@backstage/plugin-auth-backend 0.20.4-next.0 → 0.21.0-next.2

package/CHANGELOG.md

@@ -1,5 +1,72 @@
 # @backstage/plugin-auth-backend
 
+## 0.21.0-next.2
+
+### Minor Changes
+
+- 7dd8463: **BREAKING**: The `saml` provider has been migrated from `passport-saml` to `@node-saml/passport-saml`.
+
+  This comes with breaking changes to config options:
+
+  - `audience` is now mandatory
+  - `wantAuthnResponseSigned` is now exposed and defaults to `true`
+  - `wantAssertionsSigned` is now exposed and defaults to `true`
+
+### Patch Changes
+
+- 97f8724: Support additional algorithms in the `/.well-known/openid-configuration` endpoint.
+- a9e0107: The auth backend will now refuse to issue user tokens are excessively large.
+- d4cc552: The helper function `makeProfileInfo` and `PassportHelpers.transformProfile`
+  were refactored to use the `jose` library.
+- 8e8a25d: Ability for user to configure backstage token expiration
+- Updated dependencies
+  - @backstage/backend-common@0.21.0-next.2
+  - @backstage/backend-plugin-api@0.6.10-next.2
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.0-next.1
+  - @backstage/plugin-auth-node@0.4.4-next.2
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.2-next.2
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.5-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.7-next.2
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.0-next.2
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.3-next.2
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.4-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.2-next.2
+  - @backstage/plugin-catalog-node@1.6.2-next.2
+  - @backstage/config@1.1.1
+  - @backstage/catalog-client@1.6.0-next.1
+  - @backstage/catalog-model@1.4.4-next.0
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+
+## 0.20.4-next.1
+
+### Patch Changes
+
+- 23a98f8: Migrated the AWS ALB auth provider to new `@backstage/plugin-auth-backend-module-aws-alb-provider` module package.
+- Updated dependencies
+  - @backstage/catalog-model@1.4.4-next.0
+  - @backstage/catalog-client@1.6.0-next.1
+  - @backstage/backend-plugin-api@0.6.10-next.1
+  - @backstage/backend-common@0.21.0-next.1
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.0-next.0
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.2-next.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.4-next.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.2-next.1
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.0-next.1
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.3-next.1
+  - @backstage/plugin-auth-node@0.4.4-next.1
+  - @backstage/plugin-catalog-node@1.6.2-next.1
+
 ## 0.20.4-next.0
 
 ### Patch Changes

package/README.md

@@ -165,3 +165,14 @@ To try out SAML, you can use the mock identity provider:
 ## Links
 
 - [The Backstage homepage](https://backstage.io)
+
+## Configuring Token Expiration in App Config
+
+If you need to change Backstage token expiration from the default value of one hour you can do so through configuration. Note that this is **not** the session duration, but rather the duration that the short-term cryptographic tokens are valid for. The expiration can not be set lower than 10 minutes or above 24 hours.
+
+This is what the configuration looks like:
+
+```
+auth:
+   backstageTokenExpiration: { minutes: <user_defined_value> }
+```

package/config.d.ts

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+import { HumanDuration } from '@backstage/types';
+
 export interface Config {
   /** Configuration options for the auth plugin */
   auth?: {
@@ -184,6 +186,10 @@ export interface Config {
       cfaccess?: {
         teamName: string;
       };
+      /**
+       * The backstage token expiration.
+       */
+      backstageTokenExpiration?: HumanDuration;
     };
   };
 }

