npm - @backstage/plugin-auth-backend - Versions diffs - 0.10.1 → 0.12.0 - Mend

@backstage/plugin-auth-backend 0.10.1 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,908 @@
+/// <reference types="node" />
+import express from 'express';
+import { Logger } from 'winston';
+import { Config } from '@backstage/config';
+import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
+import { CatalogApi } from '@backstage/catalog-client';
+import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
+import { Profile } from 'passport';
+import { UserEntity } from '@backstage/catalog-model';
+import { TokenSet, UserinfoResponse } from 'openid-client';
+import { JsonValue } from '@backstage/types';
+/** Represents any form of serializable JWK */
+interface AnyJWK extends Record<string, string> {
+    use: 'sig';
+    alg: string;
+    kid: string;
+    kty: string;
+}
+/** Parameters used to issue new ID Tokens */
+declare type TokenParams = {
+    /** The claims that will be embedded within the token */
+    claims: {
+        /** The token subject, i.e. User ID */
+        sub: string;
+        /** A list of entity references that the user claims ownership through */
+        ent?: string[];
+    };
+};
+/**
+ * A TokenIssuer is able to issue verifiable ID Tokens on demand.
+ */
+declare type TokenIssuer = {
+    /**
+     * Issues a new ID Token
+     */
+    issueToken(params: TokenParams): Promise<string>;
+    /**
+     * List all public keys that are currently being used to sign tokens, or have been used
+     * in the past within the token expiration time, including a grace period.
+     */
+    listPublicKeys(): Promise<{
+        keys: AnyJWK[];
+    }>;
+};
+/**
+ * Common options for passport.js-based OAuth providers
+ */
+declare type OAuthProviderOptions = {
+    /**
+     * Client ID of the auth provider.
+     */
+    clientId: string;
+    /**
+     * Client Secret of the auth provider.
+     */
+    clientSecret: string;
+    /**
+     * Callback URL to be passed to the auth provider to redirect to after the user signs in.
+     */
+    callbackUrl: string;
+};
+declare type OAuthResult = {
+    fullProfile: Profile;
+    params: {
+        id_token?: string;
+        scope: string;
+        expires_in: number;
+    };
+    accessToken: string;
+    refreshToken?: string;
+};
+/**
+ * The expected response from an OAuth flow.
+ *
+ * @public
+ */
+declare type OAuthResponse = {
+    profile: ProfileInfo;
+    providerInfo: OAuthProviderInfo;
+    backstageIdentity?: BackstageSignInResult;
+};
+declare type OAuthProviderInfo = {
+    /**
+     * An access token issued for the signed in user.
+     */
+    accessToken: string;
+    /**
+     * (Optional) Id token issued for the signed in user.
+     */
+    idToken?: string;
+    /**
+     * Expiry of the access token in seconds.
+     */
+    expiresInSeconds?: number;
+    /**
+     * Scopes granted for the access token.
+     */
+    scope: string;
+};
+declare type OAuthState = {
+    nonce: string;
+    env: string;
+    origin?: string;
+    scope?: string;
+};
+declare type OAuthStartRequest = express.Request<{}> & {
+    scope: string;
+    state: OAuthState;
+};
+declare type OAuthRefreshRequest = express.Request<{}> & {
+    scope: string;
+    refreshToken: string;
+};
+/**
+ * Any OAuth provider needs to implement this interface which has provider specific
+ * handlers for different methods to perform authentication, get access tokens,
+ * refresh tokens and perform sign out.
+ *
+ * @public
+ */
+interface OAuthHandlers {
+    /**
+     * Initiate a sign in request with an auth provider.
+     */
+    start(req: OAuthStartRequest): Promise<RedirectInfo>;
+    /**
+     * Handle the redirect from the auth provider when the user has signed in.
+     */
+    handler(req: express.Request): Promise<{
+        response: OAuthResponse;
+        refreshToken?: string;
+    }>;
+    /**
+     * (Optional) Given a refresh token and scope fetches a new access token from the auth provider.
+     */
+    refresh?(req: OAuthRefreshRequest): Promise<{
+        response: OAuthResponse;
+        refreshToken?: string;
+    }>;
+    /**
+     * (Optional) Sign out of the auth provider.
+     */
+    logout?(): Promise<void>;
+}
+declare type UserQuery = {
+    annotations: Record<string, string>;
+};
+declare type MemberClaimQuery = {
+    entityRefs: string[];
+    logger?: Logger;
+};
+/**
+ * A catalog client tailored for reading out identity data from the catalog.
