npm - @backstage/plugin-auth-backend - Versions diffs - 0.3.21 → 0.4.0 - Mend

@backstage/plugin-auth-backend 0.3.21 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,66 @@
 # @backstage/plugin-auth-backend
+## 0.4.0
+### Minor Changes
+- 19f45179a5: Bump `passport-saml` to version 3. This is a breaking change, in that it [now requires](https://github.com/node-saml/passport-saml/pull/548) the `auth.saml.cert` parameter to be set. If you are not using SAML auth, you can ignore this.
+  To update your settings, add something similar to the following to your app-config:
+  ```yaml
+  auth:
+    saml:
+      # ... other settings ...
+      cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
+  ```
+  For more information, see the [library README](https://github.com/node-saml/passport-saml#security-and-signatures).
+### Patch Changes
+- 560d6810f0: Fix a bug preventing an access token to be refreshed a second time with the GitLab provider.
+- de5717872d: Use a more informative error message if the configured OIDC identity provider does not provide a `userinfo_endpoint` in its metadata.
+- Updated dependencies
+  - @backstage/backend-common@0.9.3
+## 0.3.24
+### Patch Changes
+- 2a105f451: Add a warning log message that `passport-saml` will require a `cert` config parameter imminently.
+  We intend to upgrade this package soon, past the point where we will start to strictly require the `auth.saml.cert` configuration parameter to be present. To avoid issues starting your auth backend, please
+- 31892ee25: typo fix `tenentId` in Azure auth provider docs
+- e9b1e2a9f: Added signIn and authHandler resolver for oAuth2 provider
+- ca45b169d: Export GitHub to allow use with Identity resolver
+- Updated dependencies
+  - @backstage/catalog-model@0.9.1
+  - @backstage/backend-common@0.9.1
+## 0.3.23
+### Patch Changes
+- 392b36fa1: Added support for using authenticating via GitHub Apps in addition to GitHub OAuth Apps. It used to be possible to use GitHub Apps, but they did not handle session refresh correctly.
+  Note that GitHub Apps handle OAuth scope at the app installation level, meaning that the `scope` parameter for `getAccessToken` has no effect. When calling `getAccessToken` in open source plugins, one should still include the appropriate scope, but also document in the plugin README what scopes are required in the case of GitHub Apps.
+  In addition, the `authHandler` and `signInResolver` options have been implemented for the GitHub provider in the auth backend.
+- ea9fe9567: Fixed a bug where OAuth state parameters would be serialized as the string `'undefined'`.
+- 39fc3d7f8: Add Sign In and Handler resolver for GitLab provider
+- Updated dependencies
+  - @backstage/backend-common@0.9.0
+  - @backstage/config@0.1.8
+## 0.3.22
+### Patch Changes
+- 79d24a966: Fix an issue where the default app origin was not allowed to authenticate users.
 ## 0.3.21
 ### Patch Changes

package/config.d.ts CHANGED Viewed

@@ -48,7 +48,7 @@ export interface Config {
         entryPoint: string;
         logoutUrl?: string;
         issuer: string;
-        cert?: string;
+        cert: string;
         privateKey?: string;
         decryptionPvk?: string;
         signatureAlgorithm?: 'sha256' | 'sha512';

package/dist/index.cjs.js CHANGED Viewed

@@ -5,18 +5,19 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
-var passportGoogleOauth20 = require('passport-google-oauth20');
+var passportGithub2 = require('passport-github2');
+var jwtDecoder = require('jwt-decode');
 var errors = require('@backstage/errors');
-var catalogModel = require('@backstage/catalog-model');
+var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
-var jwtDecoder = require('jwt-decode');
+var catalogModel = require('@backstage/catalog-model');
+var passportGitlab2 = require('passport-gitlab2');
+var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
 var got = require('got');
-var passportOktaOauth = require('passport-okta-oauth');
-var passportGithub2 = require('passport-github2');
-var passportGitlab2 = require('passport-gitlab2');
 var OAuth2Strategy = require('passport-oauth2');
+var passportOktaOauth = require('passport-okta-oauth');
 var openidClient = require('openid-client');
 var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -56,9 +57,10 @@ function _interopNamespace(e) {
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
+var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var got__default = /*#__PURE__*/_interopDefaultLegacy(got);
 var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
@@ -66,79 +68,118 @@ var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
-class CatalogIdentityClient {
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+const makeProfileInfo = (profile, idToken) => {
+  var _a, _b;
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
   }
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const token = await this.tokenIssuer.issueToken({
-      claims: {sub: "backstage.io/auth-backend"}
-    });
-    const {items} = await this.catalogApi.getEntities({filter}, {token});
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
   }
-  async resolveCatalogMembership({
-    entityRefs,
-    logger
-  }) {
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
