@backstage/plugin-auth-backend 0.14.1 → 0.15.0-next.2

package/dist/index.d.ts

@@ -1,23 +1,16 @@
 /// <reference types="node" />
 import express from 'express';
 import { Logger } from 'winston';
-import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
-import { CatalogApi, GetEntitiesRequest } from '@backstage/catalog-client';
+import { GetEntitiesRequest, CatalogApi } from '@backstage/catalog-client';
+import { Entity, UserEntity } from '@backstage/catalog-model';
 import { Config } from '@backstage/config';
 import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
-import { UserEntity, Entity } from '@backstage/catalog-model';
+import { PluginDatabaseManager, PluginEndpointDiscovery, TokenManager } from '@backstage/backend-common';
 import { IncomingHttpHeaders } from 'http';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
 
-/** Represents any form of serializable JWK */
-interface AnyJWK extends Record<string, string> {
-    use: 'sig';
-    alg: string;
-    kid: string;
-    kty: string;
-}
 /**
  * Parameters used to issue new ID Tokens
  *
@@ -32,25 +25,6 @@ declare type TokenParams = {
         ent?: string[];
     };
 };
-/**
- * A TokenIssuer is able to issue verifiable ID Tokens on demand.
- *
- * @public
- * @deprecated This interface is deprecated and will be removed in a future release.
- */
-declare type TokenIssuer = {
-    /**
-     * Issues a new ID Token
-     */
-    issueToken(params: TokenParams): Promise<string>;
-    /**
-     * List all public keys that are currently being used to sign tokens, or have been used
-     * in the past within the token expiration time, including a grace period.
-     */
-    listPublicKeys(): Promise<{
-        keys: AnyJWK[];
-    }>;
-};
 
 /**
  * Common options for passport.js-based OAuth providers
@@ -153,44 +127,6 @@ interface OAuthHandlers {
     logout?(): Promise<void>;
 }
 
-declare type UserQuery = {
-    annotations: Record<string, string>;
-};
-declare type MemberClaimQuery = {
-    entityRefs: string[];
-    logger?: Logger;
-};
-/**
- * A catalog client tailored for reading out identity data from the catalog.
- */
-declare class CatalogIdentityClient {
-    private readonly catalogApi;
-    private readonly tokenManager;
-    constructor(options: {
-        catalogApi: CatalogApi;
-        tokenManager: TokenManager;
-    });
-    /**
-     * Looks up a single user using a query.
-     *
-     * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
-     */
-    findUser(query: UserQuery): Promise<UserEntity>;
-    /**
-     * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
-     * to be used within a `signInResolver` where additional entity claims might be provided, but
-     * group membership and transient group membership lean on imported catalog relations.
-     *
-     * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
-     */
-    resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
-}
-
-/**
- * @deprecated use {@link getDefaultOwnershipEntityRefs} instead
- */
-declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
-
 /**
  * A query for a single user in the catalog.
  *
@@ -223,12 +159,6 @@ declare type AuthResolverCatalogUserQuery = {
  * @public
  */
 declare type AuthResolverContext = {
-    /** @deprecated Will be removed from the context, access it via a closure instead if needed */
-    logger: Logger;
-    /** @deprecated Use the `issueToken` method instead */
-    tokenIssuer: TokenIssuer;
-    /** @deprecated Use the `findCatalogUser` and `signInWithCatalogUser` methods instead, and the `getDefaultOwnershipEntityRefs` helper */
-    catalogIdentityClient: CatalogIdentityClient;
     /**
      * Issues a Backstage token using the provided parameters.
      */
@@ -348,33 +278,12 @@ interface AuthProviderRouteHandlers {
      */
     logout?(req: express.Request, res: express.Response): Promise<void>;
 }
-/**
- * @deprecated This type is deprecated and will be removed in a future release.
- */
-declare type AuthProviderFactoryOptions = {
-    providerId: string;
-    globalConfig: AuthProviderConfig;
-    config: Config;
-    logger: Logger;
-    tokenManager: TokenManager;
-    tokenIssuer: TokenIssuer;
-    discovery: PluginEndpointDiscovery;
-    catalogApi: CatalogApi;
-};
 declare type AuthProviderFactory = (options: {
     providerId: string;
     globalConfig: AuthProviderConfig;
     config: Config;
     logger: Logger;
     resolverContext: AuthResolverContext;
-    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
-    tokenManager: TokenManager;
-    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
-    tokenIssuer: TokenIssuer;
-    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
-    discovery: PluginEndpointDiscovery;
-    /** @deprecated This field has been deprecated and needs to be passed directly to the auth provider instead */
-    catalogApi: CatalogApi;
 }) => AuthProviderRouteHandlers;
 /** @public */
 declare type AuthResponse<ProviderInfo> = {
@@ -477,15 +386,13 @@ declare type Options = {
     cookieDomain: string;
     cookiePath: string;
     appOrigin: string;
-    /** @deprecated This option is no longer needed */
-    tokenIssuer?: TokenIssuer;
     isOriginAllowed: (origin: string) => boolean;
     callbackUrl: string;
 };
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
     private readonly options;
-    static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
+    static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'callbackUrl'>): OAuthAdapter;
     private readonly baseCookieOptions;
     constructor(handlers: OAuthHandlers, options: Options);
     start(req: express.Request, res: express.Response): Promise<void>;
@@ -514,6 +421,10 @@ declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
     authHandler: AuthHandler<OAuthResult>;
     resolverContext: AuthResolverContext;
 };
+/**
+ * @public
+ * @deprecated This export is deprecated and will be removed in the future.
+ */
 declare class AtlassianAuthProvider implements OAuthHandlers {
     private readonly _strategy;
     private readonly signInResolver?;
@@ -531,81 +442,6 @@ declare class AtlassianAuthProvider implements OAuthHandlers {
         refreshToken: string | undefined;
     }>;
 }
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type AtlassianProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.atlassian.create` instead
- */
-declare const createAtlassianProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type Auth0ProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.auth0.create` instead.
- */
-declare const createAuth0Provider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
 