+ */
+declare class CatalogIdentityClient {
+    private readonly catalogApi;
+    private readonly tokenManager;
+    constructor(options: {
+        catalogApi: CatalogApi;
+        tokenManager: TokenManager;
+    });
+    /**
+     * Looks up a single user using a query.
+     *
+     * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
+     */
+    findUser(query: UserQuery): Promise<UserEntity>;
+    /**
+     * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
+     * to be used within a `signInResolver` where additional entity claims might be provided, but
+     * group membership and transient group membership lean on imported catalog relations.
+     *
+     * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
+     */
+    resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
+}
+declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
+/**
+ * The context that is used for auth processing.
+ *
+ * @public
+ */
+declare type AuthResolverContext = {
+    tokenIssuer: TokenIssuer;
+    catalogIdentityClient: CatalogIdentityClient;
+    logger: Logger;
+};
+/**
+ * The callback used to resolve the cookie configuration for auth providers that use cookies.
+ * @public
+ */
+declare type CookieConfigurer = (ctx: {
+    /** ID of the auth provider that this configuration applies to */
+    providerId: string;
+    /** The externally reachable base URL of the auth-backend plugin */
+    baseUrl: string;
+    /** The configured callback URL of the auth provider */
+    callbackUrl: string;
+}) => {
+    domain: string;
+    path: string;
+    secure: boolean;
+};
+declare type AuthProviderConfig = {
+    /**
+     * The protocol://domain[:port] where the app is hosted. This is used to construct the
+     * callbackURL to redirect to once the user signs in to the auth provider.
+     */
+    baseUrl: string;
+    /**
+     * The base URL of the app as provided by app.baseUrl
+     */
+    appUrl: string;
+    /**
+     * A function that is called to check whether an origin is allowed to receive the authentication result.
+     */
+    isOriginAllowed: (origin: string) => boolean;
+    /**
+     * The function used to resolve cookie configuration based on the auth provider options.
+     */
+    cookieConfigurer?: CookieConfigurer;
+};
+declare type RedirectInfo = {
+    /**
+     * URL to redirect to
+     */
+    url: string;
+    /**
+     * Status code to use for the redirect
+     */
+    status?: number;
+};
+/**
+ * Any Auth provider needs to implement this interface which handles the routes in the
+ * auth backend. Any auth API requests from the frontend reaches these methods.
+ *
+ * The routes in the auth backend API are tied to these methods like below
+ *
+ * `/auth/[provider]/start -> start`
+ * `/auth/[provider]/handler/frame -> frameHandler`
+ * `/auth/[provider]/refresh -> refresh`
+ * `/auth/[provider]/logout -> logout`
+ */
+interface AuthProviderRouteHandlers {
+    /**
+     * Handles the start route of the API. This initiates a sign in request with an auth provider.
+     *
+     * Request
+     * - scopes for the auth request (Optional)
+     * Response
+     * - redirect to the auth provider for the user to sign in or consent.
+     * - sets a nonce cookie and also pass the nonce as 'state' query parameter in the redirect request
+     */
+    start(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * Once the user signs in or consents in the OAuth screen, the auth provider redirects to the
+     * callbackURL which is handled by this method.
+     *
+     * Request
+     * - to contain a nonce cookie and a 'state' query parameter
+     * Response
+     * - postMessage to the window with a payload that contains accessToken, expiryInSeconds?, idToken? and scope.
+     * - sets a refresh token cookie if the auth provider supports refresh tokens
+     */
+    frameHandler(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * (Optional) If the auth provider supports refresh tokens then this method handles
+     * requests to get a new access token.
+     *
+     * Request
+     * - to contain a refresh token cookie and scope (Optional) query parameter.
+     * Response
+     * - payload with accessToken, expiryInSeconds?, idToken?, scope and user profile information.
+     */
+    refresh?(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * (Optional) Handles sign out requests
+     *
+     * Response
+     * - removes the refresh token cookie
+     */
+    logout?(req: express.Request, res: express.Response): Promise<void>;
+}
+declare type AuthProviderFactoryOptions = {
+    providerId: string;
+    globalConfig: AuthProviderConfig;
+    config: Config;
+    logger: Logger;
+    tokenManager: TokenManager;
+    tokenIssuer: TokenIssuer;
+    discovery: PluginEndpointDiscovery;
+    catalogApi: CatalogApi;
+};
+declare type AuthProviderFactory = (options: AuthProviderFactoryOptions) => AuthProviderRouteHandlers;
+declare type AuthResponse<ProviderInfo> = {
+    providerInfo: ProviderInfo;
+    profile: ProfileInfo;
+    backstageIdentity?: BackstageIdentityResponse;
+};
+/**
+ * Used to display login information to user, i.e. sidebar popup.
