@backstage/plugin-auth-backend 0.13.0-next.1 → 0.13.1-next.0

package/dist/index.cjs.js

@@ -11,7 +11,6 @@ var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
 var jwtDecoder = require('jwt-decode');
-var catalogModel = require('@backstage/catalog-model');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
@@ -29,6 +28,7 @@ var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
+var catalogModel = require('@backstage/catalog-model');
 var backendCommon = require('@backstage/backend-common');
 var firestore = require('@google-cloud/firestore');
 var lodash = require('lodash');
@@ -542,75 +542,12 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-class CatalogIdentityClient {
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    this.tokenManager = options.tokenManager;
-  }
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const { token } = await this.tokenManager.getToken();
-    const { items } = await this.catalogApi.getEntities({ filter }, { token });
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
-  }
-  async resolveCatalogMembership(query) {
-    const { entityRefs, logger } = query;
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
-      }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const { token } = await this.tokenManager.getToken();
-    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
-    }
-    const memberOf = entities.flatMap((e) => {
-      var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
-    });
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
-    ];
-    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
-  }
-}
-
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
-  return {
-    sub: userRef,
-    ent: [userRef, ...membershipRefs]
-  };
+function createAuthProviderIntegration(config) {
+  var _a;
+  return Object.freeze({
+    ...config,
+    resolvers: Object.freeze((_a = config.resolvers) != null ? _a : {})
+  });
 }
 
 const atlassianDefaultAuthHandler = async ({
@@ -621,9 +558,7 @@ const atlassianDefaultAuthHandler = async ({
 });
 class AtlassianAuthProvider {
   constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
+    this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
     this._strategy = new AtlassianStrategy({
@@ -653,12 +588,7 @@ class AtlassianAuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -672,7 +602,7 @@ class AtlassianAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
@@ -689,45 +619,33 @@ class AtlassianAuthProvider {
     };
   }
 }
-const createAtlassianProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const scopes = envConfig.getString("scopes");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
-    const provider = new AtlassianAuthProvider({
-      clientId,
-      clientSecret,
-      scopes,
-      callbackUrl,
-      authHandler,
-      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
-      catalogIdentityClient,
-      logger,
-      tokenIssuer
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const atlassian = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a, _b;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const scopes = envConfig.getString("scopes");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+      const provider = new AtlassianAuthProvider({
+        clientId,
+        clientSecret,
+        scopes,
+        callbackUrl,
+        authHandler,
+        signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
+  }
+});
+const createAtlassianProvider = atlassian.create;
 
 class Auth0Strategy extends OAuth2Strategy__default["default"] {
   constructor(options, verify) {
@@ -746,9 +664,7 @@ class Auth0AuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this._strategy = new Auth0Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -794,12 +710,7 @@ class Auth0AuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -813,78 +724,52 @@ class Auth0AuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const defaultSignInResolver$1 = async (info) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile does not contain an email");
-  }
-  const id = profile.email.split("@")[0];
-  return { id, token: "" };
-};
-const createAuth0Provider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const domain = envConfig.getString("domain");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver$1;
-    const provider = new Auth0AuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      domain,
-      authHandler,
-      signInResolver,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const auth0 = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const domain = envConfig.getString("domain");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
+      const provider = new Auth0AuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        domain,
+        authHandler,
+        signInResolver,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: true,
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
+  }
+});
+const createAuth0Provider = auth0.create;
 
