@auth0/auth0-spa-js 2.11.3 → 2.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/README.md +4 -2
  2. package/dist/auth0-spa-js.development.js +6040 -920
  3. package/dist/auth0-spa-js.development.js.map +1 -1
  4. package/dist/auth0-spa-js.production.esm.js +1 -1
  5. package/dist/auth0-spa-js.production.esm.js.map +1 -1
  6. package/dist/auth0-spa-js.production.js +1 -1
  7. package/dist/auth0-spa-js.production.js.map +1 -1
  8. package/dist/auth0-spa-js.worker.development.js +13 -8
  9. package/dist/auth0-spa-js.worker.development.js.map +1 -1
  10. package/dist/auth0-spa-js.worker.production.js +1 -1
  11. package/dist/auth0-spa-js.worker.production.js.map +1 -1
  12. package/dist/lib/auth0-spa-js.cjs.js +6450 -913
  13. package/dist/lib/auth0-spa-js.cjs.js.map +1 -1
  14. package/dist/typings/Auth0Client.d.ts +51 -1
  15. package/dist/typings/errors.d.ts +15 -1
  16. package/dist/typings/global.d.ts +17 -2
  17. package/dist/typings/index.d.ts +3 -0
  18. package/dist/typings/mfa/MfaApiClient.d.ts +225 -0
  19. package/dist/typings/mfa/MfaContextManager.d.ts +79 -0
  20. package/dist/typings/mfa/constants.d.ts +23 -0
  21. package/dist/typings/mfa/errors.d.ts +117 -0
  22. package/dist/typings/mfa/index.d.ts +4 -0
  23. package/dist/typings/mfa/types.d.ts +181 -0
  24. package/dist/typings/mfa/utils.d.ts +23 -0
  25. package/dist/typings/utils.d.ts +2 -1
  26. package/dist/typings/version.d.ts +1 -1
  27. package/package.json +8 -4
  28. package/src/Auth0Client.ts +88 -5
  29. package/src/dpop/utils.ts +4 -1
  30. package/src/errors.ts +12 -1
  31. package/src/global.ts +41 -1
  32. package/src/http.ts +1 -1
  33. package/src/index.ts +22 -0
  34. package/src/mfa/MfaApiClient.ts +425 -0
  35. package/src/mfa/MfaContextManager.ts +128 -0
  36. package/src/mfa/constants.ts +48 -0
  37. package/src/mfa/errors.ts +154 -0
  38. package/src/mfa/index.ts +24 -0
  39. package/src/mfa/types.ts +209 -0
  40. package/src/mfa/utils.ts +41 -0
  41. package/src/utils.ts +7 -1
  42. package/src/version.ts +1 -1
package/dist/auth0-spa-js.production.js CHANGED
@@ -1,2 +1,2 @@
1
- !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).auth0={})}(this,(function(e){"use strict";function t(e,t){var o={};for(var n in e)Object.prototype.hasOwnProperty.call(e,n)&&t.indexOf(n)<0&&(o[n]=e[n]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var i=0;for(n=Object.getOwnPropertySymbols(e);i<n.length;i++)t.indexOf(n[i])<0&&Object.prototype.propertyIsEnumerable.call(e,n[i])&&(o[n[i]]=e[n[i]])}return o}"function"==typeof SuppressedError&&SuppressedError;var o="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function n(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function i(e,t){return e(t={exports:{}},t.exports),t.exports}var r=i((function(e,t){Object.defineProperty(t,"__esModule",{value:!0});var o=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,o){var n=e.locked.get(t);void 0===n?void 0===o?e.locked.set(t,[]):e.locked.set(t,[o]):void 0!==o&&(n.unshift(o),e.locked.set(t,n))},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise((function(o,n){e.isLocked(t)?e.addToLocked(t,o):(e.addToLocked(t),o())}))},this.unlock=function(t){var o=e.locked.get(t);if(void 0!==o&&0!==o.length){var n=o.pop();e.locked.set(t,o),void 0!==n&&setTimeout(n,0)}else e.locked.delete(t)}}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();t.default=function(){return o.getInstance()}}));n(r);var s=i((function(e,t){var n=o&&o.__awaiter||function(e,t,o,n){return new(o||(o=Promise))((function(i,r){function s(e){try{c(n.next(e))}catch(e){r(e)}}function a(e){try{c(n.throw(e))}catch(e){r(e)}}function c(e){e.done?i(e.value):new o((function(t){t(e.value)})).then(s,a)}c((n=n.apply(e,t||[])).next())}))},i=o&&o.__generator||function(e,t){var o,n,i,r,s={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return r={next:a(0),throw:a(1),return:a(2)},"function"==typeof Symbol&&(r[Symbol.iterator]=function(){return this}),r;function a(r){return function(a){return function(r){if(o)throw new TypeError("Generator is already executing.");for(;s;)try{if(o=1,n&&(i=2&r[0]?n.return:r[0]?n.throw||((i=n.return)&&i.call(n),0):n.next)&&!(i=i.call(n,r[1])).done)return i;switch(n=0,i&&(r=[2&r[0],i.value]),r[0]){case 0:case 1:i=r;break;case 4:return s.label++,{value:r[1],done:!1};case 5:s.label++,n=r[1],r=[0];continue;case 7:r=s.ops.pop(),s.trys.pop();continue;default:if(!(i=s.trys,(i=i.length>0&&i[i.length-1])||6!==r[0]&&2!==r[0])){s=0;continue}if(3===r[0]&&(!i||r[1]>i[0]&&r[1]<i[3])){s.label=r[1];break}if(6===r[0]&&s.label<i[1]){s.label=i[1],i=r;break}if(i&&s.label<i[2]){s.label=i[2],s.ops.push(r);break}i[2]&&s.ops.pop(),s.trys.pop();continue}r=t.call(e,s)}catch(e){r=[6,e],n=0}finally{o=i=0}if(5&r[0])throw r[1];return{value:r[0]?r[1]:void 0,done:!0}}([r,a])}}},s=o;Object.defineProperty(t,"__esModule",{value:!0});var a="browser-tabs-lock-key",c={key:function(e){return n(s,void 0,void 0,(function(){return i(this,(function(e){throw new Error("Unsupported")}))}))},getItem:function(e){return n(s,void 0,void 0,(function(){return i(this,(function(e){throw new Error("Unsupported")}))}))},clear:function(){return n(s,void 0,void 0,(function(){return i(this,(function(e){return[2,window.localStorage.clear()]}))}))},removeItem:function(e){return n(s,void 0,void 0,(function(){return i(this,(function(e){throw new Error("Unsupported")}))}))},setItem:function(e,t){return n(s,void 0,void 0,(function(){return i(this,(function(e){throw new Error("Unsupported")}))}))},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function u(e){return new Promise((function(t){return setTimeout(t,e)}))}function d(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",o="",n=0;n<e;n++){o+=t[Math.floor(Math.random()*t.length)]}return o}var h=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+d(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[])}return e.prototype.acquireLock=function(t,o){return void 0===o&&(o=5e3),n(this,void 0,void 0,(function(){var n,r,s,h,l,p,m;return i(this,(function(i){switch(i.label){case 0:n=Date.now()+d(4),r=Date.now()+o,s=a+"-"+t,h=void 0===this.storageHandler?c:this.storageHandler,i.label=1;case 1:return Date.now()<r?[4,u(30)]:[3,8];case 2:return i.sent(),null!==h.getItemSync(s)?[3,5]:(l=this.id+"-"+t+"-"+n,[4,u(Math.floor(25*Math.random()))]);case 3:return i.sent(),h.setItemSync(s,JSON.stringify({id:this.id,iat:n,timeoutKey:l,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,u(30)];case 4:return i.sent(),null!==(p=h.getItemSync(s))&&(m=JSON.parse(p)).id===this.id&&m.iat===n?(this.acquiredIatSet.add(n),this.refreshLockWhileAcquired(s,n),[2,!0]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?c:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:i.sent(),i.label=7;case 7:return n=Date.now()+d(4),[3,1];case 8:return[2,!1]}}))}))},e.prototype.refreshLockWhileAcquired=function(e,t){return n(this,void 0,void 0,(function(){var o=this;return i(this,(function(s){return setTimeout((function(){return n(o,void 0,void 0,(function(){var o,n,s;return i(this,(function(i){switch(i.label){case 0:return[4,r.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(o=void 0===this.storageHandler?c:this.storageHandler,null===(n=o.getItemSync(e))?(r.default().unlock(t),[2]):((s=JSON.parse(n)).timeRefreshed=Date.now(),o.setItemSync(e,JSON.stringify(s)),r.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(r.default().unlock(t),[2])}}))}))}),1e3),[2]}))}))},e.prototype.waitForSomethingToChange=function(t){return n(this,void 0,void 0,(function(){return i(this,(function(o){switch(o.label){case 0:return[4,new Promise((function(o){var n=!1,i=Date.now(),r=!1;function s(){if(r||(window.removeEventListener("storage",s),e.removeFromWaiting(s),clearTimeout(a),r=!0),!n){n=!0;var t=50-(Date.now()-i);t>0?setTimeout(o,t):o(null)}}window.addEventListener("storage",s),e.addToWaiting(s);var a=setTimeout(s,Math.max(0,t-Date.now()))}))];case 1:return o.sent(),[2]}}))}))},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t)},e.removeFromWaiting=function(t){void 0!==e.waiters&&(e.waiters=e.waiters.filter((function(e){return e!==t})))},e.notifyWaiters=function(){void 0!==e.waiters&&e.waiters.slice().forEach((function(e){return e()}))},e.prototype.releaseLock=function(e){return n(this,void 0,void 0,(function(){return i(this,(function(t){switch(t.label){case 0:return[4,this.releaseLock__private__(e)];case 1:return[2,t.sent()]}}))}))},e.prototype.releaseLock__private__=function(t){return n(this,void 0,void 0,(function(){var o,n,s,u;return i(this,(function(i){switch(i.label){case 0:return o=void 0===this.storageHandler?c:this.storageHandler,n=a+"-"+t,null===(s=o.getItemSync(n))?[2]:(u=JSON.parse(s)).id!==this.id?[3,2]:[4,r.default().lock(u.iat)];case 1:i.sent(),this.acquiredIatSet.delete(u.iat),o.removeItemSync(n),r.default().unlock(u.iat),e.notifyWaiters(),i.label=2;case 2:return[2]}}))}))},e.lockCorrector=function(t){for(var o=Date.now()-5e3,n=t,i=[],r=0;;){var s=n.keySync(r);if(null===s)break;i.push(s),r++}for(var c=!1,u=0;u<i.length;u++){var d=i[u];if(d.includes(a)){var h=n.getItemSync(d);if(null!==h){var l=JSON.parse(h);(void 0===l.timeRefreshed&&l.timeAcquired<o||void 0!==l.timeRefreshed&&l.timeRefreshed<o)&&(n.removeItemSync(d),c=!0)}}}c&&e.notifyWaiters()},e.waiters=void 0,e}();t.default=h})),a=n(s);const c={timeoutInSeconds:60},u="memory",d={name:"auth0-spa-js",version:"2.11.3"},h=()=>Date.now(),l="default";class p extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,p.prototype)}static fromPayload({error:e,error_description:t}){return new p(e,t)}}class m extends p{constructor(e,t,o,n=null){super(e,t),this.state=o,this.appState=n,Object.setPrototypeOf(this,m.prototype)}}class f extends p{constructor(e,t,o,n,i=null){super(e,t),this.connection=o,this.state=n,this.appState=i,Object.setPrototypeOf(this,f.prototype)}}class y extends p{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,y.prototype)}}class g extends y{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,g.prototype)}}class w extends p{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,w.prototype)}}class b extends p{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,b.prototype)}}class k extends p{constructor(e,t,o){super(e,t),this.mfa_token=o,Object.setPrototypeOf(this,k.prototype)}}class v extends p{constructor(e,t){super("missing_refresh_token",`Missing Refresh Token (audience: '${I(e,["default"])}', scope: '${I(t)}')`),this.audience=e,this.scope=t,Object.setPrototypeOf(this,v.prototype)}}class _ extends p{constructor(e,t){super("missing_scopes",`Missing requested scopes after refresh (audience: '${I(e,["default"])}', missing scope: '${I(t)}')`),this.audience=e,this.scope=t,Object.setPrototypeOf(this,_.prototype)}}class S extends p{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,S.prototype)}}function I(e,t=[]){return e&&!t.includes(e)?e:""}const T=()=>window.crypto,P=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";return Array.from(T().getRandomValues(new Uint8Array(43))).forEach((o=>t+=e[o%e.length])),t},O=e=>btoa(e),C=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],j=e=>Object.keys(e).reduce(((t,o)=>{const n=C.find((e=>e.key===o));return n&&n.type.includes(typeof e[o])&&(t[o]=e[o]),t}),{}),x=e=>{var{clientId:o}=e,n=t(e,["clientId"]);return new URLSearchParams((e=>Object.keys(e).filter((t=>void 0!