@backstage/plugin-auth-backend 0.9.0-next.0 → 0.10.0

package/dist/index.cjs.js

@@ -20,17 +20,18 @@ var passportGithub2 = require('passport-github2');
 var passportGitlab2 = require('passport-gitlab2');
 var passportGoogleOauth20 = require('passport-google-oauth20');
 var passportMicrosoft = require('passport-microsoft');
-var uuid = require('uuid');
-var luxon = require('luxon');
-var backendCommon = require('@backstage/backend-common');
-var firestore = require('@google-cloud/firestore');
-var lodash = require('lodash');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
 var openidClient = require('openid-client');
 var passportOktaOauth = require('passport-okta-oauth');
 var passportOneloginOauth = require('passport-onelogin-oauth');
 var passportSaml = require('passport-saml');
 var googleAuthLibrary = require('google-auth-library');
 var catalogClient = require('@backstage/catalog-client');
+var uuid = require('uuid');
+var luxon = require('luxon');
+var backendCommon = require('@backstage/backend-common');
+var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -149,15 +150,14 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
-const getCookieConfig = (authUrl, providerId) => {
-  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+const defaultCookieConfigurer = ({
+  callbackUrl,
+  providerId
+}) => {
+  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
   const secure = protocol === "https:";
-  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return {
-    cookieDomain,
-    cookiePath,
-    secure
-  };
+  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return { domain, path, secure };
 };
 
 class OAuthEnvironmentHandler {
@@ -281,58 +281,54 @@ class OAuthAdapter {
     this.setNonceCookie = (res, nonce) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+        ...this.baseCookieOptions,
+        path: `${this.options.cookiePath}/handler`
       });
     };
-    this.setScopesCookie = (res, scope) => {
-      res.cookie(`${this.options.providerId}-scope`, scope, {
-        maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+    this.setGrantedScopeCookie = (res, scope) => {
+      res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+        maxAge: THOUSAND_DAYS_MS,
+        ...this.baseCookieOptions
       });
     };
-    this.getScopesFromCookie = (req, providerId) => {
-      return req.cookies[`${providerId}-scope`];
+    this.getGrantedScopeFromCookie = (req) => {
+      return req.cookies[`${this.options.providerId}-granted-scope`];
     };
     this.setRefreshTokenCookie = (res, refreshToken) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
     this.removeRefreshTokenCookie = (res) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
+    this.baseCookieOptions = {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: this.options.secure,
+      path: this.options.cookiePath,
+      domain: this.options.cookieDomain
+    };
   }
   static fromConfig(config, handlers, options) {
     var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
-    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
+    const cookieConfigurer = (_a = config.cookieConfigurer) != null ? _a : defaultCookieConfigurer;
+    const cookieConfig = cookieConfigurer({
+      providerId: options.providerId,
+      baseUrl: config.baseUrl,
+      callbackUrl: options.callbackUrl
+    });
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain,
-      cookiePath,
-      secure,
+      cookieDomain: cookieConfig.domain,
+      cookiePath: cookieConfig.path,
+      secure: cookieConfig.secure,
       isOriginAllowed: config.isOriginAllowed
     });
   }
@@ -344,12 +340,12 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
-    if (this.options.persistScopes) {
-      this.setScopesCookie(res, scope);
-    }
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
     const state = { nonce, env, origin };
+    if (this.options.persistScopes) {
+      state.scope = scope;
+    }
     const forwardReq = Object.assign(req, { scope, state });
     const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
@@ -374,9 +370,9 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
-      if (this.options.persistScopes) {
-        const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
-        response.providerInfo.scope = grantedScopes;
+      if (this.options.persistScopes && state.scope) {
+        this.setGrantedScopeCookie(res, state.scope);
+        response.providerInfo.scope = state.scope;
       }
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
@@ -414,7 +410,10 @@ class OAuthAdapter {
       if (!refreshToken) {
         throw new errors.InputError("Missing session cookie");
       }
-      const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      let scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      if (this.options.persistScopes) {
+        scope = this.getGrantedScopeFromCookie(req);
+      }
       const forwardReq = Object.assign(req, { scope, refreshToken });
       const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
@@ -718,7 +717,8 @@ const createAtlassianProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const scopes = envConfig.getString("scopes");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -736,9 +736,9 @@ const createAtlassianProvider = (options) => {
       tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -854,7 +854,8 @@ const createAuth0Provider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -877,7 +878,8 @@ const createAuth0Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1128,7 +1130,8 @@ const createBitbucketProvider = (options) => {
     var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1149,11 +1152,14 @@ const createBitbucketProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
 
+const ACCESS_TOKEN_PREFIX = "access-token.";
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
@@ -1181,21 +1187,43 @@ class GithubAuthProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    let refreshToken = privateInfo.refreshToken;
+    if (!refreshToken && !result.params.expires_in) {