+  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jwtDecoder__default['default'](idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
       }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const entities = await this.catalogApi.getEntities({filter}).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
     }
-    const memberOf = entities.flatMap((e) => {
-      var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
-    });
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
-    ];
-    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
   }
-}
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
   return {
-    sub: userRef,
-    ent: [userRef, ...membershipRefs]
+    email,
+    picture,
+    displayName
   };
-}
+};
+const executeRedirectStrategy = async (req, providerStrategy, options) => {
+  return new Promise((resolve) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.redirect = (url, status) => {
+      resolve({url, status: status != null ? status : void 0});
+    };
+    strategy.authenticate(req, {...options});
+  });
+};
+const executeFrameHandlerStrategy = async (req, providerStrategy) => {
+  return new Promise((resolve, reject) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.success = (result, privateInfo) => {
+      resolve({result, privateInfo});
+    };
+    strategy.fail = (info) => {
+      var _a;
+      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
+    };
+    strategy.error = (error) => {
+      var _a;
+      let message = `Authentication failed, ${error.message}`;
+      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
+        try {
+          const errorData = JSON.parse(error.oauthError.data);
+          if (errorData.message) {
+            message += ` - ${errorData.message}`;
+          }
+        } catch (parseError) {
+          message += ` - ${error.oauthError}`;
+        }
+      }
+      reject(new Error(message));
+    };
+    strategy.redirect = () => {
+      reject(new Error("Unexpected redirect"));
+    };
+    strategy.authenticate(req, {});
+  });
+};
+const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    const OAuth2 = anyStrategy._oauth2.constructor;
+    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
+    oauth2.getOAuthAccessToken(refreshToken, {
+      scope,
+      grant_type: "refresh_token"
+    }, (err, accessToken, newRefreshToken, params) => {
+      if (err) {
+        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+      }
+      if (!accessToken) {
+        reject(new Error(`Failed to refresh access token, no access token received`));
+      }
+      resolve({
+        accessToken,
+        refreshToken: newRefreshToken,
+        params
+      });
+    });
+  });
+};
+const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(rawProfile);
+      }
+    });
+  });
+};
 const readState = (stateString) => {
   var _a, _b;
@@ -149,7 +190,7 @@ const readState = (stateString) => {
   return state;
 };
 const encodeState = (state) => {
-  const stateString = new URLSearchParams(state).toString();
+  const stateString = new URLSearchParams(pickBy__default['default'](state, (value) => value !== void 0)).toString();
   return Buffer.from(stateString, "utf-8").toString("hex");
 };
 const verifyNonce = (req, providerId) => {
@@ -366,10 +407,7 @@ class OAuthAdapter {
         const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
         response.providerInfo.scope = grantedScopes;
       }
-      if (!this.options.disableRefresh) {
-        if (!refreshToken) {
-          throw new errors.InputError("Missing refresh token");
-        }
+      if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
       }
       await this.populateIdentity(response.backstageIdentity);
@@ -392,9 +430,7 @@ class OAuthAdapter {
       res.status(401).send("Invalid X-Requested-With header");
       return;
     }
-    if (!this.options.disableRefresh) {
-      this.removeRefreshTokenCookie(res);
-    }
+    this.removeRefreshTokenCookie(res);
     res.status(200).send("logout!");
   }
   async refresh(req, res) {
@@ -436,112 +472,332 @@ class OAuthAdapter {
   }
 }
-const makeProfileInfo = (profile, idToken) => {
-  let {displayName} = profile;
-  let email = void 0;
-  if (profile.emails && profile.emails.length > 0) {
-    const [firstEmail] = profile.emails;
-    email = firstEmail.value;
-  }
-  let picture = void 0;
-  if (profile.photos && profile.photos.length > 0) {
-    const [firstPhoto] = profile.photos;
-    picture = firstPhoto.value;
+class CatalogIdentityClient {
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    this.tokenIssuer = options.tokenIssuer;
   }
-  if ((!email || !picture || !displayName) && idToken) {
-    try {
-      const decoded = jwtDecoder__default['default'](idToken);
-      if (!email && decoded.email) {
-        email = decoded.email;
-      }
-      if (!picture && decoded.picture) {
-        picture = decoded.picture;
-      }
-      if (!displayName && decoded.name) {
-        displayName = decoded.name;
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const token = await this.tokenIssuer.issueToken({
+      claims: {sub: "backstage.io/auth-backend"}
+    });
