Add oidcLdapUuidMatchingAnnotation sign in resolver (#2937)

Signed-off-by: Jessica He <jhe@redhat.com>

Author: JessicaJHee

packages/backend/src/modules/authProvidersModule.ts

@@ -70,7 +70,8 @@ import {
 } from '@backstage/plugin-auth-node';
 
 import { TransitiveGroupOwnershipResolver } from '../transitiveGroupOwnershipResolver';
-import { rhdhSignInResolvers } from './authResolvers';
+import { trySignInResolvers } from './resolverUtils';
+import { rhdhSignInResolvers } from './rhdhSignInResolvers';
 
 function getAuthProviderFactory(providerId: string): AuthProviderFactory {
   switch (providerId) {
@@ -183,12 +184,17 @@ function getAuthProviderFactory(providerId: string): AuthProviderFactory {
     case 'oidc':
       return createOAuthProviderFactory({
         authenticator: oidcAuthenticator,
-        signInResolver: rhdhSignInResolvers.oidcSubClaimMatchingIdPUserId(),
+        signInResolver: trySignInResolvers([
+          rhdhSignInResolvers.oidcSubClaimMatchingKeycloakUserId(),
+          rhdhSignInResolvers.oidcLdapUuidMatchingAnnotation(),
+        ]),
         signInResolverFactories: {
           oidcSubClaimMatchingKeycloakUserId:
             rhdhSignInResolvers.oidcSubClaimMatchingKeycloakUserId,
           oidcSubClaimMatchingPingIdentityUserId:
             rhdhSignInResolvers.oidcSubClaimMatchingPingIdentityUserId,
+          oidcLdapUuidMatchingAnnotation:
+            rhdhSignInResolvers.oidcLdapUuidMatchingAnnotation,
           ...oidcSignInResolvers,
           ...commonSignInResolvers,
         },

packages/backend/src/modules/authResolvers.ts

@@ -0,0 +1,90 @@
+import type { OidcAuthResult } from '@backstage/plugin-auth-backend-module-oidc-provider';
+import {
+  AuthResolverContext,
+  createSignInResolverFactory,
+  OAuthAuthenticatorResult,
+  SignInInfo,
+  SignInResolver,
+} from '@backstage/plugin-auth-node';
+
+import { decodeJwt } from 'jose';
+import { z } from 'zod';
+
+export type OidcProviderInfo = {
+  userIdKey: string;
+  providerName: string;
+};
+
+/**
+ * Creates an OIDC sign-in resolver that looks up the user using a specific annotation key.
+ *
+ * @param userIdKey - The annotation key to match the user's `sub` claim.
+ * @param providerName - The name of the identity provider to report in error message if the `sub` claim is missing.
+ */
+export const createOidcSubClaimResolver = (provider: OidcProviderInfo) =>
+  createSignInResolverFactory({
+    optionsSchema: z
+      .object({
+        dangerouslyAllowSignInWithoutUserInCatalog: z.boolean().optional(),
+      })
+      .optional(),
+    create(options) {
+      return async (
+        info: SignInInfo<OAuthAuthenticatorResult<OidcAuthResult>>,
+        ctx: AuthResolverContext,
+      ) => {
+        const sub = info.result.fullProfile.userinfo.sub;
+        if (!sub) {
+          throw new Error(
+            `The user profile from ${provider.providerName} is missing a 'sub' claim, likely due to a misconfiguration in the provider. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        const idToken = info.result.fullProfile.tokenset.id_token;
+        if (!idToken) {
+          throw new Error(
+            `The user ID token from ${provider.providerName} is missing. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        const subFromIdToken = decodeJwt(idToken)?.sub;
+        if (sub !== subFromIdToken) {
+          throw new Error(
+            `There was a problem verifying your identity with ${provider.providerName} due to a mismatching 'sub' claim. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        return await ctx.signInWithCatalogUser(
+          {
+            annotations: { [provider.userIdKey]: sub },
+          },
+          sub,
+          options?.dangerouslyAllowSignInWithoutUserInCatalog,
+        );
+      };
+    },
+  });
+
+/**
+ * Creates a sign in resolver that tries the provided list of sign in resolvers
+ *
+ * @param signInResolvers list of sign in resolvers to try
+ */
+export function trySignInResolvers<TAuthResult>(
+  signInResolvers: SignInResolver<TAuthResult>[],
+): SignInResolver<TAuthResult> {
+  return async (profile, context) => {
+    for (const resolver of Object.values(signInResolvers)) {
+      try {
+        return await resolver(profile, context);
+      } catch (error) {
+        continue;
+      }
+    }
+
+    // same error message as in upstream readDeclarativeSignInResolver
+    throw new Error(
+      'Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver.',
+    );
+  };
+}

