@backstage/plugin-auth-backend 0.4.2 → 0.4.6

package/dist/index.cjs.js

@@ -18,16 +18,18 @@ var passportMicrosoft = require('passport-microsoft');
 var got = require('got');
 var OAuth2Strategy = require('passport-oauth2');
 var passportOktaOauth = require('passport-okta-oauth');
-var openidClient = require('openid-client');
-var passportSaml = require('passport-saml');
-var passportOneloginOauth = require('passport-onelogin-oauth');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var fetch = require('cross-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
+var openidClient = require('openid-client');
+var passportSaml = require('passport-saml');
+var passportOneloginOauth = require('passport-onelogin-oauth');
 var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -416,12 +418,10 @@ class OAuthAdapter {
         response
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -457,7 +457,7 @@ class OAuthAdapter {
       }
       res.status(200).json(response);
     } catch (error) {
-      res.status(401).send(`${error.message}`);
+      res.status(401).send(String(error));
     }
   }
   async populateIdentity(identity) {
@@ -550,6 +550,7 @@ class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
@@ -567,7 +568,7 @@ class GithubAuthProvider {
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -578,13 +579,17 @@ class GithubAuthProvider {
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const {
+      accessToken,
+      refreshToken: newRefreshToken,
+      params
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
       params,
       accessToken,
-      refreshToken: req.refreshToken
+      refreshToken: newRefreshToken
     });
   }
   async handleResult(result) {
@@ -593,6 +598,7 @@ class GithubAuthProvider {
     const response = {
       providerInfo: {
         accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
       },
@@ -628,7 +634,7 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
@@ -650,6 +656,9 @@ const createGithubProvider = (options) => {
       tokenIssuer,
       logger
     });
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return {encodedState: encodeState(req.state)};
+    };
     const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
@@ -661,6 +670,7 @@ const createGithubProvider = (options) => {
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
@@ -1378,6 +1388,9 @@ const createOktaProvider = (_options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -1410,6 +1423,444 @@ const createOktaProvider = (_options) => {
   });
 };
 
+class BitbucketAuthProvider {
+  constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new passportBitbucketOauth2.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        params,
+        accessToken,
+        refreshToken
+      }, {
+        refreshToken
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: req.refreshToken
+    });
+  }
+  async handleResult(result) {
+    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const bitbucketUsernameSignInResolver = async (info, ctx) => {
+  const {result} = info;
+  if (!result.fullProfile.username) {
+    throw new Error("Bitbucket profile contained no Username");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/username": result.fullProfile.username
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({claims});
+  return {id: entity.metadata.name, entity, token};
+};
+const bitbucketUserIdSignInResolver = async (info, ctx) => {
+  const {result} = info;
+  if (!result.fullProfile.id) {
+    throw new Error("Bitbucket profile contained no User ID");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/user-id": result.fullProfile.id
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({claims});
+  return {id: entity.metadata.name, entity, token};
+};
+const createBitbucketProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const provider = new BitbucketAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default['default'] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
+    }
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(new Set([...defaultScopes, ...scopes]))
+    };
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
+    };
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
+      if (err) {
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
+      }
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
+      }
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
+      }
+    });
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{value: resp.email}],
+      photos: [{value: resp.picture}]
+    };
+  }
+}
+
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      scope: options.scopes
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    var _a;
+    const {result} = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: (_a = result.refreshToken) != null ? _a : ""
+    };
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+  async refresh(req) {
+    const {
+      accessToken,
+      params,
+      refreshToken: newRefreshToken
+    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return this.handleResult({
+      fullProfile,
+      params,
+      accessToken,
+      refreshToken: newRefreshToken
+    });
+  }
+}
+const createAtlassianProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
+      clientId,
+      clientSecret,
+      scopes,
+      callbackUrl,
+      authHandler,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const getJWTHeaders = (input) => {
+  const encoded = input.split(".")[0];
+  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
+};
+class AwsAlbAuthProvider {
+  constructor(options) {
+    this.region = options.region;
+    this.issuer = options.issuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.keyCache = new NodeCache__default['default']({stdTTL: 3600});
+  }
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    try {
+      const result = await this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error("Exception occurred during AWS ALB token refresh", e);
+      res.status(401);
+      res.end();
+    }
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async getResult(req) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
+    }
+    try {
+      const headers = getJWTHeaders(jwt);
+      const key = await this.getKey(headers.kid);
+      const claims = jose.JWT.verify(jwt, key);
+      if (this.issuer && claims.iss !== this.issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{value: claims.email.toLowerCase()}],
+        photos: [{value: claims.picture}]
+      };
+      return {
+        fullProfile,
+        expiresInSeconds: claims.exp,
+        accessToken
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+  async handleResult(result) {
+    const {profile} = await this.authHandler(result);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
+    });
+    return {
+      providerInfo: {
+        accessToken: result.accessToken,
+        expiresInSeconds: result.expiresInSeconds
+      },
+      backstageIdentity,
+      profile
+    };
+  }
+  async getKey(keyId) {
+    const optionalCacheKey = this.keyCache.get(keyId);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
+    }
+    const keyText = await fetch__default['default'](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    this.keyCache.set(keyId, keyValue.export({format: "pem", type: "spki"}));
+    return keyValue;
+  }
+}
+const createAwsAlbProvider = (options) => {
+  return ({config, tokenIssuer, catalogApi, logger}) => {
+    const region = config.getString("region");
+    const issuer = config.getOptionalString("iss");
+    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+      throw new Error("SignInResolver is required to use this authentication provider");
+    }
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+      profile: makeProfileInfo(fullProfile)
+    });
+    const signInResolver = options == null ? void 0 : options.signIn.resolver;
+    return new AwsAlbAuthProvider({
+      region,
+      issuer,
+      signInResolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
+};
+
 class OidcAuthProvider {
   constructor(options) {
     this.implementation = this.setupStrategy(options);
@@ -1562,12 +2013,10 @@ class SamlAuthProvider {
         }
       });
     } catch (error) {
+      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        error: {
-          name: error.name,
-          message: error.message
-        }
+        error: {name, message}
       });
     }
   }
@@ -1587,6 +2036,8 @@ const createSamlProvider = (_options) => {
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
+      authnContext: config.getOptionalStringArray("authnContext"),
+      identifierFormat: config.getOptionalString("identifierFormat"),
       decryptionPvk: config.getOptionalString("decryptionPvk"),
       signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
       digestAlgorithm: config.getOptionalString("digestAlgorithm"),
@@ -1783,77 +2234,6 @@ const createOneLoginProvider = (_options) => {
   });
 };
 