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
 class AwsAlbAuthProvider {
   constructor(options) {
     this.region = options.region;
     this.issuer = options.issuer;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
   }
   frameHandler() {
@@ -896,9 +781,7 @@ class AwsAlbAuthProvider {
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
-      this.logger.error("Exception occurred during AWS ALB token refresh", e);
-      res.status(401);
-      res.end();
+      throw new errors.AuthenticationError("Exception occurred during AWS ALB token refresh", e);
     }
   }
   start() {
@@ -914,9 +797,8 @@ class AwsAlbAuthProvider {
       throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`);
     }
     try {
-      const headers = getJWTHeaders(jwt);
-      const key = await this.getKey(headers.kid);
-      const claims = jose.JWT.verify(jwt, key);
+      const verifyResult = await jose.jwtVerify(jwt, this.getKey);
+      const claims = verifyResult.payload;
       if (this.issuer && claims.iss !== this.issuer) {
         throw new errors.AuthenticationError("Issuer mismatch on JWT token");
       }
@@ -942,16 +824,11 @@ class AwsAlbAuthProvider {
     }
   }
   async handleResult(result) {
-    const context = {
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient,
-      logger: this.logger
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const backstageIdentity = await this.signInResolver({
       result,
       profile
-    }, context);
+    }, this.resolverContext);
     return {
       providerInfo: {
         accessToken: result.accessToken,
@@ -961,51 +838,48 @@ class AwsAlbAuthProvider {
       profile
     };
   }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
+  async getKey(header) {
+    if (!header.kid) {
+      throw new errors.AuthenticationError("No key id was specified in header");
+    }
+    const optionalCacheKey = this.keyCache.get(header.kid);
     if (optionalCacheKey) {
       return crypto__namespace.createPublicKey(optionalCacheKey);
     }
-    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${encodeURIComponent(this.region)}.amazonaws.com/${encodeURIComponent(header.kid)}`).then((response) => response.text());
     const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
+    this.keyCache.set(header.kid, keyValue.export({ format: "pem", type: "spki" }));
     return keyValue;
   }
 }
-const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
-    const region = config.getString("region");
-    const issuer = config.getOptionalString("iss");
-    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-      throw new Error("SignInResolver is required to use this authentication provider");
-    }
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
-    });
-    const signInResolver = options == null ? void 0 : options.signIn.resolver;
-    return new AwsAlbAuthProvider({
-      region,
-      issuer,
-      signInResolver,
-      authHandler,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-  };
-};
+const awsAlb = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      const region = config.getString("region");
+      const issuer = config.getOptionalString("iss");
+      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+        throw new Error("SignInResolver is required to use this authentication provider");
+      }
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+        profile: makeProfileInfo(fullProfile)
+      });
+      return new AwsAlbAuthProvider({
+        region,
+        issuer,
+        signInResolver: options == null ? void 0 : options.signIn.resolver,
+        authHandler,
+        resolverContext
+      });
+    };
+  }
+});
+const createAwsAlbProvider = awsAlb.create;
 
 class BitbucketAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this._strategy = new passportBitbucketOauth2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -1051,12 +925,7 @@ class BitbucketAuthProvider {
   }
   async handleResult(result) {
     result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1070,79 +939,69 @@ class BitbucketAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const bitbucketUsernameSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.username) {
-    throw new Error("Bitbucket profile contained no Username");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/username": result.fullProfile.username
+const bitbucket = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new BitbucketAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        authHandler,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
+    });
+  },
+  resolvers: {
+    usernameMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { result } = info;
+        if (!result.fullProfile.username) {
+          throw new Error("Bitbucket profile contained no Username");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "bitbucket.org/username": result.fullProfile.username
+          }
+        });
+      };
+    },
+    userIdMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { result } = info;
+        if (!result.fullProfile.id) {
+          throw new Error("Bitbucket profile contained no User ID");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "bitbucket.org/user-id": result.fullProfile.id
+          }
+        });
+      };
     }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const bitbucketUserIdSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.id) {
-    throw new Error("Bitbucket profile contained no User ID");
   }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/user-id": result.fullProfile.id
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const createBitbucketProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const provider = new BitbucketAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-      authHandler,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
-    });
-  });
-};
+});
+const createBitbucketProvider = bitbucket.create;
+const bitbucketUsernameSignInResolver = bitbucket.resolvers.usernameMatchingUserEntityAnnotation();
+const bitbucketUserIdSignInResolver = bitbucket.resolvers.userIdMatchingUserEntityAnnotation();
 