==e[t])).reduce(((t,o)=>Object.assign(Object.assign({},t),{[o]:e[o]})),{}))(Object.assign({client_id:o},n))).toString()},K=async e=>{const t=T().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},z=e=>(e=>decodeURIComponent(atob(e).split("").map((e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2))).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),E=e=>{const t=new Uint8Array(e);return(e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,(e=>t[e]))})(window.btoa(String.fromCharCode(...Array.from(t))))},R=new TextEncoder,N=new TextDecoder;function A(e){return"string"==typeof e?R.encode(e):N.decode(e)}function D(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new W(`${e.name} modulusLength must be at least 2048 bits`)}async function U(e,t,o){if(!1===o.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const n=`${Z(A(JSON.stringify(e)))}.${Z(A(JSON.stringify(t)))}`;return`${n}.${Z(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:"SHA-256"};case"RSA-PSS":return D(e.algorithm),{name:e.algorithm.name,saltLength:32};case"RSASSA-PKCS1-v1_5":return D(e.algorithm),{name:e.algorithm.name};case"Ed25519":return{name:e.algorithm.name}}throw new H}(o),o,A(n)))}`}let L;if(Uint8Array.prototype.toBase64)L=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;L=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const o=[];for(let n=0;n<t.byteLength;n+=e)o.push(String.fromCharCode.apply(null,t.subarray(n,n+e)));return btoa(o.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function Z(e){return L(e)}class H extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}class W extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}function J(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return"PS256";throw new H("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return"RS256";throw new H("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return"ES256";throw new H("unsupported EcKeyAlgorithm namedCurve")}(e);case"Ed25519":return"Ed25519";default:throw new H("unsupported CryptoKey algorithm name")}}function X(e){return e instanceof CryptoKey}function V(e){return X(e)&&"public"===e.type}async function F(e,t,o,n,i,r){const s=null==e?void 0:e.privateKey,a=null==e?void 0:e.publicKey;if(!X(c=s)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!V(a))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(!0!==a.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof o)throw new TypeError('"htm" must be a string');if(void 0!==n&&"string"!=typeof n)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==i&&"string"!=typeof i)throw new TypeError('"accessToken" must be a string or undefined');if(void 0!==r&&("object"!=typeof r||null===r||Array.isArray(r)))throw new TypeError('"additional" must be an object');return U({alg:J(s),typ:"dpop+jwt",jwk:await G(a)},Object.assign(Object.assign({},r),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:o,nonce:n,htu:t,ath:i?Z(await crypto.subtle.digest("SHA-256",A(i))):void 0}),s)}async function G(e){const{kty:t,e:o,n:n,x:i,y:r,crv:s}=await crypto.subtle.exportKey("jwk",e);return{kty:t,crv:s,e:o,n:n,x:i,y:r}}const M="dpop-nonce",Y=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange"];function $(){return async function(e,t){var o;let n;if("string"!=typeof e||0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case"PS256":n={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"RS256":n={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"ES256":n={name:"ECDSA",namedCurve:"P-256"};break;case"Ed25519":n={name:"Ed25519"};break;default:throw new H}return crypto.subtle.generateKey(n,null!==(o=null==t?void 0:t.extractable)&&void 0!==o&&o,["sign","verify"])}("ES256",{extractable:!1})}function B(e){return async function(e){if(!V(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(!0!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await G(e);let o;switch(t.kty){case"EC":o={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":o={crv:t.crv,kty:t.kty,x:t.x};break;case"RSA":o={e:t.e,kty:t.kty,n:t.n};break;default:throw new H("unsupported JWK kty")}return Z(await crypto.subtle.digest({name:"SHA-256"},A(JSON.stringify(o))))}(e.publicKey)}function q({keyPair:e,url:t,method:o,nonce:n,accessToken:i}){const r=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(t);return F(e,r,o,n,i)}const Q=async(e,t)=>{const o=await fetch(e,t);return{ok:o.ok,json:await o.json(),headers:(n=o.headers,[...n].reduce(((e,[t,o])=>(e[t]=o,e)),{}))};var n},ee=async(e,t,o)=>{const n=new AbortController;let i;return t.signal=n.signal,Promise.race([Q(e,t),new Promise(((e,t)=>{i=setTimeout((()=>{n.abort(),t(new Error("Timeout when executing 'fetch'"))}),o)}))]).finally((()=>{clearTimeout(i)}))},te=async(e,t,o,n,i,r,s,a)=>{return c={auth:{audience:t,scope:o},timeout:i,fetchUrl:e,fetchOptions:n,useFormData:s,useMrrt:a},u=r,new Promise((function(e,t){const o=new MessageChannel;o.port1.onmessage=function(n){n.data.error?t(new Error(n.data.error)):e(n.data),o.port1.close()},u.postMessage(c,[o.port2])}));var c,u},oe=async(e,t,o,n,i,r,s=1e4,a)=>i?te(e,t,o,n,s,i,r,a):ee(e,n,s);async function ne(e,o,n,i,r,s,a,c,u,d){if(u){const t=await u.generateProof({url:e,method:r.method||"GET",nonce:await u.getNonce()});r.headers=Object.assign(Object.assign({},r.headers),{dpop:t})}let h,l=null;for(let t=0;t<3;t++)try{h=await oe(e,n,i,r,s,a,o,c),l=null;break}catch(e){l=e}if(l)throw l;const m=h.json,{error:f,error_description:y}=m,g=t(m,["error","error_description"]),{headers:w,ok:b}=h;let _;if(u&&(_=w["dpop-nonce"],_&&await u.setNonce(_)),!b){const t=y||`HTTP error. Unable to fetch ${e}`;if("mfa_required"===f)throw new k(f,t,g.mfa_token);if("missing_refresh_token"===f)throw new v(n,i);if("use_dpop_nonce"===f){if(!u||!_||d)throw new S(_);return ne(e,o,n,i,r,s,a,c,u,!0)}throw new p(f||"request_error",t)}return g}async function ie(e,o){var{baseUrl:n,timeout:i,audience:r,scope:s,auth0Client:a,useFormData:c,useMrrt:u,dpop:h}=e,p=t(e,["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"]);const m="urn:ietf:params:oauth:grant-type:token-exchange"===p.grant_type,f="refresh_token"===p.grant_type&&u,y=Object.assign(Object.assign(Object.assign(Object.assign({},p),m&&r&&{audience:r}),m&&s&&{scope:s}),f&&{audience:r,scope:s}),g=c?x(y):JSON.stringify(y),w=(b=p.grant_type,Y.includes(b));var b;return await ne(`${n}/oauth/token`,i,r||l,s,{method:"POST",body:g,headers:{"Content-Type":c?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(j(a||d)))}},o,c,u,w?h:void 0)}const re=(...e)=>{return(t=e.filter(Boolean).join(" ").trim().split(/\s+/),Array.from(new Set(t))).join(" ");var t},se=(e,t,o)=>{let n;return o&&(n=e[o]),n||(n=e.default),re(n,t)},ae="@@auth0spajs@@",ce="@@user@@";class ue{constructor(e,t="@@auth0spajs@@",o){this.prefix=t,this.suffix=o,this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience}toKey(){return[this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,o,n,i]=e.split("::");return new ue({clientId:o,scope:i,audience:n},t)}static fromCacheEntry(e){const{scope:t,audience:o,client_id:n}=e;return new ue({scope:t,audience:o,clientId:n})}}class de{set(e,t){localStorage.setItem(e,JSON.stringify(t))}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e)}allKeys(){return Object.keys(window.localStorage).filter((e=>e.startsWith(ae)))}}class he{constructor(){this.enclosedCache=function(){let e={};return{set(t,o){e[t]=o},get(t){const o=e[t];if(o)return o},remove(t){delete e[t]},allKeys:()=>Object.keys(e)}}()}}class le{constructor(e,t,o){this.cache=e,this.keyManifest=t,this.nowProvider=o||h}async setIdToken(e,t,o){var n;const i=this.getIdTokenCacheKey(e);await this.cache.set(i,{id_token:t,decodedToken:o}),await(null===(n=this.keyManifest)||void 0===n?void 0:n.add(i))}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return{id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return{id_token:t.id_token,decodedToken:t.decodedToken}}async get(e,t=0,o=!1,n){var i;let r=await this.cache.get(e.toKey());if(!r){const t=await this.getCacheKeys();if(!t)return;const i=this.matchExistingCacheKey(e,t);if(i&&(r=await this.cache.get(i)),!r&&o&&"cache-only"!==n)return this.getEntryWithRefreshToken(e,t)}if(!r)return;const s=await this.nowProvider(),a=Math.floor(s/1e3);return r.expiresAt-t<a?r.body.refresh_token?this.modifiedCachedEntry(r,e):(await this.cache.remove(e.toKey()),void await(null===(i=this.keyManifest)||void 0===i?void 0:i.remove(e.toKey()))):r.body}async modifiedCachedEntry(e,t){return e.body={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},await this.cache.set(t.toKey(),e),{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}async set(e){var t;const o=new ue({clientId:e.client_id,scope:e.scope,audience:e.audience}),n=await this.wrapCacheEntry(e);await this.cache.set(o.toKey(),n),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(o.toKey()))}async remove(e,t,o){const n=new ue({clientId:e,scope:o,audience:t});await this.cache.remove(n.toKey())}async clear(e){var t;const o=await this.getCacheKeys();o&&(await o.filter((t=>!e||t.includes(e))).reduce((async(e,t)=>{await e,await this.cache.remove(t)}),Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()))}async wrapCacheEntry(e){const t=await this.nowProvider();return{body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new ue({clientId:e},ae,ce).toKey()}matchExistingCacheKey(e,t){return t.filter((t=>{var o;const n=ue.fromKey(t),i=new Set(n.scope&&n.scope.split(" ")),r=(null===(o=e.scope)||void 0===o?void 0:o.split(" "))||[],s=n.scope&&r.reduce(((e,t)=>e&&i.has(t)),!0);return n.prefix===ae&&n.clientId===e.clientId&&n.audience===e.audience&&s}))[0]}async getEntryWithRefreshToken(e,t){var o;for(const n of t){const t=ue.fromKey(n);if(t.prefix===ae&&t.clientId===e.clientId){const t=await this.cache.get(n);if(null===(o=null==t?void 0:t.body)||void 0===o?void 0:o.refresh_token)return this.modifiedCachedEntry(t,e)}}}async updateEntry(e,t){var o;const n=await this.getCacheKeys();if(n)for(const i of n){const n=await this.cache.get(i);if((null===(o=null==n?void 0:n.body)||void 0===o?void 0:o.refresh_token)===e){const e=Object.assign(Object.assign({},n.body),{refresh_token:t});await this.set(e)}}}}class pe{constructor(e,t,o){this.storage=e,this.clientId=t,this.cookieDomain=o,this.storageKey=`a0.spajs.txs.