@backstage/backend-app-api 0.7.6-next.3 → 0.7.6

package/dist/index.cjs.js

@@ -1,11 +1,11 @@
 'use strict';
 
+var configLoader = require('@backstage/config-loader');
+var getPackages = require('@manypkg/get-packages');
 var path = require('path');
 var parseArgs = require('minimist');
 var cliCommon = require('@backstage/cli-common');
-var configLoader = require('@backstage/config-loader');
 var config = require('@backstage/config');
-var getPackages = require('@manypkg/get-packages');
 var http = require('http');
 var https = require('https');
 var stoppableServer = require('stoppable');
@@ -19,24 +19,25 @@ var kebabCase = require('lodash/kebabCase');
 var minimatch = require('minimatch');
 var errors = require('@backstage/errors');
 var crypto = require('crypto');
+var backendPluginApi = require('@backstage/backend-plugin-api');
 var winston = require('winston');
 var tripleBeam = require('triple-beam');
-var backendPluginApi = require('@backstage/backend-plugin-api');
 var alpha = require('@backstage/backend-plugin-api/alpha');
-var luxon = require('luxon');
-var jose = require('jose');
-var uuid = require('uuid');
+var backendCommon = require('@backstage/backend-common');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
+var pluginPermissionNode = require('@backstage/plugin-permission-node');
+var jose = require('jose');
 var types = require('@backstage/types');
-var backendCommon = require('@backstage/backend-common');
-var backendAppApi = require('@backstage/backend-app-api');
+var uuid = require('uuid');
+var luxon = require('luxon');
+var fs$1 = require('fs');
 var cookie = require('cookie');
 var Router = require('express-promise-router');
 var pathToRegexp = require('path-to-regexp');
-var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var express = require('express');
 var trimEnd = require('lodash/trimEnd');
 var backendTasks = require('@backstage/backend-tasks');
+var fetch$1 = require('node-fetch');
 
 function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
 
@@ -72,6 +73,33 @@ var kebabCase__default = /*#__PURE__*/_interopDefaultCompat(kebabCase);
 var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
 var express__default = /*#__PURE__*/_interopDefaultCompat(express);
 var trimEnd__default = /*#__PURE__*/_interopDefaultCompat(trimEnd);
+var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch$1);
+
+async function createConfigSecretEnumerator$1(options) {
+  const { logger, dir = process.cwd() } = options;
+  const { packages } = await getPackages.getPackages(dir);
+  const schema = options.schema ?? await configLoader.loadConfigSchema({
+    dependencies: packages.map((p) => p.packageJson.name)
+  });
+  return (config) => {
+    const [secretsData] = schema.process(
+      [{ data: config.getOptional() ?? {}, context: "schema-enumerator" }],
+      {
+        visibility: ["secret"],
+        ignoreSchemaErrors: true
+      }
+    );
+    const secrets = /* @__PURE__ */ new Set();
+    JSON.parse(
+      JSON.stringify(secretsData.data),
+      (_, v) => typeof v === "string" && secrets.add(v)
+    );
+    logger.info(
+      `Found ${secrets.size} new secrets in config that will be redacted`
+    );
+    return secrets;
+  };
+}
 
 class ObservableConfigProxy {
   constructor(parent, parentKey) {
@@ -181,31 +209,7 @@ function isValidUrl(url) {
   }
 }
 
-async function createConfigSecretEnumerator(options) {
-  const { logger, dir = process.cwd() } = options;
-  const { packages } = await getPackages.getPackages(dir);
-  const schema = options.schema ?? await configLoader.loadConfigSchema({
-    dependencies: packages.map((p) => p.packageJson.name)
-  });
-  return (config) => {
-    const [secretsData] = schema.process(
-      [{ data: config.getOptional() ?? {}, context: "schema-enumerator" }],
-      {
-        visibility: ["secret"],
-        ignoreSchemaErrors: true
-      }
-    );
-    const secrets = /* @__PURE__ */ new Set();
-    JSON.parse(
-      JSON.stringify(secretsData.data),
-      (_, v) => typeof v === "string" && secrets.add(v)
-    );
-    logger.info(
-      `Found ${secrets.size} new secrets in config that will be redacted`
-    );
-    return secrets;
-  };
-}
+const createConfigSecretEnumerator = createConfigSecretEnumerator$1;
 async function loadBackendConfig(options) {
   const args = parseArgs__default.default(options.argv);
   const configTargets = [args.config ?? []].flat().map((arg) => isValidUrl(arg) ? { url: arg } : { path: path.resolve(arg) });
@@ -251,7 +255,7 @@ async function loadBackendConfig(options) {
 
 const DEFAULT_PORT = 7007;
 const DEFAULT_HOST = "";
-function readHttpServerOptions(config) {
+function readHttpServerOptions$1(config) {
   return {
     listen: readHttpListenOptions(config),
     https: readHttpsOptions(config)
@@ -426,7 +430,7 @@ async function generateCertificate(hostname) {
   );
 }
 
-async function createHttpServer(listener, options, deps) {
+async function createHttpServer$1(listener, options, deps) {
   const server = await createServer(listener, options, deps);
   const stopper = stoppableServer__default.default(server, 0);
   const stopServer = stopper.stop.bind(stopper);
@@ -481,7 +485,7 @@ async function createServer(listener, options, deps) {
   return http__namespace.createServer(listener);
 }
 
-function readHelmetOptions(config) {
+function readHelmetOptions$1(config) {
   const cspOptions = readCspDirectives(config);
   return {
     contentSecurityPolicy: {
@@ -530,7 +534,7 @@ function applyCspDirectives(directives) {
   return result;
 }
 
-function readCorsOptions(config) {
+function readCorsOptions$1(config) {
   const cc = config?.getOptionalConfig("cors");
   if (!cc) {
     return { origin: false };
@@ -596,7 +600,7 @@ function applyInternalErrorFilter(error, logger) {
   return error;
 }
 
-class MiddlewareFactory {
+let MiddlewareFactory$1 = class MiddlewareFactory {
   #config;
   #logger;
   /**
@@ -671,7 +675,7 @@ class MiddlewareFactory {
    * @returns An Express request handler
    */
   helmet() {
-    return helmet__default.default(readHelmetOptions(this.#config.getOptionalConfig("backend")));
+    return helmet__default.default(readHelmetOptions$1(this.#config.getOptionalConfig("backend")));
   }
   /**
    * Returns a middleware that implements the cors library.
@@ -686,7 +690,7 @@ class MiddlewareFactory {
    * @returns An Express request handler
    */
   cors() {
-    return cors__default.default(readCorsOptions(this.#config.getOptionalConfig("backend")));
+    return cors__default.default(readCorsOptions$1(this.#config.getOptionalConfig("backend")));
   }
   /**
    * Express middleware to handle errors during request processing.
@@ -731,7 +735,7 @@ class MiddlewareFactory {
       res.status(statusCode).json(body);
     };
   }
-}
+};
 function getStatusCode(error) {
   const knownStatusCodeFields = ["statusCode", "status"];
   for (const field of knownStatusCodeFields) {
@@ -762,11 +766,17 @@ function getStatusCode(error) {
   return 500;
 }
 
+const readHttpServerOptions = readHttpServerOptions$1;
+const createHttpServer = createHttpServer$1;
+const readCorsOptions = readCorsOptions$1;
+const readHelmetOptions = readHelmetOptions$1;
+const MiddlewareFactory = MiddlewareFactory$1;
+
 const escapeRegExp = (text) => {
   return text.replace(/[.*+?^${}(\)|[\]\\]/g, "\\$&");
 };
 
-class WinstonLogger {
+let WinstonLogger$1 = class WinstonLogger {
   #winston;
   #addRedactions;
   /**
@@ -870,6 +880,69 @@ class WinstonLogger {
   addRedactions(redactions) {
     this.#addRedactions?.(redactions);
   }
+};
+
+const rootLoggerServiceFactory$1 = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.rootLogger,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig
+  },
+  async factory({ config }) {
+    const logger = WinstonLogger$1.create({
+      meta: {
+        service: "backstage"
+      },
+      level: process.env.LOG_LEVEL || "info",
+      format: process.env.NODE_ENV === "production" ? winston.format.json() : WinstonLogger$1.colorFormat(),
+      transports: [new winston.transports.Console()]
+    });
+    const secretEnumerator = await createConfigSecretEnumerator$1({ logger });
+    logger.addRedactions(secretEnumerator(config));
+    config.subscribe?.(() => logger.addRedactions(secretEnumerator(config)));
+    return logger;
+  }
+});
+
+class WinstonLogger {
+  constructor(impl) {
+    this.impl = impl;
+  }
+  /**
+   * Creates a {@link WinstonLogger} instance.
+   */
+  static create(options) {
+    return new WinstonLogger(WinstonLogger$1.create(options));
+  }
+  /**
+   * Creates a winston log formatter for redacting secrets.
+   */
+  static redacter() {
+    return WinstonLogger$1.redacter();
+  }
+  /**
+   * Creates a pretty printed winston log formatter.
+   */
+  static colorFormat() {
+    return WinstonLogger$1.colorFormat();
+  }
+  error(message, meta) {
+    this.impl.error(message, meta);
+  }
+  warn(message, meta) {
+    this.impl.warn(message, meta);
+  }
+  info(message, meta) {
+    this.impl.info(message, meta);
+  }
+  debug(message, meta) {
+    this.impl.debug(message, meta);
+  }
+  child(meta) {
+    return this.impl.child(meta);
+  }
+  addRedactions(redactions) {
+    this.impl.addRedactions(redactions);
+  }
 }
 
 class Node {
@@ -1633,102 +1706,417 @@ function createSpecializedBackend(options) {
   return new BackstageBackend(services);
 }
 
-const MIGRATIONS_TABLE = "backstage_backend_public_keys__knex_migrations";
-const TABLE = "backstage_backend_public_keys__keys";
-function applyDatabaseMigrations(knex) {
-  const migrationsDir = backendPluginApi.resolvePackagePath(
-    "@backstage/backend-app-api",
-    "migrations"
-  );
-  return knex.migrate.latest({
-    directory: migrationsDir,
-    tableName: MIGRATIONS_TABLE
-  });
-}
-class DatabaseKeyStore {
-  constructor(client, logger) {
-    this.client = client;
-    this.logger = logger;
-  }
-  static async create(options) {
-    const { database, logger } = options;
-    const client = await database.getClient();
-    if (!database.migrations?.skip) {
-      await applyDatabaseMigrations(client);
-    }
-    return new DatabaseKeyStore(client, logger);
-  }
-  async addKey(options) {
-    await this.client(TABLE).insert({
-      id: options.key.kid,
-      key: JSON.stringify(options.key),
-      expires_at: options.expiresAt.toISOString()
-    });
+const cacheServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.cache,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.rootLogger,
+    plugin: backendPluginApi.coreServices.pluginMetadata
+  },
+  async createRootContext({ config, logger }) {
+    return backendCommon.CacheManager.fromConfig(config, { logger });
+  },
+  async factory({ plugin }, manager) {
+    return manager.forPlugin(plugin.getId()).getClient();
   }
-  async listKeys() {
-    const rows = await this.client(TABLE).select();
-    const keys = rows.map((row) => ({
-      id: row.id,
-      key: JSON.parse(row.key),
-      expiresAt: new Date(row.expires_at)
-    }));
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      if (luxon.DateTime.fromJSDate(key.expiresAt) < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(
-        `Removing expired plugin service keys, '${kids.join("', '")}'`
-      );
-      this.client(TABLE).delete().whereIn("id", kids).catch((error) => {
-        this.logger.error(
-          "Failed to remove expired plugin service keys",
-          error
-        );
+});
+
+const rootConfigServiceFactory = backendPluginApi.createServiceFactory(
+  (options) => ({
+    service: backendPluginApi.coreServices.rootConfig,
+    deps: {},
+    async factory() {
+      const source = configLoader.ConfigSources.default({
+        argv: options?.argv,
+        remote: options?.remote,
+        watch: options?.watch
       });
+      console.log(`Loading config from ${source}`);
+      return await configLoader.ConfigSources.toConfig(source);
     }
-    return { keys: validKeys };
+  })
+);
+
+const databaseServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.database,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig,
+    lifecycle: backendPluginApi.coreServices.lifecycle,
+    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
+  },
+  async createRootContext({ config: config$1 }) {
+    return config$1.getOptional("backend.database") ? backendCommon.DatabaseManager.fromConfig(config$1) : backendCommon.DatabaseManager.fromConfig(
+      new config.ConfigReader({
+        backend: {
+          database: { client: "better-sqlite3", connection: ":memory:" }
+        }
+      })
+    );
+  },
+  async factory({ pluginMetadata, lifecycle }, databaseManager) {
+    return databaseManager.forPlugin(pluginMetadata.getId(), {
+      pluginMetadata,
+      lifecycle
+    });
   }
-}
+});
 
