@backstage/plugin-auth-backend 0.5.1 → 0.6.2

package/dist/index.cjs.js

@@ -5,26 +5,26 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
-var passportGithub2 = require('passport-github2');
-var jwtDecoder = require('jwt-decode');
+var OAuth2Strategy = require('passport-oauth2');
 var errors = require('@backstage/errors');
 var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
 var catalogModel = require('@backstage/catalog-model');
+var jwtDecoder = require('jwt-decode');
+var fetch = require('node-fetch');
+var NodeCache = require('node-cache');
+var jose = require('jose');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
-var got = require('got');
-var OAuth2Strategy = require('passport-oauth2');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
-var fetch = require('node-fetch');
-var NodeCache = require('node-cache');
-var jose = require('jose');
-var passportSaml = require('passport-saml');
 var passportOneloginOauth = require('passport-onelogin-oauth');
+var passportSaml = require('passport-saml');
+var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
 var uuid = require('uuid');
 var luxon = require('luxon');
@@ -58,129 +58,69 @@ function _interopNamespace(e) {
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
 var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
-var got__default = /*#__PURE__*/_interopDefaultLegacy(got);
-var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
+var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-const makeProfileInfo = (profile, idToken) => {
-  var _a, _b;
-  let email = void 0;
-  if (profile.emails && profile.emails.length > 0) {
-    const [firstEmail] = profile.emails;
-    email = firstEmail.value;
-  }
-  let picture = void 0;
-  if (profile.avatarUrl) {
-    picture = profile.avatarUrl;
-  } else if (profile.photos && profile.photos.length > 0) {
-    const [firstPhoto] = profile.photos;
-    picture = firstPhoto.value;
-  }
-  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
-  if ((!email || !picture || !displayName) && idToken) {
-    try {
-      const decoded = jwtDecoder__default["default"](idToken);
-      if (!email && decoded.email) {
-        email = decoded.email;
-      }
-      if (!picture && decoded.picture) {
-        picture = decoded.picture;
-      }
-      if (!displayName && decoded.name) {
-        displayName = decoded.name;
-      }
-    } catch (e) {
-      throw new Error(`Failed to parse id token and get profile info, ${e}`);
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
     }
-  }
-  return {
-    email,
-    picture,
-    displayName
-  };
-};
-const executeRedirectStrategy = async (req, providerStrategy, options) => {
-  return new Promise((resolve) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.redirect = (url, status) => {
-      resolve({ url, status: status != null ? status : void 0 });
-    };
-    strategy.authenticate(req, { ...options });
-  });
-};
-const executeFrameHandlerStrategy = async (req, providerStrategy) => {
-  return new Promise((resolve, reject) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.success = (result, privateInfo) => {
-      resolve({ result, privateInfo });
-    };
-    strategy.fail = (info) => {
-      var _a;
-      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
-    };
-    strategy.error = (error) => {
-      var _a;
-      let message = `Authentication failed, ${error.message}`;
-      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
-        try {
-          const errorData = JSON.parse(error.oauthError.data);
-          if (errorData.message) {
-            message += ` - ${errorData.message}`;
-          }
-        } catch (parseError) {
-          message += ` - ${error.oauthError}`;
-        }
-      }
-      reject(new Error(message));
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
-    strategy.redirect = () => {
-      reject(new Error("Unexpected redirect"));
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
     };
-    strategy.authenticate(req, {});
-  });
-};
-const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    const OAuth2 = anyStrategy._oauth2.constructor;
-    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
-    oauth2.getOAuthAccessToken(refreshToken, {
-      scope,
-      grant_type: "refresh_token"
-    }, (err, accessToken, newRefreshToken, params) => {
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
       if (err) {
-        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
       }
-      if (!accessToken) {
-        reject(new Error(`Failed to refresh access token, no access token received`));
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
       }
-      resolve({
-        accessToken,
-        refreshToken: newRefreshToken,
-        params
-      });
-    });
-  });
-};
-const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
-      if (error) {
-        reject(error);
-      } else {
-        resolve(rawProfile);
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
       }
     });
-  });
-};
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{ value: resp.email }],
+      photos: [{ value: resp.picture }]
+    };
+  }
+}
 
 const readState = (stateString) => {
   var _a, _b;
@@ -462,10 +402,10 @@ class OAuthAdapter {
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
       const forwardReq = Object.assign(req, { scope, refreshToken });
-      const response = await this.handlers.refresh(forwardReq);
+      const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
-      if (response.providerInfo.refreshToken && response.providerInfo.refreshToken !== refreshToken) {
-        this.setRefreshTokenCookie(res, response.providerInfo.refreshToken);
+      if (newRefreshToken && newRefreshToken !== refreshToken) {
+        this.setRefreshTokenCookie(res, newRefreshToken);
       }
       res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
@@ -479,78 +419,195 @@ class OAuthAdapter {
     if (identity.token) {
       return prepareBackstageIdentityResponse(identity);
     }
+    const userEntityRef = catalogModel.stringifyEntityRef(catalogModel.parseEntityRef(identity.id, {
+      defaultKind: "user",
+      defaultNamespace: catalogModel.ENTITY_DEFAULT_NAMESPACE
+    }));
     const token = await this.options.tokenIssuer.issueToken({
-      claims: { sub: identity.id }
+      claims: { sub: userEntityRef }
     });
     return prepareBackstageIdentityResponse({ ...identity, token });
   }
 }
 
-class CatalogIdentityClient {
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+const makeProfileInfo = (profile, idToken) => {
+  var _a, _b;
