@backstage/plugin-auth-backend 0.24.5 → 0.25.0-next.1

package/dist/index.d.ts

@@ -1,23 +1,4 @@
 import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
-import { LoggerService, DatabaseService, RootConfigService, DiscoveryService, AuthService, HttpAuthService } from '@backstage/backend-plugin-api';
-import express from 'express';
-import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
-import { TokenParams as TokenParams$1, AuthProviderFactory as AuthProviderFactory$1, AuthOwnershipResolver, ProfileInfo as ProfileInfo$1, BackstageSignInResult, OAuthState as OAuthState$1, AuthResolverCatalogUserQuery as AuthResolverCatalogUserQuery$1, AuthResolverContext as AuthResolverContext$1, CookieConfigurer as CookieConfigurer$1, AuthProviderConfig as AuthProviderConfig$1, AuthProviderRouteHandlers as AuthProviderRouteHandlers$1, ClientAuthResponse, SignInInfo as SignInInfo$1, SignInResolver as SignInResolver$1, OAuthEnvironmentHandler as OAuthEnvironmentHandler$1, decodeOAuthState, encodeOAuthState, prepareBackstageIdentityResponse as prepareBackstageIdentityResponse$1, WebMessageResponse as WebMessageResponse$1 } from '@backstage/plugin-auth-node';
-import { TokenManager } from '@backstage/backend-common';
-import { CatalogApi } from '@backstage/catalog-client';
-import { Config } from '@backstage/config';
-import { Profile } from 'passport';
-import * as _backstage_plugin_auth_backend_module_aws_alb_provider from '@backstage/plugin-auth-backend-module-aws-alb-provider';
-import { AwsAlbResult as AwsAlbResult$1 } from '@backstage/plugin-auth-backend-module-aws-alb-provider';
-import * as _backstage_plugin_auth_backend_module_azure_easyauth_provider from '@backstage/plugin-auth-backend-module-azure-easyauth-provider';
-import { AzureEasyAuthResult } from '@backstage/plugin-auth-backend-module-azure-easyauth-provider';
-import * as _backstage_plugin_auth_backend_module_oauth2_proxy_provider from '@backstage/plugin-auth-backend-module-oauth2-proxy-provider';
-import { OAuth2ProxyResult as OAuth2ProxyResult$1 } from '@backstage/plugin-auth-backend-module-oauth2-proxy-provider';
-import * as _backstage_plugin_auth_backend_module_oidc_provider from '@backstage/plugin-auth-backend-module-oidc-provider';
-import { OidcAuthResult as OidcAuthResult$1 } from '@backstage/plugin-auth-backend-module-oidc-provider';
-import { GcpIapTokenInfo as GcpIapTokenInfo$1, GcpIapResult as GcpIapResult$1 } from '@backstage/plugin-auth-backend-module-gcp-iap-provider';
-import * as _backstage_plugin_auth_backend_module_cloudflare_access_provider from '@backstage/plugin-auth-backend-module-cloudflare-access-provider';
-import { UserEntity, Entity } from '@backstage/catalog-model';
 
 /**
  * Auth plugin
@@ -26,834 +7,4 @@ import { UserEntity, Entity } from '@backstage/catalog-model';
  */
 declare const authPlugin: _backstage_backend_plugin_api.BackendFeature;
 
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type TokenParams = TokenParams$1;
-
-/**
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-type ProviderFactories = {
-    [s: string]: AuthProviderFactory$1;
-};
-/**
- * @public
- * @deprecated this export will be removed
- */
-declare function createOriginFilter(config: Config): (origin: string) => boolean;
-
-/**
- * @public
- * @deprecated Please migrate to the new backend system as this will be removed in the future.
- */
-interface RouterOptions {
-    logger: LoggerService;
-    database: DatabaseService;
-    config: RootConfigService;
-    discovery: DiscoveryService;
-    tokenManager?: TokenManager;
-    auth?: AuthService;
-    httpAuth?: HttpAuthService;
-    tokenFactoryAlgorithm?: string;
-    providerFactories?: ProviderFactories;
-    disableDefaultProviderFactories?: boolean;
-    catalogApi?: CatalogApi;
-    ownershipResolver?: AuthOwnershipResolver;
-}
-/**
- * @public
- * @deprecated Please migrate to the new backend system as this will be removed in the future.