package/dist/index.cjs.js

@@ -13,11 +13,10 @@ var Auth0InternalStrategy = require('passport-auth0');
 var crypto = require('crypto');
 var url = require('url');
 var errors = require('@backstage/errors');
-var jwtDecoder = require('jwt-decode');
-var fetch = require('node-fetch');
-var NodeCache = require('node-cache');
 var jose = require('jose');
+var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var fetch = require('node-fetch');
 var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
@@ -28,7 +27,7 @@ var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth
 var pluginAuthBackendModuleOidcProvider = require('@backstage/plugin-auth-backend-module-oidc-provider');
 var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
 var passportOneloginOauth = require('passport-onelogin-oauth');
-var passportSaml = require('passport-saml');
+var passportSaml = require('@node-saml/passport-saml');
 var passportOauth2 = require('passport-oauth2');
 var catalogClient = require('@backstage/catalog-client');
 var catalogModel = require('@backstage/catalog-model');
@@ -43,36 +42,16 @@ var passport = require('passport');
 var minimatch = require('minimatch');
 var backendCommon = require('@backstage/backend-common');
 var config = require('@backstage/config');
+var types = require('@backstage/types');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n["default"] = e;
-  return Object.freeze(n);
-}
-
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
-var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
-var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
@@ -240,10 +219,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -252,8 +231,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$d(this, "baseCookieOptions");
-    __publicField$d(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$c(this, "baseCookieOptions");
+    __publicField$c(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -261,34 +240,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$d(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$c(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$c(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$d(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$c(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$d(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$c(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$c(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "getCookieConfig", (origin) => {
+    __publicField$c(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -470,7 +449,7 @@ const makeProfileInfo = (profile, idToken) => {
   let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
   if ((!email || !picture || !displayName) && idToken) {
     try {
-      const decoded = jwtDecoder__default["default"](idToken);
+      const decoded = jose.decodeJwt(idToken);
       if (!email && decoded.email) {
         email = decoded.email;
       }
@@ -586,21 +565,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$c(this, "_strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "audience");
-    __publicField$c(this, "connection");
-    __publicField$c(this, "connectionScope");
+    __publicField$b(this, "_strategy");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "audience");
+    __publicField$b(this, "connection");
+    __publicField$b(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -609,7 +588,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$c(this, "store", {
+    __publicField$b(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -750,147 +729,14 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-class AwsAlbAuthProvider {
-  constructor(options) {
-    __publicField$b(this, "region");
-    __publicField$b(this, "issuer");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "keyCache");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "getKey", async (header) => {
-      if (!header.kid) {
-        throw new errors.AuthenticationError("No key id was specified in header");
-      }
-      const optionalCacheKey = this.keyCache.get(header.kid);
-      if (optionalCacheKey) {
-        return crypto__namespace.createPublicKey(optionalCacheKey);
-      }
-      const keyText = await fetch__default["default"](
-        `https://public-keys.auth.elb.${encodeURIComponent(
-          this.region
-        )}.amazonaws.com/${encodeURIComponent(header.kid)}`
-      ).then((response) => response.text());
-      const keyValue = crypto__namespace.createPublicKey(keyText);
-      this.keyCache.set(
-        header.kid,
-        keyValue.export({ format: "pem", type: "spki" })
-      );
-      return keyValue;
-    });
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = await this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      throw new errors.AuthenticationError(
-        "Exception occurred during AWS ALB token refresh",
-        e
-      );
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
-      );
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
-      );
-    }
-    try {
-      const verifyResult = await jose.jwtVerify(jwt, this.getKey);
-      const claims = verifyResult.payload;
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
-        fullProfile,
-        expiresInSeconds: claims.exp,
-        accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
-      profile
-    };
-  }
-}
 const awsAlb = createAuthProviderIntegration({
   create(options) {
-    return ({ config, resolverContext }) => {
-      const region = config.getString("region");
-      const issuer = config.getOptionalString("iss");
-      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-        throw new Error(
-          "SignInResolver is required to use this authentication provider"
-        );
-      }
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-        profile: makeProfileInfo(fullProfile)
-      });
-      return new AwsAlbAuthProvider({
-        region,
-        issuer,
-        signInResolver: options == null ? void 0 : options.signIn.resolver,
-        authHandler,
-        resolverContext
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleAwsAlbProvider.awsAlbAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
 