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
   }
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const token = await this.tokenIssuer.issueToken({
-      claims: { sub: "backstage.io/auth-backend" }
-    });
-    const { items } = await this.catalogApi.getEntities({ filter }, { token });
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
   }
-  async resolveCatalogMembership(query) {
-    const { entityRefs, logger } = query;
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
+  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jwtDecoder__default["default"](idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
       }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
     }
-    const memberOf = entities.flatMap((e) => {
-      var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
-    });
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
-    ];
-    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
   }
-}
-
-function getEntityClaims(entity) {
-  var _a, _b;
-  const userRef = catalogModel.stringifyEntityRef(entity);
+  return {
+    email,
+    picture,
+    displayName
+  };
+};
+const executeRedirectStrategy = async (req, providerStrategy, options) => {
+  return new Promise((resolve) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.redirect = (url, status) => {
+      resolve({ url, status: status != null ? status : void 0 });
+    };
+    strategy.authenticate(req, { ...options });
+  });
+};
+const executeFrameHandlerStrategy = async (req, providerStrategy) => {
+  return new Promise((resolve, reject) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.success = (result, privateInfo) => {
+      resolve({ result, privateInfo });
+    };
+    strategy.fail = (info) => {
+      var _a;
+      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
+    };
+    strategy.error = (error) => {
+      var _a;
+      let message = `Authentication failed, ${error.message}`;
+      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
+        try {
+          const errorData = JSON.parse(error.oauthError.data);
+          if (errorData.message) {
+            message += ` - ${errorData.message}`;
+          }
+        } catch (parseError) {
+          message += ` - ${error.oauthError}`;
+        }
+      }
+      reject(new Error(message));
+    };
+    strategy.redirect = () => {
+      reject(new Error("Unexpected redirect"));
+    };
+    strategy.authenticate(req, {});
+  });
+};
+const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    const OAuth2 = anyStrategy._oauth2.constructor;
+    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
+    oauth2.getOAuthAccessToken(refreshToken, {
+      scope,
+      grant_type: "refresh_token"
+    }, (err, accessToken, newRefreshToken, params) => {
+      if (err) {
+        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+      }
+      if (!accessToken) {
+        reject(new Error(`Failed to refresh access token, no access token received`));
+      }
+      resolve({
+        accessToken,
+        refreshToken: newRefreshToken,
+        params
+      });
+    });
+  });
+};
+const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(rawProfile);
+      }
+    });
+  });
+};
+
+class CatalogIdentityClient {
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    this.tokenIssuer = options.tokenIssuer;
+  }
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const token = await this.tokenIssuer.issueToken({
+      claims: { sub: "backstage.io/auth-backend" }
+    });
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap((e) => {
+      var _a, _b;
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
+    });
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
+    ];
+    logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+
+function getEntityClaims(entity) {
+  var _a, _b;
+  const userRef = catalogModel.stringifyEntityRef(entity);
   const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF && r.target.kind.toLocaleLowerCase("en-US") === "group").map((r) => catalogModel.stringifyEntityRef(r.target))) != null ? _b : [];
   return {
     sub: userRef,
@@ -558,29 +615,162 @@ function getEntityClaims(entity) {
   };
 }
 
-class GithubAuthProvider {
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      scope: options.scopes
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
+    });
+  }
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: result.refreshToken
+    };
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
+    }
+    return response;
+  }
+  async refresh(req) {
+    const { accessToken, params, refreshToken } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+}
+const createAtlassianProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
+      clientId,
+      clientSecret,
+      scopes,
+      callbackUrl,
+      authHandler,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      catalogIdentityClient,
+      logger,
+      tokenIssuer
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: true,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+class Auth0Strategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://${options.domain}/authorize`,
+      tokenURL: `https://${options.domain}/oauth/token`,
+      userInfoURL: `https://${options.domain}/userinfo`,
+      apiUrl: `https://${options.domain}/api`
+    };
+    super(optionsWithURLs, verify);
+  }
+}
+
+class Auth0AuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
-    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGithub2.Strategy({
+    this._strategy = new Auth0Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      tokenURL: options.tokenUrl,
-      userProfileURL: options.userProfileUrl,
-      authorizationURL: options.authorizationUrl
+      domain: options.domain,
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      }, {
+        refreshToken
+      });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
       scope: req.scope,
-      state: (await this.stateEncoder(req)).encodedState
+      state: encodeState(req.state)
     });
   }
   async handler(req) {
@@ -591,28 +781,25 @@ class GithubAuthProvider {
     };
   }
   async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
     const { profile } = await this.authHandler(result);
-    const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
+        idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -629,15 +816,15 @@ class GithubAuthProvider {
     return response;
   }
 }
-const githubDefaultSignInResolver = async (info, ctx) => {
-  const { fullProfile } = info.result;
-  const userId = fullProfile.username || fullProfile.id;
