npm - @backstage/plugin-auth-backend - Versions diffs - 0.13.0-next.0 → 0.13.0 - Mend

@backstage/plugin-auth-backend 0.13.0-next.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,12 +1,12 @@
 /// <reference types="node" />
 import express from 'express';
 import { Logger } from 'winston';
-import { Config } from '@backstage/config';
 import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
-import { CatalogApi } from '@backstage/catalog-client';
+import { CatalogApi, GetEntitiesRequest } from '@backstage/catalog-client';
+import { Config } from '@backstage/config';
 import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
-import { UserEntity } from '@backstage/catalog-model';
+import { UserEntity, Entity } from '@backstage/catalog-model';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
@@ -17,7 +17,11 @@ interface AnyJWK extends Record<string, string> {
     kid: string;
     kty: string;
 }
-/** Parameters used to issue new ID Tokens */
+/**
+ * Parameters used to issue new ID Tokens
+ *
+ * @public
+ */
 declare type TokenParams = {
     /** The claims that will be embedded within the token */
     claims: {
@@ -29,6 +33,9 @@ declare type TokenParams = {
 };
 /**
  * A TokenIssuer is able to issue verifiable ID Tokens on demand.
+ *
+ * @public
+ * @deprecated This interface is deprecated and will be removed in a future release.
  */
 declare type TokenIssuer = {
     /**
@@ -178,17 +185,70 @@ declare class CatalogIdentityClient {
     resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
+/**
+ * @deprecated use {@link getDefaultOwnershipEntityRefs} instead
+ */
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
+/**
+ * A query for a single user in the catalog.
+ *
+ * If `entityRef` is used, the default kind is `'User'`.
+ *
+ * If `annotations` are used, all annotations must be present and
+ * match the provided value exactly. Only entities of kind `'User'` will be considered.
+ *
+ * If `filter` are used they are passed on as they are to the `CatalogApi`.
+ *
+ * Regardless of the query method, the query must match exactly one entity
+ * in the catalog, or an error will be thrown.
+ *
+ * @public
+ */
+declare type AuthResolverCatalogUserQuery = {
+    entityRef: string | {
+        kind?: string;
+        namespace?: string;
+        name: string;
+    };
+} | {
+    annotations: Record<string, string>;
+} | {
+    filter: Exclude<GetEntitiesRequest['filter'], undefined>;
+};
 /**
  * The context that is used for auth processing.
  *
  * @public
  */
 declare type AuthResolverContext = {
+    /** @deprecated Will be removed from the context, access it via a closure instead if needed */
+    logger: Logger;
+    /** @deprecated Use the `issueToken` method instead */
     tokenIssuer: TokenIssuer;
+    /** @deprecated Use the `findCatalogUser` and `signInWithCatalogUser` methods instead, and the `getDefaultOwnershipEntityRefs` helper */
     catalogIdentityClient: CatalogIdentityClient;
-    logger: Logger;
+    /**
+     * Issues a Backstage token using the provided parameters.
+     */
+    issueToken(params: TokenParams): Promise<{
+        token: string;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    findCatalogUser(query: AuthResolverCatalogUserQuery): Promise<{
+        entity: Entity;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query, and then
+     * issues an identity for that user using default ownership resolution.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    signInWithCatalogUser(query: AuthResolverCatalogUserQuery): Promise<BackstageSignInResult>;
 };
 /**
  * The callback used to resolve the cookie configuration for auth providers that use cookies.
@@ -206,6 +266,7 @@ declare type CookieConfigurer = (ctx: {
     path: string;
     secure: boolean;
 };
+/** @public */
 declare type AuthProviderConfig = {
     /**
      * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -286,6 +347,9 @@ interface AuthProviderRouteHandlers {
      */
     logout?(req: express.Request, res: express.Response): Promise<void>;
 }
+/**
+ * @deprecated This type is deprecated and will be removed in a future release.
