algorithms field is now array for IdentityClient
Signed-off-by: Manuel Scurti <manuel.scurti@agilelab.it>
@@ -1,6 +1,5 @@
|
||||
---
|
||||
'@backstage/plugin-auth-backend': minor
|
||||
'@backstage/plugin-auth-node': minor
|
||||
'@backstage/plugin-auth-backend': patch
|
||||
---
|
||||
|
||||
Added configurable algorithm field for IdentityClient and TokenFactory
|
||||
Added configurable algorithm field for TokenFactory
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
'@backstage/plugin-auth-node': patch
|
||||
---
|
||||
|
||||
Added configurable algorithms array for IdentityClient
|
||||
@@ -33,7 +33,7 @@ type Options = {
|
||||
/** Expiration time of signing keys in seconds */
|
||||
keyDurationSeconds: number;
|
||||
/** JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
|
||||
* Must match the algorithm defined in IdentityClient.
|
||||
* Must match one of the algorithms defined for IdentityClient.
|
||||
* More info on supported algorithms: https://github.com/panva/jose */
|
||||
algorithm?: string;
|
||||
};
|
||||
|
||||
@@ -146,11 +146,24 @@ describe('IdentityClient', () => {
|
||||
});
|
||||
});
|
||||
|
||||
it('should throw error on empty algorithms array', async () => {
|
||||
const identityClient = IdentityClient.create({
|
||||
discovery,
|
||||
issuer: mockBaseUrl,
|
||||
algorithms: [''],
|
||||
});
|
||||
|
||||
const token = await factory.issueToken({ claims: { sub: 'foo' } });
|
||||
return expect(
|
||||
async () => await identityClient.authenticate(token),
|
||||
).rejects.toThrow();
|
||||
});
|
||||
|
||||
it('should throw error on empty algorithm string', async () => {
|
||||
const identityClient = IdentityClient.create({
|
||||
discovery,
|
||||
issuer: mockBaseUrl,
|
||||
algorithm: '',
|
||||
algorithms: [],
|
||||
});
|
||||
|
||||
const token = await factory.issueToken({ claims: { sub: 'foo' } });
|
||||
|
||||
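Review bot: The two test names in this hunk do not match their inputs: `it('should throw error on empty algorithms array'` passes `algorithms: ['']`, a one-element array holding an empty string, while `it('should throw error on empty algorithm string'` now passes `algorithms: []`, the actually empty array. Rename them to match what they exercise, e.g. `it('should throw error on algorithms array containing an empty string', …)` for the first and `it('should throw error on empty algorithms array', …)` for the second. Both cases only show that verification fails on degenerate input; a test that issues a token with one algorithm and configures the client with a list that excludes it would pin the property the option exists for, namely that the token header's alg must be in the configured set. The second test's body continues outside the hunk.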
@@ -33,10 +33,9 @@ export type IdentityClientOptions = {
|
||||
discovery: PluginEndpointDiscovery;
|
||||
issuer: string;
|
||||
|
||||
/** JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
|
||||
* Must match the algorithm defined in TokenFactory.
|
||||
/** JWS "alg" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.
|
||||
* More info on supported algorithms: https://github.com/panva/jose */
|
||||
algorithm?: string;
|
||||
algorithms?: string[];
|
||||
};
|
||||
|
||||
/**
|
||||
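Review bot: The rewritten doc comment at `/** JWS "alg" (Algorithm) Header Parameter values. …` drops the sentence that tied this option to TokenFactory, while the TokenFactory side of this same commit keeps `Must match one of the algorithms defined for IdentityClient.` Restoring the cross-reference on this side keeps the two options documented symmetrically: `* Every entry must match the algorithm configured for a TokenFactory whose tokens this client should accept.` It is also worth saying that the list is an allow-list: a token whose header alg is not in it is rejected, and, judging by the new tests, an empty list rejects every token rather than falling back to the default.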
@@ -49,7 +48,7 @@ export type IdentityClientOptions = {
|
||||
export class IdentityClient {
|
||||
private readonly discovery: PluginEndpointDiscovery;
|
||||
private readonly issuer: string;
|
||||
private readonly algorithm: string;
|
||||
private readonly algorithms: string[];
|
||||
private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;
|
||||
private keyStoreUpdated: number = 0;
|
||||
|
||||
@@ -63,7 +62,7 @@ export class IdentityClient {
|
||||
private constructor(options: IdentityClientOptions) {
|
||||
this.discovery = options.discovery;
|
||||
this.issuer = options.issuer;
|
||||
this.algorithm = options.algorithm ?? 'ES256';
|
||||
this.algorithms = options.algorithms ?? ['ES256'];
|
||||
}
|
||||
|
||||
/**
|
||||
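Review bot: `this.algorithms = options.algorithms ?? ['ES256'];` stores the caller's array by reference; `readonly` on the field only prevents reassignment, so a caller that later mutates the array it passed in changes which algorithms this client accepts. A defensive copy avoids that: `this.algorithms = [...(options.algorithms ?? ['ES256'])];`, and declaring the field as `readonly string[]` would stop the class itself from pushing onto it as well.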
@@ -88,7 +87,7 @@ export class IdentityClient {
|
||||
throw new AuthenticationError('No keystore exists');
|
||||
}
|
||||
const decoded = await jwtVerify(token, this.keyStore, {
|
||||
algorithms: [this.algorithm],
|
||||
algorithms: this.algorithms,
|
||||
audience: 'backstage',
|
||||
issuer: this.issuer,
|
||||
});
|
||||
|
||||