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
-  return { id: userId, token };
+const defaultSignInResolver$1 = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile does not contain an email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
 };
-const createGithubProvider = (options) => {
+const createAuth0Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -646,90 +833,193 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const domain = envConfig.getString("domain");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
-      return { encodedState: encodeState(req.state) };
-    };
-    const provider = new GithubAuthProvider({
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver$1;
+    const provider = new Auth0AuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      tokenUrl,
-      userProfileUrl,
-      authorizationUrl,
-      signInResolver,
+      domain,
       authHandler,
+      signInResolver,
       tokenIssuer,
       catalogIdentityClient,
-      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      persistScopes: true,
+      disableRefresh: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-const gitlabDefaultSignInResolver = async (info, ctx) => {
-  const { profile, result } = info;
-  let id = result.fullProfile.id;
-  if (profile.email) {
-    id = profile.email.split("@")[0];
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const getJWTHeaders = (input) => {
+  const encoded = input.split(".")[0];
+  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
+};
+class AwsAlbAuthProvider {
+  constructor(options) {
+    this.region = options.region;
+    this.issuer = options.issuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
   }
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id, ent: [`user:default/${id}`] }
-  });
-  return { id, token };
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    try {
+      const result = await this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error("Exception occurred during AWS ALB token refresh", e);
+      res.status(401);
+      res.end();
+    }
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async getResult(req) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`);
+    }
+    try {
+      const headers = getJWTHeaders(jwt);
+      const key = await this.getKey(headers.kid);
+      const claims = jose.JWT.verify(jwt, key);
+      if (this.issuer && claims.iss !== this.issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
+      };
+      return {
+        fullProfile,
+        expiresInSeconds: claims.exp,
+        accessToken
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
+    });
+    return {
+      providerInfo: {
+        accessToken: result.accessToken,
+        expiresInSeconds: result.expiresInSeconds
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      profile
+    };
+  }
+  async getKey(keyId) {
+    const optionalCacheKey = this.keyCache.get(keyId);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
+    }
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
+    return keyValue;
+  }
+}
+const createAwsAlbProvider = (options) => {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
+    const region = config.getString("region");
+    const issuer = config.getOptionalString("iss");
+    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+      throw new Error("SignInResolver is required to use this authentication provider");
+    }
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: makeProfileInfo(fullProfile)
+    });
+    const signInResolver = options == null ? void 0 : options.signIn.resolver;
+    return new AwsAlbAuthProvider({
+      region,
+      issuer,
+      signInResolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
 };
-const gitlabDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class GitlabAuthProvider {
+
+class BitbucketAuthProvider {
   constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new passportGitlab2.Strategy({
+    this._strategy = new passportBitbucketOauth2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      baseURL: options.baseUrl
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, params, accessToken }, {
+      done(void 0, {
+        fullProfile,
+        params,
+        accessToken,
+        refreshToken
+      }, {
         refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state)
     });
@@ -742,26 +1032,24 @@ class GitlabAuthProvider {
     };
   }
   async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
+    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
     const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
@@ -780,7 +1068,35 @@ class GitlabAuthProvider {
     return response;
   }
 }
-const createGitlabProvider = (options) => {
+const bitbucketUsernameSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.username) {
+    throw new Error("Bitbucket profile contained no Username");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/username": result.fullProfile.username
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const bitbucketUserIdSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.id) {
+    throw new Error("Bitbucket profile contained no User ID");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/user-id": result.fullProfile.id
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const createBitbucketProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -789,33 +1105,26 @@ const createGitlabProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getOptionalString("audience");
-    const baseUrl = audience || "https://gitlab.com";
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const provider = new GitlabAuthProvider({
+    const provider = new BitbucketAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      baseUrl,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
       authHandler,
-      signInResolver,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -825,35 +1134,29 @@ const createGitlabProvider = (options) => {
   });
 };
 
-class GoogleAuthProvider {
+class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGoogleOauth20.Strategy({
+    this._strategy = new passportGithub2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      passReqToCallback: false
+      tokenURL: options.tokenUrl,
+      userProfileURL: options.userProfileUrl,
+      authorizationURL: options.authorizationUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        params,
-        accessToken,
-        refreshToken
-      }, {
-        refreshToken
-      });
+      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -864,23 +1167,25 @@ class GoogleAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
