@axa-fr/oidc-client
Version:
OpenID Connect & OAuth authentication using native javascript only, compatible with angular, react, vue, svelte, next, etc.
2 lines • 52 kB
JavaScript
(function(I,W){typeof exports=="object"&&typeof module<"u"?W(exports):typeof define=="function"&&define.amd?define(["exports"],W):(I=typeof globalThis<"u"?globalThis:I||self,W(I["oidc-client"]={}))})(this,function(I){"use strict";class W{open(n){window.location.href=n}reload(){window.location.reload()}getCurrentHref(){return window.location.href}getPath(){const n=window.location;return n.pathname+(n.search||"")+(n.hash||"")}getOrigin(){return window.origin}}const ue=2e3,$=console;class xe{constructor(n,t,s,o=ue,i=!0){this._callback=n,this._client_id=t,this._url=s,this._interval=o||ue,this._stopOnError=i;const r=s.indexOf("/",s.indexOf("//")+2);this._frame_origin=s.substring(0,r),this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="absolute",this._frame.style.display="none",this._frame.width=0,this._frame.height=0,this._frame.src=s}load(){return new Promise(n=>{this._frame.onload=()=>{n()},window.document.body.appendChild(this._frame),this._boundMessageEvent=this._message.bind(this),window.addEventListener("message",this._boundMessageEvent,!1)})}_message(n){n.origin===this._frame_origin&&n.source===this._frame.contentWindow&&(n.data==="error"?($.error("CheckSessionIFrame: error message from check session op iframe"),this._stopOnError&&this.stop()):n.data==="changed"?($.debug(n),$.debug("CheckSessionIFrame: changed message from check session op iframe"),this.stop(),this._callback()):$.debug("CheckSessionIFrame: "+n.data+" message from check session op iframe"))}start(n){$.debug("CheckSessionIFrame.start :"+n),this.stop();const t=()=>{this._frame.contentWindow.postMessage(this._client_id+" "+n,this._frame_origin)};t(),this._timer=window.setInterval(t,this._interval)}stop(){this._timer&&($.debug("CheckSessionIFrame.stop"),window.clearInterval(this._timer),this._timer=null)}}const k={service_worker_not_supported_by_browser:"service_worker_not_supported_by_browser",token_acquired:"token_acquired",logout_from_another_tab:"logout_from_another_tab",logout_from_same_tab:"logout_from_same_tab",token_renewed:"token_renewed",token_timer:"token_timer",loginAsync_begin:"loginAsync_begin",loginAsync_error:"loginAsync_error",loginCallbackAsync_begin:"loginCallbackAsync_begin",loginCallbackAsync_end:"loginCallbackAsync_end",loginCallbackAsync_error:"loginCallbackAsync_error",refreshTokensAsync_begin:"refreshTokensAsync_begin",refreshTokensAsync:"refreshTokensAsync",refreshTokensAsync_end:"refreshTokensAsync_end",refreshTokensAsync_error:"refreshTokensAsync_error",refreshTokensAsync_silent_error:"refreshTokensAsync_silent_error",tryKeepExistingSessionAsync_begin:"tryKeepExistingSessionAsync_begin",tryKeepExistingSessionAsync_end:"tryKeepExistingSessionAsync_end",tryKeepExistingSessionAsync_error:"tryKeepExistingSessionAsync_error",silentLoginAsync_begin:"silentLoginAsync_begin",silentLoginAsync:"silentLoginAsync",silentLoginAsync_end:"silentLoginAsync_end",silentLoginAsync_error:"silentLoginAsync_error",syncTokensAsync_begin:"syncTokensAsync_begin",syncTokensAsync_lock_not_available:"syncTokensAsync_lock_not_available",syncTokensAsync_end:"syncTokensAsync_end",syncTokensAsync_error:"syncTokensAsync_error",tokensInvalidAndWaitingActionsToRefresh:"tokensInvalidAndWaitingActionsToRefresh"},C=(e,n=sessionStorage)=>{const t=g=>(n[`oidc.${e}`]=JSON.stringify({tokens:null,status:g}),Promise.resolve()),s=async()=>{if(!n[`oidc.${e}`])return n[`oidc.${e}`]=JSON.stringify({tokens:null,status:null}),{tokens:null,status:null};const g=JSON.parse(n[`oidc.${e}`]);return Promise.resolve({tokens:g.tokens,status:g.status})},o=g=>{n[`oidc.${e}`]=JSON.stringify({tokens:g})},i=async g=>{n[`oidc.session_state.${e}`]=g},r=async()=>n[`oidc.session_state.${e}`],a=g=>{n[`oidc.nonce.${e}`]=g.nonce},c=g=>{n[`oidc.jwk.${e}`]=JSON.stringify(g)},l=()=>JSON.parse(n[`oidc.jwk.${e}`]),d=async()=>({nonce:n[`oidc.nonce.${e}`]}),u=async g=>{n[`oidc.dpop_nonce.${e}`]=g},_=()=>n[`oidc.dpop_nonce.${e}`],f=()=>n[`oidc.${e}`]?JSON.stringify({tokens:JSON.parse(n[`oidc.${e}`]).tokens}):null,y={};return{clearAsync:t,initAsync:s,setTokens:o,getTokens:f,setSessionStateAsync:i,getSessionStateAsync:r,setNonceAsync:a,getNonceAsync:d,setLoginParams:g=>{y[e]=g,n[`oidc.login.${e}`]=JSON.stringify(g)},getLoginParams:()=>{const g=n[`oidc.login.${e}`];return g?(y[e]||(y[e]=JSON.parse(g)),y[e]):(console.warn(`storage[oidc.login.${e}] is empty, you should have an bad OIDC or code configuration somewhere.`),null)},getStateAsync:async()=>n[`oidc.state.${e}`],setStateAsync:async g=>{n[`oidc.state.${e}`]=g},getCodeVerifierAsync:async()=>n[`oidc.code_verifier.${e}`],setCodeVerifierAsync:async g=>{n[`oidc.code_verifier.${e}`]=g},setDemonstratingProofOfPossessionNonce:u,getDemonstratingProofOfPossessionNonce:_,setDemonstratingProofOfPossessionJwkAsync:c,getDemonstratingProofOfPossessionJwkAsync:l}};var U=(e=>(e.AutomaticBeforeTokenExpiration="AutomaticBeforeTokensExpiration",e.AutomaticOnlyWhenFetchExecuted="AutomaticOnlyWhenFetchExecuted",e))(U||{});const We=e=>decodeURIComponent(Array.prototype.map.call(atob(e),n=>"%"+("00"+n.charCodeAt(0).toString(16)).slice(-2)).join("")),Le=e=>JSON.parse(We(e.replaceAll(/-/g,"+").replaceAll(/_/g,"/"))),_e=e=>{try{return e&&De(e,".")===2?Le(e.split(".")[1]):null}catch(n){console.warn(n)}return null},De=(e,n)=>e.split(n).length-1,j={access_token_or_id_token_invalid:"access_token_or_id_token_invalid",access_token_invalid:"access_token_invalid",id_token_invalid:"id_token_invalid"};function Re(e,n,t){if(e.issuedAt){if(typeof e.issuedAt=="string")return parseInt(e.issuedAt,10)}else return n&&n.iat?n.iat:t&&t.iat?t.iat:new Date().getTime()/1e3;return e.issuedAt}const z=(e,n=null,t)=>{if(!e)return null;let s;const o=typeof e.expiresIn=="string"?parseInt(e.expiresIn,10):e.expiresIn;e.accessTokenPayload!==void 0?s=e.accessTokenPayload:s=_e(e.accessToken);let i;n!=null&&"idToken"in n&&!