 const ACCESS_TOKEN_PREFIX = "access-token.";
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
@@ -1151,9 +1010,7 @@ class GithubAuthProvider {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.stateEncoder = options.stateEncoder;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this._strategy = new passportGithub2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -1213,12 +1070,7 @@ class GithubAuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const expiresInStr = result.params.expires_in;
     let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
     let backstageIdentity = void 0;
@@ -1226,7 +1078,7 @@ class GithubAuthProvider {
       backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
       if (expiresInSeconds) {
         expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
       } else {
@@ -1244,99 +1096,58 @@ class GithubAuthProvider {
     };
   }
 }
-const githubDefaultSignInResolver = async (info, ctx) => {
-  const { fullProfile } = info.result;
-  const userId = fullProfile.username || fullProfile.id;
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
-    }
-  });
-  return { id: userId, token };
-};
-const createGithubProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c, _d;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const enterpriseInstanceUrl = (_a = envConfig.getOptionalString("enterpriseInstanceUrl")) == null ? void 0 : _a.replace(/\/$/, "");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
-    });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : githubDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const stateEncoder = (_d = options == null ? void 0 : options.stateEncoder) != null ? _d : async (req) => {
-      return { encodedState: encodeState(req.state) };
-    };
-    const provider = new GithubAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenUrl,
-      userProfileUrl,
-      authorizationUrl,
-      signInResolver,
-      authHandler,
-      tokenIssuer,
-      catalogIdentityClient,
-      stateEncoder,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      persistScopes: true,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const github = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a, _b, _c;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const enterpriseInstanceUrl = (_a = envConfig.getOptionalString("enterpriseInstanceUrl")) == null ? void 0 : _a.replace(/\/$/, "");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+      const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+      const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+        profile: makeProfileInfo(fullProfile)
+      });
+      const stateEncoder = (_b = options == null ? void 0 : options.stateEncoder) != null ? _b : async (req) => {
+        return { encodedState: encodeState(req.state) };
+      };
+      const provider = new GithubAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        tokenUrl,
+        userProfileUrl,
+        authorizationUrl,
+        signInResolver: (_c = options == null ? void 0 : options.signIn) == null ? void 0 : _c.resolver,
+        authHandler,
+        stateEncoder,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        persistScopes: true,
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
-
-const gitlabDefaultSignInResolver = async (info, ctx) => {
-  const { profile, result } = info;
-  let id = result.fullProfile.id;
-  if (profile.email) {
-    id = profile.email.split("@")[0];
-  }
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: id
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
+  },
+  resolvers: {
+    usernameMatchingUserEntityName: () => {
+      return async (info, ctx) => {
+        const { fullProfile } = info.result;
+        const userId = fullProfile.username;
+        if (!userId) {
+          throw new Error(`GitHub user profile does not contain a username`);
+        }
+        return ctx.signInWithCatalogUser({ entityRef: { name: userId } });
+      };
     }
-  });
-  return { id, token };
-};
+  }
+});
+const createGithubProvider = github.create;
+
 const gitlabDefaultAuthHandler = async ({
   fullProfile,
   params
@@ -1345,9 +1156,7 @@ const gitlabDefaultAuthHandler = async ({
 });
 class GitlabAuthProvider {
   constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
+    this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
     this._strategy = new passportGitlab2.Strategy({
@@ -1387,12 +1196,7 @@ class GitlabAuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1406,67 +1210,69 @@ class GitlabAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const createGitlabProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getOptionalString("audience");
-    const baseUrl = audience || "https://gitlab.com";
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new GitlabAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      baseUrl,
-      authHandler,
-      signInResolver,
-      catalogIdentityClient,
-      logger,
-      tokenIssuer
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const gitlab = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a, _b;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const audience = envConfig.getOptionalString("audience");
+      const baseUrl = audience || "https://gitlab.com";
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
+      const provider = new GitlabAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        baseUrl,
+        authHandler,
+        signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
     });
+  }
+});
+const createGitlabProvider = gitlab.create;
+
+const commonByEmailLocalPartResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  const [localPart] = profile.email.split("@");
+  return ctx.signInWithCatalogUser({
+    entityRef: { name: localPart }
+  });
+};
+const commonByEmailResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  return ctx.signInWithCatalogUser({
+    filter: {
+      "spec.profile.email": profile.email
+    }
   });
 };
 
 class GoogleAuthProvider {
   constructor(options) {
-    this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this._strategy = new passportGoogleOauth20.Strategy({
+    this.signInResolver = options.signInResolver;
+    this.resolverContext = options.resolverContext;
+    this.strategy = new passportGoogleOauth20.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
@@ -1483,7 +1289,7 @@ class GoogleAuthProvider {
     });
   }
   async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
+    return await executeRedirectStrategy(req, this.strategy, {
       accessType: "offline",
       prompt: "consent",
       scope: req.scope,
@@ -1491,15 +1297,15 @@ class GoogleAuthProvider {
     });
   }
   async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this.strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this.strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this.strategy, accessToken);
     return {
       response: await this.handleResult({
         fullProfile,
@@ -1510,12 +1316,7 @@ class GoogleAuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1529,109 +1330,64 @@ class GoogleAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const googleEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "google.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const googleDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  let userId;
-  try {
-    const entity = await ctx.catalogIdentityClient.findUser({
-      annotations: {
-        "google.com/email": profile.email
-      }
+const google = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new GoogleAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        authHandler,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
     });
-    userId = entity.metadata.name;
-  } catch (error) {
-    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
-    userId = profile.email.split("@")[0];
-  }
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
+  },
+  resolvers: {
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
+    emailMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Google profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "google.com/email": profile.email
+          }
+        });
+      };
     }
-  });
-  return { id: userId, token };
-};
-const createGoogleProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new GoogleAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      signInResolver,
-      authHandler,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
-    });
-  });
-};
+  }
+});
+const createGoogleProvider = google.create;
+const googleEmailSignInResolver = google.resolvers.emailMatchingUserEntityAnnotation();
 
