@backstage/plugin-auth-backend 0.18.8-next.0 → 0.18.8

package/dist/index.cjs.js

@@ -2,27 +2,26 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var alpha = require('@backstage/plugin-catalog-node/alpha');
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
 var OAuth2Strategy = require('passport-oauth2');
+var errors = require('@backstage/errors');
+var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
-var errors = require('@backstage/errors');
 var jwtDecoder = require('jwt-decode');
 var Auth0InternalStrategy = require('passport-auth0');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
-var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
+var googleAuthLibrary = require('google-auth-library');
+var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
-var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
+var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -64,6 +63,7 @@ var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
+var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
@@ -74,10 +74,10 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-var __defProp$j = Object.defineProperty;
-var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$j = (obj, key, value) => {
-  __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$m = Object.defineProperty;
+var __defNormalProp$m = (obj, key, value) => key in obj ? __defProp$m(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$m = (obj, key, value) => {
+  __defNormalProp$m(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const defaultScopes = ["offline_access", "read:me"];
@@ -94,7 +94,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
       scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
     super(optionsWithURLs, verify);
-    __publicField$j(this, "profileURL");
+    __publicField$m(this, "profileURL");
     this.profileURL = "https://api.atlassian.com/me";
     this.name = "atlassian";
     this._oauth2.useAuthorizationHeaderforGET(true);
@@ -142,10 +142,22 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
   }
 }
 
-const OAuthEnvironmentHandler = pluginAuthNode.OAuthEnvironmentHandler;
-
-const readState = pluginAuthNode.decodeOAuthState;
-const encodeState = pluginAuthNode.encodeOAuthState;
+const readState = (stateString) => {
+  var _a, _b;
+  const state = Object.fromEntries(
+    new URLSearchParams(Buffer.from(stateString, "hex").toString("utf-8"))
+  );
+  if (!state.nonce || !state.env || ((_a = state.nonce) == null ? void 0 : _a.length) === 0 || ((_b = state.env) == null ? void 0 : _b.length) === 0) {
+    throw Error(`Invalid state passed via request`);
+  }
+  return state;
+};
+const encodeState = (state) => {
+  const stateString = new URLSearchParams(
+    pickBy__default["default"](state, (value) => value !== void 0)
+  ).toString();
+  return Buffer.from(stateString, "utf-8").toString("hex");
+};
 const verifyNonce = (req, providerId) => {
   var _a, _b;
   const cookieNonce = req.cookies[`${providerId}-nonce`];
@@ -176,6 +188,66 @@ const defaultCookieConfigurer = ({
   return { domain, path, secure, sameSite };
 };
 
+class OAuthEnvironmentHandler {
+  constructor(handlers) {
+    this.handlers = handlers;
+  }
+  static mapConfig(config, factoryFunc) {
+    const envs = config.keys();
+    const handlers = /* @__PURE__ */ new Map();
+    for (const env of envs) {
+      const envConfig = config.getConfig(env);
+      const handler = factoryFunc(envConfig);
+      handlers.set(env, handler);
+    }
+    return new OAuthEnvironmentHandler(handlers);
+  }
+  async start(req, res) {
+    const provider = this.getProviderForEnv(req);
+    await provider.start(req, res);
+  }
+  async frameHandler(req, res) {
+    const provider = this.getProviderForEnv(req);
+    await provider.frameHandler(req, res);
+  }
+  async refresh(req, res) {
+    var _a;
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.refresh) == null ? void 0 : _a.call(provider, req, res));
+  }
+  async logout(req, res) {
+    var _a;
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.logout) == null ? void 0 : _a.call(provider, req, res));
+  }
+  getRequestFromEnv(req) {
+    var _a, _b;
+    const reqEnv = (_a = req.query.env) == null ? void 0 : _a.toString();
+    if (reqEnv) {
+      return reqEnv;
+    }
+    const stateParams = (_b = req.query.state) == null ? void 0 : _b.toString();
+    if (!stateParams) {
+      return void 0;
+    }
+    const env = readState(stateParams).env;
+    return env;
+  }
+  getProviderForEnv(req) {
+    const env = this.getRequestFromEnv(req);
+    if (!env) {
+      throw new errors.InputError(`Must specify 'env' query to select environment`);
+    }
+    const handler = this.handlers.get(env);
+    if (!handler) {
+      throw new errors.NotFoundError(
+        `No configuration available for the '${env}' environment of this provider.`
+      );
+    }
+    return handler;
+  }
+}
+
 const safelyEncodeURIComponent = (value) => {
   return encodeURIComponent(value).replace(/'/g, "%27");
 };
@@ -207,12 +279,26 @@ const ensuresXRequestedWith = (req) => {
   return true;
 };
 