 /** @public */
 declare type AwsAlbResult = {
@@ -613,46 +449,6 @@ declare type AwsAlbResult = {
     expiresInSeconds?: number;
     accessToken: string;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type AwsAlbProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<AwsAlbResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<AwsAlbResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.awsAlb.create` instead
- */
-declare const createAwsAlbProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<AwsAlbResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<AwsAlbResult>;
-    };
-} | undefined) => AuthProviderFactory;
 
 declare type BitbucketOAuthResult = {
     fullProfile: BitbucketPassportProfile;
@@ -677,56 +473,6 @@ declare type BitbucketPassportProfile = Profile & {
         };
     };
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type BitbucketProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.bitbucket.create` instead
- */
-declare const createBitbucketProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-/**
- * @public
- * @deprecated Use `providers.bitbucket.resolvers.usernameMatchingUserEntityAnnotation()` instead.
- */
-declare const bitbucketUsernameSignInResolver: SignInResolver<OAuthResult>;
-/**
- * @public
- * @deprecated Use `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` instead.
- */
-declare const bitbucketUserIdSignInResolver: SignInResolver<OAuthResult>;
 
 declare type GithubOAuthResult = {
     fullProfile: Profile;
@@ -738,234 +484,6 @@ declare type GithubOAuthResult = {
     accessToken: string;
     refreshToken?: string;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type GithubProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<GithubOAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<GithubOAuthResult>;
-    };
-    /**
-     * The state encoder used to encode the 'state' parameter on the OAuth request.
-     *
-     * It should return a string that takes the state params (from the request), url encodes the params
-     * and finally base64 encodes them.
-     *
-     * Providing your own stateEncoder will allow you to add addition parameters to the state field.
-     *
-     * It is typed as follows:
-     *   `export type StateEncoder = (input: OAuthState) => Promise<{encodedState: string}>;`
-     *
-     * Note: the stateEncoder must encode a 'nonce' value and an 'env' value. Without this, the OAuth flow will fail
-     * (These two values will be set by the req.state by default)
-     *
-     * For more information, please see the helper module in ../../oauth/helpers #readState
-     */
-    stateEncoder?: StateEncoder;
-};
-/**
- * @public
- * @deprecated Use `providers.github.create` instead
- */
-declare const createGithubProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<GithubOAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<GithubOAuthResult>;
-    } | undefined;
-    /**
-     * The state encoder used to encode the 'state' parameter on the OAuth request.
-     *
-     * It should return a string that takes the state params (from the request), url encodes the params
-     * and finally base64 encodes them.
-     *
-     * Providing your own stateEncoder will allow you to add addition parameters to the state field.
-     *
-     * It is typed as follows:
-     *   `export type StateEncoder = (input: OAuthState) => Promise<{encodedState: string}>;`
-     *
-     * Note: the stateEncoder must encode a 'nonce' value and an 'env' value. Without this, the OAuth flow will fail
-     * (These two values will be set by the req.state by default)
-     *
-     * For more information, please see the helper module in ../../oauth/helpers #readState
-     */
-    stateEncoder?: StateEncoder | undefined;
-} | undefined) => AuthProviderFactory;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type GitlabProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    /**
-     * Maps an auth result to a Backstage identity for the user.
-     *
-     * Set to `'email'` to use the default email-based sign in resolver, which will search
-     * the catalog for a single user entity that has a matching `microsoft.com/email` annotation.
-     */
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.gitlab.create` instead
- */
-declare const createGitlabProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type GoogleProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.google.create` instead.
- */
-declare const createGoogleProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-/**
