@backstage/plugin-auth-backend 0.18.7 → 0.18.8-next.0

package/dist/index.d.ts

@@ -1,43 +1,31 @@
 /// <reference types="node" />
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+import { LoggerService } from '@backstage/backend-plugin-api';
 import express from 'express';
-import { Logger } from 'winston';
-import { GetEntitiesRequest, CatalogApi } from '@backstage/catalog-client';
-import { Entity, UserEntity } from '@backstage/catalog-model';
-import { Config } from '@backstage/config';
-import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
-import { JsonValue } from '@backstage/types';
+import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
+import { BackstageSignInResult, OAuthState as OAuthState$1, AuthResolverCatalogUserQuery as AuthResolverCatalogUserQuery$1, AuthResolverContext as AuthResolverContext$1, CookieConfigurer as CookieConfigurer$1, AuthProviderConfig as AuthProviderConfig$1, AuthProviderRouteHandlers as AuthProviderRouteHandlers$1, AuthProviderFactory as AuthProviderFactory$1, ClientAuthResponse, ProfileInfo as ProfileInfo$1, SignInInfo as SignInInfo$1, SignInResolver as SignInResolver$1, OAuthEnvironmentHandler as OAuthEnvironmentHandler$1, decodeOAuthState, encodeOAuthState, prepareBackstageIdentityResponse as prepareBackstageIdentityResponse$1, TokenParams as TokenParams$1, WebMessageResponse as WebMessageResponse$1 } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
 import { PluginDatabaseManager, PluginEndpointDiscovery, TokenManager } from '@backstage/backend-common';
+import { CatalogApi } from '@backstage/catalog-client';
+import { Config } from '@backstage/config';
 import { IncomingHttpHeaders } from 'http';
 import { TokenSet, UserinfoResponse } from 'openid-client';
-import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+import * as _backstage_plugin_auth_backend_module_gcp_iap_provider from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
+import { GcpIapTokenInfo as GcpIapTokenInfo$1, GcpIapResult as GcpIapResult$1 } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
+import { UserEntity, Entity } from '@backstage/catalog-model';
 
 /**
- * Parameters used to issue new ID Tokens
+ * Auth plugin
  *
  * @public
  */
-type TokenParams = {
-    /**
-     * The claims that will be embedded within the token. At a minimum, this should include
-     * the subject claim, `sub`. It is common to also list entity ownership relations in the
-     * `ent` list. Additional claims may also be added at the developer's discretion except
-     * for the following list, which will be overwritten by the TokenIssuer: `iss`, `aud`,
-     * `iat`, and `exp`. The Backstage team also maintains the right add new claims in the future
-     * without listing the change as a "breaking change".
-     */
-    claims: {
-        /** The token subject, i.e. User ID */
-        sub: string;
-        /** A list of entity references that the user claims ownership through */
-        ent?: string[];
-    } & Record<string, JsonValue>;
-};
+declare const authPlugin: () => _backstage_backend_plugin_api.BackendFeature;
 
 /**
  * Common options for passport.js-based OAuth providers
  *
  * @public
+ * @deprecated No longer in use
  */
 type OAuthProviderOptions = {
     /**
@@ -53,28 +41,34 @@ type OAuthProviderOptions = {
      */
     callbackUrl: string;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated Use `OAuthAuthenticatorResult<PassportProfile>` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthResult = {
     fullProfile: Profile;
     params: {
         id_token?: string;
         scope: string;
+        token_type?: string;
         expires_in: number;
     };
     accessToken: string;
     refreshToken?: string;
 };
 /**
- * The expected response from an OAuth flow.
- *
  * @public
+ * @deprecated Use `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
  */
 type OAuthResponse = {
     profile: ProfileInfo;
     providerInfo: OAuthProviderInfo;
     backstageIdentity?: BackstageSignInResult;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthProviderInfo = {
     /**
      * An access token issued for the signed in user.
@@ -93,35 +87,37 @@ type OAuthProviderInfo = {
      */
     scope: string;
 };
-/** @public */
-type OAuthState = {
-    nonce: string;
-    env: string;
-    origin?: string;
-    scope?: string;
-    redirectUrl?: string;
-    flow?: string;
-};
-/** @public */
+/**
+ * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+type OAuthState = OAuthState$1;
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthStartRequest = express.Request<{}> & {
     scope: string;
     state: OAuthState;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthRefreshRequest = express.Request<{}> & {
     scope: string;
     refreshToken: string;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthLogoutRequest = express.Request<{}> & {
     refreshToken: string;
 };
 /**
- * Any OAuth provider needs to implement this interface which has provider specific
- * handlers for different methods to perform authentication, get access tokens,
- * refresh tokens and perform sign out.
- *
  * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 interface OAuthHandlers {
     /**
@@ -149,99 +145,24 @@ interface OAuthHandlers {
 }
 