+      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+    }
     return {
       response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+      refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { scope, refreshToken } = req;
+    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+      const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken).catch((error) => {
+        var _a;
+        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+          throw new Error("Invalid access token");
+        }
+        throw error;
+      });
+      return {
+        response: await this.handleResult({
+          fullProfile,
+          params: { scope },
+          accessToken
+        }),
+        refreshToken
+      };
+    }
+    const result = await executeRefreshTokenStrategy(this._strategy, refreshToken, scope);
     return {
       response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
+        fullProfile: await executeFetchUserProfileStrategy(this._strategy, result.accessToken),
+        params: { ...result.params, scope },
+        accessToken: result.accessToken
       }),
-      refreshToken
+      refreshToken: result.refreshToken
     };
   }
   async handleResult(result) {
@@ -1206,21 +1234,28 @@ class GithubAuthProvider {
     };
     const { profile } = await this.authHandler(result, context);
     const expiresInStr = result.params.expires_in;
-    const response = {
+    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+    let backstageIdentity = void 0;
+    if (this.signInResolver) {
+      backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+      if (expiresInSeconds) {
+        expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
+      } else {
+        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+      }
+    }
+    return {
+      backstageIdentity,
       providerInfo: {
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, context);
-    }
-    return response;
   }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
@@ -1392,7 +1427,8 @@ const createGitlabProvider = (options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getOptionalString("audience");
     const baseUrl = audience || "https://gitlab.com";
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1418,7 +1454,8 @@ const createGitlabProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1547,7 +1584,8 @@ const createGoogleProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1574,7 +1612,8 @@ const createGoogleProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1706,7 +1745,8 @@ const createMicrosoftProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const tenantId = envConfig.getString("tenantId");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
     const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
@@ -1737,7 +1777,8 @@ const createMicrosoftProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1851,7 +1892,8 @@ const createOAuth2Provider = (options) => {
     var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = envConfig.getString("authorizationUrl");
     const tokenUrl = envConfig.getString("tokenUrl");
     const scope = envConfig.getOptionalString("scope");
@@ -1887,447 +1929,108 @@ const createOAuth2Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
 
-function createOidcRouter(options) {
-  const { baseUrl, tokenIssuer } = options;
-  const router = Router__default["default"]();
-  const config = {
-    issuer: baseUrl,
-    token_endpoint: `${baseUrl}/v1/token`,
-    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
-    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-    response_types_supported: ["id_token"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: ["RS256"],
-    scopes_supported: ["openid"],
-    token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub"],
-    grant_types_supported: []
-  };
-  router.get("/.well-known/openid-configuration", (_req, res) => {
-    res.json(config);
-  });
-  router.get("/.well-known/jwks.json", async (_req, res) => {
-    const { keys } = await tokenIssuer.listPublicKeys();
-    res.json({ keys });
-  });
-  router.get("/v1/token", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  router.get("/v1/userinfo", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  return router;
-}
-
-const CLOCK_MARGIN_S = 10;
-class IdentityClient {
+const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+class Oauth2ProxyAuthProvider {
   constructor(options) {
-    this.discovery = options.discovery;
-    this.issuer = options.issuer;
-    this.keyStore = new jose.JWKS.KeyStore();
-    this.keyStoreUpdated = 0;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.tokenIssuer = options.tokenIssuer;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
   }
-  async authenticate(token) {
-    var _a;
-    if (!token) {
-      throw new errors.AuthenticationError("No token specified");
-    }
-    const key = await this.getKey(token);
-    if (!key) {
-      throw new errors.AuthenticationError("No signing key matching token found");
-    }
-    const decoded = jose.JWT.IdToken.verify(token, key, {
-      algorithms: ["ES256"],
-      audience: "backstage",
-      issuer: this.issuer
-    });
-    if (!decoded.sub) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    const user = {
-      id: decoded.sub,
-      token,
-      identity: {
-        type: "user",
-        userEntityRef: decoded.sub,
-        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
-      }
-    };
-    return user;
+  frameHandler() {
+    return Promise.resolve(void 0);
   }
-  static getBearerToken(authorizationHeader) {
-    if (typeof authorizationHeader !== "string") {
-      return void 0;
+  async refresh(req, res) {
+    try {
+      const result = this.getResult(req);
+      const response = await this.handleResult(result);
+      res.json(response);
+    } catch (e) {
+      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
+      res.status(401);
+      res.end();
     }
-    const matches = authorizationHeader.match(/Bearer\s+(\S+)/i);
-    return matches == null ? void 0 : matches[1];
   }
-  async getKey(rawJwtToken) {