("idToken"in e)?i=n.idToken:i=e.idToken;const r=e.idTokenPayload?e.idTokenPayload:_e(i),a=r&&r.exp?r.exp:Number.MAX_VALUE,c=s&&s.exp?s.exp:e.issuedAt+o;e.issuedAt=Re(e,s,r);let l;e.expiresAt?l=e.expiresAt:t===j.access_token_invalid?l=c:t===j.id_token_invalid?l=a:l=a<c?a:c;const d={...e,idTokenPayload:r,accessTokenPayload:s,expiresAt:l,idToken:i};if(n!=null&&"refreshToken"in n&&!("refreshToken"in e)){const u=n.refreshToken;return{...d,refreshToken:u}}return d},Q=(e,n,t)=>{if(!e)return null;if(!e.issued_at){const o=new Date().getTime()/1e3;e.issued_at=o}const s={accessToken:e.access_token,expiresIn:e.expires_in,idToken:e.id_token,scope:e.scope,tokenType:e.token_type,issuedAt:e.issued_at};return"refresh_token"in e&&(s.refreshToken=e.refresh_token),e.accessTokenPayload!==void 0&&(s.accessTokenPayload=e.accessTokenPayload),e.idTokenPayload!==void 0&&(s.idTokenPayload=e.idTokenPayload),z(s,n,t)},M=(e,n)=>{const t=new Date().getTime()/1e3,s=n-t;return Math.round(s-e)},fe=(e,n=0)=>e?M(n,e.expiresAt)>0:!1,de=async(e,n=200,t=50)=>{let s=t;if(!e.getTokens())return null;for(;!fe(e.getTokens(),e.configuration.refresh_time_before_tokens_expiration_in_second)&&s>0;){if(e.configuration.token_automatic_renew_mode==U.AutomaticOnlyWhenFetchExecuted){await e.renewTokensAsync({});break}else await ee({milliseconds:n});s=s-1}return{isTokensValid:fe(e.getTokens()),tokens:e.getTokens(),numberWaited:s-t}},he=(e,n,t)=>{if(e.idTokenPayload){const s=e.idTokenPayload;if(t.issuer!==s.iss)return{isValid:!1,reason:`Issuer does not match (oidcServerConfiguration issuer) ${t.issuer} !== (idTokenPayload issuer) ${s.iss}`};const o=new Date().getTime()/1e3;if(s.exp&&s.exp<o)return{isValid:!1,reason:`Token expired (idTokenPayload exp) ${s.exp} < (currentTimeUnixSecond) ${o}`};const i=60*60*24*7;if(s.iat&&s.iat+i<o)return{isValid:!1,reason:`Token is used from too long time (idTokenPayload iat + timeInSevenDays) ${s.iat+i} < (currentTimeUnixSecond) ${o}`};if(s.nonce&&s.nonce!==n)return{isValid:!1,reason:`Nonce does not match (idTokenPayload nonce) ${s.nonce} !== (nonce) ${n}`}}return{isValid:!0,reason:""}},K=function(){const e=typeof window>"u"?global:window;return{setTimeout:setTimeout.bind(e),clearTimeout:clearTimeout.bind(e),setInterval:setInterval.bind(e),clearInterval:clearInterval.bind(e)}}(),Z="7.25.13";let ye=null,G;const ee=({milliseconds:e})=>new Promise(n=>K.setTimeout(n,e)),ge=(e="/")=>{try{G=new AbortController,fetch(`${e}OidcKeepAliveServiceWorker.json?minSleepSeconds=150`,{signal:G.signal}).catch(s=>{console.log(s)}),ee({milliseconds:150*1e3}).then(ge)}catch(n){console.log(n)}},ne=()=>{G&&G.abort()},ke=e=>{const n=sessionStorage.getItem(`oidc.tabId.${e}`);if(n)return n;const t=globalThis.crypto.randomUUID();return sessionStorage.setItem(`oidc.tabId.${e}`,t),t},E=e=>n=>new Promise(function(t,s){const o=new MessageChannel;o.port1.onmessage=function(i){i!=null&&i.data.error?s(i.data.error):t(i.data),o.port1.close(),o.port2.close()},e.active.postMessage({...n,tabId:ke(n.configurationName)},[o.port2])}),N=async(e,n)=>{const t=e.service_worker_relative_url;if(typeof window>"u"||typeof navigator>"u"||!navigator.serviceWorker||!t||e.service_worker_activate()===!1)return null;const s=`${t}?v=${Z}`;let o=null;e.service_worker_register?o=await e.service_worker_register(t):o=await navigator.serviceWorker.register(s,{updateViaCache:"none"}),o.addEventListener("updatefound",()=>{const h=o.installing;ne(),h==null||h.addEventListener("statechange",()=>{h.state==="installed"&&navigator.serviceWorker.controller&&(ne(),console.log("New SW waiting – skipWaiting()"),h.postMessage({type:"SKIP_WAITING"}))})}),navigator.serviceWorker.addEventListener("controllerchange",()=>{console.log("SW controller changed – reloading page"),ne(),window.location.reload()});try{await navigator.serviceWorker.ready,navigator.serviceWorker.controller||await E(o)({type:"claim"})}catch(h){return console.warn(`Failed init ServiceWorker ${h.toString()}`),null}const i=async h=>E(o)({type:"clear",data:{status:h},configurationName:n}),r=async(h,O,S)=>{const m=await E(o)({type:"init",data:{oidcServerConfiguration:h,where:O,oidcConfiguration:{token_renew_mode:S.token_renew_mode,service_worker_convert_all_requests_to_cors:S.service_worker_convert_all_requests_to_cors}},configurationName:n}),L=m.version;return L!==Z&&console.warn(`Service worker ${L} version mismatch with js client version ${Z}, unregistering and reloading`),{tokens:Q(m.tokens,null,S.token_renew_mode),status:m.status}},a=(h="/")=>{ye==null&&(ye="not_null",ge(h))},c=h=>E(o)({type:"setSessionState",data:{sessionState:h},configurationName:n}),l=async()=>(await E(o)({type:"getSessionState",data:null,configurationName:n})).sessionState,d=h=>(sessionStorage[`oidc.nonce.${n}`]=h.nonce,E(o)({type:"setNonce",data:{nonce:h},configurationName:n})),u=async(h=!0)=>{let S=(await E(o)({type:"getNonce",data:null,configurationName:n})).nonce;return S||(S=sessionStorage[`oidc.nonce.${n}`],console.warn("nonce not found in service worker, using sessionStorage"),h&&(await d(S),S=(await u(!1)).nonce)),{nonce:S}},_={},f=h=>{_[n]=h,localStorage[`oidc.login.${n}`]=JSON.stringify(h)},y=()=>{const h=localStorage[`oidc.login.${n}`];return _[n]||(_[n]=JSON.parse(h)),_[n]},p=async h=>{await E(o)({type:"setDemonstratingProofOfPossessionNonce",data:{demonstratingProofOfPossessionNonce:h},configurationName:n})},w=async()=>(await E(o)({type:"getDemonstratingProofOfPossessionNonce",data:null,configurationName:n})).demonstratingProofOfPossessionNonce,v=async h=>{const O=JSON.stringify(h);await E(o)({type:"setDemonstratingProofOfPossessionJwk",data:{demonstratingProofOfPossessionJwkJson:O},configurationName:n})},P=async()=>{const h=await E(o)({type:"getDemonstratingProofOfPossessionJwk",data:null,configurationName:n});return h.demonstratingProofOfPossessionJwkJson?JSON.parse(h.demonstratingProofOfPossessionJwkJson):null},A=async(h=!0)=>{let S=(await E(o)({type:"getState",data:null,configurationName:n})).state;return S||(S=sessionStorage[`oidc.state.${n}`],console.warn("state not found in service worker, using sessionStorage"),h&&(await T(S),S=await A(!1))),S},T=async h=>(sessionStorage[`oidc.state.