@backstage/plugin-auth-backend 0.18.8-next.0 → 0.18.8

package/dist/index.d.ts

@@ -1,31 +1,43 @@
 /// <reference types="node" />
-import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
-import { LoggerService } from '@backstage/backend-plugin-api';
 import express from 'express';
-import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
-import { BackstageSignInResult, OAuthState as OAuthState$1, AuthResolverCatalogUserQuery as AuthResolverCatalogUserQuery$1, AuthResolverContext as AuthResolverContext$1, CookieConfigurer as CookieConfigurer$1, AuthProviderConfig as AuthProviderConfig$1, AuthProviderRouteHandlers as AuthProviderRouteHandlers$1, AuthProviderFactory as AuthProviderFactory$1, ClientAuthResponse, ProfileInfo as ProfileInfo$1, SignInInfo as SignInInfo$1, SignInResolver as SignInResolver$1, OAuthEnvironmentHandler as OAuthEnvironmentHandler$1, decodeOAuthState, encodeOAuthState, prepareBackstageIdentityResponse as prepareBackstageIdentityResponse$1, TokenParams as TokenParams$1, WebMessageResponse as WebMessageResponse$1 } from '@backstage/plugin-auth-node';
+import { Logger } from 'winston';
+import { GetEntitiesRequest, CatalogApi } from '@backstage/catalog-client';
+import { Entity, UserEntity } from '@backstage/catalog-model';
+import { Config } from '@backstage/config';
+import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
+import { JsonValue } from '@backstage/types';
 import { Profile } from 'passport';
 import { PluginDatabaseManager, PluginEndpointDiscovery, TokenManager } from '@backstage/backend-common';
-import { CatalogApi } from '@backstage/catalog-client';
-import { Config } from '@backstage/config';
 import { IncomingHttpHeaders } from 'http';
 import { TokenSet, UserinfoResponse } from 'openid-client';
-import * as _backstage_plugin_auth_backend_module_gcp_iap_provider from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
-import { GcpIapTokenInfo as GcpIapTokenInfo$1, GcpIapResult as GcpIapResult$1 } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
-import { UserEntity, Entity } from '@backstage/catalog-model';
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
 
 /**
- * Auth plugin
+ * Parameters used to issue new ID Tokens
  *
  * @public
  */
-declare const authPlugin: () => _backstage_backend_plugin_api.BackendFeature;
+type TokenParams = {
+    /**
+     * The claims that will be embedded within the token. At a minimum, this should include
+     * the subject claim, `sub`. It is common to also list entity ownership relations in the
+     * `ent` list. Additional claims may also be added at the developer's discretion except
+     * for the following list, which will be overwritten by the TokenIssuer: `iss`, `aud`,
+     * `iat`, and `exp`. The Backstage team also maintains the right add new claims in the future
+     * without listing the change as a "breaking change".
+     */
+    claims: {
+        /** The token subject, i.e. User ID */
+        sub: string;
+        /** A list of entity references that the user claims ownership through */
+        ent?: string[];
+    } & Record<string, JsonValue>;
+};
 
 /**
  * Common options for passport.js-based OAuth providers
  *
  * @public
- * @deprecated No longer in use
  */
 type OAuthProviderOptions = {
     /**
@@ -41,34 +53,28 @@ type OAuthProviderOptions = {
      */
     callbackUrl: string;
 };
-/**
- * @public
- * @deprecated Use `OAuthAuthenticatorResult<PassportProfile>` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type OAuthResult = {
     fullProfile: Profile;
     params: {
         id_token?: string;
         scope: string;
-        token_type?: string;
         expires_in: number;
     };
     accessToken: string;
     refreshToken?: string;
 };
 /**
+ * The expected response from an OAuth flow.
+ *
  * @public
- * @deprecated Use `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
  */
 type OAuthResponse = {
     profile: ProfileInfo;
     providerInfo: OAuthProviderInfo;
     backstageIdentity?: BackstageSignInResult;
 };
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type OAuthProviderInfo = {
     /**
      * An access token issued for the signed in user.
@@ -87,37 +93,35 @@ type OAuthProviderInfo = {
      */
     scope: string;
 };
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type OAuthState = OAuthState$1;
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
+type OAuthState = {
+    nonce: string;
+    env: string;
+    origin?: string;
+    scope?: string;
+    redirectUrl?: string;
+    flow?: string;
+};
+/** @public */
 type OAuthStartRequest = express.Request<{}> & {
     scope: string;
     state: OAuthState;
 };
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type OAuthRefreshRequest = express.Request<{}> & {
     scope: string;
     refreshToken: string;
 };
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type OAuthLogoutRequest = express.Request<{}> & {
     refreshToken: string;
 };
 /**
+ * Any OAuth provider needs to implement this interface which has provider specific
+ * handlers for different methods to perform authentication, get access tokens,
+ * refresh tokens and perform sign out.
+ *
  * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 interface OAuthHandlers {
     /**
@@ -145,24 +149,99 @@ interface OAuthHandlers {
 }
 
