@backstage/plugin-auth-backend 0.22.4-next.0 → 0.22.4

package/dist/index.cjs.js

@@ -15,8 +15,8 @@ var url = require('url');
 var errors = require('@backstage/errors');
 var jose = require('jose');
 var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var fetch = require('node-fetch');
+var pluginAuthBackendModuleBitbucketProvider = require('@backstage/plugin-auth-backend-module-bitbucket-provider');
+var pluginAuthBackendModuleCloudflareAccessProvider = require('@backstage/plugin-auth-backend-module-cloudflare-access-provider');
 var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
@@ -29,6 +29,8 @@ var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backen
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('@node-saml/passport-saml');
 var passportOauth2 = require('passport-oauth2');
+var fetch = require('node-fetch');
+var pluginAuthBackendModuleAzureEasyauthProvider = require('@backstage/plugin-auth-backend-module-azure-easyauth-provider');
 var catalogClient = require('@backstage/catalog-client');
 var minimatch = require('minimatch');
 var catalogModel = require('@backstage/catalog-model');
@@ -219,10 +221,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$9 = Object.defineProperty;
+var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$9 = (obj, key, value) => {
+  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -231,8 +233,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$c(this, "baseCookieOptions");
-    __publicField$c(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$9(this, "baseCookieOptions");
+    __publicField$9(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -240,34 +242,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$c(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$9(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$c(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$9(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$c(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$9(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$c(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$9(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$c(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$9(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$c(this, "getCookieConfig", (origin) => {
+    __publicField$9(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -565,21 +567,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$8 = Object.defineProperty;
+var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$8 = (obj, key, value) => {
+  __defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$b(this, "_strategy");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "audience");
-    __publicField$b(this, "connection");
-    __publicField$b(this, "connectionScope");
+    __publicField$8(this, "_strategy");
+    __publicField$8(this, "signInResolver");
+    __publicField$8(this, "authHandler");
+    __publicField$8(this, "resolverContext");
+    __publicField$8(this, "audience");
+    __publicField$8(this, "connection");
+    __publicField$8(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -588,7 +590,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$b(this, "store", {
+    __publicField$8(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -740,370 +742,34 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-class BitbucketAuthProvider {
-  constructor(options) {
-    __publicField$a(this, "_strategy");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "authHandler");
-    __publicField$a(this, "resolverContext");
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-    this._strategy = new passportBitbucketOauth2.Strategy(
-      {
-        clientID: options.clientId,
-        clientSecret: options.clientSecret,
-        callbackURL: options.callbackUrl,
-        passReqToCallback: false
-      },
-      (accessToken, refreshToken, params, fullProfile, done) => {
-        done(
-          void 0,
-          {
-            fullProfile,
-            params,
-            accessToken,
-            refreshToken
-          },
-          {
-            refreshToken
-          }
-        );
-      }
-    );
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
-      this._strategy,
-      req.refreshToken,
-      req.scope
-    );
-    const fullProfile = await executeFetchUserProfileStrategy(
-      this._strategy,
-      accessToken
-    );
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
-        {
-          result,
-          profile
-        },
-        this.resolverContext
-      );
-    }
-    return response;
-  }
-}
 const bitbucket = createAuthProviderIntegration({
   create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-      var _a;
-      const clientId = envConfig.getString("clientId");
-      const clientSecret = envConfig.getString("clientSecret");
-      const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-      const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-        profile: makeProfileInfo(fullProfile, params.id_token)
-      });
-      const provider = new BitbucketAuthProvider({
-        clientId,
-        clientSecret,
-        callbackUrl,
-        signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-        authHandler,
-        resolverContext
-      });
-      return OAuthAdapter.fromConfig(globalConfig, provider, {
-        providerId,
-        callbackUrl
-      });
+    var _a;
+    return pluginAuthNode.createOAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleBitbucketProvider.bitbucketAuthenticator,
+      profileTransform: adaptLegacyOAuthHandler(options == null ? void 0 : options.authHandler),
+      signInResolver: adaptLegacyOAuthSignInResolver((_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver)
     });
   },
-  resolvers: {
-    /**
-     * Looks up the user by matching their username to the `bitbucket.org/username` annotation.
-     */
-    usernameMatchingUserEntityAnnotation() {
-      return async (info, ctx) => {
-        const { result } = info;
-        if (!result.fullProfile.username) {
-          throw new Error("Bitbucket profile contained no Username");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "bitbucket.org/username": result.fullProfile.username
-          }
-        });
-      };
-    },
-    /**
-     * Looks up the user by matching their user ID to the `bitbucket.org/user-id` annotation.
-     */
-    userIdMatchingUserEntityAnnotation() {
-      return async (info, ctx) => {
-        const { result } = info;
-        if (!result.fullProfile.id) {
-          throw new Error("Bitbucket profile contained no User ID");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "bitbucket.org/user-id": result.fullProfile.id
-          }
-        });
-      };
-    }
-  }
+  resolvers: adaptOAuthSignInResolverToLegacy({
+    userIdMatchingUserEntityAnnotation: pluginAuthBackendModuleBitbucketProvider.bitbucketSignInResolvers.userIdMatchingUserEntityAnnotation(),
+    usernameMatchingUserEntityAnnotation: pluginAuthBackendModuleBitbucketProvider.bitbucketSignInResolvers.usernameMatchingUserEntityAnnotation()
+  })
 });
 
