oidc-client-ts
Version:
OpenID Connect (OIDC) & OAuth2 client library
1 lines • 67.4 kB
JavaScript
"use strict";var oidc=(()=>{var ke=Object.defineProperty;var Je=Object.getOwnPropertyDescriptor;var Fe=Object.getOwnPropertyNames;var Ke=Object.prototype.hasOwnProperty;var $e=(d,e)=>{for(var t in e)ke(d,t,{get:e[t],enumerable:!0})},Be=(d,e,t,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let i of Fe(e))!Ke.call(d,i)&&i!==t&&ke(d,i,{get:()=>e[i],enumerable:!(r=Je(e,i))||r.enumerable});return d};var ze=d=>Be(ke({},"__esModule",{value:!0}),d);var lt={};$e(lt,{AccessTokenEvents:()=>X,CheckSessionIFrame:()=>Y,DPoPState:()=>j,ErrorResponse:()=>S,ErrorTimeout:()=>C,InMemoryWebStorage:()=>M,IndexedDbDPoPStore:()=>ve,Log:()=>z,Logger:()=>l,MetadataService:()=>Z,OidcClient:()=>oe,OidcClientSettingsStore:()=>A,SessionMonitor:()=>re,SigninResponse:()=>L,SigninState:()=>W,SignoutResponse:()=>te,State:()=>k,User:()=>H,UserManager:()=>Ce,UserManagerSettingsStore:()=>se,Version:()=>qe,WebStorageStateStore:()=>D});var Qe={debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},x,R,z=(s=>(s[s.NONE=0]="NONE",s[s.ERROR=1]="ERROR",s[s.WARN=2]="WARN",s[s.INFO=3]="INFO",s[s.DEBUG=4]="DEBUG",s))(z||{});(r=>{function d(){x=3,R=Qe}r.reset=d;function e(i){if(!(0<=i&&i<=4))throw new Error("Invalid log level");x=i}r.setLevel=e;function t(i){R=i}r.setLogger=t})(z||(z={}));var l=class d{constructor(e){this._name=e}debug(...e){x>=4&&R.debug(d._format(this._name,this._method),...e)}info(...e){x>=3&&R.info(d._format(this._name,this._method),...e)}warn(...e){x>=2&&R.warn(d._format(this._name,this._method),...e)}error(...e){x>=1&&R.error(d._format(this._name,this._method),...e)}throw(e){throw this.error(e),e}create(e){let t=Object.create(this);return t._method=e,t.debug("begin"),t}static createStatic(e,t){let r=new d(`${e}.${t}`);return r.debug("begin"),r}static _format(e,t){let r=`[${e}]`;return t?`${r} ${t}:`:r}static debug(e,...t){x>=4&&R.debug(d._format(e),...t)}static info(e,...t){x>=3&&R.info(d._format(e),...t)}static warn(e,...t){x>=2&&R.warn(d._format(e),...t)}static error(e,...t){x>=1&&R.error(d._format(e),...t)}};z.reset();var Q=class extends Error{};Q.prototype.name="InvalidTokenError";function Ge(d){return decodeURIComponent(atob(d).replace(/(.)/g,(e,t)=>{let r=t.charCodeAt(0).toString(16).toUpperCase();return r.length<2&&(r="0"+r),"%"+r}))}function Ve(d){let e=d.replace(/-/g,"+").replace(/_/g,"/");switch(e.length%4){case 0:break;case 2:e+="==";break;case 3:e+="=";break;default:throw new Error("base64 string is not of the correct length")}try{return Ge(e)}catch{return atob(e)}}function Ue(d,e){if(typeof d!="string")throw new Q("Invalid token specified: must be a string");e||(e={});let t=e.header===!0?0:1,r=d.split(".")[t];if(typeof r!="string")throw new Q(`Invalid token specified: missing part #${t+1}`);let i;try{i=Ve(r)}catch(s){throw new Q(`Invalid token specified: invalid base64 for part #${t+1} (${s.message})`)}try{return JSON.parse(i)}catch(s){throw new Q(`Invalid token specified: invalid json for part #${t+1} (${s.message})`)}}var U=class{static decode(e){try{return Ue(e)}catch(t){throw l.error("JwtUtils.decode",t),t}}static async generateSignedJwt(e,t,r){let i=m.encodeBase64Url(new TextEncoder().encode(JSON.stringify(e))),s=m.encodeBase64Url(new TextEncoder().encode(JSON.stringify(t))),n=`${i}.${s}`,o=await window.crypto.subtle.sign({name:"ECDSA",hash:{name:"SHA-256"}},r,new TextEncoder().encode(n)),a=m.encodeBase64Url(new Uint8Array(o));return`${n}.${a}`}};var Xe="10000000-1000-4000-8000-100000000000",Pe=d=>btoa([...new Uint8Array(d)].map(e=>String.fromCharCode(e)).join("")),y=class y{static _randomWord(){let e=new Uint32Array(1);return crypto.getRandomValues(e),e[0]}static generateUUIDv4(){return Xe.replace(/[018]/g,t=>(+t^y._randomWord()&15>>+t/4).toString(16)).replace(/-/g,"")}static generateCodeVerifier(){return y.generateUUIDv4()+y.generateUUIDv4()+y.generateUUIDv4()}static async generateCodeChallenge(e){if(!crypto.subtle)throw new Error("Crypto.subtle is available only in secure contexts (HTTPS).");try{let r=new TextEncoder().encode(e),i=await crypto.subtle.digest("SHA-256",r);return Pe(i).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}catch(t){throw l.error("CryptoUtils.generateCodeChallenge",t),t}}static generateBasicAuth(e,t){let i=new TextEncoder().encode([e,t].join(":"));return Pe(i)}static async hash(e,t){let r=new TextEncoder().encode(t),i=await crypto.subtle.digest(e,r);return new Uint8Array(i)}static async customCalculateJwkThumbprint(e){let t;switch(e.kty){case"RSA":t={e:e.e,kty:e.kty,n:e.n};break;case"EC":t={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":t={crv:e.crv,kty:e.kty,x:e.x};break;case"oct":t={crv:e.k,kty:e.kty};break;default:throw new Error("Unknown jwk type")}let r=await y.hash("SHA-256",JSON.stringify(t));return y.encodeBase64Url(r)}static async generateDPoPProof({url:e,accessToken:t,httpMethod:r,keyPair:i,nonce:s}){let n,o,a={jti:window.crypto.randomUUID(),htm:r!=null?r:"GET",htu:e,iat:Math.floor(Date.now()/1e3)};t&&(n=await y.hash("SHA-256",t),o=y.encodeBase64Url(n),a.ath=o),s&&(a.nonce=s);try{let c=await crypto.subtle.exportKey("jwk",i.publicKey),g={alg:"ES256",typ:"dpop+jwt",jwk:{crv:c.crv,kty:c.kty,x:c.x,y:c.y}};return await U.generateSignedJwt(g,a,i.privateKey)}catch(c){throw c instanceof TypeError?new Error(`Error exporting dpop public key: ${c.message}`):c}}static async generateDPoPJkt(e){try{let t=await crypto.subtle.exportKey("jwk",e.publicKey);return await y.customCalculateJwkThumbprint(t)}catch(t){throw t instanceof TypeError?new Error(`Could not retrieve dpop keys from storage: ${t.message}`):t}}static async generateDPoPKeys(){return await window.crypto.subtle.generateKey({name:"ECDSA",namedCurve:"P-256"},!1,["sign","verify"])}};y.encodeBase64Url=e=>Pe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_");var m=y;var w=class{constructor(e){this._name=e;this._callbacks=[];this._logger=new l(`Event('${this._name}')`)}addHandler(e){return this._callbacks.push(e),()=>this.removeHandler(e)}removeHandler(e){let t=this._callbacks.lastIndexOf(e);t>=0&&this._callbacks.splice(t,1)}async raise(...e){this._logger.debug("raise:",...e);for(let t of this._callbacks)await t(...e)}};var ne=class{static center({...e}){var t,r,i;return e.width==null&&(e.width=(t=[800,720,600,480].find(s=>s<=window.outerWidth/1.618))!