@backstage/plugin-auth-backend 0.12.3 → 0.13.0-next.2

package/dist/index.d.ts

@@ -1,12 +1,12 @@
 /// <reference types="node" />
 import express from 'express';
 import { Logger } from 'winston';
-import { Config } from '@backstage/config';
 import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
-import { CatalogApi } from '@backstage/catalog-client';
+import { CatalogApi, GetEntitiesRequest } from '@backstage/catalog-client';
+import { Config } from '@backstage/config';
 import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
-import { UserEntity } from '@backstage/catalog-model';
+import { UserEntity, Entity } from '@backstage/catalog-model';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
 
@@ -17,7 +17,11 @@ interface AnyJWK extends Record<string, string> {
     kid: string;
     kty: string;
 }
-/** Parameters used to issue new ID Tokens */
+/**
+ * Parameters used to issue new ID Tokens
+ *
+ * @public
+ */
 declare type TokenParams = {
     /** The claims that will be embedded within the token */
     claims: {
@@ -29,6 +33,9 @@ declare type TokenParams = {
 };
 /**
  * A TokenIssuer is able to issue verifiable ID Tokens on demand.
+ *
+ * @public
+ * @deprecated This interface is deprecated and will be removed in a future release.
  */
 declare type TokenIssuer = {
     /**
@@ -178,17 +185,70 @@ declare class CatalogIdentityClient {
     resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
 
+/**
+ * @deprecated use {@link getDefaultOwnershipEntityRefs} instead
+ */
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
 
