@backstage/plugin-auth-backend 0.5.2 → 0.7.0-next.0

package/dist/index.cjs.js

@@ -5,32 +5,32 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var express = require('express');
 var Router = require('express-promise-router');
 var cookieParser = require('cookie-parser');
-var passportGithub2 = require('passport-github2');
-var jwtDecoder = require('jwt-decode');
+var OAuth2Strategy = require('passport-oauth2');
 var errors = require('@backstage/errors');
 var pickBy = require('lodash/pickBy');
 var crypto = require('crypto');
 var url = require('url');
 var catalogModel = require('@backstage/catalog-model');
-var passportGitlab2 = require('passport-gitlab2');
-var passportGoogleOauth20 = require('passport-google-oauth20');
-var passportMicrosoft = require('passport-microsoft');
-var got = require('got');
-var OAuth2Strategy = require('passport-oauth2');
-var openidClient = require('openid-client');
-var passportOktaOauth = require('passport-okta-oauth');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var jwtDecoder = require('jwt-decode');
 var fetch = require('node-fetch');
 var NodeCache = require('node-cache');
 var jose = require('jose');
-var passportSaml = require('passport-saml');
-var passportOneloginOauth = require('passport-onelogin-oauth');
-var catalogClient = require('@backstage/catalog-client');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
+var passportGithub2 = require('passport-github2');
+var passportGitlab2 = require('passport-gitlab2');
+var passportGoogleOauth20 = require('passport-google-oauth20');
+var passportMicrosoft = require('passport-microsoft');
 var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
 var firestore = require('@google-cloud/firestore');
 var lodash = require('lodash');
+var openidClient = require('openid-client');
+var passportOktaOauth = require('passport-okta-oauth');
+var passportOneloginOauth = require('passport-onelogin-oauth');
+var passportSaml = require('passport-saml');
+var googleAuthLibrary = require('google-auth-library');
+var catalogClient = require('@backstage/catalog-client');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -58,129 +58,69 @@ function _interopNamespace(e) {
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
-var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
+var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
 var pickBy__default = /*#__PURE__*/_interopDefaultLegacy(pickBy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
-var got__default = /*#__PURE__*/_interopDefaultLegacy(got);
-var OAuth2Strategy__default = /*#__PURE__*/_interopDefaultLegacy(OAuth2Strategy);
+var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
 
-const makeProfileInfo = (profile, idToken) => {
-  var _a, _b;
-  let email = void 0;
-  if (profile.emails && profile.emails.length > 0) {
-    const [firstEmail] = profile.emails;
-    email = firstEmail.value;
-  }
-  let picture = void 0;
-  if (profile.avatarUrl) {
-    picture = profile.avatarUrl;
-  } else if (profile.photos && profile.photos.length > 0) {
-    const [firstPhoto] = profile.photos;
-    picture = firstPhoto.value;
-  }
-  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
-  if ((!email || !picture || !displayName) && idToken) {
-    try {
-      const decoded = jwtDecoder__default["default"](idToken);
-      if (!email && decoded.email) {
-        email = decoded.email;
-      }
-      if (!picture && decoded.picture) {
-        picture = decoded.picture;
-      }
-      if (!displayName && decoded.name) {
-        displayName = decoded.name;
-      }
-    } catch (e) {
-      throw new Error(`Failed to parse id token and get profile info, ${e}`);
+const defaultScopes = ["offline_access", "read:me"];
+class AtlassianStrategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    if (!options.scope) {
+      throw new TypeError("Atlassian requires a scope option");
     }
-  }
-  return {
-    email,
-    picture,
-    displayName
-  };
-};
-const executeRedirectStrategy = async (req, providerStrategy, options) => {
-  return new Promise((resolve) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.redirect = (url, status) => {
-      resolve({ url, status: status != null ? status : void 0 });
-    };
-    strategy.authenticate(req, { ...options });
-  });
-};
-const executeFrameHandlerStrategy = async (req, providerStrategy) => {
-  return new Promise((resolve, reject) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.success = (result, privateInfo) => {
-      resolve({ result, privateInfo });
-    };
-    strategy.fail = (info) => {
-      var _a;
-      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
-    };
-    strategy.error = (error) => {
-      var _a;
-      let message = `Authentication failed, ${error.message}`;
-      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
-        try {
-          const errorData = JSON.parse(error.oauthError.data);
-          if (errorData.message) {
-            message += ` - ${errorData.message}`;
-          }
-        } catch (parseError) {
-          message += ` - ${error.oauthError}`;
-        }
-      }
-      reject(new Error(message));
+    const scopes = options.scope.split(" ");
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://auth.atlassian.com/authorize`,
+      tokenURL: `https://auth.atlassian.com/oauth/token`,
+      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
     };
-    strategy.redirect = () => {
-      reject(new Error("Unexpected redirect"));
+    super(optionsWithURLs, verify);
+    this.profileURL = "https://api.atlassian.com/me";
+    this.name = "atlassian";
+    this._oauth2.useAuthorizationHeaderforGET(true);
+  }
+  authorizationParams() {
+    return {
+      audience: "api.atlassian.com",
+      prompt: "consent"
     };
-    strategy.authenticate(req, {});
-  });
-};
-const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    const OAuth2 = anyStrategy._oauth2.constructor;
-    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
-    oauth2.getOAuthAccessToken(refreshToken, {
-      scope,
-      grant_type: "refresh_token"
-    }, (err, accessToken, newRefreshToken, params) => {
+  }
+  userProfile(accessToken, done) {
+    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
       if (err) {
-        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
       }
-      if (!accessToken) {
-        reject(new Error(`Failed to refresh access token, no access token received`));
+      if (!body) {
+        return done(new Error("Failed to fetch user profile, body cannot be empty"));
       }
-      resolve({
-        accessToken,
-        refreshToken: newRefreshToken,
-        params
-      });
-    });
-  });
-};
-const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
-  return new Promise((resolve, reject) => {
-    const anyStrategy = providerStrategy;
-    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
-      if (error) {
-        reject(error);
-      } else {
-        resolve(rawProfile);
+      try {
+        const json = typeof body !== "string" ? body.toString() : body;
+        const profile = AtlassianStrategy.parse(json);
+        return done(null, profile);
+      } catch (e) {
+        return done(new Error("Failed to parse user profile"));
       }
     });
-  });
-};
+  }
+  static parse(json) {
+    const resp = JSON.parse(json);
+    return {
+      id: resp.account_id,
+      provider: "atlassian",
+      username: resp.nickname,
+      displayName: resp.name,
+      emails: [{ value: resp.email }],
+      photos: [{ value: resp.picture }]
+    };
+  }
+}
 
 const readState = (stateString) => {
   var _a, _b;
@@ -462,10 +402,10 @@ class OAuthAdapter {
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
       const forwardReq = Object.assign(req, { scope, refreshToken });
-      const response = await this.handlers.refresh(forwardReq);
+      const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
-      if (response.providerInfo.refreshToken && response.providerInfo.refreshToken !== refreshToken) {
-        this.setRefreshTokenCookie(res, response.providerInfo.refreshToken);
+      if (newRefreshToken && newRefreshToken !== refreshToken) {
+        this.setRefreshTokenCookie(res, newRefreshToken);
       }
       res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
@@ -490,63 +430,176 @@ class OAuthAdapter {
   }
 }
 