     const { profile } = await this.authHandler(result);
+    const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
-        idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
       },
       profile
     };
@@ -897,43 +1202,15 @@ class GoogleAuthProvider {
     return response;
   }
 }
-const googleEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "google.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const googleDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  let userId;
-  try {
-    const entity = await ctx.catalogIdentityClient.findUser({
-      annotations: {
-        "google.com/email": profile.email
-      }
-    });
-    userId = entity.metadata.name;
-  } catch (error) {
-    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
-    userId = profile.email.split("@")[0];
-  }
+const githubDefaultSignInResolver = async (info, ctx) => {
+  const { fullProfile } = info.result;
+  const userId = fullProfile.username || fullProfile.id;
   const token = await ctx.tokenIssuer.issueToken({
     claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
-const createGoogleProvider = (options) => {
+const createGithubProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -942,57 +1219,86 @@ const createGoogleProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: makeProfileInfo(fullProfile)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new GoogleAuthProvider({
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return { encodedState: encodeState(req.state) };
+    };
+    const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
+      tokenUrl,
+      userProfileUrl,
+      authorizationUrl,
       signInResolver,
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      persistScopes: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class MicrosoftAuthProvider {
+const gitlabDefaultSignInResolver = async (info, ctx) => {
+  const { profile, result } = info;
+  let id = result.fullProfile.id;
+  if (profile.email) {
+    id = profile.email.split("@")[0];
+  }
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id, ent: [`user:default/${id}`] }
+  });
+  return { id, token };
+};
+const gitlabDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class GitlabAuthProvider {
   constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.logger = options.logger;
     this.catalogIdentityClient = options.catalogIdentityClient;
-    this._strategy = new passportMicrosoft.Strategy({
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new passportGitlab2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false
+      baseURL: options.baseUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
+      done(void 0, { fullProfile, params, accessToken }, {
+        refreshToken
+      });
     });
   }
   async start(req) {
@@ -1009,18 +1315,18 @@ class MicrosoftAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const photo = await this.getUserPhoto(result.accessToken);
-    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
     const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
@@ -1037,56 +1343,14 @@ class MicrosoftAuthProvider {
         profile
       }, {
         tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
-    }
-    return response;
-  }
-  getUserPhoto(accessToken) {
-    return new Promise((resolve) => {
-      got__default["default"].get("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
-        encoding: "binary",
-        responseType: "buffer",
-        headers: {
-          Authorization: `Bearer ${accessToken}`
-        }
-      }).then((photoData) => {
-        const photoURL = `data:image/jpeg;base64,${Buffer.from(photoData.body).toString("base64")}`;
-        resolve(photoURL);
-      }).catch((error) => {
-        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
-        resolve(void 0);
-      });
-    });
-  }
-}
-const microsoftEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Microsoft profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "microsoft.com/email": profile.email
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
     }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const microsoftDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
+    return response;
   }
-  const userId = profile.email.split("@")[0];
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
-  return { id: userId, token };
-};
-const createMicrosoftProvider = (options) => {
+}
+const createGitlabProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1095,32 +1359,28 @@ const createMicrosoftProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const tenantId = envConfig.getString("tenantId");
+    const audience = envConfig.getOptionalString("audience");
+    const baseUrl = audience || "https://gitlab.com";
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new MicrosoftAuthProvider({
+    const provider = new GitlabAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      authorizationUrl,
-      tokenUrl,
+      baseUrl,
       authHandler,
       signInResolver,
       catalogIdentityClient,
@@ -1135,30 +1395,24 @@ const createMicrosoftProvider = (options) => {
   });
 };
 
-class OAuth2AuthProvider {
+class GoogleAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new OAuth2Strategy.Strategy({
+    this._strategy = new passportGoogleOauth20.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false,
-      scope: options.scope,
-      customHeaders: options.includeBasicAuth ? {
-        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
-      } : void 0
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
         fullProfile,
+        params,
         accessToken,
-        refreshToken,
-        params
+        refreshToken
       }, {
         refreshToken
       });
@@ -1180,19 +1434,16 @@ class OAuth2AuthProvider {
     };
   }
   async refresh(req) {
-    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const {
-      accessToken,
-      params,
-      refreshToken: updatedRefreshToken
-    } = refreshTokenResponse;
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: updatedRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
     const { profile } = await this.authHandler(result);
@@ -1201,8 +1452,7 @@ class OAuth2AuthProvider {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in,
-        refreshToken: result.refreshToken
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1218,22 +1468,44 @@ class OAuth2AuthProvider {
     }
     return response;
   }
-  encodeClientCredentials(clientID, clientSecret) {
-    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
