@backstage/plugin-auth-backend 0.20.3 → 0.20.4-next.1

package/dist/index.cjs.js

@@ -14,18 +14,18 @@ var crypto = require('crypto');
 var url = require('url');
 var errors = require('@backstage/errors');
 var jwtDecoder = require('jwt-decode');
+var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var fetch = require('node-fetch');
-var NodeCache = require('node-cache');
 var jose = require('jose');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
 var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
-var passportMicrosoft = require('passport-microsoft');
+var pluginAuthBackendModuleMicrosoftProvider = require('@backstage/plugin-auth-backend-module-microsoft-provider');
 var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
 var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth-backend-module-oauth2-proxy-provider');
-var openidClient = require('openid-client');
+var pluginAuthBackendModuleOidcProvider = require('@backstage/plugin-auth-backend-module-oidc-provider');
 var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
@@ -46,33 +46,13 @@ var config = require('@backstage/config');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n["default"] = e;
-  return Object.freeze(n);
-}
-
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
-var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
-var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
@@ -240,10 +220,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -252,8 +232,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$f(this, "baseCookieOptions");
-    __publicField$f(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$c(this, "baseCookieOptions");
+    __publicField$c(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -261,34 +241,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$f(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$c(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$c(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$f(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$c(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$f(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$c(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$c(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$f(this, "getCookieConfig", (origin) => {
+    __publicField$c(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -586,21 +566,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$e(this, "_strategy");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "resolverContext");
-    __publicField$e(this, "audience");
-    __publicField$e(this, "connection");
-    __publicField$e(this, "connectionScope");
+    __publicField$b(this, "_strategy");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "audience");
+    __publicField$b(this, "connection");
+    __publicField$b(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -609,7 +589,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$e(this, "store", {
+    __publicField$b(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -750,162 +730,29 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-class AwsAlbAuthProvider {
-  constructor(options) {
-    __publicField$d(this, "region");
-    __publicField$d(this, "issuer");
-    __publicField$d(this, "resolverContext");
-    __publicField$d(this, "keyCache");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "getKey", async (header) => {
-      if (!header.kid) {
-        throw new errors.AuthenticationError("No key id was specified in header");
-      }
-      const optionalCacheKey = this.keyCache.get(header.kid);
-      if (optionalCacheKey) {
-        return crypto__namespace.createPublicKey(optionalCacheKey);
-      }
-      const keyText = await fetch__default["default"](
-        `https://public-keys.auth.elb.${encodeURIComponent(
-          this.region
-        )}.amazonaws.com/${encodeURIComponent(header.kid)}`
-      ).then((response) => response.text());
-      const keyValue = crypto__namespace.createPublicKey(keyText);
-      this.keyCache.set(
-        header.kid,
-        keyValue.export({ format: "pem", type: "spki" })
-      );
-      return keyValue;
-    });
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = await this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      throw new errors.AuthenticationError(
-        "Exception occurred during AWS ALB token refresh",
-        e
-      );
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
-      );
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
-      );
-    }
-    try {
-      const verifyResult = await jose.jwtVerify(jwt, this.getKey);
-      const claims = verifyResult.payload;
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
-        fullProfile,
-        expiresInSeconds: claims.exp,
-        accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
-      profile
-    };
-  }
-}
 const awsAlb = createAuthProviderIntegration({
   create(options) {
-    return ({ config, resolverContext }) => {
-      const region = config.getString("region");
-      const issuer = config.getOptionalString("iss");
-      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-        throw new Error(
-          "SignInResolver is required to use this authentication provider"
-        );
-      }
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-        profile: makeProfileInfo(fullProfile)
-      });
-      return new AwsAlbAuthProvider({
-        region,
-        issuer,
-        signInResolver: options == null ? void 0 : options.signIn.resolver,
-        authHandler,
-        resolverContext
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleAwsAlbProvider.awsAlbAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$a = Object.defineProperty;
+var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$a = (obj, key, value) => {