-const commonByEmailLocalPartResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  const [localPart] = profile.email.split("@");
-  return ctx.signInWithCatalogUser({
-    entityRef: { name: localPart }
-  });
-};
-const commonByEmailResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  return ctx.signInWithCatalogUser({
-    filter: {
-      "spec.profile.email": profile.email
-    }
-  });
-};
-
-var __defProp$9 = Object.defineProperty;
-var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$9 = (obj, key, value) => {
-  __defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const CF_JWT_HEADER = "cf-access-jwt-assertion";
-const COOKIE_AUTH_NAME = "CF_Authorization";
-const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
-class CloudflareAccessAuthProvider {
-  constructor(options) {
-    __publicField$9(this, "teamName");
-    __publicField$9(this, "serviceTokens");
-    __publicField$9(this, "resolverContext");
-    __publicField$9(this, "authHandler");
-    __publicField$9(this, "signInResolver");
-    __publicField$9(this, "jwtKeySet");
-    __publicField$9(this, "cache");
-    this.teamName = options.teamName;
-    this.serviceTokens = options.serviceTokens;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-    this.jwtKeySet = jose.createRemoteJWKSet(
-      new URL(
-        `https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/certs`
-      )
-    );
-    this.cache = options.cache;
-  }
-  frameHandler() {
-    return Promise.resolve();
-  }
-  async refresh(req, res) {
-    const result = await this.getResult(req);
-    const response = await this.handleResult(result);
-    res.json(response);
-  }
-  start() {
-    return Promise.resolve();
-  }
-  async getIdentityProfile(jwt) {
-    const headers = new fetch.Headers();
-    headers.set(CF_JWT_HEADER, jwt);
-    headers.set("cookie", `${COOKIE_AUTH_NAME}=${jwt}`);
-    try {
-      const res = await fetch__default.default(
-        `https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/get-identity`,
-        { headers }
-      );
-      if (!res.ok) {
-        throw await errors.ResponseError.fromResponse(res);
-      }
-      const cfIdentity = await res.json();
-      return cfIdentity;
-    } catch (err) {
-      throw new errors.ForwardedError("getIdentityProfile failed", err);
-    }
-  }
-  async getResult(req) {
-    var _a, _b;
-    let jwt = req.header(CF_JWT_HEADER);
-    if (!jwt) {
-      jwt = req.cookies.CF_Authorization;
-    }
-    if (!jwt) {
-      throw new errors.AuthenticationError(
-        `Missing ${CF_JWT_HEADER} from Cloudflare Access`
-      );
-    }
-    const verifyResult = await jose.jwtVerify(jwt, this.jwtKeySet, {
-      issuer: `https://${this.teamName}.cloudflareaccess.com`
-    });
-    const isServiceToken = !verifyResult.payload.sub;
-    const subject = isServiceToken ? verifyResult.payload.common_name : verifyResult.payload.sub;
-    if (!subject) {
-      throw new errors.AuthenticationError(
-        `Missing both sub and common_name from Cloudflare Access JWT`
-      );
-    }
-    const serviceToken = this.serviceTokens.find((st) => st.token === subject);
-    if (isServiceToken && !serviceToken) {