- */
-declare function createRouter(options: RouterOptions): Promise<express.Router>;
-
-/**
- * Common options for passport.js-based OAuth providers
- *
- * @public
- * @deprecated No longer in use
- */
-type OAuthProviderOptions = {
-    /**
-     * Client ID of the auth provider.
-     */
-    clientId: string;
-    /**
-     * Client Secret of the auth provider.
-     */
-    clientSecret: string;
-    /**
-     * Callback URL to be passed to the auth provider to redirect to after the user signs in.
-     */
-    callbackUrl: string;
-};
-/**
- * @public
- * @deprecated Use `OAuthAuthenticatorResult<PassportProfile>` from `@backstage/plugin-auth-node` instead
- */
-type OAuthResult = {
-    fullProfile: Profile;
-    params: {
-        id_token?: string;
-        scope: string;
-        token_type?: string;
-        expires_in: number;
-    };
-    accessToken: string;
-    refreshToken?: string;
-};
-/**
- * @public
- * @deprecated Use `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
- */
-type OAuthResponse = {
-    profile: ProfileInfo$1;
-    providerInfo: OAuthProviderInfo;
-    backstageIdentity?: BackstageSignInResult;
-};
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type OAuthProviderInfo = {
-    /**
-     * An access token issued for the signed in user.
-     */
-    accessToken: string;
-    /**
-     * (Optional) Id token issued for the signed in user.
-     */
-    idToken?: string;
-    /**
-     * Expiry of the access token in seconds.
-     */
-    expiresInSeconds?: number;
-    /**
-     * Scopes granted for the access token.
-     */
-    scope: string;
-};
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type OAuthState = OAuthState$1;
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type OAuthStartRequest = express.Request<{}> & {
-    scope: string;
-    state: OAuthState;
-};
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type OAuthRefreshRequest = express.Request<{}> & {
-    scope: string;
-    refreshToken: string;
-};
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type OAuthLogoutRequest = express.Request<{}> & {
-    refreshToken: string;
-};
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-interface OAuthHandlers {
-    /**
-     * Initiate a sign in request with an auth provider.
-     */
-    start(req: OAuthStartRequest): Promise<OAuthStartResponse>;
-    /**
-     * Handle the redirect from the auth provider when the user has signed in.
-     */
-    handler(req: express.Request): Promise<{
-        response: OAuthResponse;
-        refreshToken?: string;
-    }>;
-    /**
-     * (Optional) Given a refresh token and scope fetches a new access token from the auth provider.
-     */
-    refresh?(req: OAuthRefreshRequest): Promise<{
-        response: OAuthResponse;
-        refreshToken?: string;
-    }>;
-    /**
-     * (Optional) Sign out of the auth provider.
-     */
-    logout?(req: OAuthLogoutRequest): Promise<void>;
-}
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthResolverCatalogUserQuery = AuthResolverCatalogUserQuery$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthResolverContext = AuthResolverContext$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type CookieConfigurer = CookieConfigurer$1;
-/**
- * @public
- * @deprecated Use `createOAuthAuthenticator` from `@backstage/plugin-auth-node` instead
- */
-type OAuthStartResponse = {
-    /**
-     * URL to redirect to
-     */
-    url: string;
-    /**
-     * Status code to use for the redirect
-     */
-    status?: number;
-};
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderConfig = AuthProviderConfig$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderRouteHandlers = AuthProviderRouteHandlers$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type AuthProviderFactory = AuthProviderFactory$1;
-/**
- * @public
- * @deprecated import `ClientAuthResponse` from `@backstage/plugin-auth-node` instead
- */
-type AuthResponse<TProviderInfo> = ClientAuthResponse<TProviderInfo>;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type ProfileInfo = ProfileInfo$1;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type SignInInfo<TAuthResult> = SignInInfo$1<TAuthResult>;
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type SignInResolver<TAuthResult> = SignInResolver$1<TAuthResult>;
-/**
- * The return type of an authentication handler. Must contain valid profile
- * information.
- *
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type AuthHandlerResult = {
-    profile: ProfileInfo$1;
-};
-/**
- * The AuthHandler function is called every time the user authenticates using
- * the provider.
- *
- * The handler should return a profile that represents the session for the user
- * in the frontend.
- *
- * Throwing an error in the function will cause the authentication to fail,
- * making it possible to use this function as a way to limit access to a certain
- * group of users.
- *
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type AuthHandler<TAuthResult> = (input: TAuthResult, context: AuthResolverContext$1) => Promise<AuthHandlerResult>;
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type StateEncoder = (req: OAuthStartRequest) => Promise<{
-    encodedState: string;
-}>;
-
-/**
- * The result of the initial auth challenge. This is the input to the auth
- * callbacks.
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-aws-alb-provider` instead
- */
-type AwsAlbResult = AwsAlbResult$1;
-
-/**
- * @public
- * @deprecated import AzureEasyAuthResult from `@backstage/plugin-auth-backend-module-azure-easyauth-provider` instead
- */
-type EasyAuthResult = AzureEasyAuthResult;
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-declare const OAuthEnvironmentHandler: typeof OAuthEnvironmentHandler$1;
-
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-type OAuthAdapterOptions = {
-    providerId: string;
-    persistScopes?: boolean;
-    appOrigin: string;
-    baseUrl: string;
-    cookieConfigurer: CookieConfigurer$1;
-    isOriginAllowed: (origin: string) => boolean;
-    callbackUrl: string;
-};
-/**
- * @public
- * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead
- */
-declare class OAuthAdapter implements AuthProviderRouteHandlers$1 {
-    private readonly handlers;
-    private readonly options;
-    static fromConfig(config: AuthProviderConfig$1, handlers: OAuthHandlers, options: Pick<OAuthAdapterOptions, 'providerId' | 'persistScopes' | 'callbackUrl'>): OAuthAdapter;
-    private readonly baseCookieOptions;
-    constructor(handlers: OAuthHandlers, options: OAuthAdapterOptions);
-    start(req: express.Request, res: express.Response): Promise<void>;
-    frameHandler(req: express.Request, res: express.Response): Promise<void>;
-    logout(req: express.Request, res: express.Response): Promise<void>;
-    refresh(req: express.Request, res: express.Response): Promise<void>;
-    /**
-     * If the response from the OAuth provider includes a Backstage identity, we
-     * make sure it's populated with all the information we can derive from the user ID.
-     */
-    private populateIdentity;
-    private setNonceCookie;
-    private setGrantedScopeCookie;
-    private getRefreshTokenFromCookie;
-    private getGrantedScopeFromCookie;
-    private setRefreshTokenCookie;
-    private removeRefreshTokenCookie;
-    private getCookieConfig;
-}
-
-/**
- * @public
- * @deprecated Use `decodeOAuthState` from `@backstage/plugin-auth-node` instead
- */
-declare const readState: typeof decodeOAuthState;
-/**
- * @public
- * @deprecated Use `encodeOAuthState` from `@backstage/plugin-auth-node` instead
- */
-declare const encodeState: typeof encodeOAuthState;
-/**
- * @public
- * @deprecated Use inline logic to make sure the session and state nonce matches instead.
- */
-declare const verifyNonce: (req: express.Request, providerId: string) => void;
-
-/**
- * @public
- * @deprecated The Bitbucket auth provider was extracted to `@backstage/plugin-auth-backend-module-bitbucket-provider`.
- */
-type BitbucketOAuthResult = {
-    fullProfile: BitbucketPassportProfile;
-    params: {
-        id_token?: string;
-        scope: string;
-        expires_in: number;
-    };
-    accessToken: string;
-    refreshToken?: string;
-};
-/**
- * @public
- * @deprecated The Bitbucket auth provider was extracted to `@backstage/plugin-auth-backend-module-bitbucket-provider`.