- * @public
- * @deprecated Use `providers.google.resolvers.emailMatchingUserEntityAnnotation()` instead.
- */
-declare const googleEmailSignInResolver: SignInResolver<OAuthResult>;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type MicrosoftProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.microsoft.create` instead
- */
-declare const createMicrosoftProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-/**
- * @public
- * @deprecated Use `providers.microsoft.resolvers.emailMatchingUserEntityAnnotation()` instead.
- */
-declare const microsoftEmailSignInResolver: SignInResolver<OAuthResult>;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type OAuth2ProviderOptions = {
-    authHandler?: AuthHandler<OAuthResult>;
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.oauth2.create` instead
- */
-declare const createOAuth2Provider: (options?: {
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    signIn?: {
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
 
 /**
  * JWT header extraction result, containing the raw value and the parsed JWT
@@ -1006,48 +524,6 @@ declare type OAuth2ProxyResult<JWTPayload = {}> = {
      */
     getHeader(name: string): string | undefined;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type Oauth2ProxyProviderOptions<JWTPayload> = {
-    /**
-     * Configure an auth handler to generate a profile for the user.
-     */
-    authHandler: AuthHandler<OAuth2ProxyResult<JWTPayload>>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuth2ProxyResult<JWTPayload>>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.oauth2Proxy.create` instead
- */
-declare const createOauth2ProxyProvider: (options: {
-    /**
-     * Configure an auth handler to generate a profile for the user.
-     *
-     * The default implementation uses the value of the `X-Forwarded-Preferred-Username`
-     * header as the display name, falling back to `X-Forwarded-User`, and the value of
-     * the `X-Forwarded-Email` header as the email address.
-     */
-    authHandler?: AuthHandler<OAuth2ProxyResult<unknown>> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
-    };
-}) => AuthProviderFactory;
 
 /**
  * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
@@ -1057,163 +533,11 @@ declare type OidcAuthResult = {
     tokenset: TokenSet;
     userinfo: UserinfoResponse;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type OidcProviderOptions = {
-    authHandler?: AuthHandler<OidcAuthResult>;
-    signIn?: {
-        resolver: SignInResolver<OidcAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.oidc.create` instead
- */
-declare const createOidcProvider: (options?: {
-    authHandler?: AuthHandler<OidcAuthResult> | undefined;
-    signIn?: {
-        resolver: SignInResolver<OidcAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type OktaProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.okta.create` instead
- */
-declare const createOktaProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-/**
- * @public
- * @deprecated Use `providers.okta.resolvers.emailMatchingUserEntityAnnotation()` instead.
- */
-declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
-
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type OneLoginProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.onelogin.create` instead
- */
-declare const createOneLoginProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<OAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<OAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
 
 /** @public */
 declare type SamlAuthResult = {
     fullProfile: any;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type SamlProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<SamlAuthResult>;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<SamlAuthResult>;
-    };
-};
-/**
- * @public
- * @deprecated Use `providers.saml.create` instead
- */
-declare const createSamlProvider: (options?: {
-    /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
-     */
-    authHandler?: AuthHandler<SamlAuthResult> | undefined;
-    /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
-     */
-    signIn?: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<SamlAuthResult>;
-    } | undefined;
-} | undefined) => AuthProviderFactory;
-/**
- * @public
- * @deprecated Use `providers.saml.resolvers.nameIdMatchingUserEntityName()` instead.
- */
-declare const samlNameIdEntityNameSignInResolver: SignInResolver<SamlAuthResult>;
 
 /**
  * The data extracted from an IAP token.
@@ -1246,51 +570,6 @@ declare type GcpIapResult = {
      */
     iapToken: GcpIapTokenInfo;
 };
-/**
- * @public
- * @deprecated This type has been inlined into the create method and will be removed.
- */
-declare type GcpIapProviderOptions = {
-    /**
-     * The profile transformation function used to verify and convert the auth
-     * response into the profile that will be presented to the user. The default
-     * implementation just provides the authenticated email that the IAP
-     * presented.
-     */
-    authHandler?: AuthHandler<GcpIapResult>;
-    /**
-     * Configures sign-in for this provider.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<GcpIapResult>;
-    };
-};
-
-/**
- * @public
- * @deprecated Use `providers.gcpIap.create` instead
- */
-declare const createGcpIapProvider: (options: {
-    /**
-     * The profile transformation function used to verify and convert the auth
-     * response into the profile that will be presented to the user. The default
-     * implementation just provides the authenticated email that the IAP
-     * presented.
-     */
-    authHandler?: AuthHandler<GcpIapResult> | undefined;
-    /**
-     * Configures sign-in for this provider.
-     */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<GcpIapResult>;
-    };
-}) => AuthProviderFactory;
 
 /**
  * All built-in auth provider integrations.
@@ -1454,11 +733,32 @@ declare const providers: Readonly<{
         }>;
     }>;
 }>;
-
-declare const factories: {
+/**
+ * All auth provider factories that are installed by default.
+ *
+ * @public
+ */
+declare const defaultAuthProviderFactories: {
     [providerId: string]: AuthProviderFactory;
 };
 
+/**
+ * Creates a standardized representation of an integration with a third-party
+ * auth provider.
+ *
+ * The returned object facilitates the creation of provider instances, and
+ * supplies built-in sign-in resolvers for the specific provider.
+ */
+declare function createAuthProviderIntegration<TCreateOptions extends unknown[], TResolvers extends {
+    [name in string]: (...args: any[]) => SignInResolver<any>;
+}>(config: {
+    create: (...args: TCreateOptions) => AuthProviderFactory;
+    resolvers?: TResolvers;
+}): Readonly<{
+    create: (...args: TCreateOptions) => AuthProviderFactory;
+    resolvers: Readonly<string extends keyof TResolvers ? never : TResolvers>;
+}>;
+
 /**
  * Parses a Backstage-issued token and decorates the
  * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
@@ -1477,6 +777,7 @@ interface RouterOptions {
     config: Config;
     discovery: PluginEndpointDiscovery;
     tokenManager: TokenManager;
+    tokenFactoryAlgorithm?: string;
     providerFactories?: ProviderFactories;
 }
 declare function createRouter(options: RouterOptions): Promise<express.Router>;
@@ -1497,6 +798,39 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
+declare type UserQuery = {
+    annotations: Record<string, string>;
+};
+declare type MemberClaimQuery = {
+    entityRefs: string[];
+    logger?: Logger;
+};
+/**
+ * A catalog client tailored for reading out identity data from the catalog.
+ */
+declare class CatalogIdentityClient {
+    private readonly catalogApi;
+    private readonly tokenManager;
+    constructor(options: {
+        catalogApi: CatalogApi;
+        tokenManager: TokenManager;
+    });
+    /**
+     * Looks up a single user using a query.
+     *
+     * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
+     */
+    findUser(query: UserQuery): Promise<UserEntity>;
+    /**
+     * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
+     * to be used within a `signInResolver` where additional entity claims might be provided, but
+     * group membership and transient group membership lean on imported catalog relations.
+     *
+     * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
+     */
+    resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
+}
+
 /**
  * Uses the default ownership resolution logic to return an array
  * of entity refs that the provided entity claims ownership through.
@@ -1507,4 +841,4 @@ declare const ensuresXRequestedWith: (req: express.Request) => boolean;
  */
 declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, StateEncoder, TokenIssuer, TokenParams, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, samlNameIdEntityNameSignInResolver, verifyNonce };
+export { AtlassianAuthProvider, AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, CatalogIdentityClient, CookieConfigurer, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OidcAuthResult, ProfileInfo, RouterOptions, SamlAuthResult, SignInInfo, SignInResolver, StateEncoder, TokenParams, WebMessageResponse, createAuthProviderIntegration, createOriginFilter, createRouter, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };