ben@blam.sh>

* auth-backend: address PR review feedback for refresh tokens

Signed-off-by: benjdlambert <ben@blam.sh>

---------

Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-10 17:00:51 +01:00
Fredrik Adelöw 7455dae884 require the use of node prefix on native imports
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
2026-01-26 13:22:53 +01:00
benjdlambert eb279cbe7b chore: codereview comments
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 11:12:37 +01:00
benjdlambert 986bf8f3aa feat: set state column to text instead of varchar
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 11:03:39 +01:00
Ben Lambert f70ad4b1c2 Merge pull request #31278 from drodil/dynamic_client_reg_expires_in
feat(auth): allow configuring DCR token expiration
2025-11-04 09:52:11 +01:00
Andre Wanlin d57b13b2d4 Version Policy Update - Postgres 18 to 14
Signed-off-by: Andre Wanlin <awanlin@spotify.com>
2025-10-16 18:44:29 -05:00
Hellgren Heikki 51ff7d8e46 feat(auth): allow configuring DCR token expiration
this adds a new config value for the experimental dynamic client registration
feature that allows configuring the token expiration.

added also missing config values to the config schema for this feature.

Signed-off-by: Hellgren Heikki <heikki.hellgren@op.fi>
2025-10-14 16:31:09 +03:00
Paul Schultz 05f60e1e0a refactor: convert constructor parameter properties for erasableSyntaxOnly compatibility
Signed-off-by: Paul Schultz <pschultz@pobox.com>
2025-10-14 08:29:21 -05:00
benjdlambert c2afe12dfd chore: cleanup a little bit more 🎉
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-09 14:32:51 +02:00
benjdlambert ec6cb6bce2 chore: code review comments
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-09 13:17:00 +02:00
benjdlambert c9f1fb203a chore: cleanup
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-09 10:46:45 +02:00
benjdlambert ff15f30329 feat: implementing fixes for wildcard matching for callback URLs
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 17:48:33 +02:00
benjdlambert a4b9f94d4f chore: fix experimental flag
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 15:14:05 +02:00
benjdlambert 75b5880cb7 chore: Fixing changesets
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 15:09:30 +02:00
benjdlambert 225cdf5bdf chore: wrap up things in a feature flag
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 14:27:05 +02:00
benjdlambert 025fdd20ea chore: clientId and clientSecret are not to be passed to the token endpoint
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 13:12:36 +02:00
benjdlambert 838429ac89 chore: fix some more typescript errors
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 11:38:46 +02:00
benjdlambert e81f461ed8 chore: fix support for returning
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:35:41 +02:00
benjdlambert 75e0cdbc0b chore: when session has been accepted or approved it should return not found from api
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert 1122bb29ac feat: add sqlreports and fixing up
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert bf372ab53f chore: cleanup and simplify
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert 0d320ca888 chore: added some tests for oidcrouter and refactor
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert ebe65724e4 chore: added some tests for oidcservice
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert e31a1e2c0c chore: fixing redirect path
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert ff251064ae chore: implementing the routers
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:44 +02:00
benjdlambert eb2297fe6d chore: updating the oidc service to handle consent
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert 5b084e7223 chore: reworking the API for oidc-database
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert e0473b52e9 chore: little cleanup
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert 0d142d95ec chore: implementing the register and code exchange
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert 628322d19b chore: issue a token for guest entity ref
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert bbda7485f6 feat: adding client register
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert ac54ac21d3 chore: implementing access token management
Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert 64dc5463ba feat: started to add some tests for the oidc database
Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>
2025-09-08 10:17:43 +02:00
benjdlambert 04b1769ae9 chore: fix mysql tests
Signed-off-by: benjdlambert <ben@blam.sh>
2025-07-08 11:27:00 +02:00
benjdlambert bb1939b834 chore: issue token first before saving userInfo
Signed-off-by: benjdlambert <ben@blam.sh>
2025-07-08 10:52:32 +02:00