+ */
 declare type AuthProviderFactoryOptions = {
     providerId: string;
     globalConfig: AuthProviderConfig;
@@ -296,7 +360,22 @@ declare type AuthProviderFactoryOptions = {
     discovery: PluginEndpointDiscovery;
     catalogApi: CatalogApi;
 };
-declare type AuthProviderFactory = (options: AuthProviderFactoryOptions) => AuthProviderRouteHandlers;
+declare type AuthProviderFactory = (options: {
+    providerId: string;
+    globalConfig: AuthProviderConfig;
+    config: Config;
+    logger: Logger;
+    resolverContext: AuthResolverContext;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    tokenManager: TokenManager;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    tokenIssuer: TokenIssuer;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    discovery: PluginEndpointDiscovery;
+    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
+    catalogApi: CatalogApi;
+}) => AuthProviderRouteHandlers;
+/** @public */
 declare type AuthResponse<ProviderInfo> = {
     providerInfo: ProviderInfo;
     profile: ProfileInfo;
@@ -373,6 +452,7 @@ declare type AuthHandlerResult = {
  * @public
  */
 declare type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext) => Promise<AuthHandlerResult>;
+/** @public */
 declare type StateEncoder = (req: OAuthStartRequest) => Promise<{
     encodedState: string;
 }>;
@@ -432,17 +512,13 @@ declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
     scopes: string;
     signInResolver?: SignInResolver<OAuthResult>;
     authHandler: AuthHandler<OAuthResult>;
-    tokenIssuer: TokenIssuer;
-    catalogIdentityClient: CatalogIdentityClient;
-    logger: Logger;
+    resolverContext: AuthResolverContext;
 };
 declare class AtlassianAuthProvider implements OAuthHandlers {
     private readonly _strategy;
     private readonly signInResolver?;
     private readonly authHandler;
-    private readonly tokenIssuer;
-    private readonly catalogIdentityClient;
-    private readonly logger;
+    private readonly resolverContext;
     constructor(options: AtlassianAuthProviderOptions);
     start(req: OAuthStartRequest): Promise<RedirectInfo>;
     handler(req: express.Request): Promise<{
@@ -455,6 +531,10 @@ declare class AtlassianAuthProvider implements OAuthHandlers {
         refreshToken: string | undefined;
     }>;
 }
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type AtlassianProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -468,9 +548,28 @@ declare type AtlassianProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createAtlassianProvider: (options?: AtlassianProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.atlassian.create` instead
+ */
+declare const createAtlassianProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type Auth0ProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -487,14 +586,37 @@ declare type Auth0ProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-/** @public */
-declare const createAuth0Provider: (options?: Auth0ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.auth0.create` instead.
+ */
+declare const createAuth0Provider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/** @public */
 declare type AwsAlbResult = {
     fullProfile: Profile;
     expiresInSeconds?: number;
     accessToken: string;
 };
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type AwsAlbProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -511,7 +633,26 @@ declare type AwsAlbProviderOptions = {
         resolver: SignInResolver<AwsAlbResult>;
     };
 };
-declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.awsAlb.create` instead
+ */
+declare const createAwsAlbProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<AwsAlbResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<AwsAlbResult>;
+    };
+} | undefined) => AuthProviderFactory;
 declare type BitbucketOAuthResult = {
     fullProfile: BitbucketPassportProfile;
@@ -536,8 +677,10 @@ declare type BitbucketPassportProfile = Profile & {
         };
     };
 };
-declare const bitbucketUsernameSignInResolver: SignInResolver<BitbucketOAuthResult>;
-declare const bitbucketUserIdSignInResolver: SignInResolver<BitbucketOAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type BitbucketProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -554,7 +697,36 @@ declare type BitbucketProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createBitbucketProvider: (options?: BitbucketProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.create` instead
+ */
+declare const createBitbucketProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.resolvers.usernameMatchingUserEntityAnnotation()` instead.
+ */
+declare const bitbucketUsernameSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated Use `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` instead.
+ */
+declare const bitbucketUserIdSignInResolver: SignInResolver<OAuthResult>;
 declare type GithubOAuthResult = {
     fullProfile: Profile;
@@ -566,6 +738,10 @@ declare type GithubOAuthResult = {
     accessToken: string;
     refreshToken?: string;
 };
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GithubProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -579,7 +755,7 @@ declare type GithubProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<GithubOAuthResult>;
+        resolver: SignInResolver<GithubOAuthResult>;
     };
     /**
      * The state encoder used to encode the 'state' parameter on the OAuth request.
@@ -599,8 +775,48 @@ declare type GithubProviderOptions = {
      */
     stateEncoder?: StateEncoder;
 };
-declare const createGithubProvider: (options?: GithubProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.github.create` instead
+ */
+declare const createGithubProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<GithubOAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<GithubOAuthResult>;
+    } | undefined;
+    /**
+     * The state encoder used to encode the 'state' parameter on the OAuth request.
+     *
+     * It should return a string that takes the state params (from the request), url encodes the params
+     * and finally base64 encodes them.
+     *
+     * Providing your own stateEncoder will allow you to add addition parameters to the state field.
+     *
+     * It is typed as follows:
+     *   `export type StateEncoder = (input: OAuthState) => Promise<{encodedState: string}>;`
+     *
+     * Note: the stateEncoder must encode a 'nonce' value and an 'env' value. Without this, the OAuth flow will fail
+     * (These two values will be set by the req.state by default)
+     *
+     * For more information, please see the helper module in ../../oauth/helpers #readState
+     */
+    stateEncoder?: StateEncoder | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GitlabProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -617,12 +833,31 @@ declare type GitlabProviderOptions = {
      * the catalog for a single user entity that has a matching `microsoft.com/email` annotation.
      */
     signIn?: {
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createGitlabProvider: (options?: GitlabProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.gitlab.create` instead
+ */
+declare const createGitlabProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
-declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type GoogleProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -636,12 +871,39 @@ declare type GoogleProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createGoogleProvider: (options?: GoogleProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.google.create` instead.
+ */
+declare const createGoogleProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.google.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
-declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type MicrosoftProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -655,18 +917,55 @@ declare type MicrosoftProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createMicrosoftProvider: (options?: MicrosoftProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.microsoft.create` instead
+ */
+declare const createMicrosoftProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.microsoft.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OAuth2ProviderOptions = {
     authHandler?: AuthHandler<OAuthResult>;
     signIn?: {
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.oauth2.create` instead
+ */
+declare const createOAuth2Provider: (options?: {
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 /**
  * JWT header extraction result, containing the raw value and the parsed JWT
@@ -685,9 +984,8 @@ declare type OAuth2ProxyResult<JWTPayload> = {
     accessToken: string;
 };
 /**
- * Options for the oauth2-proxy provider factory
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type Oauth2ProxyProviderOptions<JWTPayload> = {
     /**
@@ -705,11 +1003,24 @@ declare type Oauth2ProxyProviderOptions<JWTPayload> = {
     };
 };
 /**
- * Factory function for oauth2-proxy auth provider
- *
  * @public
+ * @deprecated Use `providers.oauth2Proxy.create` instead
  */
-declare const createOauth2ProxyProvider: <JWTPayload>(options: Oauth2ProxyProviderOptions<JWTPayload>) => AuthProviderFactory;
+declare const createOauth2ProxyProvider: (options: {
+    /**
+     * Configure an auth handler to generate a profile for the user.
+     */
+    authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
+    };
+}) => AuthProviderFactory;
 /**
  * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
@@ -720,26 +1031,30 @@ declare type OidcAuthResult = {
     userinfo: UserinfoResponse;
 };
 /**
- * OIDC provider callback options. An auth handler and a sign in resolver
- * can be passed while creating a OIDC provider.
- *
- * authHandler : called after sign in was successful, a new object must be returned which includes a profile
- * signInResolver: called after sign in was successful, expects to return a new {@link @backstage/plugin-auth-node#BackstageSignInResult}
- *
- * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
- * otherwise it throws an error
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type OidcProviderOptions = {
     authHandler?: AuthHandler<OidcAuthResult>;
     signIn?: {
-        resolver?: SignInResolver<OidcAuthResult>;
+        resolver: SignInResolver<OidcAuthResult>;
     };
 };
-declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.oidc.create` instead
+ */
+declare const createOidcProvider: (options?: {
+    authHandler?: AuthHandler<OidcAuthResult> | undefined;
+    signIn?: {
+        resolver: SignInResolver<OidcAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
-declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OktaProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -753,12 +1068,39 @@ declare type OktaProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<OAuthResult>;
+        resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createOktaProvider: (_options?: OktaProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.okta.create` instead
+ */
+declare const createOktaProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.okta.resolvers.emailMatchingUserEntityAnnotation()` instead.
+ */
+declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type OneLoginProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -775,14 +1117,35 @@ declare type OneLoginProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-/** @public */
-declare const createOneLoginProvider: (options?: OneLoginProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.onelogin.create` instead
+ */
+declare const createOneLoginProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
 /** @public */
 declare type SamlAuthResult = {
     fullProfile: any;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
+ */
 declare type SamlProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
@@ -796,11 +1159,34 @@ declare type SamlProviderOptions = {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<SamlAuthResult>;
+        resolver: SignInResolver<SamlAuthResult>;
     };
 };
-/** @public */
-declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.saml.create` instead
+ */
+declare const createSamlProvider: (options?: {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<SamlAuthResult> | undefined;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<SamlAuthResult>;
+    } | undefined;
+} | undefined) => AuthProviderFactory;
+/**
+ * @public
+ * @deprecated Use `providers.saml.resolvers.nameIdMatchingUserEntityName()` instead.
+ */
+declare const samlNameIdEntityNameSignInResolver: SignInResolver<SamlAuthResult>;
 /**
  * The data extracted from an IAP token.
@@ -834,9 +1220,8 @@ declare type GcpIapResult = {
     iapToken: GcpIapTokenInfo;
 };
 /**
- * Options for {@link createGcpIapProvider}.
- *
  * @public
+ * @deprecated This type has been inlined into the create method and will be removed.
  */
 declare type GcpIapProviderOptions = {
     /**
@@ -858,11 +1243,185 @@ declare type GcpIapProviderOptions = {
 };
 /**
- * Creates an auth provider for Google Identity-Aware Proxy.
+ * @public
+ * @deprecated Use `providers.gcpIap.create` instead
+ */
+declare const createGcpIapProvider: (options: {
+    /**
+     * The profile transformation function used to verify and convert the auth
+     * response into the profile that will be presented to the user. The default
+     * implementation just provides the authenticated email that the IAP
+     * presented.
+     */
+    authHandler?: AuthHandler<GcpIapResult> | undefined;
+    /**
+     * Configures sign-in for this provider.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<GcpIapResult>;
+    };
+}) => AuthProviderFactory;
+/**
+ * All built-in auth provider integrations.
  *
  * @public
  */
-declare function createGcpIapProvider(options: GcpIapProviderOptions): AuthProviderFactory;
+declare const providers: Readonly<{
+    atlassian: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    auth0: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    awsAlb: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<AwsAlbResult> | undefined;
+            signIn: {
+                resolver: SignInResolver<AwsAlbResult>;
+            };
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    bitbucket: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            usernameMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+            userIdMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    gcpIap: Readonly<{
+        create: (options: {
+            authHandler?: AuthHandler<GcpIapResult> | undefined;
+            signIn: {
+                resolver: SignInResolver<GcpIapResult>;
+            };
+        }) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    github: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<GithubOAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<GithubOAuthResult>;
+            } | undefined;
+            stateEncoder?: StateEncoder | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            usernameMatchingUserEntityName: () => SignInResolver<GithubOAuthResult>;
+        }>;
+    }>;
+    gitlab: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    google: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    microsoft: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    oauth2: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    oauth2Proxy: Readonly<{
+        create: (options: {
+            authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+            signIn: {
+                resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
+            };
+        }) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    oidc: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OidcAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OidcAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    okta: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+        }>;
+    }>;
+    onelogin: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<OAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<OAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: never;
+    }>;
+    saml: Readonly<{
+        create: (options?: {
+            authHandler?: AuthHandler<SamlAuthResult> | undefined;
+            signIn?: {
+                resolver: SignInResolver<SamlAuthResult>;
+            } | undefined;
+        } | undefined) => AuthProviderFactory;
+        resolvers: Readonly<{
+            nameIdMatchingUserEntityName(): SignInResolver<SamlAuthResult>;
+        }>;
+    }>;
+}>;
 declare const factories: {
     [providerId: string]: AuthProviderFactory;
@@ -906,4 +1465,14 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+/**
+ * Uses the default ownership resolution logic to return an array
+ * of entity refs that the provided entity claims ownership through.
+ *
+ * A reference to the entity itself will also be included in the returned array.
+ *
+ * @public
+ */
+declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, StateEncoder, TokenIssuer, TokenParams, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, samlNameIdEntityNameSignInResolver, verifyNonce };