${this.clientId}`}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain})}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain})}}const me=e=>"number"==typeof e,fe=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],ye=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[o,n,i]=t;if(3!==t.length||!o||!n||!i)throw new Error("ID token could not be decoded");const r=JSON.parse(z(n)),s={__raw:e},a={};return Object.keys(r).forEach((e=>{s[e]=r[e],fe.includes(e)||(a[e]=r[e])})),{encoded:{header:o,payload:n,signature:i},header:JSON.parse(z(o)),claims:s,user:a}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error(`Issuer (iss) claim mismatch in the ID token; expected "${e.iss}", found "${t.claims.iss}"`);if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error(`Signature algorithm of "${t.header.alg}" is not supported. Expected the ID token to be signed with "RS256".`);if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error(`Audience (aud) claim mismatch in the ID token; expected "${e.aud}" but was not one of "${t.claims.aud.join(", ")}"`);if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error(`Authorized Party (azp) claim mismatch in the ID token; expected "${e.aud}", found "${t.claims.azp}"`)}}else if(t.claims.aud!==e.aud)throw new Error(`Audience (aud) claim mismatch in the ID token; expected "${e.aud}" but found "${t.claims.aud}"`);if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error(`Nonce (nonce) claim mismatch in the ID token; expected "${e.nonce}", found "${t.claims.nonce}"`)}if(e.max_age&&!me(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!me(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!me(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const o=e.leeway||60,n=new Date(e.now||Date.now()),i=new Date(0);if(i.setUTCSeconds(t.claims.exp+o),n>i)throw new Error(`Expiration Time (exp) claim error in the ID token; current time (${n}) is after expiration time (${i})`);if(null!=t.claims.nbf&&me(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-o),n<e)throw new Error(`Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (${n}) is before ${e}`)}if(null!=t.claims.auth_time&&me(t.claims.auth_time)){const i=new Date(0);if(i.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+o),n>i)throw new Error(`Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (${n}) is after last auth at ${i}`)}if(e.organization){const o=e.organization.trim();if(o.startsWith("org_")){const e=o;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error(`Organization ID (org_id) claim mismatch in the ID token; expected "${e}", found "${t.claims.org_id}"`)}else{const e=o.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error(`Organization Name (org_name) claim mismatch in the ID token; expected "${e}", found "${t.claims.org_name}"`)}}return t};var ge=i((function(e,t){var n=o&&o.__assign||function(){return n=Object.assign||function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var i in t=arguments[o])Object.prototype.hasOwnProperty.call(t,i)&&(e[i]=t[i]);return e},n.apply(this,arguments)};function i(e,t){if(!t)return"";var o="; "+e;return!0===t?o:o+"="+t}function r(e,t,o){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t}return i("Expires",e.expires?e.expires.toUTCString():"")+i("Domain",e.domain)+i("Path",e.path)+i("Secure",e.secure)+i("SameSite",e.sameSite)}(o)}function s(e){for(var t={},o=e?e.split("; "):[],n=/(%[\dA-F]{2})+/gi,i=0;i<o.length;i++){var r=o[i].split("="),s=r.slice(1).join("=");'"'===s.charAt(0)&&(s=s.slice(1,-1));try{t[r[0].replace(n,decodeURIComponent)]=s.replace(n,decodeURIComponent)}catch(e){}}return t}function a(){return s(document.cookie)}function c(e,t,o){document.cookie=r(e,t,n({path:"/"},o))}t.__esModule=!0,t.encode=r,t.parse=s,t.getAll=a,t.get=function(e){return a()[e]},t.set=c,t.remove=function(e,t){c(e,"",n(n({},t),{expires:-1}))}}));n(ge),ge.encode,ge.parse,ge.getAll;var we=ge.get,be=ge.set,ke=ge.remove;const ve={get(e){const t=we(e);if(void 0!==t)return JSON.parse(t)},save(e,t,o){let n={};"https:"===window.location.protocol&&(n={secure:!0,sameSite:"none"}),(null==o?void 0:o.daysUntilExpire)&&(n.expires=o.daysUntilExpire),(null==o?void 0:o.cookieDomain)&&(n.domain=o.cookieDomain),be(e,JSON.stringify(t),n)},remove(e,t){let o={};(null==t?void 0:t.cookieDomain)&&(o.domain=t.cookieDomain),ke(e,o)}},_e={get(e){const t=ve.get(e);return t||ve.get(`_legacy_${e}`)},save(e,t,o){let n={};"https:"===window.location.protocol&&(n={secure:!0}),(null==o?void 0:o.daysUntilExpire)&&(n.expires=o.daysUntilExpire),(null==o?void 0:o.cookieDomain)&&(n.domain=o.cookieDomain),be(`_legacy_${e}`,JSON.stringify(t),n),ve.save(e,t,o)},remove(e,t){let o={};(null==t?void 0:t.cookieDomain)&&(o.domain=t.cookieDomain),ke(e,o),ve.remove(e,t),ve.remove(`_legacy_${e}`,t)}},Se={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t))},remove(e){sessionStorage.removeItem(e)}};var Ie;e.ResponseType=void 0,(Ie=e.ResponseType||(e.ResponseType={})).Code="code",Ie.ConnectCode="connect_code";function Te(e,t,o){var n=void 0===t?null:t,i=function(e,t){var o=atob(e);if(t){for(var n=new Uint8Array(o.length),i=0,r=o.length;i<r;++i)n[i]=o.charCodeAt(i);return String.fromCharCode.apply(null,new Uint16Array(n.buffer))}return o}(e,void 0!==o&&o),r=i.indexOf("\n",10)+1,s=i.substring(r)+(n?"//# sourceMappingURL="+n:""),a=new Blob([s],{type:"application/javascript"});return URL.createObjectURL(a)}var Pe,Oe,Ce,je,xe=(Pe="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHtlcnJvcjp0LGVycm9yX2Rlc2NyaXB0aW9uOnJ9KXtyZXR1cm4gbmV3IGUodCxyKX19Y2xhc3MgdCBleHRlbmRzIGV7Y29uc3RydWN0b3IoZSxzKXtzdXBlcigibWlzc2luZ19yZWZyZXNoX3Rva2VuIixgTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyR7cihlLFsiZGVmYXVsdCJdKX0nLCBzY29wZTogJyR7cihzKX0nKWApLHRoaXMuYXVkaWVuY2U9ZSx0aGlzLnNjb3BlPXMsT2JqZWN0LnNldFByb3RvdHlwZU9mKHRoaXMsdC5wcm90b3R5cGUpfX1mdW5jdGlvbiByKGUsdD1bXSl7cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+YCR7ZX18JHt0fWA7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jKHtkYXRhOnt0aW1lb3V0OmUsYXV0aDpyLGZldGNoVXJsOmksZmV0Y2hPcHRpb25zOmMsdXNlRm9ybURhdGE6YSx1c2VNcnJ0OmZ9LHBvcnRzOltwXX0pPT57bGV0IGgsdSxsPXt9O2NvbnN0e2F1ZGllbmNlOmQsc2NvcGU6eX09cnx8e307dHJ5e2NvbnN0IHI9YT8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShjLmJvZHkpOkpTT04ucGFyc2UoYy5ib2R5KTtpZighci5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1yLmdyYW50X3R5cGUpe2lmKHU9KChlLHQpPT5vW24oZSx0KV0pKGQseSksIXUmJmYpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKGAke2V9fGApKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxkKTtlJiYhdCYmKHU9ZSl9aWYoIXUpdGhyb3cgbmV3IHQoZCx5KTtjLmJvZHk9YT9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxyKSx7cmVmcmVzaF90b2tlbjp1fSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxyKSx7cmVmcmVzaF90b2tlbjp1fSkpfWxldCBqLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGo9bmV3IEFib3J0Q29udHJvbGxlcixjLnNpZ25hbD1qLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoXz1lLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsXykpKSksZmV0Y2goaSxPYmplY3QuYXNzaWduKHt9LGMpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHAucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBqJiZqLmFib3J0KCksdm9pZCBwLnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO2c9ay5oZWFkZXJzLGw9Wy4uLmddLnJlZHVjZSgoKGUsW3Qscl0pPT4oZVt0XT1yLGUpKSx7fSksaD1hd2FpdCBrLmpzb24oKSxoLnJlZnJlc2hfdG9rZW4/KGYmJihvLmxhdGVzdF9yZWZyZXNoX3Rva2VuPWgucmVmcmVzaF90b2tlbixPPXUsYj1oLnJlZnJlc2hfdG9rZW4sT2JqZWN0LmVudHJpZXMobykuZm9yRWFjaCgoKFtlLHRdKT0+e3Q9PT1PJiYob1tlXT1iKX0pKSksKChlLHQscik9PntvW24odCxyKV09ZX0pKGgucmVmcmVzaF90b2tlbixkLHkpLGRlbGV0ZSBoLnJlZnJlc2hfdG9rZW4pOigoZSx0KT0+e2RlbGV0ZSBvW24oZSx0KV19KShkLHkpLHAucG9zdE1lc3NhZ2Uoe29rOmsub2ssanNvbjpoLGhlYWRlcnM6bH0pfWNhdGNoKGUpe3AucG9zdE1lc3NhZ2Uoe29rOiExLGpzb246e2Vycm9yOmUuZXJyb3IsZXJyb3JfZGVzY3JpcHRpb246ZS5tZXNzYWdlfSxoZWFkZXJzOmx9KX12YXIgTyxiLGcsX30pKX0oKTsKCg==",Oe=null,Ce=!1,function(e){return je=je||Te(Pe,Oe,Ce),new Worker(je,e)});const Ke={},ze=async(e,t=3)=>{for(let o=0;o<t;o++)if(await e())return!0;return!1};class Ee{constructor(e,t){this.cache=e,this.clientId=t,this.manifestKey=this.createManifestKeyFrom(this.clientId)}async add(e){var t;const o=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);o.add(e),await this.cache.set(this.manifestKey,{keys:[...o]})}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const o=new Set(t.keys);return o.delete(e),o.size>0?await this.cache.set(this.manifestKey,{keys:[...o]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return`@@auth0spajs@@::${e}`}}const Re="auth0.is.authenticated",Ne={memory:()=>(new he).enclosedCache,localstorage:()=>new de},Ae=e=>Ne[e],De=e=>{const{openUrl:o,onRedirect:n}=e,i=t(e,["openUrl","onRedirect"]);return Object.assign(Object.assign({},i),{openUrl:!1===o||o?o:n})},Ue=(e,t)=>{const o=(null==t?void 0:t.split(" "))||[];return((null==e?void 0:e.split(" "))||[]).every((e=>o.includes(e)))},Le={NONCE:"nonce",KEYPAIR:"keypair"};class Ze{constructor(e){this.clientId=e}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise(((t,o)=>{e.onupgradeneeded=()=>Object.values(Le).forEach((t=>e.result.createObjectStore(t))),e.onerror=()=>o(e.error),e.onsuccess=()=>t(e.result)}))}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,o){const n=o((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise(((e,t)=>{n.onsuccess=()=>e(n.result),n.onerror=()=>t(n.error)}))}buildKey(e){const t=e?`_${e}`:"auth0";return`${this.clientId}::${t}`}setNonce(e,t){return this.save(Le.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(Le.KEYPAIR,this.buildKey(),e)}async save(e,t,o){await this.executeDbRequest(e,"readwrite",(e=>e.put(o,t)))}findNonce(e){return this.find(Le.NONCE,this.buildKey(e))}findKeyPair(){return this.find(Le.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",(e=>e.get(t)))}async deleteBy(e,t){const o=await this.executeDbRequest(e,"readonly",(e=>e.getAllKeys()));null==o||o.filter(t).map((t=>this.executeDbRequest(e,"readwrite",(e=>e.delete(t)))))}deleteByClientId(e,t){return this.deleteBy(e,(e=>"string"==typeof e&&e.startsWith(`${t}::`)))}clearNonces(){return this.deleteByClientId(Le.