 /**
+ * A query for a single user in the catalog.
+ *
+ * If `entityRef` is used, the default kind is `'User'`.
+ *
+ * If `annotations` are used, all annotations must be present and
+ * match the provided value exactly. Only entities of kind `'User'` will be considered.
+ *
+ * If `filter` are used they are passed on as they are to the `CatalogApi`.
+ *
+ * Regardless of the query method, the query must match exactly one entity
+ * in the catalog, or an error will be thrown.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthResolverCatalogUserQuery = AuthResolverCatalogUserQuery$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type AuthResolverContext = AuthResolverContext$1;
+type AuthResolverCatalogUserQuery = {
+    entityRef: string | {
+        kind?: string;
+        namespace?: string;
+        name: string;
+    };
+} | {
+    annotations: Record<string, string>;
+} | {
+    filter: Exclude<GetEntitiesRequest['filter'], undefined>;
+};
 /**
+ * The context that is used for auth processing.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type CookieConfigurer = CookieConfigurer$1;
+type AuthResolverContext = {
+    /**
+     * Issues a Backstage token using the provided parameters.
+     */
+    issueToken(params: TokenParams): Promise<{
+        token: string;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    findCatalogUser(query: AuthResolverCatalogUserQuery): Promise<{
+        entity: Entity;
+    }>;
+    /**
+     * Finds a single user in the catalog using the provided query, and then
+     * issues an identity for that user using default ownership resolution.
+     *
+     * See {@link AuthResolverCatalogUserQuery} for details.
+     */
+    signInWithCatalogUser(query: AuthResolverCatalogUserQuery): Promise<BackstageSignInResult>;
+};
 /**
+ * The callback used to resolve the cookie configuration for auth providers that use cookies.
  * @public
- * @deprecated Use `createOAuthAuthenticator` from `@backstage/plugin-auth-node` instead
  */
+type CookieConfigurer = (ctx: {
+    /** ID of the auth provider that this configuration applies to */
+    providerId: string;
+    /** The externally reachable base URL of the auth-backend plugin */
+    baseUrl: string;
+    /** The configured callback URL of the auth provider */
+    callbackUrl: string;
+    /** The origin URL of the app */
+    appOrigin: string;
+}) => {
+    domain: string;
+    path: string;
+    secure: boolean;
+    sameSite?: 'none' | 'lax' | 'strict';
+};
+/** @public */
+type AuthProviderConfig = {
+    /**
+     * The protocol://domain[:port] where the app is hosted. This is used to construct the
+     * callbackURL to redirect to once the user signs in to the auth provider.
+     */
+    baseUrl: string;
+    /**
+     * The base URL of the app as provided by app.baseUrl
+     */
+    appUrl: string;
+    /**
+     * A function that is called to check whether an origin is allowed to receive the authentication result.
+     */
+    isOriginAllowed: (origin: string) => boolean;
+    /**
+     * The function used to resolve cookie configuration based on the auth provider options.
+     */
+    cookieConfigurer?: CookieConfigurer;
+};
+/** @public */
 type OAuthStartResponse = {
     /**
      * URL to redirect to
@@ -174,46 +253,125 @@ type OAuthStartResponse = {
     status?: number;
 };
 /**
+ * Any Auth provider needs to implement this interface which handles the routes in the
+ * auth backend. Any auth API requests from the frontend reaches these methods.
+ *
+ * The routes in the auth backend API are tied to these methods like below
+ *
+ * `/auth/[provider]/start -> start`
+ * `/auth/[provider]/handler/frame -> frameHandler`
+ * `/auth/[provider]/refresh -> refresh`
+ * `/auth/[provider]/logout -> logout`
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderConfig = AuthProviderConfig$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderRouteHandlers = AuthProviderRouteHandlers$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderFactory = AuthProviderFactory$1;
-/**
- * @public
- * @deprecated import `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
  */
-type AuthResponse<TProviderInfo> = ClientAuthResponse<TProviderInfo>;
+interface AuthProviderRouteHandlers {
