@backstage/plugin-auth-backend 0.6.2 → 0.9.0-next.0

package/dist/index.cjs.js

@@ -20,17 +20,17 @@ var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
+var uuid = require('uuid');
+var luxon = require('luxon');
+var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
 var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
-var uuid = require('uuid');
-var luxon = require('luxon');
-var backendCommon = require('@backstage/backend-common');
-var firestore = require('@google-cloud/firestore');
-var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -149,6 +149,16 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
+const getCookieConfig = (authUrl, providerId) => {
+  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+  const secure = protocol === "https:";
+  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return {
+    cookieDomain,
+    cookiePath,
+    secure
+  };
+};
 
 class OAuthEnvironmentHandler {
   constructor(handlers) {
@@ -245,6 +255,10 @@ function parseJwtPayload(token) {
 }
 function prepareBackstageIdentityResponse(result) {
   const { sub, ent } = parseJwtPayload(result.token);
+  const userEntityRef = catalogModel.stringifyEntityRef(catalogModel.parseEntityRef(sub, {
+    defaultKind: "user",
+    defaultNamespace: catalogModel.ENTITY_DEFAULT_NAMESPACE
+  }));
   return {
     ...{
       idToken: result.token,
@@ -252,7 +266,7 @@ function prepareBackstageIdentityResponse(result) {
     },
     identity: {
       type: "user",
-      userEntityRef: sub,
+      userEntityRef,
       ownershipEntityRefs: ent != null ? ent : []
     }
   };
@@ -309,14 +323,14 @@ class OAuthAdapter {
     };
   }
   static fromConfig(config, handlers, options) {
+    var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const secure = config.baseUrl.startsWith("https://");
-    const url$1 = new url.URL(config.baseUrl);
-    const cookiePath = `${url$1.pathname}/${options.providerId}`;
+    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
+    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain: url$1.hostname,
+      cookieDomain,
       cookiePath,
       secure,
       isOriginAllowed: config.isOriginAllowed
@@ -546,7 +560,7 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
 class CatalogIdentityClient {
   constructor(options) {
     this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+    this.tokenManager = options.tokenManager;
   }
   async findUser(query) {
     const filter = {
@@ -555,9 +569,7 @@ class CatalogIdentityClient {
     for (const [key, value] of Object.entries(query.annotations)) {
       filter[`metadata.annotations.${key}`] = value;
     }
-    const token = await this.tokenIssuer.issueToken({
-      claims: { sub: "backstage.io/auth-backend" }
-    });
+    const { token } = await this.tokenManager.getToken();
     const { items } = await this.catalogApi.getEntities({ filter }, { token });
     if (items.length !== 1) {
       if (items.length > 1) {
@@ -587,7 +599,8 @@ class CatalogIdentityClient {
       "metadata.namespace": ref.namespace,
       "metadata.name": ref.name
     }));
-    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    const { token } = await this.tokenManager.getToken();
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
     if (entityRefs.length !== entities.length) {
       const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
       const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -655,7 +668,12 @@ class AtlassianAuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -669,11 +687,7 @@ class AtlassianAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -696,6 +710,7 @@ const createAtlassianProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -706,7 +721,7 @@ const createAtlassianProvider = (options) => {
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
     const provider = new AtlassianAuthProvider({
@@ -793,7 +808,12 @@ class Auth0AuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -807,11 +827,7 @@ class Auth0AuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -830,6 +846,7 @@ const createAuth0Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -840,7 +857,7 @@ const createAuth0Provider = (options) => {
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -937,15 +954,16 @@ class AwsAlbAuthProvider {
     }
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const backstageIdentity = await this.signInResolver({
-      result,
-      profile
-    }, {
+    const context = {
       tokenIssuer: this.tokenIssuer,
       catalogIdentityClient: this.catalogIdentityClient,
       logger: this.logger
-    });
+    };
+    const { profile } = await this.authHandler(result, context);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, context);
     return {
       providerInfo: {
         accessToken: result.accessToken,
@@ -967,7 +985,7 @@ class AwsAlbAuthProvider {
   }
 }
 const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     const region = config.getString("region");
     const issuer = config.getOptionalString("iss");
     if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -975,7 +993,7 @@ const createAwsAlbProvider = (options) => {
     }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1045,7 +1063,12 @@ class BitbucketAuthProvider {
   }
   async handleResult(result) {
     result.fullProfile.avatarUrl = result.fullProfile._json.links.avatar.href;
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1059,11 +1082,7 @@ class BitbucketAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1102,6 +1121,7 @@ const createBitbucketProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1111,7 +1131,7 @@ const createBitbucketProvider = (options) => {
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1179,7 +1199,12 @@ class GithubAuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const expiresInStr = result.params.expires_in;
     const response = {
       providerInfo: {
@@ -1193,11 +1218,7 @@ class GithubAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1206,7 +1227,10 @@ const githubDefaultSignInResolver = async (info, ctx) => {
   const { fullProfile } = info.result;
   const userId = fullProfile.username || fullProfile.id;
