@backstage/plugin-auth-backend 0.4.10 → 0.6.0

package/dist/index.cjs.js

@@ -5,26 +5,25 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
-var passportGithub2 = require('passport-github2');
-var jwtDecoder = require('jwt-decode');
+var OAuth2Strategy = require('passport-oauth2');
 var errors = require('@backstage/errors');
 var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
 var catalogModel = require('@backstage/catalog-model');
+var jwtDecoder = require('jwt-decode');
+var fetch = require('node-fetch');
+var NodeCache = require('node-cache');
+var jose = require('jose');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
-var got = require('got');
-var OAuth2Strategy = require('passport-oauth2');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var fetch = require('node-fetch');
-var NodeCache = require('node-cache');
-var jose = require('jose');
-var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
+var passportSaml = require('passport-saml');
 var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
@@ -46,143 +45,81 @@ function _interopNamespace(e) {
         var d = Object.getOwnPropertyDescriptor(e, k);
         Object.defineProperty(n, k, d.get ? d : {
           enumerable: true,
-          get: function () {
-            return e[k];
-          }
+          get: function () { return e[k]; }
         });
       }
     });
   }
-  n['default'] = e;
+  n["default"] = e;
   return Object.freeze(n);
 }
 
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
 var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
-var got__default = /*#__PURE__*/_interopDefaultLegacy(got);
-var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
+var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-const makeProfileInfo = (profile, idToken) => {
-  var _a, _b;
-  let email = void 0;
-  if (profile.emails && profile.emails.length > 0) {
-    const [firstEmail] = profile.emails;
-    email = firstEmail.value;
-  }
-  let picture = void 0;
-  if (profile.avatarUrl) {
-    picture = profile.avatarUrl;
-  } else if (profile.photos && profile.photos.length > 0) {
-    const [firstPhoto] = profile.photos;
-    picture = firstPhoto.value;
-  }
-  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
-  if ((!email || !picture || !displayName) && idToken) {
-    try {
-      const decoded = jwtDecoder__default['default'](idToken);
-      if (!email && decoded.email) {
-        email = decoded.email;
-      }
-      if (!picture && decoded.picture) {
-        picture = decoded.picture;
-      }
-      if (!displayName && decoded.name) {
-        displayName = decoded.name;
-      }
-    } catch (e) {
-      throw new Error(`Failed to parse id token and get profile info, ${e}`);
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
     }
-  }
-  return {
-    email,
-    picture,
-    displayName
-  };
-};
-const executeRedirectStrategy = async (req, providerStrategy, options) => {
-  return new Promise((resolve) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.redirect = (url, status) => {
-      resolve({url, status: status != null ? status : void 0});
-    };
-    strategy.authenticate(req, {...options});
-  });
-};
-const executeFrameHandlerStrategy = async (req, providerStrategy) => {
-  return new Promise((resolve, reject) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.success = (result, privateInfo) => {
-      resolve({result, privateInfo});
-    };
-    strategy.fail = (info) => {
-      var _a;
-      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
-    };
-    strategy.error = (error) => {
-      var _a;
-      let message = `Authentication failed, ${error.message}`;
-      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
-        try {
-          const errorData = JSON.parse(error.oauthError.data);
-          if (errorData.message) {
-            message += ` - ${errorData.message}`;
-          }
-        } catch (parseError) {
-          message += ` - ${error.oauthError}`;
-        }
-      }
-      reject(new Error(message));
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
-    strategy.redirect = () => {
-      reject(new Error("Unexpected redirect"));
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
     };
-    strategy.authenticate(req, {});
-  });
-};
-const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    const OAuth2 = anyStrategy._oauth2.constructor;
-    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
-    oauth2.getOAuthAccessToken(refreshToken, {
-      scope,
-      grant_type: "refresh_token"
-    }, (err, accessToken, newRefreshToken, params) => {
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
       if (err) {
-        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
       }
-      if (!accessToken) {
-        reject(new Error(`Failed to refresh access token, no access token received`));
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
       }
-      resolve({
-        accessToken,
-        refreshToken: newRefreshToken,
-        params
-      });
-    });
-  });
-};
-const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
-      if (error) {
-        reject(error);
-      } else {
-        resolve(rawProfile);
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
       }
     });
-  });
-};
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{ value: resp.email }],
+      photos: [{ value: resp.picture }]
+    };
+  }
+}
 
 const readState = (stateString) => {
   var _a, _b;
@@ -193,7 +130,7 @@ const readState = (stateString) => {
   return state;
 };
 const encodeState = (state) => {
-  const stateString = new URLSearchParams(pickBy__default['default'](state, (value) => value !== void 0)).toString();
+  const stateString = new URLSearchParams(pickBy__default["default"](state, (value) => value !== void 0)).toString();
   return Buffer.from(stateString, "utf-8").toString("hex");
 };
 const verifyNonce = (req, providerId) => {
@@ -218,7 +155,7 @@ class OAuthEnvironmentHandler {
   }
   static mapConfig(config, factoryFunc) {
     const envs = config.keys();
-    const handlers = new Map();
+    const handlers = /* @__PURE__ */ new Map();
     for (const env of envs) {
       const envConfig = config.getConfig(env);
       const handler = factoryFunc(envConfig);
@@ -287,11 +224,11 @@ const postMessageResponse = (res, appOrigin, response) => {
       window.close();
     }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
   `;
-  const hash = crypto__default['default'].createHash("sha256").update(script).digest("base64");
+  const hash = crypto__default["default"].createHash("sha256").update(script).digest("base64");
   res.setHeader("Content-Type", "text/html");
   res.setHeader("X-Frame-Options", "sameorigin");
   res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
-  res.end(`<html><body><script>${script}</script></body></html>`);
+  res.end(`<html><body><script>${script}<\/script></body></html>`);
 };
 const ensuresXRequestedWith = (req) => {
   const requiredHeader = req.header("X-Requested-With");
@@ -301,6 +238,25 @@ const ensuresXRequestedWith = (req) => {
   return true;
 };
 