 class MicrosoftAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
     this.logger = options.logger;
-    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.resolverContext = options.resolverContext;
     this._strategy = new passportMicrosoft.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -1671,12 +1427,7 @@ class MicrosoftAuthProvider {
   async handleResult(result) {
     const photo = await this.getUserPhoto(result.accessToken);
     result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1690,118 +1441,83 @@ class MicrosoftAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
-  getUserPhoto(accessToken) {
-    return new Promise((resolve) => {
-      fetch__default["default"]("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
+  async getUserPhoto(accessToken) {
+    try {
+      const res = await fetch__default["default"]("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
         headers: {
           Authorization: `Bearer ${accessToken}`
         }
-      }).then((response) => response.arrayBuffer()).then((arrayBuffer) => {
-        const imageUrl = `data:image/jpeg;base64,${Buffer.from(arrayBuffer).toString("base64")}`;
-        resolve(imageUrl);
-      }).catch((error) => {
-        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
-        resolve(void 0);
       });
-    });
+      const data = await res.buffer();
+      return `data:image/jpeg;base64,${data.toString("base64")}`;
+    } catch (error) {
+      this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
+      return void 0;
+    }
   }
 }
-const microsoftEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Microsoft profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "microsoft.com/email": profile.email
+const microsoft = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, logger, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const tenantId = envConfig.getString("tenantId");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+      const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new MicrosoftAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        authorizationUrl,
+        tokenUrl,
+        authHandler,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        logger,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
+    });
+  },
+  resolvers: {
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
+    emailMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Microsoft profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "microsoft.com/email": profile.email
+          }
+        });
+      };
     }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const microsoftDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
   }
-  const userId = profile.email.split("@")[0];
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
-    }
-  });
-  return { id: userId, token };
-};
-const createMicrosoftProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const tenantId = envConfig.getString("tenantId");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new MicrosoftAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      authorizationUrl,
-      tokenUrl,
-      authHandler,
-      signInResolver,
-      catalogIdentityClient,
-      logger,
-      tokenIssuer
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
-    });
-  });
-};
+});
+const createMicrosoftProvider = microsoft.create;
+const microsoftEmailSignInResolver = microsoft.resolvers.emailMatchingUserEntityAnnotation();
 
 class OAuth2AuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this._strategy = new OAuth2Strategy.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
@@ -1853,12 +1569,7 @@ class OAuth2AuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1872,7 +1583,7 @@ class OAuth2AuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
@@ -1880,87 +1591,48 @@ class OAuth2AuthProvider {
     return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
   }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
-  }
-  const userId = profile.email.split("@")[0];
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
-    }
-  });
-  return { id: userId, token };
-};
-const createOAuth2Provider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = envConfig.getString("authorizationUrl");
-    const tokenUrl = envConfig.getString("tokenUrl");
-    const scope = envConfig.getOptionalString("scope");
-    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
-    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new OAuth2AuthProvider({
-      clientId,
-      clientSecret,
-      tokenIssuer,
-      catalogIdentityClient,
-      callbackUrl,
-      signInResolver,
-      authHandler,
-      authorizationUrl,
-      tokenUrl,
-      scope,
-      logger,
-      includeBasicAuth
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const oauth2 = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a, _b;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authorizationUrl = envConfig.getString("authorizationUrl");
+      const tokenUrl = envConfig.getString("tokenUrl");
+      const scope = envConfig.getOptionalString("scope");
+      const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
+      const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new OAuth2AuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+        authHandler,
+        authorizationUrl,
+        tokenUrl,
+        scope,
+        includeBasicAuth,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh,
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
+  }
+});
+const createOAuth2Provider = oauth2.create;
 