${n}`]=h,E(o)({type:"setState",data:{state:h},configurationName:n})),g=async(h=!0)=>{let S=(await E(o)({type:"getCodeVerifier",data:null,configurationName:n})).codeVerifier;return S||(S=sessionStorage[`oidc.code_verifier.${n}`],console.warn("codeVerifier not found in service worker, using sessionStorage"),h&&(await b(S),S=await g(!1))),S},b=async h=>(sessionStorage[`oidc.code_verifier.${n}`]=h,E(o)({type:"setCodeVerifier",data:{codeVerifier:h},configurationName:n}));return{clearAsync:i,initAsync:r,startKeepAliveServiceWorker:()=>a(e.service_worker_keep_alive_path),setSessionStateAsync:c,getSessionStateAsync:l,setNonceAsync:d,getNonceAsync:u,setLoginParams:f,getLoginParams:y,getStateAsync:A,setStateAsync:T,getCodeVerifierAsync:g,setCodeVerifierAsync:b,setDemonstratingProofOfPossessionNonce:p,getDemonstratingProofOfPossessionNonce:w,setDemonstratingProofOfPossessionJwkAsync:v,getDemonstratingProofOfPossessionJwkAsync:P}},F={},$e=(e,n=window.sessionStorage,t)=>{if(!F[e]&&n){const o=n.getItem(e);o&&(F[e]=JSON.parse(o))}const s=1e3*t;return F[e]&&F[e].timestamp+s>Date.now()?F[e].result:null},Ue=(e,n,t=window.sessionStorage)=>{const s=Date.now();F[e]={result:n,timestamp:s},t&&t.setItem(e,JSON.stringify({result:n,timestamp:s}))};function me(e){return new TextEncoder().encode(e)}function pe(e){return btoa(e).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+/g,"")}function Ke(e){return encodeURIComponent(e).replace(/%([0-9A-F]{2})/g,function(t,s){return String.fromCharCode(parseInt(s,16))})}const te=e=>{let n="";return e.forEach(function(t){n+=String.fromCharCode(t)}),pe(n)};function we(e){return pe(Ke(e))}const Fe={importKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256",hash:{name:"ES256"}},signAlgorithm:{name:"ECDSA",hash:{name:"SHA-256"}},generateKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256"},digestAlgorithm:{name:"SHA-256"},jwtHeaderAlgorithm:"ES256"},Ve={sign:e=>async(n,t,s,o,i="dpop+jwt")=>{switch(n=Object.assign({},n),t.typ=i,t.alg=o.jwtHeaderAlgorithm,t.alg){case"ES256":t.jwk={kty:n.kty,crv:n.crv,x:n.x,y:n.y};break;case"RS256":t.jwk={kty:n.kty,n:n.n,e:n.e,kid:t.kid};break;default:throw new Error("Unknown or not implemented JWS algorithm")}const r={protected:we(JSON.stringify(t)),payload:we(JSON.stringify(s))},a=o.importKeyAlgorithm,c=!0,l=["sign"],d=await e.crypto.subtle.importKey("jwk",n,a,c,l),u=me(`${r.protected}.${r.payload}`),_=o.signAlgorithm,f=await e.crypto.subtle.sign(_,d,u);return r.signature=te(new Uint8Array(f)),`${r.protected}.${r.payload}.${r.signature}`}},Me={generate:e=>async n=>{const t=n,s=!0,o=["sign","verify"],i=await e.crypto.subtle.generateKey(t,s,o);return await e.crypto.subtle.exportKey("jwk",i.privateKey)},neuter:e=>{const n=Object.assign({},e);return delete n.d,n.key_ops=["verify"],n}},Je={thumbprint:e=>async(n,t)=>{let s;switch(n.kty){case"EC":s='{"crv":"CRV","kty":"EC","x":"X","y":"Y"}'.replace("CRV",n.crv).replace("X",n.x).replace("Y",n.y);break;case"RSA":s='{"e":"E","kty":"RSA","n":"N"}'.replace("E",n.e).replace("N",n.n);break;default:throw new Error("Unknown or not implemented JWK type")}const o=await e.crypto.subtle.digest(t,me(s));return te(new Uint8Array(o))}},Be=e=>async n=>await Me.generate(e)(n),Ae=e=>n=>async(t,s="POST",o,i={})=>{const r={jti:btoa(He()),htm:s,htu:o,iat:Math.round(Date.now()/1e3),...i},a=await Je.thumbprint(e)(t,n.digestAlgorithm);return await Ve.sign(e)(t,{kid:a},r,n)},He=()=>{const e="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx",n="0123456789abcdef";let t=0,s="";for(let o=0;o<36;o++)e[o]!=="-"&&e[o]!=="4"&&(t=Math.random()*16|0),e[o]==="x"?s+=n[t]:e[o]==="y"?(t&=3,t|=8,s+=n[t]):s+=e[o];return s},Se=()=>{const e=typeof window<"u"&&!!window.crypto,n=e&&!!window.crypto.subtle;return{hasCrypto:e,hasSubtleCrypto:n}},se="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",je=e=>{const n=[];for(let t=0;t<e.byteLength;t+=1){const s=e[t]%se.length;n.push(se[s])}return n.join("")},oe=e=>{const n=new Uint8Array(e),{hasCrypto:t}=Se();if(t)window.crypto.getRandomValues(n);else for(let s=0;s<e;s+=1)n[s]=Math.random()*se.length|0;return je(n)};function Ge(e){const n=new ArrayBuffer(e.length),t=new Uint8Array(n);for(let s=0;s<e.length;s++)t[s]=e.charCodeAt(s);return t}function Te(e){return new Promise((n,t)=>{crypto.subtle.digest("SHA-256",Ge(e)).then(s=>n(te(new Uint8Array(s))),s=>t(s))})}const qe=e=>{if(e.length<43||e.length>128)return Promise.reject(new Error("Invalid code length."));const{hasSubtleCrypto:n}=Se();return n?Te(e):Promise.reject(new Error("window.crypto.subtle is unavailable."))},Ye=60*60,Xe=e=>async(n,t=Ye,s=window.sessionStorage,o=1e4)=>{const i=`${n}/.well-known/openid-configuration`,r=`oidc.server:${n}`,a=$e(r,s,t);if(a)return new ce(a);const c=await J(e)(i,{},o);if(c.status!==200)return null;const l=await c.json();return Ue(r,l,s),new ce(l)},J=e=>async(n,t={},s=1e4,o=0)=>{let i;try{const r=new AbortController;setTimeout(()=>r.abort(),s),i=await e(n,{...t,signal:r.signal})}catch(r){if(r.name==="AbortError"||r.message==="Network request failed"){if(o<=1)return await J(e)(n,t,s,o+1);throw r}else throw console.error(r.message),r}return i},ie={refresh_token:"refresh_token",access_token:"access_token"},ve=e=>async(n,t,s=ie.refresh_token,o,i={},r=1e4)=>{const a={token:t,token_type_hint:s,client_id:o};for(const[u,_]of Object.entries(i))a[u]===void 0&&(a[u]=_);const c=[];for(const u in a){const _=encodeURIComponent(u),f=encodeURIComponent(a[u]);c.push(`${_}=${f}`)}const l=c.join("&");return(await J(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"},body:l},r)).status!==200?{success:!1}:{success:!0}},ze=e=>async(n,t,s,o,i={},r,a=1e4)=>{for(const[f,y]of Object.entries(s))t[f]===void 0&&(t[f]=y);const c=[];for(const f in t){const y=encodeURIComponent(f),p=encodeURIComponent(t[f]);c.push(`${y}=${p}`)}const l=c.join("&"),d=await J(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...i},body:l},a);if(d.status!==200)return{success:!1,status:d.status,demonstratingProofOfPossessionNonce:null};const u=await d.json();let _=null;return d.headers.has(q)&&(_=d.headers.get(q)),{success:!0,status:d.status,data:Q(u,o,r),demonstratingProofOfPossessionNonce:_}},Qe=(e,n)=>async(t,s)=>{s=s?