@@ -1565,9 +1411,10 @@ class SamlAuthProvider {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
-    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
-      done(void 0, { fullProfile });
-    });
+    const verifier = (profile, done) => {
+      done(null, { fullProfile: profile });
+    };
+    this.strategy = new passportSaml.Strategy(options, verifier, verifier);
   }
   async start(req, res) {
     const { url } = await executeRedirectStrategy(req, this.strategy, {});
@@ -1624,7 +1471,7 @@ const saml = createAuthProviderIntegration({
         callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
         entryPoint: config.getString("entryPoint"),
         logoutUrl: config.getOptionalString("logoutUrl"),
-        audience: config.getOptionalString("audience"),
+        audience: config.getString("audience"),
         issuer: config.getString("issuer"),
         cert: config.getString("cert"),
         privateKey: config.getOptionalString("privateKey"),
@@ -1634,6 +1481,10 @@ const saml = createAuthProviderIntegration({
         signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
         digestAlgorithm: config.getOptionalString("digestAlgorithm"),
         acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+        wantAuthnResponseSigned: config.getOptionalBoolean(
+          "wantAuthnResponseSigned"
+        ),
+        wantAssertionsSigned: config.getOptionalBoolean("wantAssertionsSigned"),
         appUrl: globalConfig.appUrl,
         authHandler,
         signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
@@ -1991,7 +1842,18 @@ function createOidcRouter(options) {
     jwks_uri: `${baseUrl}/.well-known/jwks.json`,
     response_types_supported: ["id_token"],
     subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
+    id_token_signing_alg_values_supported: [
+      "RS256",
+      "RS384",
+      "RS512",
+      "ES256",
+      "ES384",
+      "ES512",
+      "PS256",
+      "PS384",
+      "PS512",
+      "EdDSA"
+    ],
     scopes_supported: ["openid"],
     token_endpoint_auth_methods_supported: [],
     claims_supported: ["sub"],
@@ -2020,6 +1882,7 @@ var __publicField$4 = (obj, key, value) => {
   return value;
 };
 const MS_IN_S$1 = 1e3;
+const MAX_TOKEN_LENGTH = 32768;
 class TokenFactory {
   constructor(options) {
     __publicField$4(this, "issuer");
@@ -2054,7 +1917,16 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    const claims = { ...additionalClaims, iss, sub, ent, aud, iat, exp };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    if (token.length > MAX_TOKEN_LENGTH) {
+      throw new Error(
+        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
+          claims
+        )}'`
+      );
+    }
+    return token;
   }
   // This will be called by other services that want to verify ID tokens.
   // It is important that it returns a list of all public keys that could
@@ -2631,7 +2503,25 @@ _database = new WeakMap();
 _promise = new WeakMap();
 let AuthDatabase = _AuthDatabase;
 
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
+const TOKEN_EXP_DEFAULT_S = 3600;
+const TOKEN_EXP_MIN_S = 600;
+const TOKEN_EXP_MAX_S = 86400;
+function readBackstageTokenExpiration(config$1) {
+  const processingIntervalKey = "auth.backstageTokenExpiration";
+  if (!config$1.has(processingIntervalKey)) {
+    return TOKEN_EXP_DEFAULT_S;
+  }
+  const duration = config.readDurationFromConfig(config$1, {
+    key: processingIntervalKey
+  });
+  const durationS = Math.round(types.durationToMilliseconds(duration) / 1e3);
+  if (durationS < TOKEN_EXP_MIN_S) {
+    return TOKEN_EXP_MIN_S;
+  } else if (durationS > TOKEN_EXP_MAX_S) {
+    return TOKEN_EXP_MAX_S;
+  }
+  return durationS;
+}
 
 var __defProp = Object.defineProperty;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
@@ -2698,8 +2588,8 @@ async function createRouter(options) {
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
+  const backstageTokenExpiration = readBackstageTokenExpiration(config);
   const authDb = AuthDatabase.create(database);
-  const sessionExpirationSeconds = BACKSTAGE_SESSION_EXPIRATION;
   const keyStore = await KeyStores.fromConfig(config, {
     logger,
     database: authDb
@@ -2710,7 +2600,7 @@ async function createRouter(options) {
       {
         logger: logger.child({ component: "token-factory" }),
         issuer: authUrl,
-        sessionExpirationSeconds
+        sessionExpirationSeconds: backstageTokenExpiration
       },
       keyStore
     );
@@ -2718,7 +2608,7 @@ async function createRouter(options) {
     tokenIssuer = new TokenFactory({
       issuer: authUrl,
       keyStore,
-      keyDurationSeconds: sessionExpirationSeconds,
+      keyDurationSeconds: backstageTokenExpiration,
       logger: logger.child({ component: "token-factory" }),
       algorithm: tokenFactoryAlgorithm != null ? tokenFactoryAlgorithm : config.getOptionalString("auth.identityTokenAlgorithm")
     });