-class CatalogIdentityClient {
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+const makeProfileInfo = (profile, idToken) => {
+  var _a, _b;
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
   }
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const token = await this.tokenIssuer.issueToken({
-      claims: { sub: "backstage.io/auth-backend" }
-    });
-    const { items } = await this.catalogApi.getEntities({ filter }, { token });
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
   }
-  async resolveCatalogMembership(query) {
-    const { entityRefs, logger } = query;
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
+  let displayName = (_b = (_a = profile.displayName) != null ? _a : profile.username) != null ? _b : profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jwtDecoder__default["default"](idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
       }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
     }
-    const memberOf = entities.flatMap((e) => {
-      var _a, _b;
-      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
-    });
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
-    ];
+  }
+  return {
+    email,
+    picture,
+    displayName
+  };
+};
+const executeRedirectStrategy = async (req, providerStrategy, options) => {
+  return new Promise((resolve) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.redirect = (url, status) => {
+      resolve({ url, status: status != null ? status : void 0 });
+    };
+    strategy.authenticate(req, { ...options });
+  });
+};
+const executeFrameHandlerStrategy = async (req, providerStrategy) => {
+  return new Promise((resolve, reject) => {
+    const strategy = Object.create(providerStrategy);
+    strategy.success = (result, privateInfo) => {
+      resolve({ result, privateInfo });
+    };
+    strategy.fail = (info) => {
+      var _a;
+      reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
+    };
+    strategy.error = (error) => {
+      var _a;
+      let message = `Authentication failed, ${error.message}`;
+      if ((_a = error.oauthError) == null ? void 0 : _a.data) {
+        try {
+          const errorData = JSON.parse(error.oauthError.data);
+          if (errorData.message) {
+            message += ` - ${errorData.message}`;
+          }
+        } catch (parseError) {
+          message += ` - ${error.oauthError}`;
+        }
+      }
+      reject(new Error(message));
+    };
+    strategy.redirect = () => {
+      reject(new Error("Unexpected redirect"));
+    };
+    strategy.authenticate(req, {});
+  });
+};
+const executeRefreshTokenStrategy = async (providerStrategy, refreshToken, scope) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    const OAuth2 = anyStrategy._oauth2.constructor;
+    const oauth2 = new OAuth2(anyStrategy._oauth2._clientId, anyStrategy._oauth2._clientSecret, anyStrategy._oauth2._baseSite, anyStrategy._oauth2._authorizeUrl, anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl, anyStrategy._oauth2._customHeaders);
+    oauth2.getOAuthAccessToken(refreshToken, {
+      scope,
+      grant_type: "refresh_token"
+    }, (err, accessToken, newRefreshToken, params) => {
+      if (err) {
+        reject(new Error(`Failed to refresh access token ${err.toString()}`));
+      }
+      if (!accessToken) {
+        reject(new Error(`Failed to refresh access token, no access token received`));
+      }
+      resolve({
+        accessToken,
+        refreshToken: newRefreshToken,
+        params
+      });
+    });
+  });
+};
+const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) => {
+  return new Promise((resolve, reject) => {
+    const anyStrategy = providerStrategy;
+    anyStrategy.userProfile(accessToken, (error, rawProfile) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(rawProfile);
+      }
+    });
+  });
+};
+
+class CatalogIdentityClient {
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    this.tokenIssuer = options.tokenIssuer;
+  }
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const token = await this.tokenIssuer.issueToken({
+      claims: { sub: "backstage.io/auth-backend" }
+    });
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger == null ? void 0 : logger.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger == null ? void 0 : logger.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap((e) => {
+      var _a, _b;
+      return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.target)) != null ? _b : [];
+    });
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.concat(memberOf).map(catalogModel.stringifyEntityRef))
+    ];
     logger == null ? void 0 : logger.debug(`Found catalog membership: ${newEntityRefs.join()}`);
     return newEntityRefs;
   }
@@ -562,61 +615,58 @@ function getEntityClaims(entity) {
   };
 }
 
-class GithubAuthProvider {
+const atlassianDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class AtlassianAuthProvider {
   constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.stateEncoder = options.stateEncoder;
-    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGithub2.Strategy({
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new AtlassianStrategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      tokenURL: options.tokenUrl,
-      userProfileURL: options.userProfileUrl,
-      authorizationURL: options.authorizationUrl
+      scope: options.scopes
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
-      scope: req.scope,
-      state: (await this.stateEncoder(req)).encodedState
+      state: encodeState(req.state)
     });
   }
   async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
       response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+      refreshToken: result.refreshToken
     };
   }
-  async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
-  }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const expiresInStr = result.params.expires_in;
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
+        idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -624,24 +674,24 @@ class GithubAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
+  async refresh(req) {
+    const { accessToken, params, refreshToken } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
 }
-const githubDefaultSignInResolver = async (info, ctx) => {
-  const { fullProfile } = info.result;
-  const userId = fullProfile.username || fullProfile.id;
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
-  return { id: userId, token };
-};
-const createGithubProvider = (options) => {
+const createAtlassianProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -650,90 +700,76 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
-    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
-    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
-    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
-    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
-    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const scopes = envConfig.getString("scopes");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
-      return { encodedState: encodeState(req.state) };
-    };
-    const provider = new GithubAuthProvider({
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
+    const provider = new AtlassianAuthProvider({
       clientId,
       clientSecret,
+      scopes,
       callbackUrl,
-      tokenUrl,
-      userProfileUrl,
-      authorizationUrl,
-      signInResolver,
       authHandler,
-      tokenIssuer,
+      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
       catalogIdentityClient,
-      stateEncoder,
-      logger
+      logger,
+      tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      persistScopes: true,
+      disableRefresh: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-const gitlabDefaultSignInResolver = async (info, ctx) => {
-  const { profile, result } = info;
-  let id = result.fullProfile.id;
-  if (profile.email) {
-    id = profile.email.split("@")[0];
-  }
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id, ent: [`user:default/${id}`] }
-  });
-  return { id, token };
-};
-const gitlabDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class GitlabAuthProvider {
+class Auth0Strategy extends OAuth2Strategy__default["default"] {
+  constructor(options, verify) {
+    const optionsWithURLs = {
+      ...options,
+      authorizationURL: `https://${options.domain}/authorize`,
+      tokenURL: `https://${options.domain}/oauth/token`,
+      userInfoURL: `https://${options.domain}/userinfo`,
+      apiUrl: `https://${options.domain}/api`
+    };
+    super(optionsWithURLs, verify);
+  }
+}
+
+class Auth0AuthProvider {
   constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new passportGitlab2.Strategy({
+    this._strategy = new Auth0Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      baseURL: options.baseUrl
+      domain: options.domain,
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, params, accessToken }, {
+      done(void 0, {
+        fullProfile,
+        accessToken,
+        refreshToken,
+        params
+      }, {
         refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state)
     });
@@ -746,26 +782,28 @@ class GitlabAuthProvider {
     };
   }
   async refresh(req) {
-    const {
-      accessToken,
-      refreshToken: newRefreshToken,
-      params
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
         scope: result.params.scope,
         expiresInSeconds: result.params.expires_in
       },
@@ -775,16 +813,20 @@ class GitlabAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
 }
-const createGitlabProvider = (options) => {
+const defaultSignInResolver$1 = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile does not contain an email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createAuth0Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -793,50 +835,175 @@ const createGitlabProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b, _c;
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getOptionalString("audience");
-    const baseUrl = audience || "https://gitlab.com";
+    const domain = envConfig.getString("domain");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const provider = new GitlabAuthProvider({
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver$1;
+    const provider = new Auth0AuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      baseUrl,
+      domain,
       authHandler,
       signInResolver,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      disableRefresh: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class GoogleAuthProvider {
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const getJWTHeaders = (input) => {
+  const encoded = input.split(".")[0];
+  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
+};
+class AwsAlbAuthProvider {
+  constructor(options) {
+    this.region = options.region;
+    this.issuer = options.issuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
+  }
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    try {
+      const result = await this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error("Exception occurred during AWS ALB token refresh", e);
+      res.status(401);
+      res.end();
+    }
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async getResult(req) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`);
+    }
+    try {
+      const headers = getJWTHeaders(jwt);
+      const key = await this.getKey(headers.kid);
+      const claims = jose.JWT.verify(jwt, key);
+      if (this.issuer && claims.iss !== this.issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
+      };
+      return {
+        fullProfile,
+        expiresInSeconds: claims.exp,
+        accessToken
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+  async handleResult(result) {
+    const context = {
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient,
+      logger: this.logger
+    };
+    const { profile } = await this.authHandler(result, context);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, context);
+    return {
+      providerInfo: {
+        accessToken: result.accessToken,
+        expiresInSeconds: result.expiresInSeconds
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      profile
+    };
+  }
+  async getKey(keyId) {
+    const optionalCacheKey = this.keyCache.get(keyId);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
+    }
+    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
+    return keyValue;
+  }
+}
+const createAwsAlbProvider = (options) => {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
+    const region = config.getString("region");
+    const issuer = config.getOptionalString("iss");
+    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
+      throw new Error("SignInResolver is required to use this authentication provider");
+    }
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: makeProfileInfo(fullProfile)
+    });
+    const signInResolver = options == null ? void 0 : options.signIn.resolver;
+    return new AwsAlbAuthProvider({
+      region,
+      issuer,
+      signInResolver,
+      authHandler,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
+};
+
+class BitbucketAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportGoogleOauth20.Strategy({
+    this._strategy = new passportBitbucketOauth2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
@@ -868,17 +1035,25 @@ class GoogleAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -892,52 +1067,40 @@ class GoogleAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
 }
-const googleEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
+const bitbucketUsernameSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.username) {
+    throw new Error("Bitbucket profile contained no Username");
   }
   const entity = await ctx.catalogIdentityClient.findUser({
     annotations: {
-      "google.com/email": profile.email
+      "bitbucket.org/username": result.fullProfile.username
     }
   });
   const claims = getEntityClaims(entity);
   const token = await ctx.tokenIssuer.issueToken({ claims });
   return { id: entity.metadata.name, entity, token };
 };
-const googleDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Google profile contained no email");
-  }
-  let userId;
-  try {
-    const entity = await ctx.catalogIdentityClient.findUser({
-      annotations: {
-        "google.com/email": profile.email
-      }
-    });
-    userId = entity.metadata.name;
-  } catch (error) {
-    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
-    userId = profile.email.split("@")[0];
+const bitbucketUserIdSignInResolver = async (info, ctx) => {
+  const { result } = info;
+  if (!result.fullProfile.id) {
+    throw new Error("Bitbucket profile contained no User ID");
   }
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "bitbucket.org/user-id": result.fullProfile.id
+    }
   });
-  return { id: userId, token };
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
 };
-const createGoogleProvider = (options) => {
+const createBitbucketProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -946,7 +1109,7 @@ const createGoogleProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
@@ -957,17 +1120,11 @@ const createGoogleProvider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new GoogleAuthProvider({
+    const provider = new BitbucketAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      signInResolver,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
@@ -981,28 +1138,29 @@ const createGoogleProvider = (options) => {
   });
 };
 
-class MicrosoftAuthProvider {
+class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
-    this.logger = options.logger;
     this.catalogIdentityClient = options.catalogIdentityClient;
-    this._strategy = new passportMicrosoft.Strategy({
+    this.logger = options.logger;
+    this._strategy = new passportGithub2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
       tokenURL: options.tokenUrl,
-      passReqToCallback: false
+      userProfileURL: options.userProfileUrl,
+      authorizationURL: options.authorizationUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
+      done(void 0, { fullProfile, params, accessToken }, { refreshToken });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -1013,25 +1171,30 @@ class MicrosoftAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const photo = await this.getUserPhoto(result.accessToken);
-    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
-        idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
+        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
       },
       profile
     };
@@ -1039,58 +1202,20 @@ class MicrosoftAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
-  getUserPhoto(accessToken) {
-    return new Promise((resolve) => {
-      got__default["default"].get("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
-        encoding: "binary",
-        responseType: "buffer",
-        headers: {
-          Authorization: `Bearer ${accessToken}`
-        }
-      }).then((photoData) => {
-        const photoURL = `data:image/jpeg;base64,${Buffer.from(photoData.body).toString("base64")}`;
-        resolve(photoURL);
-      }).catch((error) => {
-        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
-        resolve(void 0);
-      });
-    });
-  }
 }
-const microsoftEmailSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Microsoft profile contained no email");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "microsoft.com/email": profile.email
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const microsoftDefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
-  }
-  const userId = profile.email.split("@")[0];
+const githubDefaultSignInResolver = async (info, ctx) => {
+  const { fullProfile } = info.result;
+  const userId = fullProfile.username || fullProfile.id;
   const token = await ctx.tokenIssuer.issueToken({
     claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
-const createMicrosoftProvider = (options) => {
+const createGithubProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1099,79 +1224,90 @@ const createMicrosoftProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const tenantId = envConfig.getString("tenantId");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
-    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const authorizationUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/authorize` : void 0;
+    const tokenUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/login/oauth/access_token` : void 0;
+    const userProfileUrl = enterpriseInstanceUrl ? `${enterpriseInstanceUrl}/api/v3/user` : void 0;
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: makeProfileInfo(fullProfile)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : githubDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new MicrosoftAuthProvider({
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return { encodedState: encodeState(req.state) };
+    };
+    const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      authorizationUrl,
       tokenUrl,
-      authHandler,
+      userProfileUrl,
+      authorizationUrl,
       signInResolver,
+      authHandler,
+      tokenIssuer,
       catalogIdentityClient,
-      logger,
-      tokenIssuer
+      stateEncoder,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      persistScopes: true,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class OAuth2AuthProvider {
+const gitlabDefaultSignInResolver = async (info, ctx) => {
+  const { profile, result } = info;
+  let id = result.fullProfile.id;
+  if (profile.email) {
+    id = profile.email.split("@")[0];
+  }
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id, ent: [`user:default/${id}`] }
+  });
+  return { id, token };
+};
+const gitlabDefaultAuthHandler = async ({
+  fullProfile,
+  params
+}) => ({
+  profile: makeProfileInfo(fullProfile, params.id_token)
+});
+class GitlabAuthProvider {
   constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new OAuth2Strategy.Strategy({
+    this.tokenIssuer = options.tokenIssuer;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this._strategy = new passportGitlab2.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      authorizationURL: options.authorizationUrl,
-      tokenURL: options.tokenUrl,
-      passReqToCallback: false,
-      scope: options.scope,
-      customHeaders: options.includeBasicAuth ? {
-        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
-      } : void 0
+      baseURL: options.baseUrl
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        accessToken,
-        refreshToken,
-        params
-      }, {
+      done(void 0, { fullProfile, params, accessToken }, {
         refreshToken
       });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state)
     });
@@ -1184,29 +1320,30 @@ class OAuth2AuthProvider {
     };
   }
   async refresh(req) {
-    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const {
-      accessToken,
-      params,
-      refreshToken: updatedRefreshToken
-    } = refreshTokenResponse;
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: updatedRefreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in,
-        refreshToken: result.refreshToken
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1214,30 +1351,12 @@ class OAuth2AuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
-  encodeClientCredentials(clientID, clientSecret) {
-    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
-  }
 }
-const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
-  }
-  const userId = profile.email.split("@")[0];
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
-  return { id: userId, token };
-};
-const createOAuth2Provider = (options) => {
+const createGitlabProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1249,126 +1368,102 @@ const createOAuth2Provider = (options) => {
     var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
+    const audience = envConfig.getOptionalString("audience");
+    const baseUrl = audience || "https://gitlab.com";
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const authorizationUrl = envConfig.getString("authorizationUrl");
-    const tokenUrl = envConfig.getString("tokenUrl");
-    const scope = envConfig.getOptionalString("scope");
-    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
-    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
+    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OAuth2AuthProvider({
+    const provider = new GitlabAuthProvider({
       clientId,
       clientSecret,
-      tokenIssuer,
-      catalogIdentityClient,
       callbackUrl,
-      signInResolver,
+      baseUrl,
       authHandler,
-      authorizationUrl,
-      tokenUrl,
-      scope,
+      signInResolver,
+      catalogIdentityClient,
       logger,
-      includeBasicAuth
+      tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
   });
 };
 
