@backstage/plugin-auth-backend 0.18.6 → 0.18.8-next.0

package/dist/index.cjs.js

@@ -2,26 +2,27 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var alpha = require('@backstage/plugin-catalog-node/alpha');
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
 var OAuth2Strategy = require('passport-oauth2');
-var errors = require('@backstage/errors');
-var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
+var errors = require('@backstage/errors');
 var jwtDecoder = require('jwt-decode');
 var Auth0InternalStrategy = require('passport-auth0');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var googleAuthLibrary = require('google-auth-library');
-var passportGithub2 = require('passport-github2');
+var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
+var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var passportGitlab2 = require('passport-gitlab2');
-var passportGoogleOauth20 = require('passport-google-oauth20');
+var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
 var passportMicrosoft = require('passport-microsoft');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -63,7 +64,6 @@ var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
-var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
@@ -74,10 +74,10 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-var __defProp$m = Object.defineProperty;
-var __defNormalProp$m = (obj, key, value) => key in obj ? __defProp$m(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$m = (obj, key, value) => {
-  __defNormalProp$m(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$j = Object.defineProperty;
+var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$j = (obj, key, value) => {
+  __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const defaultScopes = ["offline_access", "read:me"];
@@ -94,7 +94,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
       scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
     super(optionsWithURLs, verify);
-    __publicField$m(this, "profileURL");
+    __publicField$j(this, "profileURL");
     this.profileURL = "https://api.atlassian.com/me";
     this.name = "atlassian";
     this._oauth2.useAuthorizationHeaderforGET(true);
@@ -142,22 +142,10 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
   }
 }
 
-const readState = (stateString) => {
-  var _a, _b;
-  const state = Object.fromEntries(
-    new URLSearchParams(Buffer.from(stateString, "hex").toString("utf-8"))
-  );
-  if (!state.nonce || !state.env || ((_a = state.nonce) == null ? void 0 : _a.length) === 0 || ((_b = state.env) == null ? void 0 : _b.length) === 0) {
-    throw Error(`Invalid state passed via request`);
-  }
-  return state;
-};
-const encodeState = (state) => {
-  const stateString = new URLSearchParams(
-    pickBy__default["default"](state, (value) => value !== void 0)
-  ).toString();
-  return Buffer.from(stateString, "utf-8").toString("hex");
-};
+const OAuthEnvironmentHandler = pluginAuthNode.OAuthEnvironmentHandler;
+
+const readState = pluginAuthNode.decodeOAuthState;
+const encodeState = pluginAuthNode.encodeOAuthState;
 const verifyNonce = (req, providerId) => {
   var _a, _b;
   const cookieNonce = req.cookies[`${providerId}-nonce`];
@@ -188,66 +176,6 @@ const defaultCookieConfigurer = ({
   return { domain, path, secure, sameSite };
 };
 
-class OAuthEnvironmentHandler {
-  constructor(handlers) {
-    this.handlers = handlers;
-  }
-  static mapConfig(config, factoryFunc) {
-    const envs = config.keys();
-    const handlers = /* @__PURE__ */ new Map();
-    for (const env of envs) {
-      const envConfig = config.getConfig(env);
-      const handler = factoryFunc(envConfig);
-      handlers.set(env, handler);
-    }
-    return new OAuthEnvironmentHandler(handlers);
-  }
-  async start(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.start(req, res);
-  }
-  async frameHandler(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.frameHandler(req, res);
-  }
-  async refresh(req, res) {
-    var _a;
-    const provider = this.getProviderForEnv(req);
-    await ((_a = provider.refresh) == null ? void 0 : _a.call(provider, req, res));
-  }
-  async logout(req, res) {
-    var _a;
-    const provider = this.getProviderForEnv(req);
-    await ((_a = provider.logout) == null ? void 0 : _a.call(provider, req, res));
-  }
-  getRequestFromEnv(req) {
-    var _a, _b;
-    const reqEnv = (_a = req.query.env) == null ? void 0 : _a.toString();
-    if (reqEnv) {
-      return reqEnv;
-    }
-    const stateParams = (_b = req.query.state) == null ? void 0 : _b.toString();
-    if (!stateParams) {
-      return void 0;
-    }
-    const env = readState(stateParams).env;
-    return env;
-  }
-  getProviderForEnv(req) {
-    const env = this.getRequestFromEnv(req);
-    if (!env) {
-      throw new errors.InputError(`Must specify 'env' query to select environment`);
-    }
-    const handler = this.handlers.get(env);
-    if (!handler) {
-      throw new errors.NotFoundError(
-        `No configuration available for the '${env}' environment of this provider.`
-      );
-    }
-    return handler;
-  }
-}
-
 const safelyEncodeURIComponent = (value) => {
   return encodeURIComponent(value).replace(/'/g, "%27");
 };
@@ -279,26 +207,12 @@ const ensuresXRequestedWith = (req) => {
   return true;
 };
 
