npm - @backstage/plugin-auth-backend - Versions diffs - 0.4.8 → 0.5.1 - Mend

@backstage/plugin-auth-backend 0.4.8 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.cjs.js CHANGED Viewed

@@ -17,12 +17,12 @@ var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
 var got = require('got');
 var OAuth2Strategy = require('passport-oauth2');
+var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var fetch = require('cross-fetch');
+var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
-var openidClient = require('openid-client');
 var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var catalogClient = require('@backstage/catalog-client');
@@ -46,14 +46,12 @@ function _interopNamespace(e) {
         var d = Object.getOwnPropertyDescriptor(e, k);
         Object.defineProperty(n, k, d.get ? d : {
           enumerable: true,
-          get: function () {
-            return e[k];
-          }
+          get: function () { return e[k]; }
         });
       }
     });
   }
-  n['default'] = e;
+  n["default"] = e;
   return Object.freeze(n);
 }
@@ -88,7 +86,7 @@ const makeProfileInfo = (profile, idToken) => {
   let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
   if ((!email || !picture || !displayName) && idToken) {
     try {
-      const decoded = jwtDecoder__default['default'](idToken);
+      const decoded = jwtDecoder__default["default"](idToken);
       if (!email && decoded.email) {
         email = decoded.email;
       }
@@ -112,16 +110,16 @@ const executeRedirectStrategy = async (req, providerStrategy, options) => {
   return new Promise((resolve) => {
     const strategy = Object.create(providerStrategy);
     strategy.redirect = (url, status) => {
-      resolve({url, status: status != null ? status : void 0});
+      resolve({ url, status: status != null ? status : void 0 });
     };
-    strategy.authenticate(req, {...options});
+    strategy.authenticate(req, { ...options });
   });
 };
 const executeFrameHandlerStrategy = async (req, providerStrategy) => {
   return new Promise((resolve, reject) => {
     const strategy = Object.create(providerStrategy);
     strategy.success = (result, privateInfo) => {
-      resolve({result, privateInfo});
+      resolve({ result, privateInfo });
     };
     strategy.fail = (info) => {
       var _a;
@@ -193,7 +191,7 @@ const readState = (stateString) => {
   return state;
 };
 const encodeState = (state) => {
-  const stateString = new URLSearchParams(pickBy__default['default'](state, (value) => value !== void 0)).toString();
+  const stateString = new URLSearchParams(pickBy__default["default"](state, (value) => value !== void 0)).toString();
   return Buffer.from(stateString, "utf-8").toString("hex");
 };
 const verifyNonce = (req, providerId) => {
@@ -218,7 +216,7 @@ class OAuthEnvironmentHandler {
   }
   static mapConfig(config, factoryFunc) {
     const envs = config.keys();
-    const handlers = new Map();
+    const handlers = /* @__PURE__ */ new Map();
     for (const env of envs) {
       const envConfig = config.getConfig(env);
       const handler = factoryFunc(envConfig);
@@ -227,22 +225,22 @@ class OAuthEnvironmentHandler {
     return new OAuthEnvironmentHandler(handlers);
   }
   async start(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.start(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.start(req, res);
   }
   async frameHandler(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.frameHandler(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.frameHandler(req, res);
   }
   async refresh(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.refresh) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.refresh) == null ? void 0 : _a.call(provider, req, res));
   }
   async logout(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.logout) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.logout) == null ? void 0 : _a.call(provider, req, res));
   }
   getRequestFromEnv(req) {
     var _a, _b;
@@ -257,19 +255,16 @@ class OAuthEnvironmentHandler {
     const env = readState(stateParams).env;
     return env;
   }
-  getProviderForEnv(req, res) {
+  getProviderForEnv(req) {
     const env = this.getRequestFromEnv(req);
     if (!env) {
       throw new errors.InputError(`Must specify 'env' query to select environment`);
     }
-    if (!this.handlers.has(env)) {
-      res.status(404).send(`Missing configuration.