+/**
+ * A query for a single user in the catalog.
+ *
+ * If `entityRef` is used, the default kind is `'User'`.
+ *
+ * If `annotations` are used, all annotations must be present and
+ * match the provided value exactly. Only entities of kind `'User'` will be considered.
+ *
+ * If `filter` are used they are passed on as they are to the `CatalogApi`.
+ *
+ * Regardless of the query method, the query must match exactly one entity
+ * in the catalog, or an error will be thrown.
+ *
+ * @public
+ */
+declare type AuthResolverCatalogUserQuery = {
+    entityRef: string | {
+        kind?: string;
+        namespace?: string;
+        name: string;
+    };
+} | {
+    annotations: Record<string, string>;
+} | {
+    filter: Exclude<GetEntitiesRequest['filter'], undefined>;
+};
 /**
  * The context that is used for auth processing.
  *
  * @public
  */
 declare type AuthResolverContext = {
+    /** @deprecated Will be removed from the context, access it via a closure instead if needed */
+    logger: Logger;
+    /** @deprecated Use the `issueToken` method instead */
     tokenIssuer: TokenIssuer;
+    /** @deprecated Use the `findCatalogUser` and `signInWithCatalogUser` methods instead, and the `getDefaultOwnershipEntityRefs` helper */
     catalogIdentityClient: CatalogIdentityClient;
-    logger: Logger;
+    /**
+     * Issues a Backstage token using the provided parameters.
+     */
+    issueToken(params: TokenParams): Promise<{
+        token: string;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    findCatalogUser(query: AuthResolverCatalogUserQuery): Promise<{
+        entity: Entity;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query, and then
+     * issues an identity for that user using default ownership resolution.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    signInWithCatalogUser(query: AuthResolverCatalogUserQuery): Promise<BackstageSignInResult>;
 };
 /**
  * The callback used to resolve the cookie configuration for auth providers that use cookies.
@@ -206,6 +266,7 @@ declare type CookieConfigurer = (ctx: {
     path: string;
     secure: boolean;
 };
+/** @public */
 declare type AuthProviderConfig = {
     /**
      * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -286,6 +347,9 @@ interface AuthProviderRouteHandlers {
      */
     logout?(req: express.Request, res: express.Response): Promise<void>;
 }
+/**
+ * @deprecated This type is deprecated and will be removed in a future release.
+ */
 declare type AuthProviderFactoryOptions = {
     providerId: string;
     globalConfig: AuthProviderConfig;
@@ -296,7 +360,22 @@ declare type AuthProviderFactoryOptions = {
     discovery: PluginEndpointDiscovery;
     catalogApi: CatalogApi;
 };
-declare type AuthProviderFactory = (options: AuthProviderFactoryOptions) => AuthProviderRouteHandlers;
+declare type AuthProviderFactory = (options: {
+    providerId: string;
+    globalConfig: AuthProviderConfig;
+    config: Config;
+    logger: Logger;
+    resolverContext: AuthResolverContext;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    tokenManager: TokenManager;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    tokenIssuer: TokenIssuer;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    discovery: PluginEndpointDiscovery;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    catalogApi: CatalogApi;
+}) => AuthProviderRouteHandlers;
+/** @public */
 declare type AuthResponse<ProviderInfo> = {
     providerInfo: ProviderInfo;
     profile: ProfileInfo;
@@ -373,6 +452,7 @@ declare type AuthHandlerResult = {
  * @public
  */
 declare type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext) => Promise<AuthHandlerResult>;
+/** @public */
 declare type StateEncoder = (req: OAuthStartRequest) => Promise<{
     encodedState: string;
 }>;
@@ -397,7 +477,8 @@ declare type Options = {
     cookieDomain: string;
     cookiePath: string;
     appOrigin: string;
-    tokenIssuer: TokenIssuer;
+    /** @deprecated This option is no longer needed */
+    tokenIssuer?: TokenIssuer;
     isOriginAllowed: (origin: string) => boolean;
     callbackUrl: string;
 };
@@ -431,17 +512,13 @@ declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
     scopes: string;
     signInResolver?: SignInResolver<OAuthResult>;
     authHandler: AuthHandler<OAuthResult>;
-    tokenIssuer: TokenIssuer;
-    catalogIdentityClient: CatalogIdentityClient;
-    logger: Logger;
+    resolverContext: AuthResolverContext;
 };
 declare class AtlassianAuthProvider implements OAuthHandlers {
     private readonly _strategy;
     private readonly signInResolver?;
     private readonly authHandler;
-    private readonly tokenIssuer;
-    private readonly catalogIdentityClient;
-    private readonly logger;
+    private readonly resolverContext;
     constructor(options: AtlassianAuthProviderOptions);
     start(req: OAuthStartRequest): Promise<RedirectInfo>;
     handler(req: express.Request): Promise<{
@@ -454,6 +531,10 @@ declare class AtlassianAuthProvider implements OAuthHandlers {
         refreshToken: string | undefined;
     }>;
 }
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type AtlassianProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -467,9 +548,28 @@ declare type AtlassianProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createAtlassianProvider: (options?: AtlassianProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.atlassian.create` instead
+ */
+declare const createAtlassianProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type Auth0ProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -486,14 +586,37 @@ declare type Auth0ProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-/** @public */
-declare const createAuth0Provider: (options?: Auth0ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.auth0.create` instead.
+ */
+declare const createAuth0Provider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
+/** @public */
 declare type AwsAlbResult = {
     fullProfile: Profile;
     expiresInSeconds?: number;
     accessToken: string;
 };
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type AwsAlbProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -510,7 +633,26 @@ declare type AwsAlbProviderOptions = {
         resolver: SignInResolver<AwsAlbResult>;
     };
 };
-declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.awsAlb.create` instead
+ */
+declare const createAwsAlbProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<AwsAlbResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<AwsAlbResult>;
+    };
+} | undefined) => AuthProviderFactory;
 
 declare type BitbucketOAuthResult = {
     fullProfile: BitbucketPassportProfile;
@@ -535,8 +677,10 @@ declare type BitbucketPassportProfile = Profile & {
         };
     };
 };
-declare const bitbucketUsernameSignInResolver: SignInResolver<BitbucketOAuthResult>;
-declare const bitbucketUserIdSignInResolver: SignInResolver<BitbucketOAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type BitbucketProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -553,7 +697,36 @@ declare type BitbucketProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createBitbucketProvider: (options?: BitbucketProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.create` instead
+ */
+declare const createBitbucketProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.resolvers.usernameMatchingUserEntityAnnotation()` instead.
+ */
+declare const bitbucketUsernameSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` instead.
+ */
+declare const bitbucketUserIdSignInResolver: SignInResolver<OAuthResult>;
 
 declare type GithubOAuthResult = {
     fullProfile: Profile;
@@ -565,6 +738,10 @@ declare type GithubOAuthResult = {
     accessToken: string;
     refreshToken?: string;
 };
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GithubProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -578,7 +755,7 @@ declare type GithubProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<GithubOAuthResult>;
+        resolver: SignInResolver<GithubOAuthResult>;
     };
     /**
      * The state encoder used to encode the 'state' parameter on the OAuth request.
@@ -598,8 +775,48 @@ declare type GithubProviderOptions = {
      */
     stateEncoder?: StateEncoder;
 };
-declare const createGithubProvider: (options?: GithubProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.github.create` instead
+ */
+declare const createGithubProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<GithubOAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<GithubOAuthResult>;
+    } | undefined;
+    /**
+     * The state encoder used to encode the 'state' parameter on the OAuth request.
+     *
+     * It should return a string that takes the state params (from the request), url encodes the params
+     * and finally base64 encodes them.
+     *
+     * Providing your own stateEncoder will allow you to add addition parameters to the state field.
+     *
+     * It is typed as follows:
+     *   `export type StateEncoder = (input: OAuthState) => Promise<{encodedState: string}>;`
+     *
+     * Note: the stateEncoder must encode a 'nonce' value and an 'env' value. Without this, the OAuth flow will fail
+     * (These two values will be set by the req.state by default)
+     *
+     * For more information, please see the helper module in ../../oauth/helpers #readState
+     */
+    stateEncoder?: StateEncoder | undefined;
+} | undefined) => AuthProviderFactory;
 
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GitlabProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -616,12 +833,31 @@ declare type GitlabProviderOptions = {
      * the catalog for a single user entity that has a matching `microsoft.com/email` annotation.
      */
     signIn?: {
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createGitlabProvider: (options?: GitlabProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.gitlab.create` instead
+ */
+declare const createGitlabProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
-declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GoogleProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -635,12 +871,39 @@ declare type GoogleProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createGoogleProvider: (options?: GoogleProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.google.create` instead.
+ */
+declare const createGoogleProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.google.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
 
-declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type MicrosoftProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -654,18 +917,55 @@ declare type MicrosoftProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createMicrosoftProvider: (options?: MicrosoftProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.microsoft.create` instead
+ */
+declare const createMicrosoftProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.microsoft.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
 
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OAuth2ProviderOptions = {
     authHandler?: AuthHandler<OAuthResult>;
     signIn?: {
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.oauth2.create` instead
+ */
+declare const createOAuth2Provider: (options?: {
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
 /**
  * JWT header extraction result, containing the raw value and the parsed JWT
@@ -684,9 +984,8 @@ declare type OAuth2ProxyResult<JWTPayload> = {
     accessToken: string;
 };
 /**
- * Options for the oauth2-proxy provider factory
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type Oauth2ProxyProviderOptions<JWTPayload> = {
     /**
@@ -704,11 +1003,24 @@ declare type Oauth2ProxyProviderOptions<JWTPayload> = {
     };
 };
 /**
- * Factory function for oauth2-proxy auth provider
- *
  * @public
+ * @deprecated Use `providers.oauth2Proxy.create` instead
  */
-declare const createOauth2ProxyProvider: <JWTPayload>(options: Oauth2ProxyProviderOptions<JWTPayload>) => AuthProviderFactory;
+declare const createOauth2ProxyProvider: (options: {
+    /**
+     * Configure an auth handler to generate a profile for the user.
+     */
+    authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
+    };
+}) => AuthProviderFactory;
 
 /**
  * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
@@ -719,26 +1031,30 @@ declare type OidcAuthResult = {
     userinfo: UserinfoResponse;
 };
 /**
- * OIDC provider callback options. An auth handler and a sign in resolver
- * can be passed while creating a OIDC provider.
- *
- * authHandler : called after sign in was successful, a new object must be returned which includes a profile
- * signInResolver: called after sign in was successful, expects to return a new {@link @backstage/plugin-auth-node#BackstageSignInResult}
- *
- * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
- * otherwise it throws an error
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type OidcProviderOptions = {
     authHandler?: AuthHandler<OidcAuthResult>;
     signIn?: {
-        resolver?: SignInResolver<OidcAuthResult>;
+        resolver: SignInResolver<OidcAuthResult>;
     };
 };
-declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.oidc.create` instead
+ */
+declare const createOidcProvider: (options?: {
+    authHandler?: AuthHandler<OidcAuthResult> | undefined;
+    signIn?: {
+        resolver: SignInResolver<OidcAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
-declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OktaProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -752,12 +1068,39 @@ declare type OktaProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createOktaProvider: (_options?: OktaProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.okta.create` instead
+ */
+declare const createOktaProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.okta.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
 
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OneLoginProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -774,14 +1117,35 @@ declare type OneLoginProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-/** @public */
-declare const createOneLoginProvider: (options?: OneLoginProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.onelogin.create` instead
+ */
+declare const createOneLoginProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 
 /** @public */
 declare type SamlAuthResult = {
     fullProfile: any;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type SamlProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -795,11 +1159,34 @@ declare type SamlProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<SamlAuthResult>;
+        resolver: SignInResolver<SamlAuthResult>;
     };
 };
-/** @public */
-declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.saml.create` instead
+ */
+declare const createSamlProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<SamlAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<SamlAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.saml.resolvers.nameIdMatchingUserEntityName()` instead.
+ */
+declare const samlNameIdEntityNameSignInResolver: SignInResolver<SamlAuthResult>;
 
 /**
  * The data extracted from an IAP token.
@@ -833,9 +1220,8 @@ declare type GcpIapResult = {
     iapToken: GcpIapTokenInfo;
 };
 /**
- * Options for {@link createGcpIapProvider}.
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type GcpIapProviderOptions = {
     /**
@@ -857,11 +1243,185 @@ declare type GcpIapProviderOptions = {
 };
 
 /**
- * Creates an auth provider for Google Identity-Aware Proxy.
+ * @public
+ * @deprecated Use `providers.gcpIap.create` instead
+ */
+declare const createGcpIapProvider: (options: {
+    /**
+     * The profile transformation function used to verify and convert the auth
+     * response into the profile that will be presented to the user. The default
+     * implementation just provides the authenticated email that the IAP
+     * presented.
+     */
+    authHandler?: AuthHandler<GcpIapResult> | undefined;
+    /**
+     * Configures sign-in for this provider.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<GcpIapResult>;
+    };
+}) => AuthProviderFactory;
+
+/**
+ * All built-in auth provider integrations.
  *
  * @public
  */
-declare function createGcpIapProvider(options: GcpIapProviderOptions): AuthProviderFactory;
+declare const providers: Readonly<{
+    atlassian: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    auth0: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    awsAlb: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<AwsAlbResult> | undefined;
+            signIn: {
+                resolver: SignInResolver<AwsAlbResult>;
+            };
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    bitbucket: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            usernameMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+            userIdMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    gcpIap: Readonly<{
+        create: (options: {
+            authHandler?: AuthHandler<GcpIapResult> | undefined;
+            signIn: {
+                resolver: SignInResolver<GcpIapResult>;
+            };
+        }) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    github: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<GithubOAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<GithubOAuthResult>;
+            } | undefined;
+            stateEncoder?: StateEncoder | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            usernameMatchingUserEntityName: () => SignInResolver<GithubOAuthResult>;
+        }>;
+    }>;
+    gitlab: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    google: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    microsoft: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    oauth2: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    oauth2Proxy: Readonly<{
+        create: (options: {
+            authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+            signIn: {
+                resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
+            };
+        }) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    oidc: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OidcAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OidcAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    okta: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    onelogin: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    saml: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<SamlAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<SamlAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            nameIdMatchingUserEntityName(): SignInResolver<SamlAuthResult>;
+        }>;
+    }>;
+}>;
 
 declare const factories: {
     [providerId: string]: AuthProviderFactory;
@@ -905,4 +1465,14 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+/**
+ * Uses the default ownership resolution logic to return an array
+ * of entity refs that the provided entity claims ownership through.
+ *
+ * A reference to the entity itself will also be included in the returned array.
+ *
+ * @public
+ */
+declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
+
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, StateEncoder, TokenIssuer, TokenParams, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, samlNameIdEntityNameSignInResolver, verifyNonce };