@backstage/plugin-auth-backend 0.20.0 → 0.20.1-next.1

package/dist/index.cjs.js

@@ -8,12 +8,12 @@ var alpha = require('@backstage/plugin-catalog-node/alpha');
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
-var OAuth2Strategy = require('passport-oauth2');
+var pluginAuthBackendModuleAtlassianProvider = require('@backstage/plugin-auth-backend-module-atlassian-provider');
+var Auth0InternalStrategy = require('passport-auth0');
 var crypto = require('crypto');
 var url = require('url');
 var errors = require('@backstage/errors');
 var jwtDecoder = require('jwt-decode');
-var Auth0InternalStrategy = require('passport-auth0');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
@@ -24,10 +24,12 @@ var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-back
 var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
 var passportMicrosoft = require('passport-microsoft');
 var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
+var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth-backend-module-oauth2-proxy-provider');
 var openidClient = require('openid-client');
-var passportOktaOauth = require('@davidzemon/passport-okta-oauth');
+var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
+var passportOauth2 = require('passport-oauth2');
 var catalogClient = require('@backstage/catalog-client');
 var catalogModel = require('@backstage/catalog-model');
 var luxon = require('luxon');
@@ -65,82 +67,109 @@ function _interopNamespace(e) {
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
-var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
+var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
-var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-var __defProp$j = Object.defineProperty;
-var __defNormalProp$j = (obj, key, value) => key in obj ? __defProp$j(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$j = (obj, key, value) => {
-  __defNormalProp$j(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const defaultScopes = ["offline_access", "read:me"];
-class AtlassianStrategy extends OAuth2Strategy__default["default"] {
-  constructor(options, verify) {
-    if (!options.scope) {
-      throw new TypeError("Atlassian requires a scope option");
-    }
-    const scopes = options.scope.split(" ");
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://auth.atlassian.com/authorize`,
-      tokenURL: `https://auth.atlassian.com/oauth/token`,
-      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
-    };
-    super(optionsWithURLs, verify);
-    __publicField$j(this, "profileURL");
-    this.profileURL = "https://api.atlassian.com/me";
-    this.name = "atlassian";
-    this._oauth2.useAuthorizationHeaderforGET(true);
-  }
-  authorizationParams() {
-    return {
-      audience: "api.atlassian.com",
-      prompt: "consent"
-    };
-  }
-  userProfile(accessToken, done) {
-    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
-      if (err) {
-        return done(
-          new OAuth2Strategy.InternalOAuthError(
-            "Failed to fetch user profile",
-            err.statusCode
-          )
-        );
-      }
-      if (!body) {
-        return done(
-          new Error("Failed to fetch user profile, body cannot be empty")
-        );
+function createAuthProviderIntegration(config) {
+  var _a;
+  return Object.freeze({
+    ...config,
+    resolvers: Object.freeze((_a = config.resolvers) != null ? _a : {})
+  });
+}
+
+function adaptLegacyOAuthHandler(authHandler) {
+  return authHandler && (async (result, ctx) => authHandler(
+    {
+      fullProfile: result.fullProfile,
+      accessToken: result.session.accessToken,
+      params: {
+        scope: result.session.scope,
+        id_token: result.session.idToken,
+        token_type: result.session.tokenType,
+        expires_in: result.session.expiresInSeconds
       }
-      try {
-        const json = typeof body !== "string" ? body.toString() : body;
-        const profile = AtlassianStrategy.parse(json);
-        return done(null, profile);
-      } catch (e) {
-        return done(new Error("Failed to parse user profile"));
+    },
+    ctx
+  ));
+}
+
+function adaptLegacyOAuthSignInResolver(signInResolver) {
+  return signInResolver && (async (input, ctx) => signInResolver(
+    {
+      profile: input.profile,
+      result: {
+        fullProfile: input.result.fullProfile,
+        accessToken: input.result.session.accessToken,
+        refreshToken: input.result.session.refreshToken,
+        params: {
+          scope: input.result.session.scope,
+          id_token: input.result.session.idToken,
+          token_type: input.result.session.tokenType,
+          expires_in: input.result.session.expiresInSeconds
+        }
       }
+    },
+    ctx
+  ));
+}
+
+function adaptOAuthSignInResolverToLegacy(resolvers) {
+  const legacyResolvers = {};
+  for (const name of Object.keys(resolvers)) {
+    const resolver = resolvers[name];
+    legacyResolvers[name] = () => async (input, ctx) => {
+      var _a;
+      return resolver(
+        {
+          profile: input.profile,
+          result: {
+            fullProfile: input.result.fullProfile,
+            session: {
+              accessToken: input.result.accessToken,
+              expiresInSeconds: input.result.params.expires_in,
+              scope: input.result.params.scope,
+              idToken: input.result.params.id_token,
+              tokenType: (_a = input.result.params.token_type) != null ? _a : "bearer",
+              refreshToken: input.result.refreshToken
+            }
+          }
+        },
+        ctx
+      );
+    };
+  }
+  return legacyResolvers;
+}
+
+const atlassian = createAuthProviderIntegration({
+  create(options) {
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleAtlassianProvider.atlassianAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   }
-  static parse(json) {
-    const resp = JSON.parse(json);
-    return {
-      id: resp.account_id,
-      provider: "atlassian",
-      username: resp.nickname,
-      displayName: resp.name,
-      emails: [{ value: resp.email }],
-      photos: [{ value: resp.picture }]
+});
+
+class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
+  constructor(options, verify) {
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://${options.domain}/authorize`,
+      tokenURL: `https://${options.domain}/oauth/token`,
+      userInfoURL: `https://${options.domain}/userinfo`,
+      apiUrl: `https://${options.domain}/api`
     };
+    super(optionsWithURLs, verify);
   }
 }
 