-      throw new errors.AuthenticationError(
-        `${subject} is not a permitted Service Token.`
-      );
-    }
-    const cacheKey = `${CACHE_PREFIX}/${subject}`;
-    const cfAccessResultStr = await ((_a = this.cache) == null ? void 0 : _a.get(cacheKey));
-    if (typeof cfAccessResultStr === "string") {
-      const result = JSON.parse(cfAccessResultStr);
-      return {
-        ...result,
-        token: jwt
-      };
-    }
-    const claims = verifyResult.payload;
-    try {
-      let cfIdentity;
-      if (serviceToken) {
-        cfIdentity = {
-          id: subject,
-          name: "Bot",
-          email: serviceToken.subject,
-          groups: []
-        };
-      } else {
-        cfIdentity = await this.getIdentityProfile(jwt);
-      }
-      const cfAccessResult = {
-        claims,
-        cfIdentity,
-        expiresInSeconds: claims.exp - claims.iat
-      };
-      (_b = this.cache) == null ? void 0 : _b.set(cacheKey, JSON.stringify(cfAccessResult));
-      return {
-        ...cfAccessResult,
-        token: jwt
-      };
-    } catch (err) {
-      throw new errors.ForwardedError(
-        "Failed to populate access identity information",
-        err
-      );
-    }
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        expiresInSeconds: result.expiresInSeconds,
-        claims: result.claims,
-        cfAccessIdentityProfile: result.cfIdentity
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
-      profile
-    };
-  }
-}
 const cfAccess = createAuthProviderIntegration({
   create(options) {
-    return ({ config, resolverContext }) => {
-      const teamName = config.getString("teamName");
-      const serviceTokensConfig = config.getOptionalConfigArray("serviceTokens");
-      const serviceTokens = (serviceTokensConfig == null ? void 0 : serviceTokensConfig.map((cfg) => {
-        return {
-          token: cfg.getString("token"),
-          subject: cfg.getString("subject")
-        };
-      })) || [];
-      if (!options.signIn.resolver) {
-        throw new Error(
-          "SignInResolver is required to use this authentication provider"
-        );
-      }
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ claims, cfIdentity }) => {
-        return {
-          profile: {
-            email: claims.email,
-            displayName: cfIdentity.name
-          }
-        };
-      };
-      return new CloudflareAccessAuthProvider({
-        teamName,
-        serviceTokens,
-        signInResolver: options == null ? void 0 : options.signIn.resolver,
-        authHandler,
-        resolverContext,
-        ...options.cache && { cache: options.cache }
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleCloudflareAccessProvider.createCloudflareAccessAuthenticator({
+        cache: options.cache
+      }),
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+      signInResolverFactories: pluginAuthBackendModuleCloudflareAccessProvider.cloudflareAccessSignInResolvers
+    });
   },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver
-  }
+  resolvers: pluginAuthBackendModuleCloudflareAccessProvider.cloudflareAccessSignInResolvers
 });
 