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(Le.KEYPAIR,this.clientId)}}class He{constructor(e){this.storage=new Ze(e)}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await $(),await this.storage.setKeyPair(e)),e}async generateProof(e){const t=await this.getOrGenerateKeyPair();return q(Object.assign({keyPair:t},e))}async calculateThumbprint(){return B(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()])}}var We;!function(e){e.Bearer="Bearer",e.DPoP="DPoP"}(We||(We={}));class Je{constructor(e,t){this.hooks=t,this.config=Object.assign(Object.assign({},e),{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))})}isAbsoluteUrl(e){return/^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return`${e.replace(/\/?\/$/,"")}/${t.replace(/^\/+/,"")}`}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return"string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const o=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),n=e instanceof Request?new Request(o,e):o;return new Request(n,t)}setAuthorizationHeader(e,t,o=We.Bearer){e.headers.set("authorization",`${o} ${t}`)}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const o=await this.hooks.getDpopNonce(),n=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:o,url:e.url});e.headers.set("dpop",n)}async prepareRequest(e,t){const o=await this.getAccessToken(t);let n,i;"string"==typeof o?(n=this.config.dpopNonceId?We.DPoP:We.Bearer,i=o):(n=o.token_type,i=o.access_token),this.setAuthorizationHeader(e,i,n),n===We.DPoP&&await this.setDpopProofHeader(e,i)}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return!1;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const o=this.getHeader(e.headers,M);if(o&&await this.hooks.setDpopNonce(o),!this.hasUseDpopNonceError(e))return e;if(!o||!t.onUseDpopNonceError)throw new S(o);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,o,n){const i=this.buildBaseRequest(e,t);await this.prepareRequest(i,n);const r=await this.config.fetch(i);return this.handleResponse(r,o)}fetchWithAuth(e,t,o){const n={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,Object.assign(Object.assign({},n),{onUseDpopNonceError:void 0}),o)};return this.internalFetchWithAuth(e,t,n,o)}}class Xe{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth(`${this.apiBase}v1/connected-accounts/connect`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth(`${this.apiBase}v1/connected-accounts/complete`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t)}catch(o){throw new Ve({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(o)})}if(e.ok)return t;throw new Ve(t)}}class Ve extends Error{constructor({type:e,status:t,title:o,detail:n,validation_errors:i}){super(n),this.name="MyAccountApiError",this.type=e,this.status=t,this.title=o,this.detail=n,this.validation_errors=i,Object.setPrototypeOf(this,Ve.prototype)}}const Fe=new a;class Ge{constructor(e){let t,o;if(this.userCache=(new he).enclosedCache,this.activeLockKeys=new Set,this.defaultOptions={authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:!1,useFormData:!0},this._releaseLockOnPageHide=async()=>{const e=Array.from(this.activeLockKeys);for(const t of e)await Fe.releaseLock(t);this.activeLockKeys.clear(),window.removeEventListener("pagehide",this._releaseLockOnPageHide)},this.options=Object.assign(Object.assign(Object.assign({},this.defaultOptions),e),{authorizationParams:Object.assign(Object.assign({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!T())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===T().subtle)throw new Error("\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n ")})(),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)o=e.cache;else{if(t=e.cacheLocation||u,!Ae(t))throw new Error(`Invalid cache location "${t}"`);o=Ae(t)()}this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:1e4,this.cookieStorage=!1===e.legacySameSiteCookie?ve:_e,this.orgHintCookieName=`auth0.${this.options.clientId}.organization_hint`,this.isAuthenticatedCookieName=(e=>`auth0.${e}.is.authenticated`)(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const n=e.useCookiesForTransactions?this.cookieStorage:Se;var i;this.scope=((e,t,...o)=>{if("object"!=typeof e)return{[l]:re(t,e,...o)};let n={[l]:re(t,...o)};return Object.keys(e).forEach((i=>{const r=e[i];n[i]=re(t,r,...o)})),n})(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new pe(n,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||h,this.cacheManager=new le(o,o.allKeys?void 0:new Ee(o,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new He(this.options.clientId):void 0,this.domainUrl=(i=this.options.domain,/^https?:\/\//.test(i)?i:`https://${i}`),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:`https://${e}/`:`${t}/`)(this.options.issuer,this.domainUrl);const r=`${this.domainUrl}/me/`,s=this.createFetcher(Object.assign(Object.assign({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:r},detailedResponse:!0})}));this.myAccountApi=new Xe(s,r),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&t===u&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new xe)}_url(e){const t=encodeURIComponent(btoa(JSON.stringify(this.options.auth0Client||d)));return`${this.domainUrl}${e}&auth0Client=${t}`}_authorizeUrl(e){return this._url(`/authorize?${x(e)}`)}async _verifyIdToken(e,t,o){const n=await this.nowProvider();return ye({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:o,leeway:this.options.leeway,max_age:(i=this.options.authorizationParams.max_age,"string"!=typeof i?i:parseInt(i,10)||void 0),now:n});var i}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain})}async _prepareAuthorizeUrl(e,t,o){var n;const i=O(P()),r=O(P()),s=P(),a=await K(s),c=E(a),u=await(null===(n=this.dpop)||void 0===n?void 0:n.calculateThumbprint()),d=((e,t,o,n,i,r,s,a,c)=>Object.assign(Object.assign(Object.assign({client_id:e.clientId},e.authorizationParams),o),{scope:se(t,o.scope,o.audience),response_type:"code",response_mode:a||"query",state:n,nonce:i,redirect_uri:s||e.authorizationParams.redirect_uri,code_challenge:r,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,i,r,c,e.redirect_uri||this.options.authorizationParams.redirect_uri||o,null==t?void 0:t.response_mode,u),h=this._authorizeUrl(d);return{nonce:r,code_verifier:s,scope:d.scope,audience:d.audience||l,redirect_uri:d.redirect_uri,state:i,url:h}}async loginWithPopup(e,t){var o;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,o=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup",`left=${t},top=${o},width=400,height=600,resizable,scrollbars=yes,status=1`)})(""),!t.popup))throw new b;const n=await this._prepareAuthorizeUrl(e.authorizationParams||{},{response_mode:"web_message"},window.location.origin);t.popup.location.href=n.url;const i=await(e=>new Promise(((t,o)=>{let n;const i=setInterval((()=>{e.popup&&e.popup.closed&&(clearInterval(i),clearTimeout(r),window.removeEventListener("message",n,!1),o(new w(e.popup)))}),1e3),r=setTimeout((()=>{clearInterval(i),o(new g(e.popup)),window.removeEventListener("message",n,!1)}),1e3*(e.timeoutInSeconds||60));n=function(s){if(s.data&&"authorization_response"===s.data.type){if(clearTimeout(r),clearInterval(i),window.removeEventListener("message",n,!1),!1!==e.closePopup&&e.popup.close(),s.data.response.error)return o(p.fromPayload(s.data.response));t(s.data.response)}},window.addEventListener("message",n)})))(Object.assign(Object.assign({},t),{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}));if(n.state!==i.state)throw new p("state_mismatch","Invalid state");const r=(null===(o=e.authorizationParams)||void 0===o?void 0:o.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:n.audience,scope:n.scope,code_verifier:n.code_verifier,grant_type:"authorization_code",code:i.code,redirect_uri:n.redirect_uri},{nonceIn:n.nonce,organization:r})}async getUser(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(o={}){var n;const i=De(o),{openUrl:r,fragment:s,appState:a}=i,c=t(i,["openUrl","fragment","appState"]),u=(null===(n=c.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization,d=await this._prepareAuthorizeUrl(c.authorizationParams||{}),{url:h}=d,l=t(d,["url"]);this.transactionManager.create(Object.assign(Object.assign(Object.assign({},l),{appState:a,response_type:e.ResponseType.Code}),u&&{organization:u}));const p=s?`${h}#${s}`:h;r?await r(p):window.location.assign(p)}async handleRedirectCallback(t=window.location.href){const o=t.split("?").slice(1);if(0===o.length)throw new Error("There are no query params available for parsing.");const n=this.transactionManager.get();if(!n)throw new p("missing_transaction","Invalid state");this.transactionManager.remove();const i=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return{state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(o.join(""));return n.response_type===e.ResponseType.ConnectCode?this._handleConnectAccountRedirectCallback(i,n):this._handleLoginRedirectCallback(i,n)}async _handleLoginRedirectCallback(t,o){const{code:n,state:i,error:r,error_description:s}=t;if(r)throw new m(r,s||r,i,o.appState);if(!o.code_verifier||o.state&&o.state!==i)throw new p("state_mismatch","Invalid state");const a=o.organization,c=o.nonce,u=o.redirect_uri;return await this._requestToken(Object.assign({audience:o.audience,scope:o.scope,code_verifier:o.code_verifier,grant_type:"authorization_code",code:n},u?{redirect_uri:u}:{}),{nonceIn:c,organization:a}),{appState:o.appState,response_type:e.ResponseType.Code}}async _handleConnectAccountRedirectCallback(t,o){const{connect_code:n,state:i,error:r,error_description:s}=t;if(r)throw new f(r,s||r,o.connection,i,o.appState);if(!n)throw new p("missing_connect_code","Missing connect code");if(!(o.code_verifier&&o.state&&o.auth_session&&o.redirect_uri&&o.state===i))throw new p("state_mismatch","Invalid state");const a=await this.myAccountApi.completeAccount({auth_session:o.auth_session,connect_code:n,redirect_uri:o.redirect_uri,code_verifier:o.code_verifier});return Object.assign(Object.assign({},a),{appState:o.appState,response_type:e.ResponseType.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get(Re))return;this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(Re)}try{await this.getTokenSilently(e)}catch(e){}}async getTokenSilently(e={}){var t,o;const n=Object.assign(Object.assign({cacheMode:"on"},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:se(this.scope,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,(null===(o=e.authorizationParams)||void 0===o?void 0:o.audience)||this.options.authorizationParams.audience)})}),i=await((e,t)=>{let o=Ke[t];return o||(o=e().finally((()=>{delete Ke[t],o=null})),Ke[t]=o),o})((()=>this._getTokenSilently(n)),`${this.options.clientId}::${n.authorizationParams.audience}::${n.authorizationParams.scope}`);return e.detailedResponse?i:null==i?void 0:i.access_token}async _getTokenSilently(e){const{cacheMode:o}=e,n=t(e,["cacheMode"]);if("off"!