@backstage/plugin-auth-backend 0.18.9-next.2 → 0.19.0

package/CHANGELOG.md

@@ -1,5 +1,86 @@
 # @backstage/plugin-auth-backend
 
+## 0.19.0
+
+### Minor Changes
+
+- 71114ac50e02: **BREAKING**: The export for the new backend system has been moved to be the `default` export.
+
+  For example, if you are currently importing the plugin using the following pattern:
+
+  ```ts
+  import { examplePlugin } from '@backstage/plugin-example-backend';
+
+  backend.add(examplePlugin);
+  ```
+
+  It should be migrated to this:
+
+  ```ts
+  backend.add(import('@backstage/plugin-example-backend'));
+  ```
+
+### Patch Changes
+
+- 080cc7794700: Migrated the GitLab auth provider to be implemented using the new `@backstage/plugin-auth-backend-module-gitlab-provider` module.
+- 7944d43f4790: Added `authPlugin` export for the new backend system. The plugin does not include any built-in auth providers, they must instead be added by installing additional modules, for example `authModuleGoogleProvider` from `@backstage/plugin-auth-backend-module-google-provider`.
+- 8513cd7d00e3: Deprecated several exports that are now available from `@backstage/plugin-auth-node` instead.
+- 7944d43f4790: Added the ability to disable the built-in auth providers by passing `disableDefaultProviderFactories` to `createRouter`.
+- 7944d43f4790: The algorithm used when generating Backstage tokens can be configured via `auth.identityTokenAlgorithm`.
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.0
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.0
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.0
+  - @backstage/backend-common@0.19.5
+  - @backstage/plugin-auth-node@0.3.0
+  - @backstage/config@1.1.0
+  - @backstage/catalog-client@1.4.4
+  - @backstage/catalog-model@1.4.2
+  - @backstage/errors@1.2.2
+  - @backstage/types@1.1.1
+  - @backstage/backend-plugin-api@0.6.3
+  - @backstage/plugin-catalog-node@1.4.4
+
+## 0.19.0-next.3
+
+### Minor Changes
+
+- 71114ac50e02: **BREAKING**: The export for the new backend system has been moved to be the `default` export.
+
+  For example, if you are currently importing the plugin using the following pattern:
+
+  ```ts
+  import { examplePlugin } from '@backstage/plugin-example-backend';
+
+  backend.add(examplePlugin);
+  ```
+
+  It should be migrated to this:
+
+  ```ts
+  backend.add(import('@backstage/plugin-example-backend'));
+  ```
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.1.0-next.3
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.0-next.3
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.0-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.0-next.3
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.0-next.0
+  - @backstage/catalog-client@1.4.4-next.2
+  - @backstage/catalog-model@1.4.2-next.2
+  - @backstage/config@1.1.0-next.2
+  - @backstage/errors@1.2.2-next.0
+  - @backstage/types@1.1.1-next.0
+  - @backstage/backend-plugin-api@0.6.3-next.3
+  - @backstage/backend-common@0.19.5-next.3
+  - @backstage/plugin-auth-node@0.3.0-next.3
+  - @backstage/plugin-catalog-node@1.4.4-next.3
+
 ## 0.18.9-next.2
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -23,6 +23,7 @@ var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-back
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
 var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
 var passportMicrosoft = require('passport-microsoft');
+var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -74,10 +75,10 @@ var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-var __defProp$i = Object.defineProperty;
-var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$i = (obj, key, value) => {
-  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$h = Object.defineProperty;
+var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$h = (obj, key, value) => {
+  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const defaultScopes = ["offline_access", "read:me"];
@@ -94,7 +95,7 @@ class AtlassianStrategy extends OAuth2Strategy__default["default"] {
       scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
     super(optionsWithURLs, verify);
-    __publicField$i(this, "profileURL");
+    __publicField$h(this, "profileURL");
     this.profileURL = "https://api.atlassian.com/me";
     this.name = "atlassian";
     this._oauth2.useAuthorizationHeaderforGET(true);
@@ -209,10 +210,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$h = Object.defineProperty;
-var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$h = (obj, key, value) => {
-  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$g = Object.defineProperty;
+var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$g = (obj, key, value) => {
+  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -221,8 +222,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$h(this, "baseCookieOptions");
-    __publicField$h(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$g(this, "baseCookieOptions");
+    __publicField$g(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -230,34 +231,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$h(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$g(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$h(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$g(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$h(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$g(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$h(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$g(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$h(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$g(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$h(this, "getCookieConfig", (origin) => {
+    __publicField$g(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -563,10 +564,10 @@ function createAuthProviderIntegration(config) {
   });
 }
 