packages/backend/src/modules/resolverUtils.ts

@@ -0,0 +1,121 @@
+import type { OAuth2ProxyResult } from '@backstage/plugin-auth-backend-module-oauth2-proxy-provider';
+import type { OidcAuthResult } from '@backstage/plugin-auth-backend-module-oidc-provider';
+import {
+  AuthResolverContext,
+  createSignInResolverFactory,
+  OAuthAuthenticatorResult,
+  SignInInfo,
+} from '@backstage/plugin-auth-node';
+
+import { decodeJwt } from 'jose';
+import { z } from 'zod';
+
+import { createOidcSubClaimResolver, OidcProviderInfo } from './resolverUtils';
+
+const KEYCLOAK_INFO: OidcProviderInfo = {
+  userIdKey: 'keycloak.org/id',
+  providerName: 'Keycloak',
+};
+
+const PING_IDENTITY_INFO: OidcProviderInfo = {
+  userIdKey: 'pingidentity.org/id',
+  providerName: 'Ping Identity',
+};
+
+const LDAP_UUID_ANNOTATION = 'backstage.io/ldap-uuid';
+
+/**
+ * Additional RHDH specific sign-in resolvers.
+ *
+ * @public
+ */
+export namespace rhdhSignInResolvers {
+  /**
+   * An OIDC resolver that looks up the user using their Keycloak user ID.
+   */
+  export const oidcSubClaimMatchingKeycloakUserId =
+    createOidcSubClaimResolver(KEYCLOAK_INFO);
+
+  /**
+   * An OIDC resolver that looks up the user using their Ping Identity user ID.
+   */
+  export const oidcSubClaimMatchingPingIdentityUserId =
+    createOidcSubClaimResolver(PING_IDENTITY_INFO);
+
+  /**
+   * An oauth2proxy resolver that looks up the user using the OAUTH_USER_HEADER environment variable,
+   * 'x-forwarded-preferred-username' or 'x-forwarded-user'.
+   */
+  export const oauth2ProxyUserHeaderMatchingUserEntityName =
+    createSignInResolverFactory({
+      optionsSchema: z
+        .object({
+          dangerouslyAllowSignInWithoutUserInCatalog: z.boolean().optional(),
+        })
+        .optional(),
+      create(options) {
+        return async (
+          info: SignInInfo<OAuth2ProxyResult>,
+          ctx: AuthResolverContext,
+        ) => {
+          const name = process.env.OAUTH_USER_HEADER
+            ? info.result.getHeader(process.env.OAUTH_USER_HEADER)
+            : info.result.getHeader('x-forwarded-preferred-username') ||
+              info.result.getHeader('x-forwarded-user');
+          if (!name) {
+            throw new Error('Request did not contain a user');
+          }
+          return ctx.signInWithCatalogUser(
+            {
+              entityRef: { name },
+            },
+            name,
+            options?.dangerouslyAllowSignInWithoutUserInCatalog,
+          );
+        };
+      },
+    });
+
+  export const oidcLdapUuidMatchingAnnotation = createSignInResolverFactory({
+    optionsSchema: z
+      .object({
+        dangerouslyAllowSignInWithoutUserInCatalog: z.boolean().optional(),
+      })
+      .optional(),
+    create(options) {
+      return async (
+        info: SignInInfo<OAuthAuthenticatorResult<OidcAuthResult>>,
+        ctx: AuthResolverContext,
+      ) => {
+        const uuid = info.result.fullProfile.userinfo.ldap_uuid as string;
+        if (!uuid) {
+          throw new Error(
+            `The user profile from LDAP is missing the UUID, likely due to a misconfiguration in the provider. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        const idToken = info.result.fullProfile.tokenset.id_token;
+        if (!idToken) {
+          throw new Error(
+            `The user ID token from LDAP is missing. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        const uuidFromIdToken = decodeJwt(idToken)?.ldap_uuid;
+        if (uuid !== uuidFromIdToken) {
+          throw new Error(
+            `There was a problem verifying your identity with LDAP due to mismatching UUID. Please contact your system administrator for assistance.`,
+          );
+        }
+
+        return ctx.signInWithCatalogUser(
+          {
+            annotations: { [LDAP_UUID_ANNOTATION]: uuid },
+          },
+          uuid,
+          options?.dangerouslyAllowSignInWithoutUserInCatalog,
+        );
+      };
+    },
+  });
+}