+    const {items} = await this.catalogApi.getEntities({filter}, {token});
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
       }
-    } catch (e) {
-      throw new Error(`Failed to parse id token and get profile info, ${e}`);
     }
+    return items[0];
   }
-  return {
-    email,
-    picture,
-    displayName
-  };
-};
-const executeRedirectStrategy = async (req, providerStrategy, options) => {
-  return new Promise((resolve) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.redirect = (url, status) => {
-      resolve({url, status: status != null ? status : void 0});
-    };
-    strategy.authenticate(req, {...options});
-  });
-};
-const executeFrameHandlerStrategy = async (req, providerStrategy) => {
-  return new Promise((resolve, reject) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.success = (result, privateInfo) => {
-      resolve({result, privateInfo});
-    };
-    strategy.fail = (info) => {
-      var _a;
-      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
-    };
-    strategy.error = (error) => {
-      var _a;
-      let message = `Authentication failed, ${error.message}`;
-      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
-        try {
-          const errorData = JSON.parse(error.oauthError.data);
-          if (errorData.message) {
-            message += ` - ${errorData.message}`;
-          }
-        } catch (parseError) {
-          message += ` - ${error.oauthError}`;
-        }
+  async resolveCatalogMembership({
+    entityRefs,
+    logger
+  }) {
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
       }
-      reject(new Error(message));
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const entities = await this.catalogApi.getEntities({filter}).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap((e) => {
+      var _a, _b;
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
+    });
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
+    ];
+    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+function getEntityClaims(entity) {
+  var _a, _b;
+  const userRef = catalogModel.stringifyEntityRef(entity);
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
+  return {
+    sub: userRef,
+    ent: [userRef, ...membershipRefs]
+  };
+}
+class GithubAuthProvider {
+  constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new passportGithub2.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      tokenURL: options.tokenUrl,
+      userProfileURL: options.userProfileUrl,
+      authorizationURL: options.authorizationUrl
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {fullProfile, params, accessToken}, {refreshToken});
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
     };
-    strategy.redirect = () => {
-      reject(new Error("Unexpected redirect"));
+  }
+  async refresh(req) {
+    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: req.refreshToken
+    });
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const expiresInStr = result.params.expires_in;
+    const response = {
+      providerInfo: {
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+      },
+      profile
     };
-    strategy.authenticate(req, {});
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const githubDefaultSignInResolver = async (info, ctx) => {
+  const {fullProfile} = info.result;
+  const userId = fullProfile.username || fullProfile.id;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {sub: userId, ent: [`user:default/${userId}`]}
   });
+  return {id: userId, token};
 };
-const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    const OAuth2 = anyStrategy._oauth2.constructor;
-    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
-    oauth2.getOAuthAccessToken(refreshToken, {
-      scope,
-      grant_type: "refresh_token"
-    }, (err, accessToken, newRefreshToken, params) => {
-      if (err) {
-        reject(new Error(`Failed to refresh access token ${err.toString()}`));
-      }
-      if (!accessToken) {
-        reject(new Error(`Failed to refresh access token, no access token received`));
-      }
-      resolve({
-        accessToken,
-        refreshToken: newRefreshToken,
-        params
-      });
+const createGithubProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
+    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+      profile: makeProfileInfo(fullProfile)
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new GithubAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      tokenUrl,
+      userProfileUrl,
+      authorizationUrl,
+      signInResolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      persistScopes: true,
+      providerId,
+      tokenIssuer
     });
   });
 };
-const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
-      if (error) {
-        reject(error);
-      } else {
-        resolve(rawProfile);
-      }
+const gitlabDefaultSignInResolver = async (info, ctx) => {
+  const {profile, result} = info;
+  let id = result.fullProfile.id;
+  if (profile.email) {
+    id = profile.email.split("@")[0];
+  }
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {sub: id, ent: [`user:default/${id}`]}
+  });
+  return {id, token};
+};