+  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$c(this, "_strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "resolverContext");
+    __publicField$a(this, "_strategy");
+    __publicField$a(this, "signInResolver");
+    __publicField$a(this, "authHandler");
+    __publicField$a(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1073,10 +920,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$9 = Object.defineProperty;
+var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$9 = (obj, key, value) => {
+  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1084,12 +931,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$b(this, "teamName");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "jwtKeySet");
-    __publicField$b(this, "cache");
+    __publicField$9(this, "teamName");
+    __publicField$9(this, "resolverContext");
+    __publicField$9(this, "authHandler");
+    __publicField$9(this, "signInResolver");
+    __publicField$9(this, "jwtKeySet");
+    __publicField$9(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1319,184 +1166,20 @@ const google = createAuthProviderIntegration({
   })
 });
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
-
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class MicrosoftAuthProvider {
-  constructor(options) {
-    __publicField$a(this, "_strategy");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "authHandler");
-    __publicField$a(this, "logger");
-    __publicField$a(this, "resolverContext");
-    __publicField$a(this, "skipUserProfile", (accessToken) => {
-      const { aud, scp } = jose.decodeJwt(accessToken);
-      const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
-      return !hasGraphReadScope;
-    });
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.logger = options.logger;
-    this.resolverContext = options.resolverContext;
-    this._strategy = new passportMicrosoft.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        authorizationURL: options.authorizationUrl,
-        tokenURL: options.tokenUrl,
-        passReqToCallback: false,
-        skipUserProfile: (accessToken, done) => {
-          done(null, this.skipUserProfile(accessToken));
-        }
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(void 0, { fullProfile, accessToken, params }, { refreshToken });
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
-      this._strategy,
-      req.refreshToken,
-      req.scope
-    );
-    return {
-      response: await this.handleResult({
-        params,
-        accessToken,
-        ...!this.skipUserProfile(accessToken) && {
-          fullProfile: await executeFetchUserProfileStrategy(
-            this._strategy,
-            accessToken
-          )
-        }
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    let profile = {};
-    if (result.fullProfile) {
-      const photo = await this.getUserPhoto(result.accessToken);
-      result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
-      ({ profile } = await this.authHandler(
-        result,
-        this.resolverContext
-      ));
-    }
-    const expiresInSeconds = result.params.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.params.expires_in, BACKSTAGE_SESSION_EXPIRATION);
-    return {
-      providerInfo: {
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds,
-        ...{ idToken: result.params.id_token }
-      },
-      profile,
-      ...result.fullProfile && this.signInResolver && {
-        backstageIdentity: await this.signInResolver(
-          { result, profile },
-          this.resolverContext
-        )
-      }
-    };
-  }
-  async getUserPhoto(accessToken) {
-    try {
-      const res = await fetch__default["default"](
-        "https://graph.microsoft.com/v1.0/me/photos/48x48/$value",
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        }
-      );
-      const data = await res.buffer();
-      return `data:image/jpeg;base64,${data.toString("base64")}`;
-    } catch (error) {
-      this.logger.warn(
-        `Could not retrieve user profile photo from Microsoft Graph API: ${error}`
-      );
-      return void 0;
-    }
-  }
-}
 const microsoft = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, logger, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const tenantId = envConfig.getString("tenantId");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-      const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile != null ? fullProfile : {}, params.id_token)
-      });
-      const provider = new MicrosoftAuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        authorizationUrl,
-        tokenUrl,
-        authHandler,
-        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        logger,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleMicrosoftProvider.microsoftAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email local part to the entity name.
-     */
-    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
-    /**
-     * Looks up the user by matching their email to the `microsoft.com/email` annotation.
-     */
-    emailMatchingUserEntityAnnotation() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error("Microsoft profile contained no email");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "microsoft.com/email": profile.email
-          }
-        });
-      };
-    }
-  }
+  resolvers: adaptOAuthSignInResolverToLegacy({
+    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
+    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
+    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleMicrosoftProvider.microsoftSignInResolvers.emailMatchingUserEntityAnnotation()
+  })
 });
 
 const oauth2 = createAuthProviderIntegration({
@@ -1521,166 +1204,21 @@ const oauth2Proxy = createAuthProviderIntegration({
   }
 });
 