-    const { header, payload } = jose.JWT.decode(rawJwtToken, {
-      complete: true
-    });
-    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
-    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!keyStoreHasKey && issuedAfterLastRefresh) {
-      await this.refreshKeyStore();
-    }
-    return this.keyStore.get({ kid: header.kid });
+  start() {
+    return Promise.resolve(void 0);
   }
-  async listPublicKeys() {
-    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
-    const response = await fetch__default["default"](url);
-    if (!response.ok) {
-      const payload = await response.text();
-      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
-      throw new Error(message);
-    }
-    const publicKeys = await response.json();
-    return publicKeys;
+  async handleResult(result) {
+    const ctx = {
+      logger: this.logger,
+      tokenIssuer: this.tokenIssuer,
+      catalogIdentityClient: this.catalogIdentityClient
+    };
+    const { profile } = await this.authHandler(result, ctx);
+    const backstageSignInResult = await this.signInResolver({
+      result,
+      profile
+    }, ctx);
+    return {
+      providerInfo: {
+        accessToken: result.accessToken
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
+      profile
+    };
   }
-  async refreshKeyStore() {
-    const now = Date.now() / 1e3;
-    const publicKeys = await this.listPublicKeys();
-    this.keyStore = jose.JWKS.asKeyStore({
-      keys: publicKeys.keys.map((key) => key)
-    });
-    this.keyStoreUpdated = now;
+  getResult(req) {
+    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+    const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
+    }
+    const decodedJWT = jose.JWT.decode(jwt);
+    return {
+      fullProfile: decodedJWT,
+      accessToken: jwt
+    };
   }
 }
+const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
+  const signInResolver = options.signIn.resolver;
+  const authHandler = options.authHandler;
+  const catalogIdentityClient = new CatalogIdentityClient({
+    catalogApi,
+    tokenManager
+  });
+  return new Oauth2ProxyAuthProvider({
+    logger,
+    signInResolver,
+    authHandler,
+    tokenIssuer,
+    catalogIdentityClient
+  });
+};
 
-const MS_IN_S = 1e3;
-class TokenFactory {
+class OidcAuthProvider {
   constructor(options) {
-    this.issuer = options.issuer;
+    this.implementation = this.setupStrategy(options);
+    this.scope = options.scope;
+    this.prompt = options.prompt;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
-    this.keyStore = options.keyStore;
-    this.keyDurationSeconds = options.keyDurationSeconds;
-  }
-  async issueToken(params) {
-    const key = await this.getKey();
-    const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
-    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
-      alg: key.alg,
-      kid: key.kid
-    });
   }
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
-        seconds: 3 * this.keyDurationSeconds
-      });
-      if (expireAt < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
-      this.keyStore.removeKeys(kids).catch((error) => {
-        this.logger.error(`Failed to remove expired keys, ${error}`);
-      });
+  async start(req) {
+    const { strategy } = await this.implementation;
+    const options = {
+      scope: req.scope || this.scope || "openid profile email",
+      state: encodeState(req.state)
+    };
+    const prompt = this.prompt || "none";
+    if (prompt !== "auto") {
+      options.prompt = prompt;
     }
-    return { keys: validKeys.map(({ key }) => key) };
-  }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
-        return this.privateKeyPromise;
-      }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = luxon.DateTime.utc().plus({
-      seconds: this.keyDurationSeconds
-    }).toJSDate();
-    const promise = (async () => {
-      const key = await jose.JWK.generate("EC", "P-256", {
-        use: "sig",
-        kid: uuid.v4(),
-        alg: "ES256"
-      });
-      this.logger.info(`Created new signing key ${key.kid}`);
-      await this.keyStore.addKey(key.toJWK(false));
-      return key;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
-    }
-    return promise;
-  }
-}
-
-const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
-const TABLE = "signing_keys";
-const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
-  if (!parsedDate.isValid) {
-    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
-  }
-  return parsedDate.toJSDate();
-};
-class DatabaseKeyStore {
-  static async create(options) {
-    const { database } = options;
-    await database.migrate.latest({
-      directory: migrationsDir
-    });
-    return new DatabaseKeyStore(options);
-  }
-  constructor(options) {
-    this.database = options.database;
-  }
-  async addKey(key) {
-    await this.database(TABLE).insert({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    });
-  }
-  async listKeys() {
-    const rows = await this.database(TABLE).select();
-    return {
-      items: rows.map((row) => ({
-        key: JSON.parse(row.key),
-        createdAt: parseDate(row.created_at)
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    await this.database(TABLE).delete().whereIn("kid", kids);
-  }
-}
-
-class MemoryKeyStore {
-  constructor() {
-    this.keys = /* @__PURE__ */ new Map();
-  }
-  async addKey(key) {
-    this.keys.set(key.kid, {
-      createdAt: luxon.DateTime.utc().toJSDate(),
-      key: JSON.stringify(key)
-    });
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      this.keys.delete(kid);
-    }
-  }
-  async listKeys() {
-    return {
-      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
-        createdAt,
-        key: JSON.parse(keyStr)
-      }))
-    };
-  }
-}
-
-const DEFAULT_TIMEOUT_MS = 1e4;
-const DEFAULT_DOCUMENT_PATH = "sessions";
-class FirestoreKeyStore {
-  constructor(database, path, timeout) {
-    this.database = database;
-    this.path = path;
-    this.timeout = timeout;
-  }
-  static async create(settings) {
-    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