+ *
+ * It is also temporarily used as the profile of the signed-in user's Backstage
+ * identity, but we want to replace that with data from identity and/org catalog
+ * service
+ *
+ * @public
+ */
+declare type ProfileInfo = {
+    /**
+     * Email ID of the signed in user.
+     */
+    email?: string;
+    /**
+     * Display name that can be presented to the signed in user.
+     */
+    displayName?: string;
+    /**
+     * URL to an image that can be used as the display image or avatar of the
+     * signed in user.
+     */
+    picture?: string;
+};
+/**
+ * Type of sign in information context. Includes the profile information and
+ * authentication result which contains auth related information.
+ *
+ * @public
+ */
+declare type SignInInfo<TAuthResult> = {
+    /**
+     * The simple profile passed down for use in the frontend.
+     */
+    profile: ProfileInfo;
+    /**
+     * The authentication result that was received from the authentication
+     * provider.
+     */
+    result: TAuthResult;
+};
+/**
+ * Describes the function which handles the result of a successful
+ * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.
+ *
+ * @public
+ */
+declare type SignInResolver<TAuthResult> = (info: SignInInfo<TAuthResult>, context: AuthResolverContext) => Promise<BackstageSignInResult>;
+/**
+ * The return type of an authentication handler. Must contain valid profile
+ * information.
+ *
+ * @public
+ */
+declare type AuthHandlerResult = {
+    profile: ProfileInfo;
+};
+/**
+ * The AuthHandler function is called every time the user authenticates using
+ * the provider.
+ *
+ * The handler should return a profile that represents the session for the user
+ * in the frontend.
+ *
+ * Throwing an error in the function will cause the authentication to fail,
+ * making it possible to use this function as a way to limit access to a certain
+ * group of users.
+ *
+ * @public
+ */
+declare type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext) => Promise<AuthHandlerResult>;
+declare type StateEncoder = (req: OAuthStartRequest) => Promise<{
+    encodedState: string;
+}>;
+declare class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {
+    private readonly handlers;
+    static mapConfig(config: Config, factoryFunc: (envConfig: Config) => AuthProviderRouteHandlers): OAuthEnvironmentHandler;
+    constructor(handlers: Map<string, AuthProviderRouteHandlers>);
+    start(req: express.Request, res: express.Response): Promise<void>;
+    frameHandler(req: express.Request, res: express.Response): Promise<void>;
+    refresh(req: express.Request, res: express.Response): Promise<void>;
+    logout(req: express.Request, res: express.Response): Promise<void>;
+    private getRequestFromEnv;
+    private getProviderForEnv;
+}
+declare type Options = {
+    providerId: string;
+    secure: boolean;
+    disableRefresh?: boolean;
+    persistScopes?: boolean;
+    cookieDomain: string;
+    cookiePath: string;
+    appOrigin: string;
+    tokenIssuer: TokenIssuer;
+    isOriginAllowed: (origin: string) => boolean;
+    callbackUrl: string;
+};
+declare class OAuthAdapter implements AuthProviderRouteHandlers {
+    private readonly handlers;
+    private readonly options;
+    static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'disableRefresh' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
+    private readonly baseCookieOptions;
+    constructor(handlers: OAuthHandlers, options: Options);
+    start(req: express.Request, res: express.Response): Promise<void>;
+    frameHandler(req: express.Request, res: express.Response): Promise<void>;
+    logout(req: express.Request, res: express.Response): Promise<void>;
+    refresh(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * If the response from the OAuth provider includes a Backstage identity, we
+     * make sure it's populated with all the information we can derive from the user ID.