{...s}:{};const o=oe(128),i=await qe(o);await e.setCodeVerifierAsync(o),await e.setStateAsync(s.state),s.code_challenge=i,s.code_challenge_method="S256";let r="";if(s)for(const[a,c]of Object.entries(s))r===""?r+="?":r+="&",r+=`${a}=${encodeURIComponent(c)}`;n.open(`${t}${r}`)},q="DPoP-Nonce",Ze=e=>async(n,t,s,o,i=1e4)=>{t=t?{...t}:{},t.code_verifier=await e.getCodeVerifierAsync();const r=[];for(const u in t){const _=encodeURIComponent(u),f=encodeURIComponent(t[u]);r.push(`${_}=${f}`)}const a=r.join("&"),c=await J(fetch)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...s},body:a},i);if(await Promise.all([e.setCodeVerifierAsync(null),e.setStateAsync(null)]),c.status!==200)return{success:!1,status:c.status};let l=null;c.headers.has(q)&&(l=c.headers.get(q));const d=await c.json();return{success:!0,data:{state:t.state,tokens:Q(d,null,o),demonstratingProofOfPossessionNonce:l}}};async function be(e,n,t,s=null){const o=c=>{e.tokens=c},{tokens:i,status:r}=await Y(e)(o,0,n,t,s);return await N(e.configuration,e.configurationName)||await C(e.configurationName,e.configuration.storage).setTokens(e.tokens),e.tokens?i:(await e.destroyAsync(r),null)}async function Ee(e,n=!1,t=null,s=null){const o=e.configuration,i=`${o.client_id}_${e.configurationName}_${o.authority}`;let r;const a=await N(e.configuration,e.configurationName);if((o==null?void 0:o.storage)===(window==null?void 0:window.sessionStorage)&&!a||!navigator.locks)r=await be(e,n,t,s);else{let c="retry";for(;c==="retry";)c=await navigator.locks.request(i,{ifAvailable:!0},async l=>l?await be(e,n,t,s):(e.publishEvent(x.eventNames.syncTokensAsync_lock_not_available,{lock:"lock not available"}),"retry"));r=c}return r?(e.timeoutId&&(e.timeoutId=B(e,e.tokens.expiresAt,t,s)),e.tokens):null}const B=(e,n,t=null,s=null)=>{const o=e.configuration.refresh_time_before_tokens_expiration_in_second;return e.timeoutId&&K.clearTimeout(e.timeoutId),K.setTimeout(async()=>{const r={timeLeft:M(o,n)};e.publishEvent(x.eventNames.token_timer,r),await Ee(e,!1,t,s)},1e3)},D={FORCE_REFRESH:"FORCE_REFRESH",SESSION_LOST:"SESSION_LOST",NOT_CONNECTED:"NOT_CONNECTED",TOKENS_VALID:"TOKENS_VALID",TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID",LOGOUT_FROM_ANOTHER_TAB:"LOGOUT_FROM_ANOTHER_TAB",REQUIRE_SYNC_TOKENS:"REQUIRE_SYNC_TOKENS"},en=e=>async(n,t,s,o=!1)=>{const i={nonce:null};if(!s)return{tokens:null,status:"NOT_CONNECTED",nonce:i};let r=i;const a=await e.initAsync(n.authority,n.authority_configuration),c=await N(n,t);if(c){const{status:u,tokens:_}=await c.initAsync(a,"syncTokensAsync",n);if(u==="LOGGED_OUT")return{tokens:null,status:"LOGOUT_FROM_ANOTHER_TAB",nonce:i};if(u==="SESSIONS_LOST")return{tokens:null,status:"SESSIONS_LOST",nonce:i};if(!u||!_)return{tokens:null,status:"REQUIRE_SYNC_TOKENS",nonce:i};if(_.issuedAt!==s.issuedAt){const y=M(n.refresh_time_before_tokens_expiration_in_second,_.expiresAt)>0?"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID":"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID",p=await c.getNonceAsync();return{tokens:_,status:y,nonce:p}}r=await c.getNonceAsync()}else{const u=C(t,n.storage??sessionStorage),_=await u.initAsync();let{tokens:f}=_;const{status:y}=_;if(f&&(f=z(f,e.tokens,n.token_renew_mode)),f){if(y==="SESSIONS_LOST")return{tokens:null,status:"SESSIONS_LOST",nonce:i};if(f.issuedAt!==s.issuedAt){const w=M(n.refresh_time_before_tokens_expiration_in_second,f.expiresAt)>0?"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID":"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID",v=await u.getNonceAsync();return{tokens:f,status:w,nonce:v}}}else return{tokens:null,status:"LOGOUT_FROM_ANOTHER_TAB",nonce:i};r=await u.getNonceAsync()}const d=M(n.refresh_time_before_tokens_expiration_in_second,s.expiresAt)>0?"TOKENS_VALID":"TOKENS_INVALID";return o?{tokens:s,status:"FORCE_REFRESH",nonce:r}:{tokens:s,status:d,nonce:r}},Y=e=>async(n,t=0,s=!1,o=null,i=null)=>{if(!navigator.onLine&&document.hidden)return{tokens:e.tokens,status:"GIVE_UP"};let r=6;for(;!navigator.onLine&&r>0;)await ee({milliseconds:1e3}),r--,e.publishEvent(k.refreshTokensAsync,{message:`wait because navigator is offline try ${r}`});const a=document.hidden,c=a?t:t+1;if(t>4)return a?{tokens:e.tokens,status:"GIVE_UP"}:(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token"}),{tokens:null,status:"SESSION_LOST"});o||(o={});const l=e.configuration,d=(_,f=null,y=null)=>re(e.configurationName,e.configuration,e.publishEvent.bind(e))(_,f,y),u=async()=>{try{let _;const f=await N(l,e.configurationName);f?_=f.getLoginParams():_=C(e.configurationName,l.storage).getLoginParams();const y=await d({..._.extras,...o,prompt:"none",scope:i});return y?y.error?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent"}),{tokens:null,status:"SESSION_LOST"}):(n(y.tokens),e.publishEvent(x.eventNames.token_renewed,{}),{tokens:y.tokens,status:"LOGGED"}):(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent not active"}),{tokens:null,status:"SESSION_LOST"})}catch(_){return console.error(_),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exceptionSilent",exception:_.message}),await Y(e)(n,c,s,o,i)}};try{const{status:_,tokens:f,nonce:y}=await en(e)(l,e.configurationName,e.tokens,s);switch(_){case D.SESSION_LOST:return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token session lost"}),{tokens:null,status:"SESSION_LOST"};case D.NOT_CONNECTED:return n(null),{tokens:null,status:null};case D.TOKENS_VALID:return n(f),{tokens:f,status:"LOGGED_IN"};case D.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:return n(f),e.publishEvent(x.eventNames.token_renewed,{reason:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID"}),{tokens:f,status:"LOGGED_IN"};case D.LOGOUT_FROM_ANOTHER_TAB:return n(null),e.publishEvent(k.logout_from_another_tab,{status:"session syncTokensAsync"}),{tokens:null,status:"LOGGED_OUT"};case D.REQUIRE_SYNC_TOKENS:return l.token_automatic_renew_mode==U.AutomaticOnlyWhenFetchExecuted&&D.FORCE_REFRESH!==_?(e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"}):(e.publishEvent(k.refreshTokensAsync_begin,{tryNumber:t}),await u());default:{if(l.token_automatic_renew_mode==U.AutomaticOnlyWhenFetchExecuted&&D.FORCE_REFRESH!