@backstage/plugin-auth-backend 0.7.0 → 0.9.0

package/dist/index.cjs.js

@@ -149,6 +149,16 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
+const getCookieConfig = (authUrl, providerId) => {
+  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+  const secure = protocol === "https:";
+  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return {
+    cookieDomain,
+    cookiePath,
+    secure
+  };
+};
 
 class OAuthEnvironmentHandler {
   constructor(handlers) {
@@ -271,56 +281,48 @@ class OAuthAdapter {
     this.setNonceCookie = (res, nonce) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+        ...this.baseCookieOptions,
+        path: `${this.options.cookiePath}/handler`
       });
     };
-    this.setScopesCookie = (res, scope) => {
-      res.cookie(`${this.options.providerId}-scope`, scope, {
-        maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+    this.setGrantedScopeCookie = (res, scope) => {
+      res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+        maxAge: THOUSAND_DAYS_MS,
+        ...this.baseCookieOptions
       });
     };
-    this.getScopesFromCookie = (req, providerId) => {
-      return req.cookies[`${providerId}-scope`];
+    this.getGrantedScopeFromCookie = (req) => {
+      return req.cookies[`${this.options.providerId}-granted-scope`];
     };
     this.setRefreshTokenCookie = (res, refreshToken) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
     this.removeRefreshTokenCookie = (res) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
+    this.baseCookieOptions = {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: this.options.secure,
+      path: this.options.cookiePath,
+      domain: this.options.cookieDomain
+    };
   }
   static fromConfig(config, handlers, options) {
+    var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const secure = config.baseUrl.startsWith("https://");
-    const url$1 = new url.URL(config.baseUrl);
-    const cookiePath = `${url$1.pathname}/${options.providerId}`;
+    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
+    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain: url$1.hostname,
+      cookieDomain,
       cookiePath,
       secure,
       isOriginAllowed: config.isOriginAllowed
@@ -334,12 +336,12 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
-    if (this.options.persistScopes) {
-      this.setScopesCookie(res, scope);
-    }
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
     const state = { nonce, env, origin };
+    if (this.options.persistScopes) {
+      state.scope = scope;
+    }
     const forwardReq = Object.assign(req, { scope, state });
     const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
@@ -364,9 +366,9 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
-      if (this.options.persistScopes) {
-        const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
-        response.providerInfo.scope = grantedScopes;
+      if (this.options.persistScopes && state.scope) {
+        this.setGrantedScopeCookie(res, state.scope);
+        response.providerInfo.scope = state.scope;
       }
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
@@ -404,7 +406,10 @@ class OAuthAdapter {
       if (!refreshToken) {
         throw new errors.InputError("Missing session cookie");
       }
-      const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      let scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      if (this.options.persistScopes) {
+        scope = this.getGrantedScopeFromCookie(req);
+      }
       const forwardReq = Object.assign(req, { scope, refreshToken });
       const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
@@ -550,7 +555,7 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
 class CatalogIdentityClient {
   constructor(options) {
     this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+    this.tokenManager = options.tokenManager;
   }
   async findUser(query) {
     const filter = {
@@ -559,9 +564,7 @@ class CatalogIdentityClient {
     for (const [key, value] of Object.entries(query.annotations)) {
       filter[`metadata.annotations.${key}`] = value;
     }
-    const token = await this.tokenIssuer.issueToken({
-      claims: { sub: "backstage.io/auth-backend" }
-    });
+    const { token } = await this.tokenManager.getToken();
     const { items } = await this.catalogApi.getEntities({ filter }, { token });
     if (items.length !== 1) {
       if (items.length > 1) {
@@ -591,7 +594,8 @@ class CatalogIdentityClient {
       "metadata.namespace": ref.namespace,
       "metadata.name": ref.name
     }));
-    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    const { token } = await this.tokenManager.getToken();
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
     if (entityRefs.length !== entities.length) {
       const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
       const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -701,6 +705,7 @@ const createAtlassianProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -708,10 +713,11 @@ const createAtlassianProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const scopes = envConfig.getString("scopes");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
     const provider = new AtlassianAuthProvider({
@@ -728,7 +734,8 @@ const createAtlassianProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -836,6 +843,7 @@ const createAuth0Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -843,10 +851,11 @@ const createAuth0Provider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -866,7 +875,8 @@ const createAuth0Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -974,7 +984,7 @@ class AwsAlbAuthProvider {
   }
 }
 const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     const region = config.getString("region");
     const issuer = config.getOptionalString("iss");
     if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -982,7 +992,7 @@ const createAwsAlbProvider = (options) => {
     }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1110,16 +1120,18 @@ const createBitbucketProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1137,11 +1149,14 @@ const createBitbucketProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
 
+const ACCESS_TOKEN_PREFIX = "access-token.";
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
@@ -1169,21 +1184,43 @@ class GithubAuthProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    let refreshToken = privateInfo.refreshToken;
+    if (!refreshToken && !result.params.expires_in) {
+      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+    }
     return {
       response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+      refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { scope, refreshToken } = req;
+    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+      const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken).catch((error) => {
+        var _a;
+        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+          throw new Error("Invalid access token");
+        }
+        throw error;
+      });
+      return {
+        response: await this.handleResult({
+          fullProfile,
+          params: { scope },
+          accessToken
+        }),
+        refreshToken
+      };
+    }
+    const result = await executeRefreshTokenStrategy(this._strategy, refreshToken, scope);
     return {
       response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
+        fullProfile: await executeFetchUserProfileStrategy(this._strategy, result.accessToken),
+        params: { ...result.params, scope },
+        accessToken: result.accessToken
       }),
-      refreshToken
+      refreshToken: result.refreshToken
     };
   }
   async handleResult(result) {
@@ -1194,21 +1231,28 @@ class GithubAuthProvider {
     };
     const { profile } = await this.authHandler(result, context);
     const expiresInStr = result.params.expires_in;
-    const response = {
+    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+    let backstageIdentity = void 0;
+    if (this.signInResolver) {
+      backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+      if (expiresInSeconds) {
+        expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
+      } else {
+        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+      }
+    }
+    return {
+      backstageIdentity,
       providerInfo: {
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, context);
-    }
-    return response;
   }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
@@ -1228,6 +1272,7 @@ const createGithubProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1242,7 +1287,7 @@ const createGithubProvider = (options) => {
     const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1273,7 +1318,8 @@ const createGithubProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       persistScopes: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1369,6 +1415,7 @@ const createGitlabProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1377,10 +1424,11 @@ const createGitlabProvider = (options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getOptionalString("audience");
     const baseUrl = audience || "https://gitlab.com";
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
     const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
@@ -1403,7 +1451,8 @@ const createGitlabProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1515,7 +1564,7 @@ const googleDefaultSignInResolver = async (info, ctx) => {
     userId = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
@@ -1525,16 +1574,18 @@ const createGoogleProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1558,7 +1609,8 @@ const createGoogleProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1682,6 +1734,7 @@ const createMicrosoftProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1689,12 +1742,13 @@ const createMicrosoftProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const tenantId = envConfig.getString("tenantId");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
     const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1720,7 +1774,8 @@ const createMicrosoftProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1827,13 +1882,15 @@ const createOAuth2Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = envConfig.getString("authorizationUrl");
     const tokenUrl = envConfig.getString("tokenUrl");
     const scope = envConfig.getOptionalString("scope");
@@ -1841,7 +1898,7 @@ const createOAuth2Provider = (options) => {
     const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1869,7 +1926,8 @@ const createOAuth2Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2272,12 +2330,12 @@ class Oauth2ProxyAuthProvider {
     };
   }
 }
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer }) => {
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
   const signInResolver = options.signIn.resolver;
   const authHandler = options.authHandler;
   const catalogIdentityClient = new CatalogIdentityClient({
     catalogApi,
-    tokenIssuer
+    tokenManager
   });
   return new Oauth2ProxyAuthProvider({
     logger,
@@ -2388,7 +2446,10 @@ const oAuth2DefaultSignInResolver = async (info, ctx) => {
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: `user:default/${userId}`,
+      ent: [`user:default/${userId}`]
+    }
   });
   return { id: userId, token };
 };
@@ -2398,20 +2459,22 @@ const createOidcProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const metadataUrl = envConfig.getString("metadataUrl");
     const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
     const scope = envConfig.getOptionalString("scope");
     const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
       profile: {
@@ -2443,7 +2506,8 @@ const createOidcProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2565,6 +2629,7 @@ const createOktaProvider = (_options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2572,13 +2637,14 @@ const createOktaProvider = (_options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     if (!audience.startsWith("https://")) {
       throw new Error("URL for 'audience' must start with 'https://'.");
     }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2603,7 +2669,8 @@ const createOktaProvider = (_options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2698,6 +2765,7 @@ const createOneLoginProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2705,10 +2773,11 @@ const createOneLoginProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2728,7 +2797,8 @@ const createOneLoginProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2798,13 +2868,14 @@ const createSamlProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => {
     var _a, _b;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: {
@@ -2912,7 +2983,7 @@ class GcpIapProvider {
   }
 }
 function createGcpIapProvider(options) {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     var _a;
     const audience = config.getString("audience");
     const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
@@ -2920,7 +2991,7 @@ function createGcpIapProvider(options) {
     const tokenValidator = createTokenValidator(audience);
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     return new GcpIapProvider({
       authHandler,
@@ -2950,7 +3021,14 @@ const factories = {
 };
 
 async function createRouter(options) {
-  const { logger, config, discovery, database, providerFactories } = options;
+  const {
+    logger,
+    config,
+    discovery,
+    database,
+    tokenManager,
+    providerFactories
+  } = options;
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -2996,6 +3074,7 @@ async function createRouter(options) {
           globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
           config: providersConfig.getConfig(providerId),
           logger,
+          tokenManager,
           tokenIssuer,
           discovery,
           catalogApi