+     */
+    private populateIdentity;
+    private setNonceCookie;
+    private setGrantedScopeCookie;
+    private getGrantedScopeFromCookie;
+    private setRefreshTokenCookie;
+    private removeRefreshTokenCookie;
+}
+declare const readState: (stateString: string) => OAuthState;
+declare const encodeState: (state: OAuthState) => string;
+declare const verifyNonce: (req: express.Request, providerId: string) => void;
+declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
+    scopes: string;
+    signInResolver?: SignInResolver<OAuthResult>;
+    authHandler: AuthHandler<OAuthResult>;
+    tokenIssuer: TokenIssuer;
+    catalogIdentityClient: CatalogIdentityClient;
+    logger: Logger;
+};
+declare class AtlassianAuthProvider implements OAuthHandlers {
+    private readonly _strategy;
+    private readonly signInResolver?;
+    private readonly authHandler;
+    private readonly tokenIssuer;
+    private readonly catalogIdentityClient;
+    private readonly logger;
+    constructor(options: AtlassianAuthProviderOptions);
+    start(req: OAuthStartRequest): Promise<RedirectInfo>;
+    handler(req: express.Request): Promise<{
+        response: OAuthResponse;
+        refreshToken: string | undefined;
+    }>;
+    private handleResult;
+    refresh(req: OAuthRefreshRequest): Promise<{
+        response: OAuthResponse;
+        refreshToken: string | undefined;
+    }>;
+}
+declare type AtlassianProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+declare const createAtlassianProvider: (options?: AtlassianProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare type Auth0ProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+/** @public */
+declare const createAuth0Provider: (options?: Auth0ProviderOptions | undefined) => AuthProviderFactory;
+declare type AwsAlbResult = {
+    fullProfile: Profile;
+    expiresInSeconds?: number;
+    accessToken: string;
+};
+declare type AwsAlbProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<AwsAlbResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<AwsAlbResult>;
+    };
+};
+declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
+declare type BitbucketOAuthResult = {
+    fullProfile: BitbucketPassportProfile;
+    params: {
+        id_token?: string;
+        scope: string;
+        expires_in: number;
+    };
+    accessToken: string;
+    refreshToken?: string;
+};
+declare type BitbucketPassportProfile = Profile & {
+    id?: string;
+    displayName?: string;
+    username?: string;
+    avatarUrl?: string;
+    _json?: {
+        links?: {
+            avatar?: {
+                href?: string;
+            };
+        };
+    };
+};
+declare const bitbucketUsernameSignInResolver: SignInResolver<BitbucketOAuthResult>;
+declare const bitbucketUserIdSignInResolver: SignInResolver<BitbucketOAuthResult>;
+declare type BitbucketProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+declare const createBitbucketProvider: (options?: BitbucketProviderOptions | undefined) => AuthProviderFactory;
+declare type GithubOAuthResult = {
+    fullProfile: Profile;
+    params: {
+        scope: string;
+        expires_in?: string;
+        refresh_token_expires_in?: string;
+    };
+    accessToken: string;
+    refreshToken?: string;
+};
+declare type GithubProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<GithubOAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<GithubOAuthResult>;
+    };
+    /**
+     * The state encoder used to encode the 'state' parameter on the OAuth request.
+     *
+     * It should return a string that takes the state params (from the request), url encodes the params
+     * and finally base64 encodes them.
+     *
+     * Providing your own stateEncoder will allow you to add addition parameters to the state field.
+     *
+     * It is typed as follows:
+     *   `export type StateEncoder = (input: OAuthState) => Promise<{encodedState: string}>;`
+     *
+     * Note: the stateEncoder must encode a 'nonce' value and an 'env' value. Without this, the OAuth flow will fail
+     * (These two values will be set by the req.state by default)
+     *
+     * For more information, please see the helper module in ../../oauth/helpers #readState
+     */
+    stateEncoder?: StateEncoder;
+};
+declare const createGithubProvider: (options?: GithubProviderOptions | undefined) => AuthProviderFactory;
+declare type GitlabProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    /**
+     * Maps an auth result to a Backstage identity for the user.
+     *
+     * Set to `'email'` to use the default email-based sign in resolver, which will search
+     * the catalog for a single user entity that has a matching `microsoft.com/email` annotation.
+     */
+    signIn?: {
+        resolver?: SignInResolver<OAuthResult>;
+    };
+};
+declare const createGitlabProvider: (options?: GitlabProviderOptions | undefined) => AuthProviderFactory;
+declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
+declare type GoogleProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<OAuthResult>;
+    };
+};
+declare const createGoogleProvider: (options?: GoogleProviderOptions | undefined) => AuthProviderFactory;
+declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
+declare type MicrosoftProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<OAuthResult>;
+    };
+};
+declare const createMicrosoftProvider: (options?: MicrosoftProviderOptions | undefined) => AuthProviderFactory;
+declare type OAuth2ProviderOptions = {
+    authHandler?: AuthHandler<OAuthResult>;
+    signIn?: {
+        resolver?: SignInResolver<OAuthResult>;
+    };
+};
+declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * JWT header extraction result, containing the raw value and the parsed JWT
+ * payload.
+ *
+ * @public
+ */
+declare type OAuth2ProxyResult<JWTPayload> = {
+    /**
+     * Parsed and decoded JWT payload.
