@absolutejs/auth 0.26.0-beta.1 → 0.26.0-beta.3

package/dist/htmx/index.js

@@ -1,7 +1,7 @@
 // @bun
 // node_modules/citra/dist/index.js
-var NUM_GENERATOR_BYTES = 32;
 var BASE64_BLOCK_SIZE = 4;
+var NUM_GENERATOR_BYTES = 32;
 var anilistProfileQuery = `query {
   Viewer {
     id
@@ -227,6 +227,25 @@ var providers = defineProviders({
       url: "https://auth.atlassian.com/oauth/token"
     }
   },
+  attio: {
+    authorizationUrl: "https://app.attio.com/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.attio.com/v2/self"
+    },
+    scopeRequired: true,
+    subject: ["workspace_id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://app.attio.com/oauth/token"
+    }
+  },
   auth0: {
     authorizationUrl: (config) => `https://${config.domain}/authorize`,
     isOIDC: true,
@@ -391,6 +410,25 @@ var providers = defineProviders({
       url: "https://www.bungie.net/Platform/App/OAuth/token"
     }
   },
+  close: {
+    authorizationUrl: "https://app.close.com/oauth2/authorize/",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.close.com/api/v1/me/"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.close.com/oauth2/token/"
+    }
+  },
   coinbase: {
     authorizationUrl: "https://www.coinbase.com/oauth/authorize",
     isOIDC: false,
@@ -660,6 +698,25 @@ var providers = defineProviders({
       url: (config) => `${config.baseURL}/oauth/token`
     }
   },
+  gohighlevel: {
+    authorizationUrl: "https://marketplace.gohighlevel.com/oauth/chooselocation",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://services.leadconnectorhq.com/users/me"
+    },
+    scopeRequired: true,
+    subject: ["id"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://services.leadconnectorhq.com/oauth/token"
+    }
+  },
   google: {
     authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
     email: ["email"],
@@ -695,6 +752,25 @@ var providers = defineProviders({
       url: "https://oauth2.googleapis.com/token"
     }
   },
+  hubspot: {
+    authorizationUrl: "https://app.hubspot.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.hubapi.com/oauth/v1/access-tokens/me"
+    },
+    scopeRequired: true,
+    subject: ["hub_id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://api.hubapi.com/oauth/v1/token"
+    }
+  },
   intuit: {
     authorizationUrl: "https://appcenter.intuit.com/connect/oauth2",
     isOIDC: true,
@@ -975,6 +1051,31 @@ var providers = defineProviders({
       url: (config) => `https://${config.tenantId}.b2clogin.com/${config.tenantId}/oauth2/v2.0/token`
     }
   },
+  monday: {
+    authorizationUrl: "https://auth.monday.com/oauth2/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      body: {
+        query: "query { me { id name email } }"
+      },
+      encoding: "application/json",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      method: "POST",
+      url: "https://api.monday.com/v2"
+    },
+    scopeRequired: true,
+    subject: ["data", "me", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://auth.monday.com/oauth2/token"
+    }
+  },
   myanimelist: {
     authorizationUrl: "https://myanimelist.net/v1/oauth2/authorize",
     isOIDC: false,
@@ -1106,6 +1207,25 @@ var providers = defineProviders({
       url: "https://www.patreon.com/api/oauth2/token"
     }
   },
+  pipedrive: {
+    authorizationUrl: "https://oauth.pipedrive.com/oauth/authorize",
+    isOIDC: false,
+    isRefreshable: true,
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: "https://api.pipedrive.com/v1/users/me"
+    },
+    scopeRequired: true,
+    subject: ["data", "id"],
+    subjectType: "number",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: "https://oauth.pipedrive.com/oauth/token"
+    }
+  },
   polar: {
     authorizationUrl: "https://polar.sh/oauth2/authorize",
     isOIDC: true,
@@ -1673,6 +1793,32 @@ var providers = defineProviders({
       url: "https://oauth.yandex.com/token"
     }
   },
+  zoho: {