 const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
 class Oauth2ProxyAuthProvider {
   constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
+    this.resolverContext = options.resolverContext;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
   }
@@ -1973,25 +1645,18 @@ class Oauth2ProxyAuthProvider {
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
-      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
-      res.status(401);
-      res.end();
+      throw new errors.AuthenticationError("Refresh failed", e);
     }
   }
   start() {
     return Promise.resolve(void 0);
   }
   async handleResult(result) {
-    const ctx = {
-      logger: this.logger,
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient
-    };
-    const { profile } = await this.authHandler(result, ctx);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const backstageSignInResult = await this.signInResolver({
       result,
       profile
-    }, ctx);
+    }, this.resolverContext);
     return {
       providerInfo: {
         accessToken: result.accessToken
@@ -2006,28 +1671,27 @@ class Oauth2ProxyAuthProvider {
     if (!jwt) {
       throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
     }
-    const decodedJWT = jose.JWT.decode(jwt);
+    const decodedJWT = jose.decodeJwt(jwt);
     return {
       fullProfile: decodedJWT,
       accessToken: jwt
     };
   }
 }
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
-  const signInResolver = options.signIn.resolver;
-  const authHandler = options.authHandler;
-  const catalogIdentityClient = new CatalogIdentityClient({
-    catalogApi,
-    tokenManager
-  });
-  return new Oauth2ProxyAuthProvider({
-    logger,
-    signInResolver,
-    authHandler,
-    tokenIssuer,
-    catalogIdentityClient
-  });
-};
+const oauth2Proxy = createAuthProviderIntegration({
+  create(options) {
+    return ({ resolverContext }) => {
+      const signInResolver = options.signIn.resolver;
+      const authHandler = options.authHandler;
+      return new Oauth2ProxyAuthProvider({
+        resolverContext,
+        signInResolver,
+        authHandler
+      });
+    };
+  }
+});
+const createOauth2ProxyProvider = oauth2Proxy.create;
 
 class OidcAuthProvider {
   constructor(options) {
@@ -2036,9 +1700,7 @@ class OidcAuthProvider {
     this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
   }
   async start(req) {
     const { strategy } = await this.implementation;
@@ -2098,12 +1760,7 @@ class OidcAuthProvider {
     return { strategy, client };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.tokenset.id_token,
@@ -2117,92 +1774,55 @@ class OidcAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const oidcDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
-  }
-  const userId = profile.email.split("@")[0];
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
-    }
-  });
-  return { id: userId, token };
-};
-const createOidcProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      }
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oidcDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new OidcAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt,
-      signInResolver,
-      authHandler,
-      logger,
-      tokenIssuer,
-      catalogIdentityClient
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const oidc = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const metadataUrl = envConfig.getString("metadataUrl");
+      const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+      const scope = envConfig.getOptionalString("scope");
+      const prompt = envConfig.getOptionalString("prompt");
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
+        profile: {
+          displayName: userinfo.name,
+          email: userinfo.email,
+          picture: userinfo.picture
+        }
+      });
+      const provider = new OidcAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        tokenSignedResponseAlg,
+        metadataUrl,
+        scope,
+        prompt,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        authHandler,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
+  }
+});
+const createOidcProvider = oidc.create;
 
 class OktaAuthProvider {
   constructor(options) {
-    this._store = {
+    this.store = {
       store(_req, cb) {
         cb(null, null);
       },
@@ -2210,18 +1830,16 @@ class OktaAuthProvider {
         cb(null, true);
       }
     };
-    this._signInResolver = options.signInResolver;
-    this._authHandler = options.authHandler;
-    this._tokenIssuer = options.tokenIssuer;
-    this._catalogIdentityClient = options.catalogIdentityClient;
-    this._logger = options.logger;
-    this._strategy = new passportOktaOauth.Strategy({
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.resolverContext = options.resolverContext;
+    this.strategy = new passportOktaOauth.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
       audience: options.audience,
       passReqToCallback: false,
-      store: this._store,
+      store: this.store,
       response_type: "code"
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
@@ -2235,7 +1853,7 @@ class OktaAuthProvider {
     });
   }
   async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
+    return await executeRedirectStrategy(req, this.strategy, {
       accessType: "offline",
       prompt: "consent",
       scope: req.scope,
@@ -2243,15 +1861,15 @@ class OktaAuthProvider {
     });
   }
   async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this.strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this.strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this.strategy, accessToken);
     return {
       response: await this.handleResult({
         fullProfile,
@@ -2262,12 +1880,7 @@ class OktaAuthProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this._logger,
-      catalogIdentityClient: this._catalogIdentityClient,
-      tokenIssuer: this._tokenIssuer
-    };
-    const { profile } = await this._authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -2277,107 +1890,72 @@ class OktaAuthProvider {
       },
       profile
     };
-    if (this._signInResolver) {
-      response.backstageIdentity = await this._signInResolver({
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const oktaEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Okta profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "okta.com/email": profile.email
+const okta = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const audience = envConfig.getString("audience");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      if (!audience.startsWith("https://")) {
+        throw new Error("URL for 'audience' must start with 'https://'.");
+      }
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new OktaAuthProvider({
+        audience,
+        clientId,
+        clientSecret,
+        callbackUrl,
+        authHandler,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
+    });
+  },
+  resolvers: {
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
+    emailMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Okta profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "okta.com/email": profile.email
+          }
+        });
+      };
     }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const oktaDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Okta profile contained no email");
   }
-  const userId = profile.email.split("@")[0];
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: userId
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
-    }
-  });
-  return { id: userId, token };
-};
-const createOktaProvider = (_options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getString("audience");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    if (!audience.startsWith("https://")) {
-      throw new Error("URL for 'audience' must start with 'https://'.");
-    }
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new OktaAuthProvider({
-      audience,
-      clientId,
-      clientSecret,
-      callbackUrl,
-      authHandler,
-      signInResolver,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
-    });
-  });
-};
+});
+const createOktaProvider = okta.create;
+const oktaEmailSignInResolver = okta.resolvers.emailMatchingUserEntityAnnotation();
 