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: `user:default/${userId}`,
+      ent: [`user:default/${userId}`]
+    }
   });
   return { id: userId, token };
 };
@@ -1216,6 +1240,7 @@ const createGithubProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1230,7 +1255,7 @@ const createGithubProvider = (options) => {
     const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1261,7 +1286,8 @@ const createGithubProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       persistScopes: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1273,7 +1299,7 @@ const gitlabDefaultSignInResolver = async (info, ctx) => {
     id = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id, ent: [`user:default/${id}`] }
+    claims: { sub: `user:default/${id}`, ent: [`user:default/${id}`] }
   });
   return { id, token };
 };
@@ -1327,7 +1353,12 @@ class GitlabAuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1341,11 +1372,7 @@ class GitlabAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1356,6 +1383,7 @@ const createGitlabProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1367,7 +1395,7 @@ const createGitlabProvider = (options) => {
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
     const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
@@ -1446,7 +1474,12 @@ class GoogleAuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1460,11 +1493,7 @@ class GoogleAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1501,7 +1530,7 @@ const googleDefaultSignInResolver = async (info, ctx) => {
     userId = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
@@ -1511,6 +1540,7 @@ const createGoogleProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1520,7 +1550,7 @@ const createGoogleProvider = (options) => {
     const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1595,7 +1625,12 @@ class MicrosoftAuthProvider {
   async handleResult(result) {
     const photo = await this.getUserPhoto(result.accessToken);
     result.fullProfile.photos = photo ? [{ value: photo }] : void 0;
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1609,11 +1644,7 @@ class MicrosoftAuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1654,7 +1685,10 @@ const microsoftDefaultSignInResolver = async (info, ctx) => {
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: `user:default/${userId}`,
+      ent: [`user:default/${userId}`]
+    }
   });
   return { id: userId, token };
 };
@@ -1664,6 +1698,7 @@ const createMicrosoftProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1676,7 +1711,7 @@ const createMicrosoftProvider = (options) => {
     const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1765,7 +1800,12 @@ class OAuth2AuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this.authHandler(result);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -1779,11 +1819,7 @@ class OAuth2AuthProvider {
       response.backstageIdentity = await this.signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+      }, context);
     }
     return response;
   }
@@ -1798,7 +1834,7 @@ const oAuth2DefaultSignInResolver$1 = async (info, ctx) => {
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
@@ -1808,6 +1844,7 @@ const createOAuth2Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1822,7 +1859,7 @@ const createOAuth2Provider = (options) => {
     const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1855,107 +1892,525 @@ const createOAuth2Provider = (options) => {
   });
 };
 
-class OidcAuthProvider {
+function createOidcRouter(options) {
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
+  const config = {
+    issuer: baseUrl,
+    token_endpoint: `${baseUrl}/v1/token`,
+    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
+    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+    response_types_supported: ["id_token"],
+    subject_types_supported: ["public"],
+    id_token_signing_alg_values_supported: ["RS256"],
+    scopes_supported: ["openid"],
+    token_endpoint_auth_methods_supported: [],
+    claims_supported: ["sub"],
+    grant_types_supported: []
+  };
+  router.get("/.well-known/openid-configuration", (_req, res) => {
+    res.json(config);
+  });
+  router.get("/.well-known/jwks.json", async (_req, res) => {
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
+  });
+  router.get("/v1/token", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  router.get("/v1/userinfo", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  return router;
+}
+
+const CLOCK_MARGIN_S = 10;
+class IdentityClient {
   constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+    this.discovery = options.discovery;
+    this.issuer = options.issuer;
+    this.keyStore = new jose.JWKS.KeyStore();
+    this.keyStoreUpdated = 0;
   }
-  async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
+  async authenticate(token) {
+    var _a;
+    if (!token) {
+      throw new errors.AuthenticationError("No token specified");
     }
-    return await executeRedirectStrategy(req, strategy, options);
-  }
-  async handler(req) {
-    const { strategy } = await this.implementation;
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+    const key = await this.getKey(token);
+    if (!key) {
+      throw new errors.AuthenticationError("No signing key matching token found");
+    }
+    const decoded = jose.JWT.IdToken.verify(token, key, {
+      algorithms: ["ES256"],
+      audience: "backstage",
+      issuer: this.issuer
+    });
+    if (!decoded.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
+    const user = {
+      id: decoded.sub,
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.sub,
+        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
+      }
     };
+    return user;
   }
-  async refresh(req) {
-    const { client } = await this.implementation;
-    const tokenset = await client.refresh(req.refreshToken);
-    if (!tokenset.access_token) {
-      throw new Error("Refresh failed");
+  static getBearerToken(authorizationHeader) {
+    if (typeof authorizationHeader !== "string") {
+      return void 0;
     }
-    const userinfo = await client.userinfo(tokenset.access_token);
-    return {
-      response: await this.handleResult({ tokenset, userinfo }),
-      refreshToken: tokenset.refresh_token
-    };
+    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
+    return matches == null ? void 0 : matches[1];
   }
-  async setupStrategy(options) {
-    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
-    const client = new issuer.Client({
-      access_type: "offline",
-      client_id: options.clientId,
-      client_secret: options.clientSecret,
-      redirect_uris: [options.callbackUrl],
-      response_types: ["code"],
-      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
-      scope: options.scope || ""
-    });
-    const strategy = new openidClient.Strategy({
-      client,
-      passReqToCallback: false
-    }, (tokenset, userinfo, done) => {
-      if (typeof done !== "function") {
-        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
-      }
-      done(void 0, { tokenset, userinfo }, {
-        refreshToken: tokenset.refresh_token
-      });
+  async getKey(rawJwtToken) {
+    const { header, payload } = jose.JWT.decode(rawJwtToken, {
+      complete: true
     });
-    strategy.error = console.error;
-    return { strategy, client };
+    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
+    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!keyStoreHasKey && issuedAfterLastRefresh) {
+      await this.refreshKeyStore();
+    }
+    return this.keyStore.get({ kid: header.kid });
   }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const response = {
-      providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token,
-        scope: result.tokenset.scope,
-        expiresInSeconds: result.tokenset.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
+  async listPublicKeys() {
+    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
+    const response = await fetch__default["default"](url);
+    if (!response.ok) {
+      const payload = await response.text();
+      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
+      throw new Error(message);
     }
-    return response;
+    const publicKeys = await response.json();
+    return publicKeys;
   }
-}
-const oAuth2DefaultSignInResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Profile contained no email");
+  async refreshKeyStore() {
+    const now = Date.now() / 1e3;
+    const publicKeys = await this.listPublicKeys();
+    this.keyStore = jose.JWKS.asKeyStore({
+      keys: publicKeys.keys.map((key) => key)
+    });
+    this.keyStoreUpdated = now;
   }
-  const userId = profile.email.split("@")[0];
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
+}
+
+const MS_IN_S = 1e3;
+class TokenFactory {
+  constructor(options) {
+    this.issuer = options.issuer;
+    this.logger = options.logger;
+    this.keyStore = options.keyStore;
+    this.keyDurationSeconds = options.keyDurationSeconds;
+  }
+  async issueToken(params) {
+    const key = await this.getKey();
+    const iss = this.issuer;
+    const sub = params.claims.sub;
+    const ent = params.claims.ent;
+    const aud = "backstage";
+    const iat = Math.floor(Date.now() / MS_IN_S);
+    const exp = iat + this.keyDurationSeconds;
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
+      alg: key.alg,
+      kid: key.kid
+    });
+  }
+  async listPublicKeys() {
+    const { items: keys } = await this.keyStore.listKeys();
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
+        seconds: 3 * this.keyDurationSeconds
+      });
+      if (expireAt < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
+    }
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
+      this.keyStore.removeKeys(kids).catch((error) => {
+        this.logger.error(`Failed to remove expired keys, ${error}`);
+      });
+    }
+    return { keys: validKeys.map(({ key }) => key) };
+  }
+  async getKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = luxon.DateTime.utc().plus({
+      seconds: this.keyDurationSeconds
+    }).toJSDate();
+    const promise = (async () => {
+      const key = await jose.JWK.generate("EC", "P-256", {
+        use: "sig",
+        kid: uuid.v4(),
+        alg: "ES256"
+      });
+      this.logger.info(`Created new signing key ${key.kid}`);
+      await this.keyStore.addKey(key.toJWK(false));
+      return key;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
+  }
+}
+
+const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
+const TABLE = "signing_keys";
+const parseDate = (date) => {
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
+  if (!parsedDate.isValid) {
+    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+  }
+  return parsedDate.toJSDate();
+};
+class DatabaseKeyStore {
+  static async create(options) {
+    const { database } = options;
+    await database.migrate.latest({
+      directory: migrationsDir
+    });
+    return new DatabaseKeyStore(options);
+  }
+  constructor(options) {
+    this.database = options.database;
+  }
+  async addKey(key) {
+    await this.database(TABLE).insert({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    });
+  }
+  async listKeys() {
+    const rows = await this.database(TABLE).select();
+    return {
+      items: rows.map((row) => ({
+        key: JSON.parse(row.key),
+        createdAt: parseDate(row.created_at)
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    await this.database(TABLE).delete().whereIn("kid", kids);
+  }
+}
+
+class MemoryKeyStore {
+  constructor() {
+    this.keys = /* @__PURE__ */ new Map();
+  }
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
+    }
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
+}
+
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
+  }
+  static async create(settings) {
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+  }
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
+  }
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
+    };
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+  }
+}
+
+class KeyStores {
+  static async fromConfig(config, options) {
+    var _a;
+    const { logger, database } = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
+}
+
+const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+class Oauth2ProxyAuthProvider {