+    authorizationUrl: (config) => `https://accounts.zoho.${config.region ?? "com"}/oauth/v2/auth`,
+    isOIDC: false,
+    isRefreshable: true,
+    PKCEMethod: "S256",
+    profileRequest: {
+      authIn: "header",
+      encoding: "application/json",
+      method: "GET",
+      url: (config) => `https://accounts.zoho.${config.region ?? "com"}/oauth/user/info`
+    },
+    revocationRequest: {
+      authIn: "query",
+      encoding: "application/x-www-form-urlencoded",
+      tokenParamName: "token",
+      url: (config) => `https://accounts.zoho.${config.region ?? "com"}/oauth/v2/token/revoke`
+    },
+    scopeRequired: true,
+    subject: ["ZUID"],
+    subjectType: "string",
+    tokenRequest: {
+      authIn: "body",
+      encoding: "application/x-www-form-urlencoded",
+      url: (config) => `https://accounts.zoho.${config.region ?? "com"}/oauth/v2/token`
+    }
+  },
   zoom: {
     authorizationUrl: "https://zoom.us/oauth/authorize",
     email: ["email"],
@@ -1707,18 +1853,32 @@ var providers = defineProviders({
     }
   }
 });
-var isValidProviderOption = (option) => Object.hasOwn(providers, option);
-var isRefreshableProviderOption = (option) => {
-  if (!isValidProviderOption(option))
+var hasClientSecret = (credentials) => {
+  if (typeof credentials !== "object" || credentials === null)
     return false;
-  const provider = providers[option];
-  return provider.isRefreshable;
+  const secret = Reflect.get(credentials, "clientSecret");
+  return typeof secret === "string";
 };
-var isRevocableProviderOption = (option) => {
+var isExpectedType = (value, kind) => {
+  switch (kind) {
+    case "string":
+      return typeof value === "string";
+    case "number":
+      return typeof value === "number";
+    case "boolean":
+      return typeof value === "boolean";
+    case "object":
+      return typeof value === "object" && value !== null;
+    default:
+      return false;
+  }
+};
+var isObject = (value) => value !== null && typeof value === "object" && !Array.isArray(value) && Object.prototype.toString.call(value) === "[object Object]";
+var isOIDCProviderOption = (option) => {
   if (!isValidProviderOption(option))
     return false;
   const provider = providers[option];
-  return provider.revocationRequest !== undefined;
+  return provider.isOIDC;
 };
 var isPKCEProviderOption = (option) => {
   if (!isValidProviderOption(option))
@@ -1726,39 +1886,27 @@ var isPKCEProviderOption = (option) => {
   const provider = providers[option];
   return provider.PKCEMethod !== undefined;
 };
-var isOIDCProviderOption = (option) => {
+var isRefreshableOAuth2Client = (providerName, _client) => isRefreshableProviderOption(providerName);
+var isRefreshableProviderOption = (option) => {
   if (!isValidProviderOption(option))
     return false;
   const provider = providers[option];
-  return provider.isOIDC;
+  return provider.isRefreshable;
 };
-var isScopeRequiredProviderOption = (option) => {
+var isRevocableOAuth2Client = (providerName, _client) => isRevocableProviderOption(providerName);
+var isRevocableProviderOption = (option) => {
   if (!isValidProviderOption(option))
     return false;
   const provider = providers[option];
-  return provider.scopeRequired;
+  return provider.revocationRequest !== undefined;
 };
-var isRefreshableOAuth2Client = (providerName, client) => isRefreshableProviderOption(providerName);
-var isRevocableOAuth2Client = (providerName, client) => isRevocableProviderOption(providerName);
-var hasClientSecret = (credentials) => {
-  if (typeof credentials !== "object" || credentials === null)
+var isScopeRequiredProviderOption = (option) => {
+  if (!isValidProviderOption(option))
     return false;
-  const secret = Reflect.get(credentials, "clientSecret");
-  return typeof secret === "string";
-};
-var isObject = (x) => x !== null && typeof x === "object" && !Array.isArray(x) && Object.prototype.toString.call(x) === "[object Object]";
-var isExpectedType = (value, kind) => {
-  switch (kind) {
-    case "string":
-      return typeof value === "string";
-    case "number":
-      return typeof value === "number";
-    case "boolean":
-      return typeof value === "boolean";
-    case "object":
-      return typeof value === "object" && value !== null;
-  }
+  const provider = providers[option];
+  return provider.scopeRequired;
 };
+var isValidProviderOption = (option) => Object.hasOwn(providers, option);
 var createOAuth2FetchError = async (response) => {
   const clone = response.clone();
   const prefix = `HTTP ${response.status} ${response.statusText} for ${response.url}`;
@@ -1774,15 +1922,44 @@ ${text}`);
   }
   return new Error(prefix);
 };
-var encodeBase64 = (input) => {
-  let raw;
-  if (typeof input === "string") {
-    raw = input;
-  } else {
-    const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
-    raw = bytes.reduce((acc, byte) => acc + String.fromCharCode(byte), "");
+var createOAuth2Request = ({
+  url,
+  body,
+  authIn,
+  headers,
+  encoding,
+  clientId,
+  clientSecret
+}) => {
+  const oauthHeaders = new Headers(headers);
+  oauthHeaders.set("Accept", "application/json");
+  oauthHeaders.set("User-Agent", "citra");
+  if (authIn === "header") {
+    if (!clientSecret) {
+      throw new Error("clientSecret required for header auth");
+    }
+    oauthHeaders.set("Authorization", `Basic ${encodeBase64(`${clientId}:${clientSecret}`)}`);
   }
-  return btoa(raw);
+  if (encoding === "application/json") {
+    oauthHeaders.set("Content-Type", "application/json");
+    return new Request(url, {
+      body: JSON.stringify(body),
+      headers: oauthHeaders,
+      method: "POST"
+    });
+  }
+  oauthHeaders.set("Content-Type", "application/x-www-form-urlencoded");
+  const entries = body instanceof URLSearchParams ? Array.from(body.entries()) : Object.entries(body).filter((entry) => typeof entry[1] === "string");
+  const params = new URLSearchParams(entries);
+  if (authIn === "body") {
+    params.set("client_id", clientId);
+    clientSecret && params.set("client_secret", clientSecret);
+  }
+  return new Request(url, {
+    body: params.toString(),
+    headers: oauthHeaders,
+    method: "POST"
+  });
 };
 var decodeBase64 = (input, toUint8Array = false) => {
   const b64 = input.replace(/-/g, "+").replace(/_/g, "/") + "==".slice(0, (BASE64_BLOCK_SIZE - input.length % BASE64_BLOCK_SIZE) % BASE64_BLOCK_SIZE);
@@ -1796,12 +1973,6 @@ var decodeBase64 = (input, toUint8Array = false) => {
   }
   return bytes;
 };
-var hmacSha256 = async (message, secret) => {
-  const encoder = new TextEncoder;
-  const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { hash: "SHA-256", name: "HMAC" }, false, ["sign"]);
-  const sigBuffer = await crypto.subtle.sign("HMAC", key, encoder.encode(message));
-  return Array.from(new Uint8Array(sigBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-};
 var decodeJWT = (tokenString) => {
   const [headerSegment, payloadSegment, signatureSegment] = tokenString.split(".");
   if (!headerSegment || !payloadSegment || !signatureSegment) {
@@ -1811,7 +1982,18 @@ var decodeJWT = (tokenString) => {
   if (typeof decodedPayload !== "string") {
     throw new Error("Expected JWT payload to be a UTF-8 string");
   }
-  return JSON.parse(decodedPayload);
+  const claims = JSON.parse(decodedPayload);
+  return claims;
+};
+var encodeBase64 = (input) => {
+  let raw;
+  if (typeof input === "string") {
+    raw = input;
+  } else {
+    const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
+    raw = bytes.reduce((acc, byte) => acc + String.fromCharCode(byte), "");
+  }
+  return btoa(raw);
 };
 var getWithingsProps = async (config) => {
   const timestamp = Math.floor(Date.now() / 1000);
@@ -1822,7 +2004,9 @@ var getWithingsProps = async (config) => {
   nonceUrl.searchParams.set("client_id", config.clientId);
   nonceUrl.searchParams.set("timestamp", timestamp.toString());
   nonceUrl.searchParams.set("signature", hashedSignature);
-  const nonceResponse = await fetch(nonceUrl.toString(), {
+  const nonceTarget = nonceUrl.toString();
+  const nonceResponse = await fetch(nonceTarget, {
+    ...h2IfHttps(nonceTarget),
     method: "POST"
   });
   const nonceData = await nonceResponse.json();
@@ -1834,44 +2018,15 @@ var getWithingsProps = async (config) => {
   }
   return;
 };
-var createOAuth2Request = ({
-  url,
-  body,
-  authIn,
-  headers,
-  encoding,
-  clientId,
-  clientSecret
-}) => {
-  const oauthHeaders = new Headers(headers);
-  oauthHeaders.set("Accept", "application/json");
-  oauthHeaders.set("User-Agent", "citra");
-  if (authIn === "header") {
-    if (!clientSecret) {
-      throw new Error("clientSecret required for header auth");
-    }
-    oauthHeaders.set("Authorization", `Basic ${encodeBase64(`${clientId}:${clientSecret}`)}`);
-  }
-  if (encoding === "application/json") {
-    oauthHeaders.set("Content-Type", "application/json");
-    return new Request(url, {
-      body: JSON.stringify(body),
-      headers: oauthHeaders,
-      method: "POST"
-    });
-  }
-  oauthHeaders.set("Content-Type", "application/x-www-form-urlencoded");
-  const entries = body instanceof URLSearchParams ? Array.from(body.entries()) : Object.entries(body).filter((entry) => typeof entry[1] === "string");
-  const params = new URLSearchParams(entries);
-  if (authIn === "body") {
-    params.set("client_id", clientId);
-    clientSecret && params.set("client_secret", clientSecret);
-  }
-  return new Request(url, {
-    body: params.toString(),
-    headers: oauthHeaders,
-    method: "POST"
-  });
+var h2IfHttps = (url) => {
+  const init = url.startsWith("https://") ? { protocol: "http2" } : {};
+  return init;
+};
+var hmacSha256 = async (message, secret) => {
+  const encoder = new TextEncoder;
+  const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { hash: "SHA-256", name: "HMAC" }, false, ["sign"]);
+  const sigBuffer = await crypto.subtle.sign("HMAC", key, encoder.encode(message));
+  return Array.from(new Uint8Array(sigBuffer)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
 };
 var extractPropFromIdentity = (identity, keys, propType) => {
   let value = identity;
@@ -1896,9 +2051,7 @@ var setPropInIdentity = (identity, keys, value) => {
   let cursor = identity;
   for (const key of keys.slice(0, -1)) {
     const next = cursor[key];
-    if (!isObject(next)) {
-      cursor[key] = {};
-    }
+    cursor[key] = isObject(next) ? next : {};
     cursor = cursor[key];
   }
   cursor[keys[keys.length - 1]] = value;
@@ -1930,18 +2083,251 @@ var createRandomBase64UrlGenerator = (length) => () => {
 var generateCodeVerifier = createRandomBase64UrlGenerator(NUM_GENERATOR_BYTES);
 var generateState = createRandomBase64UrlGenerator(NUM_GENERATOR_BYTES);
 var base64Url = (input) => encodeBase64(input).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+var ALG_ES256 = "ES256";
+var ALG_RS256 = "RS256";
+var CLOCK_SKEW_SECONDS = 60;
+var DEFAULT_SCOPES = ["openid", "email", "profile"];
+var JWKS_REFETCH_COOLDOWN_MS = 60000;
+var JWT_SEGMENT_COUNT = 3;
+var MILLISECONDS_PER_SECOND = 1000;
+var trimTrailingSlash = (value) => value.endsWith("/") ? value.slice(0, -1) : value;
+var fetchJson = async (url) => {
+  const response = await fetch(url, {
+    headers: { accept: "application/json" }
+  });
+  if (!response.ok) {
+    throw new Error(`Request to ${url} failed with status ${response.status}`);
+  }
+  return response.json();
+};
+var decodeJsonSegment = (segment) => {
+  const decoded = decodeBase64(segment);
+  if (typeof decoded !== "string") {
+    throw new Error("Expected a base64url-encoded JWT segment");
+  }
+  const parsed = JSON.parse(decoded);
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new Error("Expected a JWT segment to decode to a JSON object");
+  }
+  return parsed;
+};
+var importVerificationKey = (jwk, alg) => {
+  if (alg === ALG_RS256) {
+    return crypto.subtle.importKey("jwk", jwk, { hash: "SHA-256", name: "RSASSA-PKCS1-v1_5" }, false, ["verify"]);
+  }
+  if (alg === ALG_ES256) {
+    return crypto.subtle.importKey("jwk", jwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
+  }
+  throw new Error(`Unsupported id_token signing algorithm "${alg}"`);
+};
+var verifySignature = (key, alg, signingInput, signature) => {
+  const algorithm = alg === ALG_ES256 ? { hash: "SHA-256", name: "ECDSA" } : { name: "RSASSA-PKCS1-v1_5" };
+  return crypto.subtle.verify(algorithm, key, new Uint8Array(signature), new TextEncoder().encode(signingInput));
+};
+var selectKey = (jwks, kid) => jwks.find((jwk) => kid === undefined || jwk.kid === kid);
+var assertClaims = (payload, expected) => {
+  const aud = Reflect.get(payload, "aud");
+  const exp = Reflect.get(payload, "exp");
+  const iss = Reflect.get(payload, "iss");
+  const sub = Reflect.get(payload, "sub");
+  const audiences = Array.isArray(aud) ? aud : [aud];
+  const nowSeconds = Math.floor(Date.now() / MILLISECONDS_PER_SECOND);
+  if (iss !== expected.issuer) {
+    throw new Error('id_token "iss" does not match the provider issuer');
+  }
+  if (typeof sub !== "string" || sub.length === 0) {
+    throw new Error('id_token is missing "sub"');
+  }
+  if (!audiences.includes(expected.audience)) {
+    throw new Error('id_token "aud" does not include the client id');
+  }
+  if (typeof exp !== "number" || exp + CLOCK_SKEW_SECONDS < nowSeconds) {
+    throw new Error("id_token has expired");
+  }
+  if (expected.nonce !== undefined && Reflect.get(payload, "nonce") !== expected.nonce) {
+    throw new Error('id_token "nonce" does not match');
+  }
+  const claims = { ...payload, aud, exp, iss, sub };
+  return claims;
+};
+var verifyIdToken = async ({
+  audience,
+  idToken,
+  issuer,
+  jwks,
+  nonce
+}) => {
+  const segments = idToken.split(".");
+  const [headerSegment, payloadSegment, signatureSegment] = segments;
+  if (segments.length !== JWT_SEGMENT_COUNT || headerSegment === undefined || payloadSegment === undefined || signatureSegment === undefined) {
+    throw new Error("Invalid id_token: expected three segments");
+  }
+  const header = decodeJsonSegment(headerSegment);
+  const alg = Reflect.get(header, "alg");
+  const kid = Reflect.get(header, "kid");
+  if (typeof alg !== "string") {
+    throw new Error('id_token header is missing "alg"');
+  }
+  const jwk = selectKey(jwks, typeof kid === "string" ? kid : undefined);
+  if (jwk === undefined) {
+    throw new Error('No JWKS key matches the id_token "kid"');
+  }
+  const key = await importVerificationKey(jwk, alg);
+  const signature = decodeBase64(signatureSegment, true);
+  if (typeof signature === "string") {
+    throw new Error("Failed to decode the id_token signature");
+  }
+  const isValid = await verifySignature(key, alg, `${headerSegment}.${payloadSegment}`, signature);
+  if (!isValid) {
+    throw new Error("id_token signature verification failed");
+  }
+  return assertClaims(decodeJsonSegment(payloadSegment), {
+    audience,
+    issuer,
+    nonce
+  });
+};
+var toDiscoveryDocument = (value, expectedIssuer) => {
+  if (typeof value !== "object" || value === null) {
+    throw new Error("OIDC discovery document is not a JSON object");
+  }
+  const issuer = Reflect.get(value, "issuer");
+  const authorizationEndpoint = Reflect.get(value, "authorization_endpoint");
+  const tokenEndpoint = Reflect.get(value, "token_endpoint");
+  const jwksUri = Reflect.get(value, "jwks_uri");
+  const userinfoEndpoint = Reflect.get(value, "userinfo_endpoint");
+  if (typeof issuer !== "string" || typeof authorizationEndpoint !== "string" || typeof tokenEndpoint !== "string" || typeof jwksUri !== "string") {
+    throw new Error("OIDC discovery document is missing required endpoints");
+  }
+  if (trimTrailingSlash(issuer) !== trimTrailingSlash(expectedIssuer)) {
+    throw new Error(`OIDC discovery issuer "${issuer}" does not match configured issuer "${expectedIssuer}"`);