@@ -211,10 +240,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$i = Object.defineProperty;
-var __defNormalProp$i = (obj, key, value) => key in obj ? __defProp$i(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$i = (obj, key, value) => {
-  __defNormalProp$i(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -223,8 +252,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$i(this, "baseCookieOptions");
-    __publicField$i(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$f(this, "baseCookieOptions");
+    __publicField$f(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -232,34 +261,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$i(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$f(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$f(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$i(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$f(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$i(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$f(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$f(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$i(this, "getCookieConfig", (origin) => {
+    __publicField$f(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -557,164 +586,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-function createAuthProviderIntegration(config) {
-  var _a;
-  return Object.freeze({
-    ...config,
-    resolvers: Object.freeze((_a = config.resolvers) != null ? _a : {})
-  });
-}
-
-var __defProp$h = Object.defineProperty;
-var __defNormalProp$h = (obj, key, value) => key in obj ? __defProp$h(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$h = (obj, key, value) => {
-  __defNormalProp$h(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const atlassianDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class AtlassianAuthProvider {
-  constructor(options) {
-    __publicField$h(this, "_strategy");
-    __publicField$h(this, "signInResolver");
-    __publicField$h(this, "authHandler");
-    __publicField$h(this, "resolverContext");
-    this.resolverContext = options.resolverContext;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new AtlassianStrategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        scope: options.scopes
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(void 0, {
-          fullProfile,
-          accessToken,
-          refreshToken,
-          params
-        });
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result } = await executeFrameHandlerStrategy(
-      req,
-      this._strategy
-    );
-    return {
-      response: await this.handleResult(result),
-      refreshToken: result.refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
-  }
-  async refresh(req) {
-    const { accessToken, params, refreshToken } = await executeRefreshTokenStrategy(
-      this._strategy,
-      req.refreshToken,
-      req.scope
-    );
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this._strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-}
-const atlassian = createAuthProviderIntegration({
-  create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a, _b;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const scopes = envConfig.getString("scopes");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
-      const provider = new AtlassianAuthProvider({
-        clientId,
-        clientSecret,
-        scopes,
-        callbackUrl,
-        authHandler,
-        signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
-    });
-  }
-});
-
-class Auth0Strategy extends Auth0InternalStrategy__default["default"] {
-  constructor(options, verify) {
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://${options.domain}/authorize`,
-      tokenURL: `https://${options.domain}/oauth/token`,
-      userInfoURL: `https://${options.domain}/userinfo`,
-      apiUrl: `https://${options.domain}/api`
-    };
-    super(optionsWithURLs, verify);
-  }
-}
-
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$g(this, "_strategy");
-    __publicField$g(this, "signInResolver");
-    __publicField$g(this, "authHandler");
-    __publicField$g(this, "resolverContext");
-    __publicField$g(this, "audience");
-    __publicField$g(this, "connection");
-    __publicField$g(this, "connectionScope");
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
+    __publicField$e(this, "audience");
+    __publicField$e(this, "connection");
+    __publicField$e(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -723,7 +609,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$g(this, "store", {
+    __publicField$e(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -864,23 +750,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$f(this, "region");
-    __publicField$f(this, "issuer");
-    __publicField$f(this, "resolverContext");
-    __publicField$f(this, "keyCache");
-    __publicField$f(this, "authHandler");
-    __publicField$f(this, "signInResolver");
-    __publicField$f(this, "getKey", async (header) => {
+    __publicField$d(this, "region");
+    __publicField$d(this, "issuer");
+    __publicField$d(this, "resolverContext");
+    __publicField$d(this, "keyCache");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -1008,18 +894,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$e(this, "_strategy");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "resolverContext");
+    __publicField$c(this, "_strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1187,10 +1073,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1198,12 +1084,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$d(this, "teamName");
-    __publicField$d(this, "resolverContext");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "jwtKeySet");
-    __publicField$d(this, "cache");
+    __publicField$b(this, "teamName");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "jwtKeySet");
+    __publicField$b(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1406,70 +1292,6 @@ const github = createAuthProviderIntegration({
   }
 });
 
-function adaptLegacyOAuthHandler(authHandler) {
-  return authHandler && (async (result, ctx) => authHandler(
-    {
-      fullProfile: result.fullProfile,
-      accessToken: result.session.accessToken,
-      params: {
-        scope: result.session.scope,
-        id_token: result.session.idToken,
-        token_type: result.session.tokenType,
-        expires_in: result.session.expiresInSeconds
-      }
-    },
-    ctx
-  ));
-}
-
-function adaptLegacyOAuthSignInResolver(signInResolver) {
-  return signInResolver && (async (input, ctx) => signInResolver(
-    {
-      profile: input.profile,
-      result: {
-        fullProfile: input.result.fullProfile,
-        accessToken: input.result.session.accessToken,
-        refreshToken: input.result.session.refreshToken,
-        params: {
-          scope: input.result.session.scope,
-          id_token: input.result.session.idToken,
-          token_type: input.result.session.tokenType,
-          expires_in: input.result.session.expiresInSeconds
-        }
-      }
-    },
-    ctx
-  ));
-}
-
-function adaptOAuthSignInResolverToLegacy(resolvers) {
-  const legacyResolvers = {};
-  for (const name of Object.keys(resolvers)) {
-    const resolver = resolvers[name];
-    legacyResolvers[name] = () => async (input, ctx) => {
-      var _a;
-      return resolver(
-        {
-          profile: input.profile,
-          result: {
-            fullProfile: input.result.fullProfile,
-            session: {
-              accessToken: input.result.accessToken,
-              expiresInSeconds: input.result.params.expires_in,
-              scope: input.result.params.scope,
-              idToken: input.result.params.id_token,
-              tokenType: (_a = input.result.params.token_type) != null ? _a : "bearer",
-              refreshToken: input.result.refreshToken
-            }
-          }
-        },
-        ctx
-      );
-    };
-  }
-  return legacyResolvers;
-}
-
 const gitlab = createAuthProviderIntegration({
   create(options) {
     var _a;
@@ -1499,20 +1321,20 @@ const google = createAuthProviderIntegration({
 
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$a = Object.defineProperty;
+var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$a = (obj, key, value) => {
+  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class MicrosoftAuthProvider {
   constructor(options) {
-    __publicField$c(this, "_strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "logger");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "skipUserProfile", (accessToken) => {
+    __publicField$a(this, "_strategy");
+    __publicField$a(this, "signInResolver");
+    __publicField$a(this, "authHandler");
+    __publicField$a(this, "logger");
+    __publicField$a(this, "resolverContext");
+    __publicField$a(this, "skipUserProfile", (accessToken) => {
       const { aud, scp } = jose.decodeJwt(accessToken);
       const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
       return !hasGraphReadScope;
@@ -1688,106 +1510,31 @@ const oauth2 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
-class Oauth2ProxyAuthProvider {
-  constructor(options) {
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "authHandler");
-    this.resolverContext = options.resolverContext;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
-      const decodedJWT = jwt && jose.decodeJwt(jwt);
-      const result = {
-        fullProfile: decodedJWT || {},
-        accessToken: jwt || "",
-        headers: req.headers,
-        getHeader(name) {
-          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
-            throw new Error("Access Set-Cookie via the headers object instead");
-          }
-          return req.get(name);
-        }
-      };
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      throw new errors.AuthenticationError("Refresh failed", e);
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageSignInResult = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(
-        backstageSignInResult
-      ),
-      profile
-    };
-  }
-}
-async function defaultAuthHandler(result) {
-  return {
-    profile: {
-      email: result.getHeader("x-forwarded-email"),
-      displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
-    }
-  };
-}
 const oauth2Proxy = createAuthProviderIntegration({
   create(options) {
-    return ({ resolverContext }) => {
-      const signInResolver = options.signIn.resolver;
-      const authHandler = options.authHandler;
-      return new Oauth2ProxyAuthProvider({
-        resolverContext,
-        signInResolver,
-        authHandler: authHandler != null ? authHandler : defaultAuthHandler
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOauth2ProxyProvider.oauth2ProxyAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
 