+function parseJwtPayload(token) {
+  const [_header, payload, _signature] = token.split(".");
+  return JSON.parse(Buffer.from(payload, "base64").toString());
+}
+function prepareBackstageIdentityResponse(result) {
+  const { sub, ent } = parseJwtPayload(result.token);
+  return {
+    ...{
+      idToken: result.token,
+      ...result
+    },
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent != null ? ent : []
+    }
+  };
+}
+
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
 const TEN_MINUTES_MS = 600 * 1e3;
 class OAuthAdapter {
@@ -352,7 +308,7 @@ class OAuthAdapter {
     };
   }
   static fromConfig(config, handlers, options) {
-    const {origin: appOrigin} = new url.URL(config.appUrl);
+    const { origin: appOrigin } = new url.URL(config.appUrl);
     const secure = config.baseUrl.startsWith("https://");
     const url$1 = new url.URL(config.baseUrl);
     const cookiePath = `${url$1.pathname}/${options.providerId}`;
@@ -376,11 +332,11 @@ class OAuthAdapter {
     if (this.options.persistScopes) {
       this.setScopesCookie(res, scope);
     }
-    const nonce = crypto__default['default'].randomBytes(16).toString("base64");
+    const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
-    const state = {nonce, env, origin};
-    const forwardReq = Object.assign(req, {scope, state});
-    const {url, status} = await this.handlers.start(forwardReq);
+    const state = { nonce, env, origin };
+    const forwardReq = Object.assign(req, { scope, state });
+    const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
     res.setHeader("Location", url);
     res.setHeader("Content-Length", "0");
@@ -402,7 +358,7 @@ class OAuthAdapter {
         }
       }
       verifyNonce(req, this.options.providerId);
-      const {response, refreshToken} = await this.handlers.handler(req);
+      const { response, refreshToken } = await this.handlers.handler(req);
       if (this.options.persistScopes) {
         const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
         response.providerInfo.scope = grantedScopes;
@@ -410,16 +366,16 @@ class OAuthAdapter {
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
       }
-      await this.populateIdentity(response.backstageIdentity);
+      const identity = await this.populateIdentity(response.backstageIdentity);
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        response
+        response: { ...response, backstageIdentity: identity }
       });
     } catch (error) {
-      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        error: {name, message}
+        error: { name, message }
       });
     }
   }
@@ -444,309 +400,655 @@ class OAuthAdapter {
         throw new errors.InputError("Missing session cookie");
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
-      const forwardReq = Object.assign(req, {scope, refreshToken});
-      const response = await this.handlers.refresh(forwardReq);
-      await this.populateIdentity(response.backstageIdentity);
-      if (response.providerInfo.refreshToken && response.providerInfo.refreshToken !== refreshToken) {
-        this.setRefreshTokenCookie(res, response.providerInfo.refreshToken);
+      const forwardReq = Object.assign(req, { scope, refreshToken });
+      const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
+      const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
+      if (newRefreshToken && newRefreshToken !== refreshToken) {
+        this.setRefreshTokenCookie(res, newRefreshToken);
       }
-      res.status(200).json(response);
+      res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
       throw new errors.AuthenticationError("Refresh failed", error);
     }
   }
   async populateIdentity(identity) {
     if (!identity) {
-      return;
+      return void 0;
     }
-    if (!(identity.token || identity.idToken)) {
-      identity.token = await this.options.tokenIssuer.issueToken({
-        claims: {sub: identity.id}
-      });
-    } else if (!identity.token && identity.idToken) {
-      identity.token = identity.idToken;
+    if (identity.token) {
+      return prepareBackstageIdentityResponse(identity);
     }
+    const userEntityRef = catalogModel.stringifyEntityRef(catalogModel.parseEntityRef(identity.id, {
+      defaultKind: "user",
+      defaultNamespace: catalogModel.ENTITY_DEFAULT_NAMESPACE
+    }));
+    const token = await this.options.tokenIssuer.issueToken({
+      claims: { sub: userEntityRef }
+    });
+    return prepareBackstageIdentityResponse({ ...identity, token });
   }
 }
 
-class CatalogIdentityClient {
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+const makeProfileInfo = (profile, idToken) => {
+  var _a, _b;
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
   }
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const token = await this.tokenIssuer.issueToken({
-      claims: {sub: "backstage.io/auth-backend"}
-    });
-    const {items} = await this.catalogApi.getEntities({filter}, {token});
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
   }
-  async resolveCatalogMembership({
-    entityRefs,
-    logger
-  }) {
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
+  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jwtDecoder__default["default"](idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
       }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const entities = await this.catalogApi.getEntities({filter}).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
     }
-    const memberOf = entities.flatMap((e) => {
-      var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
-    });
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
-    ];
-    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
   }
-}
-
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
-  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
   return {
-    sub: userRef,
+    email,
+    picture,
+    displayName
+  };
+};
+const executeRedirectStrategy = async (req, providerStrategy, options) => {
+  return new Promise((resolve) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.redirect = (url, status) => {
+      resolve({ url, status: status != null ? status : void 0 });
+    };
+    strategy.authenticate(req, { ...options });
+  });
+};
+const executeFrameHandlerStrategy = async (req, providerStrategy) => {
+  return new Promise((resolve, reject) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.success = (result, privateInfo) => {
+      resolve({ result, privateInfo });
+    };
+    strategy.fail = (info) => {
+      var _a;
+      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
+    };
+    strategy.error = (error) => {
+      var _a;
+      let message = `Authentication failed, ${error.message}`;
+      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
+        try {
+          const errorData = JSON.parse(error.oauthError.data);
+          if (errorData.message) {
+            message += ` - ${errorData.message}`;
+          }
+        } catch (parseError) {
+          message += ` - ${error.oauthError}`;
+        }
+      }
+      reject(new Error(message));
+    };
+    strategy.redirect = () => {
+      reject(new Error("Unexpected redirect"));
+    };
+    strategy.authenticate(req, {});
+  });
+};
+const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    const OAuth2 = anyStrategy._oauth2.constructor;
+    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
+    oauth2.getOAuthAccessToken(refreshToken, {
+      scope,
+      grant_type: "refresh_token"
+    }, (err, accessToken, newRefreshToken, params) => {
+      if (err) {
+        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+      }
+      if (!accessToken) {
+        reject(new Error(`Failed to refresh access token, no access token received`));
+      }
+      resolve({
+        accessToken,
+        refreshToken: newRefreshToken,
+        params
+      });
+    });
+  });
+};
+const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(rawProfile);
+      }
+    });
+  });
+};
+
+class CatalogIdentityClient {
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    this.tokenIssuer = options.tokenIssuer;
+  }
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const token = await this.tokenIssuer.issueToken({
+      claims: { sub: "backstage.io/auth-backend" }
+    });
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap((e) => {
+      var _a, _b;
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
+    });
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
+    ];
+    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+
+function getEntityClaims(entity) {
+  var _a, _b;
+  const userRef = catalogModel.stringifyEntityRef(entity);
+  const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
+  return {
+    sub: userRef,
     ent: [userRef, ...membershipRefs]
   };
 }
 
