@backstage/plugin-auth-backend 0.0.0-nightly-20220208022044 → 0.0.0-nightly-20220212022325

package/dist/index.cjs.js

@@ -20,17 +20,18 @@ var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
-var uuid = require('uuid');
-var luxon = require('luxon');
-var backendCommon = require('@backstage/backend-common');
-var firestore = require('@google-cloud/firestore');
-var lodash = require('lodash');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
 var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
+var uuid = require('uuid');
+var luxon = require('luxon');
+var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -735,7 +736,6 @@ const createAtlassianProvider = (options) => {
       tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
       providerId,
       tokenIssuer,
       callbackUrl
@@ -1935,461 +1935,121 @@ const createOAuth2Provider = (options) => {
   });
 };
 
-function createOidcRouter(options) {
-  const { baseUrl, tokenIssuer } = options;
-  const router = Router__default["default"]();
-  const config = {
-    issuer: baseUrl,
-    token_endpoint: `${baseUrl}/v1/token`,
-    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
-    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-    response_types_supported: ["id_token"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
-    scopes_supported: ["openid"],
-    token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
-    grant_types_supported: []
-  };
-  router.get("/.well-known/openid-configuration", (_req, res) => {
-    res.json(config);
-  });
-  router.get("/.well-known/jwks.json", async (_req, res) => {
-    const { keys } = await tokenIssuer.listPublicKeys();
-    res.json({ keys });
-  });
-  router.get("/v1/token", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  return router;
-}
-
-const CLOCK_MARGIN_S = 10;
-class IdentityClient {
+const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+class Oauth2ProxyAuthProvider {
   constructor(options) {
-    this.discovery = options.discovery;
-    this.issuer = options.issuer;
-    this.keyStore = new jose.JWKS.KeyStore();
-    this.keyStoreUpdated = 0;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
   }
-  async authenticate(token) {
-    var _a;
-    if (!token) {
-      throw new errors.AuthenticationError("No token specified");
-    }
-    const key = await this.getKey(token);
-    if (!key) {
-      throw new errors.AuthenticationError("No signing key matching token found");
-    }
-    const decoded = jose.JWT.IdToken.verify(token, key, {
-      algorithms: ["ES256"],
-      audience: "backstage",
-      issuer: this.issuer
-    });
-    if (!decoded.sub) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    const user = {
-      id: decoded.sub,
-      token,
-      identity: {
-        type: "user",
-        userEntityRef: decoded.sub,
-        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
-      }
-    };
-    return user;
+  frameHandler() {
+    return Promise.resolve(void 0);
   }
-  static getBearerToken(authorizationHeader) {
-    if (typeof authorizationHeader !== "string") {
-      return void 0;
+  async refresh(req, res) {
+    try {
+      const result = this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
+      res.status(401);
+      res.end();
     }
-    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
-    return matches == null ? void 0 : matches[1];
   }
-  async getKey(rawJwtToken) {
-    const { header, payload } = jose.JWT.decode(rawJwtToken, {
-      complete: true
-    });
-    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
-    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!keyStoreHasKey && issuedAfterLastRefresh) {
-      await this.refreshKeyStore();
-    }
-    return this.keyStore.get({ kid: header.kid });
+  start() {
+    return Promise.resolve(void 0);
   }
-  async listPublicKeys() {
-    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default["default"](url);
-    if (!response.ok) {
-      const payload = await response.text();
-      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
-      throw new Error(message);
-    }
-    const publicKeys = await response.json();
-    return publicKeys;
+  async handleResult(result) {
+    const ctx = {
+      logger: this.logger,
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient
+    };
+    const { profile } = await this.authHandler(result, ctx);
+    const backstageSignInResult = await this.signInResolver({
+      result,
+      profile
+    }, ctx);
+    return {
+      providerInfo: {
+        accessToken: result.accessToken
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
+      profile
+    };
   }
-  async refreshKeyStore() {
-    const now = Date.now() / 1e3;
-    const publicKeys = await this.listPublicKeys();
-    this.keyStore = jose.JWKS.asKeyStore({
-      keys: publicKeys.keys.map((key) => key)
-    });
-    this.keyStoreUpdated = now;
+  getResult(req) {
+    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+    const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+    }
+    const decodedJWT = jose.JWT.decode(jwt);
+    return {
+      fullProfile: decodedJWT,
+      accessToken: jwt
+    };
   }
 }
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
+  const signInResolver = options.signIn.resolver;
+  const authHandler = options.authHandler;
+  const catalogIdentityClient = new CatalogIdentityClient({
+    catalogApi,
+    tokenManager
+  });
+  return new Oauth2ProxyAuthProvider({
+    logger,
+    signInResolver,
+    authHandler,
+    tokenIssuer,
+    catalogIdentityClient
+  });
+};
 