+     */
+    fullProfile: JWTPayload;
+    /**
+     * Raw JWT token
+     */
+    accessToken: string;
+};
+/**
+ * Options for the oauth2-proxy provider factory
+ *
+ * @public
+ */
+declare type Oauth2ProxyProviderOptions<JWTPayload> = {
+    /**
+     * Configure an auth handler to generate a profile for the user.
+     */
+    authHandler: AuthHandler<OAuth2ProxyResult<JWTPayload>>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuth2ProxyResult<JWTPayload>>;
+    };
+};
+/**
+ * Factory function for oauth2-proxy auth provider
+ *
+ * @public
+ */
+declare const createOauth2ProxyProvider: <JWTPayload>(options: Oauth2ProxyProviderOptions<JWTPayload>) => AuthProviderFactory;
+/**
+ * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
+ * @public
+ */
+declare type OidcAuthResult = {
+    tokenset: TokenSet;
+    userinfo: UserinfoResponse;
+};
+/**
+ * OIDC provider callback options. An auth handler and a sign in resolver
+ * can be passed while creating a OIDC provider.
+ *
+ * authHandler : called after sign in was successful, a new object must be returned which includes a profile
+ * signInResolver: called after sign in was successful, expects to return a new {@link @backstage/plugin-auth-node#BackstageSignInResult}
+ *
+ * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
+ * otherwise it throws an error
+ *
+ * @public
+ */
+declare type OidcProviderOptions = {
+    authHandler?: AuthHandler<OidcAuthResult>;
+    signIn?: {
+        resolver?: SignInResolver<OidcAuthResult>;
+    };
+};
+declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
+declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
+declare type OktaProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<OAuthResult>;
+    };
+};
+declare const createOktaProvider: (_options?: OktaProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare type OneLoginProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+/** @public */
+declare const createOneLoginProvider: (options?: OneLoginProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare type SamlAuthResult = {
+    fullProfile: any;
+};
+/** @public */
+declare type SamlProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<SamlAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<SamlAuthResult>;
+    };
+};
+/** @public */
+declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * The data extracted from an IAP token.
+ *
+ * @public
+ */
+declare type GcpIapTokenInfo = {
+    /**
+     * The unique, stable identifier for the user.
+     */
+    sub: string;
+    /**
+     * User email address.
+     */
+    email: string;
+    /**
+     * Other fields.
+     */
+    [key: string]: JsonValue;
+};
+/**
+ * The result of the initial auth challenge. This is the input to the auth
+ * callbacks.
+ *
+ * @public
+ */
+declare type GcpIapResult = {
+    /**
+     * The data extracted from the IAP token header.
+     */
+    iapToken: GcpIapTokenInfo;
+};
+/**
+ * Options for {@link createGcpIapProvider}.
+ *
+ * @public
+ */
+declare type GcpIapProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth
+     * response into the profile that will be presented to the user. The default
+     * implementation just provides the authenticated email that the IAP
+     * presented.
+     */
+    authHandler?: AuthHandler<GcpIapResult>;
+    /**
+     * Configures sign-in for this provider.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<GcpIapResult>;
+    };
+};
+/**
+ * Creates an auth provider for Google Identity-Aware Proxy.
+ *
+ * @public
+ */
+declare function createGcpIapProvider(options: GcpIapProviderOptions): AuthProviderFactory;
+declare const factories: {
+    [providerId: string]: AuthProviderFactory;
+};
+/**
+ * Parses a Backstage-issued token and decorates the
+ * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
+ * token.
+ *
+ * @public
+ */
+declare function prepareBackstageIdentityResponse(result: BackstageSignInResult): BackstageIdentityResponse;
+declare type ProviderFactories = {
+    [s: string]: AuthProviderFactory;
+};
+interface RouterOptions {
+    logger: Logger;
+    database: PluginDatabaseManager;
+    config: Config;
+    discovery: PluginEndpointDiscovery;
+    tokenManager: TokenManager;
+    providerFactories?: ProviderFactories;
+}
+declare function createRouter(options: RouterOptions): Promise<express.Router>;
+declare function createOriginFilter(config: Config): (origin: string) => boolean;
+/**
+ * Payload sent as a post message after the auth request is complete.
+ * If successful then has a valid payload with Auth information else contains an error.
+ */
+declare type WebMessageResponse = {
+    type: 'authorization_response';
+    response: AuthResponse<unknown>;
+} | {
+    type: 'authorization_response';
+    error: Error;
+};
+declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
+declare const ensuresXRequestedWith: (req: express.Request) => boolean;
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };