feat(userInfo): implement persisting user info to support limited tokens

Signed-off-by: Phil Kuang <pkuang@factset.com>

Author: kuangp

.changeset/cold-comics-rush.md

@@ -0,0 +1,6 @@
+---
+'@backstage/backend-app-api': patch
+'@backstage/plugin-auth-backend': patch
+---
+
+Limited user tokens will no longer include the `ent` field in its payload. Ownership claims will now be fetched from the user info service.

packages/backend-app-api/src/services/implementations/auth/DefaultAuthService.ts

@@ -49,8 +49,12 @@ export class DefaultAuthService implements AuthService {
     private readonly publicKeyStore: KeyStore,
   ) {}
 
-  // allowLimitedAccess is currently ignored, since we currently always use the full user tokens
-  async authenticate(token: string): Promise<BackstageCredentials> {
+  async authenticate(
+    token: string,
+    options?: {
+      allowLimitedAccess?: boolean;
+    },
+  ): Promise<BackstageCredentials> {
     const pluginResult = await this.pluginTokenHandler.verifyToken(token);
     if (pluginResult) {
       if (pluginResult.limitedUserToken) {
@@ -73,6 +77,13 @@ export class DefaultAuthService implements AuthService {
 
     const userResult = await this.userTokenHandler.verifyToken(token);
     if (userResult) {
+      if (
+        !options?.allowLimitedAccess &&
+        this.userTokenHandler.isLimitedUserToken(token)
+      ) {
+        throw new AuthenticationError('Illegal limited user token');
+      }
+
       return createCredentialsWithUserPrincipal(
         userResult.userEntityRef,
         token,

packages/backend-app-api/src/services/implementations/auth/authServiceFactory.test.ts

@@ -199,6 +199,17 @@ describe('authServiceFactory', () => {
   });
 
   it('should issue limited user tokens', async () => {
+    /* Corresponding private key in case this test needs to be updated in the future:
+     {
+       kty: 'EC',
+       x: 'c9cPvv_S7zETBKDlAa3oOjr7RvyUueIYIak0TRph7mg',
+       y: 'bKaxDRAWgmEJ9Ix8e85blH_IsnbQxX31x0oQTVwLZ2c',
+       crv: 'P-256',
+       d: '2eJlhCDdGx9fxKDL1D9BnY3CCTEKxL60Bkms0hmubmY',
+       kid: '8d01c3db-56f9-45f0-86dd-05b3c835b3d3',
+       alg: 'ES256'
+     }
+    */
     server.use(
       rest.get(
         'http://localhost:7007/api/auth/.well-known/jwks.json',
@@ -208,8 +219,8 @@ describe('authServiceFactory', () => {
               keys: [
                 {
                   kty: 'EC',
-                  x: '78-Ei1H3nKM23ZpGMMzte2mVoYCcnfnSiLTm1P7vZM0',
-                  y: 'Z9-PjG_EU598tLLUc2f8sCqxT7bjs8WpoV-lHm9GJHY',
+                  x: 'c9cPvv_S7zETBKDlAa3oOjr7RvyUueIYIak0TRph7mg',
+                  y: 'bKaxDRAWgmEJ9Ix8e85blH_IsnbQxX31x0oQTVwLZ2c',
                   crv: 'P-256',
                   kid: '8d01c3db-56f9-45f0-86dd-05b3c835b3d3',
                   alg: 'ES256',
@@ -234,7 +245,7 @@ describe('authServiceFactory', () => {
     const catalogAuth = await tester.get('catalog');
 