+const gitlabDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class GitlabAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new passportGitlab2.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      baseURL: options.baseUrl
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {fullProfile, params, accessToken}, {
+        refreshToken
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const {
+      accessToken,
+      refreshToken: newRefreshToken,
+      params
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: newRefreshToken
+    });
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const createGitlabProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b, _c;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const audience = envConfig.getOptionalString("audience");
+    const baseUrl = audience || "https://gitlab.com";
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new GitlabAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      baseUrl,
+      authHandler,
+      signInResolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
     });
   });
 };
@@ -807,7 +1063,147 @@ const microsoftDefaultSignInResolver = async (info, ctx) => {
   });
   return {id: userId, token};
 };
-const createMicrosoftProvider = (options) => {
+const createMicrosoftProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const tenantId = envConfig.getString("tenantId");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new MicrosoftAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      authorizationUrl,
+      tokenUrl,
+      authHandler,
+      signInResolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+class OAuth2AuthProvider {
+  constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new OAuth2Strategy.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
+      passReqToCallback: false,
+      scope: options.scope
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      }, {
+        refreshToken
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const {
+      accessToken,
+      params,
+      refreshToken: updatedRefreshToken
+    } = refreshTokenResponse;
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: updatedRefreshToken
+    });
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const {profile} = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {sub: userId, ent: [`user:default/${userId}`]}
+  });
+  return {id: userId, token};
+};
+const createOAuth2Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -816,13 +1212,14 @@ const createMicrosoftProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const tenantId = envConfig.getString("tenantId");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    const authorizationUrl = envConfig.getString("authorizationUrl");
+    const tokenUrl = envConfig.getString("tokenUrl");
+    const scope = envConfig.getOptionalString("scope");
+    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -830,26 +1227,27 @@ const createMicrosoftProvider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new MicrosoftAuthProvider({
+    const provider = new OAuth2AuthProvider({
       clientId,
       clientSecret,
+      tokenIssuer,
+      catalogIdentityClient,
       callbackUrl,
+      signInResolver,
+      authHandler,
       authorizationUrl,
       tokenUrl,
-      authHandler,
-      signInResolver,
-      catalogIdentityClient,
-      logger,
-      tokenIssuer
+      scope,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      disableRefresh,
       providerId,
       tokenIssuer
     });
@@ -1010,273 +1408,6 @@ const createOktaProvider = (_options) => {
   });
 };
-class GithubAuthProvider {
-  constructor(options) {
-    this._strategy = new passportGithub2.Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      tokenURL: options.tokenUrl,
-      userProfileURL: options.userProfileUrl,
-      authorizationURL: options.authorizationUrl
-    }, (accessToken, _refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken});
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const {
-      result: {fullProfile, accessToken, params}
-    } = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo({
-      ...fullProfile,
-      id: fullProfile.username || fullProfile.id,
-      displayName: fullProfile.displayName || fullProfile.username || fullProfile.id
-    }, params.id_token);
-    return {
-      response: {
-        profile,
-        providerInfo: {
-          accessToken,
-          scope: params.scope,
-          expiresInSeconds: params.expires_in
-        },
-        backstageIdentity: {
-          id: fullProfile.username || fullProfile.id
-        }
-      }
-    };
-  }
-}
-const createGithubProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
-    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new GithubAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenUrl,
-      userProfileUrl,
-      authorizationUrl
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
-      persistScopes: true,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-function transformProfile(fullProfile) {
-  var _a;
-  const profile = makeProfileInfo({
-    ...fullProfile,
-    photos: [
-      ...(_a = fullProfile.photos) != null ? _a : [],
-      ...fullProfile.avatarUrl ? [{value: fullProfile.avatarUrl}] : []
-    ]