==o){const e=await this._getEntryFromCache({scope:n.authorizationParams.scope,audience:n.authorizationParams.audience||l,clientId:this.options.clientId,cacheMode:o});if(e)return e}if("cache-only"===o)return;const i=(r=this.options.clientId,s=n.authorizationParams.audience||"default",`auth0.lock.getTokenSilently.${r}.${s}`);var r,s;if(!await ze((()=>Fe.acquireLock(i,5e3)),10))throw new y;this.activeLockKeys.add(i),1===this.activeLockKeys.size&&window.addEventListener("pagehide",this._releaseLockOnPageHide);try{if("off"!==o){const e=await this._getEntryFromCache({scope:n.authorizationParams.scope,audience:n.authorizationParams.audience||l,clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(n):await this._getTokenFromIFrame(n),{id_token:t,token_type:r,access_token:s,oauthTokenScope:a,expires_in:c}=e;return Object.assign(Object.assign({id_token:t,token_type:r,access_token:s},a?{scope:a}:null),{expires_in:c})}finally{await Fe.releaseLock(i),this.activeLockKeys.delete(i),0===this.activeLockKeys.size&&window.removeEventListener("pagehide",this._releaseLockOnPageHide)}}async getTokenWithPopup(e={},t={}){var o,n;const i=Object.assign(Object.assign({},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:se(this.scope,null===(o=e.authorizationParams)||void 0===o?void 0:o.scope,(null===(n=e.authorizationParams)||void 0===n?void 0:n.audience)||this.options.authorizationParams.audience)})});t=Object.assign(Object.assign({},c),t),await this.loginWithPopup(i,t);return(await this.cacheManager.get(new ue({scope:i.authorizationParams.scope,audience:i.authorizationParams.audience||l,clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return!!await this.getUser()}_buildLogoutUrl(e){null!==e.clientId?e.clientId=e.clientId||this.options.clientId:delete e.clientId;const o=e.logoutParams||{},{federated:n}=o,i=t(o,["federated"]),r=n?"&federated":"";return this._url(`/v2/logout?${x(Object.assign({clientId:e.clientId},i))}`)+r}async logout(e={}){var o;const n=De(e),{openUrl:i}=n,r=t(n,["openUrl"]);null===e.clientId?await this.cacheManager.clear():await this.cacheManager.clear(e.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove(ce),await(null===(o=this.dpop)||void 0===o?void 0:o.clear());const s=this._buildLogoutUrl(r);i?await i(s):!1!==i&&window.location.assign(s)}async _getTokenFromIFrame(e){const t=`auth0.lock.getTokenFromIFrame.${this.options.clientId}`;if(!await ze((()=>Fe.acquireLock(t,5e3)),10))throw new y;try{const o=Object.assign(Object.assign({},e.authorizationParams),{prompt:"none"}),n=this.cookieStorage.get(this.orgHintCookieName);n&&!o.organization&&(o.organization=n);const{url:i,state:r,nonce:s,code_verifier:a,redirect_uri:c,scope:u,audience:d}=await this._prepareAuthorizeUrl(o,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new p("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const h=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let l;try{l=new URL(this.domainUrl).origin}catch(e){l=this.domainUrl}const m=await((e,t,o=60)=>new Promise(((n,i)=>{const r=window.document.createElement("iframe");r.setAttribute("width","0"),r.setAttribute("height","0"),r.style.display="none";const s=()=>{window.document.body.contains(r)&&(window.document.body.removeChild(r),window.removeEventListener("message",a,!1))};let a;const c=setTimeout((()=>{i(new y),s()}),1e3*o);a=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const o=e.source;o&&o.close(),e.data.response.error?i(p.fromPayload(e.data.response)):n(e.data.response),clearTimeout(c),window.removeEventListener("message",a,!1),setTimeout(s,2e3)},window.addEventListener("message",a,!1),window.document.body.appendChild(r),r.setAttribute("src",e)})))(i,l,h);if(r!==m.state)throw new p("state_mismatch","Invalid state");const f=await this._requestToken(Object.assign(Object.assign({},e.authorizationParams),{code_verifier:a,code:m.code,grant_type:"authorization_code",redirect_uri:c,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:s,organization:o.organization});return Object.assign(Object.assign({},f),{scope:u,oauthTokenScope:f.scope,audience:d})}catch(e){throw"login_required"===e.error&&this.logout({openUrl:!1}),e}finally{await Fe.releaseLock(t)}}async _getTokenUsingRefreshToken(e){const t=await this.cacheManager.get(new ue({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||l,clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(t&&t.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new v(e.authorizationParams.audience||l,e.authorizationParams.scope)}const o=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,n="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,i=((e,t,o,n)=>{var i;if(e&&o&&n){if(t.audience!==o)return t.scope;const e=n.split(" "),r=(null===(i=t.scope)||void 0===i?void 0:i.split(" "))||[],s=r.every((t=>e.includes(t)));return e.length>=r.length&&s?n:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==t?void 0:t.audience,null==t?void 0:t.scope);try{const u=await this._requestToken(Object.assign(Object.assign(Object.assign({},e.authorizationParams),{grant_type:"refresh_token",refresh_token:t&&t.refresh_token,redirect_uri:o}),n&&{timeout:n}),{scopesToRequest:i});if(u.refresh_token&&(null==t?void 0:t.refresh_token)&&await this.cacheManager.updateEntry(t.refresh_token,u.refresh_token),this.options.useMrrt){if(r=null==t?void 0:t.audience,s=null==t?void 0:t.scope,a=e.authorizationParams.audience,c=e.authorizationParams.scope,r!==a||!Ue(c,s)){if(!Ue(i,u.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const t=((e,t)=>{const o=(null==e?void 0:e.split(" "))||[],n=(null==t?void 0:t.split(" "))||[];return o.filter((e=>-1==n.indexOf(e))).join(",")})(i,u.scope);throw new _(e.authorizationParams.audience||"default",t)}}}return Object.assign(Object.assign({},u),{scope:e.authorizationParams.scope,oauthTokenScope:u.scope,audience:e.authorizationParams.audience||l})}catch(t){if((t.message.indexOf("Missing Refresh Token")>-1||t.message&&t.message.indexOf("invalid refresh token")>-1)&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw t}var r,s,a,c}async _saveEntryInCache(e){const{id_token:o,decodedToken:n}=e,i=t(e,["id_token","decodedToken"]);this.userCache.set(ce,{id_token:o,decodedToken:n}),await this.cacheManager.setIdToken(this.options.clientId,e.id_token,e.decodedToken),await this.cacheManager.set(i)}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||l,t=this.scope[e],o=await this.cacheManager.getIdToken(new ue({clientId:this.options.clientId,audience:e,scope:t})),n=this.userCache.get(ce);return o&&o.id_token===(null==n?void 0:n.id_token)?n:(this.userCache.set(ce,o),o)}async _getEntryFromCache({scope:e,audience:t,clientId:o,cacheMode:n}){const i=await this.cacheManager.get(new ue({scope:e,audience:t,clientId:o}),60,this.options.useMrrt,n);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:o,expires_in:n}=i,r=await this._getIdTokenFromCache();return r&&Object.assign(Object.assign({id_token:r.id_token,token_type:e||"Bearer",access_token:t},o?{scope:o}:null),{expires_in:n})}}async _requestToken(e,t){var o,n;const{nonceIn:i,organization:r,scopesToRequest:s}=t||{},a=await ie(Object.assign(Object.assign({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{scope:s||e.scope}),this.worker),c=await this._verifyIdToken(a.id_token,i,r);if("authorization_code"===e.grant_type){const e=await this._getIdTokenFromCache();(null===(n=null===(o=null==e?void 0:e.decodedToken)||void 0===o?void 0:o.claims)||void 0===n?void 0:n.sub)&&e.decodedToken.claims.sub!==c.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove(ce))}return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({},a),{decodedToken:c,scope:e.scope,audience:e.audience||l}),a.scope?{oauthTokenScope:a.scope}:null),{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(r||c.claims.org_id),Object.assign(Object.assign({},a),{decodedToken:c})}async exchangeToken(e){return this._requestToken({grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:se(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization})}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(e={}){return new Je(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null===(t=null==e?void 0:e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:!0})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(t){const{openUrl:o,appState:n,connection:i,scopes:r,authorization_params:s,redirectUri:a=this.options.authorizationParams.redirect_uri||window.location.origin}=t;if(!i)throw new Error("connection is required");const c=O(P()),u=P(),d=await K(u),h=E(d),{connect_uri:l,connect_params:p,auth_session:m}=await this.myAccountApi.connectAccount({connection:i,scopes:r,redirect_uri:a,state:c,code_challenge:h,code_challenge_method:"S256",authorization_params:s});this.transactionManager.create({state:c,code_verifier:u,auth_session:m,redirect_uri:a,appState:n,connection:i,response_type:e.ResponseType.ConnectCode});const f=new URL(l);f.searchParams.set("ticket",p.ticket),o?await o(f.toString()):window.location.assign(f)}}e.Auth0Client=Ge,e.AuthenticationError=m,e.CacheKey=ue,e.ConnectError=f,e.GenericError=p,e.InMemoryCache=he,e.LocalStorageCache=de,e.MfaRequiredError=k,e.MissingRefreshTokenError=v,e.MyAccountApiError=Ve,e.PopupCancelledError=w,e.PopupOpenError=b,e.PopupTimeoutError=g,e.TimeoutError=y,e.UseDpopNonceError=S,e.User=class{},e.createAuth0Client=async function(e){const t=new Ge(e);return await t.checkSession(),t},Object.defineProperty(e,"__esModule",{value:!0})}));
1
