@backstage/plugin-auth-backend 0.21.2 → 0.22.0-next.0

package/dist/index.cjs.js

@@ -30,7 +30,9 @@ var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('@node-saml/passport-saml');
 var passportOauth2 = require('passport-oauth2');
 var catalogClient = require('@backstage/catalog-client');
+var minimatch = require('minimatch');
 var catalogModel = require('@backstage/catalog-model');
+var backendCommon = require('@backstage/backend-common');
 var luxon = require('luxon');
 var uuid = require('uuid');
 var firestore = require('@google-cloud/firestore');
@@ -39,8 +41,6 @@ var fs = require('fs');
 var session = require('express-session');
 var connectSessionKnex = require('connect-session-knex');
 var passport = require('passport');
-var minimatch = require('minimatch');
-var backendCommon = require('@backstage/backend-common');
 var config = require('@backstage/config');
 var types = require('@backstage/types');
 
@@ -931,12 +931,14 @@ const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
     __publicField$9(this, "teamName");
+    __publicField$9(this, "serviceTokens");
     __publicField$9(this, "resolverContext");
     __publicField$9(this, "authHandler");
     __publicField$9(this, "signInResolver");
     __publicField$9(this, "jwtKeySet");
     __publicField$9(this, "cache");
     this.teamName = options.teamName;
+    this.serviceTokens = options.serviceTokens;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
     this.resolverContext = options.resolverContext;
@@ -990,8 +992,21 @@ class CloudflareAccessAuthProvider {
     const verifyResult = await jose.jwtVerify(jwt, this.jwtKeySet, {
       issuer: `https://${this.teamName}.cloudflareaccess.com`
     });
-    const sub = verifyResult.payload.sub;
-    const cfAccessResultStr = await ((_a = this.cache) == null ? void 0 : _a.get(`${CACHE_PREFIX}/${sub}`));
+    const isServiceToken = !verifyResult.payload.sub;
+    const subject = isServiceToken ? verifyResult.payload.common_name : verifyResult.payload.sub;
+    if (!subject) {
+      throw new errors.AuthenticationError(
+        `Missing both sub and common_name from Cloudflare Access JWT`
+      );
+    }
+    const serviceToken = this.serviceTokens.find((st) => st.token === subject);
+    if (isServiceToken && !serviceToken) {
+      throw new errors.AuthenticationError(
+        `${subject} is not a permitted Service Token.`
+      );
+    }
+    const cacheKey = `${CACHE_PREFIX}/${subject}`;
+    const cfAccessResultStr = await ((_a = this.cache) == null ? void 0 : _a.get(cacheKey));
     if (typeof cfAccessResultStr === "string") {
       const result = JSON.parse(cfAccessResultStr);
       return {
@@ -1001,13 +1016,23 @@ class CloudflareAccessAuthProvider {
     }
     const claims = verifyResult.payload;
     try {
-      const cfIdentity = await this.getIdentityProfile(jwt);
+      let cfIdentity;
+      if (serviceToken) {
+        cfIdentity = {
+          id: subject,
+          name: "Bot",
+          email: serviceToken.subject,
+          groups: []
+        };
+      } else {
+        cfIdentity = await this.getIdentityProfile(jwt);
+      }
       const cfAccessResult = {
         claims,
         cfIdentity,
         expiresInSeconds: claims.exp - claims.iat
       };
-      (_b = this.cache) == null ? void 0 : _b.set(`${CACHE_PREFIX}/${sub}`, JSON.stringify(cfAccessResult));
+      (_b = this.cache) == null ? void 0 : _b.set(cacheKey, JSON.stringify(cfAccessResult));
       return {
         ...cfAccessResult,
         token: jwt
@@ -1043,6 +1068,13 @@ const cfAccess = createAuthProviderIntegration({
   create(options) {
     return ({ config, resolverContext }) => {
       const teamName = config.getString("teamName");
+      const serviceTokensConfig = config.getOptionalConfigArray("serviceTokens");
+      const serviceTokens = (serviceTokensConfig == null ? void 0 : serviceTokensConfig.map((cfg) => {
+        return {
+          token: cfg.getString("token"),
+          subject: cfg.getString("subject")
+        };
+      })) || [];
       if (!options.signIn.resolver) {
         throw new Error(
           "SignInResolver is required to use this authentication provider"