-class GithubAuthProvider {
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      scope: options.scopes
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: result.refreshToken
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+  async refresh(req) {
+    const { accessToken, params, refreshToken } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+}
+const createAtlassianProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
+      clientId,
+      clientSecret,
+      scopes,
+      callbackUrl,
+      authHandler,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+class Auth0Strategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://${options.domain}/authorize`,
+      tokenURL: `https://${options.domain}/oauth/token`,
+      userInfoURL: `https://${options.domain}/userinfo`,
+      apiUrl: `https://${options.domain}/api`
+    };
+    super(optionsWithURLs, verify);
+  }
+}
+
+class Auth0AuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGithub2.Strategy({
+    this._strategy = new Auth0Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      tokenURL: options.tokenUrl,
-      userProfileURL: options.userProfileUrl,
-      authorizationURL: options.authorizationUrl
+      domain: options.domain,
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken}, {refreshToken});
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      }, {
+        refreshToken
+      });
     });
   }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: (await this.stateEncoder(req)).encodedState
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const defaultSignInResolver$1 = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile does not contain an email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createAuth0Provider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const domain = envConfig.getString("domain");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver$1;
+    const provider = new Auth0AuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      domain,
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const getJWTHeaders = (input) => {
+  const encoded = input.split(".")[0];
+  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
+};
+class AwsAlbAuthProvider {
+  constructor(options) {
+    this.region = options.region;
+    this.issuer = options.issuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
+  }
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    try {
+      const result = await this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error("Exception occurred during AWS ALB token refresh", e);
+      res.status(401);
+      res.end();
+    }
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async getResult(req) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
+    }
+    try {
+      const headers = getJWTHeaders(jwt);
+      const key = await this.getKey(headers.kid);
+      const claims = jose.JWT.verify(jwt, key);
+      if (this.issuer && claims.iss !== this.issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
+      };
+      return {
+        fullProfile,
+        expiresInSeconds: claims.exp,
+        accessToken
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
     });
-  }
-  async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
     return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
-  }
-  async handleResult(result) {
-    const {profile} = await this.authHandler(result);
-    const expiresInStr = result.params.expires_in;
-    const response = {
       providerInfo: {
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
-        scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds: result.expiresInSeconds
       },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+  }
+  async getKey(keyId) {
+    const optionalCacheKey = this.keyCache.get(keyId);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
     }
-    return response;
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
+    return keyValue;
   }
 }
-const githubDefaultSignInResolver = async (info, ctx) => {
-  const {fullProfile} = info.result;
-  const userId = fullProfile.username || fullProfile.id;
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
-  });
-  return {id: userId, token};
-};
-const createGithubProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+const createAwsAlbProvider = (options) => {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
+    const region = config.getString("region");
+    const issuer = config.getOptionalString("iss");
+    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+      throw new Error("SignInResolver is required to use this authentication provider");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
-      return {encodedState: encodeState(req.state)};
-    };
-    const provider = new GithubAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenUrl,
-      userProfileUrl,
-      authorizationUrl,
+    const signInResolver = options == null ? void 0 : options.signIn.resolver;
+    return new AwsAlbAuthProvider({
+      region,
+      issuer,
       signInResolver,
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
-      stateEncoder,
       logger
     });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      persistScopes: true,
-      providerId,
-      tokenIssuer
-    });
-  });
+  };
 };
 
-const gitlabDefaultSignInResolver = async (info, ctx) => {
-  const {profile, result} = info;
-  let id = result.fullProfile.id;
-  if (profile.email) {
-    id = profile.email.split("@")[0];
-  }
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: id, ent: [`user:default/${id}`]}
-  });
-  return {id, token};
-};
-const gitlabDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class GitlabAuthProvider {
+class BitbucketAuthProvider {
   constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new passportGitlab2.Strategy({
+    this._strategy = new passportBitbucketOauth2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      baseURL: options.baseUrl
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken}, {
+      done(void 0, {
+        fullProfile,
+        params,
+        accessToken,
+        refreshToken
+      }, {
         refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state)
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
@@ -765,7 +1067,35 @@ class GitlabAuthProvider {
     return response;
   }
 }
-const createGitlabProvider = (options) => {
+const bitbucketUsernameSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.username) {
+    throw new Error("Bitbucket profile contained no Username");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/username": result.fullProfile.username
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const bitbucketUserIdSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.id) {
+    throw new Error("Bitbucket profile contained no User ID");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/user-id": result.fullProfile.id
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const createBitbucketProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -774,33 +1104,26 @@ const createGitlabProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getOptionalString("audience");
-    const baseUrl = audience || "https://gitlab.com";
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const provider = new GitlabAuthProvider({
+    const provider = new BitbucketAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      baseUrl,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
       authHandler,
-      signInResolver,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -810,62 +1133,58 @@ const createGitlabProvider = (options) => {
   });
 };
 