-    <br>
-    <br>
-    For this flow to work you need to supply a valid configuration for the "${env}" environment of provider.`);
-      return void 0;
+    const handler = this.handlers.get(env);
+    if (!handler) {
+      throw new errors.NotFoundError(`No configuration available for the '${env}' environment of this provider.`);
     }
-    return this.handlers.get(env);
+    return handler;
   }
 }
@@ -290,11 +285,11 @@ const postMessageResponse = (res, appOrigin, response) => {
       window.close();
     }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
   `;
-  const hash = crypto__default['default'].createHash("sha256").update(script).digest("base64");
+  const hash = crypto__default["default"].createHash("sha256").update(script).digest("base64");
   res.setHeader("Content-Type", "text/html");
   res.setHeader("X-Frame-Options", "sameorigin");
   res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
-  res.end(`<html><body><script>${script}</script></body></html>`);
+  res.end(`<html><body><script>${script}<\/script></body></html>`);
 };
 const ensuresXRequestedWith = (req) => {
   const requiredHeader = req.header("X-Requested-With");
@@ -304,6 +299,25 @@ const ensuresXRequestedWith = (req) => {
   return true;
 };
+function parseJwtPayload(token) {
+  const [_header, payload, _signature] = token.split(".");
+  return JSON.parse(Buffer.from(payload, "base64").toString());
+}
+function prepareBackstageIdentityResponse(result) {
+  const { sub, ent } = parseJwtPayload(result.token);
+  return {
+    ...{
+      idToken: result.token,
+      ...result
+    },
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent != null ? ent : []
+    }
+  };
+}
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
 const TEN_MINUTES_MS = 600 * 1e3;
 class OAuthAdapter {
@@ -355,7 +369,7 @@ class OAuthAdapter {
     };
   }
   static fromConfig(config, handlers, options) {
-    const {origin: appOrigin} = new url.URL(config.appUrl);
+    const { origin: appOrigin } = new url.URL(config.appUrl);
     const secure = config.baseUrl.startsWith("https://");
     const url$1 = new url.URL(config.baseUrl);
     const cookiePath = `${url$1.pathname}/${options.providerId}`;
@@ -379,11 +393,11 @@ class OAuthAdapter {
     if (this.options.persistScopes) {
       this.setScopesCookie(res, scope);
     }
-    const nonce = crypto__default['default'].randomBytes(16).toString("base64");
+    const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
-    const state = {nonce, env, origin};
-    const forwardReq = Object.assign(req, {scope, state});
-    const {url, status} = await this.handlers.start(forwardReq);
+    const state = { nonce, env, origin };
+    const forwardReq = Object.assign(req, { scope, state });
+    const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
     res.setHeader("Location", url);
     res.setHeader("Content-Length", "0");
@@ -405,7 +419,7 @@ class OAuthAdapter {
         }
       }
       verifyNonce(req, this.options.providerId);
-      const {response, refreshToken} = await this.handlers.handler(req);
+      const { response, refreshToken } = await this.handlers.handler(req);
       if (this.options.persistScopes) {
         const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
         response.providerInfo.scope = grantedScopes;
@@ -413,65 +427,62 @@ class OAuthAdapter {
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
       }
-      await this.populateIdentity(response.backstageIdentity);
+      const identity = await this.populateIdentity(response.backstageIdentity);
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        response
+        response: { ...response, backstageIdentity: identity }
       });
     } catch (error) {
-      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, appOrigin, {
         type: "authorization_response",
-        error: {name, message}
+        error: { name, message }
       });
     }
   }
   async logout(req, res) {
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     this.removeRefreshTokenCookie(res);
-    res.status(200).send("logout!");
+    res.status(200).end();
   }
   async refresh(req, res) {
     var _a, _b;
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     if (!this.handlers.refresh || this.options.disableRefresh) {
-      res.status(400).send(`Refresh token not supported for provider: ${this.options.providerId}`);
-      return;
+      throw new errors.InputError(`Refresh token is not supported for provider ${this.options.providerId}`);
     }
     try {
       const refreshToken = req.cookies[`${this.options.providerId}-refresh-token`];
       if (!refreshToken) {
-        throw new Error("Missing session cookie");
+        throw new errors.InputError("Missing session cookie");
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
-      const forwardReq = Object.assign(req, {scope, refreshToken});
+      const forwardReq = Object.assign(req, { scope, refreshToken });
       const response = await this.handlers.refresh(forwardReq);
-      await this.populateIdentity(response.backstageIdentity);
+      const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
       if (response.providerInfo.refreshToken && response.providerInfo.refreshToken !== refreshToken) {
         this.setRefreshTokenCookie(res, response.providerInfo.refreshToken);
       }
-      res.status(200).json(response);
+      res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
-      res.status(401).send(String(error));
+      throw new errors.AuthenticationError("Refresh failed", error);
     }
   }
   async populateIdentity(identity) {
     if (!identity) {
-      return;
+      return void 0;
     }
-    if (!(identity.token || identity.idToken)) {
-      identity.token = await this.options.tokenIssuer.issueToken({
-        claims: {sub: identity.id}
-      });
-    } else if (!identity.token && identity.idToken) {
-      identity.token = identity.idToken;
+    if (identity.token) {
+      return prepareBackstageIdentityResponse(identity);
     }
+    const token = await this.options.tokenIssuer.issueToken({
+      claims: { sub: identity.id }
+    });
+    return prepareBackstageIdentityResponse({ ...identity, token });
   }
 }
@@ -488,9 +499,9 @@ class CatalogIdentityClient {
       filter[`metadata.annotations.${key}`] = value;
     }
     const token = await this.tokenIssuer.issueToken({
-      claims: {sub: "backstage.io/auth-backend"}
+      claims: { sub: "backstage.io/auth-backend" }
     });
-    const {items} = await this.catalogApi.getEntities({filter}, {token});
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
     if (items.length !== 1) {
       if (items.length > 1) {
         throw new errors.ConflictError("User lookup resulted in multiple matches");
@@ -500,10 +511,8 @@ class CatalogIdentityClient {
     }
     return items[0];
   }
-  async resolveCatalogMembership({
-    entityRefs,
-    logger
-  }) {
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
     const resolvedEntityRefs = entityRefs.map((ref) => {
       try {
         const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
@@ -521,7 +530,7 @@ class CatalogIdentityClient {
       "metadata.namespace": ref.namespace,
       "metadata.name": ref.name
     }));
-    const entities = await this.catalogApi.getEntities({filter}).then((r) => r.items);
+    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
     if (entityRefs.length !== entities.length) {
       const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
       const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -565,7 +574,7 @@ class GithubAuthProvider {
       userProfileURL: options.userProfileUrl,
       authorizationURL: options.authorizationUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken}, {refreshToken});
+      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
     });
   }
   async start(req) {
@@ -575,7 +584,7 @@ class GithubAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
@@ -596,7 +605,7 @@ class GithubAuthProvider {
     });
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
@@ -621,12 +630,12 @@ class GithubAuthProvider {
   }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
-  const {fullProfile} = info.result;
+  const { fullProfile } = info.result;
   const userId = fullProfile.username || fullProfile.id;
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
 const createGithubProvider = (options) => {
   return ({
@@ -650,7 +659,7 @@ const createGithubProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
     });
     const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
@@ -660,7 +669,7 @@ const createGithubProvider = (options) => {
       logger
     });
     const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
-      return {encodedState: encodeState(req.state)};
+      return { encodedState: encodeState(req.state) };
     };
     const provider = new GithubAuthProvider({
       clientId,
@@ -685,15 +694,15 @@ const createGithubProvider = (options) => {
 };
 const gitlabDefaultSignInResolver = async (info, ctx) => {
-  const {profile, result} = info;
+  const { profile, result } = info;
   let id = result.fullProfile.id;
   if (profile.email) {
     id = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: id, ent: [`user:default/${id}`]}
+    claims: { sub: id, ent: [`user:default/${id}`] }
   });
-  return {id, token};
+  return { id, token };
 };
 const gitlabDefaultAuthHandler = async ({
   fullProfile,
@@ -714,7 +723,7 @@ class GitlabAuthProvider {
       callbackURL: options.callbackUrl,
       baseURL: options.baseUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, params, accessToken}, {
+      done(void 0, { fullProfile, params, accessToken }, {
         refreshToken
       });
     });
@@ -726,7 +735,7 @@ class GitlabAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
@@ -747,7 +756,7 @@ class GitlabAuthProvider {
     });
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -848,14 +857,14 @@ class GoogleAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
@@ -865,7 +874,7 @@ class GoogleAuthProvider {
     });
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -889,7 +898,7 @@ class GoogleAuthProvider {
   }
 }
 const googleEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Google profile contained no email");
   }
@@ -899,11 +908,11 @@ const googleEmailSignInResolver = async (info, ctx) => {
     }
   });
   const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
 const googleDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Google profile contained no email");
   }
@@ -920,9 +929,9 @@ const googleDefaultSignInResolver = async (info, ctx) => {
     userId = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
 const createGoogleProvider = (options) => {
   return ({
@@ -941,7 +950,7 @@ const createGoogleProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
     const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
@@ -983,7 +992,7 @@ class MicrosoftAuthProvider {
       tokenURL: options.tokenUrl,
       passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {fullProfile, accessToken, params}, {refreshToken});
+      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
     });
   }
   async start(req) {
@@ -993,14 +1002,14 @@ class MicrosoftAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
@@ -1011,8 +1020,8 @@ class MicrosoftAuthProvider {
   }
   async handleResult(result) {
     const photo = await this.getUserPhoto(result.accessToken);
-    result.fullProfile.photos = photo ? [{value: photo}] : void 0;
-    const {profile} = await this.authHandler(result);
+    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1036,7 +1045,7 @@ class MicrosoftAuthProvider {
   }
   getUserPhoto(accessToken) {
     return new Promise((resolve) => {
-      got__default['default'].get("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