-  }
 }
-const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
+const googleEmailSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
-    throw new Error("Profile contained no email");
+    throw new Error("Google profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "google.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const googleDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Google profile contained no email");
+  }
+  let userId;
+  try {
+    const entity = await ctx.catalogIdentityClient.findUser({
+      annotations: {
+        "google.com/email": profile.email
+      }
+    });
+    userId = entity.metadata.name;
+  } catch (error) {
+    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
+    userId = profile.email.split("@")[0];
   }
-  const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
     claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
-const createOAuth2Provider = (options) => {
+const createGoogleProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1242,15 +1514,10 @@ const createOAuth2Provider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = envConfig.getString("authorizationUrl");
-    const tokenUrl = envConfig.getString("tokenUrl");
-    const scope = envConfig.getOptionalString("scope");
-    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
-    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -1258,113 +1525,83 @@ const createOAuth2Provider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OAuth2AuthProvider({
+    const provider = new GoogleAuthProvider({
       clientId,
       clientSecret,
-      tokenIssuer,
-      catalogIdentityClient,
       callbackUrl,
       signInResolver,
       authHandler,
-      authorizationUrl,
-      tokenUrl,
-      scope,
-      logger,
-      includeBasicAuth
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class OidcAuthProvider {
+class MicrosoftAuthProvider {
   constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this._strategy = new passportMicrosoft.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
+    });
   }
   async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
+    return await executeRedirectStrategy(req, this._strategy, {
+      scope: req.scope,
       state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
+    });
   }
   async handler(req) {
-    const { strategy } = await this.implementation;
-    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
-    const {
-      result: { userinfo, tokenset },
-      privateInfo
-    } = strategyResponse;
-    const identityResponse = await this.handleResult({ tokenset, userinfo });
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
-      response: identityResponse,
+      response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { client } = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const profile = await client.userinfo(tokenset.access_token);
-    return this.handleResult({ tokenset, userinfo: profile });
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      access_type: "offline",
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, { tokenset, userinfo }, {
-        refreshToken: tokenset.refresh_token
-      });
-    });
-    strategy.error = console.error;
-    return { strategy, client };
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
+    const photo = await this.getUserPhoto(result.accessToken);
+    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
     const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token,
-        refreshToken: result.tokenset.refresh_token,
-        scope: result.tokenset.scope,
-        expiresInSeconds: result.tokenset.expires_in
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1380,8 +1617,37 @@ class OidcAuthProvider {
     }
     return response;
   }
+  getUserPhoto(accessToken) {
+    return new Promise((resolve) => {
+      fetch__default["default"]("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      }).then((response) => response.arrayBuffer()).then((arrayBuffer) => {
+        const imageUrl = `data:image/jpeg;base64,${Buffer.from(arrayBuffer).toString("base64")}`;
+        resolve(imageUrl);
+      }).catch((error) => {
+        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
+        resolve(void 0);
+      });
+    });
+  }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
+const microsoftEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Microsoft profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "microsoft.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const microsoftDefaultSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
     throw new Error("Profile contained no email");
@@ -1392,7 +1658,7 @@ const oAuth2DefaultSignInResolver = async (info, ctx) => {
   });
   return { id: userId, token };
 };
-const createOidcProvider = (options) => {
+const createMicrosoftProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1404,41 +1670,34 @@ const createOidcProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
+    const tenantId = envConfig.getString("tenantId");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
+    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      }
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OidcAuthProvider({
+    const provider = new MicrosoftAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt,
-      signInResolver,
+      authorizationUrl,
+      tokenUrl,
       authHandler,
+      signInResolver,
+      catalogIdentityClient,
       logger,
-      tokenIssuer,
-      catalogIdentityClient
+      tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1448,35 +1707,30 @@ const createOidcProvider = (options) => {
   });
 };
 
-class OktaAuthProvider {
+class OAuth2AuthProvider {
   constructor(options) {
-    this._store = {
-      store(_req, cb) {
-        cb(null, null);
-      },
-      verify(_req, _state, cb) {
-        cb(null, true);
-      }
-    };
-    this._signInResolver = options.signInResolver;
-    this._authHandler = options.authHandler;
-    this._tokenIssuer = options.tokenIssuer;
-    this._catalogIdentityClient = options.catalogIdentityClient;
-    this._logger = options.logger;
-    this._strategy = new passportOktaOauth.Strategy({
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this._strategy = new OAuth2Strategy.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      audience: options.audience,
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
       passReqToCallback: false,
-      store: this._store,
-      response_type: "code"
+      scope: options.scope,
+      customHeaders: options.includeBasicAuth ? {