-class GoogleAuthProvider {
+class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGoogleOauth20.Strategy({
+    this._strategy = new passportGithub2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      passReqToCallback: false
+      tokenURL: options.tokenUrl,
+      userProfileURL: options.userProfileUrl,
+      authorizationURL: options.authorizationUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        params,
-        accessToken,
-        refreshToken
-      }, {
-        refreshToken
-      });
+      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
+    const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
-        idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
       },
       profile
     };
@@ -882,43 +1201,15 @@ class GoogleAuthProvider {
     return response;
   }
 }
-const googleEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "google.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
-};
-const googleDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  let userId;
-  try {
-    const entity = await ctx.catalogIdentityClient.findUser({
-      annotations: {
-        "google.com/email": profile.email
-      }
-    });
-    userId = entity.metadata.name;
-  } catch (error) {
-    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
-    userId = profile.email.split("@")[0];
-  }
+const githubDefaultSignInResolver = async (info, ctx) => {
+  const { fullProfile } = info.result;
+  const userId = fullProfile.username || fullProfile.id;
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
-const createGoogleProvider = (options) => {
+const createGithubProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -927,57 +1218,86 @@ const createGoogleProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: makeProfileInfo(fullProfile)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new GoogleAuthProvider({
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return { encodedState: encodeState(req.state) };
+    };
+    const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
+      tokenUrl,
+      userProfileUrl,
+      authorizationUrl,
       signInResolver,
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      persistScopes: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class MicrosoftAuthProvider {
+const gitlabDefaultSignInResolver = async (info, ctx) => {
+  const { profile, result } = info;
+  let id = result.fullProfile.id;
+  if (profile.email) {
+    id = profile.email.split("@")[0];
+  }
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id, ent: [`user:default/${id}`] }
+  });
+  return { id, token };
+};
+const gitlabDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class GitlabAuthProvider {
   constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.logger = options.logger;
     this.catalogIdentityClient = options.catalogIdentityClient;
-    this._strategy = new passportMicrosoft.Strategy({
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new passportGitlab2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false
+      baseURL: options.baseUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, accessToken, params}, {refreshToken});
+      done(void 0, { fullProfile, params, accessToken }, {
+        refreshToken
+      });
     });
   }
   async start(req) {
@@ -987,26 +1307,26 @@ class MicrosoftAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const photo = await this.getUserPhoto(result.accessToken);
-    result.fullProfile.photos = photo ? [{value: photo}] : void 0;
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1028,50 +1348,8 @@ class MicrosoftAuthProvider {
     }
     return response;
   }
-  getUserPhoto(accessToken) {
-    return new Promise((resolve) => {
-      got__default['default'].get("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
-        encoding: "binary",
-        responseType: "buffer",
-        headers: {
-          Authorization: `Bearer ${accessToken}`
-        }
-      }).then((photoData) => {
-        const photoURL = `data:image/jpeg;base64,${Buffer.from(photoData.body).toString("base64")}`;
-        resolve(photoURL);
-      }).catch((error) => {
-        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
-        resolve(void 0);
-      });
-    });
-  }
 }
-const microsoftEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
-  if (!profile.email) {
-    throw new Error("Microsoft profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "microsoft.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
-};
-const microsoftDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
-  }
-  const userId = profile.email.split("@")[0];
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
-  });
-  return {id: userId, token};
-};
-const createMicrosoftProvider = (options) => {
+const createGitlabProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1080,32 +1358,28 @@ const createMicrosoftProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const tenantId = envConfig.getString("tenantId");
+    const audience = envConfig.getOptionalString("audience");
+    const baseUrl = audience || "https://gitlab.com";
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new MicrosoftAuthProvider({
+    const provider = new GitlabAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      authorizationUrl,
-      tokenUrl,
+      baseUrl,
       authHandler,
       signInResolver,
       catalogIdentityClient,
@@ -1120,30 +1394,24 @@ const createMicrosoftProvider = (options) => {
   });
 };
 
-class OAuth2AuthProvider {
+class GoogleAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new OAuth2Strategy.Strategy({
+    this._strategy = new passportGoogleOauth20.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false,
-      scope: options.scope,
-      customHeaders: {
-        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
-      }
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
         fullProfile,
+        params,
         accessToken,
-        refreshToken,
-        params
+        refreshToken
       }, {
         refreshToken
       });
@@ -1158,36 +1426,32 @@ class OAuth2AuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const {
-      accessToken,
-      params,
-      refreshToken: updatedRefreshToken
-    } = refreshTokenResponse;
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: updatedRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in,
-        refreshToken: result.refreshToken
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1203,22 +1467,44 @@ class OAuth2AuthProvider {
     }
     return response;
   }
-  encodeClientCredentials(clientID, clientSecret) {
-    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
-  }
 }
-const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
-  const {profile} = info;
+const googleEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
   if (!profile.email) {
-    throw new Error("Profile contained no email");
+    throw new Error("Google profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "google.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const googleDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Google profile contained no email");
+  }
+  let userId;
+  try {
+    const entity = await ctx.catalogIdentityClient.findUser({
+      annotations: {
+        "google.com/email": profile.email
+      }
+    });
+    userId = entity.metadata.name;
+  } catch (error) {
+    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
+    userId = profile.email.split("@")[0];
   }
-  const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
-const createOAuth2Provider = (options) => {
+const createGoogleProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1227,127 +1513,94 @@ const createOAuth2Provider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = envConfig.getString("authorizationUrl");
-    const tokenUrl = envConfig.getString("tokenUrl");
-    const scope = envConfig.getOptionalString("scope");
-    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OAuth2AuthProvider({
+    const provider = new GoogleAuthProvider({
       clientId,
       clientSecret,
-      tokenIssuer,
-      catalogIdentityClient,
       callbackUrl,
       signInResolver,
       authHandler,
-      authorizationUrl,
-      tokenUrl,
-      scope,
+      tokenIssuer,
+      catalogIdentityClient,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class OidcAuthProvider {
+class MicrosoftAuthProvider {
   constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this._strategy = new passportMicrosoft.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
+    });
   }
   async start(req) {
-    const {strategy} = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
       state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
+    });
   }
   async handler(req) {
-    const {strategy} = await this.implementation;
-    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
-    const {
-      result: {userinfo, tokenset},
-      privateInfo
-    } = strategyResponse;
-    const identityResponse = await this.handleResult({tokenset, userinfo});
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
-      response: identityResponse,
+      response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {client} = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const profile = await client.userinfo(tokenset.access_token);
-    return this.handleResult({tokenset, userinfo: profile});
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      access_type: "offline",
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, {tokenset, userinfo}, {
-        refreshToken: tokenset.refresh_token
-      });
-    });
-    strategy.error = console.error;
-    return {strategy, client};
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
-    const response = {
-      providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token,
-        refreshToken: result.tokenset.refresh_token,
-        scope: result.tokenset.scope,
-        expiresInSeconds: result.tokenset.expires_in
+    const photo = await this.getUserPhoto(result.accessToken);
+    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
+    const { profile } = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1363,19 +1616,48 @@ class OidcAuthProvider {
     }
     return response;
   }
+  getUserPhoto(accessToken) {
+    return new Promise((resolve) => {
+      fetch__default["default"]("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      }).then((response) => response.arrayBuffer()).then((arrayBuffer) => {
+        const imageUrl = `data:image/jpeg;base64,${Buffer.from(arrayBuffer).toString("base64")}`;
+        resolve(imageUrl);
+      }).catch((error) => {
+        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
+        resolve(void 0);
+      });
+    });
+  }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+const microsoftEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Microsoft profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "microsoft.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const microsoftDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
-const createOidcProvider = (options) => {
+const createMicrosoftProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1387,41 +1669,34 @@ const createOidcProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
+    const tenantId = envConfig.getString("tenantId");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
+    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({userinfo}) => ({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      }
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OidcAuthProvider({
+    const provider = new MicrosoftAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt,
-      signInResolver,
+      authorizationUrl,
+      tokenUrl,
       authHandler,
+      signInResolver,
+      catalogIdentityClient,
       logger,
-      tokenIssuer,
-      catalogIdentityClient
+      tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1431,35 +1706,30 @@ const createOidcProvider = (options) => {
   });
 };
 