+    /**
+     * Handles the start route of the API. This initiates a sign in request with an auth provider.
+     *
+     * Request
+     * - scopes for the auth request (Optional)
+     * Response
+     * - redirect to the auth provider for the user to sign in or consent.
+     * - sets a nonce cookie and also pass the nonce as 'state' query parameter in the redirect request
+     */
+    start(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * Once the user signs in or consents in the OAuth screen, the auth provider redirects to the
+     * callbackURL which is handled by this method.
+     *
+     * Request
+     * - to contain a nonce cookie and a 'state' query parameter
+     * Response
+     * - postMessage to the window with a payload that contains accessToken, expiryInSeconds?, idToken? and scope.
+     * - sets a refresh token cookie if the auth provider supports refresh tokens
+     */
+    frameHandler(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * (Optional) If the auth provider supports refresh tokens then this method handles
+     * requests to get a new access token.
+     *
+     * Request
+     * - to contain a refresh token cookie and scope (Optional) query parameter.
+     * Response
+     * - payload with accessToken, expiryInSeconds?, idToken?, scope and user profile information.
+     */
+    refresh?(req: express.Request, res: express.Response): Promise<void>;
+    /**
+     * (Optional) Handles sign out requests
+     *
+     * Response
+     * - removes the refresh token cookie
+     */
+    logout?(req: express.Request, res: express.Response): Promise<void>;
+}
+/** @public */
+type AuthProviderFactory = (options: {
+    providerId: string;
+    globalConfig: AuthProviderConfig;
+    config: Config;
+    logger: Logger;
+    resolverContext: AuthResolverContext;
+}) => AuthProviderRouteHandlers;
+/** @public */
+type AuthResponse<ProviderInfo> = {
+    providerInfo: ProviderInfo;
+    profile: ProfileInfo;
+    backstageIdentity?: BackstageIdentityResponse;
+};
 /**
+ * Used to display login information to user, i.e. sidebar popup.
+ *
+ * It is also temporarily used as the profile of the signed-in user's Backstage
+ * identity, but we want to replace that with data from identity and/org catalog
+ * service
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type ProfileInfo = ProfileInfo$1;
+type ProfileInfo = {
+    /**
+     * Email ID of the signed in user.
+     */
+    email?: string;
+    /**
+     * Display name that can be presented to the signed in user.
+     */
+    displayName?: string;
+    /**
+     * URL to an image that can be used as the display image or avatar of the
+     * signed in user.
+     */
+    picture?: string;
+};
 /**
+ * Type of sign in information context. Includes the profile information and
+ * authentication result which contains auth related information.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type SignInInfo<TAuthResult> = SignInInfo$1<TAuthResult>;
+type SignInInfo<TAuthResult> = {
+    /**
+     * The simple profile passed down for use in the frontend.
+     */
+    profile: ProfileInfo;
+    /**
+     * The authentication result that was received from the authentication
+     * provider.
+     */
+    result: TAuthResult;
+};
 /**
+ * Describes the function which handles the result of a successful
+ * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type SignInResolver<TAuthResult> = SignInResolver$1<TAuthResult>;
+type SignInResolver<TAuthResult> = (info: SignInInfo<TAuthResult>, context: AuthResolverContext) => Promise<BackstageSignInResult>;
 /**
  * The return type of an authentication handler. Must contain valid profile
  * information.
  *
  * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 type AuthHandlerResult = {
     profile: ProfileInfo;
@@ -230,13 +388,9 @@ type AuthHandlerResult = {
  * group of users.
  *
  * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
  */
 type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext) => Promise<AuthHandlerResult>;
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type StateEncoder = (req: OAuthStartRequest) => Promise<{
     encodedState: string;
 }>;
@@ -254,16 +408,20 @@ type EasyAuthResult = {
     accessToken?: string;
 };
 
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-declare const OAuthEnvironmentHandler: typeof OAuthEnvironmentHandler$1;
+/** @public */
+declare class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {
+    private readonly handlers;
+    static mapConfig(config: Config, factoryFunc: (envConfig: Config) => AuthProviderRouteHandlers): OAuthEnvironmentHandler;
+    constructor(handlers: Map<string, AuthProviderRouteHandlers>);
+    start(req: express.Request, res: express.Response): Promise<void>;
+    frameHandler(req: express.Request, res: express.Response): Promise<void>;
+    refresh(req: express.Request, res: express.Response): Promise<void>;
+    logout(req: express.Request, res: express.Response): Promise<void>;
+    private getRequestFromEnv;
+    private getProviderForEnv;
+}
 
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 type OAuthAdapterOptions = {
     providerId: string;
     persistScopes?: boolean;
@@ -273,10 +431,7 @@ type OAuthAdapterOptions = {
     isOriginAllowed: (origin: string) => boolean;
     callbackUrl: string;
 };
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
     private readonly options;
@@ -301,20 +456,11 @@ declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private getCookieConfig;
 }
 
-/**
- * @public
- * @deprecated Use `decodeOAuthState` from `@backstage/plugin-auth-node` instead
- */
-declare const readState: typeof decodeOAuthState;
-/**
- * @public
- * @deprecated Use `encodeOAuthState` from `@backstage/plugin-auth-node` instead
- */
-declare const encodeState: typeof encodeOAuthState;
-/**
- * @public
- * @deprecated Use inline logic to make sure the session and state nonce matches instead.
- */
+/** @public */
+declare const readState: (stateString: string) => OAuthState;
+/** @public */
+declare const encodeState: (state: OAuthState) => string;
+/** @public */
 declare const verifyNonce: (req: express.Request, providerId: string) => void;
 
 /** @public */
@@ -514,17 +660,33 @@ type SamlAuthResult = {
  * The data extracted from an IAP token.
  *
  * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
  */
-type GcpIapTokenInfo = GcpIapTokenInfo$1;
+type GcpIapTokenInfo = {
+    /**
+     * The unique, stable identifier for the user.
+     */
+    sub: string;
+    /**
+     * User email address.
+     */
+    email: string;
+    /**
+     * Other fields.
+     */
+    [key: string]: JsonValue;
+};
 /**
  * The result of the initial auth challenge. This is the input to the auth
  * callbacks.
  *
  * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
  */
-type GcpIapResult = GcpIapResult$1;
+type GcpIapResult = {
+    /**
+     * The data extracted from the IAP token header.
+     */
+    iapToken: GcpIapTokenInfo;
+};
 
 /**
  * All built-in auth provider integrations.
@@ -538,7 +700,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     auth0: Readonly<{
@@ -547,7 +709,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     awsAlb: Readonly<{
@@ -556,7 +718,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<AwsAlbResult>;
             };
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     bitbucket: Readonly<{
@@ -565,7 +727,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             usernameMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
             userIdMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
@@ -577,7 +739,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<BitbucketServerOAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             emailMatchingUserEntityProfileEmail: () => SignInResolver<BitbucketServerOAuthResult>;
         }>;
@@ -589,30 +751,30 @@ declare const providers: Readonly<{
                 resolver: SignInResolver<CloudflareAccessResult>;
             };
             cache?: _backstage_backend_plugin_api.CacheService | undefined;
-        }) => _backstage_plugin_auth_node.AuthProviderFactory;
+        }) => AuthProviderFactory;
         resolvers: Readonly<{
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
         }>;
     }>;
     gcpIap: Readonly<{
         create: (options: {
-            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_gcp_iap_provider.GcpIapResult> | undefined;
+            authHandler?: AuthHandler<GcpIapResult> | undefined;
             signIn: {
-                resolver: SignInResolver<_backstage_plugin_auth_backend_module_gcp_iap_provider.GcpIapResult>;
+                resolver: SignInResolver<GcpIapResult>;
             };
-        }) => _backstage_plugin_auth_node.AuthProviderFactory;
+        }) => AuthProviderFactory;
         resolvers: never;
     }>;
     github: Readonly<{
         create: (options?: {
             authHandler?: AuthHandler<GithubOAuthResult> | undefined;
             signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
+                resolver: SignInResolver<GithubOAuthResult>;
             } | undefined;
             stateEncoder?: StateEncoder | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
-            usernameMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
+            usernameMatchingUserEntityName: () => SignInResolver<GithubOAuthResult>;
         }>;
     }>;
     gitlab: Readonly<{
@@ -621,7 +783,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     google: Readonly<{
@@ -630,11 +792,11 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
+            emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
+            emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
+            emailMatchingUserEntityAnnotation(): SignInResolver<OAuthResult>;
         }>;
     }>;
     microsoft: Readonly<{
@@ -643,7 +805,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -656,7 +818,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     oauth2Proxy: Readonly<{
@@ -665,7 +827,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
             };
-        }) => _backstage_plugin_auth_node.AuthProviderFactory;
+        }) => AuthProviderFactory;
         resolvers: never;
     }>;
     oidc: Readonly<{
@@ -674,7 +836,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OidcAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -686,7 +848,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             emailLocalPartMatchingUserEntityName: () => SignInResolver<unknown>;
             emailMatchingUserEntityProfileEmail: () => SignInResolver<unknown>;
@@ -699,7 +861,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<OAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
     saml: Readonly<{
@@ -708,7 +870,7 @@ declare const providers: Readonly<{
             signIn?: {
                 resolver: SignInResolver<SamlAuthResult>;
             } | undefined;
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: Readonly<{
             nameIdMatchingUserEntityName(): SignInResolver<SamlAuthResult>;
         }>;
@@ -719,7 +881,7 @@ declare const providers: Readonly<{
             signIn: {
                 resolver: SignInResolver<EasyAuthResult>;
             };
-        } | undefined) => _backstage_plugin_auth_node.AuthProviderFactory;
+        } | undefined) => AuthProviderFactory;
         resolvers: never;
     }>;
 }>;
@@ -752,10 +914,13 @@ declare function createAuthProviderIntegration<TCreateOptions extends unknown[],
 }>;
 
 /**
+ * Parses a Backstage-issued token and decorates the
+ * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
+ * token.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-declare const prepareBackstageIdentityResponse: typeof prepareBackstageIdentityResponse$1;
+declare function prepareBackstageIdentityResponse(result: BackstageSignInResult): BackstageIdentityResponse;
 
 /** @public */
 type ProviderFactories = {
@@ -763,14 +928,13 @@ type ProviderFactories = {
 };
 /** @public */
 interface RouterOptions {
-    logger: LoggerService;
+    logger: Logger;
     database: PluginDatabaseManager;
     config: Config;
     discovery: PluginEndpointDiscovery;
     tokenManager: TokenManager;
     tokenFactoryAlgorithm?: string;
     providerFactories?: ProviderFactories;
-    disableDefaultProviderFactories?: boolean;
     catalogApi?: CatalogApi;
 }
 /** @public */
@@ -779,26 +943,22 @@ declare function createRouter(options: RouterOptions): Promise<express.Router>;
 declare function createOriginFilter(config: Config): (origin: string) => boolean;
 
 /**
+ * Payload sent as a post message after the auth request is complete.
+ * If successful then has a valid payload with Auth information else contains an error.
+ *
  * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type TokenParams = TokenParams$1;
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
  */
-type WebMessageResponse = WebMessageResponse$1;
+type WebMessageResponse = {
+    type: 'authorization_response';
+    response: AuthResponse<unknown>;
+} | {
+    type: 'authorization_response';
+    error: Error;
+};
 
-/**
- * @public
- * @deprecated Use `sendWebMessageResponse` from `@backstage/plugin-auth-node` instead
- */
+/** @public */
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
-/**
- * @public
- * @deprecated Use inline logic to check that the `X-Requested-With` header is set to `'XMLHttpRequest'` instead.
- */
+/** @public */
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
 /**
@@ -830,7 +990,7 @@ declare class CatalogIdentityClient {
      */
     resolveCatalogMembership(query: {
         entityRefs: string[];
-        logger?: LoggerService;
+        logger?: Logger;
     }): Promise<string[]>;
 }
 
@@ -844,4 +1004,4 @@ declare class CatalogIdentityClient {
  */
 declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
 
-export { AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketServerOAuthResult, CatalogIdentityClient, CloudflareAccessClaims, CloudflareAccessGroup, CloudflareAccessIdentityProfile, CloudflareAccessResult, CookieConfigurer, EasyAuthResult, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, OAuth2ProxyResult, OAuthAdapter, OAuthAdapterOptions, OAuthEnvironmentHandler, OAuthHandlers, OAuthLogoutRequest, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthStartResponse, OAuthState, OidcAuthResult, ProfileInfo, ProviderFactories, RouterOptions, SamlAuthResult, SignInInfo, SignInResolver, StateEncoder, TokenParams, WebMessageResponse, authPlugin, createAuthProviderIntegration, createOriginFilter, createRouter, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };
+export { AuthHandler, AuthHandlerResult, AuthProviderConfig, AuthProviderFactory, AuthProviderRouteHandlers, AuthResolverCatalogUserQuery, AuthResolverContext, AuthResponse, AwsAlbResult, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketServerOAuthResult, CatalogIdentityClient, CloudflareAccessClaims, CloudflareAccessGroup, CloudflareAccessIdentityProfile, CloudflareAccessResult, CookieConfigurer, EasyAuthResult, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, OAuth2ProxyResult, OAuthAdapter, OAuthAdapterOptions, OAuthEnvironmentHandler, OAuthHandlers, OAuthLogoutRequest, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthStartResponse, OAuthState, OidcAuthResult, ProfileInfo, ProviderFactories, RouterOptions, SamlAuthResult, SignInInfo, SignInResolver, StateEncoder, TokenParams, WebMessageResponse, createAuthProviderIntegration, createOriginFilter, createRouter, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };