Commit Graph

14 Commits

Author SHA1 Message Date
Jessica He c30d1a9963 introduce dangerouslyAllowSignInWithoutUserInCatalog auth resolver config
Signed-off-by: Jessica He <jhe@redhat.com>
2025-04-30 10:35:39 +09:00
Jonathan Roebuck 612d1fdaa9 Use correct config definitions in MS related modules
Signed-off-by: Jonathan Roebuck <jroebuck@spotify.com>
2025-02-24 16:09:55 +00:00
Jessica He 61f464e864 support user configuration of auth cookie max age
Signed-off-by: Jessica He <jhe@redhat.com>
2025-01-28 12:07:03 -05:00
Patrik Oldsberg 7fd7280e36 Merge pull request #26969 from backstage/rugvip/harden
Update docs to be more strict around sign-in resolvers + remove insecure sign-in resolver
2024-10-08 11:53:37 +02:00
Patrik Oldsberg 217458a9a8 auth-node: add allowedDomains options for emailLocalPartMatchingUserEntityName + fixes
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2024-10-08 01:12:10 +02:00
Jordan Slott daa02d6e64 Fixes #26503 Add skipUserProfile flag to Microsoft authenticator
Signed-off-by: Jordan Slott <jordan.slott@twosigma.com>
2024-10-01 09:33:27 -04:00
Boris Bera c8f1cae0ef Add signIn.resolvers to auth providers config schema
Signed-off-by: Boris Bera <bbera@coveo.com>
2024-07-17 11:33:29 -04:00
Patrik Oldsberg 8efc6cf0d4 auth-backend-module-*: update OAuth providers to use new scope handling
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2024-06-11 12:49:14 +02:00
Daniel Doberenz abfaf8c502 Changed the configuration property to additionalScopes and added a tested helper function to combine lists of scopes.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-15 07:18:13 +01:00
Daniel Doberenz 1ff268479e Added the possibility to use custom scopes for performing login with Microsoft EntraID.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-14 09:45:55 +01:00
Fredrik Adelöw b42109f05a Merge pull request #20694 from afscrome/entra-domain-hint
Add `domain_hint` support to Entra ID login
2023-10-26 17:07:24 +02:00
Fredrik Adelöw 5aeb14f035 mistakenly changed secret marker
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
2023-10-25 15:33:14 +02:00
Alex Crome 3979524c74 Add domain_hint support to Entra ID login
When a user is logged in to multiple microsoft accounts, there can be be a little bit of friction in the Entra login process as users will be asked to select the account to login with.

Scenarios in which a user may have multiple microsoft accounts

1. Someone logged in to your work Entra ID account, and a personal microsoft account
2. A consultant who has an Entra ID account at both their employer, as well as the company they're contracted out to.
3. A user has a regular account, as well as one or more high priviliged accounts.

When a domain hint is provided, Entra will filter out all the accounts which don't belong to the tenant specified on the `domain_hint`.
In many cases, this will filter to a single account, avoiding the need to select an account at all (e.g. scenario 1 & 2).
This won't always happen (e.g. scenario 3).
Additionally in the case a tenant has been configured to federate authentication elsewhere (e.g. to an on premise AD FS), setting the domain hint means entra can send the user straight to the federated authentication soruce, removing further steps

If backstage is allowign authentication from multiple tenants, this field should be left blank.

For more details, see https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy

99% of the time, this value should be the same as the tenantId, so we could get rid of hte domain hint, and set it to the same value as the tenant id automatically.
We'd need to provide a config option (e.g. `isMultiTenant: true`) to opt out of this.
For those edge cases, this would be a breaking change.

I decided to go with specifying the `domain_hint` seperatly for now just in case my assumptions are wrong and there are more cases wher ehte `domain_hint` will get in the way.
We can always make this the default behaviour later on.

Signed-off-by: Alex Crome <afscrome@users.noreply.github.com>
2023-10-19 23:01:14 +01:00
Chris 2d8f7e82c1 auth-backend: migrate microsoft provider to separate module
Signed-off-by: Chris Gemmell <chris.gemmell8@gmail.com>
2023-09-23 15:26:40 +10:00