+      got__default["default"].get("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
         encoding: "binary",
         responseType: "buffer",
         headers: {
@@ -1053,7 +1062,7 @@ class MicrosoftAuthProvider {
   }
 }
 const microsoftEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Microsoft profile contained no email");
   }
@@ -1063,19 +1072,19 @@ const microsoftEmailSignInResolver = async (info, ctx) => {
     }
   });
   const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
 const microsoftDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
 const createMicrosoftProvider = (options) => {
   return ({
@@ -1097,7 +1106,7 @@ const createMicrosoftProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
     const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
@@ -1140,7 +1149,10 @@ class OAuth2AuthProvider {
       authorizationURL: options.authorizationUrl,
       tokenURL: options.tokenUrl,
       passReqToCallback: false,
-      scope: options.scope
+      scope: options.scope,
+      customHeaders: options.includeBasicAuth ? {
+        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
+      } : void 0
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
         fullProfile,
@@ -1161,7 +1173,7 @@ class OAuth2AuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
@@ -1183,7 +1195,7 @@ class OAuth2AuthProvider {
     });
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1206,17 +1218,20 @@ class OAuth2AuthProvider {
     }
     return response;
   }
+  encodeClientCredentials(clientID, clientSecret) {
+    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
+  }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
 const createOAuth2Provider = (options) => {
   return ({
@@ -1234,15 +1249,16 @@ const createOAuth2Provider = (options) => {
     const authorizationUrl = envConfig.getString("authorizationUrl");
     const tokenUrl = envConfig.getString("tokenUrl");
     const scope = envConfig.getOptionalString("scope");
+    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
     const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
@@ -1259,7 +1275,8 @@ const createOAuth2Provider = (options) => {
       authorizationUrl,
       tokenUrl,
       scope,
-      logger
+      logger,
+      includeBasicAuth
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh,
@@ -1269,6 +1286,168 @@ const createOAuth2Provider = (options) => {
   });
 };
+class OidcAuthProvider {
+  constructor(options) {
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+  }
+  async start(req) {
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
+  }
+  async handler(req) {
+    const { strategy } = await this.implementation;
+    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
+    const {
+      result: { userinfo, tokenset },
+      privateInfo
+    } = strategyResponse;
+    const identityResponse = await this.handleResult({ tokenset, userinfo });
+    return {
+      response: identityResponse,
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const profile = await client.userinfo(tokenset.access_token);
+    return this.handleResult({ tokenset, userinfo: profile });
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
+      done(void 0, { tokenset, userinfo }, {
+        refreshToken: tokenset.refresh_token
+      });
+    });
+    strategy.error = console.error;
+    return { strategy, client };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        refreshToken: result.tokenset.refresh_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+}
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
+  });
+  return { id: userId, token };
+};
+const createOidcProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const metadataUrl = envConfig.getString("metadataUrl");
+    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+    const scope = envConfig.getOptionalString("scope");
+    const prompt = envConfig.getOptionalString("prompt");
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
+      profile: {
+        displayName: userinfo.name,
+        email: userinfo.email,
+        picture: userinfo.picture
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OidcAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      tokenSignedResponseAlg,
+      metadataUrl,
+      scope,
+      prompt,
+      signInResolver,
+      authHandler,
+      logger,
+      tokenIssuer,
+      catalogIdentityClient
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
 class OktaAuthProvider {
   constructor(options) {
     this._store = {
@@ -1312,14 +1491,14 @@ class OktaAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
@@ -1329,7 +1508,7 @@ class OktaAuthProvider {
     });
   }
   async handleResult(result) {
-    const {profile} = await this._authHandler(result);
+    const { profile } = await this._authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1353,7 +1532,7 @@ class OktaAuthProvider {
   }
 }
 const oktaEmailSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Okta profile contained no email");
   }
@@ -1363,19 +1542,19 @@ const oktaEmailSignInResolver = async (info, ctx) => {
     }
   });
   const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
 const oktaDefaultSignInResolver = async (info, ctx) => {
-  const {profile} = info;
+  const { profile } = info;
   if (!profile.email) {
     throw new Error("Okta profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: {sub: userId, ent: [`user:default/${userId}`]}
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return {id: userId, token};
+  return { id: userId, token };
 };
 const createOktaProvider = (_options) => {
   return ({
@@ -1398,7 +1577,7 @@ const createOktaProvider = (_options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
     const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
@@ -1458,14 +1637,14 @@ class BitbucketAuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     return this.handleResult({