-class OidcAuthProvider {
+class GoogleAuthProvider {
   constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
+    this._strategy = new passportGoogleOauth20.Strategy({
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        fullProfile,
+        params,
+        accessToken,
+        refreshToken
+      }, {
+        refreshToken
+      });
+    });
   }
   async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: req.scope,
       state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
+    });
   }
   async handler(req) {
-    const { strategy } = await this.implementation;
-    const strategyResponse = await executeFrameHandlerStrategy(req, strategy);
-    const {
-      result: { userinfo, tokenset },
-      privateInfo
-    } = strategyResponse;
-    const identityResponse = await this.handleResult({ tokenset, userinfo });
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
     return {
-      response: identityResponse,
+      response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { client } = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
-    }
-    const profile = await client.userinfo(tokenset.access_token);
-    return this.handleResult({ tokenset, userinfo: profile });
-  }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      access_type: "offline",
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, { tokenset, userinfo }, {
-        refreshToken: tokenset.refresh_token
-      });
-    });
-    strategy.error = console.error;
-    return { strategy, client };
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token,
-        refreshToken: result.tokenset.refresh_token,
-        scope: result.tokenset.scope,
-        expiresInSeconds: result.tokenset.expires_in
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
       profile
     };
@@ -1376,27 +1471,48 @@ class OidcAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
 }
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
+const googleEmailSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
-    throw new Error("Profile contained no email");
+    throw new Error("Google profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "google.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const googleDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Google profile contained no email");
+  }
+  let userId;
+  try {
+    const entity = await ctx.catalogIdentityClient.findUser({
+      annotations: {
+        "google.com/email": profile.email
+      }
+    });
+    userId = entity.metadata.name;
+  } catch (error) {
+    ctx.logger.warn(`Failed to look up user, ${error}, falling back to allowing login based on email pattern, this will probably break in the future`);
+    userId = profile.email.split("@")[0];
   }
-  const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
     claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
-const createOidcProvider = (options) => {
+const createGoogleProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1409,40 +1525,28 @@ const createOidcProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const metadataUrl = envConfig.getString("metadataUrl");
-    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
-    const scope = envConfig.getOptionalString("scope");
-    const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
-      profile: {
-        displayName: userinfo.name,
-        email: userinfo.email,
-        picture: userinfo.picture
-      }
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : googleDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OidcAuthProvider({
+    const provider = new GoogleAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      tokenSignedResponseAlg,
-      metadataUrl,
-      scope,
-      prompt,
       signInResolver,
       authHandler,
-      logger,
       tokenIssuer,
-      catalogIdentityClient
+      catalogIdentityClient,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1452,44 +1556,26 @@ const createOidcProvider = (options) => {
   });
 };
 
-class OktaAuthProvider {
+class MicrosoftAuthProvider {
   constructor(options) {
-    this._store = {
-      store(_req, cb) {
-        cb(null, null);
-      },
-      verify(_req, _state, cb) {
-        cb(null, true);
-      }
-    };
-    this._signInResolver = options.signInResolver;
-    this._authHandler = options.authHandler;
-    this._tokenIssuer = options.tokenIssuer;
-    this._catalogIdentityClient = options.catalogIdentityClient;
-    this._logger = options.logger;
-    this._strategy = new passportOktaOauth.Strategy({
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.logger = options.logger;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this._strategy = new passportMicrosoft.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      audience: options.audience,
-      passReqToCallback: false,
-      store: this._store,
-      response_type: "code"
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
+      passReqToCallback: false
     }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        accessToken,
-        refreshToken,
-        params,
-        fullProfile
-      }, {
-        refreshToken
-      });
+      done(void 0, { fullProfile, accessToken, params }, { refreshToken });
     });
   }
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state)
     });
@@ -1502,17 +1588,26 @@ class OktaAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    const { profile } = await this._authHandler(result);
+    const photo = await this.getUserPhoto(result.accessToken);
+    result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1522,37 +1617,48 @@ class OktaAuthProvider {
       },
       profile
     };
-    if (this._signInResolver) {
-      response.backstageIdentity = await this._signInResolver({
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this._tokenIssuer,
-        catalogIdentityClient: this._catalogIdentityClient,
-        logger: this._logger
-      });
+      }, context);
     }
     return response;
   }
+  getUserPhoto(accessToken) {
+    return new Promise((resolve) => {
+      fetch__default["default"]("https://graph.microsoft.com/v1.0/me/photos/48x48/$value", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      }).then((response) => response.arrayBuffer()).then((arrayBuffer) => {
+        const imageUrl = `data:image/jpeg;base64,${Buffer.from(arrayBuffer).toString("base64")}`;
+        resolve(imageUrl);
+      }).catch((error) => {
+        this.logger.warn(`Could not retrieve user profile photo from Microsoft Graph API: ${error}`);
+        resolve(void 0);
+      });
+    });
+  }
 }
-const oktaEmailSignInResolver = async (info, ctx) => {
+const microsoftEmailSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+    throw new Error("Microsoft profile contained no email");
   }
   const entity = await ctx.catalogIdentityClient.findUser({
     annotations: {
-      "okta.com/email": profile.email
+      "microsoft.com/email": profile.email
     }
   });
   const claims = getEntityClaims(entity);
   const token = await ctx.tokenIssuer.issueToken({ claims });
   return { id: entity.metadata.name, entity, token };
 };
-const oktaDefaultSignInResolver = async (info, ctx) => {
+const microsoftDefaultSignInResolver = async (info, ctx) => {
   const { profile } = info;
   if (!profile.email) {
-    throw new Error("Okta profile contained no email");
+    throw new Error("Profile contained no email");
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
@@ -1560,7 +1666,7 @@ const oktaDefaultSignInResolver = async (info, ctx) => {
   });
   return { id: userId, token };
 };
-const createOktaProvider = (_options) => {
+const createMicrosoftProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1572,34 +1678,34 @@ const createOktaProvider = (_options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getString("audience");
+    const tenantId = envConfig.getString("tenantId");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    if (!audience.startsWith("https://")) {
-      throw new Error("URL for 'audience' must start with 'https://'.");
-    }
+    const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : microsoftDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    const provider = new OktaAuthProvider({
-      audience,
+    const provider = new MicrosoftAuthProvider({
       clientId,
       clientSecret,
       callbackUrl,
+      authorizationUrl,
+      tokenUrl,
       authHandler,
       signInResolver,
-      tokenIssuer,
       catalogIdentityClient,
-      logger
+      logger,
+      tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -1609,24 +1715,30 @@ const createOktaProvider = (_options) => {
   });
 };
 
-class BitbucketAuthProvider {
+class OAuth2AuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this._strategy = new passportBitbucketOauth2.Strategy({
+    this._strategy = new OAuth2Strategy.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      passReqToCallback: false
+      authorizationURL: options.authorizationUrl,
+      tokenURL: options.tokenUrl,
+      passReqToCallback: false,
+      scope: options.scope,
+      customHeaders: options.includeBasicAuth ? {
+        Authorization: `Basic ${this.encodeClientCredentials(options.clientId, options.clientSecret)}`
+      } : void 0
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
         fullProfile,
-        params,
         accessToken,
-        refreshToken
+        refreshToken,
+        params
       }, {
         refreshToken
       });
@@ -1648,18 +1760,25 @@ class BitbucketAuthProvider {
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const refreshTokenResponse = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, params, refreshToken } = refreshTokenResponse;
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: req.refreshToken
-    });
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
   }
   async handleResult(result) {
-    result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1673,44 +1792,26 @@ class BitbucketAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
+  encodeClientCredentials(clientID, clientSecret) {
+    return Buffer.from(`${clientID}:${clientSecret}`).toString("base64");
+  }
 }
-const bitbucketUsernameSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.username) {
-    throw new Error("Bitbucket profile contained no Username");
+const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
   }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/username": result.fullProfile.username
-    }
-  });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
-};
-const bitbucketUserIdSignInResolver = async (info, ctx) => {
-  const { result } = info;
-  if (!result.fullProfile.id) {
-    throw new Error("Bitbucket profile contained no User ID");
-  }
-  const entity = await ctx.catalogIdentityClient.findUser({
-    annotations: {
-      "bitbucket.org/user-id": result.fullProfile.id
-    }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  const claims = getEntityClaims(entity);
-  const token = await ctx.tokenIssuer.issueToken({ claims });
-  return { id: entity.metadata.name, entity, token };
+  return { id: userId, token };
 };
-const createBitbucketProvider = (options) => {
+const createOAuth2Provider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -1719,10 +1820,15 @@ const createBitbucketProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const authorizationUrl = envConfig.getString("authorizationUrl");
+    const tokenUrl = envConfig.getString("tokenUrl");
+    const scope = envConfig.getOptionalString("scope");
+    const includeBasicAuth = envConfig.getOptionalBoolean("includeBasicAuth");
+    const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
@@ -1730,222 +1836,393 @@ const createBitbucketProvider = (options) => {
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const provider = new BitbucketAuthProvider({
+    const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : oAuth2DefaultSignInResolver$1;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OAuth2AuthProvider({
       clientId,
       clientSecret,
-      callbackUrl,
-      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver,
-      authHandler,
       tokenIssuer,
       catalogIdentityClient,
-      logger
+      callbackUrl,
+      signInResolver,
+      authHandler,
+      authorizationUrl,
+      tokenUrl,
+      scope,
+      logger,
+      includeBasicAuth
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
+      disableRefresh,
       providerId,
       tokenIssuer
     });
   });
 };
 