     const fullToken =
-      'eyJ0eXAiOiJ2bmQuYmFja3N0YWdlLnVzZXIiLCJhbGciOiJFUzI1NiIsImtpZCI6IjhkMDFjM2RiLTU2ZjktNDVmMC04NmRkLTA1YjNjODM1YjNkMyJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcwMDcvYXBpL2F1dGgiLCJzdWIiOiJ1c2VyOmRldmVsb3BtZW50L2d1ZXN0IiwiZW50IjpbInVzZXI6ZGV2ZWxvcG1lbnQvZ3Vlc3QiLCJncm91cDpkZWZhdWx0L3RlYW0tYSJdLCJhdWQiOiJiYWNrc3RhZ2UiLCJpYXQiOjE3MTIwNzE3MTQsImV4cCI6MTcxMjA3NTMxNCwidWlwIjoiMDFBUUJfSWpHTXRWc2gyWmgzZEg1NXhOX29pSVlhQ1F3ODJjeDZ5M1BQMXlpTjM4eGMzMVpMS2U0YVNDQlJTTy10cjFzZFUzT29ELUxJYV8tNV9RVUEifQ.mjIrZGqbZ2t68fS4U3crlGw-bYJZnMlhMHf-YL7q_u1HfaLr4NMTcHkxdnNS2wfJxCmUBxRfUS8b3nSAKsxcHA';
+      'eyJ0eXAiOiJ2bmQuYmFja3N0YWdlLnVzZXIiLCJhbGciOiJFUzI1NiIsImtpZCI6IjhkMDFjM2RiLTU2ZjktNDVmMC04NmRkLTA1YjNjODM1YjNkMyJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcwMDcvYXBpL2F1dGgiLCJzdWIiOiJ1c2VyOmRldmVsb3BtZW50L2d1ZXN0IiwiZW50IjpbInVzZXI6ZGV2ZWxvcG1lbnQvZ3Vlc3QiLCJncm91cDpkZWZhdWx0L3RlYW0tYSJdLCJhdWQiOiJiYWNrc3RhZ2UiLCJpYXQiOjE3MTIwNzE3MTQsImV4cCI6MTcxMjA3NTMxNCwidWlwIjoiSmwxVEpycG9VUjR1NENjUE9nalJMeHpEMi1FMGZPR3ptSm81UWI2eS1aN19meG5oVVBEdWVWRE1CS0l6WF9pc0lvSDhlZm9EUFA5bG9aQnpPblB5Z2cifQ.1gVMq1ofO8PzRctu72D6c4IMqXuIabT79WdGEhW6vIrBRs_qhuWAa94Wvz_KYKpBTb2nxgzXJ5OeddeoYApMyQ';
 
     const credentials = await catalogAuth.authenticate(fullToken);
     if (!catalogAuth.isPrincipal(credentials, 'user')) {
@@ -256,7 +267,6 @@ describe('authServiceFactory', () => {
     const expectedTokenPayload = base64url.encode(
       JSON.stringify({
         sub: 'user:development/guest',
-        ent: ['user:development/guest', 'group:default/team-a'],
         iat: expectedIssuedAt,
         exp: expectedExpiresAt,
       }),
@@ -293,6 +303,17 @@ describe('authServiceFactory', () => {
     const catalogAuth = await tester.get('catalog');
     const permissionAuth = await tester.get('permission');
 
+    /* Corresponding private key in case this test needs to be updated in the future:
+     {
+       kty: 'EC',
+       x: 'c9cPvv_S7zETBKDlAa3oOjr7RvyUueIYIak0TRph7mg',
+       y: 'bKaxDRAWgmEJ9Ix8e85blH_IsnbQxX31x0oQTVwLZ2c',
+       crv: 'P-256',
+       d: '2eJlhCDdGx9fxKDL1D9BnY3CCTEKxL60Bkms0hmubmY',
+       kid: '8d01c3db-56f9-45f0-86dd-05b3c835b3d3',
+       alg: 'ES256'
+     }
+    */
     server.use(
       rest.get(
         'http://localhost:7007/api/auth/.well-known/jwks.json',
@@ -302,8 +323,8 @@ describe('authServiceFactory', () => {
               keys: [
                 {
                   kty: 'EC',
-                  x: '78-Ei1H3nKM23ZpGMMzte2mVoYCcnfnSiLTm1P7vZM0',
-                  y: 'Z9-PjG_EU598tLLUc2f8sCqxT7bjs8WpoV-lHm9GJHY',
+                  x: 'c9cPvv_S7zETBKDlAa3oOjr7RvyUueIYIak0TRph7mg',
+                  y: 'bKaxDRAWgmEJ9Ix8e85blH_IsnbQxX31x0oQTVwLZ2c',
                   crv: 'P-256',
                   kid: '8d01c3db-56f9-45f0-86dd-05b3c835b3d3',
                   alg: 'ES256',
@@ -341,7 +362,7 @@ describe('authServiceFactory', () => {
     });
 