@@ -1058,6 +1090,7 @@ const cfAccess = createAuthProviderIntegration({
       };
       return new CloudflareAccessAuthProvider({
         teamName,
+        serviceTokens,
         signInResolver: options == null ? void 0 : options.signIn.resolver,
         authHandler,
         resolverContext,
@@ -1832,9 +1865,289 @@ const defaultAuthProviderFactories = {
   atlassian: atlassian.create()
 };
 
-function createOidcRouter(options) {
+var __defProp$4 = Object.defineProperty;
+var __defNormalProp$4 = (obj, key, value) => key in obj ? __defProp$4(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$4 = (obj, key, value) => {
+  __defNormalProp$4(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
+class CatalogIdentityClient {
+  constructor(options) {
+    __publicField$4(this, "catalogApi");
+    __publicField$4(this, "auth");
+    this.catalogApi = options.catalogApi;
+    const { auth } = backendCommon.createLegacyAuthAdapters({
+      auth: options.auth,
+      httpAuth: options.httpAuth,
+      discovery: options.discovery,
+      tokenManager: options.tokenManager
+    });
+    this.auth = auth;
+  }
+  /**
+   * Looks up a single user using a query.
+   *
+   * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
+   */
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  /**
+   * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
+   * to be used within a `signInResolver` where additional entity claims might be provided, but
+   * group membership and transient group membership lean on imported catalog relations.
+   *
+   * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
+   */
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap(
+      (e) => {
+        var _a, _b;
+        return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
+      }
+    );
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
+    ];
+    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+
+function getDefaultOwnershipEntityRefs(entity) {
+  var _a, _b;
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter(
+    (r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")
+  ).map((r) => r.targetRef)) != null ? _b : [];
+  return Array.from(/* @__PURE__ */ new Set([catalogModel.stringifyEntityRef(entity), ...membershipRefs]));
+}
+class CatalogAuthResolverContext {
+  constructor(logger, tokenIssuer, catalogIdentityClient, catalogApi, auth) {
+    this.logger = logger;
+    this.tokenIssuer = tokenIssuer;
+    this.catalogIdentityClient = catalogIdentityClient;
+    this.catalogApi = catalogApi;
+    this.auth = auth;
+  }
+  static create(options) {
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi: options.catalogApi,
+      tokenManager: options.tokenManager,
+      discovery: options.discovery,
+      auth: options.auth,
+      httpAuth: options.httpAuth
+    });
+    return new CatalogAuthResolverContext(
+      options.logger,
+      options.tokenIssuer,
+      catalogIdentityClient,
+      options.catalogApi,
+      options.auth
+    );
+  }
+  async issueToken(params) {
+    const token = await this.tokenIssuer.issueToken(params);
+    return { token };
+  }
+  async findCatalogUser(query) {
+    let result = void 0;
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    if ("entityRef" in query) {
+      const entityRef = catalogModel.parseEntityRef(query.entityRef, {
+        defaultKind: "User",
+        defaultNamespace: catalogModel.DEFAULT_NAMESPACE
+      });
+      result = await this.catalogApi.getEntityByRef(entityRef, { token });
+    } else if ("annotations" in query) {
+      const filter = {
+        kind: "user"
+      };
+      for (const [key, value] of Object.entries(query.annotations)) {
+        filter[`metadata.annotations.${key}`] = value;
+      }
+      const res = await this.catalogApi.getEntities({ filter }, { token });
+      result = res.items;
+    } else if ("filter" in query) {
+      const res = await this.catalogApi.getEntities(
+        { filter: query.filter },
+        { token }
+      );
+      result = res.items;
+    } else {
+      throw new errors.InputError("Invalid user lookup query");
+    }