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$9 = Object.defineProperty;
+var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$9 = (obj, key, value) => {
+  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class OidcAuthProvider {
   constructor(options) {
-    __publicField$a(this, "implementation");
-    __publicField$a(this, "scope");
-    __publicField$a(this, "prompt");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "authHandler");
-    __publicField$a(this, "resolverContext");
+    __publicField$9(this, "implementation");
+    __publicField$9(this, "scope");
+    __publicField$9(this, "prompt");
+    __publicField$9(this, "signInResolver");
+    __publicField$9(this, "authHandler");
+    __publicField$9(this, "resolverContext");
     this.implementation = this.setupStrategy(options);
     this.scope = options.scope;
     this.prompt = options.prompt;
@@ -1948,176 +1695,16 @@ const oidc = createAuthProviderIntegration({
   }
 });
 
-var __defProp$9 = Object.defineProperty;
-var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$9 = (obj, key, value) => {
-  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class OktaAuthProvider {
-  constructor(options) {
-    __publicField$9(this, "strategy");
-    __publicField$9(this, "signInResolver");
-    __publicField$9(this, "authHandler");
-    __publicField$9(this, "resolverContext");
-    __publicField$9(this, "additionalScopes");
-    /**
-     * Due to passport-okta-oauth forcing options.state = true,
-     * passport-oauth2 requires express-session to be installed
-     * so that the 'state' parameter of the oauth2 flow can be stored.
-     * This implementation of StateStore matches the NullStore found within
-     * passport-oauth2, which is the StateStore implementation used when options.state = false,
-     * allowing us to avoid using express-session in order to integrate with Okta.
-     */
-    __publicField$9(this, "store", {
-      store(_req, cb) {
-        cb(null, null);
-      },
-      verify(_req, _state, cb) {
-        cb(null, true);
-      }
-    });
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-    this.additionalScopes = options.additionalScopes || "";
-    this.strategy = new passportOktaOauth.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        audience: options.audience,
-        authServerID: options.authServerId,
-        idp: options.idp,
-        passReqToCallback: false,
-        store: this.store,
-        response_type: "code"
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(
-          void 0,
-          {
-            accessToken,
-            refreshToken,
-            params,
-            fullProfile
-          },
-          {
-            refreshToken
-          }
-        );
-      }
-    );
-  }
-  combineScopeStrings(scopesA, scopesB) {
-    const scopesAArray = scopesA.split(" ");
-    const scopesBArray = scopesB.split(" ");
-    const combinedScopes = /* @__PURE__ */ new Set([...scopesAArray, ...scopesBArray]);
-    return Array.from(combinedScopes).join(" ");
-  }
-  async start(req) {
-    const scope = this.combineScopeStrings(req.scope, this.additionalScopes);
-    return await executeRedirectStrategy(req, this.strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this.strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const scope = this.combineScopeStrings(req.scope, this.additionalScopes);
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this.strategy, req.refreshToken, scope);
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this.strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
-  }
-}
 const okta = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const audience = envConfig.getString("audience");
-      const authServerId = envConfig.getOptionalString("authServerId");
-      const idp = envConfig.getOptionalString("idp");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const additionalScopes = envConfig.getOptionalString("additionalScopes");
-      if (!audience.startsWith("https://")) {
-        throw new Error("URL for 'audience' must start with 'https://'.");
-      }
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
-      });
-      const provider = new OktaAuthProvider({
-        audience,
-        authServerId,
-        idp,
-        clientId,
-        clientSecret,
-        callbackUrl,
-        authHandler,
-        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        resolverContext,
-        additionalScopes
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOktaProvider.oktaAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   },
   resolvers: {
-    /**
-     * Looks up the user by matching their email local part to the entity name.
-     */
-    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
-    /**
-     * Looks up the user by matching their email to the `okta.com/email` annotation.
-     */
     emailMatchingUserEntityAnnotation() {
       return async (info, ctx) => {
         const { profile } = info;
@@ -2386,7 +1973,7 @@ class BitbucketServerAuthProvider {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
-    this.strategy = new OAuth2Strategy.Strategy(
+    this.strategy = new passportOauth2.Strategy(
       {
         authorizationURL: options.authorizationUrl,
         tokenURL: options.tokenUrl,