 const gcpIap = createAuthProviderIntegration({
@@ -1236,6 +902,28 @@ const oauth2Proxy = createAuthProviderIntegration({
   }
 });
 
+const commonByEmailLocalPartResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  const [localPart] = profile.email.split("@");
+  return ctx.signInWithCatalogUser({
+    entityRef: { name: localPart }
+  });
+};
+const commonByEmailResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  return ctx.signInWithCatalogUser({
+    filter: {
+      "spec.profile.email": profile.email
+    }
+  });
+};
+
 const oidc = createAuthProviderIntegration({
   create(options) {
     var _a;
@@ -1302,18 +990,18 @@ const okta = createAuthProviderIntegration({
   }
 });
 
-var __defProp$8 = Object.defineProperty;
-var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$8 = (obj, key, value) => {
-  __defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$7 = Object.defineProperty;
+var __defNormalProp$7 = (obj, key, value) => key in obj ? __defProp$7(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$7 = (obj, key, value) => {
+  __defNormalProp$7(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class OneLoginProvider {
   constructor(options) {
-    __publicField$8(this, "_strategy");
-    __publicField$8(this, "signInResolver");
-    __publicField$8(this, "authHandler");
-    __publicField$8(this, "resolverContext");
+    __publicField$7(this, "_strategy");
+    __publicField$7(this, "signInResolver");
+    __publicField$7(this, "authHandler");
+    __publicField$7(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1427,19 +1115,19 @@ const onelogin = createAuthProviderIntegration({
   }
 });
 
-var __defProp$7 = Object.defineProperty;
-var __defNormalProp$7 = (obj, key, value) => key in obj ? __defProp$7(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$7 = (obj, key, value) => {
-  __defNormalProp$7(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$6 = Object.defineProperty;
+var __defNormalProp$6 = (obj, key, value) => key in obj ? __defProp$6(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$6 = (obj, key, value) => {
+  __defNormalProp$6(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class SamlAuthProvider {
   constructor(options) {
-    __publicField$7(this, "strategy");
-    __publicField$7(this, "signInResolver");
-    __publicField$7(this, "authHandler");
-    __publicField$7(this, "resolverContext");
-    __publicField$7(this, "appUrl");
+    __publicField$6(this, "strategy");
+    __publicField$6(this, "signInResolver");
+    __publicField$6(this, "authHandler");
+    __publicField$6(this, "resolverContext");
+    __publicField$6(this, "appUrl");
     this.appUrl = options.appUrl;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
@@ -1543,19 +1231,19 @@ const saml = createAuthProviderIntegration({
   }
 });
 
-var __defProp$6 = Object.defineProperty;
-var __defNormalProp$6 = (obj, key, value) => key in obj ? __defProp$6(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$6 = (obj, key, value) => {
-  __defNormalProp$6(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$5 = Object.defineProperty;
+var __defNormalProp$5 = (obj, key, value) => key in obj ? __defProp$5(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$5 = (obj, key, value) => {
+  __defNormalProp$5(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketServerAuthProvider {
   constructor(options) {
-    __publicField$6(this, "signInResolver");
-    __publicField$6(this, "authHandler");
-    __publicField$6(this, "resolverContext");
-    __publicField$6(this, "strategy");
-    __publicField$6(this, "host");
+    __publicField$5(this, "signInResolver");
+    __publicField$5(this, "authHandler");
+    __publicField$5(this, "resolverContext");
+    __publicField$5(this, "strategy");
+    __publicField$5(this, "host");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1720,112 +1408,16 @@ const bitbucketServer = createAuthProviderIntegration({
   }
 });
 