     const fullToken =
-      'eyJ0eXAiOiJ2bmQuYmFja3N0YWdlLnVzZXIiLCJhbGciOiJFUzI1NiIsImtpZCI6IjhkMDFjM2RiLTU2ZjktNDVmMC04NmRkLTA1YjNjODM1YjNkMyJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcwMDcvYXBpL2F1dGgiLCJzdWIiOiJ1c2VyOmRldmVsb3BtZW50L2d1ZXN0IiwiZW50IjpbInVzZXI6ZGV2ZWxvcG1lbnQvZ3Vlc3QiLCJncm91cDpkZWZhdWx0L3RlYW0tYSJdLCJhdWQiOiJiYWNrc3RhZ2UiLCJpYXQiOjE3MTIwNzE3MTQsImV4cCI6MTcxMjA3NTMxNCwidWlwIjoiMDFBUUJfSWpHTXRWc2gyWmgzZEg1NXhOX29pSVlhQ1F3ODJjeDZ5M1BQMXlpTjM4eGMzMVpMS2U0YVNDQlJTTy10cjFzZFUzT29ELUxJYV8tNV9RVUEifQ.mjIrZGqbZ2t68fS4U3crlGw-bYJZnMlhMHf-YL7q_u1HfaLr4NMTcHkxdnNS2wfJxCmUBxRfUS8b3nSAKsxcHA';
+      'eyJ0eXAiOiJ2bmQuYmFja3N0YWdlLnVzZXIiLCJhbGciOiJFUzI1NiIsImtpZCI6IjhkMDFjM2RiLTU2ZjktNDVmMC04NmRkLTA1YjNjODM1YjNkMyJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcwMDcvYXBpL2F1dGgiLCJzdWIiOiJ1c2VyOmRldmVsb3BtZW50L2d1ZXN0IiwiZW50IjpbInVzZXI6ZGV2ZWxvcG1lbnQvZ3Vlc3QiLCJncm91cDpkZWZhdWx0L3RlYW0tYSJdLCJhdWQiOiJiYWNrc3RhZ2UiLCJpYXQiOjE3MTIwNzE3MTQsImV4cCI6MTcxMjA3NTMxNCwidWlwIjoiSmwxVEpycG9VUjR1NENjUE9nalJMeHpEMi1FMGZPR3ptSm81UWI2eS1aN19meG5oVVBEdWVWRE1CS0l6WF9pc0lvSDhlZm9EUFA5bG9aQnpPblB5Z2cifQ.1gVMq1ofO8PzRctu72D6c4IMqXuIabT79WdGEhW6vIrBRs_qhuWAa94Wvz_KYKpBTb2nxgzXJ5OeddeoYApMyQ';
 
     const credentials = await searchAuth.authenticate(fullToken);
     if (!searchAuth.isPrincipal(credentials, 'user')) {

packages/backend-app-api/src/services/implementations/auth/user/UserTokenHandler.test.ts

@@ -346,7 +346,6 @@ describe('UserTokenHandler', () => {
           header: { typ: 'vnd.backstage.limited-user', alg: 'ES256' },
           payload: {
             sub: 'mock',
-            ent: ['mock'],
             iat: 1,
             exp: 2,
           },
@@ -384,7 +383,6 @@ describe('UserTokenHandler', () => {
         new TextEncoder().encode(
           JSON.stringify({
             sub: parts.payload.sub,
-            ent: parts.payload.ent,
             iat: parts.payload.iat,
             exp: parts.payload.exp,
           }),

packages/backend-app-api/src/services/implementations/auth/user/UserTokenHandler.ts

@@ -137,7 +137,6 @@ export class UserTokenHandler {
       base64url.encode(
         JSON.stringify({
           sub: payload.sub,
-          ent: payload.ent,
           iat: payload.iat,
           exp: payload.exp,
         }),

packages/backend-app-api/src/services/implementations/userInfo/userInfoServiceFactory.ts

@@ -19,13 +19,24 @@ import {
   BackstageUserInfo,
   coreServices,
   createServiceFactory,
+  DiscoveryService,
   BackstageCredentials,
 } from '@backstage/backend-plugin-api';
+import { ResponseError } from '@backstage/errors';
 import { decodeJwt } from 'jose';
 import { toInternalBackstageCredentials } from '../auth/helpers';
 
-// TODO: The intention is for this to eventually be replaced by a call to the auth-backend
+type Options = {
+  discovery: DiscoveryService;
+};
+
 export class DefaultUserInfoService implements UserInfoService {
+  private readonly discovery: DiscoveryService;
+
+  constructor(options: Options) {
+    this.discovery = options.discovery;
+  }
+
   async getUserInfo(
     credentials: BackstageCredentials,
   ): Promise<BackstageUserInfo> {
@@ -36,29 +47,48 @@ export class DefaultUserInfoService implements UserInfoService {
     if (!internalCredentials.token) {
       throw new Error('User credentials is unexpectedly missing token');
     }
-    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = decodeJwt(
+    const { sub: userEntityRef, ent: ownershipEntityRefs } = decodeJwt(
       internalCredentials.token,
     );
 
     if (typeof userEntityRef !== 'string') {
       throw new Error('User entity ref must be a string');
     }
+
+    // Return user info if it's already available in the token (ie. it is a full token)
     if (
-      !Array.isArray(ownershipEntityRefs) ||
-      ownershipEntityRefs.some(ref => typeof ref !== 'string')
+      Array.isArray(ownershipEntityRefs) &&
+      ownershipEntityRefs.every(ref => typeof ref === 'string')
     ) {
-      throw new Error('Ownership entity refs must be an array of strings');
+      return { userEntityRef, ownershipEntityRefs };
     }
 