+    if (Array.isArray(result)) {
+      if (result.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      }
+      result = result[0];
+    }
+    if (!result) {
+      throw new errors.NotFoundError("User not found");
+    }
+    return { entity: result };
+  }
+  async signInWithCatalogUser(query) {
+    const { entity } = await this.findCatalogUser(query);
+    const ownershipRefs = getDefaultOwnershipEntityRefs(entity);
+    const token = await this.tokenIssuer.issueToken({
+      claims: {
+        sub: catalogModel.stringifyEntityRef(entity),
+        ent: ownershipRefs
+      }
+    });
+    return { token };
+  }
+}
+
+function bindProviderRouters(targetRouter, options) {
+  const {
+    providers,
+    appUrl,
+    baseUrl,
+    config,
+    logger,
+    discovery,
+    auth,
+    httpAuth,
+    tokenManager,
+    tokenIssuer,
+    catalogApi
+  } = options;
+  const providersConfig = config.getOptionalConfig("auth.providers");
+  const isOriginAllowed = createOriginFilter(config);
+  for (const [providerId, providerFactory] of Object.entries(providers)) {
+    if (providersConfig == null ? void 0 : providersConfig.has(providerId)) {
+      logger.info(`Configuring auth provider: ${providerId}`);
+      try {
+        const provider = providerFactory({
+          providerId,
+          appUrl,
+          baseUrl,
+          isOriginAllowed,
+          globalConfig: {
+            baseUrl,
+            appUrl,
+            isOriginAllowed
+          },
+          config: providersConfig.getConfig(providerId),
+          logger,
+          resolverContext: CatalogAuthResolverContext.create({
+            logger,
+            catalogApi: catalogApi != null ? catalogApi : new catalogClient.CatalogClient({ discoveryApi: discovery }),
+            tokenIssuer,
+            tokenManager,
+            discovery,
+            auth,
+            httpAuth
+          })
+        });
+        const r = Router__default["default"]();
+        r.get("/start", provider.start.bind(provider));
+        r.get("/handler/frame", provider.frameHandler.bind(provider));
+        r.post("/handler/frame", provider.frameHandler.bind(provider));
+        if (provider.logout) {
+          r.post("/logout", provider.logout.bind(provider));
+        }
+        if (provider.refresh) {
+          r.get("/refresh", provider.refresh.bind(provider));
+          r.post("/refresh", provider.refresh.bind(provider));
+        }
+        targetRouter.use(`/${providerId}`, r);
+      } catch (e) {
+        errors.assertError(e);
+        if (process.env.NODE_ENV !== "development") {
+          throw new Error(
+            `Failed to initialize ${providerId} auth provider, ${e.message}`
+          );
+        }
+        logger.warn(`Skipping ${providerId} auth provider, ${e.message}`);
+        targetRouter.use(`/${providerId}`, () => {
+          throw new errors.NotFoundError(
+            `Auth provider registered for '${providerId}' is misconfigured. This could mean the configs under auth.providers.${providerId} are missing or the environment variables used are not defined. Check the auth backend plugin logs when the backend starts to see more details.`
+          );
+        });
+      }
+    } else {
+      targetRouter.use(`/${providerId}`, () => {
+        throw new errors.NotFoundError(
+          `No auth provider registered for '${providerId}'`
+        );
+      });
+    }
+  }
+}
+function createOriginFilter(config) {
+  var _a;
+  const appUrl = config.getString("app.baseUrl");
+  const { origin: appOrigin } = new URL(appUrl);
+  const allowedOrigins = config.getOptionalStringArray(
+    "auth.experimentalExtraAllowedOrigins"
+  );
+  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map(
+    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
+  )) != null ? _a : [];
+  return (origin) => {
+    if (origin === appOrigin) {
+      return true;
+    }
+    return allowedOriginPatterns.some((pattern) => pattern.match(origin));
+  };
+}
+
+function bindOidcRouter(targetRouter, options) {
   const { baseUrl, tokenIssuer } = options;
   const router = Router__default["default"]();
+  targetRouter.use(router);
   const config = {
     issuer: baseUrl,
     token_endpoint: `${baseUrl}/v1/token`,
@@ -1872,26 +2185,25 @@ function createOidcRouter(options) {
   router.get("/v1/userinfo", (_req, res) => {
     res.status(501).send("Not Implemented");
   });
-  return router;
 }
 
-var __defProp$4 = Object.defineProperty;
-var __defNormalProp$4 = (obj, key, value) => key in obj ? __defProp$4(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$4 = (obj, key, value) => {
-  __defNormalProp$4(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$3 = Object.defineProperty;
+var __defNormalProp$3 = (obj, key, value) => key in obj ? __defProp$3(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$3 = (obj, key, value) => {
+  __defNormalProp$3(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const MS_IN_S$1 = 1e3;
 const MAX_TOKEN_LENGTH = 32768;
 class TokenFactory {
   constructor(options) {
-    __publicField$4(this, "issuer");
-    __publicField$4(this, "logger");
-    __publicField$4(this, "keyStore");
-    __publicField$4(this, "keyDurationSeconds");
-    __publicField$4(this, "algorithm");
-    __publicField$4(this, "keyExpiry");
-    __publicField$4(this, "privateKeyPromise");
+    __publicField$3(this, "issuer");
+    __publicField$3(this, "logger");
+    __publicField$3(this, "keyStore");
+    __publicField$3(this, "keyDurationSeconds");
+    __publicField$3(this, "algorithm");
+    __publicField$3(this, "keyExpiry");
+    __publicField$3(this, "privateKeyPromise");
     var _a;
     this.issuer = options.issuer;
     this.logger = options.logger;
@@ -2021,15 +2333,15 @@ class DatabaseKeyStore {
   }
 }
 
-var __defProp$3 = Object.defineProperty;
-var __defNormalProp$3 = (obj, key, value) => key in obj ? __defProp$3(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$3 = (obj, key, value) => {
-  __defNormalProp$3(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$2 = Object.defineProperty;
+var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$2 = (obj, key, value) => {
+  __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class MemoryKeyStore {
   constructor() {
-    __publicField$3(this, "keys", /* @__PURE__ */ new Map());
+    __publicField$2(this, "keys", /* @__PURE__ */ new Map());
   }
   async addKey(key) {
     this.keys.set(key.kid, {
@@ -2134,17 +2446,17 @@ class FirestoreKeyStore {
   }
 }
 
-var __defProp$2 = Object.defineProperty;
-var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$2 = (obj, key, value) => {
-  __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$1 = Object.defineProperty;
+var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$1 = (obj, key, value) => {
+  __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const DEFAULT_ALGORITHM = "ES256";
 class StaticKeyStore {
   constructor(keyPairs) {
-    __publicField$2(this, "keyPairs");
-    __publicField$2(this, "createdAt");
+    __publicField$1(this, "keyPairs");
+    __publicField$1(this, "createdAt");
     if (keyPairs.length === 0) {
       throw new Error("Should provide at least one key pair");
     }
@@ -2270,172 +2582,6 @@ class KeyStores {
   }
 }
 
-var __defProp$1 = Object.defineProperty;
-var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$1 = (obj, key, value) => {
-  __defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class CatalogIdentityClient {
-  constructor(options) {
-    __publicField$1(this, "catalogApi");
-    __publicField$1(this, "tokenManager");
-    this.catalogApi = options.catalogApi;
-    this.tokenManager = options.tokenManager;
-  }
-  /**
-   * Looks up a single user using a query.
-   *
-   * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
-   */
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const { token } = await this.tokenManager.getToken();
-    const { items } = await this.catalogApi.getEntities({ filter }, { token });
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
-  }
-  /**
-   * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
-   * to be used within a `signInResolver` where additional entity claims might be provided, but
-   * group membership and transient group membership lean on imported catalog relations.
-   *
-   * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
-   */
-  async resolveCatalogMembership(query) {
-    const { entityRefs, logger } = query;
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
-      }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const { token } = await this.tokenManager.getToken();
-    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
-    }
-    const memberOf = entities.flatMap(
-      (e) => {
-        var _a, _b;
-        return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
-      }
-    );
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
-    ];
-    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
-  }
-}
-
-function getDefaultOwnershipEntityRefs(entity) {
-  var _a, _b;
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter(
-    (r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")
-  ).map((r) => r.targetRef)) != null ? _b : [];
-  return Array.from(/* @__PURE__ */ new Set([catalogModel.stringifyEntityRef(entity), ...membershipRefs]));
-}
-class CatalogAuthResolverContext {
-  constructor(logger, tokenIssuer, catalogIdentityClient, catalogApi, tokenManager) {
-    this.logger = logger;
-    this.tokenIssuer = tokenIssuer;
-    this.catalogIdentityClient = catalogIdentityClient;
-    this.catalogApi = catalogApi;
-    this.tokenManager = tokenManager;
-  }
-  static create(options) {
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi: options.catalogApi,
-      tokenManager: options.tokenManager
-    });
-    return new CatalogAuthResolverContext(
-      options.logger,
-      options.tokenIssuer,
-      catalogIdentityClient,
-      options.catalogApi,
-      options.tokenManager
-    );
-  }
-  async issueToken(params) {
-    const token = await this.tokenIssuer.issueToken(params);
-    return { token };
-  }
-  async findCatalogUser(query) {
-    let result = void 0;
-    const { token } = await this.tokenManager.getToken();
-    if ("entityRef" in query) {
-      const entityRef = catalogModel.parseEntityRef(query.entityRef, {
-        defaultKind: "User",
-        defaultNamespace: catalogModel.DEFAULT_NAMESPACE
-      });
-      result = await this.catalogApi.getEntityByRef(entityRef, { token });
-    } else if ("annotations" in query) {
-      const filter = {
-        kind: "user"
-      };
-      for (const [key, value] of Object.entries(query.annotations)) {
-        filter[`metadata.annotations.${key}`] = value;
-      }
-      const res = await this.catalogApi.getEntities({ filter }, { token });
-      result = res.items;
-    } else if ("filter" in query) {
-      const res = await this.catalogApi.getEntities(
-        { filter: query.filter },
-        { token }
-      );
-      result = res.items;
-    } else {
-      throw new errors.InputError("Invalid user lookup query");
-    }
-    if (Array.isArray(result)) {
-      if (result.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      }
-      result = result[0];
-    }
-    if (!result) {
-      throw new errors.NotFoundError("User not found");
-    }
-    return { entity: result };
-  }
-  async signInWithCatalogUser(query) {
-    const { entity } = await this.findCatalogUser(query);
-    const ownershipRefs = getDefaultOwnershipEntityRefs(entity);
-    const token = await this.tokenIssuer.issueToken({
-      claims: {
-        sub: catalogModel.stringifyEntityRef(entity),
-        ent: ownershipRefs
-      }
-    });
-    return { token };
-  }
-}
-
 var __accessCheck = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
@@ -2580,11 +2726,10 @@ async function createRouter(options) {
     config,
     discovery,
     database,
-    tokenManager,
     tokenFactoryAlgorithm,
-    providerFactories = {},
-    catalogApi
+    providerFactories = {}
   } = options;
+  const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters(options);
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -2637,100 +2782,29 @@ async function createRouter(options) {
   }
   router.use(express__default["default"].urlencoded({ extended: false }));
   router.use(express__default["default"].json());
-  const allProviderFactories = options.disableDefaultProviderFactories ? providerFactories : {