-var __defProp$5 = Object.defineProperty;
-var __defNormalProp$5 = (obj, key, value) => key in obj ? __defProp$5(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$5 = (obj, key, value) => {
-  __defNormalProp$5(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
-const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
-class EasyAuthAuthProvider {
-  constructor(options) {
-    __publicField$5(this, "resolverContext");
-    __publicField$5(this, "authHandler");
-    __publicField$5(this, "signInResolver");
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    const result = await this.getResult(req);
-    const response = await this.handleResult(result);
-    res.json(response);
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async getResult(req) {
-    const idToken = req.header(ID_TOKEN_HEADER);
-    const accessToken = req.header(ACCESS_TOKEN_HEADER);
-    if (idToken === void 0) {
-      throw new errors.AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);
-    }
-    return {
-      fullProfile: this.idTokenToProfile(idToken),
-      accessToken
-    };
-  }
-  idTokenToProfile(idToken) {
-    const claims = jose.decodeJwt(idToken);
-    if (claims.ver !== "2.0") {
-      throw new Error("id_token is not version 2.0 ");
-    }
-    return {
-      id: claims.oid,
-      displayName: claims.name,
-      provider: "easyauth",
-      emails: [{ value: claims.email }],
-      username: claims.preferred_username
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
-      profile
-    };
-  }
-}
 const easyAuth = createAuthProviderIntegration({
   create(options) {
-    return ({ resolverContext }) => {
-      var _a;
-      validateAppServiceConfiguration(process.env);
-      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-        throw new Error(
-          "SignInResolver is required to use this authentication provider"
-        );
-      }
-      const authHandler = (_a = options.authHandler) != null ? _a : async ({ fullProfile }) => ({
-        profile: makeProfileInfo(fullProfile)
-      });
-      return new EasyAuthAuthProvider({
-        signInResolver: options.signIn.resolver,
-        authHandler,
-        resolverContext
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleAzureEasyauthProvider.azureEasyAuthAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
-function validateAppServiceConfiguration(env) {
-  var _a, _b, _c;
-  if (env.WEBSITE_SKU === void 0) {
-    throw new Error("Backstage is not running on Azure App Services");
-  }
-  if (((_a = env.WEBSITE_AUTH_ENABLED) == null ? void 0 : _a.toLowerCase()) !== "true") {
-    throw new Error("Azure App Services does not have authentication enabled");
-  }
-  if (((_b = env.WEBSITE_AUTH_DEFAULT_PROVIDER) == null ? void 0 : _b.toLowerCase()) !== "azureactivedirectory") {
-    throw new Error("Authentication provider is not Entra ID");
-  }
-  if (((_c = process.env.WEBSITE_AUTH_TOKEN_STORE) == null ? void 0 : _c.toLowerCase()) !== "true") {
-    throw new Error("Token Store is not enabled");
-  }
-}
 
 const providers = Object.freeze({
   atlassian,
@@ -2156,7 +1748,7 @@ function createOriginFilter(config) {
 }
 
 function bindOidcRouter(targetRouter, options) {
-  const { baseUrl, tokenIssuer } = options;
+  const { baseUrl, auth, tokenIssuer } = options;
   const router = Router__default.default();
   targetRouter.use(router);
   const config = {
@@ -2180,7 +1772,7 @@ function bindOidcRouter(targetRouter, options) {
     ],
     scopes_supported: ["openid"],
     token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
+    claims_supported: ["sub", "ent"],
     grant_types_supported: []
   };
   router.get("/.well-known/openid-configuration", (_req, res) => {
@@ -2193,8 +1785,31 @@ function bindOidcRouter(targetRouter, options) {
   router.get("/v1/token", (_req, res) => {
     res.status(501).send("Not Implemented");
   });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
+  router.get("/v1/userinfo", async (req, res) => {
+    var _a;
+    const matches = (_a = req.headers.authorization) == null ? void 0 : _a.match(/^Bearer[ ]+(\S+)$/i);
+    const token = matches == null ? void 0 : matches[1];
+    if (!token) {
+      throw new errors.AuthenticationError("No token provided");
+    }
+    const credentials = await auth.authenticate(token, {
+      allowLimitedAccess: true
+    });
+    if (!auth.isPrincipal(credentials, "user")) {
+      throw new errors.InputError(
+        "Userinfo endpoint must be called with a token that represents a user principal"
+      );
+    }
+    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = jose.decodeJwt(token);
+    if (typeof userEntityRef !== "string") {
+      throw new Error("Invalid user token, user entity ref must be a string");
+    }
+    if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
+      throw new Error(
+        "Invalid user token, ownership entity refs must be an array of strings"
+      );
+    }
+    res.json({ sub: userEntityRef, ent: ownershipEntityRefs });
   });
 }
 