+ !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).auth0={})}(this,(function(e){"use strict";function t(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]])}return n}"function"==typeof SuppressedError&&SuppressedError;var n="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},o={},r={};Object.defineProperty(r,"__esModule",{value:!0});var i=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,n){var o=e.locked.get(t);void 0===o?void 0===n?e.locked.set(t,[]):e.locked.set(t,[n]):void 0!==n&&(o.unshift(n),e.locked.set(t,o))},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise((function(n,o){e.isLocked(t)?e.addToLocked(t,n):(e.addToLocked(t),n())}))},this.unlock=function(t){var n=e.locked.get(t);if(void 0!==n&&0!==n.length){var o=n.pop();e.locked.set(t,n),void 0!==o&&setTimeout(o,0)}else e.locked.delete(t)}}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();r.default=function(){return i.getInstance()};var a=n&&n.__awaiter||function(e,t,n,o){return new(n||(n=Promise))((function(r,i){function a(e){try{c(o.next(e))}catch(e){i(e)}}function s(e){try{c(o.throw(e))}catch(e){i(e)}}function c(e){e.done?r(e.value):new n((function(t){t(e.value)})).then(a,s)}c((o=o.apply(e,t||[])).next())}))},s=n&&n.__generator||function(e,t){var n,o,r,i,a={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function s(i){return function(s){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;a;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return a.label++,{value:i[1],done:!1};case 5:a.label++,o=i[1],i=[0];continue;case 7:i=a.ops.pop(),a.trys.pop();continue;default:if(!(r=a.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){a=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){a.label=i[1];break}if(6===i[0]&&a.label<r[1]){a.label=r[1],r=i;break}if(r&&a.label<r[2]){a.label=r[2],a.ops.push(i);break}r[2]&&a.ops.pop(),a.trys.pop();continue}i=t.call(e,a)}catch(e){i=[6,e],o=0}finally{n=r=0}if(5&i[0])throw i[1];return{value:i[0]?i[1]:void 0,done:!0}}([i,s])}}},c=n;Object.defineProperty(o,"__esModule",{value:!0});var u=r,l="browser-tabs-lock-key",d={key:function(e){return a(c,void 0,void 0,(function(){return s(this,(function(e){throw new Error("Unsupported")}))}))},getItem:function(e){return a(c,void 0,void 0,(function(){return s(this,(function(e){throw new Error("Unsupported")}))}))},clear:function(){return a(c,void 0,void 0,(function(){return s(this,(function(e){return[2,window.localStorage.clear()]}))}))},removeItem:function(e){return a(c,void 0,void 0,(function(){return s(this,(function(e){throw new Error("Unsupported")}))}))},setItem:function(e,t){return a(c,void 0,void 0,(function(){return s(this,(function(e){throw new Error("Unsupported")}))}))},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function h(e){return new Promise((function(t){return setTimeout(t,e)}))}function p(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",n="",o=0;o<e;o++){n+=t[Math.floor(Math.random()*t.length)]}return n}var f=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+p(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[])}return e.prototype.acquireLock=function(t,n){return void 0===n&&(n=5e3),a(this,void 0,void 0,(function(){var o,r,i,a,c,u,f;return s(this,(function(s){switch(s.label){case 0:o=Date.now()+p(4),r=Date.now()+n,i=l+"-"+t,a=void 0===this.storageHandler?d:this.storageHandler,s.label=1;case 1:return Date.now()<r?[4,h(30)]:[3,8];case 2:return s.sent(),null!==a.getItemSync(i)?[3,5]:(c=this.id+"-"+t+"-"+o,[4,h(Math.floor(25*Math.random()))]);case 3:return s.sent(),a.setItemSync(i,JSON.stringify({id:this.id,iat:o,timeoutKey:c,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,h(30)];case 4:return s.sent(),null!==(u=a.getItemSync(i))&&(f=JSON.parse(u)).id===this.id&&f.iat===o?(this.acquiredIatSet.add(o),this.refreshLockWhileAcquired(i,o),[2,!0]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?d:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:s.sent(),s.label=7;case 7:return o=Date.now()+p(4),[3,1];case 8:return[2,!1]}}))}))},e.prototype.refreshLockWhileAcquired=function(e,t){return a(this,void 0,void 0,(function(){var n=this;return s(this,(function(o){return setTimeout((function(){return a(n,void 0,void 0,(function(){var n,o,r;return s(this,(function(i){switch(i.label){case 0:return[4,u.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(n=void 0===this.storageHandler?d:this.storageHandler,null===(o=n.getItemSync(e))?(u.default().unlock(t),[2]):((r=JSON.parse(o)).timeRefreshed=Date.now(),n.setItemSync(e,JSON.stringify(r)),u.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(u.default().unlock(t),[2])}}))}))}),1e3),[2]}))}))},e.prototype.waitForSomethingToChange=function(t){return a(this,void 0,void 0,(function(){return s(this,(function(n){switch(n.label){case 0:return[4,new Promise((function(n){var o=!1,r=Date.now(),i=!1;function a(){if(i||(window.removeEventListener("storage",a),e.removeFromWaiting(a),clearTimeout(s),i=!0),!o){o=!0;var t=50-(Date.now()-r);t>0?setTimeout(n,t):n(null)}}window.addEventListener("storage",a),e.addToWaiting(a);var s=setTimeout(a,Math.max(0,t-Date.now()))}))];case 1:return n.sent(),[2]}}))}))},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t)},e.removeFromWaiting=function(t){void 0!==e.waiters&&(e.waiters=e.waiters.filter((function(e){return e!==t})))},e.notifyWaiters=function(){void 0!==e.waiters&&e.waiters.slice().forEach((function(e){return e()}))},e.prototype.releaseLock=function(e){return a(this,void 0,void 0,(function(){return s(this,(function(t){switch(t.label){case 0:return[4,this.releaseLock__private__(e)];case 1:return[2,t.sent()]}}))}))},e.prototype.releaseLock__private__=function(t){return a(this,void 0,void 0,(function(){var n,o,r,i;return s(this,(function(a){switch(a.label){case 0:return n=void 0===this.storageHandler?d:this.storageHandler,o=l+"-"+t,null===(r=n.getItemSync(o))?[2]:(i=JSON.parse(r)).id!==this.id?[3,2]:[4,u.default().lock(i.iat)];case 1:a.sent(),this.acquiredIatSet.delete(i.iat),n.removeItemSync(o),u.default().unlock(i.iat),e.notifyWaiters(),a.label=2;case 2:return[2]}}))}))},e.lockCorrector=function(t){for(var n=Date.now()-5e3,o=t,r=[],i=0;;){var a=o.keySync(i);if(null===a)break;r.push(a),i++}for(var s=!1,c=0;c<r.length;c++){var u=r[c];if(u.includes(l)){var d=o.getItemSync(u);if(null!==d){var h=JSON.parse(d);(void 0===h.timeRefreshed&&h.timeAcquired<n||void 0!==h.timeRefreshed&&h.timeRefreshed<n)&&(o.removeItemSync(u),s=!0)}}}s&&e.notifyWaiters()},e.waiters=void 0,e}(),m=o.default=f;const y={timeoutInSeconds:60},w=1e4,g="memory",v={name:"auth0-spa-js",version:"2.13.0"},b=()=>Date.now(),_="default";class k extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,k.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new k(t,n)}}class S extends k{constructor(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:null;super(e,t),this.state=n,this.appState=o,Object.setPrototypeOf(this,S.prototype)}}class T extends k{constructor(e,t,n,o){let r=arguments.length>4&&void 0!==arguments[4]?arguments[4]:null;super(e,t),this.connection=n,this.state=o,this.appState=r,Object.setPrototypeOf(this,T.prototype)}}class E extends k{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,E.prototype)}}class A extends E{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,A.prototype)}}class P extends k{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,P.prototype)}}class O extends k{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,O.prototype)}}class R extends k{constructor(e,t,n,o){super(e,t),this.mfa_token=n,this.mfa_requirements=o,Object.setPrototypeOf(this,R.prototype)}}class x extends k{constructor(e,t){super("missing_refresh_token","Missing Refresh Token (audience: '".concat(j(e,["default"]),"', scope: '").concat(j(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,x.prototype)}}class I extends k{constructor(e,t){super("missing_scopes","Missing requested scopes after refresh (audience: '".concat(j(e,["default"]),"', missing scope: '").concat(j(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,I.prototype)}}class C extends k{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,C.prototype)}}function j(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:[];return e&&!t.includes(e)?e:""}const K=()=>window.crypto,D=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";return Array.from(K().getRandomValues(new Uint8Array(43))).forEach((n=>t+=e[n%e.length])),t},U=e=>btoa(e),W=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],L=function(e){let t=arguments.length>1&&void 0!==arguments[1]&&arguments[1];return Object.keys(e).reduce(((n,o)=>{if(t&&"env"===o)return n;const r=W.find((e=>e.key===o));return r&&r.type.includes(typeof e[o])&&(n[o]=e[o]),n}),{})},N=e=>{var{clientId:n}=e,o=t(e,["clientId"]);return new URLSearchParams((e=>Object.keys(e).filter((t=>void 0!==e[t])).reduce(((t,n)=>Object.assign(Object.assign({},t),{[n]:e[n]})),{}))(Object.assign({client_id:n},o))).toString()},z=async e=>{const t=K().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},H=e=>(e=>decodeURIComponent(atob(e).split("").map((e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2))).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),M=e=>{const t=new Uint8Array(e);return(e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,(e=>t[e]))})(window.btoa(String.fromCharCode(...Array.from(t))))},J=new TextEncoder,F=new TextDecoder;function V(e){return"string"==typeof e?J.encode(e):F.decode(e)}function Z(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new Y(`${e.name} modulusLength must be at least 2048 bits`)}async function q(e,t,n){if(!1===n.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const o=`${B(V(JSON.stringify(e)))}.${B(V(JSON.stringify(t)))}`;return`${o}.${B(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:"SHA-256"};case"RSA-PSS":return Z(e.algorithm),{name:e.algorithm.name,saltLength:32};case"RSASSA-PKCS1-v1_5":return Z(e.algorithm),{name:e.algorithm.name};case"Ed25519":return{name:e.algorithm.name}}throw new X}(n),n,V(o)))}`}let G;if(Uint8Array.prototype.toBase64)G=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;G=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function B(e){return G(e)}class X extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}class Y extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}function Q(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return"PS256";throw new X("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return"RS256";throw new X("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return"ES256";throw new X("unsupported EcKeyAlgorithm namedCurve")}(e);case"Ed25519":return"Ed25519";default:throw new X("unsupported CryptoKey algorithm name")}}function $(e){return e instanceof CryptoKey}function ee(e){return $(e)&&"public"===e.type}async function te(e,t,n,o,r,i){const a=null==e?void 0:e.privateKey,s=null==e?void 0:e.publicKey;if(!$(c=a)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!ee(s))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(!0!==s.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof n)throw new TypeError('"htm" must be a string');if(void 0!==o&&"string"!=typeof o)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==r&&"string"!=typeof r)throw new TypeError('"accessToken" must be a string or undefined');if(void 0!==i&&("object"!=typeof i||null===i||Array.isArray(i)))throw new TypeError('"additional" must be an object');return q({alg:Q(a),typ:"dpop+jwt",jwk:await ne(s)},Object.assign(Object.assign({},i),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:n,nonce:o,htu:t,ath:r?B(await crypto.subtle.digest("SHA-256",V(r))):void 0}),a)}async function ne(e){const{kty:t,e:n,n:o,x:r,y:i,crv:a}=await crypto.subtle.exportKey("jwk",e);return{kty:t,crv:a,e:n,n:o,x:r,y:i}}const oe="dpop-nonce",re=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange","http://auth0.com/oauth/grant-type/mfa-oob","http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-recovery-code"];function ie(){return async function(e,t){var n;let o;if("string"!=typeof e||0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case"PS256":o={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"RS256":o={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"ES256":o={name:"ECDSA",namedCurve:"P-256"};break;case"Ed25519":o={name:"Ed25519"};break;default:throw new X}return crypto.subtle.generateKey(o,null!==(n=null==t?void 0:t.extractable)&&void 0!==n&&n,["sign","verify"])}("ES256",{extractable:!1})}function ae(e){return async function(e){if(!ee(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(!0!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await ne(e);let n;switch(t.kty){case"EC":n={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":n={crv:t.crv,kty:t.kty,x:t.x};break;case"RSA":n={e:t.e,kty:t.kty,n:t.n};break;default:throw new X("unsupported JWK kty")}return B(await crypto.subtle.digest({name:"SHA-256"},V(JSON.stringify(n))))}(e.publicKey)}function se(e){let{keyPair:t,url:n,method:o,nonce:r,accessToken:i}=e;const a=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(n);return te(t,a,o,r,i)}const ce=async(e,t)=>{const n=await fetch(e,t);return{ok:n.ok,json:await n.json(),headers:(o=n.headers,[...o].reduce(((e,t)=>{let[n,o]=t;return e[n]=o,e}),{}))};var o},ue=async(e,t,n)=>{const o=new AbortController;let r;return t.signal=o.signal,Promise.race([ce(e,t),new Promise(((e,t)=>{r=setTimeout((()=>{o.abort(),t(new Error("Timeout when executing 'fetch'"))}),n)}))]).finally((()=>{clearTimeout(r)}))},le=async(e,t,n,o,r,i,a,s)=>((e,t)=>new Promise((function(n,o){const r=new MessageChannel;r.port1.onmessage=function(e){e.data.error?o(new Error(e.data.error)):n(e.data),r.port1.close()},t.postMessage(e,[r.port2])})))({auth:{audience:t,scope:n},timeout:r,fetchUrl:e,fetchOptions:o,useFormData:a,useMrrt:s},i),de=async function(e,t,n,o,r,i){let a=arguments.length>6&&void 0!==arguments[6]?arguments[6]:w,s=arguments.length>7?arguments[7]:void 0;return r?le(e,t,n,o,a,r,i,s):ue(e,o,a)};async function he(e,n,o,r,i,a,s,c,u,l){if(u){const t=await u.generateProof({url:e,method:i.method||"GET",nonce:await u.getNonce()});i.headers=Object.assign(Object.assign({},i.headers),{dpop:t})}let d,h=null;for(let t=0;t<3;t++)try{d=await de(e,o,r,i,a,s,n,c),h=null;break}catch(e){h=e}if(h)throw h;const p=d.json,{error:f,error_description:m}=p,y=t(p,["error","error_description"]),{headers:w,ok:g}=d;let v;if(u&&(v=w["dpop-nonce"],v&&await u.setNonce(v)),!g){const t=m||"HTTP error. Unable to fetch ".concat(e);if("mfa_required"===f)throw new R(f,t,y.mfa_token,y.mfa_requirements);if("missing_refresh_token"===f)throw new x(o,r);if("use_dpop_nonce"===f){if(!u||!v||l)throw new C(v);return he(e,n,o,r,i,a,s,c,u,!0)}throw new k(f||"request_error",t)}return y}async function pe(e,n){var{baseUrl:o,timeout:r,audience:i,scope:a,auth0Client:s,useFormData:c,useMrrt:u,dpop:l}=e,d=t(e,["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"]);const h="urn:ietf:params:oauth:grant-type:token-exchange"===d.grant_type,p="refresh_token"===d.grant_type&&u,f=Object.assign(Object.assign(Object.assign(Object.assign({},d),h&&i&&{audience:i}),h&&a&&{scope:a}),p&&{audience:i,scope:a}),m=c?N(f):JSON.stringify(f),y=(w=d.grant_type,re.includes(w));var w;return await he("".concat(o,"/oauth/token"),r,i||_,a,{method:"POST",body:m,headers:{"Content-Type":c?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(L(s||v)))}},n,c,u,y?l:void 0)}const fe=e=>Array.from(new Set(e)),me=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return fe(t.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ")},ye=(e,t,n)=>{let o;return n&&(o=e[n]),o||(o=e.default),me(o,t)},we="@@auth0spajs@@",ge="@@user@@";class ve{constructor(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:we,n=arguments.length>2?arguments[2]:void 0;this.prefix=t,this.suffix=n,this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience}toKey(){return[this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,n,o,r]=e.split("::");return new ve({clientId:n,scope:r,audience:o},t)}static fromCacheEntry(e){const{scope:t,audience:n,client_id:o}=e;return new ve({scope:t,audience:n,clientId:o})}}class be{set(e,t){localStorage.setItem(e,JSON.stringify(t))}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e)}allKeys(){return Object.keys(window.localStorage).filter((e=>e.startsWith(we)))}}class _e{constructor(){this.enclosedCache=function(){let e={};return{set(t,n){e[t]=n},get(t){const n=e[t];if(n)return n},remove(t){delete e[t]},allKeys:()=>Object.keys(e)}}()}}class ke{constructor(e,t,n){this.cache=e,this.keyManifest=t,this.nowProvider=n||b}async setIdToken(e,t,n){var o;const r=this.getIdTokenCacheKey(e);await this.cache.set(r,{id_token:t,decodedToken:n}),await(null===(o=this.keyManifest)||void 0===o?void 0:o.add(r))}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return{id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return{id_token:t.id_token,decodedToken:t.decodedToken}}async get(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:0,n=arguments.length>2&&void 0!==arguments[2]&&arguments[2],o=arguments.length>3?arguments[3]:void 0;var r;let i=await this.cache.get(e.toKey());if(!i){const t=await this.getCacheKeys();if(!t)return;const r=this.matchExistingCacheKey(e,t);if(r&&(i=await this.cache.get(r)),!i&&n&&"cache-only"!==o)return this.getEntryWithRefreshToken(e,t)}if(!i)return;const a=await this.nowProvider(),s=Math.floor(a/1e3);return i.expiresAt-t<s?i.body.refresh_token?this.modifiedCachedEntry(i,e):(await this.cache.remove(e.toKey()),void await(null===(r=this.keyManifest)||void 0===r?void 0:r.remove(e.toKey()))):i.body}async modifiedCachedEntry(e,t){return e.body={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},await this.cache.set(t.toKey(),e),{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}async set(e){var t;const n=new ve({clientId:e.client_id,scope:e.scope,audience:e.audience}),o=await this.wrapCacheEntry(e);await this.cache.set(n.toKey(),o),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(n.toKey()))}async remove(e,t,n){const o=new ve({clientId:e,scope:n,audience:t});await this.cache.remove(o.toKey())}async clear(e){var t;const n=await this.getCacheKeys();n&&(await n.filter((t=>!e||t.includes(e))).reduce((async(e,t)=>{await e,await this.cache.remove(t)}),Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()))}async wrapCacheEntry(e){const t=await this.nowProvider();return{body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new ve({clientId:e},we,ge).toKey()}matchExistingCacheKey(e,t){return t.filter((t=>{var n;const o=ve.fromKey(t),r=new Set(o.scope&&o.scope.split(" ")),i=(null===(n=e.scope)||void 0===n?void 0:n.split(" "))||[],a=o.scope&&i.reduce(((e,t)=>e&&r.has(t)),!0);return o.prefix===we&&o.clientId===e.clientId&&o.audience===e.audience&&a}))[0]}async getEntryWithRefreshToken(e,t){var n;for(const o of t){const t=ve.fromKey(o);if(t.prefix===we&&t.clientId===e.clientId){const t=await this.cache.get(o);if(null===(n=null==t?void 0:t.body)||void 0===n?void 0:n.refresh_token)return this.modifiedCachedEntry(t,e)}}}async updateEntry(e,t){var n;const o=await this.getCacheKeys();if(o)for(const r of o){const o=await this.cache.get(r);if((null===(n=null==o?void 0:o.body)||void 0===n?void 0:n.refresh_token)===e){const e=Object.assign(Object.assign({},o.body),{refresh_token:t});await this.set(e)}}}}class Se{constructor(e,t,n){this.storage=e,this.clientId=t,this.cookieDomain=n,this.storageKey="".concat("a0.spajs.txs",".").concat(this.clientId)}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain})}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain})}}const Te=e=>"number"==typeof e,Ee=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],Ae=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[n,o,r]=t;if(3!==t.length||!n||!o||!r)throw new Error("ID token could not be decoded");const i=JSON.parse(H(o)),a={__raw:e},s={};return Object.keys(i).forEach((e=>{a[e]=i[e],Ee.includes(e)||(s[e]=i[e])})),{encoded:{header:n,payload:o,signature:r},header:JSON.parse(H(n)),claims:a,user:s}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(e.iss,'", found "').concat(t.claims.iss,'"'));if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error('Signature algorithm of "'.concat(t.header.alg,'" is not supported. Expected the ID token to be signed with "RS256".'));if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but was not one of "').concat(t.claims.aud.join(", "),'"'));if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(e.aud,'", found "').concat(t.claims.azp,'"'))}}else if(t.claims.aud!==e.aud)throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but found "').concat(t.claims.aud,'"'));if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(e.nonce,'", found "').concat(t.claims.nonce,'"'))}if(e.max_age&&!Te(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!Te(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!Te(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const n=e.leeway||60,o=new Date(e.now||Date.now()),r=new Date(0);if(r.setUTCSeconds(t.claims.exp+n),o>r)throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o,") is after expiration time (").concat(r,")"));if(null!=t.claims.nbf&&Te(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-n),o<e)throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o,") is before ").concat(e))}if(null!=t.claims.auth_time&&Te(t.claims.auth_time)){const r=new Date(0);if(r.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+n),o>r)throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o,") is after last auth at ").concat(r))}if(e.organization){const n=e.organization.trim();if(n.startsWith("org_")){const e=n;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_id,'"'))}else{const e=n.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_name,'"'))}}return t};var Pe=n&&n.__assign||function(){return Pe=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},Pe.apply(this,arguments)};function Oe(e,t){if(!t)return"";var n="; "+e;return!0===t?n:n+"="+t}function Re(e,t,n){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t}return Oe("Expires",e.expires?e.expires.toUTCString():"")+Oe("Domain",e.domain)+Oe("Path",e.path)+Oe("Secure",e.secure)+Oe("SameSite",e.sameSite)}(n)}function xe(){return function(e){for(var t={},n=e?e.split("; "):[],o=/(%[\dA-F]{2})+/gi,r=0;r<n.length;r++){var i=n[r].split("="),a=i.slice(1).join("=");'"'===a.charAt(0)&&(a=a.slice(1,-1));try{t[i[0].replace(o,decodeURIComponent)]=a.replace(o,decodeURIComponent)}catch(e){}}return t}(document.cookie)}var Ie=function(e){return xe()[e]};function Ce(e,t,n){document.cookie=Re(e,t,Pe({path:"/"},n))}var je=Ce;var Ke=function(e,t){Ce(e,"",Pe(Pe({},t),{expires:-1}))};const De={get(e){const t=Ie(e);if(void 0!