-var __defProp$9 = Object.defineProperty;
-var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$9 = (obj, key, value) => {
-  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class OidcAuthProvider {
-  constructor(options) {
-    __publicField$9(this, "implementation");
-    __publicField$9(this, "scope");
-    __publicField$9(this, "prompt");
-    __publicField$9(this, "signInResolver");
-    __publicField$9(this, "authHandler");
-    __publicField$9(this, "resolverContext");
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-  }
-  async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
-  }
-  async handler(req) {
-    const { strategy } = await this.implementation;
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { client } = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    if (!tokenset.scope) {
-      tokenset.scope = req.scope;
-    }
-    const userinfo = await client.userinfo(tokenset.access_token);
-    return {
-      response: await this.handleResult({ tokenset, userinfo }),
-      refreshToken: tokenset.refresh_token
-    };
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      access_type: "offline",
-      // this option must be passed to provider to receive a refresh token
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      token_endpoint_auth_method: options.tokenEndpointAuthMethod || "client_secret_basic",
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy(
-      {
-        client,
-        passReqToCallback: false
-      },
-      (tokenset, userinfo, done) => {
-        if (typeof done !== "function") {
-          throw new Error(
-            "OIDC IdP must provide a userinfo_endpoint in the metadata response"
-          );
-        }
-        done(
-          void 0,
-          { tokenset, userinfo },
-          {
-            refreshToken: tokenset.refresh_token
-          }
-        );
-      }
-    );
-    strategy.error = console.error;
-    return { strategy, client };
-  }
-  // Use this function to grab the user profile info from the token
-  // Then populate the profile with it
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const expiresInSeconds = result.tokenset.expires_in === void 0 ? BACKSTAGE_SESSION_EXPIRATION : Math.min(result.tokenset.expires_in, BACKSTAGE_SESSION_EXPIRATION);
-    let backstageIdentity = void 0;
-    if (this.signInResolver) {
-      backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return {
-      backstageIdentity,
-      providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token,
-        scope: result.tokenset.scope,
-        expiresInSeconds
-      },
-      profile
-    };
-  }
-}
 const oidc = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const metadataUrl = envConfig.getString("metadataUrl");
-      const tokenEndpointAuthMethod = envConfig.getOptionalString(
-        "tokenEndpointAuthMethod"
-      );
-      const tokenSignedResponseAlg = envConfig.getOptionalString(
-        "tokenSignedResponseAlg"
-      );
-      const scope = envConfig.getOptionalString("scope");
-      const prompt = envConfig.getOptionalString("prompt");
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
-        profile: {
-          displayName: userinfo.name,
-          email: userinfo.email,
-          picture: userinfo.picture
-        }
-      });
-      const provider = new OidcAuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        tokenEndpointAuthMethod,
-        tokenSignedResponseAlg,
-        metadataUrl,
-        scope,
-        prompt,
-        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        authHandler,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    const authHandler = options == null ? void 0 : options.authHandler;
+    const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOidcProvider.oidcAuthenticator,
+      profileTransform: authHandler && ((result, context) => authHandler(result.fullProfile, context)),
+      signInResolver: signInResolver && ((info, context) => signInResolver(
+        {
+          result: info.result.fullProfile,
+          profile: info.profile
+        },
+        context
+      ))
     });
   },
   resolvers: {
@@ -2940,6 +2478,8 @@ _database = new WeakMap();
 _promise = new WeakMap();
 let AuthDatabase = _AuthDatabase;
 
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
+
 var __defProp = Object.defineProperty;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField = (obj, key, value) => {