
@backstage/backend-defaults


Backend defaults used by Backstage backend apps

'use strict';

const jose = require('jose');
const helpers = require('./helpers.cjs.js');

/**
 * External token handler of type "jwks".
 *
 * `initialize` reads the handler's config and builds a remote JWKS key
 * resolver; `verifyToken` checks a JWT against that key set and, on success,
 * maps its `sub` claim to an `external:`-namespaced subject.
 *
 * Review notes (security):
 * - The URL check below only rejects whitespace, and `new URL()` only requires
 *   a parseable absolute URL. Nothing in this block restricts the scheme, so a
 *   plaintext `http:` JWKS endpoint would be accepted here. NOTE(review):
 *   confirm whether transport integrity of the key set is enforced elsewhere.
 * - `algorithm`, `issuer` and `audience` are handed straight to
 *   `jose.jwtVerify`. Presumably `readStringOrStringArrayFromConfig` yields
 *   `undefined` when a key is absent (verify against the helper); jose does not
 *   enforce a constraint whose option is undefined, so an unset `issuer` or
 *   `audience` means any token signed by a key in the set passes that check.
 * - Every verification failure is reported as "no match" (`undefined`); see the
 *   comment on the `catch` in `verifyToken`.
 */
const jwksTokenHandler = helpers.createExternalTokenHandler({
  type: "jwks",

  /**
   * Builds the per-entry verification context from config.
   *
   * @param {{ options: object }} param0 - `options` is the config reader for
   *   this handler entry (uses `getString` / `getOptionalString`).
   * @returns {object} Context later passed to `verifyToken`.
   * @throws {Error} If the configured URL contains whitespace; `getString` and
   *   `new URL()` may also throw on a missing or unparseable value.
   */
  initialize({ options }) {
    // Sanity check only: rejects empty/whitespace-containing values, not schemes.
    const looksLikeSingleToken = /^\S+$/.test(options.getString("url"));
    if (!looksLikeSingleToken) {
      throw new Error(
        "Illegal JWKS URL, must be a set of non-space characters"
      );
    }

    // Verification constraints; each may be a single string or a list.
    const algorithms = helpers.readStringOrStringArrayFromConfig(
      options,
      "algorithm"
    );
    const issuers = helpers.readStringOrStringArrayFromConfig(
      options,
      "issuer"
    );
    const audiences = helpers.readStringOrStringArrayFromConfig(
      options,
      "audience"
    );
    const subjectPrefix = options.getOptionalString("subjectPrefix");

    // The key set is resolved from the remote endpoint by jose at verify time.
    const url = new URL(options.getString("url"));
    const jwks = jose.createRemoteJWKSet(url);

    // Not consumed in this block; presumably applied by the handler framework.
    const allAccessRestrictions =
      helpers.readAccessRestrictionsFromConfig(options);

    return {
      algorithms,
      audiences,
      issuers,
      jwks,
      subjectPrefix,
      url,
      allAccessRestrictions
    };
  },

  /**
   * Verifies `token` against the configured key set and constraints.
   *
   * @param {string} token - Compact JWT presented by the caller.
   * @param {object} context - Value returned by `initialize`.
   * @returns {Promise<{ subject: string } | undefined>} The namespaced subject,
   *   or `undefined` when verification fails or the token has no usable `sub`.
   */
  async verifyToken(token, context) {
    try {
      const verification = await jose.jwtVerify(token, context.jwks, {
        algorithms: context.algorithms,
        issuer: context.issuers,
        audience: context.audiences
      });

      const claimedSubject = verification.payload.sub;
      if (!claimedSubject) {
        // Signature was valid but there is no (truthy) `sub` to map.
        return undefined;
      }

      // The fixed "external:" namespace keeps these subjects distinct from
      // other principal kinds; the optional prefix separates token sources.
      let namespace = "external:";
      if (context.subjectPrefix) {
        namespace = `external:${context.subjectPrefix}:`;
      }
      return { subject: `${namespace}${claimedSubject}` };
    } catch {
      // Deliberately swallowed: a bad signature, a failed claim check and a
      // JWKS fetch error all end up here and look identical to the caller.
      // Nothing is logged in this block, so an unreachable key endpoint shows
      // up only as rejected tokens.
      return undefined;
    }
  }
});

exports.jwksTokenHandler = jwksTokenHandler;
//# sourceMappingURL=jwks.cjs.js.map