@backstage/plugin-auth-backend 0.8.0 → 0.10.0-next.0

package/dist/index.cjs.js

@@ -149,15 +149,14 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
-const getCookieConfig = (authUrl, providerId) => {
-  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+const defaultCookieConfigurer = ({
+  callbackUrl,
+  providerId
+}) => {
+  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
   const secure = protocol === "https:";
-  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return {
-    cookieDomain,
-    cookiePath,
-    secure
-  };
+  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return { domain, path, secure };
 };
 
 class OAuthEnvironmentHandler {
@@ -281,58 +280,54 @@ class OAuthAdapter {
     this.setNonceCookie = (res, nonce) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+        ...this.baseCookieOptions,
+        path: `${this.options.cookiePath}/handler`
       });
     };
-    this.setScopesCookie = (res, scope) => {
-      res.cookie(`${this.options.providerId}-scope`, scope, {
-        maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+    this.setGrantedScopeCookie = (res, scope) => {
+      res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+        maxAge: THOUSAND_DAYS_MS,
+        ...this.baseCookieOptions
       });
     };
-    this.getScopesFromCookie = (req, providerId) => {
-      return req.cookies[`${providerId}-scope`];
+    this.getGrantedScopeFromCookie = (req) => {
+      return req.cookies[`${this.options.providerId}-granted-scope`];
     };
     this.setRefreshTokenCookie = (res, refreshToken) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
     this.removeRefreshTokenCookie = (res) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
+    this.baseCookieOptions = {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: this.options.secure,
+      path: this.options.cookiePath,
+      domain: this.options.cookieDomain
+    };
   }
   static fromConfig(config, handlers, options) {
     var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
-    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
+    const cookieConfigurer = (_a = config.cookieConfigurer) != null ? _a : defaultCookieConfigurer;
+    const cookieConfig = cookieConfigurer({
+      providerId: options.providerId,
+      baseUrl: config.baseUrl,
+      callbackUrl: options.callbackUrl
+    });
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain,
-      cookiePath,
-      secure,
+      cookieDomain: cookieConfig.domain,
+      cookiePath: cookieConfig.path,
+      secure: cookieConfig.secure,
       isOriginAllowed: config.isOriginAllowed
     });
   }
@@ -344,12 +339,12 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
-    if (this.options.persistScopes) {
-      this.setScopesCookie(res, scope);
-    }
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
     const state = { nonce, env, origin };
+    if (this.options.persistScopes) {
+      state.scope = scope;
+    }
     const forwardReq = Object.assign(req, { scope, state });
     const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
@@ -374,9 +369,9 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
-      if (this.options.persistScopes) {
-        const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
-        response.providerInfo.scope = grantedScopes;
+      if (this.options.persistScopes && state.scope) {
+        this.setGrantedScopeCookie(res, state.scope);
+        response.providerInfo.scope = state.scope;
       }
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
@@ -414,7 +409,10 @@ class OAuthAdapter {
       if (!refreshToken) {
         throw new errors.InputError("Missing session cookie");
       }
-      const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      let scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      if (this.options.persistScopes) {
+        scope = this.getGrantedScopeFromCookie(req);
+      }
       const forwardReq = Object.assign(req, { scope, refreshToken });
       const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
@@ -560,7 +558,7 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
 class CatalogIdentityClient {
   constructor(options) {
     this.catalogApi = options.catalogApi;
-    this.tokenIssuer = options.tokenIssuer;
+    this.tokenManager = options.tokenManager;
   }
   async findUser(query) {
     const filter = {
@@ -569,9 +567,7 @@ class CatalogIdentityClient {
     for (const [key, value] of Object.entries(query.annotations)) {
       filter[`metadata.annotations.${key}`] = value;
     }
-    const token = await this.tokenIssuer.issueToken({
-      claims: { sub: "backstage.io/auth-backend" }
-    });
+    const { token } = await this.tokenManager.getToken();
     const { items } = await this.catalogApi.getEntities({ filter }, { token });
     if (items.length !== 1) {
       if (items.length > 1) {
@@ -601,7 +597,8 @@ class CatalogIdentityClient {
       "metadata.namespace": ref.namespace,
       "metadata.name": ref.name
     }));
-    const entities = await this.catalogApi.getEntities({ filter }).then((r) => r.items);
+    const { token } = await this.tokenManager.getToken();
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
     if (entityRefs.length !== entities.length) {
       const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
       const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
@@ -711,6 +708,7 @@ const createAtlassianProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -718,10 +716,11 @@ const createAtlassianProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const scopes = envConfig.getString("scopes");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : atlassianDefaultAuthHandler;
     const provider = new AtlassianAuthProvider({
@@ -736,9 +735,9 @@ const createAtlassianProvider = (options) => {
       tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -846,6 +845,7 @@ const createAuth0Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -853,10 +853,11 @@ const createAuth0Provider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -876,7 +877,8 @@ const createAuth0Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -984,7 +986,7 @@ class AwsAlbAuthProvider {
   }
 }
 const createAwsAlbProvider = (options) => {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     const region = config.getString("region");
     const issuer = config.getOptionalString("iss");
     if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
@@ -992,7 +994,7 @@ const createAwsAlbProvider = (options) => {
     }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1120,16 +1122,18 @@ const createBitbucketProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1147,11 +1151,14 @@ const createBitbucketProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
 
+const ACCESS_TOKEN_PREFIX = "access-token.";
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
@@ -1179,21 +1186,43 @@ class GithubAuthProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    let refreshToken = privateInfo.refreshToken;
+    if (!refreshToken && !result.params.expires_in) {
+      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+    }
     return {
       response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+      refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { scope, refreshToken } = req;
+    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+      const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken).catch((error) => {
+        var _a;
+        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+          throw new Error("Invalid access token");
+        }
+        throw error;
+      });
+      return {
+        response: await this.handleResult({
+          fullProfile,
+          params: { scope },
+          accessToken
+        }),
+        refreshToken
+      };
+    }
+    const result = await executeRefreshTokenStrategy(this._strategy, refreshToken, scope);
     return {
       response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
+        fullProfile: await executeFetchUserProfileStrategy(this._strategy, result.accessToken),
+        params: { ...result.params, scope },
+        accessToken: result.accessToken
       }),
-      refreshToken
+      refreshToken: result.refreshToken
     };
   }
   async handleResult(result) {
@@ -1204,21 +1233,28 @@ class GithubAuthProvider {
     };
     const { profile } = await this.authHandler(result, context);
     const expiresInStr = result.params.expires_in;
-    const response = {
+    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+    let backstageIdentity = void 0;
+    if (this.signInResolver) {
+      backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+      if (expiresInSeconds) {
+        expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
+      } else {
+        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+      }
+    }
+    return {
+      backstageIdentity,
       providerInfo: {
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, context);
-    }
-    return response;
   }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
@@ -1238,6 +1274,7 @@ const createGithubProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1252,7 +1289,7 @@ const createGithubProvider = (options) => {
     const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: makeProfileInfo(fullProfile)
@@ -1380,6 +1417,7 @@ const createGitlabProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1388,10 +1426,11 @@ const createGitlabProvider = (options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getOptionalString("audience");
     const baseUrl = audience || "https://gitlab.com";
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_a = options == null ? void 0 : options.authHandler) != null ? _a : gitlabDefaultAuthHandler;
     const signInResolverFn = (_c = (_b = options == null ? void 0 : options.signIn) == null ? void 0 : _b.resolver) != null ? _c : gitlabDefaultSignInResolver;
@@ -1414,7 +1453,8 @@ const createGitlabProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1536,16 +1576,18 @@ const createGoogleProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1569,7 +1611,8 @@ const createGoogleProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1693,6 +1736,7 @@ const createMicrosoftProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -1700,12 +1744,13 @@ const createMicrosoftProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const tenantId = envConfig.getString("tenantId");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
     const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1731,7 +1776,8 @@ const createMicrosoftProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1838,13 +1884,15 @@ const createOAuth2Provider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = envConfig.getString("authorizationUrl");
     const tokenUrl = envConfig.getString("tokenUrl");
     const scope = envConfig.getOptionalString("scope");
@@ -1852,7 +1900,7 @@ const createOAuth2Provider = (options) => {
     const disableRefresh = (_a = envConfig.getOptionalBoolean("disableRefresh")) != null ? _a : false;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -1880,7 +1928,8 @@ const createOAuth2Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2283,12 +2332,12 @@ class Oauth2ProxyAuthProvider {
     };
   }
 }
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer }) => {
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
   const signInResolver = options.signIn.resolver;
   const authHandler = options.authHandler;
   const catalogIdentityClient = new CatalogIdentityClient({
     catalogApi,
-    tokenIssuer
+    tokenManager
   });
   return new Oauth2ProxyAuthProvider({
     logger,
@@ -2412,20 +2461,22 @@ const createOidcProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const metadataUrl = envConfig.getString("metadataUrl");
     const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
     const scope = envConfig.getOptionalString("scope");
     const prompt = envConfig.getOptionalString("prompt");
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ userinfo }) => ({
       profile: {
@@ -2457,7 +2508,8 @@ const createOidcProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2579,6 +2631,7 @@ const createOktaProvider = (_options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2586,13 +2639,14 @@ const createOktaProvider = (_options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     if (!audience.startsWith("https://")) {
       throw new Error("URL for 'audience' must start with 'https://'.");
     }
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (_options == null ? void 0 : _options.authHandler) ? _options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2617,7 +2671,8 @@ const createOktaProvider = (_options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2712,6 +2767,7 @@ const createOneLoginProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
@@ -2719,10 +2775,11 @@ const createOneLoginProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
       profile: makeProfileInfo(fullProfile, params.id_token)
@@ -2742,7 +2799,8 @@ const createOneLoginProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2812,13 +2870,14 @@ const createSamlProvider = (options) => {
     globalConfig,
     config,
     tokenIssuer,
+    tokenManager,
     catalogApi,
     logger
   }) => {
     var _a, _b;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
       profile: {
@@ -2926,7 +2985,7 @@ class GcpIapProvider {
   }
 }
 function createGcpIapProvider(options) {
-  return ({ config, tokenIssuer, catalogApi, logger }) => {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
     var _a;
     const audience = config.getString("audience");
     const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
@@ -2934,7 +2993,7 @@ function createGcpIapProvider(options) {
     const tokenValidator = createTokenValidator(audience);
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
-      tokenIssuer
+      tokenManager
     });
     return new GcpIapProvider({
       authHandler,
@@ -2964,7 +3023,14 @@ const factories = {
 };
 
 async function createRouter(options) {
-  const { logger, config, discovery, database, providerFactories } = options;
+  const {
+    logger,
+    config,
+    discovery,
+    database,
+    tokenManager,
+    providerFactories
+  } = options;
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
   const authUrl = await discovery.getExternalBaseUrl("auth");
@@ -3007,9 +3073,14 @@ async function createRouter(options) {
       try {
         const provider = providerFactory({
           providerId,
-          globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
+          globalConfig: {
+            baseUrl: authUrl,
+            appUrl,
+            isOriginAllowed
+          },
           config: providersConfig.getConfig(providerId),
           logger,
+          tokenManager,
           tokenIssuer,
           discovery,
           catalogApi