-class OktaAuthProvider {
+class OAuth2AuthProvider {
   constructor(options) {
-    this._store = {
-      store(_req, cb) {
-        cb(null, null);
-      },
-      verify(_req, _state, cb) {
-        cb(null, true);
-      }
-    };
-    this._signInResolver = options.signInResolver;
-    this._authHandler = options.authHandler;
-    this._tokenIssuer = options.tokenIssuer;
-    this._catalogIdentityClient = options.catalogIdentityClient;
-    this._logger = options.logger;
-    this._strategy = new passportOktaOauth.Strategy({
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new OAuth2Strategy.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      audience: options.audience,
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
       passReqToCallback: false,
-      store: this._store,
-      response_type: "code"
+      scope: options.scope,
+      customHeaders: options.includeBasicAuth ? {
+        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
+      } : void 0
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
+        fullProfile,
         accessToken,
         refreshToken,
-        params,
-        fullProfile
+        params
       }, {
         refreshToken
       });
@@ -1474,24 +1744,27 @@ class OktaAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params, refreshToken } = refreshTokenResponse;
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this._authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1501,45 +1774,34 @@ class OktaAuthProvider {
       },
       profile
     };
-    if (this._signInResolver) {
-      response.backstageIdentity = await this._signInResolver({
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
         result,
         profile
       }, {
-        tokenIssuer: this._tokenIssuer,
-        catalogIdentityClient: this._catalogIdentityClient,
-        logger: this._logger
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
       });
     }
     return response;
   }
-}
-const oktaEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
-  if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+  encodeClientCredentials(clientID, clientSecret) {
+    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
   }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "okta.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
-};
-const oktaDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+}
+const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
+  const { profile } = info;
   if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+    throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
-const createOktaProvider = (_options) => {
+const createOAuth2Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1548,103 +1810,126 @@ const createOktaProvider = (_options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    if (!audience.startsWith("https://")) {
-      throw new Error("URL for 'audience' must start with 'https://'.");
-    }
+    const authorizationUrl = envConfig.getString("authorizationUrl");
+    const tokenUrl = envConfig.getString("tokenUrl");
+    const scope = envConfig.getOptionalString("scope");
+    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
+    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OktaAuthProvider({
-      audience,
+    const provider = new OAuth2AuthProvider({
       clientId,
       clientSecret,
-      callbackUrl,
-      authHandler,
-      signInResolver,
       tokenIssuer,
       catalogIdentityClient,
-      logger
+      callbackUrl,
+      signInResolver,
+      authHandler,
+      authorizationUrl,
+      tokenUrl,
+      scope,
+      logger,
+      includeBasicAuth
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      disableRefresh,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class BitbucketAuthProvider {
+class OidcAuthProvider {
   constructor(options) {
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportBitbucketOauth2.Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        params,
-        accessToken,
-        refreshToken
-      }, {
-        refreshToken
-      });
-    });
   }
   async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
       state: encodeState(req.state)
-    });
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { strategy } = await this.implementation;
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
+    return {
+      response: await this.handleResult({ tokenset, userinfo }),
+      refreshToken: tokenset.refresh_token
+    };
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
+      done(void 0, { tokenset, userinfo }, {
+        refreshToken: tokenset.refresh_token
+      });
     });
+    strategy.error = console.error;
+    return { strategy, client };
   }
   async handleResult(result) {
-    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
       },
       profile
     };
@@ -1655,41 +1940,24 @@ class BitbucketAuthProvider {
       }, {
         tokenIssuer: this.tokenIssuer,
         catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
-    }
-    return response;
-  }
-}
-const bitbucketUsernameSignInResolver = async (info, ctx) => {
-  const {result} = info;
-  if (!result.fullProfile.username) {
-    throw new Error("Bitbucket profile contained no Username");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/username": result.fullProfile.username
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
-};
-const bitbucketUserIdSignInResolver = async (info, ctx) => {
-  const {result} = info;
-  if (!result.fullProfile.id) {
-    throw new Error("Bitbucket profile contained no User ID");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/user-id": result.fullProfile.id
+        logger: this.logger
+      });
     }
+    return response;
+  }
+}
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  return { id: userId, token };
 };
-const createBitbucketProvider = (options) => {
+const createOidcProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1698,26 +1966,44 @@ const createBitbucketProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const metadataUrl = envConfig.getString("metadataUrl");
+    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+    const scope = envConfig.getOptionalString("scope");
+    const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
+      profile: {
+        displayName: userinfo.name,
+        email: userinfo.email,
+        picture: userinfo.picture
+      }
     });
-    const provider = new BitbucketAuthProvider({
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OidcAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+      tokenSignedResponseAlg,
+      metadataUrl,
+      scope,
+      prompt,
+      signInResolver,
       authHandler,
+      logger,
       tokenIssuer,
-      catalogIdentityClient,
-      logger
+      catalogIdentityClient
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1727,140 +2013,117 @@ const createBitbucketProvider = (options) => {
   });
 };
 