@@ -2225,8 +1840,8 @@ class TokenFactory {
   async issueToken(params) {
     const key = await this.getKey();
     const iss = this.issuer;
-    const { sub, ent, ...additionalClaims } = params.claims;
-    const aud = "backstage";
+    const { sub, ent = [sub], ...additionalClaims } = params.claims;
+    const aud = pluginAuthNode.tokenTypes.user.audClaim;
     const iat = Math.floor(Date.now() / MS_IN_S$1);
     const exp = iat + this.keyDurationSeconds;
     try {
@@ -2236,12 +1851,35 @@ class TokenFactory {
         '"sub" claim provided by the auth resolver is not a valid EntityRef.'
       );
     }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    const claims = { ...additionalClaims, iss, sub, ent, aud, iat, exp };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+    const signingKey = await jose.importJWK(key);
+    const uip = await this.createUserIdentityClaim({
+      header: {
+        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+        alg: key.alg,
+        kid: key.kid
+      },
+      payload: { sub, ent, iat, exp },
+      key: signingKey
+    });
+    const claims = {
+      ...additionalClaims,
+      iss,
+      sub,
+      ent,
+      aud,
+      iat,
+      exp,
+      uip
+    };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({
+      typ: pluginAuthNode.tokenTypes.user.typParam,
+      alg: key.alg,
+      kid: key.kid
+    }).sign(signingKey);
     if (token.length > MAX_TOKEN_LENGTH) {
       throw new Error(
         `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
@@ -2308,6 +1946,26 @@ class TokenFactory {
     }
     return promise;
   }
+  // Creates a string claim that can be used as part of reconstructing a limited
+  // user token. The output of this function is only the signature part of a
+  // JWS.
+  async createUserIdentityClaim(options) {
+    const header = {
+      typ: options.header.typ,
+      alg: options.header.alg,
+      ...options.header.kid ? { kid: options.header.kid } : {}
+    };
+    const payload = {
+      sub: options.payload.sub,
+      ent: options.payload.ent,
+      iat: options.payload.iat,
+      exp: options.payload.exp
+    };
+    const jws = await new jose.GeneralSign(
+      new TextEncoder().encode(JSON.stringify(payload))
+    ).addSignature(options.key).setProtectedHeader(header).done().sign();
+    return jws.signatures[0].signature;
+  }
 }
 
 const TABLE = "signing_keys";
@@ -2807,6 +2465,7 @@ async function createRouter(options) {
     httpAuth
   });
   bindOidcRouter(router, {
+    auth,
     tokenIssuer,
     baseUrl: authUrl
   });
@@ -2839,6 +2498,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database: backendPluginApi.coreServices.database,
         discovery: backendPluginApi.coreServices.discovery,
         tokenManager: backendPluginApi.coreServices.tokenManager,
+        auth: backendPluginApi.coreServices.auth,
+        httpAuth: backendPluginApi.coreServices.httpAuth,
         catalogApi: alpha.catalogServiceRef
       },
       async init({
@@ -2848,6 +2509,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database,
         discovery,
         tokenManager,
+        auth,
+        httpAuth,
         catalogApi
       }) {
         const router = await createRouter({
@@ -2856,6 +2519,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           database,
           discovery,
           tokenManager,
+          auth,
+          httpAuth,
           catalogApi,
           providerFactories: Object.fromEntries(providers),
           disableDefaultProviderFactories: true