Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
@backstage/plugin-auth-backend
0.19.0
Minor Changes
- 71114ac50e: BREAKING: The export for the new backend system has been moved to be the `default` export.

  For example, if you are currently importing the plugin using the following pattern:

  ```ts
  import { examplePlugin } from '@backstage/plugin-example-backend';

  backend.add(examplePlugin);
  ```

  It should be migrated to this:

  ```ts
  backend.add(import('@backstage/plugin-example-backend'));
  ```
Patch Changes
- 080cc77947: Migrated the GitLab auth provider to be implemented using the new `@backstage/plugin-auth-backend-module-gitlab-provider` module.
- 7944d43f47: Added `authPlugin` export for the new backend system. The plugin does not include any built-in auth providers, they must instead be added by installing additional modules, for example `authModuleGoogleProvider` from `@backstage/plugin-auth-backend-module-google-provider`.
- 8513cd7d00: Deprecated several exports that are now available from `@backstage/plugin-auth-node` instead.
- 7944d43f47: Added the ability to disable the built-in auth providers by passing `disableDefaultProviderFactories` to `createRouter`.
- 7944d43f47: The algorithm used when generating Backstage tokens can be configured via `auth.identityTokenAlgorithm`.
- Updated dependencies
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0
- @backstage/plugin-auth-backend-module-github-provider@0.1.0
- @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0
- @backstage/plugin-auth-backend-module-google-provider@0.1.0
- @backstage/plugin-auth-backend-module-oauth2-provider@0.1.0
- @backstage/backend-common@0.19.5
- @backstage/plugin-auth-node@0.3.0
- @backstage/config@1.1.0
- @backstage/catalog-client@1.4.4
- @backstage/catalog-model@1.4.2
- @backstage/errors@1.2.2
- @backstage/types@1.1.1
- @backstage/backend-plugin-api@0.6.3
- @backstage/plugin-catalog-node@1.4.4
0.19.0-next.3
Minor Changes
- 71114ac50e: BREAKING: The export for the new backend system has been moved to be the `default` export.

  For example, if you are currently importing the plugin using the following pattern:

  ```ts
  import { examplePlugin } from '@backstage/plugin-example-backend';

  backend.add(examplePlugin);
  ```

  It should be migrated to this:

  ```ts
  backend.add(import('@backstage/plugin-example-backend'));
  ```
Patch Changes
- Updated dependencies
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0-next.3
- @backstage/plugin-auth-backend-module-github-provider@0.1.0-next.3
- @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0-next.2
- @backstage/plugin-auth-backend-module-google-provider@0.1.0-next.3
- @backstage/plugin-auth-backend-module-oauth2-provider@0.1.0-next.0
- @backstage/catalog-client@1.4.4-next.2
- @backstage/catalog-model@1.4.2-next.2
- @backstage/config@1.1.0-next.2
- @backstage/errors@1.2.2-next.0
- @backstage/types@1.1.1-next.0
- @backstage/backend-plugin-api@0.6.3-next.3
- @backstage/backend-common@0.19.5-next.3
- @backstage/plugin-auth-node@0.3.0-next.3
- @backstage/plugin-catalog-node@1.4.4-next.3
0.18.9-next.2
Patch Changes
- Updated dependencies
- @backstage/config@1.1.0-next.1
- @backstage/backend-common@0.19.5-next.2
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0-next.2
- @backstage/plugin-auth-backend-module-github-provider@0.1.0-next.2
- @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0-next.1
- @backstage/plugin-auth-backend-module-google-provider@0.1.0-next.2
- @backstage/plugin-auth-node@0.3.0-next.2
- @backstage/plugin-catalog-node@1.4.4-next.2
- @backstage/backend-plugin-api@0.6.3-next.2
- @backstage/catalog-model@1.4.2-next.1
- @backstage/catalog-client@1.4.4-next.1
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
0.18.9-next.1
Patch Changes
- 080cc77947: Migrated the GitLab auth provider to be implemented using the new `@backstage/plugin-auth-backend-module-gitlab-provider` module.
- Updated dependencies
- @backstage/config@1.1.0-next.0
- @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0-next.0
- @backstage/plugin-auth-backend-module-github-provider@0.1.0-next.1
- @backstage/plugin-auth-backend-module-google-provider@0.1.0-next.1
- @backstage/backend-common@0.19.5-next.1
- @backstage/backend-plugin-api@0.6.3-next.1
- @backstage/catalog-model@1.4.2-next.0
- @backstage/plugin-auth-node@0.3.0-next.1
- @backstage/plugin-catalog-node@1.4.4-next.1
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0-next.1
- @backstage/catalog-client@1.4.4-next.0
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
0.18.8-next.0
Patch Changes
- 7944d43f47: Added `authPlugin` export for the new backend system. The plugin does not include any built-in auth providers, they must instead be added by installing additional modules, for example `authModuleGoogleProvider` from `@backstage/plugin-auth-backend-module-google-provider`.
- 8513cd7d00: Deprecated several exports that are now available from `@backstage/plugin-auth-node` instead.
- 7944d43f47: Added the ability to disable the built-in auth providers by passing `disableDefaultProviderFactories` to `createRouter`.
- 7944d43f47: The algorithm used when generating Backstage tokens can be configured via `auth.identityTokenAlgorithm`.
- Updated dependencies
- @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0-next.0
- @backstage/plugin-auth-node@0.3.0-next.0
- @backstage/backend-common@0.19.4-next.0
- @backstage/plugin-auth-backend-module-google-provider@0.1.0-next.0
- @backstage/plugin-auth-backend-module-github-provider@0.1.0-next.0
- @backstage/backend-plugin-api@0.6.2-next.0
- @backstage/catalog-client@1.4.3
- @backstage/catalog-model@1.4.1
- @backstage/config@1.0.8
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
- @backstage/plugin-catalog-node@1.4.3-next.0
0.18.6
Patch Changes
- 16452cd007: Updated `frameHandler` to return `undefined` when using the redirect flow instead of returning `postMessageReponse` which was causing errors
- 9dad4b0e61: Updated config schema to match what was being used in code
- bb70a9c388: Add frontend visibility to provider objects in `auth` config.
- Updated dependencies
- @backstage/backend-common@0.19.2
- @backstage/plugin-auth-node@0.2.17
- @backstage/catalog-client@1.4.3
- @backstage/catalog-model@1.4.1
- @backstage/config@1.0.8
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
0.18.6-next.2
Patch Changes
- 16452cd007: Updated `frameHandler` to return `undefined` when using the redirect flow instead of returning `postMessageReponse` which was causing errors
- bb70a9c388: Add frontend visibility to provider objects in `auth` config.
- Updated dependencies
- @backstage/backend-common@0.19.2-next.2
- @backstage/plugin-auth-node@0.2.17-next.2
0.18.6-next.1
Patch Changes
- 9dad4b0e61: Updated config schema to match what was being used in code
- Updated dependencies
- @backstage/backend-common@0.19.2-next.1
- @backstage/plugin-auth-node@0.2.17-next.1
- @backstage/catalog-client@1.4.3
- @backstage/catalog-model@1.4.1
- @backstage/config@1.0.8
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
0.18.6-next.0
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.19.2-next.0
- @backstage/catalog-client@1.4.3
- @backstage/catalog-model@1.4.1
- @backstage/config@1.0.8
- @backstage/errors@1.2.1
- @backstage/types@1.1.0
- @backstage/plugin-auth-node@0.2.17-next.0
0.18.5
Patch Changes
- c27ae5004f: Support for Token Endpoint Auth Method for OIDC Provider
- Updated dependencies
- @backstage/errors@1.2.1
- @backstage/backend-common@0.19.1
- @backstage/catalog-client@1.4.3
- @backstage/catalog-model@1.4.1
- @backstage/config@1.0.8
- @backstage/types@1.1.0
- @backstage/plugin-auth-node@0.2.16
0.18.5-next.1
Patch Changes
- c27ae5004f: Support for Token Endpoint Auth Method for OIDC Provider
- Updated dependencies
- @backstage/config@1.0.8
0.18.5-next.0
Patch Changes
- Updated dependencies
- @backstage/errors@1.2.1-next.0
- @backstage/backend-common@0.19.1-next.0
- @backstage/catalog-client@1.4.3-next.0
- @backstage/catalog-model@1.4.1-next.0
- @backstage/config@1.0.8
- @backstage/types@1.1.0
- @backstage/plugin-auth-node@0.2.16-next.0
0.18.4
Patch Changes
- d0f5b0c886: Set the expiration time of oidc `idToken` to be less than backstage session expiration time.
- Updated dependencies
- @backstage/backend-common@0.19.0
- @backstage/catalog-client@1.4.2
- @backstage/types@1.1.0
- @backstage/catalog-model@1.4.0
- @backstage/errors@1.2.0
- @backstage/plugin-auth-node@0.2.15
- @backstage/config@1.0.8
0.18.4-next.3
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.19.0-next.2
- @backstage/catalog-model@1.4.0-next.1
- @backstage/catalog-client@1.4.2-next.2
- @backstage/config@1.0.7
- @backstage/errors@1.2.0-next.0
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.15-next.2
0.18.4-next.2
Patch Changes
- d0f5b0c886: Set the expiration time of oidc `idToken` to be less than backstage session expiration time.
- Updated dependencies
- @backstage/config@1.0.7
0.18.4-next.1
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.19.0-next.1
- @backstage/errors@1.2.0-next.0
- @backstage/catalog-model@1.4.0-next.0
- @backstage/plugin-auth-node@0.2.15-next.1
- @backstage/catalog-client@1.4.2-next.1
- @backstage/config@1.0.7
- @backstage/types@1.0.2
0.18.4-next.0
Patch Changes
- Updated dependencies
- @backstage/catalog-client@1.4.2-next.0
- @backstage/backend-common@0.18.6-next.0
- @backstage/config@1.0.7
- @backstage/catalog-model@1.3.0
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.15-next.0
0.18.3
Patch Changes
- 7c116bcac7: Fixed the way that some request errors are thrown
- 473db605a4: Fix config schema definition.
- 3ffcdac7d0: Added a persistent session store through the database
- Updated dependencies
- @backstage/backend-common@0.18.5
- @backstage/plugin-auth-node@0.2.14
- @backstage/catalog-client@1.4.1
- @backstage/catalog-model@1.3.0
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
0.18.3-next.2
Patch Changes
- 3ffcdac7d0: Added a persistent session store through the database
- Updated dependencies
- @backstage/config@1.0.7
0.18.3-next.1
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.5-next.1
- @backstage/plugin-auth-node@0.2.14-next.1
- @backstage/config@1.0.7
0.18.3-next.0
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.5-next.0
- @backstage/plugin-auth-node@0.2.14-next.0
- @backstage/catalog-client@1.4.1
- @backstage/catalog-model@1.3.0
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
0.18.2
Patch Changes
- d8f774c30d: Enforce the secret visibility of certificates and client secrets in the auth backend. Also, document all known options for each auth plugin.
- 7908d72e03: Introduce a new global config parameter, `auth.enableExperimentalRedirectFlow`. When enabled, auth will happen with an in-window redirect flow rather than through a popup window.
- 475abd1dc3: The `microsoft` (i.e. Azure) auth provider now supports negotiating tokens for Azure resources besides Microsoft Graph (e.g. AKS, Virtual Machines, Machine Learning Services, etc.). When the `/frame/handler` endpoint is called with an authorization code for a non-Microsoft Graph scope, the user profile will not be fetched. Similarly no user profile or photo data will be fetched by the backend if the `/refresh` endpoint is called with the `scope` query parameter strictly containing scopes for resources besides Microsoft Graph.

  Furthermore, the `offline_access` scope will be requested by default, even when it is not mentioned in the argument to `getAccessToken`. This means that any Azure access token can be automatically refreshed, even if the user has not signed in via Azure.
- 6a90095133: Add common identify resolvers for `oidc` auth provider.
- a0ef1ec734: Export Azure Easy Auth provider so it can actually be used.
- e0c6e8b9c3: Update peer dependencies
- Updated dependencies
- @backstage/backend-common@0.18.4
- @backstage/catalog-client@1.4.1
- @backstage/catalog-model@1.3.0
- @backstage/plugin-auth-node@0.2.13
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
0.18.2-next.3
Patch Changes
- 475abd1dc3: The `microsoft` (i.e. Azure) auth provider now supports negotiating tokens for Azure resources besides Microsoft Graph (e.g. AKS, Virtual Machines, Machine Learning Services, etc.). When the `/frame/handler` endpoint is called with an authorization code for a non-Microsoft Graph scope, the user profile will not be fetched. Similarly no user profile or photo data will be fetched by the backend if the `/refresh` endpoint is called with the `scope` query parameter strictly containing scopes for resources besides Microsoft Graph.

  Furthermore, the `offline_access` scope will be requested by default, even when it is not mentioned in the argument to `getAccessToken`. This means that any Azure access token can be automatically refreshed, even if the user has not signed in via Azure.
- 6a90095133: Add common identify resolvers for `oidc` auth provider.
- a0ef1ec734: Export Azure Easy Auth provider so it can actually be used.
- Updated dependencies
- @backstage/catalog-model@1.3.0-next.0
- @backstage/backend-common@0.18.4-next.2
- @backstage/catalog-client@1.4.1-next.1
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.13-next.2
0.18.2-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.4-next.2
- @backstage/catalog-client@1.4.1-next.0
- @backstage/catalog-model@1.2.1
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.13-next.2
0.18.2-next.1
Patch Changes
- e0c6e8b9c3: Update peer dependencies
- Updated dependencies
- @backstage/backend-common@0.18.4-next.1
- @backstage/catalog-client@1.4.0
- @backstage/catalog-model@1.2.1
- @backstage/config@1.0.7
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.13-next.1
0.18.2-next.0
Patch Changes
- d8f774c30d: Enforce the secret visibility of certificates and client secrets in the auth backend. Also, document all known options for each auth plugin.
- 7908d72e03: Introduce a new global config parameter, `auth.enableExperimentalRedirectFlow`. When enabled, auth will happen with an in-window redirect flow rather than through a popup window.
- Updated dependencies
- @backstage/backend-common@0.18.4-next.0
- @backstage/config@1.0.7
- @backstage/catalog-client@1.4.0
- @backstage/catalog-model@1.2.1
- @backstage/errors@1.1.5
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.13-next.0
0.18.1
Patch Changes
- e262738b8a: Handle difference in expiration time between Microsoft session and Backstage session which caused the Backstage token to be invalid during a time frame.
- 86cece2c1f: Updated dependency `@types/passport-microsoft` to `^1.0.0`.
- 52b0022dab: Updated dependency `msw` to `^1.0.0`.
- 529de8c421: Added authentication provider for Azure Easy Authentication.
- Updated dependencies
- @backstage/catalog-client@1.4.0
- @backstage/plugin-auth-node@0.2.12
- @backstage/backend-common@0.18.3
- @backstage/errors@1.1.5
- @backstage/catalog-model@1.2.1
- @backstage/config@1.0.7
- @backstage/types@1.0.2
0.18.1-next.2
Patch Changes
- Updated dependencies
- @backstage/plugin-auth-node@0.2.12-next.2
- @backstage/backend-common@0.18.3-next.2
- @backstage/config@1.0.7-next.0
0.18.1-next.1
Patch Changes
- 86cece2c1f: Updated dependency `@types/passport-microsoft` to `^1.0.0`.
- 52b0022dab: Updated dependency `msw` to `^1.0.0`.
- Updated dependencies
- @backstage/errors@1.1.5-next.0
- @backstage/backend-common@0.18.3-next.1
- @backstage/catalog-client@1.4.0-next.1
- @backstage/plugin-auth-node@0.2.12-next.1
- @backstage/config@1.0.7-next.0
- @backstage/catalog-model@1.2.1-next.1
- @backstage/types@1.0.2
0.18.1-next.0
Patch Changes
- 529de8c421: Added authentication provider for Azure Easy Authentication.
- Updated dependencies
- @backstage/catalog-client@1.4.0-next.0
- @backstage/backend-common@0.18.3-next.0
- @backstage/catalog-model@1.2.1-next.0
- @backstage/config@1.0.6
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.12-next.0
0.18.0
Minor Changes
- db10b6ef65: Added a Bitbucket Server Auth Provider and added its API to the app defaults
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.2
- @backstage/catalog-model@1.2.0
- @backstage/catalog-client@1.3.1
- @backstage/config@1.0.6
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.11
0.17.5-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.2-next.2
- @backstage/catalog-model@1.2.0-next.1
- @backstage/plugin-auth-node@0.2.11-next.2
- @backstage/catalog-client@1.3.1-next.1
- @backstage/config@1.0.6
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
0.17.5-next.1
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.2-next.1
- @backstage/catalog-client@1.3.1-next.0
- @backstage/catalog-model@1.1.6-next.0
- @backstage/config@1.0.6
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.11-next.1
0.17.5-next.0
Patch Changes
- Updated dependencies
- @backstage/catalog-model@1.1.6-next.0
- @backstage/backend-common@0.18.2-next.0
- @backstage/catalog-client@1.3.1-next.0
- @backstage/plugin-auth-node@0.2.11-next.0
0.17.3
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.0
- @backstage/catalog-model@1.1.5
- @backstage/catalog-client@1.3.0
- @backstage/config@1.0.6
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.9
0.17.3-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.0-next.1
- @backstage/catalog-client@1.3.0-next.2
- @backstage/plugin-auth-node@0.2.9-next.1
- @backstage/catalog-model@1.1.5-next.1
- @backstage/config@1.0.6-next.0
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
0.17.3-next.1
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.18.0-next.0
- @backstage/config@1.0.6-next.0
- @backstage/catalog-client@1.3.0-next.1
- @backstage/catalog-model@1.1.5-next.1
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.9-next.0
0.17.3-next.0
Patch Changes
- Updated dependencies
- @backstage/catalog-model@1.1.5-next.0
- @backstage/catalog-client@1.3.0-next.0
- @backstage/backend-common@0.17.0
- @backstage/config@1.0.5
- @backstage/errors@1.1.4
- @backstage/types@1.0.2
- @backstage/plugin-auth-node@0.2.8
0.17.2
Patch Changes
- 3280711113: Updated dependency `msw` to `^0.49.0`.
- Updated dependencies
- @backstage/catalog-client@1.2.0
- @backstage/backend-common@0.17.0
- @backstage/errors@1.1.4
- @backstage/plugin-auth-node@0.2.8
- @backstage/types@1.0.2
- @backstage/catalog-model@1.1.4
- @backstage/config@1.0.5
0.17.2-next.3
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.17.0-next.3
- @backstage/catalog-client@1.2.0-next.1
- @backstage/catalog-model@1.1.4-next.1
- @backstage/config@1.0.5-next.1
- @backstage/errors@1.1.4-next.1
- @backstage/types@1.0.2-next.1
- @backstage/plugin-auth-node@0.2.8-next.3
0.17.2-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.17.0-next.2
- @backstage/plugin-auth-node@0.2.8-next.2
- @backstage/catalog-client@1.2.0-next.1
- @backstage/catalog-model@1.1.4-next.1
- @backstage/config@1.0.5-next.1
- @backstage/errors@1.1.4-next.1
- @backstage/types@1.0.2-next.1
0.17.2-next.1
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.17.0-next.1
- @backstage/types@1.0.2-next.1
- @backstage/plugin-auth-node@0.2.8-next.1
- @backstage/config@1.0.5-next.1
- @backstage/catalog-client@1.2.0-next.1
- @backstage/catalog-model@1.1.4-next.1
- @backstage/errors@1.1.4-next.1
0.17.2-next.0
Patch Changes
- 3280711113: Updated dependency `msw` to `^0.49.0`.
- Updated dependencies
- @backstage/catalog-client@1.2.0-next.0
- @backstage/backend-common@0.16.1-next.0
- @backstage/plugin-auth-node@0.2.8-next.0
- @backstage/types@1.0.2-next.0
- @backstage/catalog-model@1.1.4-next.0
- @backstage/config@1.0.5-next.0
- @backstage/errors@1.1.4-next.0
0.17.1
Patch Changes
- 0d6837ca4e: Fix wrong GitHub callback URL documentation
- cbe11d1e23: Tweak README
- 89d705e806: Add support for custom JWT header name in GCP IAP auth.
- abaed9770e: Improve logging
- d80833fe0c: Inject optional `CatalogApi` into auth-backend `createRouter` function. This will enable developers to use customized `CatalogApi` when creating the router.
- Updated dependencies
- @backstage/backend-common@0.16.0
- @backstage/catalog-model@1.1.3
- @backstage/plugin-auth-node@0.2.7
- @backstage/types@1.0.1
- @backstage/catalog-client@1.1.2
- @backstage/config@1.0.4
- @backstage/errors@1.1.3
0.17.1-next.1
Patch Changes
- 0d6837ca4e: Fix wrong GitHub callback URL documentation
- abaed9770e: Improve logging
- Updated dependencies
- @backstage/backend-common@0.16.0-next.1
- @backstage/plugin-auth-node@0.2.7-next.1
- @backstage/catalog-client@1.1.2-next.0
- @backstage/catalog-model@1.1.3-next.0
- @backstage/config@1.0.4-next.0
- @backstage/errors@1.1.3-next.0
- @backstage/types@1.0.1-next.0
0.17.1-next.0
Patch Changes
- cbe11d1e23: Tweak README
- Updated dependencies
- @backstage/backend-common@0.16.0-next.0
- @backstage/catalog-model@1.1.3-next.0
- @backstage/plugin-auth-node@0.2.7-next.0
- @backstage/types@1.0.1-next.0
- @backstage/catalog-client@1.1.2-next.0
- @backstage/config@1.0.4-next.0
- @backstage/errors@1.1.3-next.0
0.17.0
Minor Changes
- e2dc42e9f0: Google OAuth refresh tokens will now be revoked on logout by calling Google's API
- 5fa831ce55: CookieConfigurer can optionally return the `SameSite` cookie attribute. CookieConfigurer now requires an additional argument `appOrigin` - the origin URL of the app - which is used to calculate the `SameSite` attribute. defaultCookieConfigurer returns the `SameSite` attribute which defaults to `Lax`. In cases where an auth-backend is running on a different domain than the App, `SameSite=None` is used - but only for secure contexts. This is so that cookies can be included in third-party requests.

  OAuthAdapterOptions has been modified to require additional arguments, `baseUrl`, and `cookieConfigurer`. OAuthAdapter now resolves cookie configuration using its supplied CookieConfigurer for each request to make sure that the proper attributes always are set.
Patch Changes
- b5c126010c: Auth0 provider now supports optional `connection` and `connectionScope` parameters to configure social identity providers.
- 8c6ec175bf: Fix GitLab provider setup so that it supports GitLab installations with a path in the URL.
- Updated dependencies
- @backstage/catalog-model@1.1.2
- @backstage/backend-common@0.15.2
- @backstage/plugin-auth-node@0.2.6
- @backstage/catalog-client@1.1.1
- @backstage/config@1.0.3
- @backstage/errors@1.1.2
- @backstage/types@1.0.0
0.17.0-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.15.2-next.2
- @backstage/plugin-auth-node@0.2.6-next.2
- @backstage/catalog-client@1.1.1-next.2
- @backstage/catalog-model@1.1.2-next.2
- @backstage/config@1.0.3-next.2
- @backstage/errors@1.1.2-next.2
- @backstage/types@1.0.0
0.17.0-next.1
Minor Changes
- e2dc42e9f0: Google OAuth refresh tokens will now be revoked on logout by calling Google's API
Patch Changes
- b5c126010c: Auth0 provider now supports optional `connection` and `connectionScope` parameters to configure social identity providers.
- Updated dependencies
- @backstage/catalog-client@1.1.1-next.1
- @backstage/backend-common@0.15.2-next.1
- @backstage/catalog-model@1.1.2-next.1
- @backstage/config@1.0.3-next.1
- @backstage/errors@1.1.2-next.1
- @backstage/types@1.0.0
- @backstage/plugin-auth-node@0.2.6-next.1
0.17.0-next.0
Minor Changes
- 5fa831ce55: CookieConfigurer can optionally return the `SameSite` cookie attribute. CookieConfigurer now requires an additional argument `appOrigin` - the origin URL of the app - which is used to calculate the `SameSite` attribute. defaultCookieConfigurer returns the `SameSite` attribute which defaults to `Lax`. In cases where an auth-backend is running on a different domain than the App, `SameSite=None` is used - but only for secure contexts. This is so that cookies can be included in third-party requests.

  OAuthAdapterOptions has been modified to require additional arguments, `baseUrl`, and `cookieConfigurer`. OAuthAdapter now resolves cookie configuration using its supplied CookieConfigurer for each request to make sure that the proper attributes always are set.
Patch Changes
- 8c6ec175bf: Fix GitLab provider setup so that it supports GitLab installations with a path in the URL.
- Updated dependencies
- @backstage/catalog-model@1.1.2-next.0
- @backstage/catalog-client@1.1.1-next.0
- @backstage/backend-common@0.15.2-next.0
- @backstage/plugin-auth-node@0.2.6-next.0
- @backstage/config@1.0.3-next.0
- @backstage/errors@1.1.2-next.0
- @backstage/types@1.0.0
0.16.0
Minor Changes
- 2fc41ebf07: Removed the previously deprecated class `AtlassianAuthProvider`. Please use `providers.atlassian.create(...)` instead.
- a291688bc5: Renamed the `RedirectInfo` type to `OAuthStartResponse`
- 8600855fbf: The auth0 integration is updated to use the `passport-auth0` library. The configuration under `auth.providers.auth0.*` now supports an optional `audience` parameter; providing that allows you to connect to the correct API to get permissions, access tokens, and full profile information.
Patch Changes
- 5b011fb2e6: Allow adding misc claims to JWT
- d669d89206: Minor API signatures cleanup
- 667d917488: Updated dependency `msw` to `^0.47.0`.
- 87ec2ba4d6: Updated dependency `msw` to `^0.46.0`.
- bf5e9030eb: Updated dependency `msw` to `^0.45.0`.
- e1ebaeb332: Cloudflare Access Provider: Add JWT to CloudflareAccessResult
- Updated dependencies
- @backstage/backend-common@0.15.1
- @backstage/plugin-auth-node@0.2.5
- @backstage/catalog-client@1.1.0
- @backstage/catalog-model@1.1.1
- @backstage/config@1.0.2
- @backstage/errors@1.1.1
0.16.0-next.3
Minor Changes
- 8600855fbf: The auth0 integration is updated to use the `passport-auth0` library. The configuration under `auth.providers.auth0.*` now supports an optional `audience` parameter; providing that allows you to connect to the correct API to get permissions, access tokens, and full profile information.
Patch Changes
- Updated dependencies
- @backstage/catalog-client@1.1.0-next.2
- @backstage/catalog-model@1.1.1-next.0
- @backstage/config@1.0.2-next.0
- @backstage/errors@1.1.1-next.0
- @backstage/backend-common@0.15.1-next.3
- @backstage/plugin-auth-node@0.2.5-next.3
0.16.0-next.2
Patch Changes
- 667d917488: Updated dependency `msw` to `^0.47.0`.
- 87ec2ba4d6: Updated dependency `msw` to `^0.46.0`.
- Updated dependencies
- @backstage/backend-common@0.15.1-next.2
- @backstage/plugin-auth-node@0.2.5-next.2
- @backstage/catalog-client@1.0.5-next.1
0.16.0-next.1
Minor Changes
- 2fc41ebf07: Removed the previously deprecated class `AtlassianAuthProvider`. Please use `providers.atlassian.create(...)` instead.
- a291688bc5: Renamed the `RedirectInfo` type to `OAuthStartResponse`
Patch Changes
- d669d89206: Minor API signatures cleanup
- e1ebaeb332: Cloudflare Access Provider: Add JWT to CloudflareAccessResult
- Updated dependencies
- @backstage/plugin-auth-node@0.2.5-next.1
- @backstage/backend-common@0.15.1-next.1
0.15.2-next.0
Patch Changes
- bf5e9030eb: Updated dependency `msw` to `^0.45.0`.
- Updated dependencies
- @backstage/backend-common@0.15.1-next.0
- @backstage/catalog-client@1.0.5-next.0
- @backstage/plugin-auth-node@0.2.5-next.0
0.15.1
Patch Changes
- c676a9e07b: Fixed a bug in auth plugin on the backend where it ignores the skip migration database options when using the database provider.
- 2d7d6028e1: Updated dependency `@google-cloud/firestore` to `^6.0.0`.
- Updated dependencies
- @backstage/backend-common@0.15.0
- @backstage/plugin-auth-node@0.2.4
0.15.1-next.1
Patch Changes
- 2d7d6028e1: Updated dependency `@google-cloud/firestore` to `^6.0.0`.
0.15.1-next.0
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.15.0-next.0
- @backstage/plugin-auth-node@0.2.4-next.0
0.15.0
Minor Changes
- 9d4040777e: BREAKING: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.

  BREAKING: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.

  BREAKING: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.

  DEPRECATION: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
- fe8e025af5: Allowed post method on /refresh path
Patch Changes
- 3cedfd8365: add Cloudflare Access auth provider to auth-backend
- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
- 8e03db907a: Auth provider now also export createAuthProviderIntegration
- a70869e775: Updated dependency `msw` to `^0.43.0`.
- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
- 8006d0f9bf: Updated dependency `msw` to `^0.44.0`.
- 679b32172e: Updated dependency `knex` to `^2.0.0`.
- 859346bfbb: Updated dependency `google-auth-library` to `^8.0.0`.
- 3a014730dc: Add new config option for okta auth server and IDP
- Updated dependencies
- @backstage/backend-common@0.14.1
- @backstage/catalog-model@1.1.0
- @backstage/catalog-client@1.0.4
- @backstage/plugin-auth-node@0.2.3
- @backstage/errors@1.1.0
0.15.0-next.3
Minor Changes
- fe8e025af5: Allowed post method on /refresh path
Patch Changes
- a70869e775: Updated dependency `msw` to `^0.43.0`.
- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
- 3a014730dc: Add new config option for okta auth server and IDP
- Updated dependencies
- @backstage/backend-common@0.14.1-next.3
- @backstage/catalog-client@1.0.4-next.2
- @backstage/plugin-auth-node@0.2.3-next.2
- @backstage/catalog-model@1.1.0-next.3
0.15.0-next.2
Patch Changes
- 8e03db907a: Auth provider now also export createAuthProviderIntegration
- 679b32172e: Updated dependency `knex` to `^2.0.0`.
- Updated dependencies
- @backstage/catalog-model@1.1.0-next.2
- @backstage/backend-common@0.14.1-next.2
0.15.0-next.1
Minor Changes
- 9d4040777e: BREAKING: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.

  BREAKING: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.

  BREAKING: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.

  DEPRECATION: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
Patch Changes
- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
- Updated dependencies
- @backstage/catalog-model@1.1.0-next.1
- @backstage/backend-common@0.14.1-next.1
- @backstage/errors@1.1.0-next.0
- @backstage/catalog-client@1.0.4-next.1
- @backstage/plugin-auth-node@0.2.3-next.1
0.14.2-next.0
Patch Changes
- 859346bfbb: Updated dependency `google-auth-library` to `^8.0.0`.
- Updated dependencies
- @backstage/backend-common@0.14.1-next.0
- @backstage/catalog-model@1.1.0-next.0
- @backstage/plugin-auth-node@0.2.3-next.0
- @backstage/catalog-client@1.0.4-next.0
0.14.1
Patch Changes
- 5e055079f0: Increased key field size for signing_keys table to account for larger signature keys
- f6aae90e4e: Added configurable algorithm field for TokenFactory
- 8f7b1835df: Updated dependency `msw` to `^0.41.0`.
- bc6fb57094: Updated dependency `passport` to `^0.6.0`.
- 467facc6ea: Fix improper binding of 'this' in ALB Auth provider
- Updated dependencies
- @backstage/backend-common@0.14.0
- @backstage/plugin-auth-node@0.2.2
- @backstage/catalog-client@1.0.3
- @backstage/catalog-model@1.0.3
0.14.1-next.2
Patch Changes
- bc6fb57094: Updated dependency `passport` to `^0.6.0`.
- Updated dependencies
- @backstage/backend-common@0.14.0-next.2
- @backstage/plugin-auth-node@0.2.2-next.2
0.14.1-next.1
Patch Changes
- 5e055079f0: Increased key field size for signing_keys table to account for larger signature keys
- 8f7b1835df: Updated dependency `msw` to `^0.41.0`.
- 467facc6ea: Fix improper binding of 'this' in ALB Auth provider
- Updated dependencies
- @backstage/backend-common@0.13.6-next.1
- @backstage/catalog-client@1.0.3-next.0
- @backstage/plugin-auth-node@0.2.2-next.1
- @backstage/catalog-model@1.0.3-next.0
0.14.1-next.0
Patch Changes
- f6aae90e4e: Added configurable algorithm field for TokenFactory
- Updated dependencies
- @backstage/backend-common@0.13.6-next.0
- @backstage/plugin-auth-node@0.2.2-next.0
0.14.0
Minor Changes
- 2df2f01a29: Removed the explicit `disableRefresh` option from `OAuthAdapter`. Refresh can still be disabled for a provider by not implementing the `refresh` method.
Patch Changes
- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.

  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.

  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
- 2df2f01a29: The Auth0 adapter no longer disables session refreshing.
- cfc0f19699: Updated dependency `fs-extra` to `10.1.0`.
- 787ae0d541: Add more common predefined sign-in resolvers to auth providers.

  Add the existing resolver to more providers (already available at `google`):

  - `providers.microsoft.resolvers.emailLocalPartMatchingUserEntityName()`
  - `providers.okta.resolvers.emailLocalPartMatchingUserEntityName()`

  Add a new resolver for simple email-to-email matching:

  - `providers.google.resolvers.emailMatchingUserEntityProfileEmail()`
  - `providers.microsoft.resolvers.emailMatchingUserEntityProfileEmail()`
  - `providers.okta.resolvers.emailMatchingUserEntityProfileEmail()`
- 9ec4e0613e: Update to `jose` 4.6.0
- Updated dependencies
- @backstage/backend-common@0.13.3
- @backstage/config@1.0.1
- @backstage/plugin-auth-node@0.2.1
- @backstage/catalog-client@1.0.2
- @backstage/catalog-model@1.0.2
0.13.1-next.2
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.13.3-next.2
- @backstage/config@1.0.1-next.0
- @backstage/catalog-model@1.0.2-next.0
- @backstage/plugin-auth-node@0.2.1-next.1
- @backstage/catalog-client@1.0.2-next.0
0.13.1-next.1
Patch Changes
- cac3ba68a2: Fixed a bug that was introduced in `0.13.1-next.0` which caused the `ent` claim of issued tokens to be dropped.
- 5d268623dd: Updates the OAuth2 Proxy provider to require less infrastructure configuration.

  The auth result object of the OAuth2 Proxy now provides access to the request headers, both through the `headers` object as well as `getHeader` method. The existing logic that parses and extracts the user information from ID tokens is deprecated and will be removed in a future release. See the OAuth2 Proxy provider documentation for more details.

  The OAuth2 Proxy provider now also has a default `authHandler` implementation that reads the display name and email from the incoming request headers.
- Updated dependencies
- @backstage/backend-common@0.13.3-next.1
0.13.1-next.0
Patch Changes
- cfc0f19699: Updated dependency `fs-extra` to `10.1.0`.
- 787ae0d541: Add more common predefined sign-in resolvers to auth providers.

  Add the existing resolver to more providers (already available at `google`):

  - `providers.microsoft.resolvers.emailLocalPartMatchingUserEntityName()`
  - `providers.okta.resolvers.emailLocalPartMatchingUserEntityName()`

  Add a new resolver for simple email-to-email matching:

  - `providers.google.resolvers.emailMatchingUserEntityProfileEmail()`
  - `providers.microsoft.resolvers.emailMatchingUserEntityProfileEmail()`
  - `providers.okta.resolvers.emailMatchingUserEntityProfileEmail()`
- 9ec4e0613e: Update to `jose` 4.6.0
- Updated dependencies
- @backstage/backend-common@0.13.3-next.0
- @backstage/plugin-auth-node@0.2.1-next.0
0.13.0
Minor Changes
- 15d3a3c39a: BREAKING: All sign-in resolvers must now return a `token` in their sign-in result. Returning an `id` is no longer supported.
- c5aeaf339d: BREAKING: All auth providers have had their default sign-in resolvers removed. This means that if you want to use a particular provider for sign-in, you must provide an explicit sign-in resolver. For more information on how to configure sign-in resolvers, see the sign-in resolver documentation.
Patch Changes
- c5aeaf339d: DEPRECATION: The `AuthProviderFactoryOptions` type has been deprecated, as the options are now instead inlined in the `AuthProviderFactory` type. This will make it possible to more easily introduce new options in the future without a possibly breaking change.
- 794f7542b6: Updated openid-client from 4.1.2 to 5.1.3
- c5aeaf339d: DEPRECATION: The `getEntityClaims` helper has been deprecated, with `getDefaultOwnershipEntityRefs` being added to replace it.
- de231e5b06: Declare oauth2 `clientSecret` with visibility secret
- c5aeaf339d: DEPRECATION: All `create<Provider>Provider` and `<provider>*SignInResolver` have been deprecated. Instead, a single `providers` object is exported which contains all built-in auth providers.

  If you have a setup that currently looks for example like this:

  ```ts
  import {
    createRouter,
    defaultAuthProviderFactories,
    createGoogleProvider,
    googleEmailSignInResolver,
  } from '@backstage/plugin-auth-backend';
  import { Router } from 'express';
  import { PluginEnvironment } from '../types';

  export default async function createPlugin(
    env: PluginEnvironment,
  ): Promise<Router> {
    return await createRouter({
      ...env,
      providerFactories: {
        ...defaultAuthProviderFactories,
        google: createGoogleProvider({
          signIn: {
            resolver: googleEmailSignInResolver,
          },
        }),
      },
    });
  }
  ```

  You would migrate it to something like this:

  ```ts
  import {
    createRouter,
    providers,
    defaultAuthProviderFactories,
  } from '@backstage/plugin-auth-backend';
  import { Router } from 'express';
  import { PluginEnvironment } from '../types';

  export default async function createPlugin(
    env: PluginEnvironment,
  ): Promise<Router> {
    return await createRouter({
      ...env,
      providerFactories: {
        ...defaultAuthProviderFactories,
        google: providers.google.create({
          signIn: {
            resolver:
              providers.google.resolvers.emailMatchingUserEntityAnnotation(),
          },
        }),
      },
    });
  }
  ```
- 2cc1d1b235: Applied the fix from version 0.12.3 of this package, which is part of the v1.0.1 release of Backstage.
- c5aeaf339d: DEPRECATION: The `AuthResolverContext`, which is the context used by auth handlers and sign-in resolvers, has received a number of changes.

  The following fields are deprecated: `logger`, `tokenIssuer`, `catalogIdentityClient`. If you need to access the `logger`, you can do so through a closure instead. The `tokenIssuer` has been replaced with an `issueToken` method, which is available directly on the context. The `catalogIdentityClient` has been replaced by the `signInWithCatalogUser` method, as well as the lower level `findCatalogUser` method and `getDefaultOwnershipEntityRefs` helper.

  It should be possible to migrate most sign-in resolvers to more or less only use `signInWithCatalogUser`, for example an email lookup resolver like this one:

  ```ts
  async ({ profile }, ctx) => {
    if (!profile.email) {
      throw new Error('Profile contained no email');
    }

    const entity = await ctx.catalogIdentityClient.findUser({
      annotations: {
        'acme.org/email': profile.email,
      },
    });

    const claims = getEntityClaims(entity);
    const token = await ctx.tokenIssuer.issueToken({ claims });

    return { id: entity.metadata.name, entity, token };
  };
  ```

  can be migrated to the following:

  ```ts
  async ({ profile }, ctx) => {
    if (!profile.email) {
      throw new Error('Profile contained no email');
    }

    return ctx.signInWithCatalogUser({
      annotations: {
        'acme.org/email': profile.email,
      },
    });
  };
  ```

  While a direct entity name lookup using a user ID might look like this:

  ```ts
  async ({ result: { fullProfile } }, ctx) => {
    return ctx.signInWithCatalogUser({
      entityRef: {
        name: fullProfile.userId,
      },
    });
  };
  ```

  If you want more control over the way that users are looked up, ownership is assigned, or tokens are issued, you can use a combination of the `findCatalogUser`, `getDefaultOwnershipEntityRefs`, and `issueToken` instead.
- f4cdf4cac1: Defensively encode URL parameters when fetching ELB keys
- 6ee04078e1: DEPRECATION: The `tokenIssuer` option for `OAuthAdapter` is no longer needed and has been deprecated.
- a45bce06e3: Handle trailing slashes on GitHub `enterpriseInstanceUrl` settings
- 45f7a261c7: Bumped passport-microsoft to resolve CVE-2021-41580
- c5aeaf339d: Added exports of the following types: `AuthProviderConfig`, `StateEncoder`, `TokenParams`, `AwsAlbResult`.
- Updated dependencies
- @backstage/catalog-model@1.0.1
- @backstage/plugin-auth-node@0.2.0
- @backstage/backend-common@0.13.2
- @backstage/catalog-client@1.0.1
0.13.0-next.2
Minor Changes
- c5aeaf339d: BREAKING: All auth providers have had their default sign-in resolvers removed. This means that if you want to use a particular provider for sign-in, you must provide an explicit sign-in resolver. For more information on how to configure sign-in resolvers, see the sign-in resolver documentation.
Patch Changes
- c5aeaf339d: DEPRECATION: The `AuthProviderFactoryOptions` type has been deprecated, as the options are now instead inlined in the `AuthProviderFactory` type. This will make it possible to more easily introduce new options in the future without a possibly breaking change.
- 794f7542b6: Updated openid-client from 4.1.2 to 5.1.3
- c5aeaf339d: DEPRECATION: The `getEntityClaims` helper has been deprecated, with `getDefaultOwnershipEntityRefs` being added to replace it.
- de231e5b06: Declare oauth2 `clientSecret` with visibility secret
- c5aeaf339d: DEPRECATION: All `create<Provider>Provider` and `<provider>*SignInResolver` have been deprecated. Instead, a single `providers` object is exported which contains all built-in auth providers.

  If you have a setup that currently looks for example like this:

  ```ts
  import {
    createRouter,
    defaultAuthProviderFactories,
    createGoogleProvider,
    googleEmailSignInResolver,
  } from '@backstage/plugin-auth-backend';
  import { Router } from 'express';
  import { PluginEnvironment } from '../types';

  export default async function createPlugin(
    env: PluginEnvironment,
  ): Promise<Router> {
    return await createRouter({
      ...env,
      providerFactories: {
        ...defaultAuthProviderFactories,
        google: createGoogleProvider({
          signIn: {
            resolver: googleEmailSignInResolver,
          },
        }),
      },
    });
  }
  ```

  You would migrate it to something like this:

  ```ts
  import {
    createRouter,
    providers,
    defaultAuthProviderFactories,
  } from '@backstage/plugin-auth-backend';
  import { Router } from 'express';
  import { PluginEnvironment } from '../types';

  export default async function createPlugin(
    env: PluginEnvironment,
  ): Promise<Router> {
    return await createRouter({
      ...env,
      providerFactories: {
        ...defaultAuthProviderFactories,
        google: providers.google.create({
          signIn: {
            resolver:
              providers.google.resolvers.emailMatchingUserEntityAnnotation(),
          },
        }),
      },
    });
  }
  ```
- c5aeaf339d: DEPRECATION: The `AuthResolverContext`, which is the context used by auth handlers and sign-in resolvers, has received a number of changes.

  The following fields are deprecated: `logger`, `tokenIssuer`, `catalogIdentityClient`. If you need to access the `logger`, you can do so through a closure instead. The `tokenIssuer` has been replaced with an `issueToken` method, which is available directly on the context. The `catalogIdentityClient` has been replaced by the `signInWithCatalogUser` method, as well as the lower level `findCatalogUser` method and `getDefaultOwnershipEntityRefs` helper.

  It should be possible to migrate most sign-in resolvers to more or less only use `signInWithCatalogUser`, for example an email lookup resolver like this one:

  ```ts
  async ({ profile }, ctx) => {
    if (!profile.email) {
      throw new Error('Profile contained no email');
    }

    const entity = await ctx.catalogIdentityClient.findUser({
      annotations: {
        'acme.org/email': profile.email,
      },
    });

    const claims = getEntityClaims(entity);
    const token = await ctx.tokenIssuer.issueToken({ claims });

    return { id: entity.metadata.name, entity, token };
  };
  ```

  can be migrated to the following:

  ```ts
  async ({ profile }, ctx) => {
    if (!profile.email) {
      throw new Error('Profile contained no email');
    }

    return ctx.signInWithCatalogUser({
      annotations: {
        'acme.org/email': profile.email,
      },
    });
  };
  ```

  While a direct entity name lookup using a user ID might look like this:

  ```ts
  async ({ result: { fullProfile } }, ctx) => {
    return ctx.signInWithCatalogUser({
      entityRef: {
        name: fullProfile.userId,
      },
    });
  };
  ```

  If you want more control over the way that users are looked up, ownership is assigned, or tokens are issued, you can use a combination of the `findCatalogUser`, `getDefaultOwnershipEntityRefs`, and `issueToken` instead.
- f4cdf4cac1: Defensively encode URL parameters when fetching ELB keys
- c5aeaf339d: Added exports of the following types: `AuthProviderConfig`, `StateEncoder`, `TokenParams`, `AwsAlbResult`.
- Updated dependencies
- @backstage/backend-common@0.13.2-next.2
0.13.0-next.1
Patch Changes
- a45bce06e3: Handle trailing slashes on GitHub `enterpriseInstanceUrl` settings
- Updated dependencies
- @backstage/backend-common@0.13.2-next.1
0.13.0-next.0
Minor Changes
- 15d3a3c39a: BREAKING: All sign-in resolvers must now return a `token` in their sign-in result. Returning an `id` is no longer supported.
Patch Changes
- 2cc1d1b235: Applied the fix from version 0.12.3 of this package, which is part of the v1.0.1 release of Backstage.
- 6ee04078e1: DEPRECATION: The `tokenIssuer` option for `OAuthAdapter` is no longer needed and has been deprecated.
- Updated dependencies
- @backstage/catalog-model@1.0.1-next.0
- @backstage/plugin-auth-node@0.2.0-next.0
- @backstage/backend-common@0.13.2-next.0
- @backstage/catalog-client@1.0.1-next.0
0.12.3
Patch Changes
- Fix migrations to do the right thing on sqlite databases, and reapply the column type fix for those who are not on sqlite databases.

  Reconstruction of #10317 in the form of a patch release instead.
0.12.2
Patch Changes
- efc73db10c: Use `better-sqlite3` instead of `@vscode/sqlite3`
- Updated dependencies
- @backstage/backend-common@0.13.1
- @backstage/catalog-model@1.0.0
- @backstage/catalog-client@1.0.0
- @backstage/config@1.0.0
- @backstage/errors@1.0.0
- @backstage/types@1.0.0
- @backstage/plugin-auth-node@0.1.6
0.12.1
Patch Changes
- ab7cd7d70e: Do some groundwork for supporting the `better-sqlite3` driver, to maybe eventually replace `@vscode/sqlite3` (#9912)
- e0a69ba49f: build(deps): bump `fs-extra` from 9.1.0 to 10.0.1
- bf95bb806c: Remove usages of now-removed `CatalogApi.getEntityByName`
- 3c2bc73901: Use `setupRequestMockHandlers` from `@backstage/backend-test-utils`
- Updated dependencies
- @backstage/backend-common@0.13.0
- @backstage/catalog-model@0.13.0
- @backstage/catalog-client@0.9.0
- @backstage/plugin-auth-node@0.1.5
0.12.1-next.0
Patch Changes
- ab7cd7d70e: Do some groundwork for supporting the `better-sqlite3` driver, to maybe eventually replace `@vscode/sqlite3` (#9912)
- e0a69ba49f: build(deps): bump `fs-extra` from 9.1.0 to 10.0.1
- bf95bb806c: Remove usages of now-removed `CatalogApi.getEntityByName`
- 3c2bc73901: Use `setupRequestMockHandlers` from `@backstage/backend-test-utils`
- Updated dependencies
- @backstage/backend-common@0.13.0-next.0
- @backstage/catalog-model@0.13.0-next.0
- @backstage/catalog-client@0.9.0-next.0
- @backstage/plugin-auth-node@0.1.5-next.0
0.12.0
Minor Changes
- 0c8ba31d72: BREAKING: The `TokenFactory.issueToken` used by custom sign-in resolvers now ensures that the sub claim given is a full entity reference of the format `<kind>:<namespace>/<name>`. Any existing custom sign-in resolver functions that do not supply a full entity reference must be updated.
Patch Changes
- 899f196af5: Use `getEntityByRef` instead of `getEntityByName` in the catalog client
- 36aa63022b: Use `CompoundEntityRef` instead of `EntityName`, and `getCompoundEntityRef` instead of `getEntityName`, from `@backstage/catalog-model`.
- Updated dependencies
- @backstage/catalog-model@0.12.0
- @backstage/catalog-client@0.8.0
- @backstage/backend-common@0.12.0
- @backstage/plugin-auth-node@0.1.4
0.11.0
Minor Changes
- 3884bf0348: BREAKING: The default sign-in resolvers for all providers, if you choose to use them, now emit the token `sub` and `ent` claims on the standard, all-lowercase form, instead of the mixed-case form. The mixed-case form causes problems for implementations that naively do string comparisons on refs. The end result is that you may for example see your Backstage token `sub` claim now become `'user:default/my-id'` instead of `'user:default/My-ID'`.

  On a related note, specifically the SAML provider now correctly issues both `sub` and `ent` claims, and on the full entity ref form instead of the short form with only the ID.

  NOTE: For a long time, it has been strongly recommended that you provide your own sign-in resolver instead of using the builtin ones, and that will become mandatory in the future.
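The 0.12.0 and 0.11.0 notes above require full, all-lowercase entity references in the `sub` and `ent` claims. The following TypeScript is an added example, not code from the Backstage project: every function name and the sample claims are hypothetical. It shows a consumer-side check that rejects short-form refs and compares refs in normalized form instead of by raw string equality.

```typescript
// Added example: hypothetical helpers, not code from @backstage/plugin-auth-backend.

interface EntityRefParts {
  kind: string;
  namespace: string;
  name: string;
}

// Claims as described in the changelog: `sub` is the user, `ent` lists ownership refs.
interface TokenClaims {
  sub: string;
  ent?: string[];
}

/** Parses `<kind>:<namespace>/<name>`; throws on short forms such as `jane`. */
function parseFullEntityRef(ref: string): EntityRefParts {
  const colon = ref.indexOf(':');
  const slash = ref.indexOf('/', colon + 1);
  // Every segment must be present and non-empty.
  if (colon < 1 || slash < colon + 2 || slash === ref.length - 1) {
    throw new TypeError(`not a full entity reference: ${JSON.stringify(ref)}`);
  }
  const kind = ref.slice(0, colon);
  const namespace = ref.slice(colon + 1, slash);
  const name = ref.slice(slash + 1);
  // No segment may contain a separator or whitespace.
  if ([kind, namespace, name].some(part => /[:\/\s]/.test(part))) {
    throw new TypeError(`malformed entity reference: ${JSON.stringify(ref)}`);
  }
  return { kind, namespace, name };
}

/** Returns the all-lowercase string form that tokens are expected to carry. */
function toTokenRef(ref: string): string {
  const { kind, namespace, name } = parseFullEntityRef(ref);
  return `${kind}:${namespace}/${name}`.toLowerCase();
}

/** Validates and normalizes every ref in the claims; throws if any is not a full ref. */
function normalizeClaims(claims: TokenClaims): { sub: string; ent: string[] } {
  return {
    sub: toTokenRef(claims.sub),
    ent: (claims.ent ?? []).map(ref => toTokenRef(ref)),
  };
}

/** True when the token's subject or one of its ownership refs matches `ownerRef`. */
function ownsEntity(claims: TokenClaims, ownerRef: string): boolean {
  const { sub, ent } = normalizeClaims(claims);
  const wanted = toTokenRef(ownerRef);
  return sub === wanted || ent.indexOf(wanted) !== -1;
}

// Constructed sample: mixed-case claims of the kind the 0.11.0 note describes.
const constructedClaims = {
  sub: 'user:default/My-ID',
  ent: ['user:default/My-ID', 'Group:default/Team-A'],
};

/** Contrasts a naive string comparison with the normalized ownership check. */
function demo(): { naive: boolean; normalized: boolean } {
  const owner = 'group:default/team-a';
  return {
    naive: constructedClaims.ent.indexOf(owner) !== -1,
    normalized: ownsEntity(constructedClaims, owner),
  };
}
```

On the constructed claims the naive comparison misses the group ownership that the normalized check finds, which is the failure mode the all-lowercase form removes.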
Patch Changes
- d64b8d3678: chore(deps): bump `minimatch` from 3.0.4 to 5.0.0
- 6e1cbc12a6: Updated according to the new `getEntityFacets` catalog API method
- 919cf2f836: Minor updates to match the new `targetRef` field of relations, and to stop consuming the `target` field
- Updated dependencies
- @backstage/backend-common@0.11.0
- @backstage/catalog-model@0.11.0
- @backstage/catalog-client@0.7.2
- @backstage/plugin-auth-node@0.1.3
0.10.2
Patch Changes
- Fix for the previous release with missing type declarations.
- Updated dependencies
- @backstage/backend-common@0.10.9
- @backstage/catalog-client@0.7.1
- @backstage/catalog-model@0.10.1
- @backstage/config@0.1.15
- @backstage/errors@0.2.2
- @backstage/types@0.1.3
- @backstage/plugin-auth-node@0.1.2
0.10.1
Patch Changes
- 1ed305728b: Bump `node-fetch` to version 2.6.7 and `cross-fetch` to version 3.1.5
- c77c5c7eb6: Added `backstage.role` to `package.json`
- a31559d1f5: Bump `passport-oauth2` to version 1.6.1
- deaf6065db: Adapt to the new `CatalogApi.getLocationByRef`
- 1433045c08: Removed unused `helmet` dependency.
- 7aeb491394: Replace use of deprecated `ENTITY_DEFAULT_NAMESPACE` constant with `DEFAULT_NAMESPACE`.
- Updated dependencies
- @backstage/backend-common@0.10.8
- @backstage/catalog-client@0.7.0
- @backstage/errors@0.2.1
- @backstage/plugin-auth-node@0.1.1
- @backstage/catalog-model@0.10.0
- @backstage/config@0.1.14
- @backstage/types@0.1.2
0.10.0
Minor Changes
- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
- 6bc86fcf2d: The following breaking changes were made, which may imply specifically needing to make small adjustments in your custom auth providers.

  - BREAKING: Moved `IdentityClient`, `BackstageSignInResult`, `BackstageIdentityResponse`, and `BackstageUserIdentity` to `@backstage/plugin-auth-node`.
  - BREAKING: Removed deprecated type `BackstageIdentity`, please use `BackstageSignInResult` from `@backstage/plugin-auth-node` instead.

  While moving over, `IdentityClient` was also changed in the following ways:

  - BREAKING: Made `IdentityClient.listPublicKeys` private. It was only used in tests, and should not be part of the API surface of that class.
  - BREAKING: Removed the static `IdentityClient.getBearerToken`. It is now replaced by `getBearerTokenFromAuthorizationHeader` from `@backstage/plugin-auth-node`.
  - BREAKING: Removed the constructor. Please use the `IdentityClient.create` static method instead.

  Since the `IdentityClient` interface is marked as experimental, this is a breaking change without a deprecation period.

  In your auth providers, you may need to update your imports and usages as follows (example code; yours may be slightly different):

  ```diff
  -import { IdentityClient } from '@backstage/plugin-auth-backend';
  +import {
  +  IdentityClient,
  +  getBearerTokenFromAuthorizationHeader
  +} from '@backstage/plugin-auth-node';

     // ...

  -  const identity = new IdentityClient({
  +  const identity = IdentityClient.create({
       discovery,
       issuer: await discovery.getExternalBaseUrl('auth'),
     });

     // ...

     const token =
  -    IdentityClient.getBearerToken(req.headers.authorization) ||
  +    getBearerTokenFromAuthorizationHeader(req.headers.authorization) ||
       req.cookies['token'];
  ```
Patch Changes
- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2

  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
- 3396bc5973: Enabled refresh for the Atlassian provider.
- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
- Updated dependencies
- @backstage/catalog-client@0.6.0
- @backstage/backend-common@0.10.7
- @backstage/plugin-auth-node@0.1.0
0.10.0-next.0
Minor Changes
- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
Patch Changes
- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2

  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
- 3396bc5973: Enabled refresh for the Atlassian provider.
- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
- Updated dependencies
- @backstage/backend-common@0.10.7-next.0
0.9.0
Minor Changes
- cef64b1561: BREAKING Added `tokenManager` as a required property for the auth-backend `createRouter` function. This dependency is used to issue server tokens that are used by the `CatalogIdentityClient` when looking up users and their group membership during authentication.

  These changes are required to `packages/backend/src/plugins/auth.ts`:

  ```diff
   export default async function createPlugin({
     logger,
     database,
     config,
     discovery,
  +  tokenManager,
   }: PluginEnvironment): Promise<Router> {
     return await createRouter({
       logger,
       config,
       database,
       discovery,
  +    tokenManager,
     });
   }
  ```

  BREAKING The `CatalogIdentityClient` constructor now expects a `TokenManager` instead of a `TokenIssuer`. The `TokenManager` interface is used to generate a server token when resolving a user's identity and membership through the catalog. Using server tokens for these requests allows the auth-backend to bypass authorization checks when permissions are enabled for Backstage. This change will break apps that rely on the user tokens that were previously used by the client. Refer to the "Backend-to-backend Authentication" tutorial for more information on server token usage.
Patch Changes
- 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
- 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
- 5d09bdd1de: Added custom `callbackUrl` support for multiple providers. `v0.8.0` introduced this change for `github`, and now we're adding the same capability to the following providers: `atlassian, auth0, bitbucket, gitlab, google, microsoft, oauth2, oidc, okta, onelogin`.
- 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
- Updated dependencies
0.9.0-next.1
Patch Changes
- 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
- 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
- Updated dependencies
- @backstage/backend-common@0.10.6-next.0
0.9.0-next.0
Minor Changes
- cef64b1561: BREAKING Added `tokenManager` as a required property for the auth-backend `createRouter` function. This dependency is used to issue server tokens that are used by the `CatalogIdentityClient` when looking up users and their group membership during authentication.

  These changes are required to `packages/backend/src/plugins/auth.ts`:

  ```diff
   export default async function createPlugin({
     logger,
     database,
     config,
     discovery,
  +  tokenManager,
   }: PluginEnvironment): Promise<Router> {
     return await createRouter({
       logger,
       config,
       database,
       discovery,
  +    tokenManager,
     });
   }
  ```

  BREAKING The `CatalogIdentityClient` constructor now expects a `TokenManager` instead of a `TokenIssuer`. The `TokenManager` interface is used to generate a server token when resolving a user's identity and membership through the catalog. Using server tokens for these requests allows the auth-backend to bypass authorization checks when permissions are enabled for Backstage. This change will break apps that rely on the user tokens that were previously used by the client. Refer to the "Backend-to-backend Authentication" tutorial for more information on server token usage.
Patch Changes
- 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
0.8.0
Minor Changes
- 67349916ac: The `sub` claim in Backstage tokens generated by the default Google and OIDC sign-in resolvers are now full entity references of the format `<kind>:<namespace>/<name>`.
Patch Changes
- 033493a8af: Running the `auth-backend` on multiple domains, perhaps different domains depending on the `auth.environment`, was previously not possible as the `domain` name of the cookie was taken from `backend.baseUrl`. This prevented any cookies from being set at the start of the auth flow, as the domain of the cookie would not match the domain of the callbackUrl configured in the OAuth app. This change checks if a provider supports a custom `callbackUrl` to be configured in the application configuration and uses the domain from that, allowing the domains to match and the cookie to be set.
- Updated dependencies
0.7.0
Minor Changes
- 6e92ee6267: Add new authentication provider to support the oauth2-proxy.

  BREAKING The `AuthHandler` now requires an `AuthResolverContext` parameter. This aligns with the behavior of the `SignInResolver`.
- f8496730ab: Switched the handling of the `BackstageIdentityResponse` so that the returned `identity.userEntityRef` is always a full entity reference. If `userEntityRef` was previously set to `jane`, it will now be `user:default/jane`. The `userEntityRef` in the response is parsed from the `sub` claim in the payload of the Backstage token.
- a53d7d8143: Update provider subs to return full entity ref.
Patch Changes
- f815b7e4a4: build(deps): bump `@google-cloud/firestore` from 4.15.1 to 5.0.2
- Updated dependencies
- @backstage/backend-common@0.10.4
- @backstage/config@0.1.13
- @backstage/catalog-model@0.9.10
- @backstage/catalog-client@0.5.5
0.7.0-next.0
Minor Changes
- 6e92ee6267: Add new authentication provider to support the oauth2-proxy.

  BREAKING The `AuthHandler` now requires an `AuthResolverContext` parameter. This aligns with the behavior of the `SignInResolver`.
Patch Changes
- Updated dependencies
- @backstage/backend-common@0.10.4-next.0
- @backstage/config@0.1.13-next.0
- @backstage/catalog-model@0.9.10-next.0
- @backstage/catalog-client@0.5.5-next.0
0.6.2
Patch Changes
- 5333451def: Cleaned up API exports
- da9c59d6e0: Removed `@backstage/test-utils` dependency.
- 20ca7cfa5f: Switched the secure cookie mode set on the `express-session` to use `'auto'` rather than `true`. This works around an issue where cookies would not be set if TLS termination was handled in a proxy rather than having the backend served directly with HTTPS.

  The downside of this change is that secure cookies won't be used unless the backend is directly served with HTTPS. This will be remedied in a future update that allows the backend to be configured for trusted proxy mode.
- Updated dependencies
- @backstage/config@0.1.12
- @backstage/backend-common@0.10.3
- @backstage/errors@0.2.0
- @backstage/catalog-client@0.5.4
- @backstage/catalog-model@0.9.9
0.6.1
Patch Changes
- e0e57817d2: Added Google Cloud Identity-Aware Proxy as an identity provider.
- Updated dependencies
0.6.0
Minor Changes
-
c88cdacc1a: Avoid ever returning OAuth refresh tokens back to the client, and always exchange refresh tokens for a new one when available for all providers.This comes with a breaking change to the TypeScript API for custom auth providers. The
refreshmethod ofOAuthHandlersimplementation must now return a{ response, refreshToken }object rather than a direct response. Existingrefreshimplementations are typically migrated by changing an existing return expression that looks like this:return await this.handleResult({ fullProfile, params, accessToken, refreshToken, });Into the following:
return { response: await this.handleResult({ fullProfile, params, accessToken, }), refreshToken, };
Patch Changes
- f0f81f6cc7: Replaces the usage of `got` with `node-fetch` in the `getUserPhoto` method of the Microsoft provider
- 2f26120a36: Update `auth0` and `onelogin` providers to allow for `authHandler` and `signIn.resolver` configuration.
- a9abafa9df: Fixed bug on refresh token on Okta provider, now it gets the refresh token and it sends it into providerInfo
- eb48e78886: Enforce cookie SSL protection when in production for auth-backend sessions
- Updated dependencies
- @backstage/test-utils@0.2.1
- @backstage/backend-common@0.10.1
0.5.2
Patch Changes
- 24a67e3e2e: Fixed the fallback identity population to correctly generate an entity reference for `userEntityRef` if no token is provided.
- Updated dependencies
- @backstage/backend-common@0.10.0
- @backstage/test-utils@0.2.0
- @backstage/catalog-client@0.5.3
0.5.1
Patch Changes
- 699c2e9ddc: export minimal typescript types for OIDC provider
- Updated dependencies
- @backstage/backend-common@0.9.14
- @backstage/catalog-model@0.9.8
0.5.0
Minor Changes
- a036b65c2f: BREAKING CHANGE The `idToken` field of `BackstageIdentity` has been removed, with the `token` taking its place. This means you may need to update existing `signIn.resolver` implementations to return a `token` rather than an `idToken`. This also applies to custom auth providers.

  The `BackstageIdentity` type has been deprecated and will be removed in the future. Taking its place is the new `BackstageSignInResult` type with the same shape.

  This change also introduces the new `BackstageIdentityResponse` that mirrors the type with the same name from `@backstage/core-plugin-api`. The `BackstageIdentityResponse` type is different from the `BackstageSignInResult` in that it also has an `identity` field which is of type `BackstageUserIdentity` and is a decoded version of the information within the token.

  When implementing a custom auth provider that is not based on the `OAuthAdapter` you may need to convert `BackstageSignInResult` into a `BackstageIdentityResponse`; this can be done using the new `prepareBackstageIdentityResponse` function.
Patch Changes
- 8f461e6043: Fixes potential bug introduced in `0.4.10` which causes `OAuth2AuthProvider` to authenticate using credentials in both POST payload and headers. This might break some stricter OAuth2 implementations so there is now an `includeBasicAuth` config option that can manually be set to `true` to enable this behavior.
- dcd1a0c3f4: Minor improvement to the API reports, by not unpacking arguments directly
- Updated dependencies
- @backstage/test-utils@0.1.24
- @backstage/backend-common@0.9.13
0.4.10
Patch Changes
- 4bf4111902: Migrated the SAML provider to implement the `authHandler` and `signIn.resolver` options.
- b055a6addc: Align on usage of `cross-fetch` vs `node-fetch` in frontend vs backend packages, and remove some unnecessary imports of either one of them
- 36fa32216f: Added signIn and authHandler resolver for oidc provider
- 7071dce02d: Expose catalog lib in plugin-auth-backend, i.e. `CatalogIdentityClient` class is exposed now.
- 1b69ed44f2: Added custom OAuth2.0 authorization header for generic oauth2 provider.
- Updated dependencies
- @backstage/backend-common@0.9.12
0.4.9
Patch Changes
- 9312572360: Switched to using the standardized JSON error responses for all provider endpoints.
- bab752e2b3: Change default port of backend from 7000 to 7007.

  This is due to the AirPlay Receiver process occupying port 7000 and preventing local Backstage instances on macOS from starting.

  You can change the port back to 7000 or any other value by providing an `app-config.yaml` with the following values:

  ```yaml
  backend:
    listen: 0.0.0.0:7123
    baseUrl: http://localhost:7123
  ```

  More information can be found here: https://backstage.io/docs/conf/writing
- Updated dependencies
- @backstage/errors@0.1.5
- @backstage/backend-common@0.9.11
- @backstage/test-utils@0.1.23
0.4.8
Patch Changes
- 892c1d9202: Update OAuthAdapter to create identity.token from identity.idToken if it does not exist, and prevent overwrites to identity.token. Update login page commonProvider to prefer .token over .idToken
- Updated dependencies
- @backstage/catalog-client@0.5.2
- @backstage/catalog-model@0.9.7
- @backstage/backend-common@0.9.10
- @backstage/test-utils@0.1.22
0.4.7
Patch Changes
- 5ee31f860b: Only use settings that have a value when creating a new FirestoreKeyStore instance
- 3e0e2f09d5: Added forwarding of the audience option for the SAML provider, making it possible to enable audience verification.
- Updated dependencies
- @backstage/backend-common@0.9.9
- @backstage/test-utils@0.1.21
- @backstage/catalog-client@0.5.1
0.4.6
Patch Changes
- 3b767f19c9: Allow OAuth state to be encoded by a stateEncoder.
- Updated dependencies
- @backstage/test-utils@0.1.20
- @backstage/config@0.1.11
- @backstage/errors@0.1.4
- @backstage/backend-common@0.9.8
- @backstage/catalog-model@0.9.6
0.4.5
Patch Changes
- 9322e632e9: Require that audience URLs for Okta authentication start with https
- de3e26aecc: Fix a bug preventing an access token to be refreshed a second time with the GitHub provider.
- ab9b4a6ea6: Add Firestore as key-store provider. Add auth.keyStore section to application config.
- 202f322927: Atlassian auth provider
  - AtlassianAuth added to core-app-api
  - Atlassian provider added to plugin-auth-backend
  - Updated user-settings with Atlassian connection
- 36e67d2f24: Internal updates to apply more strict checks to throw errors.
- Updated dependencies
- @backstage/backend-common@0.9.7
- @backstage/errors@0.1.3
- @backstage/catalog-model@0.9.5
0.4.4
Patch Changes
- 0cfeea8f8f: AWS-ALB: update provider to the latest changes described here.
  This removes the ExperimentalIdentityResolver type in favor of SignInResolver and AuthHandler. The AWS ALB provider can now be configured in the same way as the Google provider in the example.
- defae8f579: Added extra configuration parameters for active directory file system identity
- Updated dependencies
- @backstage/test-utils@0.1.19
0.4.3
Patch Changes
- 4c3eea7788: Bitbucket Cloud authentication - based on the existing GitHub authentication + changes around BB apis and updated scope.
  - BitbucketAuth added to core-app-api.
  - Bitbucket provider added to plugin-auth-backend.
  - Cosmetic entry for Bitbucket connection in user-settings Authentication Providers tab.
- Updated dependencies
- @backstage/test-utils@0.1.18
- @backstage/catalog-model@0.9.4
- @backstage/backend-common@0.9.6
- @backstage/catalog-client@0.5.0
0.4.2
Patch Changes
- 88622e6422: Allow users to override callback url of GitHub provider
- c46396ebb0: Update OAuth refresh handler to pass updated refresh token to ensure cookie is updated with new value.
- Updated dependencies
- @backstage/backend-common@0.9.5
0.4.1
Patch Changes
- Updated dependencies
- @backstage/catalog-client@0.4.0
- @backstage/catalog-model@0.9.3
- @backstage/backend-common@0.9.4
- @backstage/config@0.1.10
0.4.0
Minor Changes
- 19f45179a5: Bump passport-saml to version 3. This is a breaking change, in that it now requires the auth.saml.cert parameter to be set. If you are not using SAML auth, you can ignore this.
  To update your settings, add something similar to the following to your app-config:
      auth:
        saml:
          # ... other settings ...
          cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
  For more information, see the library README.
Patch Changes
- 560d6810f0: Fix a bug preventing an access token to be refreshed a second time with the GitLab provider.
- de5717872d: Use a more informative error message if the configured OIDC identity provider does not provide a userinfo_endpoint in its metadata.
- Updated dependencies
- @backstage/backend-common@0.9.3
0.3.24
Patch Changes
- 2a105f451: Add a warning log message that passport-saml will require a cert config parameter imminently.
  We intend to upgrade this package soon, past the point where we will start to strictly require the auth.saml.cert configuration parameter to be present. To avoid issues starting your auth backend, please
- 31892ee25: typo fix tenentId in Azure auth provider docs
- e9b1e2a9f: Added signIn and authHandler resolver for oAuth2 provider
- ca45b169d: Export GitHub to allow use with Identity resolver
- Updated dependencies
- @backstage/catalog-model@0.9.1
- @backstage/backend-common@0.9.1
0.3.23
Patch Changes
- 392b36fa1: Added support for authenticating via GitHub Apps in addition to GitHub OAuth Apps. It used to be possible to use GitHub Apps, but they did not handle session refresh correctly.
  Note that GitHub Apps handle OAuth scope at the app installation level, meaning that the scope parameter for getAccessToken has no effect. When calling getAccessToken in open source plugins, one should still include the appropriate scope, but also document in the plugin README what scopes are required in the case of GitHub Apps.
  In addition, the authHandler and signInResolver options have been implemented for the GitHub provider in the auth backend.
- ea9fe9567: Fixed a bug where OAuth state parameters would be serialized as the string 'undefined'.
- 39fc3d7f8: Add Sign In and Handler resolver for GitLab provider
- Updated dependencies
- @backstage/backend-common@0.9.0
- @backstage/config@0.1.8
0.3.22
Patch Changes
- 79d24a966: Fix an issue where the default app origin was not allowed to authenticate users.
0.3.21
Patch Changes
- 72a31c29a: Add support for additional app origins
- Updated dependencies
- @backstage/backend-common@0.8.10
- @backstage/config@0.1.7
0.3.20
Patch Changes
- 29f7cfffb: Added resolveCatalogMembership utility to query the catalog for additional authentication claims within sign-in resolvers.
- 8bedb75ae: Update Luxon dependency to 2.x
- bfe0ff93f: Add Sign In and Handler resolver for Okta provider
- Updated dependencies
- @backstage/backend-common@0.8.9
- @backstage/test-utils@0.1.17
0.3.19
Patch Changes
- 4edca1bd0: Allow to configure SAML auth acceptedClockSkewMs
- b68f2c83c: Added the disableRefresh option to the OAuth2 config
- Updated dependencies
- @backstage/test-utils@0.1.16
- @backstage/catalog-client@0.3.18
0.3.18
Patch Changes
- 2567c066d: TokenIssuer is now exported so it may be used by auth providers that are not bundled with Backstage
- Updated dependencies
- @backstage/catalog-client@0.3.17
- @backstage/backend-common@0.8.7
- @backstage/test-utils@0.1.15
0.3.17
Patch Changes
- 40b3c60e2: Configuration updates for the OpenID Connect auth provider to allow prompt configuration and some sensible defaults.
- f55f9df10: Add Sign In and Handler resolver for Microsoft provider
- ae84b20cf: Revert the upgrade to fs-extra@10.0.0 as that seemed to have broken all installs inexplicably.
- Updated dependencies
- @backstage/backend-common@0.8.6
0.3.16
Patch Changes
- Updated dependencies
- @backstage/catalog-model@0.9.0
- @backstage/backend-common@0.8.5
- @backstage/catalog-client@0.3.16
0.3.15
Patch Changes
- 6ca29b66c: Unbreak .well-known OIDC routes
- 72574ac4d: Show better error message when configs defined under auth.providers. are undefined.
- Updated dependencies
- @backstage/backend-common@0.8.4
- @backstage/catalog-client@0.3.15
0.3.14
Patch Changes
- 36e9a4084: Don't export the defaultGoogleAuthProvider
- c467cc4b9: Adds support for custom sign-in resolvers and profile transformations for the Google auth provider.
  Adds an ent claim in Backstage tokens, with a list of entity references related to your signed-in user's identities and groups across multiple systems.
  Adds an optional providerFactories argument to the createRouter exported by the auth-backend plugin.
  Updates BackstageIdentity so that
  - idToken is deprecated in favor of token
  - An optional entity field is added which represents the entity that the user is represented by within Backstage.
  More information:
  - The identity resolver documentation explains the concepts and shows how to implement your own.
  - The From Identity to Ownership RFC contains details about how this affects ownership in the catalog
- Updated dependencies
- @backstage/catalog-client@0.3.14
- @backstage/catalog-model@0.8.4
- @backstage/test-utils@0.1.14
0.3.13
Patch Changes
- 1aa31f0af: Add support for refreshing GitLab auth sessions.
- Updated dependencies
- @backstage/backend-common@0.8.3
- @backstage/catalog-model@0.8.3
0.3.12
Patch Changes
- Updated dependencies [add62a455]
- Updated dependencies [704875e26]
- @backstage/catalog-client@0.3.12
- @backstage/catalog-model@0.8.0
0.3.11
Patch Changes
- 65e6c4541: Remove circular dependencies
- Updated dependencies [f7f7783a3]
- Updated dependencies [c7dad9218]
- Updated dependencies [65e6c4541]
- Updated dependencies [68fdbf014]
- Updated dependencies [5001de908]
- Updated dependencies [61c3f927c]
- @backstage/catalog-model@0.7.10
- @backstage/backend-common@0.8.1
- @backstage/test-utils@0.1.12
0.3.10
Patch Changes
- Updated dependencies [062bbf90f]
- Updated dependencies [22fd8ce2a]
- Updated dependencies [10c008a3a]
- Updated dependencies [f9fb4a205]
- Updated dependencies [16be1d093]
- @backstage/test-utils@0.1.11
- @backstage/backend-common@0.8.0
- @backstage/catalog-model@0.7.9
0.3.9
Patch Changes
- Updated dependencies [e0bfd3d44]
- Updated dependencies [38ca05168]
- Updated dependencies [d8b81fd28]
- Updated dependencies [d1b1306d9]
- @backstage/backend-common@0.7.0
- @backstage/catalog-model@0.7.8
- @backstage/config@0.1.5
- @backstage/catalog-client@0.3.11
0.3.8
Patch Changes
- 2b2b31186: When using OAuth2 authentication the name is now taken from the name property of the JWT instead of the email property
- Updated dependencies [97b60de98]
- Updated dependencies [ae6250ce3]
- Updated dependencies [98dd5da71]
- Updated dependencies [b779b5fee]
- @backstage/catalog-model@0.7.6
- @backstage/test-utils@0.1.10
- @backstage/backend-common@0.6.2
0.3.7
Patch Changes
- 0d55dcc74: Fixes timezone bug for auth signing keys
- 676ede643: Added the getOriginLocationByEntity and removeLocationById methods to the catalog client
- Updated dependencies [676ede643]
- Updated dependencies [b196a4569]
- Updated dependencies [8488a1a96]
- Updated dependencies [37e3a69f5]
- @backstage/catalog-client@0.3.9
- @backstage/catalog-model@0.7.5
- @backstage/backend-common@0.6.1
0.3.6
Patch Changes
- 449776cd6: The auth config types now properly accept any declared auth environment. Previously only development was accepted.
  The audience configuration is no longer required for GitLab auth; this will default to https://gitlab.com
0.3.5
Patch Changes
- 8686eb38c: Use errors from @backstage/errors
- 8b5e59750: expose verifyNonce and readState publicly from auth-backend
- Updated dependencies [8686eb38c]
- Updated dependencies [8686eb38c]
- Updated dependencies [0434853a5]
- Updated dependencies [4e0b5055a]
- Updated dependencies [8686eb38c]
- @backstage/catalog-client@0.3.8
- @backstage/backend-common@0.6.0
- @backstage/config@0.1.4
- @backstage/test-utils@0.1.9
0.3.4
Patch Changes
- 761698831: Bump to the latest version of the Knex library.
- 5f1b7ea35: Change the JWKS url value for the oidc configuration endpoint
- Updated dependencies [d7245b733]
- Updated dependencies [0b42fff22]
- Updated dependencies [0b42fff22]
- Updated dependencies [761698831]
- @backstage/backend-common@0.5.6
- @backstage/catalog-model@0.7.4
- @backstage/catalog-client@0.3.7
0.3.3
Patch Changes
- f43192207: remove usage of res.send() for res.json() and res.end() to ensure content types are more consistently application/json on backend responses and error cases
- 3af994c81: Expose a configuration option for the oidc scope
- Updated dependencies [12d8f27a6]
- Updated dependencies [497859088]
- Updated dependencies [8adb48df4]
- @backstage/catalog-model@0.7.3
- @backstage/backend-common@0.5.5
0.3.2
Patch Changes
- ec504e7b4: Fix for refresh token being lost during Microsoft login.
- Updated dependencies [bad21a085]
- Updated dependencies [a1f5e6545]
- @backstage/catalog-model@0.7.2
- @backstage/config@0.1.3
0.3.1
Patch Changes
- 92f01d75c: Refactored auth provider factories to accept options along with other internal refactoring of the auth providers.
- d9687c524: Fixed parsing of OIDC key timestamps when using SQLite.
- 3600ac3b0: Migrated the package from using moment to Luxon. #4278
- Updated dependencies [16fb1d03a]
- Updated dependencies [491f3a0ec]
- Updated dependencies [434b4e81a]
- Updated dependencies [fb28da212]
- @backstage/backend-common@0.5.4
0.3.0
Minor Changes
- 1deb31141: Remove undocumented scope (default) from the OIDC auth provider which was breaking some identity services. If your app relied on this scope, you can manually specify it by adding a new factory in packages/app/src/apis.ts:
      export const apis = [
        createApiFactory({
          api: oidcAuthApiRef,
          deps: {
            discoveryApi: discoveryApiRef,
            oauthRequestApi: oauthRequestApiRef,
            configApi: configApiRef,
          },
          factory: ({ discoveryApi, oauthRequestApi, configApi }) =>
            OAuth2.create({
              discoveryApi,
              oauthRequestApi,
              provider: {
                id: 'oidc',
                title: 'Your Identity Provider',
                icon: OAuth2Icon,
              },
              defaultScopes: [
                'default',
                'openid',
                'email',
                'offline_access',
              ],
              environment: configApi.getOptionalString('auth.environment'),
            }),
        }),
      ];
Patch Changes
- 6ed2b47d6: Include Backstage identity token in requests to backend plugins.
- 07bafa248: Add configurable scope for oauth2 auth provider.
  Some OAuth2 providers require certain scopes to facilitate a user sign-in using the Authorization Code flow. This change adds the optional scope key to auth.providers.oauth2. An example is:
      auth:
        providers:
          oauth2:
            development:
              clientId:
                $env: DEV_OAUTH2_CLIENT_ID
              clientSecret:
                $env: DEV_OAUTH2_CLIENT_SECRET
              authorizationUrl:
                $env: DEV_OAUTH2_AUTH_URL
              tokenUrl:
                $env: DEV_OAUTH2_TOKEN_URL
              scope: saml-login-selector openid profile email
  This tells the OAuth 2.0 AS to perform a SAML login and return OIDC information including the profile and email claims as part of the ID Token.
- Updated dependencies [6ed2b47d6]
- Updated dependencies [ffffea8e6]
- Updated dependencies [82b2c11b6]
- Updated dependencies [965e200c6]
- Updated dependencies [72b96e880]
- Updated dependencies [5a5163519]
- @backstage/catalog-client@0.3.6
- @backstage/backend-common@0.5.3
0.2.12
Patch Changes
- d7b1d317f: Fixed serialization issue with caching of public keys in AWS ALB auth provider
- 39b05b9ae: Use .text instead of .json for ALB key response
- 4eaa06057: Fix AWS ALB issuer check
- Updated dependencies [26a3a6cf0]
- Updated dependencies [664dd08c9]
- Updated dependencies [9dd057662]
- @backstage/backend-common@0.5.1
0.2.11
Patch Changes
- 0643a3336: Add AWS ALB OIDC reverse proxy authentication provider
- a2291d7cc: Optional identity token authorization of api requests
- Updated dependencies [def2307f3]
- Updated dependencies [0b135e7e0]
- Updated dependencies [294a70cab]
- Updated dependencies [0ea032763]
- Updated dependencies [5345a1f98]
- Updated dependencies [09a370426]
- Updated dependencies [a93f42213]
- @backstage/catalog-model@0.7.0
- @backstage/backend-common@0.5.0
- @backstage/catalog-client@0.3.5
0.2.10
Patch Changes
- 468579734: Allow blank certificates and support logout URLs in the SAML provider.
- Updated dependencies [f3b064e1c]
- Updated dependencies [abbee6fff]
- Updated dependencies [147fadcb9]
- @backstage/catalog-model@0.6.1
- @backstage/backend-common@0.4.3
0.2.9
Patch Changes
- 0289a059c: Add support for the majority of the Core configurations for Passport-SAML.
  These configuration keys are supported:
  - entryPoint
  - issuer
  - cert
  - privateKey
  - decryptionPvk
  - signatureAlgorithm
  - digestAlgorithm
  As part of this change, there is also a fix to the redirection behaviour when doing load balancing and HTTPS termination - the application's baseUrl is used to generate the callback URL. For properly configured Backstage installations, no changes are necessary, and the baseUrl is respected.
- Updated dependencies [5ecd50f8a]
- Updated dependencies [00042e73c]
- Updated dependencies [0829ff126]
- Updated dependencies [036a84373]
- @backstage/backend-common@0.4.2
0.2.8
Patch Changes
- cc046682e: fix bug in token expiration date
0.2.7
Patch Changes
- 7b15cc271: Added configuration schema for the commonly used properties
- Updated dependencies [c911061b7]
- Updated dependencies [1d1c2860f]
- Updated dependencies [0e6298f7e]
- Updated dependencies [4eafdec4a]
- Updated dependencies [ac3560b42]
- @backstage/catalog-model@0.6.0
- @backstage/backend-common@0.4.1
- @backstage/catalog-client@0.3.4
0.2.6
Patch Changes
- Updated dependencies [38e24db00]
- Updated dependencies [e3bd9fc2f]
- Updated dependencies [12bbd748c]
- Updated dependencies [83b6e0c1f]
- Updated dependencies [e3bd9fc2f]
- @backstage/backend-common@0.4.0
- @backstage/config@0.1.2
- @backstage/catalog-model@0.5.0
- @backstage/catalog-client@0.3.3
0.2.5
Patch Changes
- Updated dependencies [612368274]
- Updated dependencies [08835a61d]
- Updated dependencies [a9fd599f7]
- Updated dependencies [bcc211a08]
- @backstage/backend-common@0.3.3
- @backstage/catalog-model@0.4.0
- @backstage/catalog-client@0.3.2
0.2.4
Patch Changes
- 50eff1d00: Allow the backend to register custom AuthProviderFactories
- 700a212b4: bug fix: issue 3223 - detect mismatching origin and indicate it in the message at auth failure
- Updated dependencies [3aa7efb3f]
- Updated dependencies [ab94c9542]
- Updated dependencies [2daf18e80]
- Updated dependencies [069cda35f]
- Updated dependencies [b3d4e4e57]
- @backstage/backend-common@0.3.2
- @backstage/catalog-model@0.3.1
0.2.3
Patch Changes
- Updated dependencies [1166fcc36]
- Updated dependencies [bff3305aa]
- Updated dependencies [1185919f3]
- Updated dependencies [b47dce06f]
- @backstage/catalog-model@0.3.0
- @backstage/backend-common@0.3.1
- @backstage/catalog-client@0.3.1
0.2.2
Patch Changes
- Updated dependencies [1722cb53c]
- Updated dependencies [1722cb53c]
- Updated dependencies [7b37e6834]
- Updated dependencies [8e2effb53]
- Updated dependencies [717e43de1]
- @backstage/backend-common@0.3.0
- @backstage/catalog-client@0.3.0
0.2.1
Patch Changes
- 752808090: Handle non-7-bit safe characters in the posted message data
- 462876399: Encode the OAuth state parameter using URL safe chars only, so that providers have an easier time forming the callback URL.
- Updated dependencies [33b7300eb]
- @backstage/backend-common@0.2.1
0.2.0
Minor Changes
- 28edd7d29: Create backend plugin through CLI
- 819a70229: Add SAML login to backstage
- 6d29605db: Change the default backend plugin mount point to /api
- 5249594c5: Add service discovery interface and implement for single host deployments
  Fixes #1847, #2596
  Went with an interface similar to the frontend DiscoveryApi, since it's dead simple but still provides a lot of flexibility in the implementation.
  Also ended up with two different methods, one for internal endpoint discovery and one for external. The two use-cases are explained a bit more in the docs, but basically it's service-to-service vs callback URLs.
  This did get me thinking about uniqueness and that we're heading towards a global namespace for backend plugin IDs. That's probably fine, but if we're happy with that we should leverage it a bit more to simplify the backend setup. For example we'd have each plugin provide its own ID and not manually mount on paths in the backend.
  Draft until we're happy with the implementation, then I can add more docs and changelog entry. Also didn't go on a thorough hunt for places where discovery can be used, but I don't think there are many since it's been pretty awkward to do service-to-service communication.
- 6f1768c0f: Initial implementation of catalog user lookup
  This adds a basic catalog client + method for the Google provider to look up users in the catalog. It expects to find a single user entity in the catalog with a google.com/email annotation that matches the email of the Google profile.
  Right now it falls back to the old behavior of splitting the email, since I don't wanna break the sign-in flow for existing apps, not yet anyway x).
  - Added "@backstage/catalog-model@^0.1.1-alpha.23" as a dependency
  - Added "node-fetch@^2.6.1" as a dependency
- 1687b8fbb: Lookup user in Google Auth Provider
Patch Changes
- b4e5466e1: Move auth provider router creation to router
- b652bf2cc: Add OneLogin Identity Provider to Auth Backend
- e142a2767: Better presentation of authentication errors
- Updated dependencies [3a4236570]
- Updated dependencies [e0be86b6f]
- Updated dependencies [f70a52868]
- Updated dependencies [12b5fe940]
- Updated dependencies [5249594c5]
- Updated dependencies [56e4eb589]
- Updated dependencies [e37c0a005]
- Updated dependencies [a768a07fb]
- Updated dependencies [f00ca3cb8]
- Updated dependencies [6579769df]
- Updated dependencies [5adfc005e]
- Updated dependencies [8c2b76e45]
- Updated dependencies [440a17b39]
- Updated dependencies [fa56f4615]
- Updated dependencies [8afce088a]
- Updated dependencies [b3d57961c]
- Updated dependencies [7bbeb049f]
- @backstage/catalog-model@0.2.0
- @backstage/backend-common@0.2.0