-const MS_IN_S = 1e3;
-class TokenFactory {
+class OidcAuthProvider {
   constructor(options) {
-    this.issuer = options.issuer;
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyStore = options.keyStore;
-    this.keyDurationSeconds = options.keyDurationSeconds;
-  }
-  async issueToken(params) {
-    const key = await this.getKey();
-    const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
-    });
-  }
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
-        seconds: 3 * this.keyDurationSeconds
-      });
-      if (expireAt < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
-      this.keyStore.removeKeys(kids).catch((error) => {
-        this.logger.error(`Failed to remove expired keys, ${error}`);
-      });
-    }
-    return { keys: validKeys.map(({ key }) => key) };
   }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
-        return this.privateKeyPromise;
-      }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = luxon.DateTime.utc().plus({
-      seconds: this.keyDurationSeconds
-    }).toJSDate();
-    const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
-      });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
+  async start(req) {
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
     }
-    return promise;
-  }
-}
-
-const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
-const TABLE = "signing_keys";
-const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
-  if (!parsedDate.isValid) {
-    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
-  }
-  return parsedDate.toJSDate();
-};
-class DatabaseKeyStore {
-  static async create(options) {
-    const { database } = options;
-    await database.migrate.latest({
-      directory: migrationsDir
-    });
-    return new DatabaseKeyStore(options);
-  }
-  constructor(options) {
-    this.database = options.database;
+    return await executeRedirectStrategy(req, strategy, options);
   }
-  async addKey(key) {
-    await this.database(TABLE).insert({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    });
+  async handler(req) {
+    const { strategy } = await this.implementation;
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
   }
-  async listKeys() {
-    const rows = await this.database(TABLE).select();
+  async refresh(req) {
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
     return {
-      items: rows.map((row) => ({
-        key: JSON.parse(row.key),
-        createdAt: parseDate(row.created_at)
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    await this.database(TABLE).delete().whereIn("kid", kids);
-  }
-}
-
-class MemoryKeyStore {
-  constructor() {
-    this.keys = /* @__PURE__ */ new Map();
-  }
-  async addKey(key) {
-    this.keys.set(key.kid, {
-      createdAt: luxon.DateTime.utc().toJSDate(),
-      key: JSON.stringify(key)
-    });
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      this.keys.delete(kid);
-    }
-  }
-  async listKeys() {
-    return {
-      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
-        createdAt,
-        key: JSON.parse(keyStr)
-      }))
-    };
-  }
-}
-
-const DEFAULT_TIMEOUT_MS = 1e4;
-const DEFAULT_DOCUMENT_PATH = "sessions";
-class FirestoreKeyStore {
-  constructor(database, path, timeout) {
-    this.database = database;
-    this.path = path;
-    this.timeout = timeout;
-  }
-  static async create(settings) {
-    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
-    const database = new firestore.Firestore(firestoreSettings);
-    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
-  }
-  static async verifyConnection(keyStore, logger) {
-    try {
-      await keyStore.verify();
-    } catch (error) {
-      if (process.env.NODE_ENV !== "development") {
-        throw new Error(`Failed to connect to database: ${error.message}`);
-      }
-      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
-    }
-  }
-  async addKey(key) {
-    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    }));
-  }
-  async listKeys() {
-    const keys = await this.withTimeout(this.database.collection(this.path).get());
-    return {
-      items: keys.docs.map((key) => ({
-        key: key.data(),
-        createdAt: key.createTime.toDate()
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
-    }
-  }
-  async withTimeout(operation) {
-    const timer = new Promise((_, reject) => setTimeout(() => {
-      reject(new Error(`Operation timed out after ${this.timeout}ms`));
-    }, this.timeout));
-    return Promise.race([operation, timer]);
-  }
-  async verify() {
-    await this.withTimeout(this.database.collection(this.path).limit(1).get());
-  }
-}
-
-class KeyStores {
-  static async fromConfig(config, options) {
-    var _a;
-    const { logger, database } = options != null ? options : {};
-    const ks = config.getOptionalConfig("auth.keyStore");
-    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
-    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
-    if (provider === "database") {
-      if (!database) {
-        throw new Error("This KeyStore provider requires a database");
-      }
-      return await DatabaseKeyStore.create({
-        database: await database.getClient()
-      });
-    }
-    if (provider === "memory") {
-      return new MemoryKeyStore();
-    }
-    if (provider === "firestore") {
-      const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
-        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
-        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
-        host: settings == null ? void 0 : settings.getOptionalString("host"),
-        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
-        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
-        path: settings == null ? void 0 : settings.getOptionalString("path"),
-        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      }, (value) => value !== void 0));
-      await FirestoreKeyStore.verifyConnection(keyStore, logger);
-      return keyStore;
-    }
-    throw new Error(`Unknown KeyStore provider: ${provider}`);
-  }
-}
-
-const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
-class Oauth2ProxyAuthProvider {
-  constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
-      res.status(401);
-      res.end();
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async handleResult(result) {
-    const ctx = {
-      logger: this.logger,
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient
-    };
-    const { profile } = await this.authHandler(result, ctx);
-    const backstageSignInResult = await this.signInResolver({
-      result,
-      profile
-    }, ctx);
-    return {
-      providerInfo: {
-        accessToken: result.accessToken
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
-      profile
-    };
-  }
-  getResult(req) {
-    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-    const jwt = IdentityClient.getBearerToken(authHeader);
-    if (!jwt) {
-      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
-    }
-    const decodedJWT = jose.JWT.decode(jwt);
-    return {
-      fullProfile: decodedJWT,
-      accessToken: jwt
-    };
-  }
-}
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
-  const signInResolver = options.signIn.resolver;
-  const authHandler = options.authHandler;
-  const catalogIdentityClient = new CatalogIdentityClient({
-    catalogApi,
-    tokenManager
-  });
-  return new Oauth2ProxyAuthProvider({
-    logger,
-    signInResolver,
-    authHandler,
-    tokenIssuer,
-    catalogIdentityClient
-  });
-};
-
-class OidcAuthProvider {
-  constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-  }
-  async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
-  }
-  async handler(req) {
-    const { strategy } = await this.implementation;
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { client } = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const userinfo = await client.userinfo(tokenset.access_token);
-    return {
-      response: await this.handleResult({ tokenset, userinfo }),
-      refreshToken: tokenset.refresh_token
+      response: await this.handleResult({ tokenset, userinfo }),
+      refreshToken: tokenset.refresh_token
     };
   }
   async setupStrategy(options) {
@@ -3023,6 +2683,271 @@ const factories = {
   atlassian: createAtlassianProvider()
 };
 