+        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
+      } : void 0
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
+        fullProfile,
         accessToken,
         refreshToken,
-        params,
-        fullProfile
+        params
       }, {
         refreshToken
       });
@@ -1498,17 +1752,20 @@ class OktaAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params, refreshToken } = refreshTokenResponse;
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this._authHandler(result);
+    const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1518,37 +1775,26 @@ class OktaAuthProvider {
       },
       profile
     };
-    if (this._signInResolver) {
-      response.backstageIdentity = await this._signInResolver({
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
         result,
         profile
       }, {
-        tokenIssuer: this._tokenIssuer,
-        catalogIdentityClient: this._catalogIdentityClient,
-        logger: this._logger
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
       });
     }
     return response;
   }
-}
-const oktaEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+  encodeClientCredentials(clientID, clientSecret) {
+    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
   }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "okta.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const oktaDefaultSignInResolver = async (info, ctx) => {
+}
+const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+    throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
@@ -1556,7 +1802,7 @@ const oktaDefaultSignInResolver = async (info, ctx) => {
   });
   return { id: userId, token };
 };
-const createOktaProvider = (_options) => {
+const createOAuth2Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1565,103 +1811,126 @@ const createOktaProvider = (_options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    if (!audience.startsWith("https://")) {
-      throw new Error("URL for 'audience' must start with 'https://'.");
-    }
+    const authorizationUrl = envConfig.getString("authorizationUrl");
+    const tokenUrl = envConfig.getString("tokenUrl");
+    const scope = envConfig.getOptionalString("scope");
+    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
+    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OktaAuthProvider({
-      audience,
+    const provider = new OAuth2AuthProvider({
       clientId,
       clientSecret,
-      callbackUrl,
-      authHandler,
-      signInResolver,
       tokenIssuer,
       catalogIdentityClient,
-      logger
+      callbackUrl,
+      signInResolver,
+      authHandler,
+      authorizationUrl,
+      tokenUrl,
+      scope,
+      logger,
+      includeBasicAuth
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      disableRefresh,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class BitbucketAuthProvider {
+class OidcAuthProvider {
   constructor(options) {
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportBitbucketOauth2.Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        params,
-        accessToken,
-        refreshToken
-      }, {
-        refreshToken
-      });
-    });
   }
   async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
       state: encodeState(req.state)
-    });
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
   }
   async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { strategy } = await this.implementation;
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
     return {
       response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
+    return {
+      response: await this.handleResult({ tokenset, userinfo }),
+      refreshToken: tokenset.refresh_token
+    };
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
+      done(void 0, { tokenset, userinfo }, {
+        refreshToken: tokenset.refresh_token
+      });
     });
+    strategy.error = console.error;
+    return { strategy, client };
   }
   async handleResult(result) {
-    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
     const { profile } = await this.authHandler(result);
     const response = {
       providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
       },
       profile
     };
@@ -1678,35 +1947,18 @@ class BitbucketAuthProvider {
     return response;
   }
 }
-const bitbucketUsernameSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.username) {
-    throw new Error("Bitbucket profile contained no Username");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/username": result.fullProfile.username
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const bitbucketUserIdSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.id) {
-    throw new Error("Bitbucket profile contained no User ID");
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
   }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/user-id": result.fullProfile.id
-    }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
+  return { id: userId, token };
 };
-const createBitbucketProvider = (options) => {
+const createOidcProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1715,26 +1967,44 @@ const createBitbucketProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const metadataUrl = envConfig.getString("metadataUrl");
+    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+    const scope = envConfig.getOptionalString("scope");
+    const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
+      profile: {
+        displayName: userinfo.name,
+        email: userinfo.email,
+        picture: userinfo.picture
+      }
     });
-    const provider = new BitbucketAuthProvider({
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OidcAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
+      tokenSignedResponseAlg,
+      metadataUrl,
+      scope,
+      prompt,
+      signInResolver,
       authHandler,
+      logger,
       tokenIssuer,
-      catalogIdentityClient,
-      logger
+      catalogIdentityClient
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1744,140 +2014,117 @@ const createBitbucketProvider = (options) => {
   });
 };
 
-const defaultScopes = ["offline_access", "read:me"];
-class AtlassianStrategy extends OAuth2Strategy__default["default"] {
-  constructor(options, verify) {
-    if (!options.scope) {
-      throw new TypeError("Atlassian requires a scope option");
-    }
-    const scopes = options.scope.split(" ");
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://auth.atlassian.com/authorize`,
-      tokenURL: `https://auth.atlassian.com/oauth/token`,
-      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