+  }
+  return {
+    authorization_endpoint: authorizationEndpoint,
+    issuer,
+    jwks_uri: jwksUri,
+    token_endpoint: tokenEndpoint,
+    userinfo_endpoint: typeof userinfoEndpoint === "string" ? userinfoEndpoint : undefined
+  };
+};
+var fetchDiscoveryDocument = async (issuer) => {
+  const base = trimTrailingSlash(issuer);
+  const document = await fetchJson(`${base}/.well-known/openid-configuration`);
+  return toDiscoveryDocument(document, issuer);
+};
+var fetchJwks = async (jwksUri) => {
+  const body = await fetchJson(jwksUri);
+  const value = Reflect.get(body ?? {}, "keys");
+  if (!Array.isArray(value)) {
+    throw new Error('JWKS response is missing a "keys" array');
+  }
+  const keys = value;
+  return keys;
+};
+var createOIDCClient = async (config) => {
+  const discovery = await fetchDiscoveryDocument(config.issuer);
+  const scopes = config.scopes !== undefined && config.scopes.length > 0 ? config.scopes : DEFAULT_SCOPES;
+  let cachedJwks;
+  let jwksFetchedAtMs = 0;
+  const resolveJwks = async (forceRefresh) => {
+    const isStale = Date.now() - jwksFetchedAtMs > JWKS_REFETCH_COOLDOWN_MS;
+    if (cachedJwks === undefined || forceRefresh && isStale) {
+      cachedJwks = await fetchJwks(discovery.jwks_uri);
+      jwksFetchedAtMs = Date.now();
+    }
+    return cachedJwks;
+  };
+  const createAuthorizationUrl = async (options) => {
+    const url = new URL(discovery.authorization_endpoint);
+    const challenge = await createS256CodeChallenge(options.codeVerifier);
+    const { searchParams } = url;
+    searchParams.set("client_id", config.clientId);
+    searchParams.set("code_challenge", challenge);
+    searchParams.set("code_challenge_method", "S256");
+    searchParams.set("redirect_uri", config.redirectUri);
+    searchParams.set("response_type", "code");
+    searchParams.set("scope", (options.scope ?? scopes).join(" "));
+    searchParams.set("state", options.state);
+    if (options.nonce !== undefined) {
+      searchParams.set("nonce", options.nonce);
+    }
+    return url;
+  };
+  const validateAuthorizationCode = async (options) => {
+    const body = new URLSearchParams;
+    body.set("client_id", config.clientId);
+    body.set("client_secret", config.clientSecret);
+    body.set("code", options.code);
+    body.set("code_verifier", options.codeVerifier);
+    body.set("grant_type", "authorization_code");
+    body.set("redirect_uri", config.redirectUri);
+    const response = await fetch(discovery.token_endpoint, {
+      body,
+      headers: {
+        accept: "application/json",
+        "content-type": "application/x-www-form-urlencoded"
+      },
+      method: "POST"
+    });
+    if (!response.ok) {
+      throw new Error(`OIDC token request failed with status ${response.status}`);
+    }
+    const tokens = await response.json();
+    return tokens;
+  };
+  const verifyToken = async (idToken, options) => {
+    const jwks = await resolveJwks(false);
+    const params = {
+      audience: config.clientId,
+      idToken,
+      issuer: discovery.issuer,
+      nonce: options?.nonce
+    };
+    try {
+      return await verifyIdToken({ ...params, jwks });
+    } catch (error) {
+      const refreshed = await resolveJwks(true);
+      if (refreshed === jwks)
+        throw error;
+      return verifyIdToken({ ...params, jwks: refreshed });
+    }
+  };
+  const fetchUserProfile = async (accessToken) => {
+    if (discovery.userinfo_endpoint === undefined) {
+      throw new Error("OIDC provider does not expose a userinfo endpoint");
+    }
+    const response = await fetch(discovery.userinfo_endpoint, {
+      headers: {
+        accept: "application/json",
+        authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`OIDC userinfo request failed with status ${response.status}`);
+    }
+    const profile = await response.json();
+    return profile;
+  };
+  return {
+    createAuthorizationUrl,