=null?t:360),(r=e.left)!=null||(e.left=Math.max(0,Math.round(window.screenX+(window.outerWidth-e.width)/2))),e.height!=null&&((i=e.top)!=null||(e.top=Math.max(0,Math.round(window.screenY+(window.outerHeight-e.height)/2)))),e}static serialize(e){return Object.entries(e).filter(([,t])=>t!=null).map(([t,r])=>`${t}=${typeof r!="boolean"?r:r?"yes":"no"}`).join(",")}};var f=class d extends w{constructor(){super(...arguments);this._logger=new l(`Timer('${this._name}')`);this._timerHandle=null;this._expiration=0;this._callback=()=>{let t=this._expiration-d.getEpochTime();this._logger.debug("timer completes in",t),this._expiration<=d.getEpochTime()&&(this.cancel(),super.raise())}}static getEpochTime(){return Math.floor(Date.now()/1e3)}init(t){let r=this._logger.create("init");t=Math.max(Math.floor(t),1);let i=d.getEpochTime()+t;if(this.expiration===i&&this._timerHandle){r.debug("skipping since already initialized for expiration at",this.expiration);return}this.cancel(),r.debug("using duration",t),this._expiration=i;let s=Math.min(t,5);this._timerHandle=setInterval(this._callback,s*1e3)}get expiration(){return this._expiration}cancel(){this._logger.create("cancel"),this._timerHandle&&(clearInterval(this._timerHandle),this._timerHandle=null)}};var G=class{static readParams(e,t="query"){if(!e)throw new TypeError("Invalid URL");let i=new URL(e,"http://127.0.0.1")[t==="fragment"?"hash":"search"];return new URLSearchParams(i.slice(1))}},T=";";var S=class extends Error{constructor(t,r){var i,s,n;super(t.error_description||t.error||"");this.form=r;this.name="ErrorResponse";if(!t.error)throw l.error("ErrorResponse","No error passed"),new Error("No error passed");this.error=t.error,this.error_description=(i=t.error_description)!=null?i:null,this.error_uri=(s=t.error_uri)!=null?s:null,this.state=t.userState,this.session_state=(n=t.session_state)!=null?n:null,this.url_state=t.url_state}};var C=class extends Error{constructor(t){super(t);this.name="ErrorTimeout"}};var X=class{constructor(e){this._logger=new l("AccessTokenEvents");this._expiringTimer=new f("Access token expiring");this._expiredTimer=new f("Access token expired");this._expiringNotificationTimeInSeconds=e.expiringNotificationTimeInSeconds}async load(e){let t=this._logger.create("load");if(e.access_token&&e.expires_in!==void 0){let r=e.expires_in;if(t.debug("access token present, remaining duration:",r),r>0){let s=r-this._expiringNotificationTimeInSeconds;s<=0&&(s=1),t.debug("registering expiring timer, raising in",s,"seconds"),this._expiringTimer.init(s)}else t.debug("canceling existing expiring timer because we're past expiration."),this._expiringTimer.cancel();let i=r+1;t.debug("registering expired timer, raising in",i,"seconds"),this._expiredTimer.init(i)}else this._expiringTimer.cancel(),this._expiredTimer.cancel()}async unload(){this._logger.debug("unload: canceling existing access token timers"),this._expiringTimer.cancel(),this._expiredTimer.cancel()}addAccessTokenExpiring(e){return this._expiringTimer.addHandler(e)}removeAccessTokenExpiring(e){this._expiringTimer.removeHandler(e)}addAccessTokenExpired(e){return this._expiredTimer.addHandler(e)}removeAccessTokenExpired(e){this._expiredTimer.removeHandler(e)}};var Y=class{constructor(e,t,r,i,s){this._callback=e;this._client_id=t;this._intervalInSeconds=i;this._stopOnError=s;this._logger=new l("CheckSessionIFrame");this._timer=null;this._session_state=null;this._message=e=>{e.origin===this._frame_origin&&e.source===this._frame.contentWindow&&(e.data==="error"?(this._logger.error("error message from check session op iframe"),this._stopOnError&&this.stop()):e.data==="changed"?(this._logger.debug("changed message from check session op iframe"),this.stop(),this._callback()):this._logger.debug(e.data+" message from check session op iframe"))};let n=new URL(r);this._frame_origin=n.origin,this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="fixed",this._frame.style.left="-1000px",this._frame.style.top="0",this._frame.width="0",this._frame.height="0",this._frame.src=n.href}load(){return new Promise(e=>{this._frame.onload=()=>{e()},window.document.body.appendChild(this._frame),window.addEventListener("message",this._message,!1)})}start(e){if(this._session_state===e)return;this._logger.create("start"),this.stop(),this._session_state=e;let t=()=>{!this._frame.contentWindow||!this._session_state||this._frame.contentWindow.postMessage(this._client_id+" "+this._session_state,this._frame_origin)};t(),this._timer=setInterval(t,this._intervalInSeconds*1e3)}stop(){this._logger.create("stop"),this._session_state=null,this._timer&&(clearInterval(this._timer),this._timer=null)}};var M=class{constructor(){this._logger=new l("InMemoryWebStorage");this._data={}}clear(){this._logger.create("clear"),this._data={}}getItem(e){return this._logger.create(`getItem('${e}')`),this._data[e]}setItem(e,t){this._logger.create(`setItem('${e}')`),this._data[e]=t}removeItem(e){this._logger.create(`removeItem('${e}')`),delete this._data[e]}get length(){return Object.getOwnPropertyNames(this._data).length}key(e){return Object.getOwnPropertyNames(this._data)[e]}};var V=class extends Error{constructor(t,r){super(r);this.name="ErrorDPoPNonce";this.nonce=t}};var N=class{constructor(e=[],t=null,r={}){this._jwtHandler=t;this._extraHeaders=r;this._logger=new l("JsonService");this._contentTypes=[];this._contentTypes.push(...e,"application/json"),t&&this._contentTypes.push("application/jwt")}async fetchWithTimeout(e,t={}){let{timeoutInSeconds:r,...i}=t;if(!r)return await fetch(e,i);let s=new AbortController,n=setTimeout(()=>s.abort(),r*1e3);try{return await fetch(e,{...t,signal:s.signal})}catch(o){throw o instanceof DOMException&&o.name==="AbortError"?new C("Network timed out"):o}finally{clearTimeout(n)}}async getJson(e,{token:t,credentials:r,timeoutInSeconds:i}={}){let s=this._logger.create("getJson"),n={Accept:this._contentTypes.join(", ")};t&&(s.debug("token passed, setting Authorization header"),n.Authorization="Bearer "+t),this._appendExtraHeaders(n);let o;try{s.debug("url:",e),o=await this.fetchWithTimeout(e,{method:"GET",headers:n,timeoutInSeconds:i,credentials:r})}catch(g){throw s.error("Network Error"),g}s.debug("HTTP response received, status",o.status);let a=o.headers.get("Content-Type");if(a&&!this._contentTypes.find(g=>a.startsWith(g))&&s.throw(new Error(`Invalid response Content-Type: ${a!