 class OneLoginProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this._strategy = new passportOneloginOauth.Strategy({
       issuer: options.issuer,
       clientID: options.clientId,
@@ -2423,12 +2001,7 @@ class OneLoginProvider {
     };
   }
   async handleResult(result) {
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -2442,71 +2015,48 @@ class OneLoginProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, context);
+      }, this.resolverContext);
     }
     return response;
   }
 }
-const defaultSignInResolver = async (info) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("OIDC profile contained no email");
-  }
-  const id = profile.email.split("@")[0];
-  return { id, token: "" };
-};
-const createOneLoginProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const issuer = envConfig.getString("issuer");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
-    const provider = new OneLoginProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      issuer,
-      authHandler,
-      signInResolver,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer,
-      callbackUrl
+const onelogin = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const issuer = envConfig.getString("issuer");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new OneLoginProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        issuer,
+        authHandler,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        disableRefresh: false,
+        providerId,
+        callbackUrl
+      });
     });
-  });
-};
+  }
+});
+const createOneLoginProvider = onelogin.create;
 
 class SamlAuthProvider {
   constructor(options) {
     this.appUrl = options.appUrl;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
     this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
       done(void 0, { fullProfile });
     });
@@ -2517,13 +2067,8 @@ class SamlAuthProvider {
   }
   async frameHandler(req, res) {
     try {
-      const context = {
-        logger: this.logger,
-        catalogIdentityClient: this.catalogIdentityClient,
-        tokenIssuer: this.tokenIssuer
-      };
       const { result } = await executeFrameHandlerStrategy(req, this.strategy);
-      const { profile } = await this.authHandler(result, context);
+      const { profile } = await this.authHandler(result, this.resolverContext);
       const response = {
         profile,
         providerInfo: {}
@@ -2532,7 +2077,7 @@ class SamlAuthProvider {
         const signInResponse = await this.signInResolver({
           result,
           profile
-        }, context);
+        }, this.resolverContext);
         response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
       }
       return postMessageResponse(res, this.appUrl, {
@@ -2551,71 +2096,53 @@ class SamlAuthProvider {
     res.end();
   }
 }
-const samlDefaultSignInResolver = async (info, ctx) => {
-  const id = info.result.fullProfile.nameID;
-  const entityRef = catalogModel.stringifyEntityRef({
-    kind: "User",
-    namespace: catalogModel.DEFAULT_NAMESPACE,
-    name: id
-  });
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {
-      sub: entityRef,
-      ent: [entityRef]
+const saml = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => {
+      var _a;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+        profile: {
+          email: fullProfile.email,
+          displayName: fullProfile.displayName
+        }
+      });
+      return new SamlAuthProvider({
+        callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
+        entryPoint: config.getString("entryPoint"),
+        logoutUrl: config.getOptionalString("logoutUrl"),
+        audience: config.getOptionalString("audience"),
+        issuer: config.getString("issuer"),
+        cert: config.getString("cert"),
+        privateKey: config.getOptionalString("privateKey"),
+        authnContext: config.getOptionalStringArray("authnContext"),
+        identifierFormat: config.getOptionalString("identifierFormat"),
+        decryptionPvk: config.getOptionalString("decryptionPvk"),
+        signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
+        digestAlgorithm: config.getOptionalString("digestAlgorithm"),
+        acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+        appUrl: globalConfig.appUrl,
+        authHandler,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        resolverContext
+      });
+    };
+  },
+  resolvers: {
+    nameIdMatchingUserEntityName() {
+      return async (info, ctx) => {
+        const id = info.result.fullProfile.nameID;
+        if (!id) {
+          throw new errors.AuthenticationError("No nameID found in SAML response");
+        }
+        return ctx.signInWithCatalogUser({
+          entityRef: { name: id }
+        });
+      };
     }
-  });
-  return { id, token };
-};
-const createSamlProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => {
-    var _a, _b;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: {
-        email: fullProfile.email,
-        displayName: fullProfile.displayName
-      }
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    return new SamlAuthProvider({
-      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
-      entryPoint: config.getString("entryPoint"),
-      logoutUrl: config.getOptionalString("logoutUrl"),
-      audience: config.getOptionalString("audience"),
-      issuer: config.getString("issuer"),
-      cert: config.getString("cert"),
-      privateKey: config.getOptionalString("privateKey"),
-      authnContext: config.getOptionalStringArray("authnContext"),
-      identifierFormat: config.getOptionalString("identifierFormat"),
-      decryptionPvk: config.getOptionalString("decryptionPvk"),
-      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
-      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
-      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
-      tokenIssuer,
-      appUrl: globalConfig.appUrl,
-      authHandler,
-      signInResolver,
-      logger,
-      catalogIdentityClient
-    });
-  };
-};
+  }
+});
+const createSamlProvider = saml.create;
+const samlNameIdEntityNameSignInResolver = saml.resolvers.nameIdMatchingUserEntityName();
 