+  const providers = options.disableDefaultProviderFactories ? providerFactories : {
     ...defaultAuthProviderFactories,
     ...providerFactories
   };
-  const providersConfig = config.getOptionalConfig("auth.providers");
-  const isOriginAllowed = createOriginFilter(config);
-  for (const [providerId, providerFactory] of Object.entries(
-    allProviderFactories
-  )) {
-    if (providersConfig == null ? void 0 : providersConfig.has(providerId)) {
-      logger.info(`Configuring auth provider: ${providerId}`);
-      try {
-        const provider = providerFactory({
-          providerId,
-          appUrl,
-          baseUrl: authUrl,
-          isOriginAllowed,
-          globalConfig: {
-            baseUrl: authUrl,
-            appUrl,
-            isOriginAllowed
-          },
-          config: providersConfig.getConfig(providerId),
-          logger,
-          resolverContext: CatalogAuthResolverContext.create({
-            logger,
-            catalogApi: catalogApi != null ? catalogApi : new catalogClient.CatalogClient({ discoveryApi: discovery }),
-            tokenIssuer,
-            tokenManager
-          })
-        });
-        const r = Router__default["default"]();
-        r.get("/start", provider.start.bind(provider));
-        r.get("/handler/frame", provider.frameHandler.bind(provider));
-        r.post("/handler/frame", provider.frameHandler.bind(provider));
-        if (provider.logout) {
-          r.post("/logout", provider.logout.bind(provider));
-        }
-        if (provider.refresh) {
-          r.get("/refresh", provider.refresh.bind(provider));
-          r.post("/refresh", provider.refresh.bind(provider));
-        }
-        router.use(`/${providerId}`, r);
-      } catch (e) {
-        errors.assertError(e);
-        if (process.env.NODE_ENV !== "development") {
-          throw new Error(
-            `Failed to initialize ${providerId} auth provider, ${e.message}`
-          );
-        }
-        logger.warn(`Skipping ${providerId} auth provider, ${e.message}`);
-        router.use(`/${providerId}`, () => {
-          throw new errors.NotFoundError(
-            `Auth provider registered for '${providerId}' is misconfigured. This could mean the configs under auth.providers.${providerId} are missing or the environment variables used are not defined. Check the auth backend plugin logs when the backend starts to see more details.`
-          );
-        });
-      }
-    } else {
-      router.use(`/${providerId}`, () => {
-        throw new errors.NotFoundError(
-          `No auth provider registered for '${providerId}'`
-        );
-      });
-    }
-  }
-  router.use(
-    createOidcRouter({
-      tokenIssuer,
-      baseUrl: authUrl
-    })
-  );
+  bindProviderRouters(router, {
+    providers,
+    appUrl,
+    baseUrl: authUrl,
+    tokenIssuer,
+    ...options,
+    auth,
+    httpAuth
+  });
+  bindOidcRouter(router, {
+    tokenIssuer,
+    baseUrl: authUrl
+  });
   router.use("/:provider/", (req) => {
     const { provider } = req.params;
     throw new errors.NotFoundError(`Unknown auth provider '${provider}'`);
   });
   return router;
 }
-function createOriginFilter(config) {
-  var _a;
-  const appUrl = config.getString("app.baseUrl");
-  const { origin: appOrigin } = new URL(appUrl);
-  const allowedOrigins = config.getOptionalStringArray(
-    "auth.experimentalExtraAllowedOrigins"
-  );
-  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map(
-    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
-  )) != null ? _a : [];
-  return (origin) => {
-    if (origin === appOrigin) {
-      return true;
-    }
-    return allowedOriginPatterns.some((pattern) => pattern.match(origin));
-  };
-}
 
 const authPlugin = backendPluginApi.createBackendPlugin({
   pluginId: "auth",
@@ -2775,6 +2849,10 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           providerFactories: Object.fromEntries(providers),
           disableDefaultProviderFactories: true
         });
+        httpRouter.addAuthPolicy({
+          path: "/",
+          allow: "unauthenticated"
+        });
         httpRouter.use(router);
       }
     });