=null?a:"undefined"}, from URL: ${e}`)),o.ok&&this._jwtHandler&&(a!=null&&a.startsWith("application/jwt")))return await this._jwtHandler(await o.text());let c;try{c=await o.json()}catch(g){throw s.error("Error parsing JSON response",g),o.ok?g:new Error(`${o.statusText} (${o.status})`)}if(!o.ok)throw s.error("Error from server:",c),c.error?new S(c):new Error(`${o.statusText} (${o.status}): ${JSON.stringify(c)}`);return c}async postForm(e,{body:t,basicAuth:r,timeoutInSeconds:i,initCredentials:s,extraHeaders:n}){let o=this._logger.create("postForm"),a={Accept:this._contentTypes.join(", "),"Content-Type":"application/x-www-form-urlencoded",...n};r!==void 0&&(a.Authorization="Basic "+r),this._appendExtraHeaders(a);let c;try{o.debug("url:",e),c=await this.fetchWithTimeout(e,{method:"POST",headers:a,body:t,timeoutInSeconds:i,credentials:s})}catch(h){throw o.error("Network error"),h}o.debug("HTTP response received, status",c.status);let g=c.headers.get("Content-Type");if(g&&!this._contentTypes.find(h=>g.startsWith(h)))throw new Error(`Invalid response Content-Type: ${g!=null?g:"undefined"}, from URL: ${e}`);let u=await c.text(),p={};if(u)try{p=JSON.parse(u)}catch(h){throw o.error("Error parsing JSON response",h),c.ok?h:new Error(`${c.statusText} (${c.status})`)}if(!c.ok){if(o.error("Error from server:",p),c.headers.has("dpop-nonce")){let h=c.headers.get("dpop-nonce");throw new V(h,`${JSON.stringify(p)}`)}throw p.error?new S(p,t):new Error(`${c.statusText} (${c.status}): ${JSON.stringify(p)}`)}return p}_appendExtraHeaders(e){let t=this._logger.create("appendExtraHeaders"),r=Object.keys(this._extraHeaders),i=["accept","content-type"],s=["authorization"];r.length!==0&&r.forEach(n=>{if(i.includes(n.toLocaleLowerCase())){t.warn("Protected header could not be set",n,i);return}if(s.includes(n.toLocaleLowerCase())&&Object.keys(e).includes(n)){t.warn("Header could not be overridden",n,s);return}let o=typeof this._extraHeaders[n]=="function"?this._extraHeaders[n]():this._extraHeaders[n];o&&o!==""&&(e[n]=o)})}};var Z=class{constructor(e){this._settings=e;this._logger=new l("MetadataService");this._signingKeys=null;this._metadata=null;this._metadataUrl=this._settings.metadataUrl,this._jsonService=new N(["application/jwk-set+json"],null,this._settings.extraHeaders),this._settings.signingKeys&&(this._logger.debug("using signingKeys from settings"),this._signingKeys=this._settings.signingKeys),this._settings.metadata&&(this._logger.debug("using metadata from settings"),this._metadata=this._settings.metadata),this._settings.fetchRequestCredentials&&(this._logger.debug("using fetchRequestCredentials from settings"),this._fetchRequestCredentials=this._settings.fetchRequestCredentials)}resetSigningKeys(){this._signingKeys=null}async getMetadata(){let e=this._logger.create("getMetadata");if(this._metadata)return e.debug("using cached values"),this._metadata;if(!this._metadataUrl)throw e.throw(new Error("No authority or metadataUrl configured on settings")),null;e.debug("getting metadata from",this._metadataUrl);let t=await this._jsonService.getJson(this._metadataUrl,{credentials:this._fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return e.debug("merging remote JSON with seed metadata"),this._metadata=Object.assign({},t,this._settings.metadataSeed),this._metadata}getIssuer(){return this._getMetadataProperty("issuer")}getAuthorizationEndpoint(){return this._getMetadataProperty("authorization_endpoint")}getUserInfoEndpoint(){return this._getMetadataProperty("userinfo_endpoint")}getTokenEndpoint(e=!0){return this._getMetadataProperty("token_endpoint",e)}getCheckSessionIframe(){return this._getMetadataProperty("check_session_iframe",!0)}getEndSessionEndpoint(){return this._getMetadataProperty("end_session_endpoint",!0)}getRevocationEndpoint(e=!0){return this._getMetadataProperty("revocation_endpoint",e)}getKeysEndpoint(e=!0){return this._getMetadataProperty("jwks_uri",e)}async _getMetadataProperty(e,t=!1){let r=this._logger.create(`_getMetadataProperty('${e}')`),i=await this.getMetadata();if(r.debug("resolved"),i[e]===void 0){if(t===!0){r.warn("Metadata does not contain optional property");return}r.throw(new Error("Metadata does not contain property "+e))}return i[e]}async getSigningKeys(){let e=this._logger.create("getSigningKeys");if(this._signingKeys)return e.debug("returning signingKeys from cache"),this._signingKeys;let t=await this.getKeysEndpoint(!1);e.debug("got jwks_uri",t);let r=await this._jsonService.getJson(t,{timeoutInSeconds:this._settings.requestTimeoutInSeconds});if(e.debug("got key set",r),!Array.isArray(r.keys))throw e.throw(new Error("Missing keys on keyset")),null;return this._signingKeys=r.keys,this._signingKeys}};var D=class{constructor({prefix:e="oidc.",store:t=localStorage}={}){this._logger=new l("WebStorageStateStore");this._store=t,this._prefix=e}async set(e,t){this._logger.create(`set('${e}')`),e=this._prefix+e,await this._store.setItem(e,t)}async get(e){return this._logger.create(`get('${e}')`),e=this._prefix+e,await this._store.getItem(e)}async remove(e){this._logger.create(`remove('${e}')`),e=this._prefix+e;let t=await this._store.getItem(e);return await this._store.removeItem(e),t}async getAllKeys(){this._logger.create("getAllKeys");let e=await this._store.length,t=[];for(let r=0;r<e;r++){let i=await this._store.key(r);i&&i.indexOf(this._prefix)===0&&t.push(i.substr(this._prefix.length))}return t}};var Ye="code",Ze="openid",et="client_secret_post",tt=60*15,A=class{constructor({authority:e,metadataUrl:t,metadata:r,signingKeys:i,metadataSeed:s,client_id:n,client_secret:o,response_type:a=Ye,scope:c=Ze,redirect_uri:g,post_logout_redirect_uri:u,client_authentication:p=et,prompt:h,display:v,max_age:J,ui_locales:F,acr_values:K,resource:O,response_mode:$,filterProtocolClaims:E=!0,loadUserInfo:P=!1,requestTimeoutInSeconds:_,staleStateAgeInSeconds:I=tt,mergeClaimsStrategy:q={array:"replace"},disablePKCE:b=!1,stateStore:B,revokeTokenAdditionalContentTypes:de,fetchRequestCredentials:Ee,refreshTokenAllowedScope:Me,extraQueryParams:Ne={},extraTokenParams:De={},extraHeaders:We={},dpop:Le,omitScopeWhenRequesting:je=!1}){var Ie;if(this.authority=e,t?this.metadataUrl=t:(this.metadataUrl=e,e&&(this.metadataUrl.endsWith("/")||(this.metadataUrl+="/"),this.metadataUrl+=".well-known/openid-configuration")),this.metadata=r,this.metadataSeed=s,this.signingKeys=i,this.client_id=n,this.client_secret=o,this.response_type=a,this.scope=c,this.redirect_uri=g,this.post_logout_redirect_uri=u,this.client_authentication=p,this.prompt=h,this.display=v,this.max_age=J,this.ui_locales=F,this.acr_values=K,this.resource=O,this.response_mode=$,this.filterProtocolClaims=E!=null?E:!0,this.loadUserInfo=!!P,this.staleStateAgeInSeconds=I,this.mergeClaimsStrategy=q,this.omitScopeWhenRequesting=je,this.disablePKCE=!!b,this.revokeTokenAdditionalContentTypes=de,this.fetchRequestCredentials=Ee||"same-origin",this.requestTimeoutInSeconds=_,B)this.stateStore=B;else{let He=typeof window!="undefined"?window.localStorage:new M;this.stateStore=new D({store:He})}if(this.refreshTokenAllowedScope=Me,this.extraQueryParams=Ne,this.extraTokenParams=De,this.extraHeaders=We,this.dpop=Le,this.dpop&&!((Ie=this.dpop)!=null&&Ie.store))throw new Error("A DPoPStore is required when dpop is enabled")}};var le=class{constructor(e,t){this._settings=e;this._metadataService=t;this._logger=new l("UserInfoService");this._getClaimsFromJwt=async e=>{let t=this._logger.create("_getClaimsFromJwt");try{let r=U.decode(e);return t.debug("JWT decoding successful"),r}catch(r){throw t.error("Error parsing JWT response"),r}};this._jsonService=new N(void 0,this._getClaimsFromJwt,this._settings.extraHeaders)}async getClaims(e){let t=this._logger.create("getClaims");e||this._logger.throw(new Error("No token passed"));let r=await this._metadataService.getUserInfoEndpoint();t.debug("got userinfo url",r);let i=await this._jsonService.getJson(r,{token:e,credentials:this._settings.fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return t.debug("got claims",i),i}};var ee=class{constructor(e,t){this._settings=e;this._metadataService=t;this._logger=new l("TokenClient");this._jsonService=new N(this._settings.revokeTokenAdditionalContentTypes,null,this._settings.extraHeaders)}async exchangeCode({grant_type:e="authorization_code",redirect_uri:t=this._settings.redirect_uri,client_id:r=this._settings.client_id,client_secret:i=this._settings.client_secret,extraHeaders:s,...n}){let o=this._logger.create("exchangeCode");r||o.throw(new Error("A client_id is required")),t||o.throw(new Error("A redirect_uri is required")),n.code||o.throw(new Error("A code is required"));let a=new URLSearchParams({grant_type:e,redirect_uri:t});for(let[p,h]of Object.entries(n))h!=null&&a.set(p,h);let c;switch(this._settings.client_authentication){case"client_secret_basic":if(i==null)throw o.throw(new Error("A client_secret is required")),null;c=m.generateBasicAuth(r,i);break;case"client_secret_post":a.append("client_id",r),i&&a.append("client_secret",i);break}let g=await this._metadataService.getTokenEndpoint(!1);o.debug("got token endpoint");let u=await this._jsonService.postForm(g,{body:a,basicAuth:c,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:s});return o.debug("got response"),u}async exchangeCredentials({grant_type:e="password",client_id:t=this._settings.client_id,client_secret:r=this._settings.client_secret,scope:i=this._settings.scope,...s}){let n=this._logger.create("exchangeCredentials");t||n.throw(new Error("A client_id is required"));let o=new URLSearchParams({grant_type:e});this._settings.omitScopeWhenRequesting||o.set("scope",i);for(let[u,p]of Object.entries(s))p!=null&&o.set(u,p);let a;switch(this._settings.client_authentication){case"client_secret_basic":if(r==null)throw n.throw(new Error("A client_secret is required")),null;a=m.generateBasicAuth(t,r);break;case"client_secret_post":o.append("client_id",t),r&&o.append("client_secret",r);break}let c=await this._metadataService.getTokenEndpoint(!1);n.debug("got token endpoint");let g=await this._jsonService.postForm(c,{body:o,basicAuth:a,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),g}async exchangeRefreshToken({grant_type:e="refresh_token",client_id:t=this._settings.client_id,client_secret:r=this._settings.client_secret,timeoutInSeconds:i,extraHeaders:s,...n}){let o=this._logger.create("exchangeRefreshToken");t||o.throw(new Error("A client_id is required")),n.refresh_token||o.throw(new Error("A refresh_token is required"));let a=new URLSearchParams({grant_type:e});for(let[p,h]of Object.entries(n))Array.isArray(h)?h.forEach(v=>a.append(p,v)):h!=null&&a.set(p,h);let c;switch(this._settings.client_authentication){case"client_secret_basic":if(r==null)throw o.throw(new Error("A client_secret is required")),null;c=m.generateBasicAuth(t,r);break;case"client_secret_post":a.append("client_id",t),r&&a.append("client_secret",r);break}let g=await this._metadataService.getTokenEndpoint(!1);o.debug("got token endpoint");let u=await this._jsonService.postForm(g,{body:a,basicAuth:c,timeoutInSeconds:i,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:s});return o.debug("got response"),u}async revoke(e){var s;let t=this._logger.create("revoke");e.token||t.throw(new Error("A token is required"));let r=await this._metadataService.getRevocationEndpoint(!1);t.debug(`got revocation endpoint, revoking ${(s=e.token_type_hint)!=null?s:"default token type"}`);let i=new URLSearchParams;for(let[n,o]of Object.entries(e))o!=null&&i.set(n,o);i.set("client_id",this._settings.client_id),this._settings.client_secret&&i.set("client_secret",this._settings.client_secret),await this._jsonService.postForm(r,{body:i,timeoutInSeconds:this._settings.requestTimeoutInSeconds}),t.debug("got response")}};var ge=class{constructor(e,t,r){this._settings=e;this._metadataService=t;this._claimsService=r;this._logger=new l("ResponseValidator");this._userInfoService=new le(this._settings,this._metadataService),this._tokenClient=new ee(this._settings,this._metadataService)}async validateSigninResponse(e,t,r){let i=this._logger.create("validateSigninResponse");this._processSigninState(e,t),i.debug("state processed"),await this._processCode(e,t,r),i.debug("code processed"),e.isOpenId&&this._validateIdTokenAttributes(e),i.debug("tokens validated"),await this._processClaims(e,t==null?void 0:t.skipUserInfo,e.isOpenId),i.debug("claims processed")}async validateCredentialsResponse(e,t){let r=this._logger.create("validateCredentialsResponse");e.isOpenId&&e.id_token&&this._validateIdTokenAttributes(e),r.debug("tokens validated"),await this._processClaims(e,t,e.isOpenId),r.debug("claims processed")}async validateRefreshResponse(e,t){var s,n;let r=this._logger.create("validateRefreshResponse");e.userState=t.data,(s=e.session_state)!=null||(e.session_state=t.session_state),(n=e.scope)!=null||(e.scope=t.scope),e.isOpenId&&e.id_token&&(this._validateIdTokenAttributes(e,t.id_token),r.debug("ID Token validated")),e.id_token||(e.id_token=t.id_token,e.profile=t.profile);let i=e.isOpenId&&!!e.id_token;await this._processClaims(e,!1,i),r.debug("claims processed")}validateSignoutResponse(e,t){let r=this._logger.create("validateSignoutResponse");if(t.id!==e.state&&r.throw(new Error("State does not match")),r.debug("state validated"),e.userState=t.data,e.error)throw r.warn("Response was error",e.error),new S(e)}_processSigninState(e,t){var i;let r=this._logger.create("_processSigninState");if(t.id!==e.state&&r.throw(new Error("State does not match")),t.client_id||r.throw(new Error("No client_id on state")),t.authority||r.throw(new Error("No authority on state")),this._settings.authority!==t.authority&&r.throw(new Error("authority mismatch on settings vs. signin state")),this._settings.client_id&&this._settings.client_id!==t.client_id&&r.throw(new Error("client_id mismatch on settings vs. signin state")),r.debug("state validated"),e.userState=t.data,e.url_state=t.url_state,(i=e.scope)!=null||(e.scope=t.scope),e.error)throw r.warn("Response was error",e.error),new S(e);t.code_verifier&&!e.code&&r.throw(new Error("Expected code in response"))}async _processClaims(e,t=!1,r=!0){let i=this._logger.create("_processClaims");if(e.profile=this._claimsService.filterProtocolClaims(e.profile),t||!this._settings.loadUserInfo||!e.access_token){i.debug("not loading user info");return}i.debug("loading user info");let s=await this._userInfoService.getClaims(e.access_token);i.debug("user info claims received from user info endpoint"),r&&s.sub!==e.profile.sub&&i.throw(new Error("subject from UserInfo response does not match subject in ID Token")),e.profile=this._claimsService.mergeClaims(e.profile,this._claimsService.filterProtocolClaims(s)),i.debug("user info claims received, updated profile:",e.profile)}async _processCode(e,t,r){let i=this._logger.create("_processCode");if(e.code){i.debug("Validating code");let s=await this._tokenClient.exchangeCode({client_id:t.client_id,client_secret:t.client_secret,code:e.code,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier,extraHeaders:r,...t.extraTokenParams});Object.assign(e,s)}else i.debug("No code to process")}_validateIdTokenAttributes(e,t){var s;let r=this._logger.create("_validateIdTokenAttributes");r.debug("decoding ID Token JWT");let i=U.decode((s=e.id_token)!=null?s:"");if(i.sub||r.throw(new Error("ID Token is missing a subject claim")),t){let n=U.decode(t);i.sub!==n.sub&&r.throw(new Error("sub in id_token does not match current sub")),i.auth_time&&i.auth_time!==n.auth_time&&r.throw(new Error("auth_time in id_token does not match original auth_time")),i.azp&&i.azp!==n.azp&&r.throw(new Error("azp in id_token does not match original azp")),!i.azp&&n.azp&&r.throw(new Error("azp not in id_token, but present in original id_token"))}e.profile=i}};var k=class d{constructor(e){this.id=e.id||m.generateUUIDv4(),this.data=e.data,e.created&&e.created>0?this.created=e.created:this.created=f.getEpochTime(),this.request_type=e.request_type,this.url_state=e.url_state}toStorageString(){return new l("State").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state})}static fromStorageString(e){return l.createStatic("State","fromStorageString"),Promise.resolve(new d(JSON.parse(e)))}static async clearStaleState(e,t){let r=l.createStatic("State","clearStaleState"),i=f.getEpochTime()-t,s=await e.getAllKeys();r.debug("got keys",s);for(let n=0;n<s.length;n++){let o=s[n],a=await e.get(o),c=!1;if(a)try{let g=await d.fromStorageString(a);r.debug("got item from key:",o,g.created),g.created<=i&&(c=!0)}catch(g){r.error("Error parsing state for key:",o,g),c=!0}else r.debug("no item in storage for key:",o),c=!0;c&&(r.debug("removed item for key:",o),e.remove(o))}}};var W=class d extends k{constructor(e){super(e),this.code_verifier=e.code_verifier,this.code_challenge=e.code_challenge,this.authority=e.authority,this.client_id=e.client_id,this.redirect_uri=e.redirect_uri,this.scope=e.scope,this.client_secret=e.client_secret,this.extraTokenParams=e.extraTokenParams,this.response_mode=e.response_mode,this.skipUserInfo=e.skipUserInfo}static async create(e){let t=e.code_verifier===!0?m.generateCodeVerifier():e.code_verifier||void 0,r=t?await m.generateCodeChallenge(t):void 0;return new d({...e,code_verifier:t,code_challenge:r})}toStorageString(){return new l("SigninState").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state,code_verifier:this.code_verifier,authority:this.authority,client_id:this.client_id,redirect_uri:this.redirect_uri,scope:this.scope,client_secret:this.client_secret,extraTokenParams:this.extraTokenParams,response_mode:this.response_mode,skipUserInfo:this.skipUserInfo})}static fromStorageString(e){l.createStatic("SigninState","fromStorageString");let t=JSON.parse(e);return d.create(t)}};var ue=class ue{constructor(e){this.url=e.url,this.state=e.state}static async create({url:e,authority:t,client_id:r,redirect_uri:i,response_type:s,scope:n,state_data:o,response_mode:a,request_type:c,client_secret:g,nonce:u,url_state:p,resource:h,skipUserInfo:v,extraQueryParams:J,extraTokenParams:F,disablePKCE:K,dpopJkt:O,omitScopeWhenRequesting:$,...E}){if(!e)throw this._logger.error("create: No url passed"),new Error("url");if(!r)throw this._logger.error("create: No client_id passed"),new Error("client_id");if(!i)throw this._logger.error("create: No redirect_uri passed"),new Error("redirect_uri");if(!s)throw this._logger.error("create: No response_type passed"),new Error("response_type");if(!n)throw this._logger.error("create: No scope passed"),new Error("scope");if(!t)throw this._logger.error("create: No authority passed"),new Error("authority");let P=await W.create({data:o,request_type:c,url_state:p,code_verifier:!K,client_id:r,authority:t,redirect_uri:i,response_mode:a,client_secret:g,scope:n,extraTokenParams:F,skipUserInfo:v}),_=new URL(e);_.searchParams.append("client_id",r),_.searchParams.append("redirect_uri",i),_.searchParams.append("response_type",s),$||_.searchParams.append("scope",n),u&&_.searchParams.append("nonce",u),O&&_.searchParams.append("dpop_jkt",O);let I=P.id;p&&(I=`${I}${T}${p}`),_.searchParams.append("state",I),P.code_challenge&&(_.searchParams.append("code_challenge",P.code_challenge),_.searchParams.append("code_challenge_method","S256")),h&&(Array.isArray(h)?h:[h]).forEach(b=>_.searchParams.append("resource",b));for(let[q,b]of Object.entries({response_mode:a,...E,...J}))b!=null&&_.searchParams.append(q,b.toString());return new ue({url:_.href,state:P})}};ue._logger=new l("SigninRequest");var pe=ue;var rt="openid",L=class{constructor(e){this.access_token="";this.token_type="";this.profile={};if(this.state=e.get("state"),this.session_state=e.get("session_state"),this.state){let t=decodeURIComponent(this.state).split(T);this.state=t[0],t.length>1&&(this.url_state=t.slice(1).join(T))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri"),this.code=e.get("code")}get expires_in(){if(this.expires_at!==void 0)return this.expires_at-f.getEpochTime()}set expires_in(e){typeof e=="string"&&(e=Number(e)),e!==void 0&&e>=0&&(this.expires_at=Math.floor(e)+f.getEpochTime())}get isOpenId(){var e;return((e=this.scope)==null?void 0:e.split(" ").includes(rt))||!!this.id_token}};var he=class{constructor({url:e,state_data:t,id_token_hint:r,post_logout_redirect_uri:i,extraQueryParams:s,request_type:n,client_id:o,url_state:a}){this._logger=new l("SignoutRequest");if(!e)throw this._logger.error("ctor: No url passed"),new Error("url");let c=new URL(e);if(r&&c.searchParams.append("id_token_hint",r),o&&c.searchParams.append("client_id",o),i&&(c.searchParams.append("post_logout_redirect_uri",i),t||a)){this.state=new k({data:t,request_type:n,url_state:a});let g=this.state.id;a&&(g=`${g}${T}${a}`),c.searchParams.append("state",g)}for(let[g,u]of Object.entries({...s}))u!=null&&c.searchParams.append(g,u.toString());this.url=c.href}};var te=class{constructor(e){if(this.state=e.get("state"),this.state){let t=decodeURIComponent(this.state).split(T);this.state=t[0],t.length>1&&(this.url_state=t.slice(1).join(T))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri")}};var it=["nbf","jti","auth_time","nonce","acr","amr","azp","at_hash"],st=["sub","iss","aud","exp","iat"],me=class{constructor(e){this._settings=e;this._logger=new l("ClaimsService")}filterProtocolClaims(e){let t={...e};if(this._settings.filterProtocolClaims){let r;Array.isArray(this._settings.filterProtocolClaims)?r=this._settings.filterProtocolClaims:r=it;for(let i of r)st.includes(i)||delete t[i]}return t}mergeClaims(e,t){let r={...e};for(let[i,s]of Object.entries(t))if(r[i]!==s)if(Array.isArray(r[i])||Array.isArray(s))if(this._settings.mergeClaimsStrategy.array=="replace")r[i]=s;else{let n=Array.isArray(r[i])?r[i]:[r[i]];for(let o of Array.isArray(s)?s:[s])n.includes(o)||n.push(o);r[i]=n}else typeof r[i]=="object"&&typeof s=="object"?r[i]=this.mergeClaims(r[i],s):r[i]=s;return r}};var j=class{constructor(e,t){this.keys=e;this.nonce=t}};var oe=class{constructor(e,t){this._logger=new l("OidcClient");this.settings=e instanceof A?e:new A(e),this.metadataService=t!=null?t:new Z(this.settings),this._claimsService=new me(this.settings),this._validator=new ge(this.settings,this.metadataService,this._claimsService),this._tokenClient=new ee(this.settings,this.metadataService)}async createSigninRequest({state:e,request:t,request_uri:r,request_type:i,id_token_hint:s,login_hint:n,skipUserInfo:o,nonce:a,url_state:c,response_type:g=this.settings.response_type,scope:u=this.settings.scope,redirect_uri:p=this.settings.redirect_uri,prompt:h=this.settings.prompt,display:v=this.settings.display,max_age:J=this.settings.max_age,ui_locales:F=this.settings.ui_locales,acr_values:K=this.settings.acr_values,resource:O=this.settings.resource,response_mode:$=this.settings.response_mode,extraQueryParams:E=this.settings.extraQueryParams,extraTokenParams:P=this.settings.extraTokenParams,dpopJkt:_,omitScopeWhenRequesting:I=this.settings.omitScopeWhenRequesting}){let q=this._logger.create("createSigninRequest");if(g!=="code")throw new Error("Only the Authorization Code flow (with PKCE) is supported");let b=await this.metadataService.getAuthorizationEndpoint();q.debug("Received authorization endpoint",b);let B=await pe.create({url:b,authority:this.settings.authority,client_id:this.settings.client_id,redirect_uri:p,response_type:g,scope:u,state_data:e,url_state:c,prompt:h,display:v,max_age:J,ui_locales:F,id_token_hint:s,login_hint:n,acr_values:K,dpopJkt:_,resource:O,request:t,request_uri:r,extraQueryParams:E,extraTokenParams:P,request_type:i,response_mode:$,client_secret:this.settings.client_secret,skipUserInfo:o,nonce:a,disablePKCE:this.settings.disablePKCE,omitScopeWhenRequesting:I});await this.clearStaleState();let de=B.state;return await this.settings.stateStore.set(de.id,de.toStorageString()),B}async readSigninResponseState(e,t=!1){let r=this._logger.create("readSigninResponseState"),i=new L(G.readParams(e,this.settings.response_mode));if(!i.state)throw r.throw(new Error("No state in response")),null;let s=await this.settings.stateStore[t?"remove":"get"](i.state);if(!s)throw r.throw(new Error("No matching state found in storage")),null;return{state:await W.fromStorageString(s),response:i}}async processSigninResponse(e,t,r=!0){let i=this._logger.create("processSigninResponse"),{state:s,response:n}=await this.readSigninResponseState(e,r);if(i.debug("received state from storage; validating response"),this.settings.dpop&&this.settings.dpop.store){let o=await this.getDpopProof(this.settings.dpop.store);t={...t,DPoP:o}}try{await this._validator.validateSigninResponse(n,s,t)}catch(o){if(o instanceof V&&this.settings.dpop){let a=await this.getDpopProof(this.settings.dpop.store,o.nonce);t.DPoP=a,await this._validator.validateSigninResponse(n,s,t)}else throw o}return n}async getDpopProof(e,t){let r,i;return(await e.getAllKeys()).includes(this.settings.client_id)?(i=await e.get(this.settings.client_id),i.nonce!==t&&t&&(i.nonce=t,await e.set(this.settings.client_id,i))):(r=await m.generateDPoPKeys(),i=new j(r,t),await e.set(this.settings.client_id,i)),await m.generateDPoPProof({url:await this.metadataService.getTokenEndpoint(!1),httpMethod:"POST",keyPair:i.keys,nonce:i.nonce})}async processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:r=!1,extraTokenParams:i={}}){let s=await this._tokenClient.exchangeCredentials({username:e,password:t,...i}),n=new L(new URLSearchParams);return Object.assign(n,s),await this._validator.validateCredentialsResponse(n,r),n}async useRefreshToken({state:e,redirect_uri:t,resource:r,timeoutInSeconds:i,extraHeaders:s,extraTokenParams:n}){var u;let o=this._logger.create("useRefreshToken"),a;if(this.settings.refreshTokenAllowedScope===void 0)a=e.scope;else{let p=this.settings.refreshTokenAllowedScope.split(" ");a=(((u=e.scope)==null?void 0:u.split(" "))||[]).filter(v=>p.includes(v)).join(" ")}if(this.settings.dpop&&this.settings.dpop.store){let p=await this.getDpopProof(this.settings.dpop.store);s={...s,DPoP:p}}let c;try{c=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:a,redirect_uri:t,resource:r,timeoutInSeconds:i,extraHeaders:s,...n})}catch(p){if(p instanceof V&&this.settings.dpop)s.DPoP=await this.getDpopProof(this.settings.dpop.store,p.nonce),c=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:a,redirect_uri:t,resource:r,timeoutInSeconds:i,extraHeaders:s,...n});else throw p}let g=new L(new URLSearchParams);return Object.assign(g,c),o.debug("validating response",g),await this._validator.validateRefreshResponse(g,{...e,scope:a}),g}async createSignoutRequest({state:e,id_token_hint:t,client_id:r,request_type:i,url_state:s,post_logout_redirect_uri:n=this.settings.post_logout_redirect_uri,extraQueryParams:o=this.settings.extraQueryParams}={}){let a=this._logger.create("createSignoutRequest"),c=await this.metadataService.getEndSessionEndpoint();if(!c)throw a.throw(new Error("No end session endpoint")),null;a.debug("Received end session endpoint",c),!r&&n&&!t&&(r=this.settings.client_id);let g=new he({url:c,id_token_hint:t,client_id:r,post_logout_redirect_uri:n,state_data:e,extraQueryParams:o,request_type:i,url_state:s});await this.clearStaleState();let u=g.state;return u&&(a.debug("Signout request has state to persist"),await this.settings.stateStore.set(u.id,u.toStorageString())),g}async readSignoutResponseState(e,t=!1){let r=this._logger.create("readSignoutResponseState"),i=new te(G.readParams(e,this.settings.response_mode));if(!i.state){if(r.debug("No state in response"),i.error)throw r.warn("Response was error:",i.error),new S(i);return{state:void 0,response:i}}let s=await this.settings.stateStore[t?"remove":"get"](i.state);if(!s)throw r.throw(new Error("No matching state found in storage")),null;return{state:await k.fromStorageString(s),response:i}}async processSignoutResponse(e){let t=this._logger.create("processSignoutResponse"),{state:r,response:i}=await this.readSignoutResponseState(e,!0);return r?(t.debug("Received state from storage; validating response"),this._validator.validateSignoutResponse(i,r)):t.debug("No state from storage; skipping response validation"),i}clearStaleState(){return this._logger.create("clearStaleState"),k.clearStaleState(this.settings.stateStore,this.settings.staleStateAgeInSeconds)}async revokeToken(e,t){return this._logger.create("revokeToken"),await this._tokenClient.revoke({token:e,token_type_hint:t})}};var re=class{constructor(e){this._userManager=e;this._logger=new l("SessionMonitor");this._start=async e=>{let t=e.session_state;if(!t)return;let r=this._logger.create("_start");if(e.profile?(this._sub=e.profile.sub,r.debug("session_state",t,", sub",this._sub)):(this._sub=void 0,r.debug("session_state",t,", anonymous user")),this._checkSessionIFrame){this._checkSessionIFrame.start(t);return}try{let i=await this._userManager.metadataService.getCheckSessionIframe();if(i){r.debug("initializing check session iframe");let s=this._userManager.settings.client_id,n=this._userManager.settings.checkSessionIntervalInSeconds,o=this._userManager.settings.stopCheckSessionOnError,a=new Y(this._callback,s,i,n,o);await a.load(),this._checkSessionIFrame=a,a.start(t)}else r.warn("no check session iframe found in the metadata")}catch(i){r.error("Error from getCheckSessionIframe:",i instanceof Error?i.message:i)}};this._stop=()=>{let e=this._logger.create("_stop");if(this._sub=void 0,this._checkSessionIFrame&&this._checkSessionIFrame.stop(),this._userManager.settings.monitorAnonymousSession){let t=setInterval(async()=>{clearInterval(t);try{let r=await this._userManager.querySessionStatus();if(r){let i={session_state:r.session_state,profile:r.sub?{sub:r.sub}:null};this._start(i)}}catch(r){e.error("error from querySessionStatus",r instanceof Error?r.message:r)}},1e3)}};this._callback=async()=>{let e=this._logger.create("_callback");try{let t=await this._userManager.querySessionStatus(),r=!0;t&&this._checkSessionIFrame?t.sub===this._sub?(r=!1,this._checkSessionIFrame.start(t.session_state),e.debug("same sub still logged in at OP, session state has changed, restarting check session iframe; session_state",t.session_state),await this._userManager.events._raiseUserSessionChanged()):e.debug("different subject signed into OP",t.sub):e.debug("subject no longer signed into OP"),r?this._sub?await this._userManager.events._raiseUserSignedOut():await this._userManager.events._raiseUserSignedIn():e.debug("no change in session detected, no event to raise")}catch(t){this._sub&&(e.debug("Error calling queryCurrentSigninSession; raising signed out event",t),await this._userManager.events._raiseUserSignedOut())}};e||this._logger.throw(new Error("No user manager passed")),this._userManager.events.addUserLoaded(this._start),this._userManager.events.addUserUnloaded(this._stop),this._init().catch(t=>{this._logger.error(t)})}async _init(){this._logger.create("_init");let e=await this._userManager.getUser();if(e)this._start(e);else if(this._userManager.settings.monitorAnonymousSession){let t=await this._userManager.querySessionStatus();if(t){let r={session_state:t.session_state,profile:t.sub?{sub:t.sub}:null};this._start(r)}}}};var H=class d{constructor(e){var t;this.id_token=e.id_token,this.session_state=(t=e.session_state)!=null?t:null,this.access_token=e.access_token,this.refresh_token=e.refresh_token,this.token_type=e.token_type,this.scope=e.scope,this.profile=e.profile,this.expires_at=e.expires_at,this.state=e.userState,this.url_state=e.url_state}get expires_in(){if(this.expires_at!==void 0)return this.expires_at-f.getEpochTime()}set expires_in(e){e!==void 0&&(this.expires_at=Math.floor(e)+f.getEpochTime())}get expired(){let e=this.expires_in;if(e!==void 0)return e<=0}get scopes(){var e,t;return(t=(e=this.scope)==null?void 0:e.split(" "))!=null?t:[]}toStorageString(){return new l("User").create("toStorageString"),JSON.stringify({id_token:this.id_token,session_state:this.session_state,access_token:this.access_token,refresh_token:this.refresh_token,token_type:this.token_type,scope:this.scope,profile:this.profile,expires_at:this.expires_at})}static fromStorageString(e){return l.createStatic("User","fromStorageString"),new d(JSON.parse(e))}};var Ae="oidc-client",ie=class{constructor(){this._abort=new w("Window navigation aborted");this._disposeHandlers=new Set;this._window=null}async navigate(e){let t=this._logger.create("navigate");if(!this._window)throw new Error("Attempted to navigate on a disposed window");t.debug("setting URL in window"),this._window.location.replace(e.url);let{url:r,keepOpen:i}=await new Promise((s,n)=>{let o=a=>{var u;let c=a.data,g=(u=e.scriptOrigin)!=null?u:window.location.origin;if(!(a.origin!==g||(c==null?void 0:c.source)!==Ae)){try{let p=G.readParams(c.url,e.response_mode).get("state");if(p||t.warn("no state found in response url"),a.source!==this._window&&p!==e.state)return}catch{this._dispose(),n(new Error("Invalid response from window"))}s(c)}};window.addEventListener("message",o,!1),this._disposeHandlers.add(()=>window.removeEventListener("message",o,!1)),this._disposeHandlers.add(this._abort.addHandler(a=>{this._dispose(),n(a)}))});return t.debug("got response from window"),this._dispose(),i||this.close(),{url:r}}_dispose(){this._logger.create("_dispose");for(let e of this._disposeHandlers)e();this._disposeHandlers.clear()}static _notifyParent(e,t,r=!1,i=window.location.origin){e.postMessage({source:Ae,url:t,keepOpen:r},i)}};var xe={location:!1,toolbar:!1,height:640,closePopupWindowAfterInSeconds:-1},Re="_blank",nt=60,ot=2,Te=10,se=class extends A{constructor(e){let{popup_redirect_uri:t=e.redirect_uri,popup_post_logout_redirect_uri:r=e.post_logout_redirect_uri,popupWindowFeatures:i=xe,popupWindowTarget:s=Re,redirectMethod:n="assign",redirectTarget:o="self",iframeNotifyParentOrigin:a=e.iframeNotifyParentOrigin,iframeScriptOrigin:c=e.iframeScriptOrigin,requestTimeoutInSeconds:g,silent_redirect_uri:u=e.redirect_uri,silentRequestTimeoutInSeconds:p,automaticSilentRenew:h=!0,validateSubOnSilentRenew:v=!0,includeIdTokenInSilentRenew:J=!1,monitorSession:F=!1,monitorAnonymousSession:K=!1,checkSessionIntervalInSeconds:O=ot,query_status_response_type:$="code",stopCheckSessionOnError:E=!0,revokeTokenTypes:P=["access_token","refresh_token"],revokeTokensOnSignout:_=!1,includeIdTokenInSilentSignout:I=!1,accessTokenExpiringNotificationTimeInSeconds:q=nt,userStore:b}=e;if(super(e),this.popup_redirect_uri=t,this.popup_post_logout_redirect_uri=r,this.popupWindowFeatures=i,this.popupWindowTarget=s,this.redirectMethod=n,this.redirectTarget=o,this.iframeNotifyParentOrigin=a,this.iframeScriptOrigin=c,this.silent_redirect_uri=u,this.silentRequestTimeoutInSeconds=p||g||Te,this.automaticSilentRenew=h,this.validateSubOnSilentRenew=v,this.includeIdTokenInSilentRenew=J,this.monitorSession=F,this.monitorAnonymousSession=K,this.checkSessionIntervalInSeconds=O,this.stopCheckSessionOnError=E,this.query_status_response_type=$,this.revokeTokenTypes=P,this.revokeTokensOnSignout=_,this.includeIdTokenInSilentSignout=I,this.accessTokenExpiringNotificationTimeInSeconds=q,b)this.userStore=b;else{let B=typeof window!="undefined"?window.sessionStorage:new M;this.userStore=new D({store:B})}}};var ae=class d extends ie{constructor({silentRequestTimeoutInSeconds:t=Te}){super();this._logger=new l("IFrameWindow");this._timeoutInSeconds=t,this._frame=d.createHiddenIframe(),this._window=this._frame.contentWindow}static createHiddenIframe(){let t=window.document.createElement("iframe");return t.style.visibility="hidden",t.style.position="fixed",t.style.left="-1000px",t.style.top="0",t.width="0",t.height="0",window.document.body.appendChild(t),t}async navigate(t){this._logger.debug("navigate: Using timeout of:",this._timeoutInSeconds);let r=setTimeout(()=>void this._abort.raise(new C("IFrame timed out without a response")),this._timeoutInSeconds*1e3);return this._disposeHandlers.add(()=>clearTimeout(r)),await super.navigate(t)}close(){var t;this._frame&&(this._frame.parentNode&&(this._frame.addEventListener("load",r=>{var s;let i=r.target;(s=i.parentNode)==null||s.removeChild(i),this._abort.raise(new Error("IFrame removed from DOM"))},!0),(t=this._frame.contentWindow)==null||t.location.replace("about:blank")),this._frame=null),this._window=null}static notifyParent(t,r){return super._notifyParent(window.parent,t,!1,r)}};var _e=class{constructor(e){this._settings=e;this._logger=new l("IFrameNavigator")}async prepare({silentRequestTimeoutInSeconds:e=this._settings.silentRequestTimeoutInSeconds}){return new ae({silentRequestTimeoutInSeconds:e})}async callback(e){this._logger.create("callback"),ae.notifyParent(e,this._settings.iframeNotifyParentOrigin)}};var at=500,ct=1e3,ce=class extends ie{constructor({popupWindowTarget:t=Re,popupWindowFeatures:r={},popupSignal:i}){super();this._logger=new