       fullProfile,
@@ -1476,7 +1655,7 @@ class BitbucketAuthProvider {
   }
   async handleResult(result) {
     result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1500,7 +1679,7 @@ class BitbucketAuthProvider {
   }
 }
 const bitbucketUsernameSignInResolver = async (info, ctx) => {
-  const {result} = info;
+  const { result } = info;
   if (!result.fullProfile.username) {
     throw new Error("Bitbucket profile contained no Username");
   }
@@ -1510,11 +1689,11 @@ const bitbucketUsernameSignInResolver = async (info, ctx) => {
     }
   });
   const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
 const bitbucketUserIdSignInResolver = async (info, ctx) => {
-  const {result} = info;
+  const { result } = info;
   if (!result.fullProfile.id) {
     throw new Error("Bitbucket profile contained no User ID");
   }
@@ -1524,8 +1703,8 @@ const bitbucketUserIdSignInResolver = async (info, ctx) => {
     }
   });
   const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({claims});
-  return {id: entity.metadata.name, entity, token};
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
 const createBitbucketProvider = (options) => {
   return ({
@@ -1544,7 +1723,7 @@ const createBitbucketProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile, params}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
     const provider = new BitbucketAuthProvider({
@@ -1566,7 +1745,7 @@ const createBitbucketProvider = (options) => {
 };
 const defaultScopes = ["offline_access", "read:me"];
-class AtlassianStrategy extends OAuth2Strategy__default['default'] {
+class AtlassianStrategy extends OAuth2Strategy__default["default"] {
   constructor(options, verify) {
     if (!options.scope) {
       throw new TypeError("Atlassian requires a scope option");
@@ -1576,7 +1755,7 @@ class AtlassianStrategy extends OAuth2Strategy__default['default'] {
       ...options,
       authorizationURL: `https://auth.atlassian.com/authorize`,
       tokenURL: `https://auth.atlassian.com/oauth/token`,
-      scope: Array.from(new Set([...defaultScopes, ...scopes]))
+      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
     super(optionsWithURLs, verify);
     this.profileURL = "https://api.atlassian.com/me";
@@ -1613,8 +1792,8 @@ class AtlassianStrategy extends OAuth2Strategy__default['default'] {
       provider: "atlassian",
       username: resp.nickname,
       displayName: resp.name,
-      emails: [{value: resp.email}],
-      photos: [{value: resp.picture}]
+      emails: [{ value: resp.email }],
+      photos: [{ value: resp.picture }]
     };
   }
 }
@@ -1653,14 +1832,14 @@ class AtlassianAuthProvider {
   }
   async handler(req) {
     var _a;
-    const {result} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: (_a = result.refreshToken) != null ? _a : ""
     };
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1751,7 +1930,7 @@ class AwsAlbAuthProvider {
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyCache = new NodeCache__default['default']({stdTTL: 3600});
+    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
   }
   frameHandler() {
     return Promise.resolve(void 0);
@@ -1795,8 +1974,8 @@ class AwsAlbAuthProvider {
           familyName: claims.family_name,
           givenName: claims.given_name
         },
-        emails: [{value: claims.email.toLowerCase()}],
-        photos: [{value: claims.picture}]
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
       };
       return {
         fullProfile,
@@ -1808,7 +1987,7 @@ class AwsAlbAuthProvider {
     }
   }
   async handleResult(result) {
-    const {profile} = await this.authHandler(result);
+    const { profile } = await this.authHandler(result);
     const backstageIdentity = await this.signInResolver({
       result,
       profile
@@ -1822,7 +2001,7 @@ class AwsAlbAuthProvider {
         accessToken: result.accessToken,
         expiresInSeconds: result.expiresInSeconds
       },
-      backstageIdentity,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
       profile
     };
   }
@@ -1831,14 +2010,14 @@ class AwsAlbAuthProvider {
     if (optionalCacheKey) {
       return crypto__namespace.createPublicKey(optionalCacheKey);
     }
-    const keyText = await fetch__default['default'](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
     const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({format: "pem", type: "spki"}));
+    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
     return keyValue;
   }
 }
 const createAwsAlbProvider = (options) => {
-  return ({config, tokenIssuer, catalogApi, logger}) => {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
     const region = config.getString("region");
     const issuer = config.getOptionalString("iss");
     if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -1848,7 +2027,7 @@ const createAwsAlbProvider = (options) => {
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({fullProfile}) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
     });
     const signInResolver = options == null ? void 0 : options.signIn.resolver;
@@ -1864,182 +2043,98 @@ const createAwsAlbProvider = (options) => {
   };
 };
-class OidcAuthProvider {
-  constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-  }
-  async start(req) {
-    const {strategy} = await this.implementation;
-    const options = {
-      accessType: "offline",
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
-  }
-  async handler(req) {
-    const {strategy} = await this.implementation;
-    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
-    const {
-      result: {userinfo, tokenset},
-      privateInfo
-    } = strategyResponse;
-    const identityResponse = await this.populateIdentity({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      },
-      providerInfo: {
-        idToken: tokenset.id_token,