-const defaultScopes = ["offline_access", "read:me"];
-class AtlassianStrategy extends OAuth2Strategy__default['default'] {
-  constructor(options, verify) {
-    if (!options.scope) {
-      throw new TypeError("Atlassian requires a scope option");
-    }
-    const scopes = options.scope.split(" ");
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://auth.atlassian.com/authorize`,
-      tokenURL: `https://auth.atlassian.com/oauth/token`,
-      scope: Array.from(new Set([...defaultScopes, ...scopes]))
-    };
-    super(optionsWithURLs, verify);
-    this.profileURL = "https://api.atlassian.com/me";
-    this.name = "atlassian";
-    this._oauth2.useAuthorizationHeaderforGET(true);
-  }
-  authorizationParams() {
-    return {
-      audience: "api.atlassian.com",
-      prompt: "consent"
-    };
-  }
-  userProfile(accessToken, done) {
-    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
-      if (err) {
-        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
-      }
-      if (!body) {
-        return done(new Error("Failed to fetch user profile, body cannot be empty"));
-      }
-      try {
-        const json = typeof body !== "string" ? body.toString() : body;
-        const profile = AtlassianStrategy.parse(json);
-        return done(null, profile);
-      } catch (e) {
-        return done(new Error("Failed to parse user profile"));
+class OktaAuthProvider {
+  constructor(options) {
+    this._store = {
+      store(_req, cb) {
+        cb(null, null);
+      },
+      verify(_req, _state, cb) {
+        cb(null, true);
       }
-    });
-  }
-  static parse(json) {
-    const resp = JSON.parse(json);
-    return {
-      id: resp.account_id,
-      provider: "atlassian",
-      username: resp.nickname,
-      displayName: resp.name,
-      emails: [{value: resp.email}],
-      photos: [{value: resp.picture}]
     };
-  }
-}
-
-const atlassianDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class AtlassianAuthProvider {
-  constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new AtlassianStrategy({
+    this._signInResolver = options.signInResolver;
+    this._authHandler = options.authHandler;
+    this._tokenIssuer = options.tokenIssuer;
+    this._catalogIdentityClient = options.catalogIdentityClient;
+    this._logger = options.logger;
+    this._strategy = new passportOktaOauth.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      scope: options.scopes
+      audience: options.audience,
+      passReqToCallback: false,
+      store: this._store,
+      response_type: "code"
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
-        fullProfile,
         accessToken,
         refreshToken,
-        params
+        params,
+        fullProfile
+      }, {
+        refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
       state: encodeState(req.state)
     });
   }
   async handler(req) {
-    var _a;
-    const {result} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
-      refreshToken: (_a = result.refreshToken) != null ? _a : ""
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
     };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this._authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
+    if (this._signInResolver) {
+      response.backstageIdentity = await this._signInResolver({
         result,
         profile
       }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
+        tokenIssuer: this._tokenIssuer,
+        catalogIdentityClient: this._catalogIdentityClient,
+        logger: this._logger
       });
     }
     return response;
   }
-  async refresh(req) {
-    const {
-      accessToken,
-      params,
-      refreshToken: newRefreshToken
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
-  }
 }
-const createAtlassianProvider = (options) => {
+const oktaEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "okta.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const oktaDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
+  });
+  return { id: userId, token };
+};
+const createOktaProvider = (_options) => {
   return ({
     providerId,
     globalConfig,
@@ -1872,158 +2135,165 @@ const createAtlassianProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const scopes = envConfig.getString("scopes");
+    const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
-    const provider = new AtlassianAuthProvider({
+    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OktaAuthProvider({
+      audience,
       clientId,
       clientSecret,
-      scopes,
       callbackUrl,
       authHandler,
-      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      signInResolver,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
   });
 };
 
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
-class AwsAlbAuthProvider {
+class OneLoginProvider {
   constructor(options) {
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyCache = new NodeCache__default['default']({stdTTL: 3600});
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
+    this._strategy = new passportOneloginOauth.Strategy({
+      issuer: options.issuer,
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        accessToken,
+        refreshToken,
+        params,
+        fullProfile
+      }, {
+        refreshToken
+      });
+    });
   }
-  async refresh(req, res) {
-    try {
-      const result = await this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      this.logger.error("Exception occurred during AWS ALB token refresh", e);
-      res.status(401);
-      res.end();
-    }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: "openid",
+      state: encodeState(req.state)
+    });
   }
-  start() {
-    return Promise.resolve(void 0);
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
   }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
-    }
-    try {
-      const headers = getJWTHeaders(jwt);
-      const key = await this.getKey(headers.kid);
-      const claims = jose.JWT.verify(jwt, key);
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{value: claims.email.toLowerCase()}],
-        photos: [{value: claims.picture}]
-      };
-      return {
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
         fullProfile,
-        expiresInSeconds: claims.exp,
+        params,
         accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
-    const backstageIdentity = await this.signInResolver({
-      result,
-      profile
-    }, {
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient,
-      logger: this.logger
-    });
-    return {
+    const { profile } = await this.authHandler(result);
+    const response = {
       providerInfo: {
+        idToken: result.params.id_token,
         accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
-      backstageIdentity,
       profile
     };
-  }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
-    if (optionalCacheKey) {
-      return crypto__namespace.createPublicKey(optionalCacheKey);
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
     }
-    const keyText = await fetch__default['default'](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
-    const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({format: "pem", type: "spki"}));
-    return keyValue;
+    return response;
   }
 }
-const createAwsAlbProvider = (options) => {
-  return ({config, tokenIssuer, catalogApi, logger}) => {
-    const region = config.getString("region");
-    const issuer = config.getOptionalString("iss");
-    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-      throw new Error("SignInResolver is required to use this authentication provider");
-    }
+const defaultSignInResolver = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("OIDC profile contained no email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createOneLoginProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const issuer = envConfig.getString("issuer");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
-      profile: makeProfileInfo(fullProfile)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolver = options == null ? void 0 : options.signIn.resolver;
-    return new AwsAlbAuthProvider({
-      region,
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
+    const provider = new OneLoginProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
       issuer,
-      signInResolver,
       authHandler,
+      signInResolver,
       tokenIssuer,
       catalogIdentityClient,
       logger
     });
-  };
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
 };
 