+  constructor(options) {
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+  }
+  frameHandler() {
+    return Promise.resolve(void 0);
+  }
+  async refresh(req, res) {
+    try {
+      const result = this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
+      res.status(401);
+      res.end();
+    }
+  }
+  start() {
+    return Promise.resolve(void 0);
+  }
+  async handleResult(result) {
+    const ctx = {
+      logger: this.logger,
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient
+    };
+    const { profile } = await this.authHandler(result, ctx);
+    const backstageSignInResult = await this.signInResolver({
+      result,
+      profile
+    }, ctx);
+    return {
+      providerInfo: {
+        accessToken: result.accessToken
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
+      profile
+    };
+  }
+  getResult(req) {
+    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+    const jwt = IdentityClient.getBearerToken(authHeader);
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+    }
+    const decodedJWT = jose.JWT.decode(jwt);
+    return {
+      fullProfile: decodedJWT,
+      accessToken: jwt
+    };
+  }
+}
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
+  const signInResolver = options.signIn.resolver;
+  const authHandler = options.authHandler;
+  const catalogIdentityClient = new CatalogIdentityClient({
+    catalogApi,
+    tokenManager
+  });
+  return new Oauth2ProxyAuthProvider({
+    logger,
+    signInResolver,
+    authHandler,
+    tokenIssuer,
+    catalogIdentityClient
+  });
+};
+
+class OidcAuthProvider {
+  constructor(options) {
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+  }
+  async start(req) {
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
+    }
+    return await executeRedirectStrategy(req, strategy, options);
+  }
+  async handler(req) {
+    const { strategy } = await this.implementation;
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
+  }
+  async refresh(req) {
+    const { client } = await this.implementation;
+    const tokenset = await client.refresh(req.refreshToken);
+    if (!tokenset.access_token) {
+      throw new Error("Refresh failed");
+    }
+    const userinfo = await client.userinfo(tokenset.access_token);
+    return {
+      response: await this.handleResult({ tokenset, userinfo }),
+      refreshToken: tokenset.refresh_token
+    };
+  }
+  async setupStrategy(options) {
+    const issuer = await openidClient.Issuer.discover(options.metadataUrl);
+    const client = new issuer.Client({
+      access_type: "offline",
+      client_id: options.clientId,
+      client_secret: options.clientSecret,
+      redirect_uris: [options.callbackUrl],
+      response_types: ["code"],
+      id_token_signed_response_alg: options.tokenSignedResponseAlg || "RS256",
+      scope: options.scope || ""
+    });
+    const strategy = new openidClient.Strategy({
+      client,
+      passReqToCallback: false
+    }, (tokenset, userinfo, done) => {
+      if (typeof done !== "function") {
+        throw new Error("OIDC IdP must provide a userinfo_endpoint in the metadata response");
+      }
+      done(void 0, { tokenset, userinfo }, {
+        refreshToken: tokenset.refresh_token
+      });
+    });
+    strategy.error = console.error;
+    return { strategy, client };
+  }
+  async handleResult(result) {
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const response = {
+      providerInfo: {
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token,
+        scope: result.tokenset.scope,
+        expiresInSeconds: result.tokenset.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+    }
+    return response;
+  }
+}
+const oAuth2DefaultSignInResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Profile contained no email");
+  }
+  const userId = profile.email.split("@")[0];
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: {
+      sub: `user:default/${userId}`,
+      ent: [`user:default/${userId}`]
+    }
+  });
   return { id: userId, token };
 };
 const createOidcProvider = (options) => {
@@ -1964,6 +2419,7 @@ const createOidcProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1977,7 +2433,7 @@ const createOidcProvider = (options) => {
     const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
       profile: {
@@ -2076,7 +2532,12 @@ class OktaAuthProvider {
     };
   }
   async handleResult(result) {
-    const { profile } = await this._authHandler(result);
+    const context = {
+      logger: this._logger,
+      catalogIdentityClient: this._catalogIdentityClient,
+      tokenIssuer: this._tokenIssuer
+    };
+    const { profile } = await this._authHandler(result, context);
     const response = {
       providerInfo: {
         idToken: result.params.id_token,
@@ -2090,11 +2551,7 @@ class OktaAuthProvider {
       response.backstageIdentity = await this._signInResolver({
         result,
         profile
-      }, {
-        tokenIssuer: this._tokenIssuer,
-        catalogIdentityClient: this._catalogIdentityClient,
-        logger: this._logger
-      });
+      }, context);
     }
     return response;
   }
@@ -2118,741 +2575,414 @@ const oktaDefaultSignInResolver = async (info, ctx) => {
   if (!profile.email) {
     throw new Error("Okta profile contained no email");
   }
-  const userId = profile.email.split("@")[0];
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
-  });
-  return { id: userId, token };
-};
-const createOktaProvider = (_options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const audience = envConfig.getString("audience");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    if (!audience.startsWith("https://")) {
-      throw new Error("URL for 'audience' must start with 'https://'.");
-    }
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenIssuer
-    });
-    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    const provider = new OktaAuthProvider({
-      audience,
-      clientId,
-      clientSecret,
-      callbackUrl,
-      authHandler,
-      signInResolver,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-
-class OneLoginProvider {
-  constructor(options) {