- */
-type BitbucketPassportProfile = Profile & {
-    id?: string;
-    displayName?: string;
-    username?: string;
-    avatarUrl?: string;
-    _json?: {
-        links?: {
-            avatar?: {
-                href?: string;
-            };
-        };
-    };
-};
-
-/**
- * @public
- * @deprecated The Bitbucket Server auth provider was extracted to `@backstage/plugin-auth-backend-module-bitbucket-server-provider`.
- */
-type BitbucketServerOAuthResult = {
-    fullProfile: Profile;
-    params: {
-        scope: string;
-        access_token?: string;
-        token_type?: string;
-        expires_in?: number;
-    };
-    accessToken: string;
-    refreshToken?: string;
-};
-
-/**
- * CloudflareAccessClaims
- *
- * Can be used in externally provided auth handler or sign in resolver to
- * enrich user profile for sign-in user entity
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-cloudflare-access-provider` instead
- */
-type CloudflareAccessClaims = {
-    /**
-     * `aud` identifies the application to which the JWT is issued.
-     */
-    aud: string[];
-    /**
-     * `email` contains the email address of the authenticated user.
-     */
-    email: string;
-    /**
-     * iat and exp are the issuance and expiration timestamps.
-     */
-    exp: number;
-    iat: number;
-    /**
-     * `nonce` is the session identifier.
-     */
-    nonce: string;
-    /**
-     * `identity_nonce` is available in the Application Token and can be used to
-     * query all group membership for a given user.
-     */
-    identity_nonce: string;
-    /**
-     * `sub` contains the identifier of the authenticated user.
-     */
-    sub: string;
-    /**
-     * `iss` the issuer is the application’s Cloudflare Access Domain URL.
-     */
-    iss: string;
-    /**
-     * `custom` contains SAML attributes in the Application Token specified by an
-     * administrator in the identity provider configuration.
-     */
-    custom: string;
-};
-/**
- * CloudflareAccessGroup
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-cloudflare-access-provider` instead
- */
-type CloudflareAccessGroup = {
-    /**
-     * Group id
-     */
-    id: string;
-    /**
-     * Name of group as defined in Cloudflare zero trust dashboard
-     */
-    name: string;
-    /**
-     * Access group email address
-     */
-    email: string;
-};
-/**
- * CloudflareAccessIdentityProfile
- *
- * Can be used in externally provided auth handler or sign in resolver to
- * enrich user profile for sign-in user entity
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-cloudflare-access-provider` instead
- */
-type CloudflareAccessIdentityProfile = {
-    id: string;
-    name: string;
-    email: string;
-    groups: CloudflareAccessGroup[];
-};
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-cloudflare-access-provider` instead
- */
-type CloudflareAccessResult = {
-    claims: CloudflareAccessClaims;
-    cfIdentity: CloudflareAccessIdentityProfile;
-    expiresInSeconds?: number;
-    token: string;
-};
-
-/**
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-type GithubOAuthResult = {
-    fullProfile: Profile;
-    params: {
-        scope: string;
-        expires_in?: string;
-        refresh_token_expires_in?: string;
-    };
-    accessToken: string;
-    refreshToken?: string;
-};
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-oauth2-proxy-provider` instead
- */
-type OAuth2ProxyResult = OAuth2ProxyResult$1;
-
-/**
- * @public
- * @deprecated Use OidcAuthResult from `@backstage/plugin-auth-backend-module-oidc-provider` instead
- */
-type OidcAuthResult = OidcAuthResult$1;
-
-/**
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-type SamlAuthResult = {
-    fullProfile: any;
-};
-
-/**
- * The data extracted from an IAP token.
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
- */
-type GcpIapTokenInfo = GcpIapTokenInfo$1;
-/**
- * The result of the initial auth challenge. This is the input to the auth
- * callbacks.