==_)return e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"};if(e.publishEvent(k.refreshTokensAsync_begin,{refreshToken:f.refreshToken,status:_,tryNumber:t}),!f.refreshToken)return await u();const p=l.client_id,w=l.redirect_uri,v=l.authority,A={...l.token_request_extras?l.token_request_extras:{}};for(const[g,b]of Object.entries(o))g.endsWith(":token_request")&&(A[g.replace(":token_request","")]=b);return await(async()=>{const g={client_id:p,redirect_uri:w,grant_type:"refresh_token",refresh_token:f.refreshToken},b=await e.initAsync(v,l.authority_configuration),h=document.hidden?1e4:3e4*10,O=b.tokenEndpoint,S={};l.demonstrating_proof_of_possession&&(S.DPoP=await e.generateDemonstrationOfProofOfPossessionAsync(f.accessToken,O,"POST"));const m=await ze(e.getFetch())(O,g,A,f,S,l.token_renew_mode,h);if(m.success){const{isValid:L,reason:wn}=he(m.data,y.nonce,b);if(!L)return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`refresh token return not valid tokens, reason: ${wn}`}),{tokens:null,status:"SESSION_LOST"};if(n(m.data),m.demonstratingProofOfPossessionNonce){const Ne=await N(l,e.configurationName);Ne?await Ne.setDemonstratingProofOfPossessionNonce(m.demonstratingProofOfPossessionNonce):await C(e.configurationName,l.storage).setDemonstratingProofOfPossessionNonce(m.demonstratingProofOfPossessionNonce)}return e.publishEvent(k.refreshTokensAsync_end,{success:m.success}),e.publishEvent(x.eventNames.token_renewed,{reason:"REFRESH_TOKEN"}),{tokens:m.data,status:"LOGGED_IN"}}else return e.publishEvent(k.refreshTokensAsync_silent_error,{message:"bad request",tokenResponse:m}),m.status>=400&&m.status<500?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`session lost: ${m.status}`}),{tokens:null,status:"SESSION_LOST"}):await Y(e)(n,c,s,o,i)})()}}}catch(_){return console.error(_),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exception",exception:_.message}),new Promise((f,y)=>{setTimeout(()=>{Y(e)(n,c,s,o,i).then(f).catch(y)},1e3)})}},re=(e,n,t)=>(s=null,o=null,i=null)=>{if(!n.silent_redirect_uri||!n.silent_login_uri)return Promise.resolve(null);try{t(k.silentLoginAsync_begin,{});let r="";if(o&&(s==null&&(s={}),s.state=o),i!=null&&(s==null&&(s={}),s.scope=i),s!=null)for(const[u,_]of Object.entries(s))r===""?r=`?${encodeURIComponent(u)}=${encodeURIComponent(_)}`:r+=`&${encodeURIComponent(u)}=${encodeURIComponent(_)}`;const a=n.silent_login_uri+r,c=a.indexOf("/",a.indexOf("//")+2),l=a.substring(0,c),d=document.createElement("iframe");return d.width="0px",d.height="0px",d.id=`${e}_oidc_iframe`,d.setAttribute("src",a),document.body.appendChild(d),new Promise((u,_)=>{let f=!1;const y=()=>{window.removeEventListener("message",p),d.remove(),f=!0},p=w=>{if(w.origin===l&&w.source===d.contentWindow){const v=`${e}_oidc_tokens:`,P=`${e}_oidc_error:`,A=`${e}_oidc_exception:`,T=w.data;if(T&&typeof T=="string"&&!f){if(T.startsWith(v)){const g=JSON.parse(w.data.replace(v,""));t(k.silentLoginAsync_end,{}),u(g),y()}else if(T.startsWith(P)){const g=JSON.parse(w.data.replace(P,""));t(k.silentLoginAsync_error,g),u({error:"oidc_"+g.error,tokens:null,sessionState:null}),y()}else if(T.startsWith(A)){const g=JSON.parse(w.data.replace(A,""));t(k.silentLoginAsync_error,g),_(new Error(g.error)),y()}}}};try{window.addEventListener("message",p);const w=n.silent_login_timeout;setTimeout(()=>{f||(y(),t(k.silentLoginAsync_error,{reason:"timeout"}),_(new Error("timeout")))},w)}catch(w){y(),t(k.silentLoginAsync_error,w),_(w)}})}catch(r){throw t(k.silentLoginAsync_error,r),r}},nn=(e,n,t,s,o)=>(i=null,r=void 0)=>{i={...i};const a=(l,d,u)=>re(n,t,s.bind(o))(l,d,u);return(async()=>{o.timeoutId&&K.clearTimeout(o.timeoutId);let l;i&&"state"in i&&(l=i.state,delete i.state);try{const d=t.extras?{...t.extras,...i}:i,u=await a({...d,prompt:"none"},l,r);if(u)return o.tokens=u.tokens,s(k.token_acquired,{}),o.timeoutId=B(o,o.tokens.expiresAt,i,r),{}}catch(d){return d}})()},tn=(e,n,t)=>(s,o,i,r=!1)=>{const a=(c,l=void 0,d=void 0)=>re(e.configurationName,t,e.publishEvent.bind(e))(c,l,d);return new Promise((c,l)=>{if(t.silent_login_uri&&t.silent_redirect_uri&&t.monitor_session&&s&&i&&!r){const d=()=>{e.checkSessionIFrame.stop();const u=e.tokens;if(u===null)return;const _=u.idToken,f=u.idTokenPayload;return a({prompt:"none",id_token_hint:_,scope:t.scope||"openid"}).then(y=>{if(y.error)throw new Error(y.error);const p=y.tokens.idTokenPayload;if(f.sub===p.sub){const w=y.sessionState;e.checkSessionIFrame.start(y.sessionState),f.sid===p.sid?console.debug("SessionMonitor._callback: Same sub still logged in at OP, restarting check session iframe; session_state:",w):console.debug("SessionMonitor._callback: Same sub still logged in at OP, session state has changed, restarting check session iframe; session_state:",w)}else console.debug("SessionMonitor._callback: Different subject signed into OP:",p.sub)}).catch(async y=>{console.warn("SessionMonitor._callback: Silent login failed, logging out other tabs:",y);for(const[,p]of Object.entries(n))await p.logoutOtherTabAsync(t.client_id,f.sub)})};e.checkSessionIFrame=new xe(d,o,s),e.checkSessionIFrame.load().then(()=>{e.checkSessionIFrame.start(i),c(e.checkSessionIFrame)}).catch(u=>{l(u)})}else c(null)})},sn=e=>!!(e.os==="iOS"&&e.osVersion.startsWith("12")||e.os==="Mac OS X"&&e.osVersion.startsWith("10_15_6")),on=e=>{const n=e.appVersion,t=e.userAgent,s="-";let o=s;const i=[{s:"Windows 10",r:/(Windows 10.0|Windows NT 10.0)/},{s:"Windows 8.1",r:/(Windows 8.1|Windows NT 6.3)/},{s:"Windows 8",r:/(Windows 8|Windows NT 6.2)/},{s:"Windows 7",r:/(Windows 7|Windows NT 6.1)/},{s:"Windows Vista",r:/Windows NT 6.0/},{s:"Windows Server 2003",r:/Windows NT 5.2/},{s:"Windows XP",r:/(Windows NT 5.1|Windows XP)/},{s:"Windows 2000",r:/(Windows NT 5.0|Windows 2000)/},{s:"Windows ME",r:/(Win 9x 4.90|Windows ME)/},{s:"Windows 98",r:/(Windows 98|Win98)/},{s:"Windows 95",r:/(Windows 95|Win95|Windows_95)/},{s:"Windows NT 4.0",r:/(Windows NT 4.0|WinNT4.0|WinNT|Windows NT)/},{s:"Windows CE",r:/Windows CE/},{s:"Windows 3.11",r:/Win16/},{s:"Android",r:/Android/},{s:"Open BSD",r:/OpenBSD/},{s:"Sun OS",r:/SunOS/},{s:"Chrome OS",r:/CrOS/},{s:"Linux",r:/(Linux|X11(?!.*CrOS))/},{s:"iOS",r:/(iPhone|iPad|iPod)/},{s:"Mac OS X",r:/Mac OS X/},{s:"Mac OS",r:/(Mac OS|MacPPC|MacIntel|Mac_PowerPC|Macintosh)/},{s:"QNX",r:/QNX/},{s:"UNIX",r:/UNIX/},{s:"BeOS",r:/BeOS/},{s:"OS/2",r:/OS\/2/},{s:"Search Bot",r:/(nuhk|Googlebot|Yammybot|Openbot|Slurp|MSNBot|Ask Jeeves\/Teoma|ia_archiver)/}];for(const a in i){const c=i[a];if(c.r.test(t)){o=c.s;break}}let r=s;switch(/Windows/.test(o)&&(r=/Windows (.*)/.exec(o)[1],o="Windows"),o){case"Mac OS":case"Mac OS X":case"Android":r=/(?:Android|Mac OS|Mac OS X|MacPPC|MacIntel|Mac_PowerPC|Macintosh) ([._\d]+)/.exec(t)[1];break;case"iOS":{const a=/OS (\d+)_(\d+)_?(\d+)?/.exec(n);a!=null&&a.length>2&&(r=a[1]+"."+a[2]+"."+(parseInt(a[3])|0));break}}return{os:o,osVersion:r}};function rn(){const e=navigator.userAgent;let n,t=e.match(/(opera|chrome|safari|firefox|msie|trident(?=\/))\/?\s*(\d+)/i)||[];if(/trident/i.test(t[1]))return n=/\brv[ :]+(\d+)/g.exec(e)||[],{name:"ie",version:n[1]||""};if(t[1]==="Chrome"&&(n=e.match(/\bOPR|Edge\/(\d+)/),n!=null)){let s=n[1];if(!s){const o=e.split(n[0]+"/");o.length>1&&(s=o[1])}return{name:"opera",version:s}}return t=t[2]?[t[1],t[2]]:[navigator.appName,navigator.appVersion,"-?"],(n=e.match(/version\/(\d+)/i))!=null&&t.splice(1,1,n[1]),{name:t[0].toLowerCase(),version:t[1]}}const an=()=>{const{name:e,version:n}=rn();if(e==="chrome"&&parseInt(n)<=70||e==="opera"&&(!n||parseInt(n.split(".")[0])<80)||e==="ie")return!1;const t=on(navigator);return!sn(t)},cn=async e=>{let n;if(e.tokens!=null)return!1;e.publishEvent(k.tryKeepExistingSessionAsync_begin,{});try{const t=e.configuration,s=await e.initAsync(t.authority,t.authority_configuration);if(n=await N(t,e.configurationName),n){const{tokens:o}=await n.initAsync(s,"tryKeepExistingSessionAsync",t);if(o){n.startKeepAliveServiceWorker(),e.tokens=o;const i=n.getLoginParams(e.configurationName);e.timeoutId=B(e,e.tokens.expiresAt,i.extras,i.scope);const r=await n.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,r),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside ServiceWorker are valid"}),!0}e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:"no exiting session found"})}else{t.service_worker_relative_url&&e.publishEvent(k.service_worker_not_supported_by_browser,{message:"service worker is not supported by this browser"});const o=C(e.configurationName,t.storage??sessionStorage),{tokens:i}=await o.initAsync();if(i){e.tokens=z(i,null,t.token_renew_mode);const r=o.getLoginParams();e.timeoutId=B(e,e.tokens.expiresAt,r.extras,r.scope);const a=await o.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,a),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside storage are valid"}),!0}}return e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:n?"service worker sessions not retrieved":"session storage sessions not retrieved"}),!1}catch(t){return console.error(t),n&&await n.clearAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_error,"tokens inside ServiceWorker are invalid"),!1}},Oe=e=>{const n=e.match(/^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/);if(!n)throw new Error("Invalid URL");let t=n[6],s=n[7];if(s){const o=s.split("?");o.length===2&&(s=o[0],t=o[1])}return t.startsWith("?")&&(t=t.slice(1)),n&&{href:e,protocol:n[1],host:n[2],hostname:n[3],port:n[4],path:n[5],search:t,hash:s}},ln=e=>{const n=Oe(e);let{path:t}=n;t.endsWith("/")&&(t=t.slice(0,-1));let{hash:s}=n;return s==="#_=_"&&(s=""),s&&(t+=s),t},X=e=>{const n=Oe(e),{search:t}=n;return un(t)},un=e=>{const n={};let t,s,o;const i=e.split("&");for(s=0,o=i.length;s<o;s++)t=i[s].split("="),n[decodeURIComponent(t[0])]=decodeURIComponent(t[1]);return n},_n=(e,n,t,s,o)=>(i=void 0,r=null,a=!1,c=void 0)=>{const l=r;return r={...r},(async()=>{const u=i||o.getPath();if("state"in r||(r.state=oe(16)),t(k.loginAsync_begin,{}),r)for(const _ of Object.keys(r))_.endsWith(":token_request")&&delete r[_];try{const _=a?n.silent_redirect_uri:n.redirect_uri;c||(c=n.scope);const f=n.extras?{...n.extras,...r}:r;f.nonce||(f.nonce=oe(12));const y={nonce:f.nonce},p=await N(n,e),w=await s(n.authority,n.authority_configuration);let v;if(p)p.setLoginParams({callbackPath:u,extras:l,scope:c}),await p.initAsync(w,"loginAsync",n),await p.setNonceAsync(y),p.startKeepAliveServiceWorker(),v=p;else{const A=C(e,n.storage??sessionStorage);A.setLoginParams({callbackPath:u,extras:l,scope:c}),await A.setNonceAsync(y),v=A}const P={client_id:n.client_id,redirect_uri:_,scope:c,response_type:"code",...f};await Qe(v,o)(w.authorizationEndpoint,P)}catch(_){throw t(k.loginAsync_error,_),_}})()},fn=e=>async(n=!1)=>{try{e.publishEvent(k.loginCallbackAsync_begin,{});const t=e.configuration,s=t.client_id,o=n?t.silent_redirect_uri:t.redirect_uri,i=t.authority,r=t.token_request_timeout,a=await e.initAsync(i,t.authority_configuration),c=e.location.getCurrentHref(),l=X(c),d=l.session_state,u=await N(t,e.configurationName);let _,f,y,p;if(u)await u.initAsync(a,"loginCallbackAsync",t),await u.setSessionStateAsync(d),f=await u.getNonceAsync(),y=u.getLoginParams(),p=await u.getStateAsync(),u.startKeepAliveServiceWorker(),_=u;else{const m=C(e.configurationName,t.storage??sessionStorage);await m.setSessionStateAsync(d),f=await m.getNonceAsync(),y=m.getLoginParams(),p=await m.getStateAsync(),_=m}if(l.error||l.error_description)throw new Error(`Error from OIDC server: ${l.error} - ${l.error_description}`);if(l.iss&&l.iss!==a.issuer)throw console.error(),new Error(`Issuer not valid (expected: ${a.issuer}, received: ${l.iss})`);if(l.state&&l.state!==p)throw new Error(`State not valid (expected: ${p}, received: ${l.state})`);const w={code:l.code,grant_type:"authorization_code",client_id:t.client_id,redirect_uri:o},v={};if(t.token_request_extras)for(const[m,L]of Object.entries(t.token_request_extras))v[m]=L;if(y!=null&&y.extras)for(const[m,L]of Object.entries(y.extras))m.endsWith(":token_request")&&(v[m.replace(":token_request","")]=L);const P=a.tokenEndpoint,A={};if(t.demonstrating_proof_of_possession)if(u)A.DPoP=`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${e.configurationName}`;else{const m=await Be(window)(t.