-function parseJwtPayload(token) {
-  const [_header, payload, _signature] = token.split(".");
-  return JSON.parse(Buffer.from(payload, "base64").toString());
-}
-function prepareBackstageIdentityResponse(result) {
-  const { sub, ent } = parseJwtPayload(result.token);
-  return {
-    ...result,
-    identity: {
-      type: "user",
-      userEntityRef: sub,
-      ownershipEntityRefs: ent != null ? ent : []
-    }
-  };
-}
+const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$l = Object.defineProperty;
-var __defNormalProp$l = (obj, key, value) => key in obj ? __defProp$l(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$l = (obj, key, value) => {
-  __defNormalProp$l(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$i = Object.defineProperty;
+var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$i = (obj, key, value) => {
+  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -307,8 +221,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$l(this, "baseCookieOptions");
-    __publicField$l(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$i(this, "baseCookieOptions");
+    __publicField$i(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -316,34 +230,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$l(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$i(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$l(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$i(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$l(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$i(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$l(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$i(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$l(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$i(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$l(this, "getCookieConfig", (origin) => {
+    __publicField$i(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -649,10 +563,10 @@ function createAuthProviderIntegration(config) {
   });
 }
 
-var __defProp$k = Object.defineProperty;
-var __defNormalProp$k = (obj, key, value) => key in obj ? __defProp$k(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$k = (obj, key, value) => {
-  __defNormalProp$k(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$h = Object.defineProperty;
+var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$h = (obj, key, value) => {
+  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const atlassianDefaultAuthHandler = async ({
@@ -663,10 +577,10 @@ const atlassianDefaultAuthHandler = async ({
 });
 class AtlassianAuthProvider {
   constructor(options) {
-    __publicField$k(this, "_strategy");
-    __publicField$k(this, "signInResolver");
-    __publicField$k(this, "authHandler");
-    __publicField$k(this, "resolverContext");
+    __publicField$h(this, "_strategy");
+    __publicField$h(this, "signInResolver");
+    __publicField$h(this, "authHandler");
+    __publicField$h(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -784,21 +698,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
   }
 }
 
-var __defProp$j = Object.defineProperty;
-var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$j = (obj, key, value) => {
-  __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$g = Object.defineProperty;
+var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$g = (obj, key, value) => {
+  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$j(this, "_strategy");
-    __publicField$j(this, "signInResolver");
-    __publicField$j(this, "authHandler");
-    __publicField$j(this, "resolverContext");
-    __publicField$j(this, "audience");
-    __publicField$j(this, "connection");
-    __publicField$j(this, "connectionScope");
+    __publicField$g(this, "_strategy");
+    __publicField$g(this, "signInResolver");
+    __publicField$g(this, "authHandler");
+    __publicField$g(this, "resolverContext");
+    __publicField$g(this, "audience");
+    __publicField$g(this, "connection");
+    __publicField$g(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -807,7 +721,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$j(this, "store", {
+    __publicField$g(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -948,23 +862,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$i = Object.defineProperty;
-var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$i = (obj, key, value) => {
-  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$i(this, "region");
-    __publicField$i(this, "issuer");
-    __publicField$i(this, "resolverContext");
-    __publicField$i(this, "keyCache");
-    __publicField$i(this, "authHandler");
-    __publicField$i(this, "signInResolver");
-    __publicField$i(this, "getKey", async (header) => {
+    __publicField$f(this, "region");
+    __publicField$f(this, "issuer");
+    __publicField$f(this, "resolverContext");
+    __publicField$f(this, "keyCache");
+    __publicField$f(this, "authHandler");
+    __publicField$f(this, "signInResolver");
+    __publicField$f(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -1092,18 +1006,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$h = Object.defineProperty;
-var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$h = (obj, key, value) => {
-  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$h(this, "_strategy");
-    __publicField$h(this, "signInResolver");
-    __publicField$h(this, "authHandler");
-    __publicField$h(this, "resolverContext");
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1271,10 +1185,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1282,12 +1196,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$g(this, "teamName");
-    __publicField$g(this, "resolverContext");
-    __publicField$g(this, "authHandler");
-    __publicField$g(this, "signInResolver");
-    __publicField$g(this, "jwtKeySet");
-    __publicField$g(this, "cache");
+    __publicField$d(this, "teamName");
+    __publicField$d(this, "resolverContext");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "jwtKeySet");
+    __publicField$d(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1425,272 +1339,52 @@ const cfAccess = createAuthProviderIntegration({
   }
 });
 