+    discovery,
+    fetchUserProfile,
+    validateAuthorizationCode,
+    verifyIdToken: verifyToken
+  };
+};
+var oidcProviderOptions = Object.keys(providers).filter(isOIDCProviderOption);
+var pkceProviderOptions = Object.keys(providers).filter(isPKCEProviderOption);
 var providerOptions = Object.keys(providers).filter(isValidProviderOption);
 var refreshableProviderOptions = Object.keys(providers).filter(isRefreshableProviderOption);
-var oidcProviderOptions = Object.keys(providers).filter(isOIDCProviderOption);
 var revocableProviderOptions = Object.keys(providers).filter(isRevocableProviderOption);
 var scopeRequiredProviderOptions = Object.keys(providers).filter(isScopeRequiredProviderOption);
-var pkceProviderOptions = Object.keys(providers).filter(isPKCEProviderOption);
 var createOAuth2Client = async (providerName, config) => {
   const meta = providers[providerName];
   const isConfigPropertyFunction = (cfgProp) => typeof cfgProp === "function";
   const resolveConfigProp = async (cfgProp) => {
     const result = isConfigPropertyFunction(cfgProp) ? cfgProp(config) : cfgProp;
-    return await result;
+    return result;
   };
   const authorizationUrl = await resolveConfigProp(meta.authorizationUrl);
   const tokenUrl = await resolveConfigProp(meta.tokenRequest.url);
@@ -1993,18 +2379,22 @@ var createOAuth2Client = async (providerName, config) => {
         headerEntries = rawHeaders;
       else if (rawHeaders && typeof rawHeaders === "object")
         headerEntries = Object.entries(rawHeaders);
-      const profileHeaders = Object.fromEntries(headerEntries.filter(([, v]) => v !== ""));
+      const profileHeaders = Object.fromEntries(headerEntries.filter(([, value]) => value !== ""));
       if (authIn === "header") {
         profileHeaders.Authorization = `Bearer ${accessToken}`;
       } else {
         endpoint.searchParams.append("access_token", accessToken);
       }
       const init = { headers: profileHeaders, method };
-      if (method === "POST" && resolvedBody != null) {
+      if (method === "POST" && resolvedBody !== undefined) {
         profileHeaders["Content-Type"] = encoding;
         init.body = encoding === "application/json" ? JSON.stringify(resolvedBody) : new URLSearchParams(resolvedBody).toString();
       }
-      const response = await fetch(endpoint.toString(), init);
+      const profileTarget = endpoint.toString();
+      const response = await fetch(profileTarget, {
+        ...h2IfHttps(profileTarget),
+        ...init
+      });
       if (!response.ok)
         throw await createOAuth2FetchError(response);
       return response.json();
@@ -2029,7 +2419,9 @@ var createOAuth2Client = async (providerName, config) => {
         encoding,
         url: tokenUrl
       });
-      const response = await fetch(request);
+      const response = await fetch(request, {
+        ...h2IfHttps(request.url)
+      });
       if (!response.ok)
         throw await createOAuth2FetchError(response);
       return response.json();
@@ -2083,7 +2475,9 @@ var createOAuth2Client = async (providerName, config) => {
           url: `${endpoint.toString()}?${tokenParamName}=${token}`
         });
       }
-      const response = await fetch(request);
+      const response = await fetch(request, {
+        ...h2IfHttps(request.url)
+      });
       if (!response.ok)
         throw await createOAuth2FetchError(response);
     },
@@ -2115,7 +2509,9 @@ var createOAuth2Client = async (providerName, config) => {
         encoding,
         url: tokenUrl
       });
-      const response = await fetch(request);
+      const response = await fetch(request, {
+        ...h2IfHttps(request.url)
+      });
       if (!response.ok)
         throw await createOAuth2FetchError(response);
       return response.json();
@@ -2208,5 +2604,5 @@ export {
   escapeHtml
 };
 
-//# debugId=B47ECE588E07832964756E2164756E21
+//# debugId=E36225136305103F64756E2164756E21
 //# sourceMappingURL=index.js.map