Commit Graph

16 Commits

Author SHA1 Message Date
Daniel Doberenz 3637d507d4 Merge branch 'backstage:master' into Extend-microsoft-auth-provider 2024-01-17 14:59:00 +01:00
Andre Wanlin e508999a63 Adjustment based on feedback
Signed-off-by: Andre Wanlin <awanlin@spotify.com>
2024-01-10 16:22:33 -06:00
Andre Wanlin 25b2d72238 Updated so a breaking change is not needed
Signed-off-by: Andre Wanlin <awanlin@spotify.com>
2024-01-10 15:31:24 -06:00
Andre Wanlin 928efbc54a Updated auth module default export
Signed-off-by: Andre Wanlin <awanlin@spotify.com>
2024-01-10 15:31:24 -06:00
Daniel Doberenz 8462a2e3d0 Use loadash instead of own implementation and fixed documentation.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-12-05 13:07:03 +01:00
Daniel Doberenz ab8ad0f983 Extended test cases to validate the use of additionalScopes
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-23 10:10:37 +01:00
Daniel Doberenz 4248af8b47 Fixed yarn lint error.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-15 08:53:22 +01:00
Daniel Doberenz abfaf8c502 Changed the configuration property to additionalScopes and added a tested helper function to combine lists of scopes.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-15 07:18:13 +01:00
Daniel Doberenz 1ff268479e Added the possibility to use custom scopes for performing login with Microsoft EntraID.
Signed-off-by: Daniel Doberenz <daniel.doberenz@lichtblick.de>
2023-11-14 09:45:55 +01:00
Patrick Jungermann fde212dd10 fix(auth/microsoft): fix missing profile photo and access token for foreign scopes
This change re-adds the loading of the logged-in user's profile picture
as well as the "skip profile" logic for foreign scopes
which got lost while migrating the Microsoft auth provider to the new module.

Additionally, it uses the 96x96 size instead of 48x48.
The image is used on the profile card on the settings page (`/settings`)
rendered as 96x96 and was blurry due to the upscaling.

Replaces the `types.d.ts` file with type declarations with the use of
`@types/passport-microsoft`.

Closes: #20677
Closes: #20699
Signed-off-by: Patrick Jungermann <Patrick.Jungermann@gmail.com>
2023-11-07 09:19:26 +01:00
Alex Crome d7def5d0cb PR Feedback
* Tidy up passing of domain hint from initalisation to later methods
* Tidy up change set

Signed-off-by: Alex Crome <afscrome@users.noreply.github.com>
2023-10-25 21:49:23 +01:00
Alex Crome 3979524c74 Add domain_hint support to Entra ID login
When a user is logged in to multiple microsoft accounts, there can be be a little bit of friction in the Entra login process as users will be asked to select the account to login with.

Scenarios in which a user may have multiple microsoft accounts

1. Someone logged in to your work Entra ID account, and a personal microsoft account
2. A consultant who has an Entra ID account at both their employer, as well as the company they're contracted out to.
3. A user has a regular account, as well as one or more high priviliged accounts.

When a domain hint is provided, Entra will filter out all the accounts which don't belong to the tenant specified on the `domain_hint`.
In many cases, this will filter to a single account, avoiding the need to select an account at all (e.g. scenario 1 & 2).
This won't always happen (e.g. scenario 3).
Additionally in the case a tenant has been configured to federate authentication elsewhere (e.g. to an on premise AD FS), setting the domain hint means entra can send the user straight to the federated authentication soruce, removing further steps

If backstage is allowign authentication from multiple tenants, this field should be left blank.

For more details, see https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy

99% of the time, this value should be the same as the tenantId, so we could get rid of hte domain hint, and set it to the same value as the tenant id automatically.
We'd need to provide a config option (e.g. `isMultiTenant: true`) to opt out of this.
For those edge cases, this would be a breaking change.

I decided to go with specifying the `domain_hint` seperatly for now just in case my assumptions are wrong and there are more cases wher ehte `domain_hint` will get in the way.
We can always make this the default behaviour later on.

Signed-off-by: Alex Crome <afscrome@users.noreply.github.com>
2023-10-19 23:01:14 +01:00
Chris Gemmell 19b6c0ed2a oops, forgot to change the module test
Signed-off-by: Chris Gemmell <chris.gemmell8@gmail.com>
2023-10-19 01:12:14 +11:00
Chris Gemmell 2cd0b072b8 removing consent prompt
Signed-off-by: Chris Gemmell <chris.gemmell8@gmail.com>
2023-10-19 01:12:13 +11:00
Chris Gemmell 2dfeb4b612 fixed
Signed-off-by: Chris Gemmell <chris.gemmell8@gmail.com>
2023-09-23 16:42:43 +10:00
Chris 2d8f7e82c1 auth-backend: migrate microsoft provider to separate module
Signed-off-by: Chris Gemmell <chris.gemmell8@gmail.com>
2023-09-23 15:26:40 +10:00