-  });
-  let id = fullProfile.id;
-  if (profile.email) {
-    id = profile.email.split("@")[0];
-  }
-  return {id, profile};
-}
-class GitlabAuthProvider {
-  constructor(options) {
-    this._strategy = new passportGitlab2.Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      baseURL: options.baseUrl
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken}, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
-    const {accessToken, params} = result;
-    const {id, profile} = transformProfile(result.fullProfile);
-    return {
-      response: {
-        profile,
-        providerInfo: {
-          accessToken,
-          scope: params.scope,
-          expiresInSeconds: params.expires_in,
-          idToken: params.id_token
-        },
-        backstageIdentity: {
-          id
-        }
-      },
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const {id, profile} = transformProfile(fullProfile);
-    return {
-      profile,
-      providerInfo: {
-        accessToken,
-        refreshToken: newRefreshToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      backstageIdentity: {
-        id
-      }
-    };
-  }
-}
-const createGitlabProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getOptionalString("audience");
-    const baseUrl = audience || "https://gitlab.com";
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new GitlabAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      baseUrl
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-class OAuth2AuthProvider {
-  constructor(options) {
-    this._strategy = new OAuth2Strategy.Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false,
-      scope: options.scope
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        accessToken,
-        refreshToken,
-        params
-      }, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
-    return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const {
-      accessToken,
-      params,
-      refreshToken: updatedRefreshToken
-    } = refreshTokenResponse;
-    const rawProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(rawProfile, params.id_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken,
-        refreshToken: updatedRefreshToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      profile
-    });
-  }
-  async populateIdentity(response) {
-    const {profile} = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
-    }
-    const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
-  }
-}
-const createOAuth2Provider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = envConfig.getString("authorizationUrl");
-    const tokenUrl = envConfig.getString("tokenUrl");
-    const scope = envConfig.getOptionalString("scope");
-    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
-    const provider = new OAuth2AuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      authorizationUrl,
-      tokenUrl,
-      scope
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
 class OidcAuthProvider {
   constructor(options) {
     this.implementation = this.setupStrategy(options);
@@ -1353,6 +1484,9 @@ class OidcAuthProvider {
       client,
       passReqToCallback: false
     }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
       done(void 0, {tokenset, userinfo}, {
         refreshToken: tokenset.refresh_token
       });
@@ -1449,7 +1583,7 @@ const createSamlProvider = (_options) => {
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
       issuer: config.getString("issuer"),
-      cert: config.getOptionalString("cert"),
+      cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
       decryptionPvk: config.getOptionalString("decryptionPvk"),
       signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
@@ -1458,9 +1592,6 @@ const createSamlProvider = (_options) => {
       tokenIssuer,
       appUrl: globalConfig.appUrl
     };
-    if (!opts.cert) {
-      delete opts.cert;
-    }
     return new SamlAuthProvider(opts);
   };
 };
@@ -2040,12 +2171,15 @@ async function createRouter({
   return router;
 }
 function createOriginFilter(config) {
+  var _a;
+  const appUrl = config.getString("app.baseUrl");
+  const {origin: appOrigin} = new URL(appUrl);
   const allowedOrigins = config.getOptionalStringArray("auth.experimentalExtraAllowedOrigins");
-  if (!allowedOrigins || allowedOrigins.length === 0) {
-    return () => false;
-  }
-  const allowedOriginPatterns = allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, {nocase: true, noglobstar: true}));
+  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, {nocase: true, noglobstar: true}))) != null ? _a : [];
   return (origin) => {
+    if (origin === appOrigin) {
+      return true;
+    }
     return allowedOriginPatterns.some((pattern) => pattern.match(origin));
   };
 }
@@ -2053,8 +2187,11 @@ function createOriginFilter(config) {
 exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+exports.createGithubProvider = createGithubProvider;
+exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
 exports.createMicrosoftProvider = createMicrosoftProvider;
+exports.createOAuth2Provider = createOAuth2Provider;
 exports.createOktaProvider = createOktaProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;