-    const database = new firestore.Firestore(firestoreSettings);
-    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
-  }
-  static async verifyConnection(keyStore, logger) {
-    try {
-      await keyStore.verify();
-    } catch (error) {
-      if (process.env.NODE_ENV !== "development") {
-        throw new Error(`Failed to connect to database: ${error.message}`);
-      }
-      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
-    }
-  }
-  async addKey(key) {
-    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    }));
-  }
-  async listKeys() {
-    const keys = await this.withTimeout(this.database.collection(this.path).get());
-    return {
-      items: keys.docs.map((key) => ({
-        key: key.data(),
-        createdAt: key.createTime.toDate()
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
-    }
-  }
-  async withTimeout(operation) {
-    const timer = new Promise((_, reject) => setTimeout(() => {
-      reject(new Error(`Operation timed out after ${this.timeout}ms`));
-    }, this.timeout));
-    return Promise.race([operation, timer]);
-  }
-  async verify() {
-    await this.withTimeout(this.database.collection(this.path).limit(1).get());
-  }
-}
-
-class KeyStores {
-  static async fromConfig(config, options) {
-    var _a;
-    const { logger, database } = options != null ? options : {};
-    const ks = config.getOptionalConfig("auth.keyStore");
-    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
-    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
-    if (provider === "database") {
-      if (!database) {
-        throw new Error("This KeyStore provider requires a database");
-      }
-      return await DatabaseKeyStore.create({
-        database: await database.getClient()
-      });
-    }
-    if (provider === "memory") {
-      return new MemoryKeyStore();
-    }
-    if (provider === "firestore") {
-      const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
-        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
-        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
-        host: settings == null ? void 0 : settings.getOptionalString("host"),
-        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
-        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
-        path: settings == null ? void 0 : settings.getOptionalString("path"),
-        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      }, (value) => value !== void 0));
-      await FirestoreKeyStore.verifyConnection(keyStore, logger);
-      return keyStore;
-    }
-    throw new Error(`Unknown KeyStore provider: ${provider}`);
-  }
-}
-
-const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
-class Oauth2ProxyAuthProvider {
-  constructor(options) {
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-    this.tokenIssuer = options.tokenIssuer;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      this.logger.error(`Exception occurred during ${OAUTH2_PROXY_JWT_HEADER} refresh`, e);
-      res.status(401);
-      res.end();
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async handleResult(result) {
-    const ctx = {
-      logger: this.logger,
-      tokenIssuer: this.tokenIssuer,
-      catalogIdentityClient: this.catalogIdentityClient
-    };
-    const { profile } = await this.authHandler(result, ctx);
-    const backstageSignInResult = await this.signInResolver({
-      result,
-      profile
-    }, ctx);
-    return {
-      providerInfo: {
-        accessToken: result.accessToken
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageSignInResult),
-      profile
-    };
-  }
-  getResult(req) {
-    const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-    const jwt = IdentityClient.getBearerToken(authHeader);
-    if (!jwt) {
-      throw new errors.AuthenticationError(`Missing or in incorrect format - Oauth2Proxy OIDC header: ${OAUTH2_PROXY_JWT_HEADER}`);
-    }
-    const decodedJWT = jose.JWT.decode(jwt);
-    return {
-      fullProfile: decodedJWT,
-      accessToken: jwt
-    };
-  }
-}
-const createOauth2ProxyProvider = (options) => ({ catalogApi, logger, tokenIssuer, tokenManager }) => {
-  const signInResolver = options.signIn.resolver;
-  const authHandler = options.authHandler;
-  const catalogIdentityClient = new CatalogIdentityClient({
-    catalogApi,
-    tokenManager
-  });
-  return new Oauth2ProxyAuthProvider({
-    logger,
-    signInResolver,
-    authHandler,
-    tokenIssuer,
-    catalogIdentityClient
-  });
-};
-
-class OidcAuthProvider {
-  constructor(options) {
-    this.implementation = this.setupStrategy(options);
-    this.scope = options.scope;
-    this.prompt = options.prompt;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
-  }
-  async start(req) {
-    const { strategy } = await this.implementation;
-    const options = {
-      scope: req.scope || this.scope || "openid profile email",
-      state: encodeState(req.state)
-    };
-    const prompt = this.prompt || "none";
-    if (prompt !== "auto") {
-      options.prompt = prompt;
-    }
-    return await executeRedirectStrategy(req, strategy, options);
+    return await executeRedirectStrategy(req, strategy, options);
   }
   async handler(req) {
     const { strategy } = await this.implementation;
@@ -2426,7 +2129,8 @@ const createOidcProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const metadataUrl = envConfig.getString("metadataUrl");
     const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
     const scope = envConfig.getOptionalString("scope");
@@ -2465,7 +2169,8 @@ const createOidcProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2595,7 +2300,8 @@ const createOktaProvider = (_options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     if (!audience.startsWith("https://")) {
       throw new Error("URL for 'audience' must start with 'https://'.");
     }
@@ -2626,7 +2332,8 @@ const createOktaProvider = (_options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2690,290 +2397,557 @@ class OneLoginProvider {
     };
     const { profile } = await this.authHandler(result, context);
     const response = {
-      providerInfo: {
-        idToken: result.params.id_token,
-        accessToken: result.accessToken,
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in
-      },
-      profile
+      providerInfo: {
+        idToken: result.params.id_token,
+        accessToken: result.accessToken,
+        scope: result.params.scope,
+        expiresInSeconds: result.params.expires_in
+      },
+      profile
+    };
+    if (this.signInResolver) {
+      response.backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+    }
+    return response;
+  }
+}
+const defaultSignInResolver = async (info) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("OIDC profile contained no email");
+  }
+  const id = profile.email.split("@")[0];
+  return { id, token: "" };
+};
+const createOneLoginProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    tokenManager,
+    catalogApi,
+    logger
+  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
+    var _a, _b;
+    const clientId = envConfig.getString("clientId");
+    const clientSecret = envConfig.getString("clientSecret");
+    const issuer = envConfig.getString("issuer");
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenManager
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
+      profile: makeProfileInfo(fullProfile, params.id_token)
+    });
+    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
+    const provider = new OneLoginProvider({
+      clientId,
+      clientSecret,
+      callbackUrl,
+      issuer,
+      authHandler,
+      signInResolver,
+      tokenIssuer,
+      catalogIdentityClient,
+      logger
+    });
+    return OAuthAdapter.fromConfig(globalConfig, provider, {
+      disableRefresh: false,
+      providerId,
+      tokenIssuer,
+      callbackUrl
+    });
+  });
+};
+
+class SamlAuthProvider {
+  constructor(options) {
+    this.appUrl = options.appUrl;
+    this.signInResolver = options.signInResolver;
+    this.authHandler = options.authHandler;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
+      done(void 0, { fullProfile });
+    });
+  }
+  async start(req, res) {
+    const { url } = await executeRedirectStrategy(req, this.strategy, {});
+    res.redirect(url);
+  }
+  async frameHandler(req, res) {
+    try {
+      const context = {
+        logger: this.logger,
+        catalogIdentityClient: this.catalogIdentityClient,
+        tokenIssuer: this.tokenIssuer
+      };
+      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
+      const { profile } = await this.authHandler(result, context);
+      const response = {
+        profile,
+        providerInfo: {}
+      };
+      if (this.signInResolver) {
+        const signInResponse = await this.signInResolver({
+          result,
+          profile
+        }, context);
+        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
+      }
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        response
+      });
+    } catch (error) {
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
+      return postMessageResponse(res, this.appUrl, {
+        type: "authorization_response",
+        error: { name, message }
+      });
+    }
+  }
+  async logout(_req, res) {
+    res.end();
+  }
+}
+const samlDefaultSignInResolver = async (info, ctx) => {
+  const id = info.result.fullProfile.nameID;
+  const token = await ctx.tokenIssuer.issueToken({
+    claims: { sub: id }
+  });
+  return { id, token };
+};
+const createSamlProvider = (options) => {
+  return ({
+    providerId,
+    globalConfig,
+    config,
+    tokenIssuer,
+    tokenManager,
+    catalogApi,
+    logger
+  }) => {
+    var _a, _b;
+    const catalogIdentityClient = new CatalogIdentityClient({
+      catalogApi,
+      tokenManager
+    });
+    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
+      profile: {
+        email: fullProfile.email,
+        displayName: fullProfile.displayName
+      }
+    });
+    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
+    const signInResolver = (info) => signInResolverFn(info, {
+      catalogIdentityClient,
+      tokenIssuer,
+      logger
+    });
+    return new SamlAuthProvider({
+      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
+      entryPoint: config.getString("entryPoint"),
+      logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
+      issuer: config.getString("issuer"),
+      cert: config.getString("cert"),
+      privateKey: config.getOptionalString("privateKey"),
+      authnContext: config.getOptionalStringArray("authnContext"),
+      identifierFormat: config.getOptionalString("identifierFormat"),
+      decryptionPvk: config.getOptionalString("decryptionPvk"),
+      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
+      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
+      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
+      tokenIssuer,
+      appUrl: globalConfig.appUrl,
+      authHandler,
+      signInResolver,
+      logger,
+      catalogIdentityClient
+    });
+  };
+};
+
+const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
+function createTokenValidator(audience, mockClient) {
+  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
+  return async function tokenValidator(token) {
+    const response = await client.getIapPublicKeys();
+    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
+    const payload = ticket.getPayload();
+    if (!payload) {
+      throw new TypeError("Token had no payload");
+    }
+    return payload;
+  };
+}
+async function parseRequestToken(jwtToken, tokenValidator) {
+  if (typeof jwtToken !== "string" || !jwtToken) {
+    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
+  }
+  let payload;
+  try {
+    payload = await tokenValidator(jwtToken);
+  } catch (e) {
+    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+  }
+  if (!payload.sub || !payload.email) {
+    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
+  }
+  return {
+    iapToken: {
+      ...payload,
+      sub: payload.sub,
+      email: payload.email
+    }
+  };
+}
+const defaultAuthHandler = async ({
+  iapToken
+}) => ({ profile: { email: iapToken.email } });
+
+class GcpIapProvider {
+  constructor(options) {
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.tokenValidator = options.tokenValidator;
+    this.tokenIssuer = options.tokenIssuer;
+    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.logger = options.logger;
+  }
+  async start() {
+  }
+  async frameHandler() {
+  }
+  async refresh(req, res) {
+    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
+    const context = {
+      logger: this.logger,
+      catalogIdentityClient: this.catalogIdentityClient,
+      tokenIssuer: this.tokenIssuer
+    };
+    const { profile } = await this.authHandler(result, context);
+    const backstageIdentity = await this.signInResolver({ profile, result }, context);
+    const response = {
+      providerInfo: { iapToken: result.iapToken },
+      profile,
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, context);
-    }
-    return response;
+    res.json(response);
   }
 }
-const defaultSignInResolver = async (info) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("OIDC profile contained no email");
-  }
-  const id = profile.email.split("@")[0];
-  return { id, token: "" };
-};
-const createOneLoginProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
-    const clientId = envConfig.getString("clientId");
-    const clientSecret = envConfig.getString("clientSecret");
-    const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+function createGcpIapProvider(options) {
+  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
+    var _a;
+    const audience = config.getString("audience");
+    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
+    const signInResolver = options.signIn.resolver;
+    const tokenValidator = createTokenValidator(audience);
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
     });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
-      profile: makeProfileInfo(fullProfile, params.id_token)
-    });
-    const signInResolver = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : defaultSignInResolver;
-    const provider = new OneLoginProvider({
-      clientId,
-      clientSecret,
-      callbackUrl,
-      issuer,
+    return new GcpIapProvider({
       authHandler,
       signInResolver,
+      tokenValidator,
       tokenIssuer,
       catalogIdentityClient,
       logger
     });
-    return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: false,
-      providerId,
-      tokenIssuer
-    });
-  });
+  };
+}
+
+const factories = {
+  google: createGoogleProvider(),
+  github: createGithubProvider(),
+  gitlab: createGitlabProvider(),
+  saml: createSamlProvider(),
+  okta: createOktaProvider(),
+  auth0: createAuth0Provider(),
+  microsoft: createMicrosoftProvider(),
+  oauth2: createOAuth2Provider(),
+  oidc: createOidcProvider(),
+  onelogin: createOneLoginProvider(),
+  awsalb: createAwsAlbProvider(),
+  bitbucket: createBitbucketProvider(),
+  atlassian: createAtlassianProvider()
 };
 
-class SamlAuthProvider {
+function createOidcRouter(options) {
+  const { baseUrl, tokenIssuer } = options;
+  const router = Router__default["default"]();
+  const config = {
+    issuer: baseUrl,
+    token_endpoint: `${baseUrl}/v1/token`,
+    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
+    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+    response_types_supported: ["id_token"],
+    subject_types_supported: ["public"],
+    id_token_signing_alg_values_supported: ["RS256"],
+    scopes_supported: ["openid"],
+    token_endpoint_auth_methods_supported: [],
+    claims_supported: ["sub"],
+    grant_types_supported: []
+  };
+  router.get("/.well-known/openid-configuration", (_req, res) => {
+    res.json(config);
+  });
+  router.get("/.well-known/jwks.json", async (_req, res) => {
+    const { keys } = await tokenIssuer.listPublicKeys();
+    res.json({ keys });
+  });
+  router.get("/v1/token", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  router.get("/v1/userinfo", (_req, res) => {
+    res.status(501).send("Not Implemented");
+  });
+  return router;
+}
+
+const MS_IN_S = 1e3;
+class TokenFactory {
   constructor(options) {
-    this.appUrl = options.appUrl;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
+    this.issuer = options.issuer;
     this.logger = options.logger;
-    this.strategy = new passportSaml.Strategy({ ...options }, (fullProfile, done) => {
-      done(void 0, { fullProfile });
+    this.keyStore = options.keyStore;
+    this.keyDurationSeconds = options.keyDurationSeconds;
+  }
+  async issueToken(params) {
+    const key = await this.getKey();
+    const iss = this.issuer;
+    const sub = params.claims.sub;
+    const ent = params.claims.ent;
+    const aud = "backstage";
+    const iat = Math.floor(Date.now() / MS_IN_S);
+    const exp = iat + this.keyDurationSeconds;
+    this.logger.info(`Issuing token for ${sub}, with entities ${ent != null ? ent : []}`);
+    return jose.JWS.sign({ iss, sub, aud, iat, exp, ent }, key, {
+      alg: key.alg,
+      kid: key.kid
     });
   }
-  async start(req, res) {
-    const { url } = await executeRedirectStrategy(req, this.strategy, {});
-    res.redirect(url);
+  async listPublicKeys() {
+    const { items: keys } = await this.keyStore.listKeys();
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
+        seconds: 3 * this.keyDurationSeconds
+      });
+      if (expireAt < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
+    }
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
+      this.keyStore.removeKeys(kids).catch((error) => {
+        this.logger.error(`Failed to remove expired keys, ${error}`);
+      });
+    }
+    return { keys: validKeys.map(({ key }) => key) };
   }
-  async frameHandler(req, res) {
-    try {
-      const context = {
-        logger: this.logger,
-        catalogIdentityClient: this.catalogIdentityClient,
-        tokenIssuer: this.tokenIssuer
-      };
-      const { result } = await executeFrameHandlerStrategy(req, this.strategy);
-      const { profile } = await this.authHandler(result, context);
-      const response = {
-        profile,
-        providerInfo: {}