- *
- * @public
- * @deprecated import from `@backstage/plugin-auth-backend-module-gcp-iap-provider` instead
- */
-type GcpIapResult = GcpIapResult$1;
-
-/**
- * All built-in auth provider integrations.
- *
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-declare const providers: Readonly<{
-    atlassian: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    auth0: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    awsAlb: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_aws_alb_provider.AwsAlbResult>;
-            signIn: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<_backstage_plugin_auth_backend_module_aws_alb_provider.AwsAlbResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    bitbucket: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            userIdMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            usernameMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-        }>;
-    }>;
-    bitbucketServer: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<BitbucketServerOAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<BitbucketServerOAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<BitbucketServerOAuthResult>;
-        }>;
-    }>;
-    cfAccess: Readonly<{
-        create: (options: {
-            authHandler?: AuthHandler<CloudflareAccessResult>;
-            signIn: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<CloudflareAccessResult>;
-            };
-            cache?: _backstage_backend_plugin_api.CacheService;
-        }) => AuthProviderFactory$1;
-        resolvers: Readonly<typeof _backstage_plugin_auth_backend_module_cloudflare_access_provider.cloudflareAccessSignInResolvers>;
-    }>;
-    gcpIap: Readonly<{
-        create: (options: {
-            authHandler?: AuthHandler<GcpIapResult>;
-            signIn: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<GcpIapResult>;
-            };
-        }) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    github: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<GithubOAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
-            };
-            stateEncoder?: StateEncoder;
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            usernameMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<GithubOAuthResult>;
-        }>;
-    }>;
-    gitlab: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    google: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-        }>;
-    }>;
-    microsoft: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            userIdMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            emailMatchingUserEntityAnnotation: () => _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-        }>;
-    }>;
-    oauth2: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    oauth2Proxy: Readonly<{
-        create: (options: {
-            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_oauth2_proxy_provider.OAuth2ProxyResult>;
-            signIn: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<_backstage_plugin_auth_backend_module_oauth2_proxy_provider.OAuth2ProxyResult>;
-            };
-        }) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    oidc: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_oidc_provider.OidcAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<_backstage_plugin_auth_backend_module_oidc_provider.OidcAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<unknown>;
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<unknown>;
-        }>;
-    }>;
-    okta: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            emailLocalPartMatchingUserEntityName: () => _backstage_plugin_auth_node.SignInResolver<unknown>;
-            emailMatchingUserEntityProfileEmail: () => _backstage_plugin_auth_node.SignInResolver<unknown>;
-            emailMatchingUserEntityAnnotation(): _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-        }>;
-    }>;
-    onelogin: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<OAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<OAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-    saml: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<SamlAuthResult>;
-            signIn?: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<SamlAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: Readonly<{
-            nameIdMatchingUserEntityName(): _backstage_plugin_auth_node.SignInResolver<SamlAuthResult>;
-        }>;
-    }>;
-    easyAuth: Readonly<{
-        create: (options?: {
-            authHandler?: AuthHandler<_backstage_plugin_auth_backend_module_azure_easyauth_provider.AzureEasyAuthResult>;
-            signIn: {
-                resolver: _backstage_plugin_auth_node.SignInResolver<_backstage_plugin_auth_backend_module_azure_easyauth_provider.AzureEasyAuthResult>;
-            };
-        } | undefined) => AuthProviderFactory$1;
-        resolvers: never;
-    }>;
-}>;
-/**
- * All auth provider factories that are installed by default.
- *
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-declare const defaultAuthProviderFactories: {
-    [providerId: string]: AuthProviderFactory$1;
-};
-
-/**
- * Creates a standardized representation of an integration with a third-party
- * auth provider.
- *
- * The returned object facilitates the creation of provider instances, and
- * supplies built-in sign-in resolvers for the specific provider.