 const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 
@@ -2661,9 +2188,7 @@ class GcpIapProvider {
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
     this.tokenValidator = options.tokenValidator;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.resolverContext = options.resolverContext;
   }
   async start() {
   }
@@ -2671,13 +2196,8 @@ class GcpIapProvider {
   }
   async refresh(req, res) {
     const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
-    const backstageIdentity = await this.signInResolver({ profile, result }, context);
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver({ profile, result }, this.resolverContext);
     const response = {
       providerInfo: { iapToken: result.iapToken },
       profile,
@@ -2686,27 +2206,42 @@ class GcpIapProvider {
     res.json(response);
   }
 }
-function createGcpIapProvider(options) {
-  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
-    var _a;
-    const audience = config.getString("audience");
-    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
-    const signInResolver = options.signIn.resolver;
-    const tokenValidator = createTokenValidator(audience);
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    return new GcpIapProvider({
-      authHandler,
-      signInResolver,
-      tokenValidator,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-  };
-}
+const gcpIap = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      var _a;
+      const audience = config.getString("audience");
+      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+      const signInResolver = options.signIn.resolver;
+      const tokenValidator = createTokenValidator(audience);
+      return new GcpIapProvider({
+        authHandler,
+        signInResolver,
+        tokenValidator,
+        resolverContext
+      });
+    };
+  }
+});
+const createGcpIapProvider = gcpIap.create;
+
+const providers = Object.freeze({
+  atlassian,
+  auth0,
+  awsAlb,
+  bitbucket,
+  gcpIap,
+  github,
+  gitlab,
+  google,
+  microsoft,
+  oauth2,
+  oauth2Proxy,
+  oidc,
+  okta,
+  onelogin,
+  saml
+});
 
 const factories = {
   google: createGoogleProvider(),
@@ -2778,10 +2313,10 @@ class TokenFactory {
       throw new Error('"sub" claim provided by the auth resolver is not a valid EntityRef.');
     }
     this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
-    });
+    if (!key.alg) {
+      throw new errors.AuthenticationError("No algorithm was provided in the key");
+    }
+    return new jose.SignJWT({ iss, sub, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();
@@ -2818,14 +2353,14 @@ class TokenFactory {
       seconds: this.keyDurationSeconds
     }).toJSDate();
     const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
-      });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
+      const key = await jose.generateKeyPair("ES256");
+      const publicKey = await jose.exportJWK(key.publicKey);
+      const privateKey = await jose.exportJWK(key.privateKey);
+      publicKey.kid = privateKey.kid = uuid.v4();
+      publicKey.alg = privateKey.alg = "ES256";
+      this.logger.info(`Created new signing key ${publicKey.kid}`);
+      await this.keyStore.addKey(publicKey);
+      return privateKey;
     })();
     this.privateKeyPromise = promise;
     try {
@@ -2994,6 +2529,149 @@ class KeyStores {
   }
 }
 