+function createOidcRouter(options) {
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
+  const config = {
+    issuer: baseUrl,
+    token_endpoint: `${baseUrl}/v1/token`,
+    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
+    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+    response_types_supported: ["id_token"],
+    subject_types_supported: ["public"],
+    id_token_signing_alg_values_supported: ["RS256"],
+    scopes_supported: ["openid"],
+    token_endpoint_auth_methods_supported: [],
+    claims_supported: ["sub"],
+    grant_types_supported: []
+  };
+  router.get("/.well-known/openid-configuration", (_req, res) => {
+    res.json(config);
+  });
+  router.get("/.well-known/jwks.json", async (_req, res) => {
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
+  });
+  router.get("/v1/token", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  router.get("/v1/userinfo", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  return router;
+}
+
+const MS_IN_S = 1e3;
+class TokenFactory {
+  constructor(options) {
+    this.issuer = options.issuer;
+    this.logger = options.logger;
+    this.keyStore = options.keyStore;
+    this.keyDurationSeconds = options.keyDurationSeconds;
+  }
+  async issueToken(params) {
+    const key = await this.getKey();
+    const iss = this.issuer;
+    const sub = params.claims.sub;
+    const ent = params.claims.ent;
+    const aud = "backstage";
+    const iat = Math.floor(Date.now() / MS_IN_S);
+    const exp = iat + this.keyDurationSeconds;
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
+      alg: key.alg,
+      kid: key.kid
+    });
+  }
+  async listPublicKeys() {
+    const { items: keys } = await this.keyStore.listKeys();
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
+        seconds: 3 * this.keyDurationSeconds
+      });
+      if (expireAt < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
+    }
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
+      this.keyStore.removeKeys(kids).catch((error) => {
+        this.logger.error(`Failed to remove expired keys, ${error}`);
+      });
+    }
+    return { keys: validKeys.map(({ key }) => key) };
+  }
+  async getKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = luxon.DateTime.utc().plus({
+      seconds: this.keyDurationSeconds
+    }).toJSDate();
+    const promise = (async () => {
+      const key = await jose.JWK.generate("EC", "P-256", {
+        use: "sig",
+        kid: uuid.v4(),
+        alg: "ES256"
+      });
+      this.logger.info(`Created new signing key ${key.kid}`);
+      await this.keyStore.addKey(key.toJWK(false));
+      return key;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
+  }
+}
+
+const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
+const TABLE = "signing_keys";
+const parseDate = (date) => {
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
+  if (!parsedDate.isValid) {
+    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+  }
+  return parsedDate.toJSDate();
+};
+class DatabaseKeyStore {
+  static async create(options) {
+    const { database } = options;
+    await database.migrate.latest({
+      directory: migrationsDir
+    });
+    return new DatabaseKeyStore(options);
+  }
+  constructor(options) {
+    this.database = options.database;
+  }
+  async addKey(key) {
+    await this.database(TABLE).insert({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    });
+  }
+  async listKeys() {
+    const rows = await this.database(TABLE).select();
+    return {
+      items: rows.map((row) => ({
+        key: JSON.parse(row.key),
+        createdAt: parseDate(row.created_at)
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    await this.database(TABLE).delete().whereIn("kid", kids);
+  }
+}
+
+class MemoryKeyStore {
+  constructor() {
+    this.keys = /* @__PURE__ */ new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
+
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const { logger, database } = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
+
 async function createRouter(options) {
   const {
     logger,
@@ -3138,7 +3063,6 @@ function createOriginFilter(config) {
 }
 
 exports.CatalogIdentityClient = CatalogIdentityClient;
-exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;