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm);await C(e.configurationName,t.storage).setDemonstratingProofOfPossessionJwkAsync(m),A.DPoP=await Ae(window)(t.demonstrating_proof_of_possession_configuration)(m,"POST",P)}const T=await Ze(_)(P,{...w,...v},A,e.configuration.token_renew_mode,r);if(!T.success)throw new Error("Token request failed");let g;const b=T.data.tokens,h=T.data.demonstratingProofOfPossessionNonce;if(T.data.state!==v.state)throw new Error("state is not valid");const{isValid:O,reason:S}=he(b,f.nonce,a);if(!O)throw new Error(`Tokens are not OpenID valid, reason: ${S}`);if(u){if(b.refreshToken&&!b.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER"))throw new Error("Refresh token should be hidden by service worker");if(h&&(b!=null&&b.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")))throw new Error("Demonstration of proof of possession require Access token not hidden by service worker")}if(u)await u.initAsync(a,"syncTokensAsync",t),g=u.getLoginParams(),h&&await u.setDemonstratingProofOfPossessionNonce(h);else{const m=C(e.configurationName,t.storage);g=m.getLoginParams(),h&&await m.setDemonstratingProofOfPossessionNonce(h)}return await e.startCheckSessionAsync(a.checkSessionIframe,s,d,n),e.publishEvent(k.loginCallbackAsync_end,{}),{tokens:b,state:"request.state",callbackPath:g.callbackPath,scope:l.scope,extras:g.extras}}catch(t){throw console.error(t),e.publishEvent(k.loginCallbackAsync_error,t),t}},Pe={access_token:"access_token",refresh_token:"refresh_token"},ae=(e,n)=>{const t={};if(e){for(const[s,o]of Object.entries(e))if(s.endsWith(n)){const i=s.replace(n,"");t[i]=o}return t}return t},dn=e=>{const n={};if(e){for(const[t,s]of Object.entries(e))t.includes(":")||(n[t]=s);return n}return n},hn=e=>async n=>{K.clearTimeout(e.timeoutId),e.timeoutId=null,e.checkSessionIFrame&&e.checkSessionIFrame.stop();const t=await N(e.configuration,e.configurationName);t?await t.clearAsync(n):await C(e.configurationName,e.configuration.storage).clearAsync(n),e.tokens=null,e.userInfo=null},yn=(e,n,t,s,o)=>async(i=void 0,r=null)=>{var v,P;const a=e.configuration,c=await e.initAsync(a.authority,a.authority_configuration);i&&typeof i!="string"&&(i=void 0,s.warn("callbackPathOrUrl path is not a string"));const l=i??o.getPath();let d=!1;i&&(d=i.includes("https://")||i.includes("http://"));const u=d?i:o.getOrigin()+l,_=e.tokens?e.tokens.idToken:"";try{const A=c.revocationEndpoint;if(A){const T=[],g=e.tokens?e.tokens.accessToken:null;if(g&&a.logout_tokens_to_invalidate.includes(Pe.access_token)){const h=ae(r,":revoke_access_token"),O=ve(t)(A,g,ie.access_token,a.client_id,h);T.push(O)}const b=e.tokens?e.tokens.refreshToken:null;if(b&&a.logout_tokens_to_invalidate.includes(Pe.refresh_token)){const h=ae(r,":revoke_refresh_token"),O=ve(t)(A,b,ie.refresh_token,a.client_id,h);T.push(O)}T.length>0&&await Promise.all(T)}}catch(A){s.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"),s.warn(A)}const f=((P=(v=e.tokens)==null?void 0:v.idTokenPayload)==null?void 0:P.sub)??null;await e.destroyAsync("LOGGED_OUT");for(const[,A]of Object.entries(n))A!==e?await e.logoutSameTabAsync(e.configuration.client_id,f):e.publishEvent(k.logout_from_same_tab,{});const y=ae(r,":oidc");if(y&&y.no_reload==="true")return;const w=dn(r);if(c.endSessionEndpoint){"id_token_hint"in w||(w.id_token_hint=_),!("post_logout_redirect_uri"in w)&&i!==null&&(w.post_logout_redirect_uri=u);let A="";for(const[T,g]of Object.entries(w))g!=null&&(A===""?A+="?":A+="&",A+=`${T}=${encodeURIComponent(g)}`);o.open(`${c.endSessionEndpoint}${A}`)}else o.reload()},Ie=(e,n,t=!1)=>async(...s)=>{var f;const[o,i,...r]=s,a=i?{...i}:{method:"GET"};let c=new Headers;a.headers&&(c=a.headers instanceof Headers?a.headers:new Headers(a.headers));const l={getTokens:()=>n.tokens,configuration:{token_automatic_renew_mode:n.configuration.token_automatic_renew_mode,refresh_time_before_tokens_expiration_in_second:n.configuration.refresh_time_before_tokens_expiration_in_second},renewTokensAsync:n.renewTokensAsync.bind(n)},d=await de(l),u=(f=d==null?void 0:d.tokens)==null?void 0:f.accessToken;if(c.has("Accept")||c.set("Accept","application/json"),u){if(n.configuration.demonstrating_proof_of_possession&&t){const y=await n.generateDemonstrationOfProofOfPossessionAsync(u,o.toString(),a.method);c.set("Authorization",`DPoP ${u}`),c.set("DPoP",y)}else c.set("Authorization",`Bearer ${u}`);a.credentials||(a.credentials="same-origin")}const _={...a,headers:c};return await e(o,_,...r)},gn=e=>async(n=!1,t=!1)=>{if(e.userInfo!=null&&!n)return e.userInfo;const s=e.configuration,i=(await e.initAsync(s.authority,s.authority_configuration)).userInfoEndpoint,a=await(async()=>{const l=await Ie(fetch,e,t)(i);return l.status!==200?null:l.json()})();return e.userInfo=a,a},Ce=()=>fetch;class ce{constructor(n){this.authorizationEndpoint=n.authorization_endpoint,this.tokenEndpoint=n.token_endpoint,this.revocationEndpoint=n.revocation_endpoint,this.userInfoEndpoint=n.userinfo_endpoint,this.checkSessionIframe=n.check_session_iframe,this.issuer=n.issuer,this.endSessionEndpoint=n.end_session_endpoint}}const R={},kn=(e,n=new W)=>(t,s="default")=>(R[s]||(R[s]=new x(t,s,e,n)),R[s]),mn=async e=>{const{parsedTokens:n,callbackPath:t,extras:s,scope:o}=await e.loginCallbackAsync();return e.timeoutId=B(e,n.expiresAt,s,o),{callbackPath:t}},pn=e=>Math.floor(Math.random()*e),H=class H{constructor(n,t="default",s,o=new W){this.initPromise=null,this.tryKeepExistingSessionPromise=null,this.loginPromise=null,this.loginCallbackPromise=null,this.loginCallbackWithAutoTokensRenewPromise=null,this.userInfoPromise=null,this.renewTokensPromise=null,this.logoutPromise=null;let i=n.silent_login_uri;n.silent_redirect_uri&&!n.silent_login_uri&&(i=`${n.silent_redirect_uri.replace("-callback","").replace("callback","")}-login`);let r=n.refresh_time_before_tokens_expiration_in_second??120;r>60&&(r=r-Math.floor(Math.random()*40)),this.location=o??new W,this.configuration={...n,silent_login_uri:i,token_automatic_renew_mode:n.token_automatic_renew_mode??U.AutomaticBeforeTokenExpiration,monitor_session:n.monitor_session??!1,refresh_time_before_tokens_expiration_in_second:r,silent_login_timeout:n.silent_login_timeout??12e3,token_renew_mode:n.token_renew_mode??j.access_token_or_id_token_invalid,demonstrating_proof_of_possession:n.demonstrating_proof_of_possession??!1,authority_timeout_wellknowurl_in_millisecond:n.authority_timeout_wellknowurl_in_millisecond??1e4,logout_tokens_to_invalidate:n.logout_tokens_to_invalidate??["access_token","refresh_token"],service_worker_activate:n.service_worker_activate??an,demonstrating_proof_of_possession_configuration:n.demonstrating_proof_of_possession_configuration??Fe,preload_user_info:n.preload_user_info??!1},this.getFetch=s??Ce,this.configurationName=t,this.tokens=null,this.userInfo=null,this.events=[],this.timeoutId=null,this.loginCallbackWithAutoTokensRenewAsync.bind(this),this.initAsync.bind(this),this.loginCallbackAsync.bind(this),this.subscribeEvents.bind(this),this.removeEventSubscription.bind(this),this.publishEvent.bind(this),this.destroyAsync.bind(this),this.logoutAsync.bind(this),this.renewTokensAsync.bind(this),this.initAsync(this.configuration.authority,this.configuration.authority_configuration)}subscribeEvents(n){const t=pn(9999999999999).toString();return this.events.push({id:t,func:n}),t}removeEventSubscription(n){const t=this.events.filter(s=>s.id!==n);this.events=t}publishEvent(n,t){this.events.forEach(s=>{s.func(n,t)})}static get(n="default"){const t=typeof process>"u";if(!Object.prototype.hasOwnProperty.call(R,n)&&t)throw Error(`OIDC library does seem initialized.
Please checkout that you are using OIDC hook inside a <OidcProvider configurationName="${n}"></OidcProvider> component.`);return R[n]}_silentLoginCallbackFromIFrame(){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const n=this.location,t=X(n.getCurrentHref());window.parent.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify({tokens:this.tokens,sessionState:t.session_state})}`,n.getOrigin())}}_silentLoginErrorCallbackFromIFrame(n=null){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const t=this.location,s=X(t.getCurrentHref());s.error?window.parent.postMessage(`${this.configurationName}_oidc_error:${JSON.stringify({error:s.error})}`,t.getOrigin()):window.parent.postMessage(`${this.configurationName}_oidc_exception:${JSON.stringify({error:n==null?"":n.toString()})}`,t.getOrigin())}}async silentLoginCallbackAsync(){try{await this.loginCallbackAsync(!0),this._silentLoginCallbackFromIFrame()}catch(n){console.error(n),this._silentLoginErrorCallbackFromIFrame(n)}}async initAsync(n,t){if(this.initPromise!==null)return this.initPromise;const s=async()=>{if(t!=null)return new ce({authorization_endpoint:t.authorization_endpoint,end_session_endpoint:t.end_session_endpoint,revocation_endpoint:t.revocation_endpoint,token_endpoint:t.token_endpoint,userinfo_endpoint:t.userinfo_endpoint,check_session_iframe:t.check_session_iframe,issuer:t.issuer});const i=await N(this.configuration,this.configurationName)?window.sessionStorage:null;return await Xe(this.getFetch())(n,this.configuration.authority_time_cache_wellknowurl_in_second??60*60,i,this.configuration.authority_timeout_wellknowurl_in_millisecond)};return this.initPromise=s(),this.initPromise.finally(()=>{this.initPromise=null})}async tryKeepExistingSessionAsync(){return this.tryKeepExistingSessionPromise!==null?this.tryKeepExistingSessionPromise:(this.tryKeepExistingSessionPromise=cn(this),this.tryKeepExistingSessionPromise.finally(()=>{this.tryKeepExistingSessionPromise=null}))}async startCheckSessionAsync(n,t,s,o=!1){await tn(this,R,this.configuration)(n,t,s,o)}async loginAsync(n=void 0,t=null,s=!1,o=void 0,i=!1){return this.logoutPromise&&await this.logoutPromise,this.loginPromise!==null?this.loginPromise:(i?this.loginPromise=nn(window,this.configurationName,this.configuration,this.publishEvent.bind(this),this)(t,o):this.loginPromise=_n(this.configurationName,this.configuration,this.publishEvent.bind(this),this.initAsync.bind(this),this.location)(n,t,s,o),this.loginPromise.finally(()=>{this.loginPromise=null}))}async loginCallbackAsync(n=!1){if(this.loginCallbackPromise!==null)return this.loginCallbackPromise;const t=async()=>{const s=await fn(this)(n),o=s.tokens;return this.tokens=o,await N(this.configuration,this.configurationName)||C(this.configurationName,this.configuration.storage).setTokens(o),this.publishEvent(H.eventNames.token_acquired,o),this.configuration.preload_user_info&&await this.userInfoAsync(),{parsedTokens:o,state:s.state,callbackPath:s.callbackPath,scope:s.scope,extras:s.extras}};return this.loginCallbackPromise=t(),this.loginCallbackPromise.finally(()=>{this.loginCallbackPromise=null})}async generateDemonstrationOfProofOfPossessionAsync(n,t,s,o={}){const i=this.configuration,r={ath:await Te(n),...o};if(await N(i,this.configurationName))return`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${ke(this.configurationName)}`;const c=C(this.configurationName,i.storage),l=await c.getDemonstratingProofOfPossessionJwkAsync(),d=c.getDemonstratingProofOfPossessionNonce();return d&&(r.nonce=d),await Ae(window)(i.demonstrating_proof_of_possession_configuration)(l,s,t,r)}loginCallbackWithAutoTokensRenewAsync(){return this.loginCallbackWithAutoTokensRenewPromise!==null?this.loginCallbackWithAutoTokensRenewPromise:(this.loginCallbackWithAutoTokensRenewPromise=mn(this),this.loginCallbackWithAutoTokensRenewPromise.finally(()=>{this.loginCallbackWithAutoTokensRenewPromise=null}))}userInfoAsync(n=!1,t=!1){return this.userInfoPromise!==null?this.userInfoPromise:(this.userInfoPromise=gn(this)(n,t),this.userInfoPromise.finally(()=>{this.userInfoPromise=null}))}async renewTokensAsync(n=null,t=null){if(this.renewTokensPromise!==null)return this.renewTokensPromise;if(this.timeoutId)return K.clearTimeout(this.timeoutId),this.renewTokensPromise=Ee(this,!0,n,t),this.renewTokensPromise.finally(()=>{this.renewTokensPromise=null})}async destroyAsync(n){return await hn(this)(n)}async logoutSameTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_same_tab,{mmessage:"SessionMonitor",sub:t}))}async logoutOtherTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_another_tab,{message:"SessionMonitor",sub:t}))}async logoutAsync(n=voi