 class SamlAuthProvider {
@@ -2034,24 +2304,24 @@ class SamlAuthProvider {
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.strategy = new passportSaml.Strategy({...options}, (fullProfile, done) => {
-      done(void 0, {fullProfile});
+    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
+      done(void 0, { fullProfile });
     });
   }
   async start(req, res) {
-    const {url} = await executeRedirectStrategy(req, this.strategy, {});
+    const { url } = await executeRedirectStrategy(req, this.strategy, {});
     res.redirect(url);
   }
   async frameHandler(req, res) {
     try {
-      const {result} = await executeFrameHandlerStrategy(req, this.strategy);
-      const {profile} = await this.authHandler(result);
+      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
+      const { profile } = await this.authHandler(result);
       const response = {
         profile,
         providerInfo: {}
       };
       if (this.signInResolver) {
-        response.backstageIdentity = await this.signInResolver({
+        const signInResponse = await this.signInResolver({
           result,
           profile
         }, {
@@ -2059,16 +2329,17 @@ class SamlAuthProvider {
           catalogIdentityClient: this.catalogIdentityClient,
           logger: this.logger
         });
+        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
       }
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
         response
       });
     } catch (error) {
-      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        error: {name, message}
+        error: { name, message }
       });
     }
   }
@@ -2079,9 +2350,9 @@ class SamlAuthProvider {
 const samlDefaultSignInResolver = async (info, ctx) => {
   const id = info.result.fullProfile.nameID;
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: id}
+    claims: { sub: id }
   });
-  return {id, token};
+  return { id, token };
 };
 const createSamlProvider = (options) => {
   return ({
@@ -2097,7 +2368,7 @@ const createSamlProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: {
         email: fullProfile.email,
         displayName: fullProfile.displayName
@@ -2133,191 +2404,6 @@ const createSamlProvider = (options) => {
   };
 };
 
-class Auth0Strategy extends OAuth2Strategy__default['default'] {
-  constructor(options, verify) {
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://${options.domain}/authorize`,
-      tokenURL: `https://${options.domain}/oauth/token`,
-      userInfoURL: `https://${options.domain}/userinfo`,
-      apiUrl: `https://${options.domain}/api`
-    };
-    super(optionsWithURLs, verify);
-  }
-}
-
-class Auth0AuthProvider {
-  constructor(options) {
-    this._strategy = new Auth0Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      domain: options.domain,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        accessToken,
-        refreshToken,
-        params
-      }, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
-    return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      profile
-    });
-  }
-  async populateIdentity(response) {
-    const {profile} = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
-    }
-    const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
-  }
-}
-const createAuth0Provider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new Auth0AuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      domain
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-
-class OneLoginProvider {
-  constructor(options) {
-    this._strategy = new passportOneloginOauth.Strategy({
-      issuer: options.issuer,
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        accessToken,
-        refreshToken,
-        params,
-        fullProfile
-      }, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: "openid",
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
-    return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      profile
-    });
-  }
-  async populateIdentity(response) {
-    const {profile} = response;
-    if (!profile.email) {
-      throw new Error("OIDC profile contained no email");
-    }
-    const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
-  }
-}
-const createOneLoginProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new OneLoginProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      issuer
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-
 const factories = {
   google: createGoogleProvider(),
   github: createGithubProvider(),
@@ -2335,8 +2421,8 @@ const factories = {
 };
 
 function createOidcRouter(options) {
-  const {baseUrl, tokenIssuer} = options;
-  const router = Router__default['default']();
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
   const config = {
     issuer: baseUrl,
     token_endpoint: `${baseUrl}/v1/token`,
@@ -2354,8 +2440,8 @@ function createOidcRouter(options) {
     res.json(config);
   });
   router.get("/.well-known/jwks.json", async (_req, res) => {
-    const {keys} = await tokenIssuer.listPublicKeys();
-    res.json({keys});
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
   });
   router.get("/v1/token", (_req, res) => {
     res.status(501).send("Not Implemented");
@@ -2375,21 +2461,30 @@ class IdentityClient {
     this.keyStoreUpdated = 0;
   }
   async authenticate(token) {
+    var _a;
     if (!token) {
-      throw new Error("No token specified");
+      throw new errors.AuthenticationError("No token specified");
     }
     const key = await this.getKey(token);
     if (!key) {
-      throw new Error("No signing key matching token found");
+      throw new errors.AuthenticationError("No signing key matching token found");
     }
     const decoded = jose.JWT.IdToken.verify(token, key, {
       algorithms: ["ES256"],
       audience: "backstage",
       issuer: this.issuer
     });
+    if (!decoded.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
     const user = {
       id: decoded.sub,
-      idToken: token
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.sub,
+        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
+      }
     };
     return user;
   }
@@ -2401,19 +2496,19 @@ class IdentityClient {
     return matches == null ? void 0 : matches[1];
   }
   async getKey(rawJwtToken) {
-    const {header, payload} = jose.JWT.decode(rawJwtToken, {
+    const { header, payload } = jose.JWT.decode(rawJwtToken, {
       complete: true
     });
-    const keyStoreHasKey = !!this.keyStore.get({kid: header.kid});
+    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
     const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
     if (!keyStoreHasKey && issuedAfterLastRefresh) {
       await this.refreshKeyStore();
     }
-    return this.keyStore.get({kid: header.kid});
+    return this.keyStore.get({ kid: header.kid });
   }
   async listPublicKeys() {
     const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default['default'](url);
+    const response = await fetch__default["default"](url);
     if (!response.ok) {
       const payload = await response.text();
       const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
@@ -2449,13 +2544,13 @@ class TokenFactory {
     const iat = Math.floor(Date.now() / MS_IN_S);
     const exp = iat + this.keyDurationSeconds;
     this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({iss, sub, aud, iat, exp, ent}, key, {
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
       alg: key.alg,
       kid: key.kid
     });
   }
   async listPublicKeys() {
-    const {items: keys} = await this.keyStore.listKeys();
+    const { items: keys } = await this.keyStore.listKeys();
     const validKeys = [];
     const expiredKeys = [];
     for (const key of keys) {
@@ -2469,13 +2564,13 @@ class TokenFactory {
       }
     }
     if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({key}) => key.kid);
+      const kids = expiredKeys.map(({ key }) => key.kid);
       this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
       this.keyStore.removeKeys(kids).catch((error) => {
         this.logger.error(`Failed to remove expired keys, ${error}`);
       });
     }
-    return {keys: validKeys.map(({key}) => key)};
+    return { keys: validKeys.map(({ key }) => key) };
   }
   async getKey() {
     if (this.privateKeyPromise) {
@@ -2513,7 +2608,7 @@ class TokenFactory {
 const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
 const TABLE = "signing_keys";
 const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, {zone: "UTC"}) : luxon.DateTime.fromJSDate(date);
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
   if (!parsedDate.isValid) {
     throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
   }
@@ -2521,7 +2616,7 @@ const parseDate = (date) => {
 };
 class DatabaseKeyStore {
   static async create(options) {
-    const {database} = options;
+    const { database } = options;
     await database.migrate.latest({
       directory: migrationsDir
     });
@@ -2552,7 +2647,7 @@ class DatabaseKeyStore {
 