- *
- * @public
- * @deprecated Migrate the auth plugin to the new backend system https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
- */
-declare function createAuthProviderIntegration<TCreateOptions extends unknown[], TResolvers extends {
-    [name in string]: (...args: any[]) => SignInResolver$1<any>;
-}>(config: {
-    create: (...args: TCreateOptions) => AuthProviderFactory$1;
-    resolvers?: TResolvers;
-}): Readonly<{
-    create: (...args: TCreateOptions) => AuthProviderFactory$1;
-    resolvers: Readonly<string extends keyof TResolvers ? never : TResolvers>;
-}>;
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-declare const prepareBackstageIdentityResponse: typeof prepareBackstageIdentityResponse$1;
-
-/**
- * @public
- * @deprecated import from `@backstage/plugin-auth-node` instead
- */
-type WebMessageResponse = WebMessageResponse$1;
-
-/**
- * @public
- * @deprecated Use `sendWebMessageResponse` from `@backstage/plugin-auth-node` instead
- */
-declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
-/**
- * @public
- * @deprecated Use inline logic to check that the `X-Requested-With` header is set to `'XMLHttpRequest'` instead.
- */
-declare const ensuresXRequestedWith: (req: express.Request) => boolean;
-
-/**
- * A catalog client tailored for reading out identity data from the catalog.
- *
- * @public
- * @deprecated Use the provided `AuthResolverContext` instead, see https://backstage.io/docs/auth/identity-resolver#building-custom-resolvers
- */
-declare class CatalogIdentityClient {
-    private readonly catalogApi;
-    private readonly auth;
-    constructor(options: {
-        catalogApi: CatalogApi;
-        tokenManager?: TokenManager;
-        discovery: DiscoveryService;
-        auth?: AuthService;
-        httpAuth?: HttpAuthService;
-    });
-    /**
-     * Looks up a single user using a query.
-     *
-     * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
-     */
-    findUser(query: {
-        annotations: Record<string, string>;
-    }): Promise<UserEntity>;
-    /**
-     * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
-     * to be used within a `signInResolver` where additional entity claims might be provided, but
-     * group membership and transient group membership lean on imported catalog relations.
-     *
-     * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
-     */
-    resolveCatalogMembership(query: {
-        entityRefs: string[];
-        logger?: LoggerService;
-    }): Promise<string[]>;
-}
-
-/**
- * Uses the default ownership resolution logic to return an array
- * of entity refs that the provided entity claims ownership through.
- *
- * A reference to the entity itself will also be included in the returned array.
- *
- * @public
- * @deprecated use `ctx.resolveOwnershipEntityRefs(entity)` from the provided `AuthResolverContext` instead.
- */
-declare function getDefaultOwnershipEntityRefs(entity: Entity): string[];
-
-export { type AuthHandler, type AuthHandlerResult, type AuthProviderConfig, type AuthProviderFactory, type AuthProviderRouteHandlers, type AuthResolverCatalogUserQuery, type AuthResolverContext, type AuthResponse, type AwsAlbResult, type BitbucketOAuthResult, type BitbucketPassportProfile, type BitbucketServerOAuthResult, CatalogIdentityClient, type CloudflareAccessClaims, type CloudflareAccessGroup, type CloudflareAccessIdentityProfile, type CloudflareAccessResult, type CookieConfigurer, type EasyAuthResult, type GcpIapResult, type GcpIapTokenInfo, type GithubOAuthResult, type OAuth2ProxyResult, OAuthAdapter, type OAuthAdapterOptions, OAuthEnvironmentHandler, type OAuthHandlers, type OAuthLogoutRequest, type OAuthProviderInfo, type OAuthProviderOptions, type OAuthRefreshRequest, type OAuthResponse, type OAuthResult, type OAuthStartRequest, type OAuthStartResponse, type OAuthState, type OidcAuthResult, type ProfileInfo, type ProviderFactories, type RouterOptions, type SamlAuthResult, type SignInInfo, type SignInResolver, type StateEncoder, type TokenParams, type WebMessageResponse, createAuthProviderIntegration, createOriginFilter, createRouter, authPlugin as default, defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getDefaultOwnershipEntityRefs, postMessageResponse, prepareBackstageIdentityResponse, providers, readState, verifyNonce };
+export { authPlugin as default };