-        accessToken: tokenset.access_token || "",
-        scope: tokenset.scope || "",
-        expiresInSeconds: tokenset.expires_in
-      }
-    });
-    return {
-      response: identityResponse,
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const {client} = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const profile = await client.userinfo(tokenset.access_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken: tokenset.access_token,
-        refreshToken: tokenset.refresh_token,
-        expiresInSeconds: tokenset.expires_in,
-        idToken: tokenset.id_token,
-        scope: tokenset.scope || ""
-      },
-      profile
-    });
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, {tokenset, userinfo}, {
-        refreshToken: tokenset.refresh_token
-      });
-    });
-    strategy.error = console.error;
-    return {strategy, client};
-  }
-  async populateIdentity(response) {
-    const {profile} = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
-    }
-    const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
-  }
-}
-const createOidcProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
-    const provider = new OidcAuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
 class SamlAuthProvider {
   constructor(options) {
     this.appUrl = options.appUrl;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
-    this.strategy = new passportSaml.Strategy({...options}, (fullProfile, done) => {
-      done(void 0, {fullProfile});
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
+      done(void 0, { fullProfile });
     });
   }
   async start(req, res) {
-    const {url} = await executeRedirectStrategy(req, this.strategy, {});
+    const { url } = await executeRedirectStrategy(req, this.strategy, {});
     res.redirect(url);
   }
   async frameHandler(req, res) {
     try {
-      const {result} = await executeFrameHandlerStrategy(req, this.strategy);
-      const id = result.fullProfile.nameID;
-      const idToken = await this.tokenIssuer.issueToken({
-        claims: {sub: id}
-      });
+      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
+      const { profile } = await this.authHandler(result);
+      const response = {
+        profile,
+        providerInfo: {}
+      };
+      if (this.signInResolver) {
+        const signInResponse = await this.signInResolver({
+          result,
+          profile
+        }, {
+          tokenIssuer: this.tokenIssuer,
+          catalogIdentityClient: this.catalogIdentityClient,
+          logger: this.logger
+        });
+        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
+      }
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        response: {
-          profile: {
-            email: result.fullProfile.email,
-            displayName: result.fullProfile.displayName
-          },
-          providerInfo: {},
-          backstageIdentity: {id, idToken}
-        }
+        response
       });
     } catch (error) {
-      const {name, message} = errors.isError(error) ? error : new Error("Encountered invalid error");
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
       return postMessageResponse(res, this.appUrl, {
         type: "authorization_response",
-        error: {name, message}
+        error: { name, message }
       });
     }
   }
   async logout(_req, res) {
-    res.send("noop");
-  }
-  identifyEnv() {
-    return void 0;
+    res.end();
   }
 }
-const createSamlProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => {
-    const opts = {
+const samlDefaultSignInResolver = async (info, ctx) => {
+  const id = info.result.fullProfile.nameID;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id }
+  });
+  return { id, token };
+};
+const createSamlProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => {
+    var _a, _b;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: {
+        email: fullProfile.email,
+        displayName: fullProfile.displayName
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    return new SamlAuthProvider({
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
       audience: config.getOptionalString("audience"),
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
-      privateCert: config.getOptionalString("privateKey"),
+      privateKey: config.getOptionalString("privateKey"),
       authnContext: config.getOptionalStringArray("authnContext"),
       identifierFormat: config.getOptionalString("identifierFormat"),
       decryptionPvk: config.getOptionalString("decryptionPvk"),
@@ -2047,13 +2142,16 @@ const createSamlProvider = (_options) => {
       digestAlgorithm: config.getOptionalString("digestAlgorithm"),
       acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
       tokenIssuer,
-      appUrl: globalConfig.appUrl
-    };
-    return new SamlAuthProvider(opts);
+      appUrl: globalConfig.appUrl,
+      authHandler,
+      signInResolver,
+      logger,
+      catalogIdentityClient
+    });
   };
 };
-class Auth0Strategy extends OAuth2Strategy__default['default'] {
+class Auth0Strategy extends OAuth2Strategy__default["default"] {
   constructor(options, verify) {
     const optionsWithURLs = {
       ...options,
@@ -2094,7 +2192,7 @@ class Auth0AuthProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
     return {
       response: await this.populateIdentity({
@@ -2110,7 +2208,7 @@ class Auth0AuthProvider {
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     const profile = makeProfileInfo(fullProfile, params.id_token);
     return this.populateIdentity({
@@ -2124,16 +2222,16 @@ class Auth0AuthProvider {
     });
   }
   async populateIdentity(response) {
-    const {profile} = response;
+    const { profile } = response;
     if (!profile.email) {
       throw new Error("Profile does not contain an email");
     }
     const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
+    return { ...response, backstageIdentity: { id, token: "" } };