-    };
-    super(optionsWithURLs, verify);
-    this.profileURL = "https://api.atlassian.com/me";
-    this.name = "atlassian";
-    this._oauth2.useAuthorizationHeaderforGET(true);
-  }
-  authorizationParams() {
-    return {
-      audience: "api.atlassian.com",
-      prompt: "consent"
-    };
-  }
-  userProfile(accessToken, done) {
-    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
-      if (err) {
-        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
-      }
-      if (!body) {
-        return done(new Error("Failed to fetch user profile, body cannot be empty"));
-      }
-      try {
-        const json = typeof body !== "string" ? body.toString() : body;
-        const profile = AtlassianStrategy.parse(json);
-        return done(null, profile);
-      } catch (e) {
-        return done(new Error("Failed to parse user profile"));
+class OktaAuthProvider {
+  constructor(options) {
+    this._store = {
+      store(_req, cb) {
+        cb(null, null);
+      },
+      verify(_req, _state, cb) {
+        cb(null, true);
       }
-    });
-  }
-  static parse(json) {
-    const resp = JSON.parse(json);
-    return {
-      id: resp.account_id,
-      provider: "atlassian",
-      username: resp.nickname,
-      displayName: resp.name,
-      emails: [{ value: resp.email }],
-      photos: [{ value: resp.picture }]
     };
-  }
-}
-
-const atlassianDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class AtlassianAuthProvider {
-  constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new AtlassianStrategy({
+    this._signInResolver = options.signInResolver;
+    this._authHandler = options.authHandler;
+    this._tokenIssuer = options.tokenIssuer;
+    this._catalogIdentityClient = options.catalogIdentityClient;
+    this._logger = options.logger;
+    this._strategy = new passportOktaOauth.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      scope: options.scopes
+      audience: options.audience,
+      passReqToCallback: false,
+      store: this._store,
+      response_type: "code"
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
-        fullProfile,
         accessToken,
         refreshToken,
-        params
+        params,
+        fullProfile
+      }, {
+        refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
       state: encodeState(req.state)
     });
   }
   async handler(req) {
-    var _a;
-    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
-      refreshToken: (_a = result.refreshToken) != null ? _a : ""
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const { profile } = await this._authHandler(result);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
+    if (this._signInResolver) {
+      response.backstageIdentity = await this._signInResolver({
         result,
         profile
       }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
+        tokenIssuer: this._tokenIssuer,
+        catalogIdentityClient: this._catalogIdentityClient,
+        logger: this._logger
       });
     }
     return response;
   }
-  async refresh(req) {
-    const {
-      accessToken,
-      params,
-      refreshToken: newRefreshToken
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
-  }
 }
-const createAtlassianProvider = (options) => {
+const oktaEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "okta.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const oktaDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
+  });
+  return { id: userId, token };
+};
+const createOktaProvider = (_options) => {
   return ({
     providerId,
     globalConfig,
@@ -1889,158 +2136,165 @@ const createAtlassianProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const scopes = envConfig.getString("scopes");
+    const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
-    const provider = new AtlassianAuthProvider({
+    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OktaAuthProvider({
+      audience,
       clientId,
       clientSecret,
-      scopes,
       callbackUrl,
       authHandler,
-      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
+      signInResolver,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
   });
 };
 
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
-class AwsAlbAuthProvider {
+class OneLoginProvider {
   constructor(options) {
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = await this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      this.logger.error("Exception occurred during AWS ALB token refresh", e);
-      res.status(401);
-      res.end();
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
+    this._strategy = new passportOneloginOauth.Strategy({
+      issuer: options.issuer,
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        accessToken,
+        refreshToken,
+        params,
+        fullProfile
+      }, {
+        refreshToken
+      });
+    });
   }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
-    }
-    try {
-      const headers = getJWTHeaders(jwt);
-      const key = await this.getKey(headers.kid);
-      const claims = jose.JWT.verify(jwt, key);
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: "openid",
+      state: encodeState(req.state)
+    });
+  }
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
         fullProfile,
-        expiresInSeconds: claims.exp,
+        params,
         accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
     const { profile } = await this.authHandler(result);
-    const backstageIdentity = await this.signInResolver({
-      result,
-      profile
-    }, {
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient,
-      logger: this.logger
-    });
-    return {
+    const response = {
       providerInfo: {
+        idToken: result.params.id_token,
         accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
       profile
     };
-  }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
-    if (optionalCacheKey) {
-      return crypto__namespace.createPublicKey(optionalCacheKey);
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, {
+        tokenIssuer: this.tokenIssuer,
+        catalogIdentityClient: this.catalogIdentityClient,
+        logger: this.logger
+      });
     }
-    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
-    const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
-    return keyValue;
+    return response;
   }
 }
-const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
-    const region = config.getString("region");
-    const issuer = config.getOptionalString("iss");