-const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
+function parseJwtPayload(token) {
+  const [_header, payload, _signature] = token.split(".");
+  return JSON.parse(Buffer.from(payload, "base64").toString());
+}
+function prepareBackstageIdentityResponse(result) {
+  const { sub, ent } = parseJwtPayload(result.token);
+  return {
+    ...result,
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent != null ? ent : []
+    }
+  };
+}
 
-var __defProp$i = Object.defineProperty;
-var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$i = (obj, key, value) => {
-  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$l = Object.defineProperty;
+var __defNormalProp$l = (obj, key, value) => key in obj ? __defProp$l(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$l = (obj, key, value) => {
+  __defNormalProp$l(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -221,8 +307,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$i(this, "baseCookieOptions");
-    __publicField$i(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$l(this, "baseCookieOptions");
+    __publicField$l(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -230,34 +316,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$i(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$l(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$l(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$i(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$l(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$i(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$l(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$l(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "getCookieConfig", (origin) => {
+    __publicField$l(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -563,10 +649,10 @@ function createAuthProviderIntegration(config) {
   });
 }
 
-var __defProp$h = Object.defineProperty;
-var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$h = (obj, key, value) => {
-  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$k = Object.defineProperty;
+var __defNormalProp$k = (obj, key, value) => key in obj ? __defProp$k(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$k = (obj, key, value) => {
+  __defNormalProp$k(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const atlassianDefaultAuthHandler = async ({
@@ -577,10 +663,10 @@ const atlassianDefaultAuthHandler = async ({
 });
 class AtlassianAuthProvider {
   constructor(options) {
-    __publicField$h(this, "_strategy");
-    __publicField$h(this, "signInResolver");
-    __publicField$h(this, "authHandler");
-    __publicField$h(this, "resolverContext");
+    __publicField$k(this, "_strategy");
+    __publicField$k(this, "signInResolver");
+    __publicField$k(this, "authHandler");
+    __publicField$k(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -698,21 +784,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
   }
 }
 
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$j = Object.defineProperty;
+var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$j = (obj, key, value) => {
+  __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$g(this, "_strategy");
-    __publicField$g(this, "signInResolver");
-    __publicField$g(this, "authHandler");
-    __publicField$g(this, "resolverContext");
-    __publicField$g(this, "audience");
-    __publicField$g(this, "connection");
-    __publicField$g(this, "connectionScope");
+    __publicField$j(this, "_strategy");
+    __publicField$j(this, "signInResolver");
+    __publicField$j(this, "authHandler");
+    __publicField$j(this, "resolverContext");
+    __publicField$j(this, "audience");
+    __publicField$j(this, "connection");
+    __publicField$j(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -721,7 +807,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$g(this, "store", {
+    __publicField$j(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -862,23 +948,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$i = Object.defineProperty;
+var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$i = (obj, key, value) => {
+  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$f(this, "region");
-    __publicField$f(this, "issuer");
-    __publicField$f(this, "resolverContext");
-    __publicField$f(this, "keyCache");
-    __publicField$f(this, "authHandler");
-    __publicField$f(this, "signInResolver");
-    __publicField$f(this, "getKey", async (header) => {
+    __publicField$i(this, "region");
+    __publicField$i(this, "issuer");
+    __publicField$i(this, "resolverContext");
+    __publicField$i(this, "keyCache");
+    __publicField$i(this, "authHandler");
+    __publicField$i(this, "signInResolver");
+    __publicField$i(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -1006,18 +1092,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$h = Object.defineProperty;
+var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$h = (obj, key, value) => {
+  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$e(this, "_strategy");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "resolverContext");
+    __publicField$h(this, "_strategy");
+    __publicField$h(this, "signInResolver");
+    __publicField$h(this, "authHandler");
+    __publicField$h(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1185,10 +1271,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$g = Object.defineProperty;
+var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$g = (obj, key, value) => {
+  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1196,12 +1282,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$d(this, "teamName");
-    __publicField$d(this, "resolverContext");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "jwtKeySet");
-    __publicField$d(this, "cache");
+    __publicField$g(this, "teamName");
+    __publicField$g(this, "resolverContext");
+    __publicField$g(this, "authHandler");
+    __publicField$g(this, "signInResolver");
+    __publicField$g(this, "jwtKeySet");
+    __publicField$g(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1339,52 +1425,272 @@ const cfAccess = createAuthProviderIntegration({
   }
 });
 
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(
+      token,
+      response.pubkeys,
+      audience,
+      ["https://cloud.google.com/iap"]
+    );
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError("Missing Google IAP header");
+  }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError(
+      "Google IAP token payload is missing sub and/or email claim"
+    );
+  }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
+}
+const defaultAuthHandler$1 = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
+
+const DEFAULT_IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+class GcpIapProvider {
+  constructor(options) {
+    __publicField$f(this, "authHandler");
+    __publicField$f(this, "signInResolver");
+    __publicField$f(this, "tokenValidator");
+    __publicField$f(this, "resolverContext");
+    __publicField$f(this, "jwtHeader");
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.resolverContext = options.resolverContext;
+    this.jwtHeader = (options == null ? void 0 : options.jwtHeader) || DEFAULT_IAP_JWT_HEADER;
+  }
+  async start() {
+  }
+  async frameHandler() {
+  }
+  async refresh(req, res) {
+    const result = await parseRequestToken(
+      req.header(this.jwtHeader),
+      this.tokenValidator
+    );
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver(
+      { profile, result },
+      this.resolverContext
+    );
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
+  }
+}
 const gcpIap = createAuthProviderIntegration({
   create(options) {
-    var _a;
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGcpIapProvider.gcpIapAuthenticator,
-      profileTransform: options == null ? void 0 : options.authHandler,
-      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
-    });
+    return ({ config, resolverContext }) => {
+      var _a;
+      const audience = config.getString("audience");
+      const jwtHeader = config.getOptionalString("jwtHeader");
+      const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler$1;
+      const signInResolver = options.signIn.resolver;
+      const tokenValidator = createTokenValidator(audience);
+      return new GcpIapProvider({
+        authHandler,
+        signInResolver,
+        tokenValidator,
+        resolverContext,
+        jwtHeader
+      });
+    };
   }
 });
 
-const github = createAuthProviderIntegration({
-  create(options) {
-    var _a;
-    const authHandler = options == null ? void 0 : options.authHandler;
-    const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGithubProvider.githubAuthenticator,
-      profileTransform: authHandler && (async (result, ctx) => authHandler(
-        {
-          fullProfile: result.fullProfile,
-          accessToken: result.session.accessToken,
-          params: {
-            scope: result.session.scope,
-            expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
-            refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
-          }
-        },
-        ctx
-      )),
-      signInResolver: signInResolver && (async ({ profile, result }, ctx) => signInResolver(
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
+
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+const ACCESS_TOKEN_PREFIX = "access-token.";
+class GithubAuthProvider {
+  constructor(options) {
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
+    __publicField$e(this, "stateEncoder");
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
+    this.resolverContext = options.resolverContext;
+    this._strategy = new passportGithub2.Strategy(
+      {
+        clientID: options.clientId,
+        clientSecret: options.clientSecret,
+        callbackURL: options.callbackUrl,
+        tokenURL: options.tokenUrl,
+        userProfileURL: options.userProfileUrl,
+        authorizationURL: options.authorizationUrl
+      },
+      (accessToken, refreshToken, params, fullProfile, done) => {
+        done(void 0, { fullProfile, params, accessToken }, { refreshToken });
+      }
+    );
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
+      state: (await this.stateEncoder(req)).encodedState
+    });
+  }
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    let refreshToken = privateInfo.refreshToken;
+    if (!refreshToken && !result.params.expires_in) {
+      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+    }
+    return {
+      response: await this.handleResult(result),
+      refreshToken
+    };
+  }
+  async refresh(req) {
+    const { scope, refreshToken } = req;
+    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+      const fullProfile = await executeFetchUserProfileStrategy(
+        this._strategy,
+        accessToken
+      ).catch((error) => {
+        var _a;
+        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+          throw new Error("Invalid access token");
+        }
+        throw error;
+      });
+      return {
+        response: await this.handleResult({
+          fullProfile,
+          params: { scope },
+          accessToken
+        }),
+        refreshToken
+      };
+    }
+    const result = await executeRefreshTokenStrategy(
+      this._strategy,
+      refreshToken,
+      scope
+    );
+    return {
+      response: await this.handleResult({
+        fullProfile: await executeFetchUserProfileStrategy(
+          this._strategy,
+          result.accessToken
+        ),
+        params: { ...result.params, scope },
+        accessToken: result.accessToken
+      }),
+      refreshToken: result.refreshToken
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const expiresInStr = result.params.expires_in;
+    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+    let backstageIdentity = void 0;
+    if (this.signInResolver) {
+      backstageIdentity = await this.signInResolver(
         {
-          profile,
-          result: {
-            fullProfile: result.fullProfile,
-            accessToken: result.session.accessToken,
-            refreshToken: result.session.refreshToken,
-            params: {
-              scope: result.session.scope,
-              expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
-              refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
-            }
-          }
+          result,
+          profile
         },
-        ctx
-      ))
+        this.resolverContext
+      );
+      if (expiresInSeconds) {
+        expiresInSeconds = Math.min(
+          expiresInSeconds,
+          BACKSTAGE_SESSION_EXPIRATION
+        );
+      } else {
+        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+      }
+    }
+    return {
+      backstageIdentity,
+      providerInfo: {
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds
+      },
+      profile
+    };
+  }
+}
+const github = createAuthProviderIntegration({
+  create(options) {
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a, _b, _c;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const enterpriseInstanceUrl = (_a = envConfig.getOptionalString("enterpriseInstanceUrl")) == null ? void 0 : _a.replace(/\/$/, "");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+      const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+      const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+        profile: makeProfileInfo(fullProfile)
+      });
+      const stateEncoder = (_b = options == null ? void 0 : options.stateEncoder) != null ? _b : async (req) => {
+        return { encodedState: encodeState(req.state) };
+      };
+      const provider = new GithubAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        tokenUrl,
+        userProfileUrl,
+        authorizationUrl,
+        signInResolver: (_c = options == null ? void 0 : options.signIn) == null ? void 0 : _c.resolver,
+        authHandler,
+        stateEncoder,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        persistScopes: true,
+        providerId,
+        callbackUrl
+      });
     });
   },
   resolvers: {
@@ -1404,10 +1710,10 @@ const github = createAuthProviderIntegration({
   }
 });
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const gitlabDefaultAuthHandler = async ({
@@ -1418,10 +1724,10 @@ const gitlabDefaultAuthHandler = async ({
 });
 class GitlabAuthProvider {
   constructor(options) {
-    __publicField$c(this, "_strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "resolverContext");
+    __publicField$d(this, "_strategy");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1529,88 +1835,158 @@ const gitlab = createAuthProviderIntegration({
   }
 });
 
-function adaptLegacyOAuthHandler(authHandler) {
-  return authHandler && (async (result, ctx) => authHandler(
-    {
-      fullProfile: result.fullProfile,
-      accessToken: result.session.accessToken,
-      params: {
-        scope: result.session.scope,
-        id_token: result.session.idToken,
-        token_type: result.session.tokenType,
-        expires_in: result.session.expiresInSeconds
-      }
-    },
-    ctx
-  ));
-}
-
-function adaptLegacyOAuthSignInResolver(signInResolver) {
-  return signInResolver && (async (input, ctx) => signInResolver(
-    {
-      profile: input.profile,
-      result: {
-        fullProfile: input.result.fullProfile,
-        accessToken: input.result.session.accessToken,
-        refreshToken: input.result.session.refreshToken,
-        params: {
-          scope: input.result.session.scope,
-          id_token: input.result.session.idToken,
-          token_type: input.result.session.tokenType,
-          expires_in: input.result.session.expiresInSeconds
-        }
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+class GoogleAuthProvider {
+  constructor(options) {
+    __publicField$c(this, "strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.resolverContext = options.resolverContext;
+    this.strategy = new passportGoogleOauth20.Strategy(
+      {
+        clientID: options.clientId,
+        clientSecret: options.clientSecret,
+        callbackURL: options.callbackUrl,
+        passReqToCallback: false
+      },
+      (accessToken, refreshToken, params, fullProfile, done) => {
+        done(
+          void 0,
+          {
+            fullProfile,
+            params,
+            accessToken,
+            refreshToken
+          },
+          {
+            refreshToken
+          }
+        );
       }
-    },
-    ctx
-  ));
-}
-
-function adaptOAuthSignInResolverToLegacy(resolvers) {
-  const legacyResolvers = {};
-  for (const name of Object.keys(resolvers)) {
-    const resolver = resolvers[name];
-    legacyResolvers[name] = () => async (input, ctx) => {
-      var _a;
-      return resolver(
+    );
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this.strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this.strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async logout(req) {
+    const oauthClient = new googleAuthLibrary.OAuth2Client();
+    await oauthClient.revokeToken(req.refreshToken);
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
+      this.strategy,
+      req.refreshToken,
+      req.scope
+    );
+    const fullProfile = await executeFetchUserProfileStrategy(
+      this.strategy,
+      accessToken
+    );
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver(
         {
-          profile: input.profile,
-          result: {
-            fullProfile: input.result.fullProfile,
-            session: {
-              accessToken: input.result.accessToken,
-              expiresInSeconds: input.result.params.expires_in,
-              scope: input.result.params.scope,
-              idToken: input.result.params.id_token,
-              tokenType: (_a = input.result.params.token_type) != null ? _a : "bearer",
-              refreshToken: input.result.refreshToken
-            }
-          }
+          result,
+          profile
         },
-        ctx
+        this.resolverContext
       );
-    };
+    }
+    return response;
   }
-  return legacyResolvers;
 }
-
 const google = createAuthProviderIntegration({
   create(options) {
-    var _a;
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGoogleProvider.googleAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
+    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+      var _a;
+      const clientId = envConfig.getString("clientId");
+      const clientSecret = envConfig.getString("clientSecret");
+      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+        profile: makeProfileInfo(fullProfile, params.id_token)
+      });
+      const provider = new GoogleAuthProvider({
+        clientId,
+        clientSecret,
+        callbackUrl,
+        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+        authHandler,
+        resolverContext
+      });
+      return OAuthAdapter.fromConfig(globalConfig, provider, {
+        providerId,
+        callbackUrl
+      });
     });
   },
-  resolvers: adaptOAuthSignInResolverToLegacy({
-    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
-    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
-    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleGoogleProvider.googleSignInResolvers.emailMatchingUserEntityAnnotation()
-  })
+  resolvers: {
+    /**
+     * Looks up the user by matching their email local part to the entity name.
+     */
+    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
+    /**
+     * Looks up the user by matching their email to the entity email.
+     */
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
+    /**
+     * Looks up the user by matching their email to the `google.com/email` annotation.
+     */
+    emailMatchingUserEntityAnnotation() {
+      return async (info, ctx) => {
+        const { profile } = info;
+        if (!profile.email) {
+          throw new Error("Google profile contained no email");
+        }
+        return ctx.signInWithCatalogUser({
+          annotations: {
+            "google.com/email": profile.email
+          }
+        });
+      };
+    }
+  }
 });
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
-
 var __defProp$b = Object.defineProperty;
 var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$b = (obj, key, value) => {
@@ -3497,7 +3873,7 @@ async function createRouter(options) {
     database,
     tokenManager,
     tokenFactoryAlgorithm,
-    providerFactories = {},
+    providerFactories,
     catalogApi
   } = options;
   const router = Router__default["default"]();
@@ -3514,7 +3890,7 @@ async function createRouter(options) {
     keyStore,
     keyDurationSeconds,
     logger: logger.child({ component: "token-factory" }),
-    algorithm: tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")
+    algorithm: tokenFactoryAlgorithm
   });
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
@@ -3540,23 +3916,21 @@ async function createRouter(options) {
   }
   router.use(express__default["default"].urlencoded({ extended: false }));
   router.use(express__default["default"].json());
-  const allProviderFactories = options.disableDefaultProviderFactories ? providerFactories : {
+  const allProviderFactories = {
     ...defaultAuthProviderFactories,
     ...providerFactories
   };
-  const providersConfig = config.getOptionalConfig("auth.providers");
+  const providersConfig = config.getConfig("auth.providers");
+  const configuredProviders = providersConfig.keys();
   const isOriginAllowed = createOriginFilter(config);
   for (const [providerId, providerFactory] of Object.entries(
     allProviderFactories
   )) {
-    if (providersConfig == null ? void 0 : providersConfig.has(providerId)) {
+    if (configuredProviders.includes(providerId)) {
       logger.info(`Configuring auth provider: ${providerId}`);
       try {
         const provider = providerFactory({
           providerId,
-          appUrl,
-          baseUrl: authUrl,
-          isOriginAllowed,
           globalConfig: {
             baseUrl: authUrl,
             appUrl,
@@ -3635,59 +4009,9 @@ function createOriginFilter(config) {
   };
 }
 
-const authPlugin = backendPluginApi.createBackendPlugin({
-  pluginId: "auth",
-  register(reg) {
-    const providers = /* @__PURE__ */ new Map();
-    reg.registerExtensionPoint(pluginAuthNode.authProvidersExtensionPoint, {
-      registerProvider({ providerId, factory }) {
-        if (providers.has(providerId)) {
-          throw new Error(
-            `Auth provider '${providerId}' was already registered`
-          );
-        }
-        providers.set(providerId, factory);
-      }
-    });
-    reg.registerInit({
-      deps: {
-        httpRouter: backendPluginApi.coreServices.httpRouter,
-        logger: backendPluginApi.coreServices.logger,
-        config: backendPluginApi.coreServices.rootConfig,
-        database: backendPluginApi.coreServices.database,
-        discovery: backendPluginApi.coreServices.discovery,
-        tokenManager: backendPluginApi.coreServices.tokenManager,
-        catalogApi: alpha.catalogServiceRef
-      },
-      async init({
-        httpRouter,
-        logger,
-        config,
-        database,
-        discovery,
-        tokenManager,
-        catalogApi
-      }) {
-        const router = await createRouter({
-          logger,
-          config,
-          database,
-          discovery,
-          tokenManager,
-          catalogApi,
-          providerFactories: Object.fromEntries(providers),
-          disableDefaultProviderFactories: true
-        });
-        httpRouter.use(router);
-      }
-    });
-  }
-});
-
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.authPlugin = authPlugin;
 exports.createAuthProviderIntegration = createAuthProviderIntegration;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;