 class MemoryKeyStore {
   constructor() {
-    this.keys = new Map();
+    this.keys = /* @__PURE__ */ new Map();
   }
   async addKey(key) {
     this.keys.set(key.kid, {
@@ -2567,7 +2662,7 @@ class MemoryKeyStore {
   }
   async listKeys() {
     return {
-      items: Array.from(this.keys).map(([, {createdAt, key: keyStr}]) => ({
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
         createdAt,
         key: JSON.parse(keyStr)
       }))
@@ -2584,7 +2679,7 @@ class FirestoreKeyStore {
     this.timeout = timeout;
   }
   static async create(settings) {
-    const {path, timeout, ...firestoreSettings} = settings != null ? settings : {};
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
     const database = new firestore.Firestore(firestoreSettings);
     return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
   }
@@ -2632,7 +2727,7 @@ class FirestoreKeyStore {
 class KeyStores {
   static async fromConfig(config, options) {
     var _a;
-    const {logger, database} = options != null ? options : {};
+    const { logger, database } = options != null ? options : {};
     const ks = config.getOptionalConfig("auth.keyStore");
     const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
     logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
@@ -2665,36 +2760,37 @@ class KeyStores {
   }
 }
 
-async function createRouter({
-  logger,
-  config,
-  discovery,
-  database,
-  providerFactories
-}) {
-  const router = Router__default['default']();
+async function createRouter(options) {
+  const { logger, config, discovery, database, providerFactories } = options;
+  const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
-  const keyStore = await KeyStores.fromConfig(config, {logger, database});
+  const keyStore = await KeyStores.fromConfig(config, { logger, database });
   const keyDurationSeconds = 3600;
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,
     keyStore,
     keyDurationSeconds,
-    logger: logger.child({component: "token-factory"})
+    logger: logger.child({ component: "token-factory" })
   });
-  const catalogApi = new catalogClient.CatalogClient({discoveryApi: discovery});
+  const catalogApi = new catalogClient.CatalogClient({ discoveryApi: discovery });
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
-    router.use(cookieParser__default['default'](secret));
-    router.use(session__default['default']({secret, saveUninitialized: false, resave: false}));
-    router.use(passport__default['default'].initialize());
-    router.use(passport__default['default'].session());
+    router.use(cookieParser__default["default"](secret));
+    const enforceCookieSSL = authUrl.startsWith("https");
+    router.use(session__default["default"]({
+      secret,
+      saveUninitialized: false,
+      resave: false,
+      cookie: { secure: enforceCookieSSL }
+    }));
+    router.use(passport__default["default"].initialize());
+    router.use(passport__default["default"].session());
   } else {
-    router.use(cookieParser__default['default']());
+    router.use(cookieParser__default["default"]());
   }
-  router.use(express__default['default'].urlencoded({extended: false}));
-  router.use(express__default['default'].json());
+  router.use(express__default["default"].urlencoded({ extended: false }));
+  router.use(express__default["default"].json());
   const allProviderFactories = {
     ...factories,
     ...providerFactories
@@ -2708,14 +2804,14 @@ async function createRouter({
       try {
         const provider = providerFactory({
           providerId,
-          globalConfig: {baseUrl: authUrl, appUrl, isOriginAllowed},
+          globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
           config: providersConfig.getConfig(providerId),
           logger,
           tokenIssuer,
           discovery,
           catalogApi
         });
-        const r = Router__default['default']();
+        const r = Router__default["default"]();
         r.get("/start", provider.start.bind(provider));
         r.get("/handler/frame", provider.frameHandler.bind(provider));
         r.post("/handler/frame", provider.frameHandler.bind(provider));
@@ -2747,7 +2843,7 @@ async function createRouter({
     baseUrl: authUrl
   }));
   router.use("/:provider/", (req) => {
-    const {provider} = req.params;
+    const { provider } = req.params;
     throw new errors.NotFoundError(`Unknown auth provider '${provider}'`);
   });
   return router;
@@ -2755,9 +2851,9 @@ async function createRouter({
 function createOriginFilter(config) {
   var _a;
   const appUrl = config.getString("app.baseUrl");
-  const {origin: appOrigin} = new URL(appUrl);
+  const { origin: appOrigin } = new URL(appUrl);
   const allowedOrigins = config.getOptionalStringArray("auth.experimentalExtraAllowedOrigins");
-  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, {nocase: true, noglobstar: true}))) != null ? _a : [];
+  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true }))) != null ? _a : [];
   return (origin) => {
     if (origin === appOrigin) {
       return true;
@@ -2773,6 +2869,7 @@ exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
 exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
 exports.createAtlassianProvider = createAtlassianProvider;
+exports.createAuth0Provider = createAuth0Provider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
 exports.createGithubProvider = createGithubProvider;
@@ -2782,6 +2879,7 @@ exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
 exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
+exports.createOneLoginProvider = createOneLoginProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
 exports.createSamlProvider = createSamlProvider;
@@ -2793,6 +2891,7 @@ exports.googleEmailSignInResolver = googleEmailSignInResolver;
 exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
 exports.oktaEmailSignInResolver = oktaEmailSignInResolver;
 exports.postMessageResponse = postMessageResponse;
+exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
 exports.readState = readState;
 exports.verifyNonce = verifyNonce;
 //# sourceMappingURL=index.cjs.js.map