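/*
 * Copyright 2020 The Backstage Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import { HumanDuration } from '@backstage/types';

/**
 * Configuration schema for the auth plugin.
 *
 * Unless a field carries an explicit `@visibility` tag it is only readable by
 * the backend. Fields that hold wildcard defaults (`['*']`) are deliberately
 * permissive for first-run convenience and should be narrowed before a
 * deployment is exposed to untrusted networks.
 */
export interface Config {
  /** Configuration options for the auth plugin */
  auth?: {
    /**
     * The 'environment' attribute
     * @visibility frontend
     */
    environment?: string;

    session?: {
      /**
       * The secret attribute of session object.
       * Supply it from a secret store or environment substitution rather
       * than committing it to app-config.
       * @visibility secret
       */
      secret?: string;
    };

    /**
     * JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
     * Must match one of the algorithms defined for IdentityClient.
     * When setting a different algorithm, check if the `key` field
     * of the `signing_keys` table can fit the length of the generated keys.
     * If not, add a knex migration file in the migrations folder.
     * More info on supported algorithms: https://github.com/panva/jose
     */
    identityTokenAlgorithm?: string;

    /**
     * Whether to omit the entity ownership references (`ent`) claim from the
     * identity token. If this is enabled the `ent` claim will only be available
     * via the user info endpoint and the `UserInfoService`.
     *
     * Defaults to `false`.
     */
    omitIdentityTokenOwnershipClaim?: boolean;

    /** To control how to store JWK data in auth-backend */
    keyStore?: {
      provider?: 'database' | 'memory' | 'firestore' | 'static';

      firestore?: {
        /** The host to connect to */
        host?: string;
        /** The port to connect to */
        port?: number;
        /** Whether to use SSL when connecting. */
        ssl?: boolean;
        /** The Google Cloud Project ID */
        projectId?: string;
        /**
         * Local file containing the Service Account credentials.
         * You can omit this value to automatically read from
         * GOOGLE_APPLICATION_CREDENTIALS env which is useful for local
         * development.
         */
        keyFilename?: string;
        /** The path to use for the collection. Defaults to 'sessions' */
        path?: string;
        /** Timeout used for database operations. Defaults to 10000ms */
        timeout?: number;
      };

      static?: {
        /** Must be declared at least once and the first one will be used for signing */
        keys: Array<{
          /** Path to the public key file in the SPKI format */
          publicKeyFile: string;
          /**
           * Path to the matching private key file in the PKCS#8 format.
           * This key signs every issued token, so the file should be
           * readable only by the backend process.
           */
          privateKeyFile: string;
          /** id to uniquely identify this key within the JWK set */
          keyId: string;
          /**
           * JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
           * Must match the algorithm used to generate the keys in the provided files
           */
          algorithm?: string;
        }>;
      };
    };

    /**
     * The backstage token expiration.
     */
    backstageTokenExpiration?: HumanDuration | string;

    /**
     * Configuration for refresh tokens (offline access)
     * @visibility backend
     */
    experimentalRefreshToken?: {
      /**
       * Whether to enable refresh tokens
       * @default false
       * @visibility backend
       */
      enabled?: boolean;
      /**
       * Token lifetime before rotation required
       * @default '30 days'
       * @visibility backend
       */
      tokenLifetime?: HumanDuration | string;
      /**
       * Maximum session lifetime across all rotations.
       * This bounds how long a single sign-in can be kept alive by rotation
       * alone, independent of `tokenLifetime`.
       * @default '1 year'
       * @visibility backend
       */
      maxRotationLifetime?: HumanDuration | string;
      /**
       * Maximum number of refresh tokens per user
       * @default 20
       * @visibility backend
       */
      maxTokensPerUser?: number;
    };

    /**
     * Additional app origins to allow for authenticating.
     * Every origin listed here is trusted to take part in sign-in flows, so
     * list only origins you control.
     */
    experimentalExtraAllowedOrigins?: string[];

    /**
     * Configuration for dynamic client registration
     */
    experimentalDynamicClientRegistration?: {
      /**
       * Whether to enable dynamic client registration.
       * Defaults to false. When enabled, pair it with a restrictive
       * `allowedRedirectUriPatterns` so that self-registered clients cannot
       * claim arbitrary redirect targets.
       */
      enabled?: boolean;
      /**
       * A list of allowed URI patterns to use for redirect URIs during
       * dynamic client registration. Defaults to `['*']` which allows any
       * redirect URI; narrow this before exposing the endpoint.
       */
      allowedRedirectUriPatterns?: string[];
    };

    /**
     * Configuration for Client ID Metadata Documents (CIMD)
     *
     * @see https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/
     */
    experimentalClientIdMetadataDocuments?: {
      /**
       * Whether to enable Client ID Metadata Documents support
       * Defaults to false
       */
      enabled?: boolean;
      /**
       * A list of allowed URI patterns for client_id URLs.
       * Uses glob-style pattern matching where `*` matches any characters.
       * Defaults to ['*'] which allows any client_id URL. Because the
       * client_id URL is resolved to retrieve the metadata document, the
       * wildcard default lets any reachable URL be fetched; restrict it to
       * known client hosts in production.
       *
       * @example ['https://example.com/*', 'https://*.trusted-domain.com/*']
       */
      allowedClientIdPatterns?: string[];
      /**
       * A list of allowed URI patterns for redirect URIs.
       * Uses glob-style pattern matching where `*` matches any characters.
       * Defaults to ['*'] which allows any redirect URI; narrow it to the
       * redirect targets you expect.
       *
       * @example ['http://localhost:*', 'http://127.0.0.1:*\/callback']
       */
      allowedRedirectUriPatterns?: string[];
    };
  };
}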