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
-class AwsAlbAuthProvider {
-  constructor(logger, catalogClient, options) {
-    this.logger = logger;
-    this.catalogClient = catalogClient;
-    this.options = options;
-    this.keyCache = new NodeCache__default['default']({stdTTL: 3600});
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    if (jwt !== void 0) {
-      try {
-        const headers = getJWTHeaders(jwt);
-        const key = await this.getKey(headers.kid);
-        const payload = jose.JWT.verify(jwt, key);
-        if (this.options.issuer && headers.iss !== this.options.issuer) {
-          throw new Error("issuer mismatch on JWT");
-        }
-        const resolvedEntity = await this.options.identityResolutionCallback(payload, this.catalogClient);
-        res.json(resolvedEntity);
-      } catch (e) {
-        this.logger.error("exception occurred during JWT processing", e);
-        res.status(401);
-        res.end();
-      }
-    } else {
-      res.status(401);
-      res.end();
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
-    if (optionalCacheKey) {
-      return crypto__namespace.createPublicKey(optionalCacheKey);
-    }
-    const keyText = await fetch__default['default'](`https://public-keys.auth.elb.${this.options.region}.amazonaws.com/${keyId}`).then((response) => response.text());
-    const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({format: "pem", type: "spki"}));
-    return keyValue;
-  }
-}
-const createAwsAlbProvider = (_options) => {
-  return ({
-    logger,
-    catalogApi,
-    config,
-    identityResolver
-  }) => {
-    const region = config.getString("region");
-    const issuer = config.getOptionalString("iss");
-    if (identityResolver !== void 0) {
-      return new AwsAlbAuthProvider(logger, catalogApi, {
-        region,
-        issuer,
-        identityResolutionCallback: identityResolver
-      });
-    }
-    throw new Error("Identity resolver is required to use this authentication provider");
-  };
-};
-
 const factories = {
   google: createGoogleProvider(),
   github: createGithubProvider(),
@@ -1865,7 +2245,9 @@ const factories = {
   oauth2: createOAuth2Provider(),
   oidc: createOidcProvider(),
   onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider()
+  awsalb: createAwsAlbProvider(),
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
 };
 
 function createOidcRouter(options) {
@@ -2084,6 +2466,121 @@ class DatabaseKeyStore {
   }
 }
 
+class MemoryKeyStore {
+  constructor() {
+    this.keys = new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, {createdAt, key: keyStr}]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
+
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const {path, timeout, ...firestoreSettings} = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const {logger, database} = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      });
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
+
 async function createRouter({
   logger,
   config,
@@ -2094,10 +2591,8 @@ async function createRouter({
   const router = Router__default['default']();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
+  const keyStore = await KeyStores.fromConfig(config, {logger, database});
   const keyDurationSeconds = 3600;
-  const keyStore = await DatabaseKeyStore.create({
-    database: await database.getClient()
-  });
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,
     keyStore,
@@ -2148,6 +2643,7 @@ async function createRouter({
         }
         router.use(`/${providerId}`, r);
       } catch (e) {
+        errors.assertError(e);
         if (process.env.NODE_ENV !== "development") {
           throw new Error(`Failed to initialize ${providerId} auth provider, ${e.message}`);
         }
@@ -2189,6 +2685,11 @@ function createOriginFilter(config) {
 exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
+exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
+exports.createAtlassianProvider = createAtlassianProvider;
+exports.createAwsAlbProvider = createAwsAlbProvider;
+exports.createBitbucketProvider = createBitbucketProvider;
 exports.createGithubProvider = createGithubProvider;
 exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;