-    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-      throw new Error("SignInResolver is required to use this authentication provider");
-    }
+const defaultSignInResolver = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("OIDC profile contained no email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createOneLoginProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const issuer = envConfig.getString("issuer");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolver = options == null ? void 0 : options.signIn.resolver;
-    return new AwsAlbAuthProvider({
-      region,
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
+    const provider = new OneLoginProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
       issuer,
-      signInResolver,
       authHandler,
+      signInResolver,
       tokenIssuer,
       catalogIdentityClient,
       logger
     });
-  };
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
 };
 
 class SamlAuthProvider {
@@ -2151,190 +2405,95 @@ const createSamlProvider = (options) => {
   };
 };
 
-class Auth0Strategy extends OAuth2Strategy__default["default"] {
-  constructor(options, verify) {
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://${options.domain}/authorize`,
-      tokenURL: `https://${options.domain}/oauth/token`,
-      userInfoURL: `https://${options.domain}/userinfo`,
-      apiUrl: `https://${options.domain}/api`
-    };
-    super(optionsWithURLs, verify);
-  }
-}
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 
-class Auth0AuthProvider {
-  constructor(options) {
-    this._strategy = new Auth0Strategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      domain: options.domain,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        accessToken,
-        refreshToken,
-        params
-      }, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: req.scope,
-      state: encodeState(req.state)
-    });
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
   }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
-    return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
-      refreshToken: privateInfo.refreshToken
-    };
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
   }
-  async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      profile
-    });
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
   }
-  async populateIdentity(response) {
-    const { profile } = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
     }
-    const id = profile.email.split("@")[0];
-    return { ...response, backstageIdentity: { id, token: "" } };
-  }
+  };
 }
-const createAuth0Provider = (_options) => {
-  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new Auth0AuthProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      domain
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
+const defaultAuthHandler = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
 
-class OneLoginProvider {
+class GcpIapProvider {
   constructor(options) {
-    this._strategy = new passportOneloginOauth.Strategy({
-      issuer: options.issuer,
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        accessToken,
-        refreshToken,
-        params,
-        fullProfile
-      }, {
-        refreshToken
-      });
-    });
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
   }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: "openid",
-      state: encodeState(req.state)
-    });
+  async start() {
   }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
-    return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
-      refreshToken: privateInfo.refreshToken
-    };
+  async frameHandler() {
   }
-  async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
-      providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
-      },
-      profile
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const { profile } = await this.authHandler(result);
+    const backstageIdentity = await this.signInResolver({ profile, result }, {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
     });
-  }
-  async populateIdentity(response) {
-    const { profile } = response;
-    if (!profile.email) {
-      throw new Error("OIDC profile contained no email");
-    }
-    const id = profile.email.split("@")[0];
-    return { ...response, backstageIdentity: { id, token: "" } };
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
   }
 }
-const createOneLoginProvider = (_options) => {
-  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new OneLoginProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      issuer
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
+function createGcpIapProvider(options) {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
+    var _a;
+    const audience = config.getString("audience");
+    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+    const signInResolver = options.signIn.resolver;
+    const tokenValidator = createTokenValidator(audience);
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
       tokenIssuer
     });
-  });
-};
+    return new GcpIapProvider({
+      authHandler,
+      signInResolver,
+      tokenValidator,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
+}
 
 const factories = {
   google: createGoogleProvider(),
@@ -2709,7 +2868,13 @@ async function createRouter(options) {
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
     router.use(cookieParser__default["default"](secret));
-    router.use(session__default["default"]({ secret, saveUninitialized: false, resave: false }));
+    const enforceCookieSSL = authUrl.startsWith("https");
+    router.use(session__default["default"]({
+      secret,
+      saveUninitialized: false,
+      resave: false,
+      cookie: { secure: enforceCookieSSL ? "auto" : false }
+    }));
     router.use(passport__default["default"].initialize());
     router.use(passport__default["default"].session());
   } else {
@@ -2795,8 +2960,10 @@ exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
 exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
 exports.createAtlassianProvider = createAtlassianProvider;
+exports.createAuth0Provider = createAuth0Provider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
+exports.createGcpIapProvider = createGcpIapProvider;
 exports.createGithubProvider = createGithubProvider;
 exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
@@ -2804,6 +2971,7 @@ exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
 exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
+exports.createOneLoginProvider = createOneLoginProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
 exports.createSamlProvider = createSamlProvider;