-const defaultScopes = ["offline_access", "read:me"];
-class AtlassianStrategy extends OAuth2Strategy__default["default"] {
-  constructor(options, verify) {
-    if (!options.scope) {
-      throw new TypeError("Atlassian requires a scope option");
+function createOidcRouter(options) {
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
+  const config = {
+    issuer: baseUrl,
+    token_endpoint: `${baseUrl}/v1/token`,
+    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
+    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+    response_types_supported: ["id_token"],
+    subject_types_supported: ["public"],
+    id_token_signing_alg_values_supported: ["RS256"],
+    scopes_supported: ["openid"],
+    token_endpoint_auth_methods_supported: [],
+    claims_supported: ["sub"],
+    grant_types_supported: []
+  };
+  router.get("/.well-known/openid-configuration", (_req, res) => {
+    res.json(config);
+  });
+  router.get("/.well-known/jwks.json", async (_req, res) => {
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
+  });
+  router.get("/v1/token", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  router.get("/v1/userinfo", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  return router;
+}
+
+const CLOCK_MARGIN_S = 10;
+class IdentityClient {
+  constructor(options) {
+    this.discovery = options.discovery;
+    this.issuer = options.issuer;
+    this.keyStore = new jose.JWKS.KeyStore();
+    this.keyStoreUpdated = 0;
+  }
+  async authenticate(token) {
+    var _a;
+    if (!token) {
+      throw new errors.AuthenticationError("No token specified");
     }
-    const scopes = options.scope.split(" ");
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://auth.atlassian.com/authorize`,
-      tokenURL: `https://auth.atlassian.com/oauth/token`,
-      scope: Array.from(/* @__PURE__ */ new Set([...defaultScopes, ...scopes]))
+    const key = await this.getKey(token);
+    if (!key) {
+      throw new errors.AuthenticationError("No signing key matching token found");
+    }
+    const decoded = jose.JWT.IdToken.verify(token, key, {
+      algorithms: ["ES256"],
+      audience: "backstage",
+      issuer: this.issuer
+    });
+    if (!decoded.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
+    const user = {
+      id: decoded.sub,
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.sub,
+        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
+      }
     };
-    super(optionsWithURLs, verify);
-    this.profileURL = "https://api.atlassian.com/me";
-    this.name = "atlassian";
-    this._oauth2.useAuthorizationHeaderforGET(true);
+    return user;
   }
-  authorizationParams() {
-    return {
-      audience: "api.atlassian.com",
-      prompt: "consent"
-    };
+  static getBearerToken(authorizationHeader) {
+    if (typeof authorizationHeader !== "string") {
+      return void 0;
+    }
+    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
+    return matches == null ? void 0 : matches[1];
   }
-  userProfile(accessToken, done) {
-    this._oauth2.get(this.profileURL, accessToken, (err, body) => {
-      if (err) {
-        return done(new OAuth2Strategy.InternalOAuthError("Failed to fetch user profile", err.statusCode));
-      }
-      if (!body) {
-        return done(new Error("Failed to fetch user profile, body cannot be empty"));
-      }
-      try {
-        const json = typeof body !== "string" ? body.toString() : body;
-        const profile = AtlassianStrategy.parse(json);
-        return done(null, profile);
-      } catch (e) {
-        return done(new Error("Failed to parse user profile"));
-      }
+  async getKey(rawJwtToken) {
+    const { header, payload } = jose.JWT.decode(rawJwtToken, {
+      complete: true
     });
+    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
+    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!keyStoreHasKey && issuedAfterLastRefresh) {
+      await this.refreshKeyStore();
+    }
+    return this.keyStore.get({ kid: header.kid });
   }
-  static parse(json) {
-    const resp = JSON.parse(json);
-    return {
-      id: resp.account_id,
-      provider: "atlassian",
-      username: resp.nickname,
-      displayName: resp.name,
-      emails: [{ value: resp.email }],
-      photos: [{ value: resp.picture }]
-    };
+  async listPublicKeys() {
+    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
+    const response = await fetch__default["default"](url);
+    if (!response.ok) {
+      const payload = await response.text();
+      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
+      throw new Error(message);
+    }
+    const publicKeys = await response.json();
+    return publicKeys;
+  }
+  async refreshKeyStore() {
+    const now = Date.now() / 1e3;
+    const publicKeys = await this.listPublicKeys();
+    this.keyStore = jose.JWKS.asKeyStore({
+      keys: publicKeys.keys.map((key) => key)
+    });
+    this.keyStoreUpdated = now;
   }
 }
 
-const atlassianDefaultAuthHandler = async ({
-  fullProfile,
-  params
-}) => ({
-  profile: makeProfileInfo(fullProfile, params.id_token)
-});
-class AtlassianAuthProvider {
+const MS_IN_S = 1e3;
+class TokenFactory {
   constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.issuer = options.issuer;
     this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this._strategy = new AtlassianStrategy({
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      scope: options.scopes
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        fullProfile,
-        accessToken,
-        refreshToken,
-        params
-      });
-    });
+    this.keyStore = options.keyStore;
+    this.keyDurationSeconds = options.keyDurationSeconds;
   }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      state: encodeState(req.state)
+  async issueToken(params) {
+    const key = await this.getKey();
+    const iss = this.issuer;
+    const sub = params.claims.sub;
+    const ent = params.claims.ent;
+    const aud = "backstage";
+    const iat = Math.floor(Date.now() / MS_IN_S);
+    const exp = iat + this.keyDurationSeconds;
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
+      alg: key.alg,
+      kid: key.kid
     });
   }
-  async handler(req) {
-    var _a;
-    const { result } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: (_a = result.refreshToken) != null ? _a : ""
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        refreshToken: result.refreshToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
+  async listPublicKeys() {
+    const { items: keys } = await this.keyStore.listKeys();
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
+        seconds: 3 * this.keyDurationSeconds
       });
+      if (expireAt < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
     }
-    return response;
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
+      this.keyStore.removeKeys(kids).catch((error) => {
+        this.logger.error(`Failed to remove expired keys, ${error}`);
+      });
+    }
+    return { keys: validKeys.map(({ key }) => key) };
   }
-  async refresh(req) {
-    const {
-      accessToken,
-      params,
-      refreshToken: newRefreshToken
-    } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return this.handleResult({
-      fullProfile,
-      params,
-      accessToken,
-      refreshToken: newRefreshToken
-    });
+  async getKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = luxon.DateTime.utc().plus({
+      seconds: this.keyDurationSeconds
+    }).toJSDate();
+    const promise = (async () => {
+      const key = await jose.JWK.generate("EC", "P-256", {
+        use: "sig",
+        kid: uuid.v4(),
+        alg: "ES256"
+      });
+      this.logger.info(`Created new signing key ${key.kid}`);
+      await this.keyStore.addKey(key.toJWK(false));
+      return key;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
   }
 }
-const createAtlassianProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const scopes = envConfig.getString("scopes");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenIssuer
+
+const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
+const TABLE = "signing_keys";
+const parseDate = (date) => {
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
+  if (!parsedDate.isValid) {
+    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+  }
+  return parsedDate.toJSDate();
+};
+class DatabaseKeyStore {
+  static async create(options) {
+    const { database } = options;
+    await database.migrate.latest({
+      directory: migrationsDir
     });
-    const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
-    const provider = new AtlassianAuthProvider({
-      clientId,
-      clientSecret,
-      scopes,
-      callbackUrl,
-      authHandler,
-      signInResolver: (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver,
-      catalogIdentityClient,
-      logger,
-      tokenIssuer
+    return new DatabaseKeyStore(options);
+  }
+  constructor(options) {
+    this.database = options.database;
+  }
+  async addKey(key) {
+    await this.database(TABLE).insert({
+      kid: key.kid,
+      key: JSON.stringify(key)
     });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
-      providerId,
-      tokenIssuer
+  }
+  async listKeys() {
+    const rows = await this.database(TABLE).select();
+    return {
+      items: rows.map((row) => ({
+        key: JSON.parse(row.key),
+        createdAt: parseDate(row.created_at)
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    await this.database(TABLE).delete().whereIn("kid", kids);
+  }
+}
+
+class MemoryKeyStore {
+  constructor() {
+    this.keys = /* @__PURE__ */ new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
     });
-  });
-};
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
 