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this._strategy = new passportOneloginOauth.Strategy({
-      issuer: options.issuer,
-      clientID: options.clientId,
-      clientSecret: options.clientSecret,
-      callbackURL: options.callbackUrl,
-      passReqToCallback: false
-    }, (accessToken, refreshToken, params, fullProfile, done) => {
-      done(void 0, {
-        accessToken,
-        refreshToken,
-        params,
-        fullProfile
-      }, {
-        refreshToken
-      });
-    });
-  }
-  async start(req) {
-    return await executeRedirectStrategy(req, this._strategy, {
-      accessType: "offline",
-      prompt: "consent",
-      scope: "openid",
-      state: encodeState(req.state)
-    });
-  }
-  async handler(req) {
-    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
-    return {
-      response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
-    };
-  }
-  async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
-    return {
-      response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
-      }),
-      refreshToken
-    };
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result);
-    const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
-    };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, {
-        tokenIssuer: this.tokenIssuer,
-        catalogIdentityClient: this.catalogIdentityClient,
-        logger: this.logger
-      });
-    }
-    return response;
-  }
-}
-const defaultSignInResolver = async (info) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("OIDC profile contained no email");
-  }
-  const id = profile.email.split("@")[0];
-  return { id, token: "" };
-};
-const createOneLoginProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenIssuer
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
-    const provider = new OneLoginProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      issuer,
-      authHandler,
-      signInResolver,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
-};
-
-class SamlAuthProvider {
-  constructor(options) {
-    this.appUrl = options.appUrl;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
-      done(void 0, { fullProfile });
-    });
-  }
-  async start(req, res) {
-    const { url } = await executeRedirectStrategy(req, this.strategy, {});
-    res.redirect(url);
-  }
-  async frameHandler(req, res) {
-    try {
-      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
-      const { profile } = await this.authHandler(result);
-      const response = {
-        profile,
-        providerInfo: {}
-      };
-      if (this.signInResolver) {
-        const signInResponse = await this.signInResolver({
-          result,
-          profile
-        }, {
-          tokenIssuer: this.tokenIssuer,
-          catalogIdentityClient: this.catalogIdentityClient,
-          logger: this.logger
-        });
-        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
-      }
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        response
-      });
-    } catch (error) {
-      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        error: { name, message }
-      });
-    }
-  }
-  async logout(_req, res) {
-    res.end();
-  }
-}
-const samlDefaultSignInResolver = async (info, ctx) => {
-  const id = info.result.fullProfile.nameID;
+  const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id }
+    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
   });
-  return { id, token };
+  return { id: userId, token };
 };
-const createSamlProvider = (options) => {
+const createOktaProvider = (_options) => {
   return ({
     providerId,
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
-  }) => {
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const audience = envConfig.getString("audience");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    if (!audience.startsWith("https://")) {
+      throw new Error("URL for 'audience' must start with 'https://'.");
+    }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: {
-        email: fullProfile.email,
-        displayName: fullProfile.displayName
-      }
+    const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
     });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolverFn = (_b = (_a = _options == null ? void 0 : _options.signIn) == null ? void 0 : _a.resolver) != null ? _b : oktaDefaultSignInResolver;
     const signInResolver = (info) => signInResolverFn(info, {
       catalogIdentityClient,
       tokenIssuer,
-      logger
-    });
-    return new SamlAuthProvider({
-      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
-      entryPoint: config.getString("entryPoint"),
-      logoutUrl: config.getOptionalString("logoutUrl"),
-      audience: config.getOptionalString("audience"),
-      issuer: config.getString("issuer"),
-      cert: config.getString("cert"),
-      privateKey: config.getOptionalString("privateKey"),
-      authnContext: config.getOptionalStringArray("authnContext"),
-      identifierFormat: config.getOptionalString("identifierFormat"),
-      decryptionPvk: config.getOptionalString("decryptionPvk"),
-      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
-      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
-      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
-      tokenIssuer,
-      appUrl: globalConfig.appUrl,
-      authHandler,
-      signInResolver,
-      logger,
-      catalogIdentityClient
-    });
-  };
-};
-
-const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
-
-function createTokenValidator(audience, mockClient) {
-  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
-  return async function tokenValidator(token) {
-    const response = await client.getIapPublicKeys();
-    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new TypeError("Token had no payload");
-    }
-    return payload;
-  };
-}
-async function parseRequestToken(jwtToken, tokenValidator) {
-  if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
-  }
-  let payload;
-  try {
-    payload = await tokenValidator(jwtToken);
-  } catch (e) {
-    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
-  }