+class CatalogIdentityClient {
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    this.tokenManager = options.tokenManager;
+  }
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const { token } = await this.tokenManager.getToken();
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const { token } = await this.tokenManager.getToken();
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap((e) => {
+      var _a, _b;
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
+    });
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
+    ];
+    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+
+function getEntityClaims(entity) {
+  var _a, _b;
+  const userRef = catalogModel.stringifyEntityRef(entity);
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
+  return {
+    sub: userRef,
+    ent: [userRef, ...membershipRefs]
+  };
+}
+
+function getDefaultOwnershipEntityRefs(entity) {
+  var _a, _b;
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")).map((r) => r.targetRef)) != null ? _b : [];
+  return Array.from(/* @__PURE__ */ new Set([catalogModel.stringifyEntityRef(entity), ...membershipRefs]));
+}
+class CatalogAuthResolverContext {
+  constructor(logger, tokenIssuer, catalogIdentityClient, catalogApi, tokenManager) {
+    this.logger = logger;
+    this.tokenIssuer = tokenIssuer;
+    this.catalogIdentityClient = catalogIdentityClient;
+    this.catalogApi = catalogApi;
+    this.tokenManager = tokenManager;
+  }
+  static create(options) {
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi: options.catalogApi,
+      tokenManager: options.tokenManager
+    });
+    return new CatalogAuthResolverContext(options.logger, options.tokenIssuer, catalogIdentityClient, options.catalogApi, options.tokenManager);
+  }
+  async issueToken(params) {
+    const token = await this.tokenIssuer.issueToken(params);
+    return { token };
+  }
+  async findCatalogUser(query) {
+    let result = void 0;
+    const { token } = await this.tokenManager.getToken();
+    if ("entityRef" in query) {
+      const entityRef = catalogModel.parseEntityRef(query.entityRef, {
+        defaultKind: "User",
+        defaultNamespace: catalogModel.DEFAULT_NAMESPACE
+      });
+      result = await this.catalogApi.getEntityByRef(entityRef, { token });
+    } else if ("annotations" in query) {
+      const filter = {
+        kind: "user"
+      };
+      for (const [key, value] of Object.entries(query.annotations)) {
+        filter[`metadata.annotations.${key}`] = value;
+      }
+      const res = await this.catalogApi.getEntities({ filter }, { token });
+      result = res.items;
+    } else if ("filter" in query) {
+      const res = await this.catalogApi.getEntities({ filter: query.filter }, { token });
+      result = res.items;
+    } else {
+      throw new errors.InputError("Invalid user lookup query");
+    }
+    if (Array.isArray(result)) {
+      if (result.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      }
+      result = result[0];
+    }
+    if (!result) {
+      throw new errors.NotFoundError("User not found");
+    }
+    return { entity: result };
+  }
+  async signInWithCatalogUser(query) {
+    const { entity } = await this.findCatalogUser(query);
+    const ownershipRefs = getDefaultOwnershipEntityRefs(entity);
+    const token = await this.tokenIssuer.issueToken({
+      claims: {
+        sub: catalogModel.stringifyEntityRef(entity),
+        ent: ownershipRefs
+      }
+    });
+    return { token };
+  }
+}
+
 async function createRouter(options) {
   const {
     logger,
@@ -3055,7 +2733,13 @@ async function createRouter(options) {
           tokenManager,
           tokenIssuer,
           discovery,
-          catalogApi
+          catalogApi,
+          resolverContext: CatalogAuthResolverContext.create({
+            logger,
+            catalogApi,
+            tokenIssuer,
+            tokenManager
+          })
         });
         const r = Router__default["default"]();
         r.get("/start", provider.start.bind(provider));
@@ -3133,12 +2817,15 @@ exports.createSamlProvider = createSamlProvider;
 exports.defaultAuthProviderFactories = factories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;
+exports.getDefaultOwnershipEntityRefs = getDefaultOwnershipEntityRefs;
 exports.getEntityClaims = getEntityClaims;
 exports.googleEmailSignInResolver = googleEmailSignInResolver;
 exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
 exports.oktaEmailSignInResolver = oktaEmailSignInResolver;
 exports.postMessageResponse = postMessageResponse;
 exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
+exports.providers = providers;
 exports.readState = readState;
+exports.samlNameIdEntityNameSignInResolver = samlNameIdEntityNameSignInResolver;
 exports.verifyNonce = verifyNonce;
 //# sourceMappingURL=index.cjs.js.map