-    return { userEntityRef, ownershipEntityRefs };
+    const userInfoResp = await fetch(
+      `${await this.discovery.getBaseUrl('auth')}/v1/userinfo`,
+      {
+        headers: {
+          Authorization: `Bearer ${internalCredentials.token}`,
+        },
+      },
+    );
+
+    if (!userInfoResp.ok) {
+      throw await ResponseError.fromResponse(userInfoResp);
+    }
+
+    const { sub, ent } = await userInfoResp.json();
+
+    return { userEntityRef: sub, ownershipEntityRefs: ent };
   }
 }
 
 /** @public */
 export const userInfoServiceFactory = createServiceFactory({
   service: coreServices.userInfo,
-  deps: {},
-  async factory() {
-    return new DefaultUserInfoService();
+  deps: {
+    discovery: coreServices.discovery,
+  },
+  async factory({ discovery }) {
+    return new DefaultUserInfoService({ discovery });
   },
 });

plugins/auth-backend/migrations/20240510120825_user_info.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2024 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// @ts-check
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  await knex.schema.createTable('user_info', table => {
+    table.comment('User information');
+
+    table
+      .string('user_entity_ref')
+      .primary()
+      .notNullable()
+      .comment('User entity reference');
+
+    table
+      .text('user_info', 'longtext')
+      .notNullable()
+      .comment('User info blob, JSON serialized');
+  });
+};
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('user_info');
+};

plugins/auth-backend/src/identity/TokenFactory.test.ts

@@ -24,6 +24,7 @@ import {
 } from 'jose';
 import { MemoryKeyStore } from './MemoryKeyStore';
 import { TokenFactory } from './TokenFactory';
+import { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';
 import { tokenTypes } from '@backstage/plugin-auth-node';
 
 const logger = getVoidLogger();
@@ -43,13 +44,18 @@ const entityRef = stringifyEntityRef({
 });
 
 describe('TokenFactory', () => {
+  const mockUserInfoDatabaseHandler = {
+    addUserInfo: jest.fn().mockResolvedValue(undefined),
+  } as unknown as UserInfoDatabaseHandler;
+
   it('should issue valid tokens signed by a listed key', async () => {
     const keyDurationSeconds = 5;
     const factory = new TokenFactory({
       issuer: 'my-issuer',
       keyStore: new MemoryKeyStore(),
       keyDurationSeconds,
       logger,
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     await expect(factory.listPublicKeys()).resolves.toEqual({ keys: [] });
@@ -81,6 +87,11 @@ describe('TokenFactory', () => {
       verifyResult.payload.iat! + keyDurationSeconds,
     );
 
+    expect(mockUserInfoDatabaseHandler.addUserInfo).toHaveBeenCalledWith({
+      userEntityRef: entityRef,
+      ownershipEntityRefs: [entityRef],
+    });
+
     // Emulate the reconstruction of a limited user token
     const limitedUserToken = [
       base64url.encode(
@@ -93,7 +104,6 @@ describe('TokenFactory', () => {
       base64url.encode(
         JSON.stringify({
           sub: verifyResult.payload.sub,
-          ent: verifyResult.payload.ent,
           iat: verifyResult.payload.iat,
           exp: verifyResult.payload.exp,
         }),
@@ -107,7 +117,6 @@ describe('TokenFactory', () => {
     );
     expect(verifyProofResult.payload).toEqual({
       sub: entityRef,
-      ent: [entityRef],
       iat: expect.any(Number),
       exp: expect.any(Number),
     });
@@ -125,6 +134,7 @@ describe('TokenFactory', () => {
       keyStore: new MemoryKeyStore(),
       keyDurationSeconds: 5,
       logger,
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     const token1 = await factory.issueToken({
@@ -170,6 +180,7 @@ describe('TokenFactory', () => {
       keyStore: new MemoryKeyStore(),
       keyDurationSeconds,
       logger,
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     await expect(() => {
@@ -187,6 +198,7 @@ describe('TokenFactory', () => {
       keyDurationSeconds,
       logger,
       algorithm: '',
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     await expect(() => {
@@ -202,6 +214,7 @@ describe('TokenFactory', () => {
       keyStore: new MemoryKeyStore(),
       keyDurationSeconds: 5,
       logger,
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     await expect(() => {
@@ -220,6 +233,7 @@ describe('TokenFactory', () => {
       keyStore: new MemoryKeyStore(),
       keyDurationSeconds,
       logger,
+      userInfoDatabaseHandler: mockUserInfoDatabaseHandler,
     });
 
     const token = await factory.issueToken({