-  if (!payload.sub || !payload.email) {
-    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
-  }
-  return {
-    iapToken: {
-      ...payload,
-      sub: payload.sub,
-      email: payload.email
-    }
-  };
-}
-const defaultAuthHandler = async ({
-  iapToken
-}) => ({ profile: { email: iapToken.email } });
-
-class GcpIapProvider {
-  constructor(options) {
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenValidator = options.tokenValidator;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-  }
-  async start() {
-  }
-  async frameHandler() {
-  }
-  async refresh(req, res) {
-    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
-    const { profile } = await this.authHandler(result);
-    const backstageIdentity = await this.signInResolver({ profile, result }, {
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient,
-      logger: this.logger
-    });
-    const response = {
-      providerInfo: { iapToken: result.iapToken },
-      profile,
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
-    };
-    res.json(response);
-  }
-}
-function createGcpIapProvider(options) {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
-    var _a;
-    const audience = config.getString("audience");
-    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
-    const signInResolver = options.signIn.resolver;
-    const tokenValidator = createTokenValidator(audience);
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenIssuer
-    });
-    return new GcpIapProvider({
-      authHandler,
-      signInResolver,
-      tokenValidator,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-  };
-}
-
-const factories = {
-  google: createGoogleProvider(),
-  github: createGithubProvider(),
-  gitlab: createGitlabProvider(),
-  saml: createSamlProvider(),
-  okta: createOktaProvider(),
-  auth0: createAuth0Provider(),
-  microsoft: createMicrosoftProvider(),
-  oauth2: createOAuth2Provider(),
-  oidc: createOidcProvider(),
-  onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider(),
-  atlassian: createAtlassianProvider()
-};
-
-function createOidcRouter(options) {
-  const { baseUrl, tokenIssuer } = options;
-  const router = Router__default["default"]();
-  const config = {
-    issuer: baseUrl,
-    token_endpoint: `${baseUrl}/v1/token`,
-    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
-    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-    response_types_supported: ["id_token"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
-    scopes_supported: ["openid"],
-    token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
-    grant_types_supported: []
-  };
-  router.get("/.well-known/openid-configuration", (_req, res) => {
-    res.json(config);
-  });
-  router.get("/.well-known/jwks.json", async (_req, res) => {
-    const { keys } = await tokenIssuer.listPublicKeys();
-    res.json({ keys });
-  });
-  router.get("/v1/token", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  return router;
-}
-
-const CLOCK_MARGIN_S = 10;
-class IdentityClient {
-  constructor(options) {
-    this.discovery = options.discovery;
-    this.issuer = options.issuer;
-    this.keyStore = new jose.JWKS.KeyStore();
-    this.keyStoreUpdated = 0;
-  }
-  async authenticate(token) {
-    var _a;
-    if (!token) {
-      throw new errors.AuthenticationError("No token specified");
-    }
-    const key = await this.getKey(token);
-    if (!key) {
-      throw new errors.AuthenticationError("No signing key matching token found");
-    }
-    const decoded = jose.JWT.IdToken.verify(token, key, {
-      algorithms: ["ES256"],
-      audience: "backstage",
-      issuer: this.issuer
-    });
-    if (!decoded.sub) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    const user = {
-      id: decoded.sub,
-      token,
-      identity: {
-        type: "user",
-        userEntityRef: decoded.sub,
-        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
-      }
-    };
-    return user;
-  }
-  static getBearerToken(authorizationHeader) {
-    if (typeof authorizationHeader !== "string") {
-      return void 0;
-    }
-    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
-    return matches == null ? void 0 : matches[1];
-  }
-  async getKey(rawJwtToken) {
-    const { header, payload } = jose.JWT.decode(rawJwtToken, {
-      complete: true
-    });
-    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
-    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!keyStoreHasKey && issuedAfterLastRefresh) {
-      await this.refreshKeyStore();
-    }
-    return this.keyStore.get({ kid: header.kid });
-  }
-  async listPublicKeys() {
-    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default["default"](url);
-    if (!response.ok) {
-      const payload = await response.text();
-      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
-      throw new Error(message);
-    }
-    const publicKeys = await response.json();
-    return publicKeys;
-  }
-  async refreshKeyStore() {
-    const now = Date.now() / 1e3;
-    const publicKeys = await this.listPublicKeys();
-    this.keyStore = jose.JWKS.asKeyStore({
-      keys: publicKeys.keys.map((key) => key)
+      logger
     });
-    this.keyStoreUpdated = now;
-  }
-}
+    const provider = new OktaAuthProvider({
+      audience,
+      clientId,
+      clientSecret,
+      callbackUrl,
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
 
-const MS_IN_S = 1e3;
-class TokenFactory {
+class OneLoginProvider {
   constructor(options) {
-    this.issuer = options.issuer;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyStore = options.keyStore;
-    this.keyDurationSeconds = options.keyDurationSeconds;
+    this._strategy = new passportOneloginOauth.Strategy({
+      issuer: options.issuer,
+      clientID: options.clientId,
+      clientSecret: options.clientSecret,
+      callbackURL: options.callbackUrl,
+      passReqToCallback: false
+    }, (accessToken, refreshToken, params, fullProfile, done) => {
+      done(void 0, {
+        accessToken,
+        refreshToken,
+        params,
+        fullProfile
+      }, {
+        refreshToken
+      });
+    });
   }
-  async issueToken(params) {
-    const key = await this.getKey();
-    const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
+  async start(req) {
+    return await executeRedirectStrategy(req, this._strategy, {
+      accessType: "offline",
+      prompt: "consent",
+      scope: "openid",
+      state: encodeState(req.state)
     });
   }
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
-        seconds: 3 * this.keyDurationSeconds
-      });
-      if (expireAt < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
-      this.keyStore.removeKeys(kids).catch((error) => {
-        this.logger.error(`Failed to remove expired keys, ${error}`);
-      });
-    }
-    return { keys: validKeys.map(({ key }) => key) };
+  async handler(req) {
+    const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    return {
+      response: await this.handleResult(result),
+      refreshToken: privateInfo.refreshToken
+    };
   }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
-        return this.privateKeyPromise;
-      }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = luxon.DateTime.utc().plus({
-      seconds: this.keyDurationSeconds
-    }).toJSDate();
-    const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
-      });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
+  async refresh(req) {
+    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
+    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    return {
+      response: await this.handleResult({
+        fullProfile,
+        params,
+        accessToken
+      }),
+      refreshToken
+    };
+  }
+  async handleResult(result) {
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const response = {
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
     }
-    return promise;
+    return response;
   }
 }
-
-const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
-const TABLE = "signing_keys";
-const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
-  if (!parsedDate.isValid) {
-    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+const defaultSignInResolver = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("OIDC profile contained no email");
   }
-  return parsedDate.toJSDate();
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
 };
-class DatabaseKeyStore {
-  static async create(options) {
-    const { database } = options;
-    await database.migrate.latest({
-      directory: migrationsDir
+const createOneLoginProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    tokenManager,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const issuer = envConfig.getString("issuer");
+    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenManager
     });
-    return new DatabaseKeyStore(options);
-  }
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
+    const provider = new OneLoginProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      issuer,
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer
+    });
+  });
+};
+
+class SamlAuthProvider {
   constructor(options) {
-    this.database = options.database;
-  }
-  async addKey(key) {
-    await this.database(TABLE).insert({
-      kid: key.kid,
-      key: JSON.stringify(key)
+    this.appUrl = options.appUrl;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
+      done(void 0, { fullProfile });
     });
   }
-  async listKeys() {
-    const rows = await this.database(TABLE).select();
-    return {
-      items: rows.map((row) => ({
-        key: JSON.parse(row.key),
-        createdAt: parseDate(row.created_at)
-      }))
-    };
+  async start(req, res) {
+    const { url } = await executeRedirectStrategy(req, this.strategy, {});
+    res.redirect(url);
+  }
+  async frameHandler(req, res) {
+    try {
+      const context = {
+        logger: this.logger,
+        catalogIdentityClient: this.catalogIdentityClient,
+        tokenIssuer: this.tokenIssuer
+      };
+      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
+      const { profile } = await this.authHandler(result, context);
+      const response = {
+        profile,
+        providerInfo: {}
+      };
+      if (this.signInResolver) {
+        const signInResponse = await this.signInResolver({
+          result,
+          profile
+        }, context);
+        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
+      }
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        response
+      });
+    } catch (error) {
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        error: { name, message }
+      });
+    }
   }
-  async removeKeys(kids) {
-    await this.database(TABLE).delete().whereIn("kid", kids);
+  async logout(_req, res) {
+    res.end();
   }
 }
-
-class MemoryKeyStore {
-  constructor() {
-    this.keys = /* @__PURE__ */ new Map();
-  }
-  async addKey(key) {
-    this.keys.set(key.kid, {
-      createdAt: luxon.DateTime.utc().toJSDate(),
-      key: JSON.stringify(key)
+const samlDefaultSignInResolver = async (info, ctx) => {
+  const id = info.result.fullProfile.nameID;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id }
+  });
+  return { id, token };
+};
+const createSamlProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    tokenManager,
+    catalogApi,
+    logger
+  }) => {
+    var _a, _b;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenManager
     });
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      this.keys.delete(kid);
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: {
+        email: fullProfile.email,
+        displayName: fullProfile.displayName
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    return new SamlAuthProvider({
+      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
+      entryPoint: config.getString("entryPoint"),
+      logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
+      issuer: config.getString("issuer"),
+      cert: config.getString("cert"),
+      privateKey: config.getOptionalString("privateKey"),
+      authnContext: config.getOptionalStringArray("authnContext"),
+      identifierFormat: config.getOptionalString("identifierFormat"),
+      decryptionPvk: config.getOptionalString("decryptionPvk"),
+      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
+      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
+      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+      tokenIssuer,
+      appUrl: globalConfig.appUrl,
+      authHandler,
+      signInResolver,
+      logger,
+      catalogIdentityClient
+    });
+  };
+};
+
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
     }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
   }
-  async listKeys() {
-    return {
-      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
-        createdAt,
-        key: JSON.parse(keyStr)
-      }))
-    };
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
   }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
 }
+const defaultAuthHandler = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
 
-const DEFAULT_TIMEOUT_MS = 1e4;
-const DEFAULT_DOCUMENT_PATH = "sessions";
-class FirestoreKeyStore {
-  constructor(database, path, timeout) {
-    this.database = database;
-    this.path = path;
-    this.timeout = timeout;
-  }
-  static async create(settings) {
-    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
-    const database = new firestore.Firestore(firestoreSettings);
-    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
   }
-  static async verifyConnection(keyStore, logger) {
-    try {
-      await keyStore.verify();
-    } catch (error) {
-      if (process.env.NODE_ENV !== "development") {
-        throw new Error(`Failed to connect to database: ${error.message}`);
-      }
-      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
-    }
+  async start() {
   }
-  async addKey(key) {
-    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    }));
+  async frameHandler() {
   }
-  async listKeys() {
-    const keys = await this.withTimeout(this.database.collection(this.path).get());
-    return {
-      items: keys.docs.map((key) => ({
-        key: key.data(),
-        createdAt: key.createTime.toDate()
-      }))
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
     };
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
-    }
-  }
-  async withTimeout(operation) {
-    const timer = new Promise((_, reject) => setTimeout(() => {
-      reject(new Error(`Operation timed out after ${this.timeout}ms`));
-    }, this.timeout));
-    return Promise.race([operation, timer]);
-  }
-  async verify() {
-    await this.withTimeout(this.database.collection(this.path).limit(1).get());
+    const { profile } = await this.authHandler(result, context);
+    const backstageIdentity = await this.signInResolver({ profile, result }, context);
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+    };
+    res.json(response);
   }
 }
-
-class KeyStores {
-  static async fromConfig(config, options) {
+function createGcpIapProvider(options) {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     var _a;
-    const { logger, database } = options != null ? options : {};
-    const ks = config.getOptionalConfig("auth.keyStore");
-    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
-    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
-    if (provider === "database") {
-      if (!database) {
-        throw new Error("This KeyStore provider requires a database");
-      }
-      return await DatabaseKeyStore.create({
-        database: await database.getClient()
-      });
-    }
-    if (provider === "memory") {
-      return new MemoryKeyStore();
-    }
-    if (provider === "firestore") {
-      const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
-        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
-        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
-        host: settings == null ? void 0 : settings.getOptionalString("host"),
-        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
-        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
-        path: settings == null ? void 0 : settings.getOptionalString("path"),
-        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      }, (value) => value !== void 0));
-      await FirestoreKeyStore.verifyConnection(keyStore, logger);
-      return keyStore;
-    }
-    throw new Error(`Unknown KeyStore provider: ${provider}`);
-  }
+    const audience = config.getString("audience");
+    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+    const signInResolver = options.signIn.resolver;
+    const tokenValidator = createTokenValidator(audience);
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenManager
+    });
+    return new GcpIapProvider({
+      authHandler,
+      signInResolver,
+      tokenValidator,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+  };
 }
 
+const factories = {
+  google: createGoogleProvider(),
+  github: createGithubProvider(),
+  gitlab: createGitlabProvider(),
+  saml: createSamlProvider(),
+  okta: createOktaProvider(),
+  auth0: createAuth0Provider(),
+  microsoft: createMicrosoftProvider(),
+  oauth2: createOAuth2Provider(),
+  oidc: createOidcProvider(),
+  onelogin: createOneLoginProvider(),
+  awsalb: createAwsAlbProvider(),
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
+};
+
 async function createRouter(options) {
-  const { logger, config, discovery, database, providerFactories } = options;
+  const {
+    logger,
+    config,
+    discovery,
+    database,
+    tokenManager,
+    providerFactories
+  } = options;
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -2898,6 +3028,7 @@ async function createRouter(options) {
           globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
           config: providersConfig.getConfig(providerId),
           logger,
+          tokenManager,
           tokenIssuer,
           discovery,
           catalogApi
@@ -2969,6 +3100,7 @@ exports.createGitlabProvider = createGitlabProvider;
 exports.createGoogleProvider = createGoogleProvider;
 exports.createMicrosoftProvider = createMicrosoftProvider;
 exports.createOAuth2Provider = createOAuth2Provider;
+exports.createOauth2ProxyProvider = createOauth2ProxyProvider;
 exports.createOidcProvider = createOidcProvider;
 exports.createOktaProvider = createOktaProvider;
 exports.createOneLoginProvider = createOneLoginProvider;