   }
 }
 const createAuth0Provider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const domain = envConfig.getString("domain");
@@ -2180,7 +2278,7 @@ class OneLoginProvider {
     });
   }
   async handler(req) {
-    const {result, privateInfo} = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
     return {
       response: await this.populateIdentity({
@@ -2196,7 +2294,7 @@ class OneLoginProvider {
     };
   }
   async refresh(req) {
-    const {accessToken, params} = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
     const profile = makeProfileInfo(fullProfile, params.id_token);
     return this.populateIdentity({
@@ -2210,16 +2308,16 @@ class OneLoginProvider {
     });
   }
   async populateIdentity(response) {
-    const {profile} = response;
+    const { profile } = response;
     if (!profile.email) {
       throw new Error("OIDC profile contained no email");
     }
     const id = profile.email.split("@")[0];
-    return {...response, backstageIdentity: {id}};
+    return { ...response, backstageIdentity: { id, token: "" } };
   }
 }
 const createOneLoginProvider = (_options) => {
-  return ({providerId, globalConfig, config, tokenIssuer}) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const issuer = envConfig.getString("issuer");
@@ -2255,8 +2353,8 @@ const factories = {
 };
 function createOidcRouter(options) {
-  const {baseUrl, tokenIssuer} = options;
-  const router = Router__default['default']();
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
   const config = {
     issuer: baseUrl,
     token_endpoint: `${baseUrl}/v1/token`,
@@ -2274,8 +2372,8 @@ function createOidcRouter(options) {
     res.json(config);
   });
   router.get("/.well-known/jwks.json", async (_req, res) => {
-    const {keys} = await tokenIssuer.listPublicKeys();
-    res.json({keys});
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
   });
   router.get("/v1/token", (_req, res) => {
     res.status(501).send("Not Implemented");
@@ -2295,21 +2393,30 @@ class IdentityClient {
     this.keyStoreUpdated = 0;
   }
   async authenticate(token) {
+    var _a;
     if (!token) {
-      throw new Error("No token specified");
+      throw new errors.AuthenticationError("No token specified");
     }
     const key = await this.getKey(token);
     if (!key) {
-      throw new Error("No signing key matching token found");
+      throw new errors.AuthenticationError("No signing key matching token found");
     }
     const decoded = jose.JWT.IdToken.verify(token, key, {
       algorithms: ["ES256"],
       audience: "backstage",
       issuer: this.issuer
     });
+    if (!decoded.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
     const user = {
       id: decoded.sub,
-      idToken: token
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.sub,
+        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
+      }
     };
     return user;
   }
@@ -2321,19 +2428,19 @@ class IdentityClient {
     return matches == null ? void 0 : matches[1];
   }
   async getKey(rawJwtToken) {
-    const {header, payload} = jose.JWT.decode(rawJwtToken, {
+    const { header, payload } = jose.JWT.decode(rawJwtToken, {
       complete: true
     });
-    const keyStoreHasKey = !!this.keyStore.get({kid: header.kid});
+    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
     const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
     if (!keyStoreHasKey && issuedAfterLastRefresh) {
       await this.refreshKeyStore();
     }
-    return this.keyStore.get({kid: header.kid});
+    return this.keyStore.get({ kid: header.kid });
   }
   async listPublicKeys() {
     const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default['default'](url);
+    const response = await fetch__default["default"](url);
     if (!response.ok) {
       const payload = await response.text();
       const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
@@ -2369,13 +2476,13 @@ class TokenFactory {
     const iat = Math.floor(Date.now() / MS_IN_S);
     const exp = iat + this.keyDurationSeconds;
     this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({iss, sub, aud, iat, exp, ent}, key, {
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
       alg: key.alg,
       kid: key.kid
     });
   }
   async listPublicKeys() {
-    const {items: keys} = await this.keyStore.listKeys();
+    const { items: keys } = await this.keyStore.listKeys();
     const validKeys = [];
     const expiredKeys = [];
     for (const key of keys) {
@@ -2389,13 +2496,13 @@ class TokenFactory {
       }
     }
     if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({key}) => key.kid);
+      const kids = expiredKeys.map(({ key }) => key.kid);
       this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
       this.keyStore.removeKeys(kids).catch((error) => {
         this.logger.error(`Failed to remove expired keys, ${error}`);
       });
     }
-    return {keys: validKeys.map(({key}) => key)};
+    return { keys: validKeys.map(({ key }) => key) };
   }
   async getKey() {
     if (this.privateKeyPromise) {
@@ -2433,7 +2540,7 @@ class TokenFactory {
 const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
 const TABLE = "signing_keys";
 const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, {zone: "UTC"}) : luxon.DateTime.fromJSDate(date);
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
   if (!parsedDate.isValid) {
     throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
   }
@@ -2441,7 +2548,7 @@ const parseDate = (date) => {
 };
 class DatabaseKeyStore {
   static async create(options) {
-    const {database} = options;
+    const { database } = options;
     await database.migrate.latest({
       directory: migrationsDir
     });
@@ -2472,7 +2579,7 @@ class DatabaseKeyStore {
 class MemoryKeyStore {
   constructor() {
-    this.keys = new Map();
+    this.keys = /* @__PURE__ */ new Map();
   }