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESSTOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const getJWTHeaders = (input) => {
-  const encoded = input.split(".")[0];
-  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
-};
-class AwsAlbAuthProvider {
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const { logger, database } = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
+
+const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+class Oauth2ProxyAuthProvider {
   constructor(options) {
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
+    this.tokenIssuer = options.tokenIssuer;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
   }
   frameHandler() {
     return Promise.resolve(void 0);
   }
   async refresh(req, res) {
     try {
-      const result = await this.getResult(req);
+      const result = this.getResult(req);
       const response = await this.handleResult(result);
       res.json(response);
     } catch (e) {
-      this.logger.error("Exception occurred during AWS ALB token refresh", e);
+      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
       res.status(401);
       res.end();
     }
@@ -1953,159 +2230,159 @@ class AwsAlbAuthProvider {
   start() {
     return Promise.resolve(void 0);
   }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESSTOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_JWT_HEADER}`);
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(`Missing ALB OIDC header: ${ALB_ACCESSTOKEN_HEADER}`);
-    }
-    try {
-      const headers = getJWTHeaders(jwt);
-      const key = await this.getKey(headers.kid);
-      const claims = jose.JWT.verify(jwt, key);
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
-        fullProfile,
-        expiresInSeconds: claims.exp,
-        accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
-  }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const backstageIdentity = await this.signInResolver({
+    const ctx = {
+      logger: this.logger,
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient
+    };
+    const { profile } = await this.authHandler(result, ctx);
+    const backstageSignInResult = await this.signInResolver({
       result,
       profile
-    }, {
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient,
-      logger: this.logger
-    });
+    }, ctx);
     return {
       providerInfo: {
-        accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
+        accessToken: result.accessToken
       },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
       profile
     };
   }
-  async getKey(keyId) {
-    const optionalCacheKey = this.keyCache.get(keyId);
-    if (optionalCacheKey) {
-      return crypto__namespace.createPublicKey(optionalCacheKey);
+  getResult(req) {
+    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+    const jwt = IdentityClient.getBearerToken(authHeader);
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
     }
-    const keyText = await fetch__default["default"](`https://public-keys.auth.elb.${this.region}.amazonaws.com/${keyId}`).then((response) => response.text());
-    const keyValue = crypto__namespace.createPublicKey(keyText);
-    this.keyCache.set(keyId, keyValue.export({ format: "pem", type: "spki" }));
-    return keyValue;
+    const decodedJWT = jose.JWT.decode(jwt);
+    return {
+      fullProfile: decodedJWT,
+      accessToken: jwt
+    };
   }
 }
-const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
-    const region = config.getString("region");
-    const issuer = config.getOptionalString("iss");
-    if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-      throw new Error("SignInResolver is required to use this authentication provider");
-    }
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenIssuer
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: makeProfileInfo(fullProfile)
-    });
-    const signInResolver = options == null ? void 0 : options.signIn.resolver;
-    return new AwsAlbAuthProvider({
-      region,
-      issuer,
-      signInResolver,
-      authHandler,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-  };
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer }) => {
+  const signInResolver = options.signIn.resolver;
+  const authHandler = options.authHandler;
+  const catalogIdentityClient = new CatalogIdentityClient({
+    catalogApi,
+    tokenIssuer
+  });
+  return new Oauth2ProxyAuthProvider({
+    logger,
+    signInResolver,
+    authHandler,
+    tokenIssuer,
+    catalogIdentityClient
+  });
 };
 
-class SamlAuthProvider {
+class OidcAuthProvider {
   constructor(options) {
-    this.appUrl = options.appUrl;
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
-      done(void 0, { fullProfile });
-    });
   }
-  async start(req, res) {
-    const { url } = await executeRedirectStrategy(req, this.strategy, {});
-    res.redirect(url);
+  async start(req) {
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
   }
-  async frameHandler(req, res) {
-    try {
-      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
-      const { profile } = await this.authHandler(result);
-      const response = {
-        profile,
-        providerInfo: {}
-      };
-      if (this.signInResolver) {
-        const signInResponse = await this.signInResolver({
-          result,
-          profile
-        }, {
-          tokenIssuer: this.tokenIssuer,
-          catalogIdentityClient: this.catalogIdentityClient,
-          logger: this.logger
-        });
-        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
+  async handler(req) {
+    const { strategy } = await this.implementation;
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
+    return {
+      response: await this.handleResult({ tokenset, userinfo }),
+      refreshToken: tokenset.refresh_token
+    };
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
       }
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        response
-      });
-    } catch (error) {
-      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        error: { name, message }
+      done(void 0, { tokenset, userinfo }, {
+        refreshToken: tokenset.refresh_token
       });
-    }
+    });
+    strategy.error = console.error;
+    return { strategy, client };
   }
-  async logout(_req, res) {
-    res.end();
+  async handleResult(result) {
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const response = {
+      providerInfo: {
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+    }
+    return response;
   }
 }
-const samlDefaultSignInResolver = async (info, ctx) => {
-  const id = info.result.fullProfile.nameID;
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id }
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
   });
-  return { id, token };
+  return { id: userId, token };
 };
-const createSamlProvider = (options) => {
+const createOidcProvider = (options) => {
   return ({
     providerId,
     globalConfig,
@@ -2113,75 +2390,83 @@ const createSamlProvider = (options) => {
     tokenIssuer,
     catalogApi,
     logger
-  }) => {
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const metadataUrl = envConfig.getString("metadataUrl");
+    const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
+    const scope = envConfig.getOptionalString("scope");
+    const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenIssuer
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
       profile: {
-        email: fullProfile.email,
-        displayName: fullProfile.displayName
+        displayName: userinfo.name,
+        email: userinfo.email,
+        picture: userinfo.picture
       }
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oAuth2DefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
       logger
     });
-    return new SamlAuthProvider({
-      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
-      entryPoint: config.getString("entryPoint"),
-      logoutUrl: config.getOptionalString("logoutUrl"),
-      audience: config.getOptionalString("audience"),
-      issuer: config.getString("issuer"),
-      cert: config.getString("cert"),
-      privateKey: config.getOptionalString("privateKey"),
-      authnContext: config.getOptionalStringArray("authnContext"),
-      identifierFormat: config.getOptionalString("identifierFormat"),
-      decryptionPvk: config.getOptionalString("decryptionPvk"),
-      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
-      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
-      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
-      tokenIssuer,
-      appUrl: globalConfig.appUrl,
-      authHandler,
+    const provider = new OidcAuthProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      tokenSignedResponseAlg,
+      metadataUrl,
+      scope,
+      prompt,
       signInResolver,
+      authHandler,
       logger,
+      tokenIssuer,
       catalogIdentityClient
     });
-  };
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
 };
 