-function createTokenValidator(audience, mockClient) {
-  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
-  return async function tokenValidator(token) {
-    const response = await client.getIapPublicKeys();
-    const ticket = await client.verifySignedJwtWithCertsAsync(
-      token,
-      response.pubkeys,
-      audience,
-      ["https://cloud.google.com/iap"]
-    );
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new TypeError("Token had no payload");
-    }
-    return payload;
-  };
-}
-async function parseRequestToken(jwtToken, tokenValidator) {
-  if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError("Missing Google IAP header");
-  }
-  let payload;
-  try {
-    payload = await tokenValidator(jwtToken);
-  } catch (e) {
-    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
-  }
-  if (!payload.sub || !payload.email) {
-    throw new errors.AuthenticationError(
-      "Google IAP token payload is missing sub and/or email claim"
-    );
-  }
-  return {
-    iapToken: {
-      ...payload,
-      sub: payload.sub,
-      email: payload.email
-    }
-  };
-}
-const defaultAuthHandler$1 = async ({
-  iapToken
-}) => ({ profile: { email: iapToken.email } });
-
-const DEFAULT_IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
-
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class GcpIapProvider {
-  constructor(options) {
-    __publicField$f(this, "authHandler");
-    __publicField$f(this, "signInResolver");
-    __publicField$f(this, "tokenValidator");
-    __publicField$f(this, "resolverContext");
-    __publicField$f(this, "jwtHeader");
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenValidator = options.tokenValidator;
-    this.resolverContext = options.resolverContext;
-    this.jwtHeader = (options == null ? void 0 : options.jwtHeader) || DEFAULT_IAP_JWT_HEADER;
-  }
-  async start() {
-  }
-  async frameHandler() {
-  }
-  async refresh(req, res) {
-    const result = await parseRequestToken(
-      req.header(this.jwtHeader),
-      this.tokenValidator
-    );
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      { profile, result },
-      this.resolverContext
-    );
-    const response = {
-      providerInfo: { iapToken: result.iapToken },
-      profile,
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
-    };
-    res.json(response);
-  }
-}
 const gcpIap = createAuthProviderIntegration({
   create(options) {
-    return ({ config, resolverContext }) => {
-      var _a;
-      const audience = config.getString("audience");
-      const jwtHeader = config.getOptionalString("jwtHeader");
-      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler$1;
-      const signInResolver = options.signIn.resolver;
-      const tokenValidator = createTokenValidator(audience);
-      return new GcpIapProvider({
-        authHandler,
-        signInResolver,
-        tokenValidator,
-        resolverContext,
-        jwtHeader
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleGcpIapProvider.gcpIapAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
-
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const ACCESS_TOKEN_PREFIX = "access-token.";
-class GithubAuthProvider {
-  constructor(options) {
-    __publicField$e(this, "_strategy");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "resolverContext");
-    __publicField$e(this, "stateEncoder");
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.stateEncoder = options.stateEncoder;
-    this.resolverContext = options.resolverContext;
-    this._strategy = new passportGithub2.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        tokenURL: options.tokenUrl,
-        userProfileURL: options.userProfileUrl,
-        authorizationURL: options.authorizationUrl
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(void 0, { fullProfile, params, accessToken }, { refreshToken });
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: (await this.stateEncoder(req)).encodedState
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    let refreshToken = privateInfo.refreshToken;
-    if (!refreshToken && !result.params.expires_in) {
-      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
-    }
-    return {
-      response: await this.handleResult(result),
-      refreshToken
-    };
-  }
-  async refresh(req) {
-    const { scope, refreshToken } = req;
-    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
-      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
-      const fullProfile = await executeFetchUserProfileStrategy(
-        this._strategy,
-        accessToken
-      ).catch((error) => {
-        var _a;
-        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
-          throw new Error("Invalid access token");
-        }
-        throw error;
-      });
-      return {
-        response: await this.handleResult({
-          fullProfile,
-          params: { scope },
-          accessToken
-        }),
-        refreshToken
-      };
-    }
-    const result = await executeRefreshTokenStrategy(
-      this._strategy,
-      refreshToken,
-      scope
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile: await executeFetchUserProfileStrategy(
-          this._strategy,
-          result.accessToken
-        ),
-        params: { ...result.params, scope },
-        accessToken: result.accessToken
-      }),
-      refreshToken: result.refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const expiresInStr = result.params.expires_in;
-    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
-    let backstageIdentity = void 0;
-    if (this.signInResolver) {
-      backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-      if (expiresInSeconds) {
-        expiresInSeconds = Math.min(
-          expiresInSeconds,
-          BACKSTAGE_SESSION_EXPIRATION
-        );
-      } else {
-        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
-      }
-    }
-    return {
-      backstageIdentity,
-      providerInfo: {
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds
-      },
-      profile
-    };
-  }
-}
 const github = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a, _b, _c;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const enterpriseInstanceUrl = (_a = envConfig.getOptionalString("enterpriseInstanceUrl")) == null ? void 0 : _a.replace(/\/$/, "");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-      const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-      const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-        profile: makeProfileInfo(fullProfile)
-      });
-      const stateEncoder = (_b = options == null ? void 0 : options.stateEncoder) != null ? _b : async (req) => {
-        return { encodedState: encodeState(req.state) };
-      };
-      const provider = new GithubAuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        tokenUrl,
-        userProfileUrl,
-        authorizationUrl,
-        signInResolver: (_c = options == null ? void 0 : options.signIn) == null ? void 0 : _c.resolver,
-        authHandler,
-        stateEncoder,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        persistScopes: true,
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    const authHandler = options == null ? void 0 : options.authHandler;
+    const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleGithubProvider.githubAuthenticator,
+      profileTransform: authHandler && (async (result, ctx) => authHandler(
+        {
+          fullProfile: result.fullProfile,
+          accessToken: result.session.accessToken,
+          params: {
+            scope: result.session.scope,
+            expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
+            refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
+          }
+        },
+        ctx
+      )),
+      signInResolver: signInResolver && (async ({ profile, result }, ctx) => signInResolver(
+        {
+          profile,
+          result: {
+            fullProfile: result.fullProfile,
+            accessToken: result.session.accessToken,
+            refreshToken: result.session.refreshToken,
+            params: {
+              scope: result.session.scope,
+              expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
+              refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
+            }
+          }
+        },
+        ctx
+      ))
     });
   },
   resolvers: {
@@ -1710,10 +1404,10 @@ const github = createAuthProviderIntegration({
   }
 });
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const gitlabDefaultAuthHandler = async ({
@@ -1724,10 +1418,10 @@ const gitlabDefaultAuthHandler = async ({
 });
 class GitlabAuthProvider {
   constructor(options) {
-    __publicField$d(this, "_strategy");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "resolverContext");
+    __publicField$c(this, "_strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1835,158 +1529,88 @@ const gitlab = createAuthProviderIntegration({
   }
 });
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class GoogleAuthProvider {
-  constructor(options) {
-    __publicField$c(this, "strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "resolverContext");
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-    this.strategy = new passportGoogleOauth20.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        passReqToCallback: false
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(
-          void 0,
-          {
-            fullProfile,
-            params,
-            accessToken,
-            refreshToken
-          },
-          {
-            refreshToken
-          }
-        );
+function adaptLegacyOAuthHandler(authHandler) {
+  return authHandler && (async (result, ctx) => authHandler(
+    {
+      fullProfile: result.fullProfile,
+      accessToken: result.session.accessToken,
+      params: {
+        scope: result.session.scope,
+        id_token: result.session.idToken,
+        token_type: result.session.tokenType,
+        expires_in: result.session.expiresInSeconds
       }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this.strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this.strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async logout(req) {
-    const oauthClient = new googleAuthLibrary.OAuth2Client();
-    await oauthClient.revokeToken(req.refreshToken);
-  }
-  async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
-      this.strategy,
-      req.refreshToken,
-      req.scope
-    );
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this.strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
+    },
+    ctx
+  ));
+}
+
+function adaptLegacyOAuthSignInResolver(signInResolver) {
+  return signInResolver && (async (input, ctx) => signInResolver(
+    {
+      profile: input.profile,
+      result: {
+        fullProfile: input.result.fullProfile,
+        accessToken: input.result.session.accessToken,
+        refreshToken: input.result.session.refreshToken,
+        params: {
+          scope: input.result.session.scope,
+          id_token: input.result.session.idToken,
+          token_type: input.result.session.tokenType,
+          expires_in: input.result.session.expiresInSeconds
+        }
+      }
+    },
+    ctx
+  ));
+}
+
+function adaptOAuthSignInResolverToLegacy(resolvers) {
+  const legacyResolvers = {};
+  for (const name of Object.keys(resolvers)) {
+    const resolver = resolvers[name];
+    legacyResolvers[name] = () => async (input, ctx) => {
+      var _a;
+      return resolver(
         {
-          result,
-          profile
+          profile: input.profile,
+          result: {
+            fullProfile: input.result.fullProfile,
+            session: {
+              accessToken: input.result.accessToken,
+              expiresInSeconds: input.result.params.expires_in,
+              scope: input.result.params.scope,
+              idToken: input.result.params.id_token,
+              tokenType: (_a = input.result.params.token_type) != null ? _a : "bearer",
+              refreshToken: input.result.refreshToken
+            }
+          }
         },
-        this.resolverContext
+        ctx
       );
-    }
-    return response;
+    };
   }
+  return legacyResolvers;
 }
+
 const google = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
-      });
-      const provider = new GoogleAuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        authHandler,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleGoogleProvider.googleAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email local part to the entity name.
-     */
-    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
-    /**
-     * Looks up the user by matching their email to the `google.com/email` annotation.
-     */
-    emailMatchingUserEntityAnnotation() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error("Google profile contained no email");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "google.com/email": profile.email
-          }
-        });
-      };
-    }
-  }
+  resolvers: adaptOAuthSignInResolverToLegacy({
+    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
+    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
+    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleGoogleProvider.googleSignInResolvers.emailMatchingUserEntityAnnotation()
+  })
 });
 
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
+
 var __defProp$b = Object.defineProperty;
 var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$b = (obj, key, value) => {
@@ -3873,7 +3497,7 @@ async function createRouter(options) {
     database,
     tokenManager,
     tokenFactoryAlgorithm,
-    providerFactories,
+    providerFactories = {},
     catalogApi
   } = options;
   const router = Router__default["default"]();
@@ -3890,7 +3514,7 @@ async function createRouter(options) {
     keyStore,
     keyDurationSeconds,
     logger: logger.child({ component: "token-factory" }),
-    algorithm: tokenFactoryAlgorithm
+    algorithm: tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")
   });
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
@@ -3916,21 +3540,23 @@ async function createRouter(options) {
   }
   router.use(express__default["default"].urlencoded({ extended: false }));
   router.use(express__default["default"].json());
-  const allProviderFactories = {
+  const allProviderFactories = options.disableDefaultProviderFactories ? providerFactories : {
     ...defaultAuthProviderFactories,
     ...providerFactories
   };
-  const providersConfig = config.getConfig("auth.providers");
-  const configuredProviders = providersConfig.keys();
+  const providersConfig = config.getOptionalConfig("auth.providers");
   const isOriginAllowed = createOriginFilter(config);
   for (const [providerId, providerFactory] of Object.entries(
     allProviderFactories
   )) {
-    if (configuredProviders.includes(providerId)) {
+    if (providersConfig == null ? void 0 : providersConfig.has(providerId)) {
       logger.info(`Configuring auth provider: ${providerId}`);
       try {
         const provider = providerFactory({
           providerId,
+          appUrl,
+          baseUrl: authUrl,
+          isOriginAllowed,
           globalConfig: {
             baseUrl: authUrl,
             appUrl,
@@ -4009,9 +3635,59 @@ function createOriginFilter(config) {
   };
 }
 
+const authPlugin = backendPluginApi.createBackendPlugin({
+  pluginId: "auth",
+  register(reg) {
+    const providers = /* @__PURE__ */ new Map();
+    reg.registerExtensionPoint(pluginAuthNode.authProvidersExtensionPoint, {
+      registerProvider({ providerId, factory }) {
+        if (providers.has(providerId)) {
+          throw new Error(
+            `Auth provider '${providerId}' was already registered`
+          );
+        }
+        providers.set(providerId, factory);
+      }
+    });
+    reg.registerInit({
+      deps: {
+        httpRouter: backendPluginApi.coreServices.httpRouter,
+        logger: backendPluginApi.coreServices.logger,
+        config: backendPluginApi.coreServices.rootConfig,
+        database: backendPluginApi.coreServices.database,
+        discovery: backendPluginApi.coreServices.discovery,
+        tokenManager: backendPluginApi.coreServices.tokenManager,
+        catalogApi: alpha.catalogServiceRef
+      },
+      async init({
+        httpRouter,
+        logger,
+        config,
+        database,
+        discovery,
+        tokenManager,
+        catalogApi
+      }) {
+        const router = await createRouter({
+          logger,
+          config,
+          database,
+          discovery,
+          tokenManager,
+          catalogApi,
+          providerFactories: Object.fromEntries(providers),
+          disableDefaultProviderFactories: true
+        });
+        httpRouter.use(router);
+      }
+    });
+  }
+});
+
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+exports.authPlugin = authPlugin;
 exports.createAuthProviderIntegration = createAuthProviderIntegration;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;