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const atlassianDefaultAuthHandler = async ({
@@ -577,10 +578,10 @@ const atlassianDefaultAuthHandler = async ({
 });
 class AtlassianAuthProvider {
   constructor(options) {
-    __publicField$g(this, "_strategy");
-    __publicField$g(this, "signInResolver");
-    __publicField$g(this, "authHandler");
-    __publicField$g(this, "resolverContext");
+    __publicField$f(this, "_strategy");
+    __publicField$f(this, "signInResolver");
+    __publicField$f(this, "authHandler");
+    __publicField$f(this, "resolverContext");
     this.resolverContext = options.resolverContext;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -698,21 +699,21 @@ class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
   }
 }
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$f(this, "_strategy");
-    __publicField$f(this, "signInResolver");
-    __publicField$f(this, "authHandler");
-    __publicField$f(this, "resolverContext");
-    __publicField$f(this, "audience");
-    __publicField$f(this, "connection");
-    __publicField$f(this, "connectionScope");
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
+    __publicField$e(this, "audience");
+    __publicField$e(this, "connection");
+    __publicField$e(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -721,7 +722,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$f(this, "store", {
+    __publicField$e(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -862,23 +863,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$e(this, "region");
-    __publicField$e(this, "issuer");
-    __publicField$e(this, "resolverContext");
-    __publicField$e(this, "keyCache");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "getKey", async (header) => {
+    __publicField$d(this, "region");
+    __publicField$d(this, "issuer");
+    __publicField$d(this, "resolverContext");
+    __publicField$d(this, "keyCache");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -1006,18 +1007,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$d(this, "_strategy");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "resolverContext");
+    __publicField$c(this, "_strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1185,10 +1186,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1196,12 +1197,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$c(this, "teamName");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "jwtKeySet");
-    __publicField$c(this, "cache");
+    __publicField$b(this, "teamName");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "jwtKeySet");
+    __publicField$b(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1497,20 +1498,20 @@ const google = createAuthProviderIntegration({
 
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$a = Object.defineProperty;
+var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$a = (obj, key, value) => {
+  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class MicrosoftAuthProvider {
   constructor(options) {
-    __publicField$b(this, "_strategy");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "logger");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "skipUserProfile", (accessToken) => {
+    __publicField$a(this, "_strategy");
+    __publicField$a(this, "signInResolver");
+    __publicField$a(this, "authHandler");
+    __publicField$a(this, "logger");
+    __publicField$a(this, "resolverContext");
+    __publicField$a(this, "skipUserProfile", (accessToken) => {
       const { aud, scp } = jose.decodeJwt(accessToken);
       const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
       return !hasGraphReadScope;
@@ -1675,153 +1676,13 @@ const microsoft = createAuthProviderIntegration({
   }
 });
 
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class OAuth2AuthProvider {
-  constructor(options) {
-    __publicField$a(this, "_strategy");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "authHandler");
-    __publicField$a(this, "resolverContext");
-    __publicField$a(this, "disableRefresh");
-    var _a;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-    this.disableRefresh = (_a = options.disableRefresh) != null ? _a : false;
-    this._strategy = new OAuth2Strategy.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        authorizationURL: options.authorizationUrl,
-        tokenURL: options.tokenUrl,
-        passReqToCallback: false,
-        scope: options.scope,
-        customHeaders: options.includeBasicAuth ? {
-          Authorization: `Basic ${this.encodeClientCredentials(
-            options.clientId,
-            options.clientSecret
-          )}`
-        } : void 0
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(
-          void 0,
-          {
-            fullProfile,
-            accessToken,
-            refreshToken,
-            params
-          },
-          {
-            refreshToken
-          }
-        );
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    if (this.disableRefresh) {
-      throw new errors.InputError("Session refreshes have been disabled");
-    }
-    const refreshTokenResponse = await executeRefreshTokenStrategy(
-      this._strategy,
-      req.refreshToken,
-      req.scope
-    );
-    const { accessToken, params, refreshToken } = refreshTokenResponse;
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this._strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
-  }
-  encodeClientCredentials(clientID, clientSecret) {
-    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
-  }
-}
 const oauth2 = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a, _b;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authorizationUrl = envConfig.getString("authorizationUrl");
-      const tokenUrl = envConfig.getString("tokenUrl");
-      const scope = envConfig.getOptionalString("scope");
-      const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
-      const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
-      });
-      const provider = new OAuth2AuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
-        authHandler,
-        authorizationUrl,
-        tokenUrl,
-        scope,
-        includeBasicAuth,
-        resolverContext,
-        disableRefresh
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOauth2Provider.oauth2Authenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   }
 });
@@ -3573,10 +3434,10 @@ const authPlugin = backendPluginApi.createBackendPlugin({
 exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.authPlugin = authPlugin;
 exports.createAuthProviderIntegration = createAuthProviderIntegration;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
+exports["default"] = authPlugin;
 exports.defaultAuthProviderFactories = defaultAuthProviderFactories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;