 /**
- * A query for a single user in the catalog.
- *
- * If `entityRef` is used, the default kind is `'User'`.
- *
- * If `annotations` are used, all annotations must be present and
- * match the provided value exactly. Only entities of kind `'User'` will be considered.
- *
- * If `filter` are used they are passed on as they are to the `CatalogApi`.
- *
- * Regardless of the query method, the query must match exactly one entity
- * in the catalog, or an error will be thrown.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type AuthResolverCatalogUserQuery = {
-    entityRef: string | {
-        kind?: string;
-        namespace?: string;
-        name: string;
-    };
-} | {
-    annotations: Record<string, string>;
-} | {
-    filter: Exclude<GetEntitiesRequest['filter'], undefined>;
-};
+type AuthResolverCatalogUserQuery = AuthResolverCatalogUserQuery$1;
 /**
- * The context that is used for auth processing.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type AuthResolverContext = {
-    /**
-     * Issues a Backstage token using the provided parameters.
-     */
-    issueToken(params: TokenParams): Promise<{
-        token: string;
-    }>;
-    /**
-     * Finds a single user in the catalog using the provided query.
-     *
-     * See {@link AuthResolverCatalogUserQuery} for details.
-     */
-    findCatalogUser(query: AuthResolverCatalogUserQuery): Promise<{
-        entity: Entity;
-    }>;
-    /**
-     * Finds a single user in the catalog using the provided query, and then
-     * issues an identity for that user using default ownership resolution.
-     *
-     * See {@link AuthResolverCatalogUserQuery} for details.
-     */
-    signInWithCatalogUser(query: AuthResolverCatalogUserQuery): Promise<BackstageSignInResult>;
-};
+type AuthResolverContext = AuthResolverContext$1;
 /**
- * The callback used to resolve the cookie configuration for auth providers that use cookies.
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+type CookieConfigurer = CookieConfigurer$1;
+/**
+ * @public
+ * @deprecated Use `createOAuthAuthenticator` from `@backstage/plugin-auth-node` instead
  */
-type CookieConfigurer = (ctx: {
-    /** ID of the auth provider that this configuration applies to */
-    providerId: string;
-    /** The externally reachable base URL of the auth-backend plugin */
-    baseUrl: string;
-    /** The configured callback URL of the auth provider */
-    callbackUrl: string;
-    /** The origin URL of the app */
-    appOrigin: string;
-}) => {
-    domain: string;
-    path: string;
-    secure: boolean;
-    sameSite?: 'none' | 'lax' | 'strict';
-};
-/** @public */
-type AuthProviderConfig = {
-    /**
-     * The protocol://domain[:port] where the app is hosted. This is used to construct the
-     * callbackURL to redirect to once the user signs in to the auth provider.
-     */
-    baseUrl: string;
-    /**
-     * The base URL of the app as provided by app.baseUrl
-     */
-    appUrl: string;
-    /**
-     * A function that is called to check whether an origin is allowed to receive the authentication result.
-     */
-    isOriginAllowed: (origin: string) => boolean;
-    /**
-     * The function used to resolve cookie configuration based on the auth provider options.
-     */
-    cookieConfigurer?: CookieConfigurer;
-};
-/** @public */
 type OAuthStartResponse = {
     /**
      * URL to redirect to
@@ -253,125 +174,46 @@ type OAuthStartResponse = {
     status?: number;
 };
 /**
- * Any Auth provider needs to implement this interface which handles the routes in the
- * auth backend. Any auth API requests from the frontend reaches these methods.
- *
- * The routes in the auth backend API are tied to these methods like below
- *
- * `/auth/[provider]/start -> start`
- * `/auth/[provider]/handler/frame -> frameHandler`
- * `/auth/[provider]/refresh -> refresh`
- * `/auth/[provider]/logout -> logout`
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-interface AuthProviderRouteHandlers {
-    /**
-     * Handles the start route of the API. This initiates a sign in request with an auth provider.
-     *
-     * Request
-     * - scopes for the auth request (Optional)
-     * Response
-     * - redirect to the auth provider for the user to sign in or consent.
-     * - sets a nonce cookie and also pass the nonce as 'state' query parameter in the redirect request
-     */
-    start(req: express.Request, res: express.Response): Promise<void>;
-    /**
-     * Once the user signs in or consents in the OAuth screen, the auth provider redirects to the
-     * callbackURL which is handled by this method.
-     *
-     * Request
-     * - to contain a nonce cookie and a 'state' query parameter
-     * Response
-     * - postMessage to the window with a payload that contains accessToken, expiryInSeconds?, idToken? and scope.
-     * - sets a refresh token cookie if the auth provider supports refresh tokens
-     */
-    frameHandler(req: express.Request, res: express.Response): Promise<void>;
-    /**
-     * (Optional) If the auth provider supports refresh tokens then this method handles
-     * requests to get a new access token.
-     *
-     * Request
-     * - to contain a refresh token cookie and scope (Optional) query parameter.
-     * Response
-     * - payload with accessToken, expiryInSeconds?, idToken?, scope and user profile information.
-     */
-    refresh?(req: express.Request, res: express.Response): Promise<void>;
-    /**
-     * (Optional) Handles sign out requests
-     *
-     * Response
-     * - removes the refresh token cookie
-     */
-    logout?(req: express.Request, res: express.Response): Promise<void>;
-}
-/** @public */
-type AuthProviderFactory = (options: {
-    providerId: string;
-    globalConfig: AuthProviderConfig;
-    config: Config;
-    logger: Logger;
-    resolverContext: AuthResolverContext;
-}) => AuthProviderRouteHandlers;
-/** @public */
-type AuthResponse<ProviderInfo> = {
-    providerInfo: ProviderInfo;
-    profile: ProfileInfo;
-    backstageIdentity?: BackstageIdentityResponse;
-};
+type AuthProviderConfig = AuthProviderConfig$1;
 /**
- * Used to display login information to user, i.e. sidebar popup.
- *
- * It is also temporarily used as the profile of the signed-in user's Backstage
- * identity, but we want to replace that with data from identity and/org catalog
- * service
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type ProfileInfo = {
-    /**
-     * Email ID of the signed in user.
-     */
-    email?: string;
-    /**
-     * Display name that can be presented to the signed in user.
-     */
-    displayName?: string;
-    /**
-     * URL to an image that can be used as the display image or avatar of the
-     * signed in user.
-     */
-    picture?: string;
-};
+type AuthProviderRouteHandlers = AuthProviderRouteHandlers$1;
 /**
- * Type of sign in information context. Includes the profile information and
- * authentication result which contains auth related information.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type SignInInfo<TAuthResult> = {
-    /**
-     * The simple profile passed down for use in the frontend.
-     */
-    profile: ProfileInfo;
-    /**
-     * The authentication result that was received from the authentication
-     * provider.
-     */
-    result: TAuthResult;
-};
+type AuthProviderFactory = AuthProviderFactory$1;
+/**
+ * @public
+ * @deprecated import `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
+ */
+type AuthResponse<TProviderInfo> = ClientAuthResponse<TProviderInfo>;
+/**
+ * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+type ProfileInfo = ProfileInfo$1;
+/**
+ * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+type SignInInfo<TAuthResult> = SignInInfo$1<TAuthResult>;
 /**
- * Describes the function which handles the result of a successful
- * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type SignInResolver<TAuthResult> = (info: SignInInfo<TAuthResult>, context: AuthResolverContext) => Promise<BackstageSignInResult>;
+type SignInResolver<TAuthResult> = SignInResolver$1<TAuthResult>;
 /**
  * The return type of an authentication handler. Must contain valid profile
  * information.
  *
  * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 type AuthHandlerResult = {
     profile: ProfileInfo;
@@ -388,9 +230,13 @@ type AuthHandlerResult = {
  * group of users.
  *
  * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext) => Promise<AuthHandlerResult>;
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type StateEncoder = (req: OAuthStartRequest) => Promise<{
     encodedState: string;
 }>;
@@ -408,20 +254,16 @@ type EasyAuthResult = {
     accessToken?: string;
 };
 
-/** @public */
-declare class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {
-    private readonly handlers;
-    static mapConfig(config: Config, factoryFunc: (envConfig: Config) => AuthProviderRouteHandlers): OAuthEnvironmentHandler;
-    constructor(handlers: Map<string, AuthProviderRouteHandlers>);
-    start(req: express.Request, res: express.Response): Promise<void>;
-    frameHandler(req: express.Request, res: express.Response): Promise<void>;
-    refresh(req: express.Request, res: express.Response): Promise<void>;
-    logout(req: express.Request, res: express.Response): Promise<void>;
-    private getRequestFromEnv;
-    private getProviderForEnv;
-}
+/**
+ * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+declare const OAuthEnvironmentHandler: typeof OAuthEnvironmentHandler$1;
 
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 type OAuthAdapterOptions = {
     providerId: string;
     persistScopes?: boolean;
@@ -431,7 +273,10 @@ type OAuthAdapterOptions = {
     isOriginAllowed: (origin: string) => boolean;
     callbackUrl: string;
 };
-/** @public */
+/**
+ * @public
+ * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
+ */
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
     private readonly options;
@@ -456,11 +301,20 @@ declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private getCookieConfig;
 }
 
-/** @public */
-declare const readState: (stateString: string) => OAuthState;
-/** @public */
-declare const encodeState: (state: OAuthState) => string;
-/** @public */
+/**
+ * @public
+ * @deprecated Use `decodeOAuthState` from `@backstage/plugin-auth-node` instead
+ */
+declare const readState: typeof decodeOAuthState;
+/**
+ * @public
+ * @deprecated Use `encodeOAuthState` from `@backstage/plugin-auth-node` instead
+ */
+declare const encodeState: typeof encodeOAuthState;
+/**
+ * @public
+ * @deprecated Use inline logic to make sure the session and state nonce matches instead.
+ */
 declare const verifyNonce: (req: express.Request, providerId: string) => void;
 
 /** @public */
@@ -660,33 +514,17 @@ type SamlAuthResult = {
  * The data extracted from an IAP token.
  *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
  */
-type GcpIapTokenInfo = {
-    /**
-     * The unique, stable identifier for the user.
-     */
-    sub: string;
-    /**
-     * User email address.
-     */
-    email: string;
-    /**
-     * Other fields.
-     */
-    [key: string]: JsonValue;
-};
+type GcpIapTokenInfo = GcpIapTokenInfo$1;
 /**
  * The result of the initial auth challenge. This is the input to the auth
  * callbacks.
  *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
  */
-type GcpIapResult = {
-    /**
-     * The data extracted from the IAP token header.
-     */
-    iapToken: GcpIapTokenInfo;
-};
+type GcpIapResult = GcpIapResult$1;
 
 /**
  * All built-in auth provider integrations.
@@ -700,7 +538,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     auth0: Readonly<{
@@ -709,7 +547,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     awsAlb: Readonly<{
@@ -718,7 +556,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<AwsAlbResult>;
             };
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     bitbucket: Readonly<{
@@ -727,7 +565,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             usernameMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
             userIdMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
@@ -739,7 +577,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<BitbucketServerOAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             emailMatchingUserEntityProfileEmail: () => SignInResolver<BitbucketServerOAuthResult>;
         }>;
@@ -751,30 +589,30 @@ declare const providers: Readonly<{
                 resolver: SignInResolver<CloudflareAccessResult>;
             };
             cache?: _backstage_backend_plugin_api.CacheService | undefined;
-        }) => AuthProviderFactory;
+        }) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
         }>;
     }>;
     gcpIap: Readonly<{
         create: (options: {
-            authHandler?: AuthHandler<GcpIapResult> | undefined;
+            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_gcp_iap_provider.GcpIapResult> | undefined;
             signIn: {
-                resolver: SignInResolver<GcpIapResult>;
+                resolver: SignInResolver<_backstage_plugin_auth_backend_module_gcp_iap_provider.GcpIapResult>;
             };
-        }) => AuthProviderFactory;
+        }) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     github: Readonly<{
         create: (options?: {
             authHandler?: AuthHandler<GithubOAuthResult> | undefined;
             signIn?: {
-                resolver: SignInResolver<GithubOAuthResult>;
+                resolver: _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
             } | undefined;
             stateEncoder?: StateEncoder | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
-            usernameMatchingUserEntityName: () => SignInResolver<GithubOAuthResult>;
+            usernameMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
         }>;
     }>;
     gitlab: Readonly<{
@@ -783,7 +621,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     google: Readonly<{
@@ -792,11 +630,11 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
-            emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
-            emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
-            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
+            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
+            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
+            emailMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
         }>;
     }>;
     microsoft: Readonly<{
@@ -805,7 +643,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -818,7 +656,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     oauth2Proxy: Readonly<{
@@ -827,7 +665,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
             };
-        }) => AuthProviderFactory;
+        }) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     oidc: Readonly<{
@@ -836,7 +674,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OidcAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -848,7 +686,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -861,7 +699,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
     saml: Readonly<{
@@ -870,7 +708,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<SamlAuthResult>;
             } | undefined;
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: Readonly<{
             nameIdMatchingUserEntityName(): SignInResolver<SamlAuthResult>;
         }>;
@@ -881,7 +719,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<EasyAuthResult>;
             };
-        } | undefined) => AuthProviderFactory;
+        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
         resolvers: never;
     }>;
 }>;
@@ -914,13 +752,10 @@ declare function createAuthProviderIntegration<TCreateOptions extends unknown[],
 }>;
 
 /**
- * Parses a Backstage-issued token and decorates the
- * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
- * token.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-declare function prepareBackstageIdentityResponse(result: BackstageSignInResult): BackstageIdentityResponse;
+declare const prepareBackstageIdentityResponse: typeof prepareBackstageIdentityResponse$1;
 
 /** @public */
 type ProviderFactories = {
@@ -928,13 +763,14 @@ type ProviderFactories = {
 };
 /** @public */
 interface RouterOptions {
-    logger: Logger;
+    logger: LoggerService;
     database: PluginDatabaseManager;
     config: Config;
     discovery: PluginEndpointDiscovery;
     tokenManager: TokenManager;
     tokenFactoryAlgorithm?: string;
     providerFactories?: ProviderFactories;
+    disableDefaultProviderFactories?: boolean;
     catalogApi?: CatalogApi;
 }
 /** @public */
@@ -943,22 +779,26 @@ declare function createRouter(options: RouterOptions): Promise<express.Router>;
 declare function createOriginFilter(config: Config): (origin: string) => boolean;
 
 /**
- * Payload sent as a post message after the auth request is complete.
- * If successful then has a valid payload with Auth information else contains an error.
- *
  * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type WebMessageResponse = {
-    type: 'authorization_response';
-    response: AuthResponse<unknown>;
-} | {
-    type: 'authorization_response';
-    error: Error;
-};
+type TokenParams = TokenParams$1;
 
-/** @public */
+/**
+ * @public
+ * @deprecated import from `@backstage/plugin-auth-node` instead
+ */
+type WebMessageResponse = WebMessageResponse$1;
+
+/**
+ * @public
+ * @deprecated Use `sendWebMessageResponse` from `@backstage/plugin-auth-node` instead
+ */
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
-/** @public */
+/**
+ * @public
+ * @deprecated Use inline logic to check that the `X-Requested-With` header is set to `'XMLHttpRequest'` instead.
+ */
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
 /**
@@ -990,7 +830,7 @@ declare class CatalogIdentityClient {
      */
     resolveCatalogMembership(query: {
         entityRefs: string[];
-        logger?: Logger;
+        logger?: LoggerService;
     }): Promise<string[]>;
 }
 
@@ -1004,4 +844,4 @@ declare class CatalogIdentityClient {
  */
 declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
 
-export { AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketServerOAuthResult, CatalogIdentityClient, CloudflareAccessClaims, CloudflareAccessGroup, CloudflareAccessIdentityProfile, CloudflareAccessResult, CookieConfigurer, EasyAuthResult, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, OAuth2ProxyResult, OAuthAdapter, OAuthAdapterOptions, OAuthEnvironmentHandler, OAuthHandlers, OAuthLogoutRequest, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthStartResponse, OAuthState, OidcAuthResult, ProfileInfo, ProviderFactories, RouterOptions, SamlAuthResult, SignInInfo, SignInResolver, StateEncoder, TokenParams, WebMessageResponse, createAuthProviderIntegration, createOriginFilter, createRouter, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };
+export { AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketServerOAuthResult, CatalogIdentityClient, CloudflareAccessClaims, CloudflareAccessGroup, CloudflareAccessIdentityProfile, CloudflareAccessResult, CookieConfigurer, EasyAuthResult, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, OAuth2ProxyResult, OAuthAdapter, OAuthAdapterOptions, OAuthEnvironmentHandler, OAuthHandlers, OAuthLogoutRequest, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthStartResponse, OAuthState, OidcAuthResult, ProfileInfo, ProviderFactories, RouterOptions, SamlAuthResult, SignInInfo, SignInResolver, StateEncoder, TokenParams, WebMessageResponse, authPlugin, createAuthProviderIntegration, createOriginFilter, createRouter, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };