UNPKG

piral-oidc

Version:

Plugin to integrate authentication using OpenID connect in Piral.

piral.io

smapiot/piral

1 lines • 71.6 kB
1
var piralOidc=(()=>{var z=Object.defineProperty;var Oe=Object.getOwnPropertyDescriptor;var qe=Object.getOwnPropertyNames;var Ne=Object.prototype.hasOwnProperty;var Me=(e,t)=>{for(var s in t)z(e,s,{get:t[s],enumerable:!0})},He=(e,t,s,i)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of qe(t))!Ne.call(e,r)&&r!==s&&z(e,r,{get:()=>t[r],enumerable:!(i=Oe(t,r))||i.enumerable});return e};var je=e=>He(z({},"__esModule",{value:!0}),e);var Et={};Me(Et,{LogLevel:()=>Ee,OidcErrorType:()=>Pe,createOidcApi:()=>De,setupOidcClient:()=>kt});function De(e){return t=>(t.on("before-fetch",e.extendHeaders),{getAccessToken(){return e.token()},getProfile(){return e.account()}})}var j=class extends Error{};j.prototype.name="InvalidTokenError";function $e(e){return decodeURIComponent(atob(e).replace(/(.)/g,(t,s)=>{let i=s.charCodeAt(0).toString(16).toUpperCase();return i.length<2&&(i="0"+i),"%"+i}))}function Je(e){let t=e.replace(/-/g,"+").replace(/_/g,"/");switch(t.length%4){case 0:break;case 2:t+="==";break;case 3:t+="=";break;default:throw new Error("base64 string is not of the correct length")}try{return $e(t)}catch{return atob(t)}}function re(e,t){if(typeof e!="string")throw new j("Invalid token specified: must be a string");t||(t={});let s=t.header===!0?0:1,i=e.split(".")[s];if(typeof i!="string")throw new j(`Invalid token specified: missing part #${s+1}`);let r;try{r=Je(i)}catch(n){throw new j(`Invalid token specified: invalid base64 for part #${s+1} (${n.message})`)}try{return JSON.parse(r)}catch(n){throw new j(`Invalid token specified: invalid json for part #${s+1} (${n.message})`)}}var We={debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},C,I,D=(e=>(e[e.NONE=0]="NONE",e[e.ERROR=1]="ERROR",e[e.WARN=2]="WARN",e[e.INFO=3]="INFO",e[e.DEBUG=4]="DEBUG",e))(D||{});(e=>{function t(){C=3,I=We}e.reset=t;function s(r){if(!(0<=r&&r<=4))throw new Error("Invalid log level");C=r}e.setLevel=s;function i(r){I=r}e.setLogger=i})(D||(D={}));var h=class x{constructor(t){this._name=t}debug(...t){C>=4&&I.debug(x._format(this._name,this._method),...t)}info(...t){C>=3&&I.info(x._format(this._name,this._method),...t)}warn(...t){C>=2&&I.warn(x._format(this._name,this._method),...t)}error(...t){C>=1&&I.error(x._format(this._name,this._method),...t)}throw(t){throw this.error(t),t}create(t){let s=Object.create(this);return s._method=t,s.debug("begin"),s}static createStatic(t,s){let i=new x(`${t}.${s}`);return i.debug("begin"),i}static _format(t,s){let i=`[${t}]`;return s?`${i} ${s}:`:i}static debug(t,...s){C>=4&&I.debug(x._format(t),...s)}static info(t,...s){C>=3&&I.info(x._format(t),...s)}static warn(t,...s){C>=2&&I.warn(x._format(t),...s)}static error(t,...s){C>=1&&I.error(x._format(t),...s)}};D.reset();var W=class{static decode(e){try{return re(e)}catch(t){throw h.error("JwtUtils.decode",t),t}}static async generateSignedJwt(e,t,s){let i=S.encodeBase64Url(new TextEncoder().encode(JSON.stringify(e))),r=S.encodeBase64Url(new TextEncoder().encode(JSON.stringify(t))),n=`${i}.${r}`,o=await window.crypto.subtle.sign({name:"ECDSA",hash:{name:"SHA-256"}},s,new TextEncoder().encode(n)),a=S.encodeBase64Url(new Uint8Array(o));return`${n}.${a}`}static async generateSignedJwtWithHmac(e,t,s){let i=S.encodeBase64Url(new TextEncoder().encode(JSON.stringify(e))),r=S.encodeBase64Url(new TextEncoder().encode(JSON.stringify(t))),n=`${i}.${r}`,o=await window.crypto.subtle.sign("HMAC",s,new TextEncoder().encode(n)),a=S.encodeBase64Url(new Uint8Array(o));return`${n}.${a}`}},Le="10000000-1000-4000-8000-100000000000",G=e=>btoa([...new Uint8Array(e)].map(t=>String.fromCharCode(t)).join("")),de=class P{static _randomWord(){let t=new Uint32Array(1);return crypto.getRandomValues(t),t[0]}static generateUUIDv4(){return Le.replace(/[018]/g,s=>(+s^P._randomWord()&15>>+s/4).toString(16)).replace(/-/g,"")}static generateCodeVerifier(){return P.generateUUIDv4()+P.generateUUIDv4()+P.generateUUIDv4()}static async generateCodeChallenge(t){if(!crypto.subtle)throw new Error("Crypto.subtle is available only in secure contexts (HTTPS).");try{let i=new TextEncoder().encode(t),r=await crypto.subtle.digest("SHA-256",i);return G(r).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}catch(s){throw h.error("CryptoUtils.generateCodeChallenge",s),s}}static generateBasicAuth(t,s){let r=new TextEncoder().encode([t,s].join(":"));return G(r)}static async hash(t,s){let i=new TextEncoder().encode(s),r=await crypto.subtle.digest(t,i);return new Uint8Array(r)}static async customCalculateJwkThumbprint(t){let s;switch(t.kty){case"RSA":s={e:t.e,kty:t.kty,n:t.n};break;case"EC":s={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":s={crv:t.crv,kty:t.kty,x:t.x};break;case"oct":s={crv:t.k,kty:t.kty};break;default:throw new Error("Unknown jwk type")}let i=await P.hash("SHA-256",JSON.stringify(s));return P.encodeBase64Url(i)}static async generateDPoPProof({url:t,accessToken:s,httpMethod:i,keyPair:r,nonce:n}){let o,a,c={jti:window.crypto.randomUUID(),htm:i??"GET",htu:t,iat:Math.floor(Date.now()/1e3)};s&&(o=await P.hash("SHA-256",s),a=P.encodeBase64Url(o),c.ath=a),n&&(c.nonce=n);try{let d=await crypto.subtle.exportKey("jwk",r.publicKey),l={alg:"ES256",typ:"dpop+jwt",jwk:{crv:d.crv,kty:d.kty,x:d.x,y:d.y}};return await W.generateSignedJwt(l,c,r.privateKey)}catch(d){throw d instanceof TypeError?new Error(`Error exporting dpop public key: ${d.message}`):d}}static async generateDPoPJkt(t){try{let s=await crypto.subtle.exportKey("jwk",t.publicKey);return await P.customCalculateJwkThumbprint(s)}catch(s){throw s instanceof TypeError?new Error(`Could not retrieve dpop keys from storage: ${s.message}`):s}}static async generateDPoPKeys(){return await window.crypto.subtle.generateKey({name:"ECDSA",namedCurve:"P-256"},!1,["sign","verify"])}static async generateClientAssertionJwt(t,s,i,r="HS256"){let n=Math.floor(Date.now()/1e3),o={alg:r,typ:"JWT"},a={iss:t,sub:t,aud:i,jti:P.generateUUIDv4(),exp:n+300,iat:n},d={HS256:"SHA-256",HS384:"SHA-384",HS512:"SHA-512"}[r];if(!d)throw new Error(`Unsupported algorithm: ${r}. Supported algorithms are: HS256, HS384, HS512`);let l=new TextEncoder,g=await crypto.subtle.importKey("raw",l.encode(s),{name:"HMAC",hash:d},!1,["sign"]);return await W.generateSignedJwtWithHmac(o,a,g)}};de.encodeBase64Url=e=>G(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_");var S=de,H=class{constructor(e){this._name=e,this._callbacks=[],this._logger=new h(`Event('${this._name}')`)}addHandler(e){return this._callbacks.push(e),()=>this.removeHandler(e)}removeHandler(e){let t=this._callbacks.lastIndexOf(e);t>=0&&this._callbacks.splice(t,1)}async raise(...e){this._logger.debug("raise:",...e);for(let t of this._callbacks)await t(...e)}},ne=class{static center({...e}){var t,s,i;return e.width==null&&(e.width=(t=[800,720,600,480].find(r=>r<=window.outerWidth/1.618))!=null?t:360),(s=e.left)!=null||(e.left=Math.max(0,Math.round(window.screenX+(window.outerWidth-e.width)/2))),e.height!=null&&((i=e.top)!=null||(e.top=Math.max(0,Math.round(window.screenY+(window.outerHeight-e.height)/2)))),e}static serialize(e){return Object.entries(e).filter(([,t])=>t!=null).map(([t,s])=>`${t}=${typeof s!="boolean"?s:s?"yes":"no"}`).join(",")}},M=class L extends H{constructor(){super(...arguments),this._logger=new h(`Timer('${this._name}')`),this._timerHandle=null,this._expiration=0,this._callback=()=>{let t=this._expiration-L.getEpochTime();this._logger.debug("timer completes in",t),this._expiration<=L.getEpochTime()&&(this.cancel(),super.raise())}}static getEpochTime(){return Math.floor(Date.now()/1e3)}init(t){let s=this._logger.create("init");t=Math.max(Math.floor(t),1);let i=L.getEpochTime()+t;if(this.expiration===i&&this._timerHandle){s.debug("skipping since already initialized for expiration at",this.expiration);return}this.cancel(),s.debug("using duration",t),this._expiration=i;let r=Math.min(t,5);this._timerHandle=setInterval(this._callback,r*1e3)}get expiration(){return this._expiration}cancel(){this._logger.create("cancel"),this._timerHandle&&(clearInterval(this._timerHandle),this._timerHandle=null)}},Q=class{static readParams(e,t="query"){if(!e)throw new TypeError("Invalid URL");let i=new URL(e,"http://127.0.0.1")[t==="fragment"?"hash":"search"];return new URLSearchParams(i.slice(1))}},J=";",$=class extends Error{constructor(e,t){var s,i,r;if(super(e.error_description||e.error||""),this.form=t,this.name="ErrorResponse",!e.error)throw h.error("ErrorResponse","No error passed"),new Error("No error passed");this.error=e.error,this.error_description=(s=e.error_description)!=null?s:null,this.error_uri=(i=e.error_uri)!=null?i:null,this.state=e.userState,this.session_state=(r=e.session_state)!=null?r:null,this.url_state=e.url_state}},te=class extends Error{constructor(e){super(e),this.name="ErrorTimeout"}},Ke=class{constructor(e){this._logger=new h("AccessTokenEvents"),this._expiringTimer=new M("Access token expiring"),this._expiredTimer=new M("Access token expired"),this._expiringNotificationTimeInSeconds=e.expiringNotificationTimeInSeconds}async load(e){let t=this._logger.create("load");if(e.access_token&&e.expires_in!==void 0){let s=e.expires_in;if(t.debug("access token present, remaining duration:",s),s>0){let r=s-this._expiringNotificationTimeInSeconds;r<=0&&(r=1),t.debug("registering expiring timer, raising in",r,"seconds"),this._expiringTimer.init(r)}else t.debug("canceling existing expiring timer because we're past expiration."),this._expiringTimer.cancel();let i=s+1;t.debug("registering expired timer, raising in",i,"seconds"),this._expiredTimer.init(i)}else this._expiringTimer.cancel(),this._expiredTimer.cancel()}async unload(){this._logger.debug("unload: canceling existing access token timers"),this._expiringTimer.cancel(),this._expiredTimer.cancel()}addAccessTokenExpiring(e){return this._expiringTimer.addHandler(e)}removeAccessTokenExpiring(e){this._expiringTimer.removeHandler(e)}addAccessTokenExpired(e){return this._expiredTimer.addHandler(e)}removeAccessTokenExpired(e){this._expiredTimer.removeHandler(e)}},Fe=class{constructor(e,t,s,i,r){this._callback=e,this._client_id=t,this._intervalInSeconds=i,this._stopOnError=r,this._logger=new h("CheckSessionIFrame"),this._timer=null,this._session_state=null,this._message=o=>{o.origin===this._frame_origin&&o.source===this._frame.contentWindow&&(o.data==="error"?(this._logger.error("error message from check session op iframe"),this._stopOnError&&this.stop()):o.data==="changed"?(this._logger.debug("changed message from check session op iframe"),this.stop(),this._callback()):this._logger.debug(o.data+" message from check session op iframe"))};let n=new URL(s);this._frame_origin=n.origin,this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="fixed",this._frame.style.left="-1000px",this._frame.style.top="0",this._frame.width="0",this._frame.height="0",this._frame.src=n.href}load(){return new Promise(e=>{this._frame.onload=()=>{e()},window.document.body.appendChild(this._frame),window.addEventListener("message",this._message,!1)})}start(e){if(this._session_state===e)return;this._logger.create("start"),this.stop(),this._session_state=e;let t=()=>{!this._frame.contentWindow||!this._session_state||this._frame.contentWindow.postMessage(this._client_id+" "+this._session_state,this._frame_origin)};t(),this._timer=setInterval(t,this._intervalInSeconds*1e3)}stop(){this._logger.create("stop"),this._session_state=null,this._timer&&(clearInterval(this._timer),this._timer=null)}},le=class{constructor(){this._logger=new h("InMemoryWebStorage"),this._data={}}clear(){this._logger.create("clear"),this._data={}}getItem(e){return this._logger.create(`getItem('${e}')`),this._data[e]}setItem(e,t){this._logger.create(`setItem('${e}')`),this._data[e]=t}removeItem(e){this._logger.create(`removeItem('${e}')`),delete this._data[e]}get length(){return Object.getOwnPropertyNames(this._data).length}key(e){return Object.getOwnPropertyNames(this._data)[e]}},X=class extends Error{constructor(e,t){super(t),this.name="ErrorDPoPNonce",this.nonce=e}},se=class{constructor(e=[],t=null,s={}){this._jwtHandler=t,this._extraHeaders=s,this._logger=new h("JsonService"),this._contentTypes=[],this._contentTypes.push(...e,"application/json"),t&&this._contentTypes.push("application/jwt")}async fetchWithTimeout(e,t={}){let{timeoutInSeconds:s,...i}=t;if(!s)return await fetch(e,i);let r=new AbortController,n=setTimeout(()=>r.abort(),s*1e3);try{return await fetch(e,{...t,signal:r.signal})}catch(o){throw o instanceof DOMException&&o.name==="AbortError"?new te("Network timed out"):o}finally{clearTimeout(n)}}async getJson(e,{token:t,credentials:s,timeoutInSeconds:i}={}){let r=this._logger.create("getJson"),n={Accept:this._contentTypes.join(", ")};t&&(r.debug("token passed, setting Authorization header"),n.Authorization="Bearer "+t),this._appendExtraHeaders(n);let o;try{r.debug("url:",e),o=await this.fetchWithTimeout(e,{method:"GET",headers:n,timeoutInSeconds:i,credentials:s})}catch(d){throw r.error("Network Error"),d}r.debug("HTTP response received, status",o.status);let a=o.headers.get("Content-Type");if(a&&!this._contentTypes.find(d=>a.startsWith(d))&&r.throw(new Error(`Invalid response Content-Type: ${a??"undefined"}, from URL: ${e}`)),o.ok&&this._jwtHandler&&a?.startsWith("application/jwt"))return await this._jwtHandler(await o.text());let c;try{c=await o.json()}catch(d){throw r.error("Error parsing JSON response",d),o.ok?d:new Error(`${o.statusText} (${o.status})`)}if(!o.ok)throw r.error("Error from server:",c),c.error?new $(c):new Error(`${o.statusText} (${o.status}): ${JSON.stringify(c)}`);return c}async postForm(e,{body:t,basicAuth:s,timeoutInSeconds:i,initCredentials:r,extraHeaders:n}){let o=this._logger.create("postForm"),a={Accept:this._contentTypes.join(", "),"Content-Type":"application/x-www-form-urlencoded",...n};s!==void 0&&(a.Authorization="Basic "+s),this._appendExtraHeaders(a);let c;try{o.debug("url:",e),c=await this.fetchWithTimeout(e,{method:"POST",headers:a,body:t,timeoutInSeconds:i,credentials:r})}catch(u){throw o.error("Network error"),u}o.debug("HTTP response received, status",c.status);let d=c.headers.get("Content-Type");if(d&&!this._contentTypes.find(u=>d.startsWith(u)))throw new Error(`Invalid response Content-Type: ${d??"undefined"}, from URL: ${e}`);let l=await c.text(),g={};if(l)try{g=JSON.parse(l)}catch(u){throw o.error("Error parsing JSON response",u),c.ok?u:new Error(`${c.statusText} (${c.status})`)}if(!c.ok){if(o.error("Error from server:",g),c.headers.has("dpop-nonce")){let u=c.headers.get("dpop-nonce");throw new X(u,`${JSON.stringify(g)}`)}throw g.error?new $(g,t):new Error(`${c.statusText} (${c.status}): ${JSON.stringify(g)}`)}return g}_appendExtraHeaders(e){let t=this._logger.create("appendExtraHeaders"),s=Object.keys(this._extraHeaders),i=["accept","content-type"],r=["authorization"];s.length!==0&&s.forEach(n=>{if(i.includes(n.toLocaleLowerCase())){t.warn("Protected header could not be set",n,i);return}if(r.includes(n.toLocaleLowerCase())&&Object.keys(e).includes(n)){t.warn("Header could not be overridden",n,r);return}let o=typeof this._extraHeaders[n]=="function"?this._extraHeaders[n]():this._extraHeaders[n];o&&o!==""&&(e[n]=o)})}},ze=class{constructor(e){this._settings=e,this._logger=new h("MetadataService"),this._signingKeys=null,this._metadata=null,this._metadataUrl=this._settings.metadataUrl,this._jsonService=new se(["application/jwk-set+json"],null,this._settings.extraHeaders),this._settings.signingKeys&&(this._logger.debug("using signingKeys from settings"),this._signingKeys=this._settings.signingKeys),this._settings.metadata&&(this._logger.debug("using metadata from settings"),this._metadata=this._settings.metadata),this._settings.fetchRequestCredentials&&(this._logger.debug("using fetchRequestCredentials from settings"),this._fetchRequestCredentials=this._settings.fetchRequestCredentials)}resetSigningKeys(){this._signingKeys=null}async getMetadata(){let e=this._logger.create("getMetadata");if(this._metadata)return e.debug("using cached values"),this._metadata;if(!this._metadataUrl)throw e.throw(new Error("No authority or metadataUrl configured on settings")),null;e.debug("getting metadata from",this._metadataUrl);let t=await this._jsonService.getJson(this._metadataUrl,{credentials:this._fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return e.debug("merging remote JSON with seed metadata"),this._metadata=Object.assign({},t,this._settings.metadataSeed),this._metadata}getIssuer(){return this._getMetadataProperty("issuer")}getAuthorizationEndpoint(){return this._getMetadataProperty("authorization_endpoint")}getUserInfoEndpoint(){return this._getMetadataProperty("userinfo_endpoint")}getTokenEndpoint(e=!0){return this._getMetadataProperty("token_endpoint",e)}getCheckSessionIframe(){return this._getMetadataProperty("check_session_iframe",!0)}getEndSessionEndpoint(){return this._getMetadataProperty("end_session_endpoint",!0)}getRevocationEndpoint(e=!0){return this._getMetadataProperty("revocation_endpoint",e)}getKeysEndpoint(e=!0){return this._getMetadataProperty("jwks_uri",e)}async _getMetadataProperty(e,t=!1){let s=this._logger.create(`_getMetadataProperty('${e}')`),i=await this.getMetadata();if(s.debug("resolved"),i[e]===void 0){if(t===!0){s.warn("Metadata does not contain optional property");return}s.throw(new Error("Metadata does not contain property "+e))}return i[e]}async getSigningKeys(){let e=this._logger.create("getSigningKeys");if(this._signingKeys)return e.debug("returning signingKeys from cache"),this._signingKeys;let t=await this.getKeysEndpoint(!1);e.debug("got jwks_uri",t);let s=await this._jsonService.getJson(t,{timeoutInSeconds:this._settings.requestTimeoutInSeconds});if(e.debug("got key set",s),!Array.isArray(s.keys))throw e.throw(new Error("Missing keys on keyset")),null;return this._signingKeys=s.keys,this._signingKeys}},ge=class{constructor({prefix:e="oidc.",store:t=localStorage}={}){this._logger=new h("WebStorageStateStore"),this._store=t,this._prefix=e}async set(e,t){this._logger.create(`set('${e}')`),e=this._prefix+e,await this._store.setItem(e,t)}async get(e){return this._logger.create(`get('${e}')`),e=this._prefix+e,await this._store.getItem(e)}async remove(e){this._logger.create(`remove('${e}')`),e=this._prefix+e;let t=await this._store.getItem(e);return await this._store.removeItem(e),t}async getAllKeys(){this._logger.create("getAllKeys");let e=await this._store.length,t=[];for(let s=0;s<e;s++){let i=await this._store.key(s);i&&i.indexOf(this._prefix)===0&&t.push(i.substr(this._prefix.length))}return t}},Be="code",Ve="openid",Ge="client_secret_post",Qe=900,Y=class{constructor({authority:e,metadataUrl:t,metadata:s,signingKeys:i,metadataSeed:r,client_id:n,client_secret:o,response_type:a=Be,scope:c=Ve,redirect_uri:d,post_logout_redirect_uri:l,client_authentication:g=Ge,token_endpoint_auth_signing_alg:u="HS256",prompt:v,display:U,max_age:A,ui_locales:O,acr_values:q,resource:T,response_mode:N,filterProtocolClaims:b=!0,loadUserInfo:_=!1,requestTimeoutInSeconds:f,staleStateAgeInSeconds:R=Qe,mergeClaimsStrategy:E={array:"replace"},disablePKCE:p=!1,stateStore:w,revokeTokenAdditionalContentTypes:m,fetchRequestCredentials:y,refreshTokenAllowedScope:Te,extraQueryParams:Re={},extraTokenParams:xe={},extraHeaders:Ce={},dpop:Ie,omitScopeWhenRequesting:Ue=!1}){var ie;if(this.authority=e,t?this.metadataUrl=t:(this.metadataUrl=e,e&&(this.metadataUrl.endsWith("/")||(this.metadataUrl+="/"),this.metadataUrl+=".well-known/openid-configuration")),this.metadata=s,this.metadataSeed=r,this.signingKeys=i,this.client_id=n,this.client_secret=o,this.response_type=a,this.scope=c,this.redirect_uri=d,this.post_logout_redirect_uri=l,this.client_authentication=g,this.token_endpoint_auth_signing_alg=u,this.prompt=v,this.display=U,this.max_age=A,this.ui_locales=O,this.acr_values=q,this.resource=T,this.response_mode=N,this.filterProtocolClaims=b??!0,this.loadUserInfo=!!_,this.staleStateAgeInSeconds=R,this.mergeClaimsStrategy=E,this.omitScopeWhenRequesting=Ue,this.disablePKCE=!!p,this.revokeTokenAdditionalContentTypes=m,this.fetchRequestCredentials=y||"same-origin",this.requestTimeoutInSeconds=f,w)this.stateStore=w;else{let Ae=typeof window<"u"?window.localStorage:new le;this.stateStore=new ge({store:Ae})}if(this.refreshTokenAllowedScope=Te,this.extraQueryParams=Re,this.extraTokenParams=xe,this.extraHeaders=Ce,this.dpop=Ie,this.dpop&&!((ie=this.dpop)!=null&&ie.store))throw new Error("A DPoPStore is required when dpop is enabled")}},Xe=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new h("UserInfoService"),this._getClaimsFromJwt=async s=>{let i=this._logger.create("_getClaimsFromJwt");try{let r=W.decode(s);return i.debug("JWT decoding successful"),r}catch(r){throw i.error("Error parsing JWT response"),r}},this._jsonService=new se(void 0,this._getClaimsFromJwt,this._settings.extraHeaders)}async getClaims(e){let t=this._logger.create("getClaims");e||this._logger.throw(new Error("No token passed"));let s=await this._metadataService.getUserInfoEndpoint();t.debug("got userinfo url",s);let i=await this._jsonService.getJson(s,{token:e,credentials:this._settings.fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return t.debug("got claims",i),i}},he=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new h("TokenClient"),this._jsonService=new se(this._settings.revokeTokenAdditionalContentTypes,null,this._settings.extraHeaders)}async exchangeCode({grant_type:e="authorization_code",redirect_uri:t=this._settings.redirect_uri,client_id:s=this._settings.client_id,client_secret:i=this._settings.client_secret,extraHeaders:r,...n}){let o=this._logger.create("exchangeCode");s||o.throw(new Error("A client_id is required")),t||o.throw(new Error("A redirect_uri is required")),n.code||o.throw(new Error("A code is required"));let a=new URLSearchParams({grant_type:e,redirect_uri:t});for(let[g,u]of Object.entries(n))u!=null&&a.set(g,u);if((this._settings.client_authentication==="client_secret_basic"||this._settings.client_authentication==="client_secret_jwt")&&i==null)throw o.throw(new Error("A client_secret is required")),null;let c,d=await this._metadataService.getTokenEndpoint(!1);switch(this._settings.client_authentication){case"client_secret_basic":c=S.generateBasicAuth(s,i);break;case"client_secret_post":a.append("client_id",s),i&&a.append("client_secret",i);break;case"client_secret_jwt":{let g=await S.generateClientAssertionJwt(s,i,d,this._settings.token_endpoint_auth_signing_alg);a.append("client_id",s),a.append("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),a.append("client_assertion",g);break}}o.debug("got token endpoint");let l=await this._jsonService.postForm(d,{body:a,basicAuth:c,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:r});return o.debug("got response"),l}async exchangeCredentials({grant_type:e="password",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,scope:i=this._settings.scope,...r}){let n=this._logger.create("exchangeCredentials");t||n.throw(new Error("A client_id is required"));let o=new URLSearchParams({grant_type:e});this._settings.omitScopeWhenRequesting||o.set("scope",i);for(let[l,g]of Object.entries(r))g!=null&&o.set(l,g);if((this._settings.client_authentication==="client_secret_basic"||this._settings.client_authentication==="client_secret_jwt")&&s==null)throw n.throw(new Error("A client_secret is required")),null;let a,c=await this._metadataService.getTokenEndpoint(!1);switch(this._settings.client_authentication){case"client_secret_basic":a=S.generateBasicAuth(t,s);break;case"client_secret_post":o.append("client_id",t),s&&o.append("client_secret",s);break;case"client_secret_jwt":{let l=await S.generateClientAssertionJwt(t,s,c,this._settings.token_endpoint_auth_signing_alg);o.append("client_id",t),o.append("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),o.append("client_assertion",l);break}}n.debug("got token endpoint");let d=await this._jsonService.postForm(c,{body:o,basicAuth:a,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),d}async exchangeRefreshToken({grant_type:e="refresh_token",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,timeoutInSeconds:i,extraHeaders:r,...n}){let o=this._logger.create("exchangeRefreshToken");t||o.throw(new Error("A client_id is required")),n.refresh_token||o.throw(new Error("A refresh_token is required"));let a=new URLSearchParams({grant_type:e});for(let[g,u]of Object.entries(n))Array.isArray(u)?u.forEach(v=>a.append(g,v)):u!=null&&a.set(g,u);if((this._settings.client_authentication==="client_secret_basic"||this._settings.client_authentication==="client_secret_jwt")&&s==null)throw o.throw(new Error("A client_secret is required")),null;let c,d=await this._metadataService.getTokenEndpoint(!1);switch(this._settings.client_authentication){case"client_secret_basic":c=S.generateBasicAuth(t,s);break;case"client_secret_post":a.append("client_id",t),s&&a.append("client_secret",s);break;case"client_secret_jwt":{let g=await S.generateClientAssertionJwt(t,s,d,this._settings.token_endpoint_auth_signing_alg);a.append("client_id",t),a.append("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),a.append("client_assertion",g);break}}o.debug("got token endpoint");let l=await this._jsonService.postForm(d,{body:a,basicAuth:c,timeoutInSeconds:i,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:r});return o.debug("got response"),l}async revoke(e){var t;let s=this._logger.create("revoke");e.token||s.throw(new Error("A token is required"));let i=await this._metadataService.getRevocationEndpoint(!1);s.debug(`got revocation endpoint, revoking ${(t=e.token_type_hint)!=null?t:"default token type"}`);let r=new URLSearchParams;for(let[n,o]of Object.entries(e))o!=null&&r.set(n,o);r.set("client_id",this._settings.client_id),this._settings.client_secret&&r.set("client_secret",this._settings.client_secret),await this._jsonService.postForm(i,{body:r,timeoutInSeconds:this._settings.requestTimeoutInSeconds}),s.debug("got response")}},Ye=class{constructor(e,t,s){this._settings=e,this._metadataService=t,this._claimsService=s,this._logger=new h("ResponseValidator"),this._userInfoService=new Xe(this._settings,this._metadataService),this._tokenClient=new he(this._settings,this._metadataService)}async validateSigninResponse(e,t,s){let i=this._logger.create("validateSigninResponse");this._processSigninState(e,t),i.debug("state processed"),await this._processCode(e,t,s),i.debug("code processed"),e.isOpenId&&this._validateIdTokenAttributes(e),i.debug("tokens validated"),await this._processClaims(e,t?.skipUserInfo,e.isOpenId),i.debug("claims processed")}async validateCredentialsResponse(e,t){let s=this._logger.create("validateCredentialsResponse"),i=e.isOpenId&&!!e.id_token;i&&this._validateIdTokenAttributes(e),s.debug("tokens validated"),await this._processClaims(e,t,i),s.debug("claims processed")}async validateRefreshResponse(e,t){var s,i;let r=this._logger.create("validateRefreshResponse");e.userState=t.data,(s=e.session_state)!=null||(e.session_state=t.session_state),(i=e.scope)!=null||(e.scope=t.scope),e.isOpenId&&e.id_token&&(this._validateIdTokenAttributes(e,t.id_token),r.debug("ID Token validated")),e.id_token||(e.id_token=t.id_token,e.profile=t.profile);let n=e.isOpenId&&!!e.id_token;await this._processClaims(e,!1,n),r.debug("claims processed")}validateSignoutResponse(e,t){let s=this._logger.create("validateSignoutResponse");if(t.id!==e.state&&s.throw(new Error("State does not match")),s.debug("state validated"),e.userState=t.data,e.error)throw s.warn("Response was error",e.error),new $(e)}_processSigninState(e,t){var s;let i=this._logger.create("_processSigninState");if(t.id!==e.state&&i.throw(new Error("State does not match")),t.client_id||i.throw(new Error("No client_id on state")),t.authority||i.throw(new Error("No authority on state")),this._settings.authority!==t.authority&&i.throw(new Error("authority mismatch on settings vs. signin state")),this._settings.client_id&&this._settings.client_id!==t.client_id&&i.throw(new Error("client_id mismatch on settings vs. signin state")),i.debug("state validated"),e.userState=t.data,e.url_state=t.url_state,(s=e.scope)!=null||(e.scope=t.scope),e.error)throw i.warn("Response was error",e.error),new $(e);t.code_verifier&&!e.code&&i.throw(new Error("Expected code in response"))}async _processClaims(e,t=!1,s=!0){let i=this._logger.create("_processClaims");if(e.profile=this._claimsService.filterProtocolClaims(e.profile),t||!this._settings.loadUserInfo||!e.access_token){i.debug("not loading user info");return}i.debug("loading user info");let r=await this._userInfoService.getClaims(e.access_token);i.debug("user info claims received from user info endpoint"),s&&r.sub!==e.profile.sub&&i.throw(new Error("subject from UserInfo response does not match subject in ID Token")),e.profile=this._claimsService.mergeClaims(e.profile,this._claimsService.filterProtocolClaims(r)),i.debug("user info claims received, updated profile:",e.profile)}async _processCode(e,t,s){let i=this._logger.create("_processCode");if(e.code){i.debug("Validating code");let r=await this._tokenClient.exchangeCode({client_id:t.client_id,client_secret:t.client_secret,code:e.code,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier,extraHeaders:s,...t.extraTokenParams});Object.assign(e,r)}else i.debug("No code to process")}_validateIdTokenAttributes(e,t){var s;let i=this._logger.create("_validateIdTokenAttributes");i.debug("decoding ID Token JWT");let r=W.decode((s=e.id_token)!=null?s:"");if(r.sub||i.throw(new Error("ID Token is missing a subject claim")),t){let n=W.decode(t);r.sub!==n.sub&&i.throw(new Error("sub in id_token does not match current sub")),r.auth_time&&r.auth_time!==n.auth_time&&i.throw(new Error("auth_time in id_token does not match original auth_time")),r.azp&&r.azp!==n.azp&&i.throw(new Error("azp in id_token does not match original azp")),!r.azp&&n.azp&&i.throw(new Error("azp not in id_token, but present in original id_token"))}e.profile=r}},K=class Z{constructor(t){this.id=t.id||S.generateUUIDv4(),this.data=t.data,t.created&&t.created>0?this.created=t.created:this.created=M.getEpochTime(),this.request_type=t.request_type,this.url_state=t.url_state}toStorageString(){return new h("State").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state})}static fromStorageString(t){return h.createStatic("State","fromStorageString"),Promise.resolve(new Z(JSON.parse(t)))}static async clearStaleState(t,s){let i=h.createStatic("State","clearStaleState"),r=M.getEpochTime()-s,n=await t.getAllKeys();i.debug("got keys",n);for(let o=0;o<n.length;o++){let a=n[o],c=await t.get(a),d=!1;if(c)try{let l=await Z.fromStorageString(c);i.debug("got item from key:",a,l.created),l.created<=r&&(d=!0)}catch(l){i.error("Error parsing state for key:",a,l),d=!0}else i.debug("no item in storage for key:",a),d=!0;d&&(i.debug("removed item for key:",a),t.remove(a))}}},ue=class ee extends K{constructor(t){super(t),this.code_verifier=t.code_verifier,this.code_challenge=t.code_challenge,this.authority=t.authority,this.client_id=t.client_id,this.redirect_uri=t.redirect_uri,this.scope=t.scope,this.client_secret=t.client_secret,this.extraTokenParams=t.extraTokenParams,this.response_mode=t.response_mode,this.skipUserInfo=t.skipUserInfo}static async create(t){let s=t.code_verifier===!0?S.generateCodeVerifier():t.code_verifier||void 0,i=s?await S.generateCodeChallenge(s):void 0;return new ee({...t,code_verifier:s,code_challenge:i})}toStorageString(){return new h("SigninState").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state,code_verifier:this.code_verifier,authority:this.authority,client_id:this.client_id,redirect_uri:this.redirect_uri,scope:this.scope,client_secret:this.client_secret,extraTokenParams:this.extraTokenParams,response_mode:this.response_mode,skipUserInfo:this.skipUserInfo})}static fromStorageString(t){h.createStatic("SigninState","fromStorageString");let s=JSON.parse(t);return ee.create(s)}},_e=class pe{constructor(t){this.url=t.url,this.state=t.state}static async create({url:t,authority:s,client_id:i,redirect_uri:r,response_type:n,scope:o,state_data:a,response_mode:c,request_type:d,client_secret:l,nonce:g,url_state:u,resource:v,skipUserInfo:U,extraQueryParams:A,extraTokenParams:O,disablePKCE:q,dpopJkt:T,omitScopeWhenRequesting:N,...b}){if(!t)throw this._logger.error("create: No url passed"),new Error("url");if(!i)throw this._logger.error("create: No client_id passed"),new Error("client_id");if(!r)throw this._logger.error("create: No redirect_uri passed"),new Error("redirect_uri");if(!n)throw this._logger.error("create: No response_type passed"),new Error("response_type");if(!o)throw this._logger.error("create: No scope passed"),new Error("scope");if(!s)throw this._logger.error("create: No authority passed"),new Error("authority");let _=await ue.create({data:a,request_type:d,url_state:u,code_verifier:!q,client_id:i,authority:s,redirect_uri:r,response_mode:c,client_secret:l,scope:o,extraTokenParams:O,skipUserInfo:U}),f=new URL(t);f.searchParams.append("client_id",i),f.searchParams.append("redirect_uri",r),f.searchParams.append("response_type",n),N||f.searchParams.append("scope",o),g&&f.searchParams.append("nonce",g),T&&f.searchParams.append("dpop_jkt",T);let R=_.id;u&&(R=`${R}${J}${u}`),f.searchParams.append("state",R),_.code_challenge&&(f.searchParams.append("code_challenge",_.code_challenge),f.searchParams.append("code_challenge_method","S256")),v&&(Array.isArray(v)?v:[v]).forEach(p=>f.searchParams.append("resource",p));for(let[E,p]of Object.entries({response_mode:c,...b,...A}))p!=null&&f.searchParams.append(E,p.toString());return new pe({url:f.href,state:_})}};_e._logger=new h("SigninRequest");var Ze=_e,et="openid",B=class{constructor(e){if(this.access_token="",this.token_type="",this.profile={},this.state=e.get("state"),this.session_state=e.get("session_state"),this.state){let t=decodeURIComponent(this.state).split(J);this.state=t[0],t.length>1&&(this.url_state=t.slice(1).join(J))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri"),this.code=e.get("code")}get expires_in(){if(this.expires_at!==void 0)return this.expires_at-M.getEpochTime()}set expires_in(e){typeof e=="string"&&(e=Number(e)),e!==void 0&&e>=0&&(this.expires_at=Math.floor(e)+M.getEpochTime())}get isOpenId(){var e;return((e=this.scope)==null?void 0:e.split(" ").includes(et))||!!this.id_token}},tt=class{constructor({url:e,state_data:t,id_token_hint:s,post_logout_redirect_uri:i,extraQueryParams:r,request_type:n,client_id:o,url_state:a}){if(this._logger=new h("SignoutRequest"),!e)throw this._logger.error("ctor: No url passed"),new Error("url");let c=new URL(e);if(s&&c.searchParams.append("id_token_hint",s),o&&c.searchParams.append("client_id",o),i&&(c.searchParams.append("post_logout_redirect_uri",i),t||a)){this.state=new K({data:t,request_type:n,url_state:a});let d=this.state.id;a&&(d=`${d}${J}${a}`),c.searchParams.append("state",d)}for(let[d,l]of Object.entries({...r}))l!=null&&c.searchParams.append(d,l.toString());this.url=c.href}},st=class{constructor(e){if(this.state=e.get("state"),this.state){let t=decodeURIComponent(this.state).split(J);this.state=t[0],t.length>1&&(this.url_state=t.slice(1).join(J))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri")}},it=["nbf","jti","auth_time","nonce","acr","amr","azp","at_hash"],rt=["sub","iss","aud","exp","iat"],nt=class{constructor(e){this._settings=e,this._logger=new h("ClaimsService")}filterProtocolClaims(e){let t={...e};if(this._settings.filterProtocolClaims){let s;Array.isArray(this._settings.filterProtocolClaims)?s=this._settings.filterProtocolClaims:s=it;for(let i of s)rt.includes(i)||delete t[i]}return t}mergeClaims(e,t){let s={...e};for(let[i,r]of Object.entries(t))if(s[i]!==r)if(Array.isArray(s[i])||Array.isArray(r))if(this._settings.mergeClaimsStrategy.array=="replace")s[i]=r;else{let n=Array.isArray(s[i])?s[i]:[s[i]];for(let o of Array.isArray(r)?r:[r])n.includes(o)||n.push(o);s[i]=n}else typeof s[i]=="object"&&typeof r=="object"?s[i]=this.mergeClaims(s[i],r):s[i]=r;return s}},fe=class{constructor(e,t){this.keys=e,this.nonce=t}},ot=class{constructor(e,t){this._logger=new h("OidcClient"),this.settings=e instanceof Y?e:new Y(e),this.metadataService=t??new ze(this.settings),this._claimsService=new nt(this.settings),this._validator=new Ye(this.settings,this.metadataService,this._claimsService),this._tokenClient=new he(this.settings,this.metadataService)}async createSigninRequest({state:e,request:t,request_uri:s,request_type:i,id_token_hint:r,login_hint:n,skipUserInfo:o,nonce:a,url_state:c,response_type:d=this.settings.response_type,scope:l=this.settings.scope,redirect_uri:g=this.settings.redirect_uri,prompt:u=this.settings.prompt,display:v=this.settings.display,max_age:U=this.settings.max_age,ui_locales:A=this.settings.ui_locales,acr_values:O=this.settings.acr_values,resource:q=this.settings.resource,response_mode:T=this.settings.response_mode,extraQueryParams:N=this.settings.extraQueryParams,extraTokenParams:b=this.settings.extraTokenParams,dpopJkt:_,omitScopeWhenRequesting:f=this.settings.omitScopeWhenRequesting}){let R=this._logger.create("createSigninRequest");if(d!=="code")throw new Error("Only the Authorization Code flow (with PKCE) is supported");let E=await this.metadataService.getAuthorizationEndpoint();R.debug("Received authorization endpoint",E);let p=await Ze.create({url:E,authority:this.settings.authority,client_id:this.settings.client_id,redirect_uri:g,response_type:d,scope:l,state_data:e,url_state:c,prompt:u,display:v,max_age:U,ui_locales:A,id_token_hint:r,login_hint:n,acr_values:O,dpopJkt:_,resource:q,request:t,request_uri:s,extraQueryParams:N,extraTokenParams:b,request_type:i,response_mode:T,client_secret:this.settings.client_secret,skipUserInfo:o,nonce:a,disablePKCE:this.settings.disablePKCE,omitScopeWhenRequesting:f});await this.clearStaleState();let w=p.state;return await this.settings.stateStore.set(w.id,w.toStorageString()),p}async readSigninResponseState(e,t=!1){let s=this._logger.create("readSigninResponseState"),i=new B(Q.readParams(e,this.settings.response_mode));if(!i.state)throw s.throw(new Error("No state in response")),null;let r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await ue.fromStorageString(r),response:i}}async processSigninResponse(e,t,s=!0){let i=this._logger.create("processSigninResponse"),{state:r,response:n}=await this.readSigninResponseState(e,s);if(i.debug("received state from storage; validating response"),this.settings.dpop&&this.settings.dpop.store){let o=await this.getDpopProof(this.settings.dpop.store);t={...t,DPoP:o}}try{await this._validator.validateSigninResponse(n,r,t)}catch(o){if(o instanceof X&&this.settings.dpop){let a=await this.getDpopProof(this.settings.dpop.store,o.nonce);t.DPoP=a,await this._validator.validateSigninResponse(n,r,t)}else throw o}return n}async getDpopProof(e,t){let s,i;return(await e.getAllKeys()).includes(this.settings.client_id)?(i=await e.get(this.settings.client_id),i.nonce!==t&&t&&(i.nonce=t,await e.set(this.settings.client_id,i))):(s=await S.generateDPoPKeys(),i=new fe(s,t),await e.set(this.settings.client_id,i)),await S.generateDPoPProof({url:await this.metadataService.getTokenEndpoint(!1),httpMethod:"POST",keyPair:i.keys,nonce:i.nonce})}async processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:s=!1,extraTokenParams:i={}}){let r=await this._tokenClient.exchangeCredentials({username:e,password:t,...i}),n=new B(new URLSearchParams);return Object.assign(n,r),await this._validator.validateCredentialsResponse(n,s),n}async useRefreshToken({state:e,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,extraTokenParams:n}){var o;let a=this._logger.create("useRefreshToken"),c;if(this.settings.refreshTokenAllowedScope===void 0)c=e.scope;else{let g=this.settings.refreshTokenAllowedScope.split(" ");c=(((o=e.scope)==null?void 0:o.split(" "))||[]).filter(v=>g.includes(v)).join(" ")}if(this.settings.dpop&&this.settings.dpop.store){let g=await this.getDpopProof(this.settings.dpop.store);r={...r,DPoP:g}}let d;try{d=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:c,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,...n})}catch(g){if(g instanceof X&&this.settings.dpop)r.DPoP=await this.getDpopProof(this.settings.dpop.store,g.nonce),d=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:c,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,...n});else throw g}let l=new B(new URLSearchParams);return Object.assign(l,d),a.debug("validating response",l),await this._validator.validateRefreshResponse(l,{...e,scope:c}),l}async createSignoutRequest({state:e,id_token_hint:t,client_id:s,request_type:i,url_state:r,post_logout_redirect_uri:n=this.settings.post_logout_redirect_uri,extraQueryParams:o=this.settings.extraQueryParams}={}){let a=this._logger.create("createSignoutRequest"),c=await this.metadataService.getEndSessionEndpoint();if(!c)throw a.throw(new Error("No end session endpoint")),null;a.debug("Received end session endpoint",c),!s&&n&&!t&&(s=this.settings.client_id);let d=new tt({url:c,id_token_hint:t,client_id:s,post_logout_redirect_uri:n,state_data:e,extraQueryParams:o,request_type:i,url_state:r});await this.clearStaleState();let l=d.state;return l&&(a.debug("Signout request has state to persist"),await this.settings.stateStore.set(l.id,l.toStorageString())),d}async readSignoutResponseState(e,t=!1){let s=this._logger.create("readSignoutResponseState"),i=new st(Q.readParams(e,this.settings.response_mode));if(!i.state){if(s.debug("No state in response"),i.error)throw s.warn("Response was error:",i.error),new $(i);return{state:void 0,response:i}}let r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await K.fromStorageString(r),response:i}}async processSignoutResponse(e){let t=this._logger.create("processSignoutResponse"),{state:s,response:i}=await this.readSignoutResponseState(e,!0);return s?(t.debug("Received state from storage; validating response"),this._validator.validateSignoutResponse(i,s)):t.debug("No state from storage; skipping response validation"),i}clearStaleState(){return this._logger.create("clearStaleState"),K.clearStaleState(this.settings.stateStore,this.settings.staleStateAgeInSeconds)}async revokeToken(e,t){return this._logger.create("revokeToken"),await this._tokenClient.revoke({token:e,token_type_hint:t})}},at=class{constructor(e){this._userManager=e,this._logger=new h("SessionMonitor"),this._start=async t=>{let s=t.session_state;if(!s)return;let i=this._logger.create("_start");if(t.profile?(this._sub=t.profile.sub,i.debug("session_state",s,", sub",this._sub)):(this._sub=void 0,i.debug("session_state",s,", anonymous user")),this._checkSessionIFrame){this._checkSessionIFrame.start(s);return}try{let r=await this._userManager.metadataService.getCheckSessionIframe();if(r){i.debug("initializing check session iframe");let n=this._userManager.settings.client_id,o=this._userManager.settings.checkSessionIntervalInSeconds,a=this._userManager.settings.stopCheckSessionOnError,c=new Fe(this._callback,n,r,o,a);await c.load(),this._checkSessionIFrame=c,c.start(s)}else i.warn("no check session iframe found in the metadata")}catch(r){i.error("Error from getCheckSessionIframe:",r instanceof Error?r.message:r)}},this._stop=()=>{let t=this._logger.create("_stop");if(this._sub=void 0,this._checkSessionIFrame&&this._checkSessionIFrame.stop(),this._userManager.settings.monitorAnonymousSession){let s=setInterval(async()=>{clearInterval(s);try{let i=await this._userManager.querySessionStatus();if(i){let r={session_state:i.session_state,profile:i.sub?{sub:i.sub}:null};this._start(r)}}catch(i){t.error("error from querySessionStatus",i instanceof Error?i.message:i)}},1e3)}},this._callback=async()=>{let t=this._logger.create("_callback");try{let s=await this._userManager.querySessionStatus(),i=!0;s&&this._checkSessionIFrame?s.sub===this._sub?(i=!1,this._checkSessionIFrame.start(s.session_state),t.debug("same sub still logged in at OP, session state has changed, restarting check session iframe; session_state",s.session_state),await this._userManager.events._raiseUserSessionChanged()):t.debug("different subject signed into OP",s.sub):t.debug("subject no longer signed into OP"),i?this._sub?await this._userManager.events._raiseUserSignedOut():await this._userManager.events._raiseUserSignedIn():t.debug("no change in session detected, no event to raise")}catch(s){this._sub&&(t.debug("Error calling queryCurrentSigninSession; raising signed out event",s),await this._userManager.events._raiseUserSignedOut())}},e||this._logger.throw(new Error("No user manager passed")),this._userManager.events.addUserLoaded(this._start),this._userManager.events.addUserUnloaded(this._stop),this._init().catch(t=>{this._logger.error(t)})}async _init(){this._logger.create("_init");let e=await this._userManager.getUser();if(e)this._start(e);else if(this._userManager.settings.monitorAnonymousSession){let t=await this._userManager.querySessionStatus();if(t){let s={session_state:t.session_state,profile:t.sub?{sub:t.sub}:null};this._start(s)}}}},V=class we{constructor(t){var s;this.id_token=t.id_token,this.session_state=(s=t.session_state)!=null?s:null,this.access_token=t.access_token,this.refresh_token=t.refresh_token,this.token_type=t.token_type,this.scope=t.scope,this.profile=t.profile,this.expires_at=t.expires_at,this.state=t.userState,this.url_state=t.url_state}get expires_in(){if(this.expires_at!==void 0)return this.expires_at-M.getEpochTime()}set expires_in(t){t!==void 0&&(this.expires_at=Math.floor(t)+M.getEpochTime())}get expired(){let t=this.expires_in;if(t!==void 0)return t<=0}get scopes(){var t,s;return(s=(t=this.scope)==null?void 0:t.split(" "))!=null?s:[]}toStorageString(){return new h("User").create("toStorageString"),JSON.stringify({id_token:this.id_token,session_state:this.session_state,access_token:this.access_token,refresh_token:this.refresh_token,token_type:this.token_type,scope:this.scope,profile:this.profile,expires_at:this.expires_at})}static fromStorageString(t){return h.createStatic("User","fromStorageString"),new we(JSON.parse(t))}},oe="oidc-client",me=class{constructor(){this._abort=new H("Window navigation aborted"),this._disposeHandlers=new Set,this._window=null}async navigate(e){let t=this._logger.create("navigate");if(!this._window)throw new Error("Attempted to navigate on a disposed window");t.debug("setting URL in window"),this._window.location.replace(e.url);let{url:s,keepOpen:i}=await new Promise((r,n)=>{let o=c=>{var d;let l=c.data,g=(d=e.scriptOrigin)!=null?d:window.location.origin;if(!(c.origin!==g||l?.source!==oe)){try{let u=Q.readParams(l.url,e.response_mode).get("state");if(u||t.warn("no state found in response url"),c.source!==this._window&&u!==e.state)return}catch{this._dispose(),n(new Error("Invalid response from window"))}r(l)}};window.addEventListener("message",o,!1),this._disposeHandlers.add(()=>window.removeEventListener("message",o,!1));let a=new BroadcastChannel(`oidc-client-popup-${e.state}`);a.addEventListener("message",o,!1),this._disposeHandlers.add(()=>a.close()),this._disposeHandlers.add(this._abort.addHandler(c=>{this._dispose(),n(c)}))});return t.debug("got response from window"),this._dispose(),i||this.close(),{url:s}}_dispose(){this._logger.create("_dispose");for(let e of this._disposeHandlers)e();this._disposeHandlers.clear()}static _notifyParent(e,t,s=!1,i=window.location.origin){let r={source:oe,url:t,keepOpen:s},n=new h("_notifyParent");if(e)n.debug("With parent. Using parent.postMessage."),e.postMessage(r,i);else{n.debug("No parent. Using BroadcastChannel.");let o=new URL(t).searchParams.get("state");if(!o)throw new Error("No parent and no state in URL. Can't complete notification.");let a=new BroadcastChannel(`oidc-client-popup-${o}`);a.postMessage(r),a.close()}}},Se={location:!1,toolbar:!1,height:640,closePopupWindowAfterInSeconds:-1},ve="_blank",ct=60,dt=2,ye=10,lt=class extends Y{constructor(e){let{popup_redirect_uri:t=e.redirect_uri,popup_post_logout_redirect_uri:s=e.post_logout_redirect_uri,popupWindowFeatures:i=Se,popupWindowTarget:r=ve,redirectMethod:n="assign",redirectTarget:o="self",iframeNotifyParentOrigin:a=e.iframeNotifyParentOrigin,iframeScriptOrigin:c=e.iframeScriptOrigin,requestTimeoutInSeconds:d,silent_redirect_uri:l=e.redirect_uri,silentRequestTimeoutInSeconds:g,automaticSilentRenew:u=!0,validateSubOnSilentRenew:v=!0,includeIdTokenInSilentRenew:U=!1,monitorSession:A=!1,monitorAnonymousSession:O=!1,checkSessionIntervalInSeconds:q=dt,query_status_response_type:T="code",stopCheckSessionOnError:N=!0,revokeTokenTypes:b=["access_token","refresh_token"],revokeTokensOnSignout:_=!1,includeIdTokenInSilentSignout:f=!1,accessTokenExpiringNotificationTimeInSeconds:R=ct,userStore:E}=e;if(super(e),this.popup_redirect_uri=t,this.popup_post_logout_redirect_uri=s,this.popupWindowFeatures=i,this.popupWindowTarget=r,this.redirectMethod=n,this.redirectTarget=o,this.iframeNotifyParentOrigin=a,this.iframeScriptOrigin=c,this.silent_redirect_uri=l,this.silentRequestTimeoutInSeconds=g||d||ye,this.automaticSilentRene