   async addKey(key) {
     this.keys.set(key.kid, {
@@ -2487,7 +2594,7 @@ class MemoryKeyStore {
   }
   async listKeys() {
     return {
-      items: Array.from(this.keys).map(([, {createdAt, key: keyStr}]) => ({
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
         createdAt,
         key: JSON.parse(keyStr)
       }))
@@ -2504,7 +2611,7 @@ class FirestoreKeyStore {
     this.timeout = timeout;
   }
   static async create(settings) {
-    const {path, timeout, ...firestoreSettings} = settings != null ? settings : {};
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
     const database = new firestore.Firestore(firestoreSettings);
     return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
   }
@@ -2552,7 +2659,7 @@ class FirestoreKeyStore {
 class KeyStores {
   static async fromConfig(config, options) {
     var _a;
-    const {logger, database} = options != null ? options : {};
+    const { logger, database } = options != null ? options : {};
     const ks = config.getOptionalConfig("auth.keyStore");
     const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
     logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
@@ -2585,36 +2692,31 @@ class KeyStores {
   }
 }
-async function createRouter({
-  logger,
-  config,
-  discovery,
-  database,
-  providerFactories
-}) {
-  const router = Router__default['default']();
+async function createRouter(options) {
+  const { logger, config, discovery, database, providerFactories } = options;
+  const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
-  const keyStore = await KeyStores.fromConfig(config, {logger, database});
+  const keyStore = await KeyStores.fromConfig(config, { logger, database });
   const keyDurationSeconds = 3600;
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,
     keyStore,
     keyDurationSeconds,
-    logger: logger.child({component: "token-factory"})
+    logger: logger.child({ component: "token-factory" })
   });
-  const catalogApi = new catalogClient.CatalogClient({discoveryApi: discovery});
+  const catalogApi = new catalogClient.CatalogClient({ discoveryApi: discovery });
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
-    router.use(cookieParser__default['default'](secret));
-    router.use(session__default['default']({secret, saveUninitialized: false, resave: false}));
-    router.use(passport__default['default'].initialize());
-    router.use(passport__default['default'].session());
+    router.use(cookieParser__default["default"](secret));
+    router.use(session__default["default"]({ secret, saveUninitialized: false, resave: false }));
+    router.use(passport__default["default"].initialize());
+    router.use(passport__default["default"].session());
   } else {
-    router.use(cookieParser__default['default']());
+    router.use(cookieParser__default["default"]());
   }
-  router.use(express__default['default'].urlencoded({extended: false}));
-  router.use(express__default['default'].json());
+  router.use(express__default["default"].urlencoded({ extended: false }));
+  router.use(express__default["default"].json());
   const allProviderFactories = {
     ...factories,
     ...providerFactories
@@ -2628,14 +2730,14 @@ async function createRouter({
       try {
         const provider = providerFactory({
           providerId,
-          globalConfig: {baseUrl: authUrl, appUrl, isOriginAllowed},
+          globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
           config: providersConfig.getConfig(providerId),
           logger,
           tokenIssuer,
           discovery,
           catalogApi
         });
-        const r = Router__default['default']();
+        const r = Router__default["default"]();
         r.get("/start", provider.start.bind(provider));
         r.get("/handler/frame", provider.frameHandler.bind(provider));
         r.post("/handler/frame", provider.frameHandler.bind(provider));
@@ -2667,7 +2769,7 @@ async function createRouter({
     baseUrl: authUrl
   }));
   router.use("/:provider/", (req) => {
-    const {provider} = req.params;
+    const { provider } = req.params;
     throw new errors.NotFoundError(`Unknown auth provider '${provider}'`);
   });
   return router;
@@ -2675,9 +2777,9 @@ async function createRouter({
 function createOriginFilter(config) {
   var _a;
   const appUrl = config.getString("app.baseUrl");
-  const {origin: appOrigin} = new URL(appUrl);
+  const { origin: appOrigin } = new URL(appUrl);
   const allowedOrigins = config.getOptionalStringArray("auth.experimentalExtraAllowedOrigins");
-  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, {nocase: true, noglobstar: true}))) != null ? _a : [];
+  const allowedOriginPatterns = (_a = allowedOrigins == null ? void 0 : allowedOrigins.map((pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true }))) != null ? _a : [];
   return (origin) => {
     if (origin === appOrigin) {
       return true;
@@ -2686,6 +2788,7 @@ function createOriginFilter(config) {
   };
 }
+exports.CatalogIdentityClient = CatalogIdentityClient;
 exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
@@ -2699,16 +2802,20 @@ exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
 exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
+exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
+exports.createSamlProvider = createSamlProvider;
 exports.defaultAuthProviderFactories = factories;
 exports.encodeState = encodeState;
 exports.ensuresXRequestedWith = ensuresXRequestedWith;
+exports.getEntityClaims = getEntityClaims;
 exports.googleEmailSignInResolver = googleEmailSignInResolver;
 exports.microsoftEmailSignInResolver = microsoftEmailSignInResolver;
 exports.oktaEmailSignInResolver = oktaEmailSignInResolver;
 exports.postMessageResponse = postMessageResponse;
+exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
 exports.readState = readState;
 exports.verifyNonce = verifyNonce;
 //# sourceMappingURL=index.cjs.js.map