-class Auth0Strategy extends OAuth2Strategy__default["default"] {
-  constructor(options, verify) {
-    const optionsWithURLs = {
-      ...options,
-      authorizationURL: `https://${options.domain}/authorize`,
-      tokenURL: `https://${options.domain}/oauth/token`,
-      userInfoURL: `https://${options.domain}/userinfo`,
-      apiUrl: `https://${options.domain}/api`
-    };
-    super(optionsWithURLs, verify);
-  }
-}
-
-class Auth0AuthProvider {
+class OktaAuthProvider {
   constructor(options) {
-    this._strategy = new Auth0Strategy({
+    this._store = {
+      store(_req, cb) {
+        cb(null, null);
+      },
+      verify(_req, _state, cb) {
+        cb(null, true);
+      }
+    };
+    this._signInResolver = options.signInResolver;
+    this._authHandler = options.authHandler;
+    this._tokenIssuer = options.tokenIssuer;
+    this._catalogIdentityClient = options.catalogIdentityClient;
+    this._logger = options.logger;
+    this._strategy = new passportOktaOauth.Strategy({
       clientID: options.clientId,
       clientSecret: options.clientSecret,
       callbackURL: options.callbackUrl,
-      domain: options.domain,
-      passReqToCallback: false
+      audience: options.audience,
+      passReqToCallback: false,
+      store: this._store,
+      response_type: "code"
     }, (accessToken, refreshToken, params, fullProfile, done) => {
       done(void 0, {
-        fullProfile,
         accessToken,
         refreshToken,
-        params
+        params,
+        fullProfile
       }, {
         refreshToken
       });
@@ -2197,57 +2482,116 @@ class Auth0AuthProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
     return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
+      response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    const context = {
+      logger: this._logger,
+      catalogIdentityClient: this._catalogIdentityClient,
+      tokenIssuer: this._tokenIssuer
+    };
+    const { profile } = await this._authHandler(result, context);
+    const response = {
       providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
       profile
-    });
-  }
-  async populateIdentity(response) {
-    const { profile } = response;
-    if (!profile.email) {
-      throw new Error("Profile does not contain an email");
+    };
+    if (this._signInResolver) {
+      response.backstageIdentity = await this._signInResolver({
+        result,
+        profile
+      }, context);
     }
-    const id = profile.email.split("@")[0];
-    return { ...response, backstageIdentity: { id, token: "" } };
+    return response;
   }
 }
-const createAuth0Provider = (_options) => {
-  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+const oktaEmailSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const entity = await ctx.catalogIdentityClient.findUser({
+    annotations: {
+      "okta.com/email": profile.email
+    }
+  });
+  const claims = getEntityClaims(entity);
+  const token = await ctx.tokenIssuer.issueToken({ claims });
+  return { id: entity.metadata.name, entity, token };
+};
+const oktaDefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Okta profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: userId, ent: [`user:default/${userId}`] }
+  });
+  return { id: userId, token };
+};
+const createOktaProvider = (_options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const domain = envConfig.getString("domain");
+    const audience = envConfig.getString("audience");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const provider = new Auth0AuthProvider({
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    const provider = new OktaAuthProvider({
+      audience,
       clientId,
       clientSecret,
       callbackUrl,
-      domain
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
+      disableRefresh: false,
       providerId,
       tokenIssuer
     });
@@ -2256,6 +2600,11 @@ const createAuth0Provider = (_options) => {
 
 class OneLoginProvider {
   constructor(options) {
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
     this._strategy = new passportOneloginOauth.Strategy({
       issuer: options.issuer,
       clientID: options.clientId,
@@ -2283,54 +2632,88 @@ class OneLoginProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    const profile = makeProfileInfo(result.fullProfile, result.params.id_token);
     return {
-      response: await this.populateIdentity({
-        profile,
-        providerInfo: {
-          idToken: result.params.id_token,
-          accessToken: result.accessToken,
-          scope: result.params.scope,
-          expiresInSeconds: result.params.expires_in
-        }
-      }),
+      response: await this.handleResult(result),
       refreshToken: privateInfo.refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
     const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    const profile = makeProfileInfo(fullProfile, params.id_token);
-    return this.populateIdentity({
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const response = {
       providerInfo: {
-        accessToken,
-        idToken: params.id_token,
-        expiresInSeconds: params.expires_in,
-        scope: params.scope
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
       },
       profile
-    });
-  }
-  async populateIdentity(response) {
-    const { profile } = response;
-    if (!profile.email) {
-      throw new Error("OIDC profile contained no email");
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
     }
-    const id = profile.email.split("@")[0];
-    return { ...response, backstageIdentity: { id, token: "" } };
+    return response;
   }
 }
-const createOneLoginProvider = (_options) => {
-  return ({ providerId, globalConfig, config, tokenIssuer }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+const defaultSignInResolver = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("OIDC profile contained no email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createOneLoginProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const issuer = envConfig.getString("issuer");
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
     const provider = new OneLoginProvider({
       clientId,
       clientSecret,
       callbackUrl,
-      issuer
+      issuer,
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
@@ -2340,362 +2723,222 @@ const createOneLoginProvider = (_options) => {
   });
 };
 
-const factories = {
-  google: createGoogleProvider(),
-  github: createGithubProvider(),
-  gitlab: createGitlabProvider(),
-  saml: createSamlProvider(),
-  okta: createOktaProvider(),
-  auth0: createAuth0Provider(),
-  microsoft: createMicrosoftProvider(),
-  oauth2: createOAuth2Provider(),
-  oidc: createOidcProvider(),
-  onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider(),
-  atlassian: createAtlassianProvider()
-};
-
-function createOidcRouter(options) {
-  const { baseUrl, tokenIssuer } = options;
-  const router = Router__default["default"]();
-  const config = {
-    issuer: baseUrl,
-    token_endpoint: `${baseUrl}/v1/token`,
-    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
-    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-    response_types_supported: ["id_token"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
-    scopes_supported: ["openid"],
-    token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
-    grant_types_supported: []
-  };
-  router.get("/.well-known/openid-configuration", (_req, res) => {
-    res.json(config);
-  });
-  router.get("/.well-known/jwks.json", async (_req, res) => {
-    const { keys } = await tokenIssuer.listPublicKeys();
-    res.json({ keys });
-  });
-  router.get("/v1/token", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  return router;
-}
-
-const CLOCK_MARGIN_S = 10;
-class IdentityClient {
-  constructor(options) {
-    this.discovery = options.discovery;
-    this.issuer = options.issuer;
-    this.keyStore = new jose.JWKS.KeyStore();
-    this.keyStoreUpdated = 0;
-  }
-  async authenticate(token) {
-    var _a;
-    if (!token) {
-      throw new errors.AuthenticationError("No token specified");
-    }
-    const key = await this.getKey(token);
-    if (!key) {
-      throw new errors.AuthenticationError("No signing key matching token found");
-    }
-    const decoded = jose.JWT.IdToken.verify(token, key, {
-      algorithms: ["ES256"],
-      audience: "backstage",
-      issuer: this.issuer
-    });
-    if (!decoded.sub) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    const user = {
-      id: decoded.sub,
-      token,
-      identity: {
-        type: "user",
-        userEntityRef: decoded.sub,
-        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
-      }
-    };
-    return user;
-  }
-  static getBearerToken(authorizationHeader) {
-    if (typeof authorizationHeader !== "string") {
-      return void 0;
-    }
-    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
-    return matches == null ? void 0 : matches[1];
-  }
-  async getKey(rawJwtToken) {
-    const { header, payload } = jose.JWT.decode(rawJwtToken, {
-      complete: true
-    });
-    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
-    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!keyStoreHasKey && issuedAfterLastRefresh) {
-      await this.refreshKeyStore();
-    }
-    return this.keyStore.get({ kid: header.kid });
-  }
-  async listPublicKeys() {
-    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default["default"](url);
-    if (!response.ok) {
-      const payload = await response.text();
-      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
-      throw new Error(message);
-    }
-    const publicKeys = await response.json();
-    return publicKeys;
-  }
-  async refreshKeyStore() {
-    const now = Date.now() / 1e3;
-    const publicKeys = await this.listPublicKeys();
-    this.keyStore = jose.JWKS.asKeyStore({
-      keys: publicKeys.keys.map((key) => key)
-    });
-    this.keyStoreUpdated = now;
-  }
-}
-
-const MS_IN_S = 1e3;
-class TokenFactory {
+class SamlAuthProvider {
   constructor(options) {
-    this.issuer = options.issuer;
+    this.appUrl = options.appUrl;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyStore = options.keyStore;
-    this.keyDurationSeconds = options.keyDurationSeconds;
-  }
-  async issueToken(params) {
-    const key = await this.getKey();
-    const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
+    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
+      done(void 0, { fullProfile });
     });
   }
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
-        seconds: 3 * this.keyDurationSeconds
-      });
-      if (expireAt < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
-      this.keyStore.removeKeys(kids).catch((error) => {
-        this.logger.error(`Failed to remove expired keys, ${error}`);
-      });
-    }
-    return { keys: validKeys.map(({ key }) => key) };
+  async start(req, res) {
+    const { url } = await executeRedirectStrategy(req, this.strategy, {});
+    res.redirect(url);
   }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
-        return this.privateKeyPromise;
+  async frameHandler(req, res) {
+    try {
+      const context = {
+        logger: this.logger,
+        catalogIdentityClient: this.catalogIdentityClient,
+        tokenIssuer: this.tokenIssuer
+      };
+      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
+      const { profile } = await this.authHandler(result, context);
+      const response = {
+        profile,
+        providerInfo: {}
+      };
+      if (this.signInResolver) {
+        const signInResponse = await this.signInResolver({
+          result,
+          profile
+        }, context);
+        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
       }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = luxon.DateTime.utc().plus({
-      seconds: this.keyDurationSeconds
-    }).toJSDate();
-    const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        response
       });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
     } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        error: { name, message }
+      });
     }
-    return promise;
   }
-}
-
-const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
-const TABLE = "signing_keys";
-const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
-  if (!parsedDate.isValid) {
-    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+  async logout(_req, res) {
+    res.end();
   }
-  return parsedDate.toJSDate();
+}
+const samlDefaultSignInResolver = async (info, ctx) => {
+  const id = info.result.fullProfile.nameID;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id }
+  });
+  return { id, token };
 };
-class DatabaseKeyStore {
-  static async create(options) {
-    const { database } = options;
-    await database.migrate.latest({
-      directory: migrationsDir
+const createSamlProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    catalogApi,
+    logger
+  }) => {
+    var _a, _b;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
     });
-    return new DatabaseKeyStore(options);
-  }
-  constructor(options) {
-    this.database = options.database;
-  }
-  async addKey(key) {
-    await this.database(TABLE).insert({
-      kid: key.kid,
-      key: JSON.stringify(key)
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: {
+        email: fullProfile.email,
+        displayName: fullProfile.displayName
+      }
     });
-  }
-  async listKeys() {
-    const rows = await this.database(TABLE).select();
-    return {
-      items: rows.map((row) => ({
-        key: JSON.parse(row.key),
-        createdAt: parseDate(row.created_at)
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    await this.database(TABLE).delete().whereIn("kid", kids);
-  }
-}
-
-class MemoryKeyStore {
-  constructor() {
-    this.keys = /* @__PURE__ */ new Map();
-  }
-  async addKey(key) {
-    this.keys.set(key.kid, {
-      createdAt: luxon.DateTime.utc().toJSDate(),
-      key: JSON.stringify(key)
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    return new SamlAuthProvider({
+      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
+      entryPoint: config.getString("entryPoint"),
+      logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
+      issuer: config.getString("issuer"),
+      cert: config.getString("cert"),
+      privateKey: config.getOptionalString("privateKey"),
+      authnContext: config.getOptionalStringArray("authnContext"),
+      identifierFormat: config.getOptionalString("identifierFormat"),
+      decryptionPvk: config.getOptionalString("decryptionPvk"),
+      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
+      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
+      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+      tokenIssuer,
+      appUrl: globalConfig.appUrl,
+      authHandler,
+      signInResolver,
+      logger,
+      catalogIdentityClient
     });
+  };
+};
+
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
   }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      this.keys.delete(kid);
-    }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
   }
-  async listKeys() {
-    return {
-      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
-        createdAt,
-        key: JSON.parse(keyStr)
-      }))
-    };
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
   }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
 }
+const defaultAuthHandler = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
 
-const DEFAULT_TIMEOUT_MS = 1e4;
-const DEFAULT_DOCUMENT_PATH = "sessions";
-class FirestoreKeyStore {
-  constructor(database, path, timeout) {
-    this.database = database;
-    this.path = path;
-    this.timeout = timeout;
-  }
-  static async create(settings) {
-    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
-    const database = new firestore.Firestore(firestoreSettings);
-    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
   }
-  static async verifyConnection(keyStore, logger) {
-    try {
-      await keyStore.verify();
-    } catch (error) {
-      if (process.env.NODE_ENV !== "development") {
-        throw new Error(`Failed to connect to database: ${error.message}`);
-      }
-      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
-    }
+  async start() {
   }
-  async addKey(key) {
-    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    }));
+  async frameHandler() {
   }
-  async listKeys() {
-    const keys = await this.withTimeout(this.database.collection(this.path).get());
-    return {
-      items: keys.docs.map((key) => ({
-        key: key.data(),
-        createdAt: key.createTime.toDate()
-      }))
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
     };
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
-    }
-  }
-  async withTimeout(operation) {
-    const timer = new Promise((_, reject) => setTimeout(() => {
-      reject(new Error(`Operation timed out after ${this.timeout}ms`));
-    }, this.timeout));
-    return Promise.race([operation, timer]);
-  }
-  async verify() {
-    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+    const { profile } = await this.authHandler(result, context);
+    const backstageIdentity = await this.signInResolver({ profile, result }, context);
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
   }
 }
-
-class KeyStores {
-  static async fromConfig(config, options) {
+function createGcpIapProvider(options) {
+  return ({ config, tokenIssuer, catalogApi, logger }) => {
     var _a;
-    const { logger, database } = options != null ? options : {};
-    const ks = config.getOptionalConfig("auth.keyStore");
-    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
-    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
-    if (provider === "database") {
-      if (!database) {
-        throw new Error("This KeyStore provider requires a database");
-      }
-      return await DatabaseKeyStore.create({
-        database: await database.getClient()
-      });
-    }
-    if (provider === "memory") {
-      return new MemoryKeyStore();
-    }
-    if (provider === "firestore") {
-      const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
-        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
-        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
-        host: settings == null ? void 0 : settings.getOptionalString("host"),
-        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
-        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
-        path: settings == null ? void 0 : settings.getOptionalString("path"),
-        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      }, (value) => value !== void 0));
-      await FirestoreKeyStore.verifyConnection(keyStore, logger);
-      return keyStore;
-    }
-    throw new Error(`Unknown KeyStore provider: ${provider}`);
-  }
+    const audience = config.getString("audience");
+    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+    const signInResolver = options.signIn.resolver;
+    const tokenValidator = createTokenValidator(audience);
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenIssuer
+    });
+    return new GcpIapProvider({
+      authHandler,
+      signInResolver,
+      tokenValidator,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
 }
 
+const factories = {
+  google: createGoogleProvider(),
+  github: createGithubProvider(),
+  gitlab: createGitlabProvider(),
+  saml: createSamlProvider(),
+  okta: createOktaProvider(),
+  auth0: createAuth0Provider(),
+  microsoft: createMicrosoftProvider(),
+  oauth2: createOAuth2Provider(),
+  oidc: createOidcProvider(),
+  onelogin: createOneLoginProvider(),
+  awsalb: createAwsAlbProvider(),
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
+};
+
 async function createRouter(options) {
   const { logger, config, discovery, database, providerFactories } = options;
   const router = Router__default["default"]();
@@ -2713,7 +2956,13 @@ async function createRouter(options) {
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
     router.use(cookieParser__default["default"](secret));
-    router.use(session__default["default"]({ secret, saveUninitialized: false, resave: false }));
+    const enforceCookieSSL = authUrl.startsWith("https");
+    router.use(session__default["default"]({
+      secret,
+      saveUninitialized: false,
+      resave: false,
+      cookie: { secure: enforceCookieSSL ? "auto" : false }
+    }));
     router.use(passport__default["default"].initialize());
     router.use(passport__default["default"].session());
   } else {
@@ -2799,15 +3048,19 @@ exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;
 exports.bitbucketUsernameSignInResolver = bitbucketUsernameSignInResolver;
 exports.createAtlassianProvider = createAtlassianProvider;
+exports.createAuth0Provider = createAuth0Provider;
 exports.createAwsAlbProvider = createAwsAlbProvider;
 exports.createBitbucketProvider = createBitbucketProvider;
+exports.createGcpIapProvider = createGcpIapProvider;
 exports.createGithubProvider = createGithubProvider;
 exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
 exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
+exports.createOauth2ProxyProvider = createOauth2ProxyProvider;
 exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
+exports.createOneLoginProvider = createOneLoginProvider;
 exports.createOriginFilter = createOriginFilter;
 exports.createRouter = createRouter;
 exports.createSamlProvider = createSamlProvider;