@backstage/plugin-auth-backend 0.18.5-next.0 → 0.18.5

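--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,27 @@
  # @backstage/plugin-auth-backend
 
+ ## 0.18.5
+
+ ### Patch Changes
+
+ - c27ae5004fc2: Support for Token Endpoint Auth Method for OIDC Provider
+ - Updated dependencies
+ - @backstage/errors@1.2.1
+ - @backstage/backend-common@0.19.1
+ - @backstage/catalog-client@1.4.3
+ - @backstage/catalog-model@1.4.1
+ - @backstage/config@1.0.8
+ - @backstage/types@1.1.0
+ - @backstage/plugin-auth-node@0.2.16
+
+ ## 0.18.5-next.1
+
+ ### Patch Changes
+
+ - c27ae5004fc2: Support for Token Endpoint Auth Method for OIDC Provider
+ - Updated dependencies
+ - @backstage/config@1.0.8
+
  ## 0.18.5-next.0
 
  ### Patch Changes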
package/dist/index.cjs.js CHANGED
@@ -74,6 +74,12 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
74
74
  var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
75
75
  var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
76
76
 
77
+ var __defProp$m = Object.defineProperty;
78
+ var __defNormalProp$m = (obj, key, value) => key in obj ? __defProp$m(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
79
+ var __publicField$m = (obj, key, value) => {
80
+ __defNormalProp$m(obj, typeof key !== "symbol" ? key + "" : key, value);
81
+ return value;
82
+ };
77
83
  const defaultScopes = ["offline_access", "read:me"];
78
84
  class AtlassianStrategy extends OAuth2Strategy__default["default"] {
79
85
  constructor(options, verify) {
@@ -88,6 +94,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
88
94
  scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
89
95
  };
90
96
  super(optionsWithURLs, verify);
97
+ __publicField$m(this, "profileURL");
91
98
  this.profileURL = "https://api.atlassian.com/me";
92
99
  this.name = "atlassian";
93
100
  this._oauth2.useAuthorizationHeaderforGET(true);
@@ -288,55 +295,62 @@ function prepareBackstageIdentityResponse(result) {
288
295
  };
289
296
  }
290
297
 
298
+ var __defProp$l = Object.defineProperty;
299
+ var __defNormalProp$l = (obj, key, value) => key in obj ? __defProp$l(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
300
+ var __publicField$l = (obj, key, value) => {
301
+ __defNormalProp$l(obj, typeof key !== "symbol" ? key + "" : key, value);
302
+ return value;
303
+ };
291
304
  const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
292
305
  const TEN_MINUTES_MS = 600 * 1e3;
293
306
  class OAuthAdapter {
294
307
  constructor(handlers, options) {
295
308
  this.handlers = handlers;
296
309
  this.options = options;
297
- this.setNonceCookie = (res, nonce, cookieConfig) => {
310
+ __publicField$l(this, "baseCookieOptions");
311
+ __publicField$l(this, "setNonceCookie", (res, nonce, cookieConfig) => {
298
312
  res.cookie(`${this.options.providerId}-nonce`, nonce, {
299
313
  maxAge: TEN_MINUTES_MS,
300
314
  ...this.baseCookieOptions,
301
315
  ...cookieConfig,
302
316
  path: `${cookieConfig.path}/handler`
303
317
  });
304
- };
305
- this.setGrantedScopeCookie = (res, scope, cookieConfig) => {
318
+ });
319
+ __publicField$l(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
306
320
  res.cookie(`${this.options.providerId}-granted-scope`, scope, {
307
321
  maxAge: THOUSAND_DAYS_MS,
308
322
  ...this.baseCookieOptions,
309
323
  ...cookieConfig
310
324
  });
311
- };
312
- this.getRefreshTokenFromCookie = (req) => {
325
+ });
326
+ __publicField$l(this, "getRefreshTokenFromCookie", (req) => {
313
327
  return req.cookies[`${this.options.providerId}-refresh-token`];
314
- };
315
- this.getGrantedScopeFromCookie = (req) => {
328
+ });
329
+ __publicField$l(this, "getGrantedScopeFromCookie", (req) => {
316
330
  return req.cookies[`${this.options.providerId}-granted-scope`];
317
- };
318
- this.setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
331
+ });
332
+ __publicField$l(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
319
333
  res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
320
334
  maxAge: THOUSAND_DAYS_MS,
321
335
  ...this.baseCookieOptions,
322
336
  ...cookieConfig
323
337
  });
324
- };
325
- this.removeRefreshTokenCookie = (res, cookieConfig) => {
338
+ });
339
+ __publicField$l(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
326
340
  res.cookie(`${this.options.providerId}-refresh-token`, "", {
327
341
  maxAge: 0,
328
342
  ...this.baseCookieOptions,
329
343
  ...cookieConfig
330
344
  });
331
- };
332
- this.getCookieConfig = (origin) => {
345
+ });
346
+ __publicField$l(this, "getCookieConfig", (origin) => {
333
347
  return this.options.cookieConfigurer({
334
348
  providerId: this.options.providerId,
335
349
  baseUrl: this.options.baseUrl,
336
350
  callbackUrl: this.options.callbackUrl,
337
351
  appOrigin: origin != null ? origin : this.options.appOrigin
338
352
  });
339
- };
353
+ });
340
354
  this.baseCookieOptions = {
341
355
  httpOnly: true,
342
356
  sameSite: "lax"
@@ -634,6 +648,12 @@ function createAuthProviderIntegration(config) {
634
648
  });
635
649
  }
636
650
 
651
+ var __defProp$k = Object.defineProperty;
652
+ var __defNormalProp$k = (obj, key, value) => key in obj ? __defProp$k(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
653
+ var __publicField$k = (obj, key, value) => {
654
+ __defNormalProp$k(obj, typeof key !== "symbol" ? key + "" : key, value);
655
+ return value;
656
+ };
637
657
  const atlassianDefaultAuthHandler = async ({
638
658
  fullProfile,
639
659
  params
@@ -642,6 +662,10 @@ const atlassianDefaultAuthHandler = async ({
642
662
  });
643
663
  class AtlassianAuthProvider {
644
664
  constructor(options) {
665
+ __publicField$k(this, "_strategy");
666
+ __publicField$k(this, "signInResolver");
667
+ __publicField$k(this, "authHandler");
668
+ __publicField$k(this, "resolverContext");
645
669
  this.resolverContext = options.resolverContext;
646
670
  this.authHandler = options.authHandler;
647
671
  this.signInResolver = options.signInResolver;
@@ -759,8 +783,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
759
783
  }
760
784
  }
761
785
 
786
+ var __defProp$j = Object.defineProperty;
787
+ var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
788
+ var __publicField$j = (obj, key, value) => {
789
+ __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
790
+ return value;
791
+ };
762
792
  class Auth0AuthProvider {
763
793
  constructor(options) {
794
+ __publicField$j(this, "_strategy");
795
+ __publicField$j(this, "signInResolver");
796
+ __publicField$j(this, "authHandler");
797
+ __publicField$j(this, "resolverContext");
798
+ __publicField$j(this, "audience");
799
+ __publicField$j(this, "connection");
800
+ __publicField$j(this, "connectionScope");
764
801
  /**
765
802
  * Due to passport-auth0 forcing options.state = true,
766
803
  * passport-oauth2 requires express-session to be installed
@@ -769,14 +806,14 @@ class Auth0AuthProvider {
769
806
  * passport-oauth2, which is the StateStore implementation used when options.state = false,
770
807
  * allowing us to avoid using express-session in order to integrate with auth0.
771
808
  */
772
- this.store = {
809
+ __publicField$j(this, "store", {
773
810
  store(_req, cb) {
774
811
  cb(null, null);
775
812
  },
776
813
  verify(_req, _state, cb) {
777
814
  cb(null, true);
778
815
  }
779
- };
816
+ });
780
817
  this.signInResolver = options.signInResolver;
781
818
  this.authHandler = options.authHandler;
782
819
  this.resolverContext = options.resolverContext;
@@ -910,11 +947,23 @@ const auth0 = createAuthProviderIntegration({
910
947
  }
911
948
  });
912
949
 
950
+ var __defProp$i = Object.defineProperty;
951
+ var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
952
+ var __publicField$i = (obj, key, value) => {
953
+ __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
954
+ return value;
955
+ };
913
956
  const ALB_JWT_HEADER = "x-amzn-oidc-data";
914
957
  const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
915
958
  class AwsAlbAuthProvider {
916
959
  constructor(options) {
917
- this.getKey = async (header) => {
960
+ __publicField$i(this, "region");
961
+ __publicField$i(this, "issuer");
962
+ __publicField$i(this, "resolverContext");
963
+ __publicField$i(this, "keyCache");
964
+ __publicField$i(this, "authHandler");
965
+ __publicField$i(this, "signInResolver");
966
+ __publicField$i(this, "getKey", async (header) => {
918
967
  if (!header.kid) {
919
968
  throw new errors.AuthenticationError("No key id was specified in header");
920
969
  }
@@ -933,7 +982,7 @@ class AwsAlbAuthProvider {
933
982
  keyValue.export({ format: "pem", type: "spki" })
934
983
  );
935
984
  return keyValue;
936
- };
985
+ });
937
986
  this.region = options.region;
938
987
  this.issuer = options.issuer;
939
988
  this.authHandler = options.authHandler;
@@ -1042,8 +1091,18 @@ const awsAlb = createAuthProviderIntegration({
1042
1091
  }
1043
1092
  });
1044
1093
 
1094
+ var __defProp$h = Object.defineProperty;
1095
+ var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1096
+ var __publicField$h = (obj, key, value) => {
1097
+ __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
1098
+ return value;
1099
+ };
1045
1100
  class BitbucketAuthProvider {
1046
1101
  constructor(options) {
1102
+ __publicField$h(this, "_strategy");
1103
+ __publicField$h(this, "signInResolver");
1104
+ __publicField$h(this, "authHandler");
1105
+ __publicField$h(this, "resolverContext");
1047
1106
  this.signInResolver = options.signInResolver;
1048
1107
  this.authHandler = options.authHandler;
1049
1108
  this.resolverContext = options.resolverContext;
@@ -1211,11 +1270,23 @@ const commonByEmailResolver = async (info, ctx) => {
1211
1270
  });
1212
1271
  };
1213
1272
 
1273
+ var __defProp$g = Object.defineProperty;
1274
+ var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1275
+ var __publicField$g = (obj, key, value) => {
1276
+ __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
1277
+ return value;
1278
+ };
1214
1279
  const CF_JWT_HEADER = "cf-access-jwt-assertion";
1215
1280
  const COOKIE_AUTH_NAME = "CF_Authorization";
1216
1281
  const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
1217
1282
  class CloudflareAccessAuthProvider {
1218
1283
  constructor(options) {
1284
+ __publicField$g(this, "teamName");
1285
+ __publicField$g(this, "resolverContext");
1286
+ __publicField$g(this, "authHandler");
1287
+ __publicField$g(this, "signInResolver");
1288
+ __publicField$g(this, "jwtKeySet");
1289
+ __publicField$g(this, "cache");
1219
1290
  this.teamName = options.teamName;
1220
1291
  this.authHandler = options.authHandler;
1221
1292
  this.signInResolver = options.signInResolver;
@@ -1399,8 +1470,19 @@ const defaultAuthHandler$1 = async ({
1399
1470
 
1400
1471
  const DEFAULT_IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
1401
1472
 
1473
+ var __defProp$f = Object.defineProperty;
1474
+ var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1475
+ var __publicField$f = (obj, key, value) => {
1476
+ __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
1477
+ return value;
1478
+ };
1402
1479
  class GcpIapProvider {
1403
1480
  constructor(options) {
1481
+ __publicField$f(this, "authHandler");
1482
+ __publicField$f(this, "signInResolver");
1483
+ __publicField$f(this, "tokenValidator");
1484
+ __publicField$f(this, "resolverContext");
1485
+ __publicField$f(this, "jwtHeader");
1404
1486
  this.authHandler = options.authHandler;
1405
1487
  this.signInResolver = options.signInResolver;
1406
1488
  this.tokenValidator = options.tokenValidator;
@@ -1451,9 +1533,20 @@ const gcpIap = createAuthProviderIntegration({
1451
1533
 
1452
1534
  const BACKSTAGE_SESSION_EXPIRATION = 3600;
1453
1535
 
1536
+ var __defProp$e = Object.defineProperty;
1537
+ var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1538
+ var __publicField$e = (obj, key, value) => {
1539
+ __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
1540
+ return value;
1541
+ };
1454
1542
  const ACCESS_TOKEN_PREFIX = "access-token.";
1455
1543
  class GithubAuthProvider {
1456
1544
  constructor(options) {
1545
+ __publicField$e(this, "_strategy");
1546
+ __publicField$e(this, "signInResolver");
1547
+ __publicField$e(this, "authHandler");
1548
+ __publicField$e(this, "resolverContext");
1549
+ __publicField$e(this, "stateEncoder");
1457
1550
  this.signInResolver = options.signInResolver;
1458
1551
  this.authHandler = options.authHandler;
1459
1552
  this.stateEncoder = options.stateEncoder;
@@ -1616,6 +1709,12 @@ const github = createAuthProviderIntegration({
1616
1709
  }
1617
1710
  });
1618
1711
 
1712
+ var __defProp$d = Object.defineProperty;
1713
+ var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1714
+ var __publicField$d = (obj, key, value) => {
1715
+ __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
1716
+ return value;
1717
+ };
1619
1718
  const gitlabDefaultAuthHandler = async ({
1620
1719
  fullProfile,
1621
1720
  params
@@ -1624,6 +1723,10 @@ const gitlabDefaultAuthHandler = async ({
1624
1723
  });
1625
1724
  class GitlabAuthProvider {
1626
1725
  constructor(options) {
1726
+ __publicField$d(this, "_strategy");
1727
+ __publicField$d(this, "signInResolver");
1728
+ __publicField$d(this, "authHandler");
1729
+ __publicField$d(this, "resolverContext");
1627
1730
  this.resolverContext = options.resolverContext;
1628
1731
  this.authHandler = options.authHandler;
1629
1732
  this.signInResolver = options.signInResolver;
@@ -1731,8 +1834,18 @@ const gitlab = createAuthProviderIntegration({
1731
1834
  }
1732
1835
  });
1733
1836
 
1837
+ var __defProp$c = Object.defineProperty;
1838
+ var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1839
+ var __publicField$c = (obj, key, value) => {
1840
+ __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
1841
+ return value;
1842
+ };
1734
1843
  class GoogleAuthProvider {
1735
1844
  constructor(options) {
1845
+ __publicField$c(this, "strategy");
1846
+ __publicField$c(this, "signInResolver");
1847
+ __publicField$c(this, "authHandler");
1848
+ __publicField$c(this, "resolverContext");
1736
1849
  this.authHandler = options.authHandler;
1737
1850
  this.signInResolver = options.signInResolver;
1738
1851
  this.resolverContext = options.resolverContext;
@@ -1873,13 +1986,24 @@ const google = createAuthProviderIntegration({
1873
1986
  }
1874
1987
  });
1875
1988
 
1989
+ var __defProp$b = Object.defineProperty;
1990
+ var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
1991
+ var __publicField$b = (obj, key, value) => {
1992
+ __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
1993
+ return value;
1994
+ };
1876
1995
  class MicrosoftAuthProvider {
1877
1996
  constructor(options) {
1878
- this.skipUserProfile = (accessToken) => {
1997
+ __publicField$b(this, "_strategy");
1998
+ __publicField$b(this, "signInResolver");
1999
+ __publicField$b(this, "authHandler");
2000
+ __publicField$b(this, "logger");
2001
+ __publicField$b(this, "resolverContext");
2002
+ __publicField$b(this, "skipUserProfile", (accessToken) => {
1879
2003
  const { aud, scp } = jose.decodeJwt(accessToken);
1880
2004
  const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
1881
2005
  return !hasGraphReadScope;
1882
- };
2006
+ });
1883
2007
  this.signInResolver = options.signInResolver;
1884
2008
  this.authHandler = options.authHandler;
1885
2009
  this.logger = options.logger;
@@ -2040,8 +2164,19 @@ const microsoft = createAuthProviderIntegration({
2040
2164
  }
2041
2165
  });
2042
2166
 
2167
+ var __defProp$a = Object.defineProperty;
2168
+ var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2169
+ var __publicField$a = (obj, key, value) => {
2170
+ __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
2171
+ return value;
2172
+ };
2043
2173
  class OAuth2AuthProvider {
2044
2174
  constructor(options) {
2175
+ __publicField$a(this, "_strategy");
2176
+ __publicField$a(this, "signInResolver");
2177
+ __publicField$a(this, "authHandler");
2178
+ __publicField$a(this, "resolverContext");
2179
+ __publicField$a(this, "disableRefresh");
2045
2180
  var _a;
2046
2181
  this.signInResolver = options.signInResolver;
2047
2182
  this.authHandler = options.authHandler;
@@ -2180,9 +2315,18 @@ const oauth2 = createAuthProviderIntegration({
2180
2315
  }
2181
2316
  });
2182
2317
 
2318
+ var __defProp$9 = Object.defineProperty;
2319
+ var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2320
+ var __publicField$9 = (obj, key, value) => {
2321
+ __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
2322
+ return value;
2323
+ };
2183
2324
  const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
2184
2325
  class Oauth2ProxyAuthProvider {
2185
2326
  constructor(options) {
2327
+ __publicField$9(this, "resolverContext");
2328
+ __publicField$9(this, "signInResolver");
2329
+ __publicField$9(this, "authHandler");
2186
2330
  this.resolverContext = options.resolverContext;
2187
2331
  this.signInResolver = options.signInResolver;
2188
2332
  this.authHandler = options.authHandler;
@@ -2257,8 +2401,20 @@ const oauth2Proxy = createAuthProviderIntegration({
2257
2401
  }
2258
2402
  });
2259
2403
 
2404
+ var __defProp$8 = Object.defineProperty;
2405
+ var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2406
+ var __publicField$8 = (obj, key, value) => {
2407
+ __defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
2408
+ return value;
2409
+ };
2260
2410
  class OidcAuthProvider {
2261
2411
  constructor(options) {
2412
+ __publicField$8(this, "implementation");
2413
+ __publicField$8(this, "scope");
2414
+ __publicField$8(this, "prompt");
2415
+ __publicField$8(this, "signInResolver");
2416
+ __publicField$8(this, "authHandler");
2417
+ __publicField$8(this, "resolverContext");
2262
2418
  this.implementation = this.setupStrategy(options);
2263
2419
  this.scope = options.scope;
2264
2420
  this.prompt = options.prompt;
@@ -2307,6 +2463,7 @@ class OidcAuthProvider {
2307
2463
  client_secret: options.clientSecret,
2308
2464
  redirect_uris: [options.callbackUrl],
2309
2465
  response_types: ["code"],
2466
+ token_endpoint_auth_method: options.tokenEndpointAuthMethod || "client_secret_basic",
2310
2467
  id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
2311
2468
  scope: options.scope || ""
2312
2469
  });
@@ -2369,6 +2526,9 @@ const oidc = createAuthProviderIntegration({
2369
2526
  const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
2370
2527
  const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
2371
2528
  const metadataUrl = envConfig.getString("metadataUrl");
2529
+ const tokenEndpointAuthMethod = envConfig.getOptionalString(
2530
+ "tokenEndpointAuthMethod"
2531
+ );
2372
2532
  const tokenSignedResponseAlg = envConfig.getOptionalString(
2373
2533
  "tokenSignedResponseAlg"
2374
2534
  );
@@ -2385,6 +2545,7 @@ const oidc = createAuthProviderIntegration({
2385
2545
  clientId,
2386
2546
  clientSecret,
2387
2547
  callbackUrl,
2548
+ tokenEndpointAuthMethod,
2388
2549
  tokenSignedResponseAlg,
2389
2550
  metadataUrl,
2390
2551
  scope,
@@ -2411,8 +2572,18 @@ const oidc = createAuthProviderIntegration({
2411
2572
  }
2412
2573
  });
2413
2574
 
2575
+ var __defProp$7 = Object.defineProperty;
2576
+ var __defNormalProp$7 = (obj, key, value) => key in obj ? __defProp$7(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2577
+ var __publicField$7 = (obj, key, value) => {
2578
+ __defNormalProp$7(obj, typeof key !== "symbol" ? key + "" : key, value);
2579
+ return value;
2580
+ };
2414
2581
  class OktaAuthProvider {
2415
2582
  constructor(options) {
2583
+ __publicField$7(this, "strategy");
2584
+ __publicField$7(this, "signInResolver");
2585
+ __publicField$7(this, "authHandler");
2586
+ __publicField$7(this, "resolverContext");
2416
2587
  /**
2417
2588
  * Due to passport-okta-oauth forcing options.state = true,
2418
2589
  * passport-oauth2 requires express-session to be installed
@@ -2421,14 +2592,14 @@ class OktaAuthProvider {
2421
2592
  * passport-oauth2, which is the StateStore implementation used when options.state = false,
2422
2593
  * allowing us to avoid using express-session in order to integrate with Okta.
2423
2594
  */
2424
- this.store = {
2595
+ __publicField$7(this, "store", {
2425
2596
  store(_req, cb) {
2426
2597
  cb(null, null);
2427
2598
  },
2428
2599
  verify(_req, _state, cb) {
2429
2600
  cb(null, true);
2430
2601
  }
2431
- };
2602
+ });
2432
2603
  this.signInResolver = options.signInResolver;
2433
2604
  this.authHandler = options.authHandler;
2434
2605
  this.resolverContext = options.resolverContext;
@@ -2579,8 +2750,18 @@ const okta = createAuthProviderIntegration({
2579
2750
  }
2580
2751
  });
2581
2752
 
2753
+ var __defProp$6 = Object.defineProperty;
2754
+ var __defNormalProp$6 = (obj, key, value) => key in obj ? __defProp$6(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2755
+ var __publicField$6 = (obj, key, value) => {
2756
+ __defNormalProp$6(obj, typeof key !== "symbol" ? key + "" : key, value);
2757
+ return value;
2758
+ };
2582
2759
  class OneLoginProvider {
2583
2760
  constructor(options) {
2761
+ __publicField$6(this, "_strategy");
2762
+ __publicField$6(this, "signInResolver");
2763
+ __publicField$6(this, "authHandler");
2764
+ __publicField$6(this, "resolverContext");
2584
2765
  this.signInResolver = options.signInResolver;
2585
2766
  this.authHandler = options.authHandler;
2586
2767
  this.resolverContext = options.resolverContext;
@@ -2694,8 +2875,19 @@ const onelogin = createAuthProviderIntegration({
2694
2875
  }
2695
2876
  });
2696
2877
 
2878
+ var __defProp$5 = Object.defineProperty;
2879
+ var __defNormalProp$5 = (obj, key, value) => key in obj ? __defProp$5(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2880
+ var __publicField$5 = (obj, key, value) => {
2881
+ __defNormalProp$5(obj, typeof key !== "symbol" ? key + "" : key, value);
2882
+ return value;
2883
+ };
2697
2884
  class SamlAuthProvider {
2698
2885
  constructor(options) {
2886
+ __publicField$5(this, "strategy");
2887
+ __publicField$5(this, "signInResolver");
2888
+ __publicField$5(this, "authHandler");
2889
+ __publicField$5(this, "resolverContext");
2890
+ __publicField$5(this, "appUrl");
2699
2891
  this.appUrl = options.appUrl;
2700
2892
  this.signInResolver = options.signInResolver;
2701
2893
  this.authHandler = options.authHandler;
@@ -2794,8 +2986,19 @@ const saml = createAuthProviderIntegration({
2794
2986
  }
2795
2987
  });
2796
2988
 
2989
+ var __defProp$4 = Object.defineProperty;
2990
+ var __defNormalProp$4 = (obj, key, value) => key in obj ? __defProp$4(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
2991
+ var __publicField$4 = (obj, key, value) => {
2992
+ __defNormalProp$4(obj, typeof key !== "symbol" ? key + "" : key, value);
2993
+ return value;
2994
+ };
2797
2995
  class BitbucketServerAuthProvider {
2798
2996
  constructor(options) {
2997
+ __publicField$4(this, "signInResolver");
2998
+ __publicField$4(this, "authHandler");
2999
+ __publicField$4(this, "resolverContext");
3000
+ __publicField$4(this, "strategy");
3001
+ __publicField$4(this, "host");
2799
3002
  this.signInResolver = options.signInResolver;
2800
3003
  this.authHandler = options.authHandler;
2801
3004
  this.resolverContext = options.resolverContext;
@@ -2960,10 +3163,19 @@ const bitbucketServer = createAuthProviderIntegration({
2960
3163
  }
2961
3164
  });
2962
3165
 
3166
+ var __defProp$3 = Object.defineProperty;
3167
+ var __defNormalProp$3 = (obj, key, value) => key in obj ? __defProp$3(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
3168
+ var __publicField$3 = (obj, key, value) => {
3169
+ __defNormalProp$3(obj, typeof key !== "symbol" ? key + "" : key, value);
3170
+ return value;
3171
+ };
2963
3172
  const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
2964
3173
  const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
2965
3174
  class EasyAuthAuthProvider {
2966
3175
  constructor(options) {
3176
+ __publicField$3(this, "resolverContext");
3177
+ __publicField$3(this, "authHandler");
3178
+ __publicField$3(this, "signInResolver");
2967
3179
  this.authHandler = options.authHandler;
2968
3180
  this.signInResolver = options.signInResolver;
2969
3181
  this.resolverContext = options.resolverContext;
@@ -3128,9 +3340,22 @@ function createOidcRouter(options) {
3128
3340
  return router;
3129
3341
  }
3130
3342
 
3343
+ var __defProp$2 = Object.defineProperty;
3344
+ var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
3345
+ var __publicField$2 = (obj, key, value) => {
3346
+ __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
3347
+ return value;
3348
+ };
3131
3349
  const MS_IN_S = 1e3;
3132
3350
  class TokenFactory {
3133
3351
  constructor(options) {
3352
+ __publicField$2(this, "issuer");
3353
+ __publicField$2(this, "logger");
3354
+ __publicField$2(this, "keyStore");
3355
+ __publicField$2(this, "keyDurationSeconds");
3356
+ __publicField$2(this, "algorithm");
3357
+ __publicField$2(this, "keyExpiry");
3358
+ __publicField$2(this, "privateKeyPromise");
3134
3359
  var _a;
3135
3360
  this.issuer = options.issuer;
3136
3361
  this.logger = options.logger;
@@ -3251,9 +3476,15 @@ class DatabaseKeyStore {
3251
3476
  }
3252
3477
  }
3253
3478
 
3479
+ var __defProp$1 = Object.defineProperty;
3480
+ var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
3481
+ var __publicField$1 = (obj, key, value) => {
3482
+ __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
3483
+ return value;
3484
+ };
3254
3485
  class MemoryKeyStore {
3255
3486
  constructor() {
3256
- this.keys = /* @__PURE__ */ new Map();
3487
+ __publicField$1(this, "keys", /* @__PURE__ */ new Map());
3257
3488
  }
3258
3489
  async addKey(key) {
3259
3490
  this.keys.set(key.kid, {
@@ -3400,8 +3631,16 @@ class KeyStores {
3400
3631
  }
3401
3632
  }
3402
3633
 
3634
+ var __defProp = Object.defineProperty;
3635
+ var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
3636
+ var __publicField = (obj, key, value) => {
3637
+ __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
3638
+ return value;
3639
+ };
3403
3640
  class CatalogIdentityClient {
3404
3641
  constructor(options) {
3642
+ __publicField(this, "catalogApi");
3643
+ __publicField(this, "tokenManager");
3405
3644
  this.catalogApi = options.catalogApi;
3406
3645
  this.tokenManager = options.tokenManager;
3407
3646
  }
@@ -3581,7 +3820,7 @@ const migrationsDir = backendCommon.resolvePackagePath(
3581
3820
  "@backstage/plugin-auth-backend",
3582
3821
  "migrations"
3583
3822
  );
3584
- const _AuthDatabase = class {
3823
+ const _AuthDatabase = class _AuthDatabase {
3585
3824
  constructor(database) {
3586
3825
  __privateAdd(this, _database, void 0);
3587
3826
  __privateAdd(this, _promise, void 0);
@@ -3621,9 +3860,9 @@ const _AuthDatabase = class {
3621
3860
  return __privateGet(this, _promise);
3622
3861
  }
3623
3862
  };
3624
- let AuthDatabase = _AuthDatabase;
3625
3863
  _database = new WeakMap();
3626
3864
  _promise = new WeakMap();
3865
+ let AuthDatabase = _AuthDatabase;
3627
3866
 
3628
3867
  async function createRouter(options) {
3629
3868
  const {
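Review bot: In the OidcAuthProvider hunk (`@@ -2307,6 +2463,7 @@`), `token_endpoint_auth_method` is set from `options.tokenEndpointAuthMethod`, which the `@@ -2369,6 +2526,9 @@` hunk reads with `envConfig.getOptionalString("tokenEndpointAuthMethod")` and passes through without checking it against the methods this provider intends to support. A mistyped value would presumably surface only when the token request fails during sign-in, and a value such as `none` would, by the OIDC client-authentication semantics, stop the client authenticating to the token endpoint even though `clientSecret` is configured. I would reject unknown values where the config is read, for example `if (tokenEndpointAuthMethod && !allowedTokenAuthMethods.includes(tokenEndpointAuthMethod)) throw new Error("unsupported tokenEndpointAuthMethod");` (`allowedTokenAuthMethods` being a new constant), and add a comment beside the option listing the accepted values and the `client_secret_basic` default. Both enclosing functions start and end outside the visible hunks, and since this file is bundled output the change belongs in the provider's source rather than here.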