-function createCredentialsWithServicePrincipal(sub, token, accessRestrictions) {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    token,
-    principal: {
-      type: "service",
-      subject: sub,
-      accessRestrictions
-    }
-  };
-}
-function createCredentialsWithUserPrincipal(sub, token, expiresAt) {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    token,
-    expiresAt,
-    principal: {
-      type: "user",
-      userEntityRef: sub
-    }
-  };
-}
-function createCredentialsWithNonePrincipal() {
-  return {
-    $$type: "@backstage/BackstageCredentials",
-    version: "v1",
-    principal: {
-      type: "none"
-    }
-  };
+let HostDiscovery$1 = class HostDiscovery {
+  constructor(internalBaseUrl, externalBaseUrl, discoveryConfig) {
+    this.internalBaseUrl = internalBaseUrl;
+    this.externalBaseUrl = externalBaseUrl;
+    this.discoveryConfig = discoveryConfig;
+  }
+  /**
+   * Creates a new HostDiscovery discovery instance by reading
+   * from the `backend` config section, specifically the `.baseUrl` for
+   * discovering the external URL, and the `.listen` and `.https` config
+   * for the internal one.
+   *
+   * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
+   * eg.
+   * ```yaml
+   * discovery:
+   *  endpoints:
+   *    - target: https://internal.example.com/internal-catalog
+   *      plugins: [catalog]
+   *    - target: https://internal.example.com/secure/api/{{pluginId}}
+   *      plugins: [auth, permission]
+   *    - target:
+   *        internal: https://internal.example.com/search
+   *        external: https://example.com/search
+   *      plugins: [search]
+   * ```
+   *
+   * The basePath defaults to `/api`, meaning the default full internal
+   * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
+   */
+  static fromConfig(config, options) {
+    const basePath = options?.basePath ?? "/api";
+    const externalBaseUrl = config.getString("backend.baseUrl").replace(/\/+$/, "");
+    const {
+      listen: { host: listenHost = "::", port: listenPort }
+    } = readHttpServerOptions$1(config.getConfig("backend"));
+    const protocol = config.has("backend.https") ? "https" : "http";
+    let host = listenHost;
+    if (host === "::" || host === "") {
+      host = "localhost";
+    } else if (host === "0.0.0.0") {
+      host = "127.0.0.1";
+    }
+    if (host.includes(":")) {
+      host = `[${host}]`;
+    }
+    const internalBaseUrl = `${protocol}://${host}:${listenPort}`;
+    return new HostDiscovery(
+      internalBaseUrl + basePath,
+      externalBaseUrl + basePath,
+      config.getOptionalConfig("discovery")
+    );
+  }
+  getTargetFromConfig(pluginId, type) {
+    const endpoints = this.discoveryConfig?.getOptionalConfigArray("endpoints");
+    const target = endpoints?.find((endpoint) => endpoint.getStringArray("plugins").includes(pluginId))?.get("target");
+    if (!target) {
+      const baseUrl = type === "external" ? this.externalBaseUrl : this.internalBaseUrl;
+      return `${baseUrl}/${encodeURIComponent(pluginId)}`;
+    }
+    if (typeof target === "string") {
+      return target.replace(
+        /\{\{\s*pluginId\s*\}\}/g,
+        encodeURIComponent(pluginId)
+      );
+    }
+    return target[type].replace(
+      /\{\{\s*pluginId\s*\}\}/g,
+      encodeURIComponent(pluginId)
+    );
+  }
+  async getBaseUrl(pluginId) {
+    return this.getTargetFromConfig(pluginId, "internal");
+  }
+  async getExternalBaseUrl(pluginId) {
+    return this.getTargetFromConfig(pluginId, "external");
+  }
+};
+
+backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.discovery,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig
+  },
+  async factory({ config }) {
+    return HostDiscovery$1.fromConfig(config);
+  }
+});
+
+class HostDiscovery {
+  constructor(impl) {
+    this.impl = impl;
+  }
+  /**
+   * Creates a new HostDiscovery discovery instance by reading
+   * from the `backend` config section, specifically the `.baseUrl` for
+   * discovering the external URL, and the `.listen` and `.https` config
+   * for the internal one.
+   *
+   * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
+   * eg.
+   * ```yaml
+   * discovery:
+   *  endpoints:
+   *    - target: https://internal.example.com/internal-catalog
+   *      plugins: [catalog]
+   *    - target: https://internal.example.com/secure/api/{{pluginId}}
+   *      plugins: [auth, permission]
+   *    - target:
+   *        internal: https://internal.example.com/search
+   *        external: https://example.com/search
+   *      plugins: [search]
+   * ```
+   *
+   * The basePath defaults to `/api`, meaning the default full internal
+   * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
+   */
+  static fromConfig(config, options) {
+    return new HostDiscovery(HostDiscovery$1.fromConfig(config, options));
+  }
+  async getBaseUrl(pluginId) {
+    return this.impl.getBaseUrl(pluginId);
+  }
+  async getExternalBaseUrl(pluginId) {
+    return this.impl.getExternalBaseUrl(pluginId);
+  }
+}
+
+const discoveryServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.discovery,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig
+  },
+  async factory({ config }) {
+    return HostDiscovery.fromConfig(config);
+  }
+});
+
+const identityServiceFactory = backendPluginApi.createServiceFactory(
+  (options) => ({
+    service: backendPluginApi.coreServices.identity,
+    deps: {
+      discovery: backendPluginApi.coreServices.discovery
+    },
+    async factory({ discovery }) {
+      return pluginAuthNode.DefaultIdentityClient.create({ discovery, ...options });
+    }
+  })
+);
+
+class BackendPluginLifecycleImpl {
+  constructor(logger, rootLifecycle, pluginMetadata) {
+    this.logger = logger;
+    this.rootLifecycle = rootLifecycle;
+    this.pluginMetadata = pluginMetadata;
+  }
+  #hasStarted = false;
+  #startupTasks = [];
+  addStartupHook(hook, options) {
+    if (this.#hasStarted) {
+      throw new Error("Attempted to add startup hook after startup");
+    }
+    this.#startupTasks.push({ hook, options });
+  }
+  async startup() {
+    if (this.#hasStarted) {
+      return;
+    }
+    this.#hasStarted = true;
+    this.logger.debug(
+      `Running ${this.#startupTasks.length} plugin startup tasks...`
+    );
+    await Promise.all(
+      this.#startupTasks.map(async ({ hook, options }) => {
+        const logger = options?.logger ?? this.logger;
+        try {
+          await hook();
+          logger.debug(`Plugin startup hook succeeded`);
+        } catch (error) {
+          logger.error(`Plugin startup hook failed, ${error}`);
+        }
+      })
+    );
+  }
+  addShutdownHook(hook, options) {
+    const plugin = this.pluginMetadata.getId();
+    this.rootLifecycle.addShutdownHook(hook, {
+      logger: options?.logger?.child({ plugin }) ?? this.logger
+    });
+  }
+}
+const lifecycleServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.lifecycle,
+  deps: {
+    logger: backendPluginApi.coreServices.logger,
+    rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
+    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
+  },
+  async factory({ rootLifecycle, logger, pluginMetadata }) {
+    return new BackendPluginLifecycleImpl(
+      logger,
+      rootLifecycle,
+      pluginMetadata
+    );
+  }
+});
+
+const permissionsServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.permissions,
+  deps: {
+    auth: backendPluginApi.coreServices.auth,
+    config: backendPluginApi.coreServices.rootConfig,
+    discovery: backendPluginApi.coreServices.discovery,
+    tokenManager: backendPluginApi.coreServices.tokenManager
+  },
+  async factory({ auth, config, discovery, tokenManager }) {
+    return pluginPermissionNode.ServerPermissionClient.fromConfig(config, {
+      auth,
+      discovery,
+      tokenManager
+    });
+  }
+});
+
+class BackendLifecycleImpl {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  #hasStarted = false;
+  #startupTasks = [];
+  addStartupHook(hook, options) {
+    if (this.#hasStarted) {
+      throw new Error("Attempted to add startup hook after startup");
+    }
+    this.#startupTasks.push({ hook, options });
+  }
+  async startup() {
+    if (this.#hasStarted) {
+      return;
+    }
+    this.#hasStarted = true;
+    this.logger.debug(`Running ${this.#startupTasks.length} startup tasks...`);
+    await Promise.all(
+      this.#startupTasks.map(async ({ hook, options }) => {
+        const logger = options?.logger ?? this.logger;
+        try {
+          await hook();
+          logger.debug(`Startup hook succeeded`);
+        } catch (error) {
+          logger.error(`Startup hook failed, ${error}`);
+        }
+      })
+    );
+  }
+  #hasShutdown = false;
+  #shutdownTasks = [];
+  addShutdownHook(hook, options) {
+    if (this.#hasShutdown) {
+      throw new Error("Attempted to add shutdown hook after shutdown");
+    }
+    this.#shutdownTasks.push({ hook, options });
+  }
+  async shutdown() {
+    if (this.#hasShutdown) {
+      return;
+    }
+    this.#hasShutdown = true;
+    this.logger.debug(
+      `Running ${this.#shutdownTasks.length} shutdown tasks...`
+    );
+    await Promise.all(
+      this.#shutdownTasks.map(async ({ hook, options }) => {
+        const logger = options?.logger ?? this.logger;
+        try {
+          await hook();
+          logger.debug(`Shutdown hook succeeded`);
+        } catch (error) {
+          logger.error(`Shutdown hook failed, ${error}`);
+        }
+      })
+    );
+  }
+}
+const rootLifecycleServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.rootLifecycle,
+  deps: {
+    logger: backendPluginApi.coreServices.rootLogger
+  },
+  async factory({ logger }) {
+    return new BackendLifecycleImpl(logger);
+  }
+});
+
+const tokenManagerServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.tokenManager,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.rootLogger
+  },
+  createRootContext({ config, logger }) {
+    return backendCommon.ServerTokenManager.fromConfig(config, {
+      logger,
+      allowDisabledTokenManager: true
+    });
+  },
+  async factory(_deps, tokenManager) {
+    return tokenManager;
+  }
+});
+
+const urlReaderServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.urlReader,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.logger
+  },
+  async factory({ config, logger }) {
+    return backendCommon.UrlReaders.default({
+      config,
+      logger
+    });
+  }
+});
+
+function createCredentialsWithServicePrincipal(sub, token, accessRestrictions) {
+  return {
+    $$type: "@backstage/BackstageCredentials",
+    version: "v1",
+    token,
+    principal: {
+      type: "service",
+      subject: sub,
+      accessRestrictions
+    }
+  };
+}
+function createCredentialsWithUserPrincipal(sub, token, expiresAt) {
+  return {
+    $$type: "@backstage/BackstageCredentials",
+    version: "v1",
+    token,
+    expiresAt,
+    principal: {
+      type: "user",
+      userEntityRef: sub
+    }
+  };
+}
+function createCredentialsWithNonePrincipal() {
+  return {
+    $$type: "@backstage/BackstageCredentials",
+    version: "v1",
+    principal: {
+      type: "none"
+    }
+  };
 }
 function toInternalBackstageCredentials(credentials) {
   if (credentials.$$type !== "@backstage/BackstageCredentials") {
@@ -1744,17 +2132,16 @@ function toInternalBackstageCredentials(credentials) {
 }
 
 class DefaultAuthService {
-  constructor(userTokenHandler, pluginTokenHandler, externalTokenHandler, tokenManager, pluginId, disableDefaultAuthPolicy, publicKeyStore) {
+  constructor(userTokenHandler, pluginTokenHandler, externalTokenHandler, tokenManager, pluginId, disableDefaultAuthPolicy, pluginKeySource) {
     this.userTokenHandler = userTokenHandler;
     this.pluginTokenHandler = pluginTokenHandler;
     this.externalTokenHandler = externalTokenHandler;
     this.tokenManager = tokenManager;
     this.pluginId = pluginId;
     this.disableDefaultAuthPolicy = disableDefaultAuthPolicy;
-    this.publicKeyStore = publicKeyStore;
+    this.pluginKeySource = pluginKeySource;
   }
-  // allowLimitedAccess is currently ignored, since we currently always use the full user tokens
-  async authenticate(token) {
+  async authenticate(token, options) {
     const pluginResult = await this.pluginTokenHandler.verifyToken(token);
     if (pluginResult) {
       if (pluginResult.limitedUserToken) {
@@ -1776,6 +2163,9 @@ class DefaultAuthService {
     }
     const userResult = await this.userTokenHandler.verifyToken(token);
     if (userResult) {
+      if (!options?.allowLimitedAccess && this.userTokenHandler.isLimitedUserToken(token)) {
+        throw new errors.AuthenticationError("Illegal limited user token");
+      }
       return createCredentialsWithUserPrincipal(
         userResult.userEntityRef,
         token,
@@ -1788,920 +2178,972 @@ class DefaultAuthService {
         externalResult.subject,
         void 0,
         externalResult.accessRestrictions
-      );
-    }
-    throw new errors.AuthenticationError("Illegal token");
-  }
-  isPrincipal(credentials, type) {
-    const principal = credentials.principal;
-    if (type === "unknown") {
-      return true;
-    }
-    if (principal.type !== type) {
-      return false;
-    }
-    return true;
-  }
-  async getNoneCredentials() {
-    return createCredentialsWithNonePrincipal();
-  }
-  async getOwnServiceCredentials() {
-    return createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);
-  }
-  async getPluginRequestToken(options) {
-    const { targetPluginId } = options;
-    const internalForward = toInternalBackstageCredentials(options.onBehalfOf);
-    const { type } = internalForward.principal;
-    if (type === "none" && this.disableDefaultAuthPolicy) {
-      return { token: "" };
-    }
-    const targetSupportsNewAuth = await this.pluginTokenHandler.isTargetPluginSupported(targetPluginId);
-    switch (type) {
-      case "service":
-        if (targetSupportsNewAuth) {
-          return this.pluginTokenHandler.issueToken({
-            pluginId: this.pluginId,
-            targetPluginId
-          });
-        }
-        return this.tokenManager.getToken().catch((error) => {
-          throw new errors.ForwardedError(
-            `Unable to generate legacy token for communication with the '${targetPluginId}' plugin. You will typically encounter this error when attempting to call a plugin that does not exist, or is deployed with an old version of Backstage`,
-            error
-          );
-        });
-      case "user": {
-        const { token } = internalForward;
-        if (!token) {
-          throw new Error("User credentials is unexpectedly missing token");
-        }
-        if (targetSupportsNewAuth) {
-          const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(
-            token
-          );
-          return this.pluginTokenHandler.issueToken({
-            pluginId: this.pluginId,
-            targetPluginId,
-            onBehalfOf
-          });
-        }
-        if (this.userTokenHandler.isLimitedUserToken(token)) {
-          throw new errors.AuthenticationError(
-            `Unable to call '${targetPluginId}' plugin on behalf of user, because the target plugin does not support on-behalf-of tokens or the plugin doesn't exist`
-          );
-        }
-        return { token };
-      }
-      default:
-        throw new errors.AuthenticationError(
-          `Refused to issue service token for credential type '${type}'`
-        );
-    }
-  }
-  async getLimitedUserToken(credentials) {
-    const { token: backstageToken } = toInternalBackstageCredentials(credentials);
-    if (!backstageToken) {
-      throw new errors.AuthenticationError(
-        "User credentials is unexpectedly missing token"
-      );
-    }
-    return this.userTokenHandler.createLimitedUserToken(backstageToken);
-  }
-  async listPublicServiceKeys() {
-    const { keys } = await this.publicKeyStore.listKeys();
-    return { keys: keys.map(({ key }) => key) };
-  }
-  #getJwtExpiration(token) {
-    const { exp } = jose.decodeJwt(token);
-    if (!exp) {
-      throw new errors.AuthenticationError("User token is missing expiration");
-    }
-    return new Date(exp * 1e3);
-  }
-}
-
-const CLOCK_MARGIN_S = 10;
-class JwksClient {
-  constructor(getEndpoint) {
-    this.getEndpoint = getEndpoint;
-  }
-  #keyStore;
-  #keyStoreUpdated = 0;
-  get getKey() {
-    if (!this.#keyStore) {
-      throw new errors.AuthenticationError(
-        "refreshKeyStore must be called before jwksClient.getKey"
-      );
-    }
-    return this.#keyStore;
-  }
-  /**
-   * If the last keystore refresh is stale, update the keystore URL to the latest
-   */
-  async refreshKeyStore(rawJwtToken) {
-    const payload = await jose.decodeJwt(rawJwtToken);
-    const header = await jose.decodeProtectedHeader(rawJwtToken);
-    let keyStoreHasKey;
-    try {
-      if (this.#keyStore) {
-        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
-        keyStoreHasKey = await this.#keyStore(header, {
-          payload: rawPayload,
-          signature: rawSignature
-        });
-      }
-    } catch (error) {
-      keyStoreHasKey = false;
-    }
-    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.#keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!this.#keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
-      const endpoint = await this.getEndpoint();
-      this.#keyStore = jose.createRemoteJWKSet(endpoint);
-      this.#keyStoreUpdated = Date.now() / 1e3;
-    }
-  }
-}
-
-const KEY_EXPIRATION_MARGIN_FACTOR = 3;
-const SECONDS_IN_MS = 1e3;
-const ALLOWED_PLUGIN_ID_PATTERN = /^[a-z0-9_-]+$/i;
-class PluginTokenHandler {
-  constructor(logger, ownPluginId, publicKeyStore, keyDurationSeconds, algorithm, discovery) {
-    this.logger = logger;
-    this.ownPluginId = ownPluginId;
-    this.publicKeyStore = publicKeyStore;
-    this.keyDurationSeconds = keyDurationSeconds;
-    this.algorithm = algorithm;
-    this.discovery = discovery;
-  }
-  privateKeyPromise;
-  keyExpiry;
-  jwksMap = /* @__PURE__ */ new Map();
-  // Tracking state for isTargetPluginSupported
-  supportedTargetPlugins = /* @__PURE__ */ new Set();
-  targetPluginInflightChecks = /* @__PURE__ */ new Map();
-  static create(options) {
-    return new PluginTokenHandler(
-      options.logger,
-      options.ownPluginId,
-      options.publicKeyStore,
-      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
-      options.algorithm ?? "ES256",
-      options.discovery
-    );
-  }
-  async verifyToken(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ !== pluginAuthNode.tokenTypes.plugin.typParam) {
-        return void 0;
-      }
-    } catch {
-      return void 0;
-    }
-    const pluginId = String(jose.decodeJwt(token).sub);
-    if (!pluginId) {
-      throw new errors.AuthenticationError("Invalid plugin token: missing subject");
-    }
-    if (!ALLOWED_PLUGIN_ID_PATTERN.test(pluginId)) {
-      throw new errors.AuthenticationError(
-        "Invalid plugin token: forbidden subject format"
-      );
-    }
-    const jwksClient = await this.getJwksClient(pluginId);
-    await jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      jwksClient.getKey,
-      {
-        typ: pluginAuthNode.tokenTypes.plugin.typParam,
-        audience: this.ownPluginId,
-        requiredClaims: ["iat", "exp", "sub", "aud"]
-      }
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid plugin token", e);
-    });
-    return { subject: `plugin:${payload.sub}`, limitedUserToken: payload.obo };
-  }
-  async issueToken(options) {
-    const { pluginId, targetPluginId, onBehalfOf } = options;
-    const key = await this.getKey();
-    const sub = pluginId;
-    const aud = targetPluginId;
-    const iat = Math.floor(Date.now() / SECONDS_IN_MS);
-    const ourExp = iat + this.keyDurationSeconds;
-    const exp = onBehalfOf ? Math.min(
-      ourExp,
-      Math.floor(onBehalfOf.expiresAt.getTime() / SECONDS_IN_MS)
-    ) : ourExp;
-    const claims = { sub, aud, iat, exp, obo: onBehalfOf?.token };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.plugin.typParam,
-      alg: this.algorithm,
-      kid: key.kid
-    }).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
-    return { token };
+      );
+    }
+    throw new errors.AuthenticationError("Illegal token");
   }
-  async isTargetPluginSupported(targetPluginId) {
-    if (this.supportedTargetPlugins.has(targetPluginId)) {
+  isPrincipal(credentials, type) {
+    const principal = credentials.principal;
+    if (type === "unknown") {
       return true;
     }
-    const inFlight = this.targetPluginInflightChecks.get(targetPluginId);
-    if (inFlight) {
-      return inFlight;
+    if (principal.type !== type) {
+      return false;
     }
-    const doCheck = async () => {
-      try {
-        const res = await fetch(
-          `${await this.discovery.getBaseUrl(
+    return true;
+  }
+  async getNoneCredentials() {
+    return createCredentialsWithNonePrincipal();
+  }
+  async getOwnServiceCredentials() {
+    return createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);
+  }
+  async getPluginRequestToken(options) {
+    const { targetPluginId } = options;
+    const internalForward = toInternalBackstageCredentials(options.onBehalfOf);
+    const { type } = internalForward.principal;
+    if (type === "none" && this.disableDefaultAuthPolicy) {
+      return { token: "" };
+    }
+    const targetSupportsNewAuth = await this.pluginTokenHandler.isTargetPluginSupported(targetPluginId);
+    switch (type) {
+      case "service":
+        if (targetSupportsNewAuth) {
+          return this.pluginTokenHandler.issueToken({
+            pluginId: this.pluginId,
             targetPluginId
-          )}/.backstage/auth/v1/jwks.json`
-        );
-        if (res.status === 404) {
-          return false;
+          });
         }
-        if (!res.ok) {
-          throw new Error(`Failed to fetch jwks.json, ${res.status}`);
+        return this.tokenManager.getToken().catch((error) => {
+          throw new errors.ForwardedError(
+            `Unable to generate legacy token for communication with the '${targetPluginId}' plugin. You will typically encounter this error when attempting to call a plugin that does not exist, or is deployed with an old version of Backstage`,
+            error
+          );
+        });
+      case "user": {
+        const { token } = internalForward;
+        if (!token) {
+          throw new Error("User credentials is unexpectedly missing token");
         }
-        const data = await res.json();
-        if (!data.keys) {
-          throw new Error(`Invalid jwks.json response, missing keys`);
+        if (targetSupportsNewAuth) {
+          const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(
+            token
+          );
+          return this.pluginTokenHandler.issueToken({
+            pluginId: this.pluginId,
+            targetPluginId,
+            onBehalfOf
+          });
         }
-        this.supportedTargetPlugins.add(targetPluginId);
-        return true;
-      } catch (error) {
-        this.logger.error("Unexpected failure for target JWKS check", error);
-        return false;
-      } finally {
-        this.targetPluginInflightChecks.delete(targetPluginId);
+        if (this.userTokenHandler.isLimitedUserToken(token)) {
+          throw new errors.AuthenticationError(
+            `Unable to call '${targetPluginId}' plugin on behalf of user, because the target plugin does not support on-behalf-of tokens or the plugin doesn't exist`
+          );
+        }
+        return { token };
       }
-    };
-    const check = doCheck();
-    this.targetPluginInflightChecks.set(targetPluginId, check);
-    return check;
-  }
-  async getJwksClient(pluginId) {
-    const client = this.jwksMap.get(pluginId);
-    if (client) {
-      return client;
+      default:
+        throw new errors.AuthenticationError(
+          `Refused to issue service token for credential type '${type}'`
+        );
     }
-    if (!await this.isTargetPluginSupported(pluginId)) {
+  }
+  async getLimitedUserToken(credentials) {
+    const { token: backstageToken } = toInternalBackstageCredentials(credentials);
+    if (!backstageToken) {
       throw new errors.AuthenticationError(
-        `Received a plugin token where the source '${pluginId}' plugin unexpectedly does not have a JWKS endpoint`
+        "User credentials is unexpectedly missing token"
       );
     }
-    const newClient = new JwksClient(async () => {
-      return new URL(
-        `${await this.discovery.getBaseUrl(
-          pluginId
-        )}/.backstage/auth/v1/jwks.json`
+    return this.userTokenHandler.createLimitedUserToken(backstageToken);
+  }
+  async listPublicServiceKeys() {
+    const { keys } = await this.pluginKeySource.listKeys();
+    return { keys: keys.map(({ key }) => key) };
+  }
+  #getJwtExpiration(token) {
+    const { exp } = jose.decodeJwt(token);
+    if (!exp) {
+      throw new errors.AuthenticationError("User token is missing expiration");
+    }
+    return new Date(exp * 1e3);
+  }
+}
+
+function readAccessRestrictionsFromConfig(externalAccessEntryConfig) {
+  const configs = externalAccessEntryConfig.getOptionalConfigArray("accessRestrictions") ?? [];
+  const result = /* @__PURE__ */ new Map();
+  for (const config of configs) {
+    const validKeys = ["plugin", "permission", "permissionAttribute"];
+    for (const key of config.keys()) {
+      if (!validKeys.includes(key)) {
+        const valid = validKeys.map((k) => `'${k}'`).join(", ");
+        throw new Error(
+          `Invalid key '${key}' in 'accessRestrictions' config, expected one of ${valid}`
+        );
+      }
+    }
+    const pluginId = config.getString("plugin");
+    const permissionNames = readPermissionNames(config);
+    const permissionAttributes = readPermissionAttributes(config);
+    if (result.has(pluginId)) {
+      throw new Error(
+        `Attempted to declare 'accessRestrictions' twice for plugin '${pluginId}', which is not permitted`
       );
+    }
+    result.set(pluginId, {
+      ...permissionNames ? { permissionNames } : {},
+      ...permissionAttributes ? { permissionAttributes } : {}
     });
-    this.jwksMap.set(pluginId, newClient);
-    return newClient;
   }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && this.keyExpiry.getTime() > Date.now()) {
-        return this.privateKeyPromise;
+  return result.size ? result : void 0;
+}
+function readStringOrStringArrayFromConfig(root, key, validValues) {
+  if (!root.has(key)) {
+    return void 0;
+  }
+  const rawValues = Array.isArray(root.get(key)) ? root.getStringArray(key) : [root.getString(key)];
+  const values = [
+    ...new Set(
+      rawValues.map((v) => v.split(/[ ,]/)).flat().filter(Boolean)
+    )
+  ];
+  if (!values.length) {
+    return void 0;
+  }
+  if (validValues?.length) {
+    for (const value of values) {
+      if (!validValues.includes(value)) {
+        const valid = validValues.map((k) => `'${k}'`).join(", ");
+        throw new Error(
+          `Invalid value '${value}' at '${key}' in 'permissionAttributes' config, valid values are ${valid}`
+        );
       }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
     }
-    this.keyExpiry = new Date(
-      Date.now() + this.keyDurationSeconds * SECONDS_IN_MS
-    );
-    const promise = (async () => {
-      const kid = uuid.v4();
-      const key = await jose.generateKeyPair(this.algorithm);
-      const publicKey = await jose.exportJWK(key.publicKey);
-      const privateKey = await jose.exportJWK(key.privateKey);
-      publicKey.kid = privateKey.kid = kid;
-      publicKey.alg = privateKey.alg = this.algorithm;
-      this.logger.info(`Created new signing key ${kid}`);
-      await this.publicKeyStore.addKey({
-        id: kid,
-        key: publicKey,
-        expiresAt: new Date(
-          Date.now() + this.keyDurationSeconds * SECONDS_IN_MS * KEY_EXPIRATION_MARGIN_FACTOR
-        )
-      });
-      return privateKey;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
+  }
+  return values;
+}
+function readPermissionNames(externalAccessEntryConfig) {
+  return readStringOrStringArrayFromConfig(
+    externalAccessEntryConfig,
+    "permission"
+  );
+}
+function readPermissionAttributes(externalAccessEntryConfig) {
+  const config = externalAccessEntryConfig.getOptionalConfig(
+    "permissionAttribute"
+  );
+  if (!config) {
+    return void 0;
+  }
+  const validKeys = ["action"];
+  for (const key of config.keys()) {
+    if (!validKeys.includes(key)) {
+      const valid = validKeys.map((k) => `'${k}'`).join(", ");
+      throw new Error(
+        `Invalid key '${key}' in 'permissionAttribute' config, expected ${valid}`
+      );
     }
-    return promise;
   }
+  const action = readStringOrStringArrayFromConfig(config, "action", [
+    "create",
+    "read",
+    "update",
+    "delete"
+  ]);
+  const result = {
+    ...action ? { action } : {}
+  };
+  return Object.keys(result).length ? result : void 0;
 }
 
-class UserTokenHandler {
-  constructor(jwksClient) {
-    this.jwksClient = jwksClient;
+class LegacyTokenHandler {
+  #entries = new Array();
+  add(config) {
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    this.#doAdd(
+      config.getString("options.secret"),
+      config.getString("options.subject"),
+      allAccessRestrictions
+    );
   }
-  static create(options) {
-    const jwksClient = new JwksClient(async () => {
-      const url = await options.discovery.getBaseUrl("auth");
-      return new URL(`${url}/.well-known/jwks.json`);
-    });
-    return new UserTokenHandler(jwksClient);
+  // used only for the old backend.auth.keys array
+  addOld(config) {
+    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
   }
-  async verifyToken(token) {
-    const verifyOpts = this.#getTokenVerificationOptions(token);
-    if (!verifyOpts) {
-      return void 0;
+  #doAdd(secret, subject, allAccessRestrictions) {
+    if (!secret.match(/^\S+$/)) {
+      throw new Error("Illegal secret, must be a valid base64 string");
+    } else if (!subject.match(/^\S+$/)) {
+      throw new Error("Illegal subject, must be a set of non-space characters");
     }
-    await this.jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      this.jwksClient.getKey,
-      verifyOpts
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid token", e);
-    });
-    const userEntityRef = payload.sub;
-    if (!userEntityRef) {
-      throw new errors.AuthenticationError("No user sub found in token");
+    let key;
+    try {
+      key = jose.base64url.decode(secret);
+    } catch {
+      throw new Error("Illegal secret, must be a valid base64 string");
     }
-    return { userEntityRef };
+    if (this.#entries.some((e) => e.key === key)) {
+      throw new Error(
+        "Legacy externalAccess token was declared more than once"
+      );
+    }
+    this.#entries.push({
+      key,
+      result: {
+        subject,
+        allAccessRestrictions
+      }
+    });
   }
-  #getTokenVerificationOptions(token) {
+  async verifyToken(token) {
     try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ === pluginAuthNode.tokenTypes.user.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.user.typParam
-        };
+      const { alg } = jose.decodeProtectedHeader(token);
+      if (alg !== "HS256") {
+        return void 0;
       }
-      if (typ === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam
-        };
+      const { sub, aud } = jose.decodeJwt(token);
+      if (sub !== "backstage-server" || aud) {
+        return void 0;
       }
-      const { aud } = jose.decodeJwt(token);
-      if (aud === pluginAuthNode.tokenTypes.user.audClaim) {
-        return {
-          audience: pluginAuthNode.tokenTypes.user.audClaim
-        };
+    } catch (e) {
+      return void 0;
+    }
+    for (const { key, result } of this.#entries) {
+      try {
+        await jose.jwtVerify(token, key);
+        return result;
+      } catch (e) {
+        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
+          throw e;
+        }
       }
-    } catch {
     }
     return void 0;
   }
-  createLimitedUserToken(backstageToken) {
-    const [headerRaw, payloadRaw] = backstageToken.split(".");
-    const header = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(headerRaw))
-    );
-    const payload = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(payloadRaw))
-    );
-    const tokenType = header.typ;
-    if (!tokenType || tokenType === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-      return { token: backstageToken, expiresAt: new Date(payload.exp * 1e3) };
+}
+
+const MIN_TOKEN_LENGTH = 8;
+class StaticTokenHandler {
+  #entries = /* @__PURE__ */ new Map();
+  add(config) {
+    const token = config.getString("options.token");
+    const subject = config.getString("options.subject");
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    if (!token.match(/^\S+$/)) {
+      throw new Error("Illegal token, must be a set of non-space characters");
+    } else if (token.length < MIN_TOKEN_LENGTH) {
+      throw new Error(
+        `Illegal token, must be at least ${MIN_TOKEN_LENGTH} characters length`
+      );
+    } else if (!subject.match(/^\S+$/)) {
+      throw new Error("Illegal subject, must be a set of non-space characters");
+    } else if (this.#entries.has(token)) {
+      throw new Error(
+        "Static externalAccess token was declared more than once"
+      );
     }
-    if (tokenType !== pluginAuthNode.tokenTypes.user.typParam) {
-      throw new errors.AuthenticationError(
-        "Failed to create limited user token, invalid token type"
+    this.#entries.set(token, { subject, allAccessRestrictions });
+  }
+  async verifyToken(token) {
+    return this.#entries.get(token);
+  }
+}
+
+class JWKSHandler {
+  #entries = [];
+  add(config) {
+    if (!config.getString("options.url").match(/^\S+$/)) {
+      throw new Error(
+        "Illegal JWKS URL, must be a set of non-space characters"
       );
     }
-    const limitedUserToken = [
-      jose.base64url.encode(
-        JSON.stringify({
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-          alg: header.alg,
-          kid: header.kid
-        })
-      ),
-      jose.base64url.encode(
-        JSON.stringify({
-          sub: payload.sub,
-          ent: payload.ent,
-          iat: payload.iat,
-          exp: payload.exp
-        })
-      ),
-      payload.uip
-    ].join(".");
-    return { token: limitedUserToken, expiresAt: new Date(payload.exp * 1e3) };
+    const algorithms = readStringOrStringArrayFromConfig(
+      config,
+      "options.algorithm"
+    );
+    const issuers = readStringOrStringArrayFromConfig(config, "options.issuer");
+    const audiences = readStringOrStringArrayFromConfig(
+      config,
+      "options.audience"
+    );
+    const subjectPrefix = config.getOptionalString("options.subjectPrefix");
+    const url = new URL(config.getString("options.url"));
+    const jwks = jose.createRemoteJWKSet(url);
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    this.#entries.push({
+      algorithms,
+      audiences,
+      issuers,
+      jwks,
+      subjectPrefix,
+      url,
+      allAccessRestrictions
+    });
   }
-  isLimitedUserToken(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      return typ === pluginAuthNode.tokenTypes.limitedUser.typParam;
-    } catch {
-      return false;
+  async verifyToken(token) {
+    for (const entry of this.#entries) {
+      try {
+        const {
+          payload: { sub }
+        } = await jose.jwtVerify(token, entry.jwks, {
+          algorithms: entry.algorithms,
+          issuer: entry.issuers,
+          audience: entry.audiences
+        });
+        if (sub) {
+          const prefix = entry.subjectPrefix ? `external:${entry.subjectPrefix}:` : "external:";
+          return {
+            subject: `${prefix}${sub}`,
+            allAccessRestrictions: entry.allAccessRestrictions
+          };
+        }
+      } catch {
+        continue;
+      }
     }
+    return void 0;
   }
 }
 
-function readAccessRestrictionsFromConfig(externalAccessEntryConfig) {
-  const configs = externalAccessEntryConfig.getOptionalConfigArray("accessRestrictions") ?? [];
-  const result = /* @__PURE__ */ new Map();
-  for (const config of configs) {
-    const validKeys = ["plugin", "permission", "permissionAttribute"];
-    for (const key of config.keys()) {
-      if (!validKeys.includes(key)) {
-        const valid = validKeys.map((k) => `'${k}'`).join(", ");
+const NEW_CONFIG_KEY = "backend.auth.externalAccess";
+const OLD_CONFIG_KEY = "backend.auth.keys";
+let loggedDeprecationWarning = false;
+class ExternalTokenHandler {
+  constructor(ownPluginId, handlers) {
+    this.ownPluginId = ownPluginId;
+    this.handlers = handlers;
+  }
+  static create(options) {
+    const { ownPluginId, config, logger } = options;
+    const staticHandler = new StaticTokenHandler();
+    const legacyHandler = new LegacyTokenHandler();
+    const jwksHandler = new JWKSHandler();
+    const handlers = {
+      static: staticHandler,
+      legacy: legacyHandler,
+      jwks: jwksHandler
+    };
+    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
+    for (const handlerConfig of handlerConfigs) {
+      const type = handlerConfig.getString("type");
+      const handler = handlers[type];
+      if (!handler) {
+        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
         throw new Error(
-          `Invalid key '${key}' in 'accessRestrictions' config, expected one of ${valid}`
+          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
         );
       }
+      handler.add(handlerConfig);
     }
-    const pluginId = config.getString("plugin");
-    const permissionNames = readPermissionNames(config);
-    const permissionAttributes = readPermissionAttributes(config);
-    if (result.has(pluginId)) {
-      throw new Error(
-        `Attempted to declare 'accessRestrictions' twice for plugin '${pluginId}', which is not permitted`
+    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
+    if (legacyConfigs.length && !loggedDeprecationWarning) {
+      loggedDeprecationWarning = true;
+      logger.warn(
+        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
       );
     }
-    result.set(pluginId, {
-      ...permissionNames ? { permissionNames } : {},
-      ...permissionAttributes ? { permissionAttributes } : {}
-    });
+    for (const handlerConfig of legacyConfigs) {
+      legacyHandler.addOld(handlerConfig);
+    }
+    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
+  }
+  async verifyToken(token) {
+    for (const handler of this.handlers) {
+      const result = await handler.verifyToken(token);
+      if (result) {
+        const { allAccessRestrictions, ...rest } = result;
+        if (allAccessRestrictions) {
+          const accessRestrictions = allAccessRestrictions.get(
+            this.ownPluginId
+          );
+          if (!accessRestrictions) {
+            const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
+            throw new errors.NotAllowedError(
+              `This token's access is restricted to plugin(s) ${valid}`
+            );
+          }
+          return {
+            ...rest,
+            accessRestrictions
+          };
+        }
+        return rest;
+      }
+    }
+    return void 0;
   }
-  return result.size ? result : void 0;
 }
-function readStringOrStringArrayFromConfig(root, key, validValues) {
-  if (!root.has(key)) {
-    return void 0;
+
+const CLOCK_MARGIN_S = 10;
+class JwksClient {
+  constructor(getEndpoint) {
+    this.getEndpoint = getEndpoint;
   }
-  const rawValues = Array.isArray(root.get(key)) ? root.getStringArray(key) : [root.getString(key)];
-  const values = [
-    ...new Set(
-      rawValues.map((v) => v.split(/[ ,]/)).flat().filter(Boolean)
-    )
-  ];
-  if (!values.length) {
-    return void 0;
+  #keyStore;
+  #keyStoreUpdated = 0;
+  get getKey() {
+    if (!this.#keyStore) {
+      throw new errors.AuthenticationError(
+        "refreshKeyStore must be called before jwksClient.getKey"
+      );
+    }
+    return this.#keyStore;
   }
-  if (validValues?.length) {
-    for (const value of values) {
-      if (!validValues.includes(value)) {
-        const valid = validValues.map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Invalid value '${value}' at '${key}' in 'permissionAttributes' config, valid values are ${valid}`
-        );
+  /**
+   * If the last keystore refresh is stale, update the keystore URL to the latest
+   */
+  async refreshKeyStore(rawJwtToken) {
+    const payload = await jose.decodeJwt(rawJwtToken);
+    const header = await jose.decodeProtectedHeader(rawJwtToken);
+    let keyStoreHasKey;
+    try {
+      if (this.#keyStore) {
+        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
+        keyStoreHasKey = await this.#keyStore(header, {
+          payload: rawPayload,
+          signature: rawSignature
+        });
       }
+    } catch (error) {
+      keyStoreHasKey = false;
     }
-  }
-  return values;
-}
-function readPermissionNames(externalAccessEntryConfig) {
-  return readStringOrStringArrayFromConfig(
-    externalAccessEntryConfig,
-    "permission"
-  );
-}
-function readPermissionAttributes(externalAccessEntryConfig) {
-  const config = externalAccessEntryConfig.getOptionalConfig(
-    "permissionAttribute"
-  );
-  if (!config) {
-    return void 0;
-  }
-  const validKeys = ["action"];
-  for (const key of config.keys()) {
-    if (!validKeys.includes(key)) {
-      const valid = validKeys.map((k) => `'${k}'`).join(", ");
-      throw new Error(
-        `Invalid key '${key}' in 'permissionAttribute' config, expected ${valid}`
-      );
+    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.#keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!this.#keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
+      const endpoint = await this.getEndpoint();
+      this.#keyStore = jose.createRemoteJWKSet(endpoint);
+      this.#keyStoreUpdated = Date.now() / 1e3;
     }
   }
-  const action = readStringOrStringArrayFromConfig(config, "action", [
-    "create",
-    "read",
-    "update",
-    "delete"
-  ]);
-  const result = {
-    ...action ? { action } : {}
-  };
-  return Object.keys(result).length ? result : void 0;
 }
 
-class LegacyTokenHandler {
-  #entries = new Array();
-  add(config) {
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#doAdd(
-      config.getString("options.secret"),
-      config.getString("options.subject"),
-      allAccessRestrictions
-    );
+const SECONDS_IN_MS$2 = 1e3;
+const ALLOWED_PLUGIN_ID_PATTERN = /^[a-z0-9_-]+$/i;
+class PluginTokenHandler {
+  constructor(logger, ownPluginId, keySource, algorithm, keyDurationSeconds, discovery) {
+    this.logger = logger;
+    this.ownPluginId = ownPluginId;
+    this.keySource = keySource;
+    this.algorithm = algorithm;
+    this.keyDurationSeconds = keyDurationSeconds;
+    this.discovery = discovery;
   }
-  // used only for the old backend.auth.keys array
-  addOld(config) {
-    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
+  jwksMap = /* @__PURE__ */ new Map();
+  // Tracking state for isTargetPluginSupported
+  supportedTargetPlugins = /* @__PURE__ */ new Set();
+  targetPluginInflightChecks = /* @__PURE__ */ new Map();
+  static create(options) {
+    return new PluginTokenHandler(
+      options.logger,
+      options.ownPluginId,
+      options.keySource,
+      options.algorithm ?? "ES256",
+      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
+      options.discovery
+    );
   }
-  #doAdd(secret, subject, allAccessRestrictions) {
-    if (!secret.match(/^\S+$/)) {
-      throw new Error("Illegal secret, must be a valid base64 string");
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    }
-    let key;
+  async verifyToken(token) {
     try {
-      key = jose.base64url.decode(secret);
+      const { typ } = jose.decodeProtectedHeader(token);
+      if (typ !== pluginAuthNode.tokenTypes.plugin.typParam) {
+        return void 0;
+      }
     } catch {
-      throw new Error("Illegal secret, must be a valid base64 string");
+      return void 0;
     }
-    if (this.#entries.some((e) => e.key === key)) {
-      throw new Error(
-        "Legacy externalAccess token was declared more than once"
+    const pluginId = String(jose.decodeJwt(token).sub);
+    if (!pluginId) {
+      throw new errors.AuthenticationError("Invalid plugin token: missing subject");
+    }
+    if (!ALLOWED_PLUGIN_ID_PATTERN.test(pluginId)) {
+      throw new errors.AuthenticationError(
+        "Invalid plugin token: forbidden subject format"
       );
     }
-    this.#entries.push({
-      key,
-      result: {
-        subject,
-        allAccessRestrictions
+    const jwksClient = await this.getJwksClient(pluginId);
+    await jwksClient.refreshKeyStore(token);
+    const { payload } = await jose.jwtVerify(
+      token,
+      jwksClient.getKey,
+      {
+        typ: pluginAuthNode.tokenTypes.plugin.typParam,
+        audience: this.ownPluginId,
+        requiredClaims: ["iat", "exp", "sub", "aud"]
       }
+    ).catch((e) => {
+      throw new errors.AuthenticationError("Invalid plugin token", e);
     });
+    return { subject: `plugin:${payload.sub}`, limitedUserToken: payload.obo };
   }
-  async verifyToken(token) {
-    try {
-      const { alg } = jose.decodeProtectedHeader(token);
-      if (alg !== "HS256") {
-        return void 0;
-      }
-      const { sub, aud } = jose.decodeJwt(token);
-      if (sub !== "backstage-server" || aud) {
-        return void 0;
-      }
-    } catch (e) {
-      return void 0;
+  async issueToken(options) {
+    const { pluginId, targetPluginId, onBehalfOf } = options;
+    const key = await this.keySource.getPrivateSigningKey();
+    const sub = pluginId;
+    const aud = targetPluginId;
+    const iat = Math.floor(Date.now() / SECONDS_IN_MS$2);
+    const ourExp = iat + this.keyDurationSeconds;
+    const exp = onBehalfOf ? Math.min(
+      ourExp,
+      Math.floor(onBehalfOf.expiresAt.getTime() / SECONDS_IN_MS$2)
+    ) : ourExp;
+    const claims = { sub, aud, iat, exp, obo: onBehalfOf?.token };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({
+      typ: pluginAuthNode.tokenTypes.plugin.typParam,
+      alg: this.algorithm,
+      kid: key.kid
+    }).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return { token };
+  }
+  async isTargetPluginSupported(targetPluginId) {
+    if (this.supportedTargetPlugins.has(targetPluginId)) {
+      return true;
     }
-    for (const { key, result } of this.#entries) {
+    const inFlight = this.targetPluginInflightChecks.get(targetPluginId);
+    if (inFlight) {
+      return inFlight;
+    }
+    const doCheck = async () => {
       try {
-        await jose.jwtVerify(token, key);
-        return result;
-      } catch (e) {
-        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
-          throw e;
+        const res = await fetch(
+          `${await this.discovery.getBaseUrl(
+            targetPluginId
+          )}/.backstage/auth/v1/jwks.json`
+        );
+        if (res.status === 404) {
+          return false;
+        }
+        if (!res.ok) {
+          throw new Error(`Failed to fetch jwks.json, ${res.status}`);
+        }
+        const data = await res.json();
+        if (!data.keys) {
+          throw new Error(`Invalid jwks.json response, missing keys`);
         }
+        this.supportedTargetPlugins.add(targetPluginId);
+        return true;
+      } catch (error) {
+        this.logger.error("Unexpected failure for target JWKS check", error);
+        return false;
+      } finally {
+        this.targetPluginInflightChecks.delete(targetPluginId);
       }
-    }
-    return void 0;
+    };
+    const check = doCheck();
+    this.targetPluginInflightChecks.set(targetPluginId, check);
+    return check;
   }
-}
-
-const MIN_TOKEN_LENGTH = 8;
-class StaticTokenHandler {
-  #entries = /* @__PURE__ */ new Map();
-  add(config) {
-    const token = config.getString("options.token");
-    const subject = config.getString("options.subject");
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    if (!token.match(/^\S+$/)) {
-      throw new Error("Illegal token, must be a set of non-space characters");
-    } else if (token.length < MIN_TOKEN_LENGTH) {
-      throw new Error(
-        `Illegal token, must be at least ${MIN_TOKEN_LENGTH} characters length`
-      );
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    } else if (this.#entries.has(token)) {
-      throw new Error(
-        "Static externalAccess token was declared more than once"
+  async getJwksClient(pluginId) {
+    const client = this.jwksMap.get(pluginId);
+    if (client) {
+      return client;
+    }
+    if (!await this.isTargetPluginSupported(pluginId)) {
+      throw new errors.AuthenticationError(
+        `Received a plugin token where the source '${pluginId}' plugin unexpectedly does not have a JWKS endpoint`
       );
     }
-    this.#entries.set(token, { subject, allAccessRestrictions });
-  }
-  async verifyToken(token) {
-    return this.#entries.get(token);
+    const newClient = new JwksClient(async () => {
+      return new URL(
+        `${await this.discovery.getBaseUrl(
+          pluginId
+        )}/.backstage/auth/v1/jwks.json`
+      );
+    });
+    this.jwksMap.set(pluginId, newClient);
+    return newClient;
   }
 }
 
-class JWKSHandler {
-  #entries = [];
-  add(config) {
-    if (!config.getString("options.url").match(/^\S+$/)) {
-      throw new Error(
-        "Illegal JWKS URL, must be a set of non-space characters"
-      );
-    }
-    const algorithms = readStringOrStringArrayFromConfig(
-      config,
-      "options.algorithm"
-    );
-    const issuers = readStringOrStringArrayFromConfig(config, "options.issuer");
-    const audiences = readStringOrStringArrayFromConfig(
-      config,
-      "options.audience"
-    );
-    const subjectPrefix = config.getOptionalString("options.subjectPrefix");
-    const url = new URL(config.getString("options.url"));
-    const jwks = jose.createRemoteJWKSet(url);
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#entries.push({
-      algorithms,
-      audiences,
-      issuers,
-      jwks,
-      subjectPrefix,
-      url,
-      allAccessRestrictions
-    });
+const MIGRATIONS_TABLE = "backstage_backend_public_keys__knex_migrations";
+const TABLE = "backstage_backend_public_keys__keys";
+function applyDatabaseMigrations(knex) {
+  const migrationsDir = backendPluginApi.resolvePackagePath(
+    "@backstage/backend-defaults",
+    "migrations/auth"
+  );
+  return knex.migrate.latest({
+    directory: migrationsDir,
+    tableName: MIGRATIONS_TABLE
+  });
+}
+class DatabaseKeyStore {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
   }
-  async verifyToken(token) {
-    for (const entry of this.#entries) {
-      try {
-        const {
-          payload: { sub }
-        } = await jose.jwtVerify(token, entry.jwks, {
-          algorithms: entry.algorithms,
-          issuer: entry.issuers,
-          audience: entry.audiences
-        });
-        if (sub) {
-          const prefix = entry.subjectPrefix ? `external:${entry.subjectPrefix}:` : "external:";
-          return {
-            subject: `${prefix}${sub}`,
-            allAccessRestrictions: entry.allAccessRestrictions
-          };
-        }
-      } catch {
-        continue;
-      }
+  static async create(options) {
+    const { database, logger } = options;
+    const client = await database.getClient();
+    if (!database.migrations?.skip) {
+      await applyDatabaseMigrations(client);
     }
-    return void 0;
+    return new DatabaseKeyStore(client, logger);
   }
-}
-
-const NEW_CONFIG_KEY = "backend.auth.externalAccess";
-const OLD_CONFIG_KEY = "backend.auth.keys";
-let loggedDeprecationWarning = false;
-class ExternalTokenHandler {
-  constructor(ownPluginId, handlers) {
-    this.ownPluginId = ownPluginId;
-    this.handlers = handlers;
+  async addKey(options) {
+    await this.client(TABLE).insert({
+      id: options.key.kid,
+      key: JSON.stringify(options.key),
+      expires_at: options.expiresAt.toISOString()
+    });
   }
-  static create(options) {
-    const { ownPluginId, config, logger } = options;
-    const staticHandler = new StaticTokenHandler();
-    const legacyHandler = new LegacyTokenHandler();
-    const jwksHandler = new JWKSHandler();
-    const handlers = {
-      static: staticHandler,
-      legacy: legacyHandler,
-      jwks: jwksHandler
-    };
-    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
-    for (const handlerConfig of handlerConfigs) {
-      const type = handlerConfig.getString("type");
-      const handler = handlers[type];
-      if (!handler) {
-        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
-        );
+  async listKeys() {
+    const rows = await this.client(TABLE).select();
+    const keys = rows.map((row) => ({
+      id: row.id,
+      key: JSON.parse(row.key),
+      expiresAt: new Date(row.expires_at)
+    }));
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      if (luxon.DateTime.fromJSDate(key.expiresAt) < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
       }
-      handler.add(handlerConfig);
     }
-    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
-    if (legacyConfigs.length && !loggedDeprecationWarning) {
-      loggedDeprecationWarning = true;
-      logger.warn(
-        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(
+        `Removing expired plugin service keys, '${kids.join("', '")}'`
       );
+      this.client(TABLE).delete().whereIn("id", kids).catch((error) => {
+        this.logger.error(
+          "Failed to remove expired plugin service keys",
+          error
+        );
+      });
     }
-    for (const handlerConfig of legacyConfigs) {
-      legacyHandler.addOld(handlerConfig);
-    }
-    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
-  }
-  async verifyToken(token) {
-    for (const handler of this.handlers) {
-      const result = await handler.verifyToken(token);
-      if (result) {
-        const { allAccessRestrictions, ...rest } = result;
-        if (allAccessRestrictions) {
-          const accessRestrictions = allAccessRestrictions.get(
-            this.ownPluginId
-          );
-          if (!accessRestrictions) {
-            const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
-            throw new errors.NotAllowedError(
-              `This token's access is restricted to plugin(s) ${valid}`
-            );
-          }
-          return {
-            ...rest,
-            accessRestrictions
-          };
-        }
-        return rest;
-      }
-    }
-    return void 0;
+    return { keys: validKeys };
   }
 }
 
-const authServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.auth,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger,
-    discovery: backendPluginApi.coreServices.discovery,
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    database: backendPluginApi.coreServices.database,
-    // Re-using the token manager makes sure that we use the same generated keys for
-    // development as plugins that have not yet been migrated. It's important that this
-    // keeps working as long as there are plugins that have not been migrated to the
-    // new auth services in the new backend system.
-    tokenManager: backendPluginApi.coreServices.tokenManager
-  },
-  async factory({ config, discovery, plugin, tokenManager, logger, database }) {
-    const disableDefaultAuthPolicy = Boolean(
-      config.getOptionalBoolean(
-        "backend.auth.dangerouslyDisableDefaultAuthPolicy"
-      )
-    );
-    const publicKeyStore = await DatabaseKeyStore.create({
-      database,
-      logger
-    });
-    const userTokens = UserTokenHandler.create({
-      discovery
-    });
-    const pluginTokens = PluginTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      keyDuration: { hours: 1 },
-      logger,
-      publicKeyStore,
-      discovery
-    });
-    const externalTokens = ExternalTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      config,
-      logger
+const SECONDS_IN_MS$1 = 1e3;
+const KEY_EXPIRATION_MARGIN_FACTOR = 3;
+class DatabasePluginKeySource {
+  constructor(keyStore, logger, keyDurationSeconds, algorithm) {
+    this.keyStore = keyStore;
+    this.logger = logger;
+    this.keyDurationSeconds = keyDurationSeconds;
+    this.algorithm = algorithm;
+  }
+  privateKeyPromise;
+  keyExpiry;
+  static async create(options) {
+    const keyStore = await DatabaseKeyStore.create({
+      database: options.database,
+      logger: options.logger
     });
-    return new DefaultAuthService(
-      userTokens,
-      pluginTokens,
-      externalTokens,
-      tokenManager,
-      plugin.getId(),
-      disableDefaultAuthPolicy,
-      publicKeyStore
+    return new DatabasePluginKeySource(
+      keyStore,
+      options.logger,
+      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
+      options.algorithm ?? "ES256"
+    );
+  }
+  async getPrivateSigningKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && this.keyExpiry.getTime() > Date.now()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = new Date(
+      Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1
     );
+    const promise = (async () => {
+      const kid = uuid.v4();
+      const key = await jose.generateKeyPair(this.algorithm);
+      const publicKey = await jose.exportJWK(key.publicKey);
+      const privateKey = await jose.exportJWK(key.privateKey);
+      publicKey.kid = privateKey.kid = kid;
+      publicKey.alg = privateKey.alg = this.algorithm;
+      this.logger.info(`Created new signing key ${kid}`);
+      await this.keyStore.addKey({
+        id: kid,
+        key: publicKey,
+        expiresAt: new Date(
+          Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1 * KEY_EXPIRATION_MARGIN_FACTOR
+        )
+      });
+      return privateKey;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
   }
-});
-
-const cacheServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.cache,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  async createRootContext({ config, logger }) {
-    return backendCommon.CacheManager.fromConfig(config, { logger });
-  },
-  async factory({ plugin }, manager) {
-    return manager.forPlugin(plugin.getId()).getClient();
+  listKeys() {
+    return this.keyStore.listKeys();
   }
-});
+}
 
-const rootConfigServiceFactory = backendPluginApi.createServiceFactory(
-  (options) => ({
-    service: backendPluginApi.coreServices.rootConfig,
-    deps: {},
-    async factory() {
-      const source = configLoader.ConfigSources.default({
-        argv: options?.argv,
-        remote: options?.remote,
-        watch: options?.watch
-      });
-      console.log(`Loading config from ${source}`);
-      return await configLoader.ConfigSources.toConfig(source);
+const DEFAULT_ALGORITHM = "ES256";
+const SECONDS_IN_MS = 1e3;
+class StaticConfigPluginKeySource {
+  constructor(keyPairs, keyDurationSeconds) {
+    this.keyPairs = keyPairs;
+    this.keyDurationSeconds = keyDurationSeconds;
+  }
+  static async create(options) {
+    const keyConfigs = options.sourceConfig.getConfigArray("static.keys").map((c) => {
+      const staticKeyConfig = {
+        publicKeyFile: c.getString("publicKeyFile"),
+        privateKeyFile: c.getOptionalString("privateKeyFile"),
+        keyId: c.getString("keyId"),
+        algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
+      };
+      return staticKeyConfig;
+    });
+    const keyPairs = await Promise.all(
+      keyConfigs.map(async (k) => await this.loadKeyPair(k))
+    );
+    if (keyPairs.length < 1) {
+      throw new Error(
+        "At least one key pair must be provided in static.keys, when the static key store type is used"
+      );
+    } else if (!keyPairs[0].privateKey) {
+      throw new Error(
+        "Private key for signing must be provided in the first key pair in static.keys, when the static key store type is used"
+      );
     }
-  })
-);
-
-const databaseServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.database,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    lifecycle: backendPluginApi.coreServices.lifecycle,
-    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
-  },
-  async createRootContext({ config: config$1 }) {
-    return config$1.getOptional("backend.database") ? backendCommon.DatabaseManager.fromConfig(config$1) : backendCommon.DatabaseManager.fromConfig(
-      new config.ConfigReader({
-        backend: {
-          database: { client: "better-sqlite3", connection: ":memory:" }
-        }
-      })
+    return new StaticConfigPluginKeySource(
+      keyPairs,
+      types.durationToMilliseconds(options.keyDuration) / SECONDS_IN_MS
     );
-  },
-  async factory({ pluginMetadata, lifecycle }, databaseManager) {
-    return databaseManager.forPlugin(pluginMetadata.getId(), {
-      pluginMetadata,
-      lifecycle
+  }
+  async getPrivateSigningKey() {
+    return this.keyPairs[0].privateKey;
+  }
+  async listKeys() {
+    const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
+    return { keys };
+  }
+  static async loadKeyPair(options) {
+    const algorithm = options.algorithm;
+    const keyId = options.keyId;
+    const publicKey = await this.loadPublicKeyFromFile(
+      options.publicKeyFile,
+      keyId,
+      algorithm
+    );
+    const privateKey = options.privateKeyFile ? await this.loadPrivateKeyFromFile(
+      options.privateKeyFile,
+      keyId,
+      algorithm
+    ) : void 0;
+    return { publicKey, privateKey, keyId };
+  }
+  static async loadPublicKeyFromFile(path, keyId, algorithm) {
+    return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
+  }
+  static async loadPrivateKeyFromFile(path, keyId, algorithm) {
+    return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
+  }
+  static async loadKeyFromFile(path, keyId, algorithm, importer) {
+    const content = await fs$1.promises.readFile(path, { encoding: "utf8", flag: "r" });
+    const key = await importer(content, algorithm);
+    const jwk = await jose.exportJWK(key);
+    jwk.kid = keyId;
+    jwk.alg = algorithm;
+    return jwk;
+  }
+  keyPairToStoredKey(keyPair) {
+    const publicKey = {
+      ...keyPair.publicKey,
+      kid: keyPair.keyId
+    };
+    return {
+      key: publicKey,
+      id: keyPair.keyId,
+      expiresAt: new Date(Date.now() + this.keyDurationSeconds * SECONDS_IN_MS)
+    };
+  }
+}
+
+const CONFIG_ROOT_KEY = "backend.auth.pluginKeyStore";
+async function createPluginKeySource(options) {
+  const keyStoreConfig = options.config.getOptionalConfig(CONFIG_ROOT_KEY);
+  const type = keyStoreConfig?.getOptionalString("type") ?? "database";
+  if (!keyStoreConfig || type === "database") {
+    return DatabasePluginKeySource.create({
+      database: options.database,
+      logger: options.logger,
+      keyDuration: options.keyDuration,
+      algorithm: options.algorithm
+    });
+  } else if (type === "static") {
+    return StaticConfigPluginKeySource.create({
+      sourceConfig: keyStoreConfig,
+      keyDuration: options.keyDuration
     });
   }
-});
+  throw new Error(
+    `Unsupported config value ${CONFIG_ROOT_KEY}.type '${type}'; expected one of 'database', 'static'`
+  );
+}
 
-class HostDiscovery {
-  constructor(internalBaseUrl, externalBaseUrl, discoveryConfig) {
-    this.internalBaseUrl = internalBaseUrl;
-    this.externalBaseUrl = externalBaseUrl;
-    this.discoveryConfig = discoveryConfig;
+class UserTokenHandler {
+  constructor(jwksClient) {
+    this.jwksClient = jwksClient;
   }
-  /**
-   * Creates a new HostDiscovery discovery instance by reading
-   * from the `backend` config section, specifically the `.baseUrl` for
-   * discovering the external URL, and the `.listen` and `.https` config
-   * for the internal one.
-   *
-   * Can be overridden in config by providing a target and corresponding plugins in `discovery.endpoints`.
-   * eg.
-   * ```yaml
-   * discovery:
-   *  endpoints:
-   *    - target: https://internal.example.com/internal-catalog
-   *      plugins: [catalog]
-   *    - target: https://internal.example.com/secure/api/{{pluginId}}
-   *      plugins: [auth, permission]
-   *    - target:
-   *        internal: https://internal.example.com/search
-   *        external: https://example.com/search
-   *      plugins: [search]
-   * ```
-   *
-   * The basePath defaults to `/api`, meaning the default full internal
-   * path for the `catalog` plugin will be `http://localhost:7007/api/catalog`.
-   */
-  static fromConfig(config, options) {
-    const basePath = options?.basePath ?? "/api";
-    const externalBaseUrl = config.getString("backend.baseUrl").replace(/\/+$/, "");
-    const {
-      listen: { host: listenHost = "::", port: listenPort }
-    } = backendAppApi.readHttpServerOptions(config.getConfig("backend"));
-    const protocol = config.has("backend.https") ? "https" : "http";
-    let host = listenHost;
-    if (host === "::" || host === "") {
-      host = "localhost";
-    } else if (host === "0.0.0.0") {
-      host = "127.0.0.1";
+  static create(options) {
+    const jwksClient = new JwksClient(async () => {
+      const url = await options.discovery.getBaseUrl("auth");
+      return new URL(`${url}/.well-known/jwks.json`);
+    });
+    return new UserTokenHandler(jwksClient);
+  }
+  async verifyToken(token) {
+    const verifyOpts = this.#getTokenVerificationOptions(token);
+    if (!verifyOpts) {
+      return void 0;
     }
-    if (host.includes(":")) {
-      host = `[${host}]`;
+    await this.jwksClient.refreshKeyStore(token);
+    const { payload } = await jose.jwtVerify(
+      token,
+      this.jwksClient.getKey,
+      verifyOpts
+    ).catch((e) => {
+      throw new errors.AuthenticationError("Invalid token", e);
+    });
+    const userEntityRef = payload.sub;
+    if (!userEntityRef) {
+      throw new errors.AuthenticationError("No user sub found in token");
     }
-    const internalBaseUrl = `${protocol}://${host}:${listenPort}`;
-    return new HostDiscovery(
-      internalBaseUrl + basePath,
-      externalBaseUrl + basePath,
-      config.getOptionalConfig("discovery")
-    );
+    return { userEntityRef };
   }
-  getTargetFromConfig(pluginId, type) {
-    const endpoints = this.discoveryConfig?.getOptionalConfigArray("endpoints");
-    const target = endpoints?.find((endpoint) => endpoint.getStringArray("plugins").includes(pluginId))?.get("target");
-    if (!target) {
-      const baseUrl = type === "external" ? this.externalBaseUrl : this.internalBaseUrl;
-      return `${baseUrl}/${encodeURIComponent(pluginId)}`;
+  #getTokenVerificationOptions(token) {
+    try {
+      const { typ } = jose.decodeProtectedHeader(token);
+      if (typ === pluginAuthNode.tokenTypes.user.typParam) {
+        return {
+          requiredClaims: ["iat", "exp", "sub"],
+          typ: pluginAuthNode.tokenTypes.user.typParam
+        };
+      }
+      if (typ === pluginAuthNode.tokenTypes.limitedUser.typParam) {
+        return {
+          requiredClaims: ["iat", "exp", "sub"],
+          typ: pluginAuthNode.tokenTypes.limitedUser.typParam
+        };
+      }
+      const { aud } = jose.decodeJwt(token);
+      if (aud === pluginAuthNode.tokenTypes.user.audClaim) {
+        return {
+          audience: pluginAuthNode.tokenTypes.user.audClaim
+        };
+      }
+    } catch {
     }
-    if (typeof target === "string") {
-      return target.replace(
-        /\{\{\s*pluginId\s*\}\}/g,
-        encodeURIComponent(pluginId)
+    return void 0;
+  }
+  createLimitedUserToken(backstageToken) {
+    const [headerRaw, payloadRaw] = backstageToken.split(".");
+    const header = JSON.parse(
+      new TextDecoder().decode(jose.base64url.decode(headerRaw))
+    );
+    const payload = JSON.parse(
+      new TextDecoder().decode(jose.base64url.decode(payloadRaw))
+    );
+    const tokenType = header.typ;
+    if (!tokenType || tokenType === pluginAuthNode.tokenTypes.limitedUser.typParam) {
+      return { token: backstageToken, expiresAt: new Date(payload.exp * 1e3) };
+    }
+    if (tokenType !== pluginAuthNode.tokenTypes.user.typParam) {
+      throw new errors.AuthenticationError(
+        "Failed to create limited user token, invalid token type"
       );
     }
-    return target[type].replace(
-      /\{\{\s*pluginId\s*\}\}/g,
-      encodeURIComponent(pluginId)
-    );
-  }
-  async getBaseUrl(pluginId) {
-    return this.getTargetFromConfig(pluginId, "internal");
+    const limitedUserToken = [
+      jose.base64url.encode(
+        JSON.stringify({
+          typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+          alg: header.alg,
+          kid: header.kid
+        })
+      ),
+      jose.base64url.encode(
+        JSON.stringify({
+          sub: payload.sub,
+          iat: payload.iat,
+          exp: payload.exp
+        })
+      ),
+      payload.uip
+    ].join(".");
+    return { token: limitedUserToken, expiresAt: new Date(payload.exp * 1e3) };
   }
-  async getExternalBaseUrl(pluginId) {
-    return this.getTargetFromConfig(pluginId, "external");
+  isLimitedUserToken(token) {
+    try {
+      const { typ } = jose.decodeProtectedHeader(token);
+      return typ === pluginAuthNode.tokenTypes.limitedUser.typParam;
+    } catch {
+      return false;
+    }
   }
 }
 
-const discoveryServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.discovery,
+const authServiceFactory$1 = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.auth,
   deps: {
-    config: backendPluginApi.coreServices.rootConfig
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.rootLogger,
+    discovery: backendPluginApi.coreServices.discovery,
+    plugin: backendPluginApi.coreServices.pluginMetadata,
+    database: backendPluginApi.coreServices.database,
+    // Re-using the token manager makes sure that we use the same generated keys for
+    // development as plugins that have not yet been migrated. It's important that this
+    // keeps working as long as there are plugins that have not been migrated to the
+    // new auth services in the new backend system.
+    tokenManager: backendPluginApi.coreServices.tokenManager
   },
-  async factory({ config }) {
-    return HostDiscovery.fromConfig(config);
+  async factory({ config, discovery, plugin, tokenManager, logger, database }) {
+    const disableDefaultAuthPolicy = config.getOptionalBoolean(
+      "backend.auth.dangerouslyDisableDefaultAuthPolicy"
+    ) ?? false;
+    const keyDuration = { hours: 1 };
+    const keySource = await createPluginKeySource({
+      config,
+      database,
+      logger,
+      keyDuration
+    });
+    const userTokens = UserTokenHandler.create({
+      discovery
+    });
+    const pluginTokens = PluginTokenHandler.create({
+      ownPluginId: plugin.getId(),
+      logger,
+      keySource,
+      keyDuration,
+      discovery
+    });
+    const externalTokens = ExternalTokenHandler.create({
+      ownPluginId: plugin.getId(),
+      config,
+      logger
+    });
+    return new DefaultAuthService(
+      userTokens,
+      pluginTokens,
+      externalTokens,
+      tokenManager,
+      plugin.getId(),
+      disableDefaultAuthPolicy,
+      keySource
+    );
   }
 });
 
+const authServiceFactory = authServiceFactory$1;
+
 const FIVE_MINUTES_MS = 5 * 60 * 1e3;
 const BACKSTAGE_AUTH_COOKIE = "backstage-auth";
 function getTokenFromRequest(req) {
@@ -2874,7 +3316,7 @@ class DefaultHttpAuthService {
     }
   }
 }
-const httpAuthServiceFactory = backendPluginApi.createServiceFactory({
+const httpAuthServiceFactory$1 = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.httpAuth,
   deps: {
     auth: backendPluginApi.coreServices.auth,
@@ -2886,8 +3328,10 @@ const httpAuthServiceFactory = backendPluginApi.createServiceFactory({
   }
 });
 
+const httpAuthServiceFactory = httpAuthServiceFactory$1;
+
 const DEFAULT_TIMEOUT = { seconds: 5 };
-function createLifecycleMiddleware(options) {
+function createLifecycleMiddleware$1(options) {
   const { lifecycle, startupRequestPauseTimeout = DEFAULT_TIMEOUT } = options;
   let state = "init";
   const waiting = /* @__PURE__ */ new Set();
@@ -3011,7 +3455,7 @@ function createCookieAuthRefreshMiddleware(options) {
   return router;
 }
 