-      };
-      if (this.signInResolver) {
-        const signInResponse = await this.signInResolver({
-          result,
-          profile
-        }, context);
-        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
+  async getKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
+        return this.privateKeyPromise;
       }
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        response
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = luxon.DateTime.utc().plus({
+      seconds: this.keyDurationSeconds
+    }).toJSDate();
+    const promise = (async () => {
+      const key = await jose.JWK.generate("EC", "P-256", {
+        use: "sig",
+        kid: uuid.v4(),
+        alg: "ES256"
       });
+      this.logger.info(`Created new signing key ${key.kid}`);
+      await this.keyStore.addKey(key.toJWK(false));
+      return key;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
     } catch (error) {
-      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        error: { name, message }
-      });
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
     }
+    return promise;
+  }
+}
+
+const migrationsDir = backendCommon.resolvePackagePath("@backstage/plugin-auth-backend", "migrations");
+const TABLE = "signing_keys";
+const parseDate = (date) => {
+  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
+  if (!parsedDate.isValid) {
+    throw new Error(`Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`);
+  }
+  return parsedDate.toJSDate();
+};
+class DatabaseKeyStore {
+  static async create(options) {
+    const { database } = options;
+    await database.migrate.latest({
+      directory: migrationsDir
+    });
+    return new DatabaseKeyStore(options);
+  }
+  constructor(options) {
+    this.database = options.database;
+  }
+  async addKey(key) {
+    await this.database(TABLE).insert({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    });
+  }
+  async listKeys() {
+    const rows = await this.database(TABLE).select();
+    return {
+      items: rows.map((row) => ({
+        key: JSON.parse(row.key),
+        createdAt: parseDate(row.created_at)
+      }))
+    };
   }
-  async logout(_req, res) {
-    res.end();
+  async removeKeys(kids) {
+    await this.database(TABLE).delete().whereIn("kid", kids);
   }
 }
-const samlDefaultSignInResolver = async (info, ctx) => {
-  const id = info.result.fullProfile.nameID;
-  const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: id }
-  });
-  return { id, token };
-};
-const createSamlProvider = (options) => {
-  return ({
-    providerId,
-    globalConfig,
-    config,
-    tokenIssuer,
-    tokenManager,
-    catalogApi,
-    logger
-  }) => {
-    var _a, _b;
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-      profile: {
-        email: fullProfile.email,
-        displayName: fullProfile.displayName
-      }
-    });
-    const signInResolverFn = (_b = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver) != null ? _b : samlDefaultSignInResolver;
-    const signInResolver = (info) => signInResolverFn(info, {
-      catalogIdentityClient,
-      tokenIssuer,
-      logger
-    });
-    return new SamlAuthProvider({
-      callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
-      entryPoint: config.getString("entryPoint"),
-      logoutUrl: config.getOptionalString("logoutUrl"),
-      audience: config.getOptionalString("audience"),
-      issuer: config.getString("issuer"),
-      cert: config.getString("cert"),
-      privateKey: config.getOptionalString("privateKey"),
-      authnContext: config.getOptionalStringArray("authnContext"),
-      identifierFormat: config.getOptionalString("identifierFormat"),
-      decryptionPvk: config.getOptionalString("decryptionPvk"),
-      signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
-      digestAlgorithm: config.getOptionalString("digestAlgorithm"),
-      acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
-      tokenIssuer,
-      appUrl: globalConfig.appUrl,
-      authHandler,
-      signInResolver,
-      logger,
-      catalogIdentityClient
-    });
-  };
-};
-
-const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 
-function createTokenValidator(audience, mockClient) {
-  const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
-  return async function tokenValidator(token) {
-    const response = await client.getIapPublicKeys();
-    const ticket = await client.verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, ["https://cloud.google.com/iap"]);
-    const payload = ticket.getPayload();
-    if (!payload) {
-      throw new TypeError("Token had no payload");
-    }
-    return payload;
-  };
-}
-async function parseRequestToken(jwtToken, tokenValidator) {
-  if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError(`Missing Google IAP header: ${IAP_JWT_HEADER}`);
-  }
-  let payload;
-  try {
-    payload = await tokenValidator(jwtToken);
-  } catch (e) {
-    throw new errors.AuthenticationError(`Google IAP token verification failed, ${e}`);
+class MemoryKeyStore {
+  constructor() {
+    this.keys = /* @__PURE__ */ new Map();
   }
-  if (!payload.sub || !payload.email) {
-    throw new errors.AuthenticationError("Google IAP token payload is missing sub and/or email claim");
+  async addKey(key) {
+    this.keys.set(key.kid, {
+      createdAt: luxon.DateTime.utc().toJSDate(),
+      key: JSON.stringify(key)
+    });
   }
-  return {
-    iapToken: {
-      ...payload,
-      sub: payload.sub,
-      email: payload.email
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      this.keys.delete(kid);
     }
-  };
+  }
+  async listKeys() {
+    return {
+      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
+        createdAt,
+        key: JSON.parse(keyStr)
+      }))
+    };
+  }
 }
-const defaultAuthHandler = async ({
-  iapToken
-}) => ({ profile: { email: iapToken.email } });
 
-class GcpIapProvider {
-  constructor(options) {
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.tokenValidator = options.tokenValidator;
-    this.tokenIssuer = options.tokenIssuer;
-    this.catalogIdentityClient = options.catalogIdentityClient;
-    this.logger = options.logger;
+const DEFAULT_TIMEOUT_MS = 1e4;
+const DEFAULT_DOCUMENT_PATH = "sessions";
+class FirestoreKeyStore {
+  constructor(database, path, timeout) {
+    this.database = database;
+    this.path = path;
+    this.timeout = timeout;
   }
-  async start() {
+  static async create(settings) {
+    const { path, timeout, ...firestoreSettings } = settings != null ? settings : {};
+    const database = new firestore.Firestore(firestoreSettings);
+    return new FirestoreKeyStore(database, path != null ? path : DEFAULT_DOCUMENT_PATH, timeout != null ? timeout : DEFAULT_TIMEOUT_MS);
   }
-  async frameHandler() {
+  static async verifyConnection(keyStore, logger) {
+    try {
+      await keyStore.verify();
+    } catch (error) {
+      if (process.env.NODE_ENV !== "development") {
+        throw new Error(`Failed to connect to database: ${error.message}`);
+      }
+      logger == null ? void 0 : logger.warn(`Failed to connect to database: ${error.message}`);
+    }
   }
-  async refresh(req, res) {
-    const result = await parseRequestToken(req.header(IAP_JWT_HEADER), this.tokenValidator);
-    const context = {
-      logger: this.logger,
-      catalogIdentityClient: this.catalogIdentityClient,
-      tokenIssuer: this.tokenIssuer
-    };
-    const { profile } = await this.authHandler(result, context);
-    const backstageIdentity = await this.signInResolver({ profile, result }, context);
-    const response = {
-      providerInfo: { iapToken: result.iapToken },
-      profile,
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity)
+  async addKey(key) {
+    await this.withTimeout(this.database.collection(this.path).doc(key.kid).set({
+      kid: key.kid,
+      key: JSON.stringify(key)
+    }));
+  }
+  async listKeys() {
+    const keys = await this.withTimeout(this.database.collection(this.path).get());
+    return {
+      items: keys.docs.map((key) => ({
+        key: key.data(),
+        createdAt: key.createTime.toDate()
+      }))
     };
-    res.json(response);
+  }
+  async removeKeys(kids) {
+    for (const kid of kids) {
+      await this.withTimeout(this.database.collection(this.path).doc(kid).delete());
+    }
+  }
+  async withTimeout(operation) {
+    const timer = new Promise((_, reject) => setTimeout(() => {
+      reject(new Error(`Operation timed out after ${this.timeout}ms`));
+    }, this.timeout));
+    return Promise.race([operation, timer]);
+  }
+  async verify() {
+    await this.withTimeout(this.database.collection(this.path).limit(1).get());
   }
 }
-function createGcpIapProvider(options) {
-  return ({ config, tokenIssuer, catalogApi, logger, tokenManager }) => {
+
+class KeyStores {
+  static async fromConfig(config, options) {
     var _a;
-    const audience = config.getString("audience");
-    const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler;
-    const signInResolver = options.signIn.resolver;
-    const tokenValidator = createTokenValidator(audience);
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi,
-      tokenManager
-    });
-    return new GcpIapProvider({
-      authHandler,
-      signInResolver,
-      tokenValidator,
-      tokenIssuer,
-      catalogIdentityClient,
-      logger
-    });
-  };
+    const { logger, database } = options != null ? options : {};
+    const ks = config.getOptionalConfig("auth.keyStore");
+    const provider = (_a = ks == null ? void 0 : ks.getOptionalString("provider")) != null ? _a : "database";
+    logger == null ? void 0 : logger.info(`Configuring "${provider}" as KeyStore provider`);
+    if (provider === "database") {
+      if (!database) {
+        throw new Error("This KeyStore provider requires a database");
+      }
+      return await DatabaseKeyStore.create({
+        database: await database.getClient()
+      });
+    }
+    if (provider === "memory") {
+      return new MemoryKeyStore();
+    }
+    if (provider === "firestore") {
+      const settings = ks == null ? void 0 : ks.getConfig(provider);
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
+        projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
+        keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
+        host: settings == null ? void 0 : settings.getOptionalString("host"),
+        port: settings == null ? void 0 : settings.getOptionalNumber("port"),
+        ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
+        path: settings == null ? void 0 : settings.getOptionalString("path"),
+        timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
+      }, (value) => value !== void 0));
+      await FirestoreKeyStore.verifyConnection(keyStore, logger);
+      return keyStore;
+    }
+    throw new Error(`Unknown KeyStore provider: ${provider}`);
+  }
 }
 
-const factories = {
-  google: createGoogleProvider(),
-  github: createGithubProvider(),
-  gitlab: createGitlabProvider(),
-  saml: createSamlProvider(),
-  okta: createOktaProvider(),
-  auth0: createAuth0Provider(),
-  microsoft: createMicrosoftProvider(),
-  oauth2: createOAuth2Provider(),
-  oidc: createOidcProvider(),
-  onelogin: createOneLoginProvider(),
-  awsalb: createAwsAlbProvider(),
-  bitbucket: createBitbucketProvider(),
-  atlassian: createAtlassianProvider()
-};
-
 async function createRouter(options) {
   const {
     logger,
@@ -3025,7 +2999,11 @@ async function createRouter(options) {
       try {
         const provider = providerFactory({
           providerId,
-          globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
+          globalConfig: {
+            baseUrl: authUrl,
+            appUrl,
+            isOriginAllowed
+          },
           config: providersConfig.getConfig(providerId),
           logger,
           tokenManager,
@@ -3085,7 +3063,6 @@ function createOriginFilter(config) {
 }
 
 exports.CatalogIdentityClient = CatalogIdentityClient;
-exports.IdentityClient = IdentityClient;
 exports.OAuthAdapter = OAuthAdapter;
 exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
 exports.bitbucketUserIdSignInResolver = bitbucketUserIdSignInResolver;