-const httpRouterServiceFactory = backendPluginApi.createServiceFactory(
+const httpRouterServiceFactory$1 = backendPluginApi.createServiceFactory(
   (options) => ({
     service: backendPluginApi.coreServices.httpRouter,
     initialization: "always",
@@ -3047,7 +3491,7 @@ const httpRouterServiceFactory = backendPluginApi.createServiceFactory(
         config
       });
       router.use(createAuthIntegrationRouter({ auth }));
-      router.use(createLifecycleMiddleware({ lifecycle }));
+      router.use(createLifecycleMiddleware$1({ lifecycle }));
       router.use(credentialsBarrier.middleware);
       router.use(createCookieAuthRefreshMiddleware({ auth, httpAuth }));
       return {
@@ -3062,76 +3506,11 @@ const httpRouterServiceFactory = backendPluginApi.createServiceFactory(
   })
 );
 
-const identityServiceFactory = backendPluginApi.createServiceFactory(
-  (options) => ({
-    service: backendPluginApi.coreServices.identity,
-    deps: {
-      discovery: backendPluginApi.coreServices.discovery
-    },
-    async factory({ discovery }) {
-      return pluginAuthNode.DefaultIdentityClient.create({ discovery, ...options });
-    }
-  })
-);
+const httpRouterServiceFactory = httpRouterServiceFactory$1;
 
-class BackendPluginLifecycleImpl {
-  constructor(logger, rootLifecycle, pluginMetadata) {
-    this.logger = logger;
-    this.rootLifecycle = rootLifecycle;
-    this.pluginMetadata = pluginMetadata;
-  }
-  #hasStarted = false;
-  #startupTasks = [];
-  addStartupHook(hook, options) {
-    if (this.#hasStarted) {
-      throw new Error("Attempted to add startup hook after startup");
-    }
-    this.#startupTasks.push({ hook, options });
-  }
-  async startup() {
-    if (this.#hasStarted) {
-      return;
-    }
-    this.#hasStarted = true;
-    this.logger.debug(
-      `Running ${this.#startupTasks.length} plugin startup tasks...`
-    );
-    await Promise.all(
-      this.#startupTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Plugin startup hook succeeded`);
-        } catch (error) {
-          logger.error(`Plugin startup hook failed, ${error}`);
-        }
-      })
-    );
-  }
-  addShutdownHook(hook, options) {
-    const plugin = this.pluginMetadata.getId();
-    this.rootLifecycle.addShutdownHook(hook, {
-      logger: options?.logger?.child({ plugin }) ?? this.logger
-    });
-  }
-}
-const lifecycleServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.lifecycle,
-  deps: {
-    logger: backendPluginApi.coreServices.logger,
-    rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
-    pluginMetadata: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ rootLifecycle, logger, pluginMetadata }) {
-    return new BackendPluginLifecycleImpl(
-      logger,
-      rootLifecycle,
-      pluginMetadata
-    );
-  }
-});
+const createLifecycleMiddleware = createLifecycleMiddleware$1;
 
-const loggerServiceFactory = backendPluginApi.createServiceFactory({
+const loggerServiceFactory$1 = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.logger,
   deps: {
     rootLogger: backendPluginApi.coreServices.rootLogger,
@@ -3142,27 +3521,12 @@ const loggerServiceFactory = backendPluginApi.createServiceFactory({
   }
 });
 
-const permissionsServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.permissions,
-  deps: {
-    auth: backendPluginApi.coreServices.auth,
-    config: backendPluginApi.coreServices.rootConfig,
-    discovery: backendPluginApi.coreServices.discovery,
-    tokenManager: backendPluginApi.coreServices.tokenManager
-  },
-  async factory({ auth, config, discovery, tokenManager }) {
-    return pluginPermissionNode.ServerPermissionClient.fromConfig(config, {
-      auth,
-      discovery,
-      tokenManager
-    });
-  }
-});
+const loggerServiceFactory = loggerServiceFactory$1;
 
 function normalizePath(path) {
   return `${trimEnd__default.default(path, "/")}/`;
 }
-class DefaultRootHttpRouter {
+let DefaultRootHttpRouter$1 = class DefaultRootHttpRouter {
   #indexPath;
   #router = express.Router();
   #namedRoutes = express.Router();
@@ -3223,12 +3587,12 @@ class DefaultRootHttpRouter {
     }
     return void 0;
   }
-}
+};
 
 function defaultConfigure({ applyDefaults }) {
   applyDefaults();
 }
-const rootHttpRouterServiceFactory = backendPluginApi.createServiceFactory(
+const rootHttpRouterServiceFactory$1 = backendPluginApi.createServiceFactory(
   (options) => ({
     service: backendPluginApi.coreServices.rootHttpRouter,
     deps: {
@@ -3240,12 +3604,12 @@ const rootHttpRouterServiceFactory = backendPluginApi.createServiceFactory(
       const { indexPath, configure = defaultConfigure } = options ?? {};
       const logger = rootLogger.child({ service: "rootHttpRouter" });
       const app = express__default.default();
-      const router = DefaultRootHttpRouter.create({ indexPath });
-      const middleware = MiddlewareFactory.create({ config, logger });
+      const router = DefaultRootHttpRouter$1.create({ indexPath });
+      const middleware = MiddlewareFactory$1.create({ config, logger });
       const routes = router.handler();
-      const server = await createHttpServer(
+      const server = await createHttpServer$1(
         app,
-        readHttpServerOptions(config.getOptionalConfig("backend")),
+        readHttpServerOptions$1(config.getOptionalConfig("backend")),
         { logger }
       );
       configure({
@@ -3273,128 +3637,46 @@ const rootHttpRouterServiceFactory = backendPluginApi.createServiceFactory(
   })
 );
 
-class BackendLifecycleImpl {
-  constructor(logger) {
-    this.logger = logger;
-  }
-  #hasStarted = false;
-  #startupTasks = [];
-  addStartupHook(hook, options) {
-    if (this.#hasStarted) {
-      throw new Error("Attempted to add startup hook after startup");
-    }
-    this.#startupTasks.push({ hook, options });
+const rootHttpRouterServiceFactory = rootHttpRouterServiceFactory$1;
+
+class DefaultRootHttpRouter {
+  constructor(impl) {
+    this.impl = impl;
   }
-  async startup() {
-    if (this.#hasStarted) {
-      return;
-    }
-    this.#hasStarted = true;
-    this.logger.debug(`Running ${this.#startupTasks.length} startup tasks...`);
-    await Promise.all(
-      this.#startupTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Startup hook succeeded`);
-        } catch (error) {
-          logger.error(`Startup hook failed, ${error}`);
-        }
-      })
-    );
+  static create(options) {
+    return new DefaultRootHttpRouter(DefaultRootHttpRouter$1.create(options));
   }
-  #hasShutdown = false;
-  #shutdownTasks = [];
-  addShutdownHook(hook, options) {
-    if (this.#hasShutdown) {
-      throw new Error("Attempted to add shutdown hook after shutdown");
-    }
-    this.#shutdownTasks.push({ hook, options });
+  use(path, handler) {
+    this.impl.use(path, handler);
   }
-  async shutdown() {
-    if (this.#hasShutdown) {
-      return;
-    }
-    this.#hasShutdown = true;
-    this.logger.debug(
-      `Running ${this.#shutdownTasks.length} shutdown tasks...`
-    );
-    await Promise.all(
-      this.#shutdownTasks.map(async ({ hook, options }) => {
-        const logger = options?.logger ?? this.logger;
-        try {
-          await hook();
-          logger.debug(`Shutdown hook succeeded`);
-        } catch (error) {
-          logger.error(`Shutdown hook failed, ${error}`);
-        }
-      })
-    );
+  handler() {
+    return this.impl.handler();
   }
 }
-const rootLifecycleServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootLifecycle,
-  deps: {
-    logger: backendPluginApi.coreServices.rootLogger
-  },
-  async factory({ logger }) {
-    return new BackendLifecycleImpl(logger);
-  }
-});
-
-const rootLoggerServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.rootLogger,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig
-  },
-  async factory({ config }) {
-    const logger = WinstonLogger.create({
-      meta: {
-        service: "backstage"
-      },
-      level: process.env.LOG_LEVEL || "info",
-      format: process.env.NODE_ENV === "production" ? winston.format.json() : WinstonLogger.colorFormat(),
-      transports: [new winston.transports.Console()]
-    });
-    const secretEnumerator = await createConfigSecretEnumerator({ logger });
-    logger.addRedactions(secretEnumerator(config));
-    config.subscribe?.(() => logger.addRedactions(secretEnumerator(config)));
-    return logger;
-  }
-});
 
-const tokenManagerServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.tokenManager,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger
-  },
-  createRootContext({ config, logger }) {
-    return backendCommon.ServerTokenManager.fromConfig(config, {
-      logger,
-      allowDisabledTokenManager: true
-    });
-  },
-  async factory(_deps, tokenManager) {
-    return tokenManager;
-  }
-});
+const rootLoggerServiceFactory = rootLoggerServiceFactory$1;
 
-const urlReaderServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.urlReader,
+const schedulerServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.scheduler,
   deps: {
-    config: backendPluginApi.coreServices.rootConfig,
+    plugin: backendPluginApi.coreServices.pluginMetadata,
+    databaseManager: backendPluginApi.coreServices.database,
     logger: backendPluginApi.coreServices.logger
   },
-  async factory({ config, logger }) {
-    return backendCommon.UrlReaders.default({
-      config,
+  async factory({ plugin, databaseManager, logger }) {
+    return backendTasks.TaskScheduler.forPlugin({
+      pluginId: plugin.getId(),
+      databaseManager,
       logger
     });
   }
 });
 
 class DefaultUserInfoService {
+  discovery;
+  constructor(options) {
+    this.discovery = options.discovery;
+  }
   async getUserInfo(credentials) {
     const internalCredentials = toInternalBackstageCredentials(credentials);
     if (internalCredentials.principal.type !== "user") {
@@ -3403,42 +3685,51 @@ class DefaultUserInfoService {
     if (!internalCredentials.token) {
       throw new Error("User credentials is unexpectedly missing token");
     }
-    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = jose.decodeJwt(
+    const { sub: userEntityRef, ent: tokenEnt } = jose.decodeJwt(
       internalCredentials.token
     );
     if (typeof userEntityRef !== "string") {
       throw new Error("User entity ref must be a string");
     }
-    if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
+    let ownershipEntityRefs = tokenEnt;
+    if (!ownershipEntityRefs) {
+      const userInfoResp = await fetch__default.default(
+        `${await this.discovery.getBaseUrl("auth")}/v1/userinfo`,
+        {
+          headers: {
+            Authorization: `Bearer ${internalCredentials.token}`
+          }
+        }
+      );
+      if (!userInfoResp.ok) {
+        throw await errors.ResponseError.fromResponse(userInfoResp);
+      }
+      const {
+        claims: { ent }
+      } = await userInfoResp.json();
+      ownershipEntityRefs = ent;
+    }
+    if (!ownershipEntityRefs) {
+      throw new Error("Ownership entity refs can not be determined");
+    } else if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
       throw new Error("Ownership entity refs must be an array of strings");
     }
     return { userEntityRef, ownershipEntityRefs };
   }
 }
-const userInfoServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.userInfo,
-  deps: {},
-  async factory() {
-    return new DefaultUserInfoService();
-  }
-});
 
-const schedulerServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.scheduler,
+const userInfoServiceFactory$1 = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.userInfo,
   deps: {
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    databaseManager: backendPluginApi.coreServices.database,
-    logger: backendPluginApi.coreServices.logger
+    discovery: backendPluginApi.coreServices.discovery
   },
-  async factory({ plugin, databaseManager, logger }) {
-    return backendTasks.TaskScheduler.forPlugin({
-      pluginId: plugin.getId(),
-      databaseManager,
-      logger
-    });
+  async factory({ discovery }) {
+    return new DefaultUserInfoService({ discovery });
   }
 });
 
+const userInfoServiceFactory = userInfoServiceFactory$1;
+
 exports.DefaultRootHttpRouter = DefaultRootHttpRouter;
 exports.HostDiscovery = HostDiscovery;
 exports.MiddlewareFactory = MiddlewareFactory;