==t)return JSON.parse(t)},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0,sameSite:"none"}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),je(e,JSON.stringify(t),o)},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),Ke(e,n)}},Ue="_legacy_",We={get(e){const t=De.get(e);return t||De.get("".concat(Ue).concat(e))},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),je("".concat(Ue).concat(e),JSON.stringify(t),o),De.save(e,t,n)},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),Ke(e,n),De.remove(e,t),De.remove("".concat(Ue).concat(e),t)}},Le={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t))},remove(e){sessionStorage.removeItem(e)}};var Ne;e.ResponseType=void 0,(Ne=e.ResponseType||(e.ResponseType={})).Code="code",Ne.ConnectCode="connect_code";function ze(e,t,n){var o=void 0===t?null:t,r=function(e,t){var n=atob(e);if(t){for(var o=new Uint8Array(n.length),r=0,i=n.length;r<i;++r)o[r]=n.charCodeAt(r);return String.fromCharCode.apply(null,new Uint16Array(o.buffer))}return n}(e,void 0!==n&&n),i=r.indexOf("\n",10)+1,a=r.substring(i)+(o?"//# sourceMappingURL="+o:""),s=new Blob([a],{type:"application/javascript"});return URL.createObjectURL(s)}var He,Me,Je,Fe,Ve=(He="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnN9PXQ7cmV0dXJuIG5ldyBlKHIscyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUscyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKHMpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1zLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtsZXQgdD1hcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W107cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCk7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jIGU9PntsZXQgcixjLHtkYXRhOnt0aW1lb3V0OmksYXV0aDphLGZldGNoVXJsOmYsZmV0Y2hPcHRpb25zOmwsdXNlRm9ybURhdGE6cCx1c2VNcnJ0Omh9LHBvcnRzOlt1XX09ZSxkPXt9O2NvbnN0e2F1ZGllbmNlOmcsc2NvcGU6eX09YXx8e307dHJ5e2NvbnN0IGU9cD8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShsLmJvZHkpOkpTT04ucGFyc2UobC5ib2R5KTtpZighZS5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1lLmdyYW50X3R5cGUpe2lmKGM9KChlLHQpPT5vW24oZSx0KV0pKGcseSksIWMmJmgpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxnKTtlJiYhdCYmKGM9ZSl9aWYoIWMpdGhyb3cgbmV3IHQoZyx5KTtsLmJvZHk9cD9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpfWxldCBhLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGE9bmV3IEFib3J0Q29udHJvbGxlcixsLnNpZ25hbD1hLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoaj1pLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsaikpKSksZmV0Y2goZixPYmplY3QuYXNzaWduKHt9LGwpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHUucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBhJiZhLmFib3J0KCksdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189ay5oZWFkZXJzLGQ9Wy4uLl9dLnJlZHVjZSgoKGUsdCk9PntsZXRbcixzXT10O3JldHVybiBlW3JdPXMsZX0pLHt9KSxyPWF3YWl0IGsuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKG8ubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLE89YyxiPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhvKS5mb3JFYWNoKChlPT57bGV0W3Qscl09ZTtyPT09TyYmKG9bdF09Yil9KSkpLCgoZSx0LHIpPT57b1tuKHQscildPWV9KShyLnJlZnJlc2hfdG9rZW4sZyx5KSxkZWxldGUgci5yZWZyZXNoX3Rva2VuKTooKGUsdCk9PntkZWxldGUgb1tuKGUsdCldfSkoZyx5KSx1LnBvc3RNZXNzYWdlKHtvazprLm9rLGpzb246cixoZWFkZXJzOmR9KX1jYXRjaChlKXt1LnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjplLmVycm9yLGVycm9yX2Rlc2NyaXB0aW9uOmUubWVzc2FnZX0saGVhZGVyczpkfSl9dmFyIE8sYixfLGp9KSl9KCk7Cgo=",Me=null,Je=!1,function(e){return Fe=Fe||ze(He,Me,Je),new Worker(Fe,e)});const Ze={},qe=async function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:3;for(let n=0;n<t;n++)if(await e())return!0;return!1};class Ge{constructor(e,t){this.cache=e,this.clientId=t,this.manifestKey=this.createManifestKeyFrom(this.clientId)}async add(e){var t;const n=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);n.add(e),await this.cache.set(this.manifestKey,{keys:[...n]})}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const n=new Set(t.keys);return n.delete(e),n.size>0?await this.cache.set(this.manifestKey,{keys:[...n]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return"".concat(we,"::").concat(e)}}const Be="auth0.is.authenticated",Xe={memory:()=>(new _e).enclosedCache,localstorage:()=>new be},Ye=e=>Xe[e],Qe=e=>{const{openUrl:n,onRedirect:o}=e,r=t(e,["openUrl","onRedirect"]);return Object.assign(Object.assign({},r),{openUrl:!1===n||n?n:o})},$e=(e,t)=>{const n=(null==t?void 0:t.split(" "))||[];return((null==e?void 0:e.split(" "))||[]).every((e=>n.includes(e)))},et={NONCE:"nonce",KEYPAIR:"keypair"};class tt{constructor(e){this.clientId=e}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise(((t,n)=>{e.onupgradeneeded=()=>Object.values(et).forEach((t=>e.result.createObjectStore(t))),e.onerror=()=>n(e.error),e.onsuccess=()=>t(e.result)}))}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,n){const o=n((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise(((e,t)=>{o.onsuccess=()=>e(o.result),o.onerror=()=>t(o.error)}))}buildKey(e){const t=e?"_".concat(e):"auth0";return"".concat(this.clientId,"::").concat(t)}setNonce(e,t){return this.save(et.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(et.KEYPAIR,this.buildKey(),e)}async save(e,t,n){await this.executeDbRequest(e,"readwrite",(e=>e.put(n,t)))}findNonce(e){return this.find(et.NONCE,this.buildKey(e))}findKeyPair(){return this.find(et.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",(e=>e.get(t)))}async deleteBy(e,t){const n=await this.executeDbRequest(e,"readonly",(e=>e.getAllKeys()));null==n||n.filter(t).map((t=>this.executeDbRequest(e,"readwrite",(e=>e.delete(t)))))}deleteByClientId(e,t){return this.deleteBy(e,(e=>"string"==typeof e&&e.startsWith("".concat(t,"::"))))}clearNonces(){return this.deleteByClientId(et.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(et.KEYPAIR,this.clientId)}}class nt{constructor(e){this.storage=new tt(e)}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await ie(),await this.storage.setKeyPair(e)),e}async generateProof(e){const t=await this.getOrGenerateKeyPair();return se(Object.assign({keyPair:t},e))}async calculateThumbprint(){return ae(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()])}}var ot;!function(e){e.Bearer="Bearer",e.DPoP="DPoP"}(ot||(ot={}));class rt{constructor(e,t){this.hooks=t,this.config=Object.assign(Object.assign({},e),{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))})}isAbsoluteUrl(e){return/^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return"".concat(e.replace(/\/?\/$/,""),"/").concat(t.replace(/^\/+/,""))}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return"string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const n=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),o=e instanceof Request?new Request(n,e):n;return new Request(o,t)}setAuthorizationHeader(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:ot.Bearer;e.headers.set("authorization","".concat(n," ").concat(t))}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const n=await this.hooks.getDpopNonce(),o=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:n,url:e.url});e.headers.set("dpop",o)}async prepareRequest(e,t){const n=await this.getAccessToken(t);let o,r;"string"==typeof n?(o=this.config.dpopNonceId?ot.DPoP:ot.Bearer,r=n):(o=n.token_type,r=n.access_token),this.setAuthorizationHeader(e,r,o),o===ot.DPoP&&await this.setDpopProofHeader(e,r)}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return!1;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const n=this.getHeader(e.headers,oe);if(n&&await this.hooks.setDpopNonce(n),!this.hasUseDpopNonceError(e))return e;if(!n||!t.onUseDpopNonceError)throw new C(n);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,n,o){const r=this.buildBaseRequest(e,t);await this.prepareRequest(r,o);const i=await this.config.fetch(r);return this.handleResponse(i,n)}fetchWithAuth(e,t,n){const o={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,Object.assign(Object.assign({},o),{onUseDpopNonceError:void 0}),n)};return this.internalFetchWithAuth(e,t,o,n)}}class it{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/connect"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/complete"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t)}catch(n){throw new at({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(n)})}if(e.ok)return t;throw new at(t)}}class at extends Error{constructor(e){let{type:t,status:n,title:o,detail:r,validation_errors:i}=e;super(r),this.name="MyAccountApiError",this.type=t,this.status=n,this.title=o,this.detail=r,this.validation_errors=i,Object.setPrototypeOf(this,at.prototype)}}const st={otp:{authenticatorTypes:["otp"]},sms:{authenticatorTypes:["oob"],oobChannels:["sms"]},email:{authenticatorTypes:["oob"],oobChannels:["email"]},push:{authenticatorTypes:["oob"],oobChannels:["auth0"]},voice:{authenticatorTypes:["oob"],oobChannels:["voice"]}},ct="http://auth0.com/oauth/grant-type/mfa-otp",ut="http://auth0.com/oauth/grant-type/mfa-oob",lt="http://auth0.com/oauth/grant-type/mfa-recovery-code";function dt(e,t){this.v=e,this.k=t}function ht(e,t,n){if("function"==typeof e?e===t:e.has(t))return arguments.length<3?t:n;throw new TypeError("Private element is not present on this object")}function pt(e){return new dt(e,0)}function ft(e,t){if(t.has(e))throw new TypeError("Cannot initialize the same private elements twice on an object")}function mt(e,t){return e.get(ht(e,t))}function yt(e,t,n){ft(e,t),t.set(e,n)}function wt(e,t,n){return e.set(ht(e,t),n),n}function gt(e,t,n){return(t=function(e){var t=function(e,t){if("object"!=typeof e||!e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var o=n.call(e,t||"default");if("object"!=typeof o)return o;throw new TypeError("@@toPrimitive must return a primitive value.")}return("string"===t?String:Number)(e)}(e,"string");return"symbol"==typeof t?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function vt(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,o)}return n}function bt(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?vt(Object(n),!0).forEach((function(t){gt(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):vt(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}function _t(e,t){if(null==e)return{};var n,o,r=function(e,t){if(null==e)return{};var n={};for(var o in e)if({}.hasOwnProperty.call(e,o)){if(-1!==t.indexOf(o))continue;n[o]=e[o]}return n}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(o=0;o<i.length;o++)n=i[o],-1===t.indexOf(n)&&{}.propertyIsEnumerable.call(e,n)&&(r[n]=e[n])}return r}function kt(e){return function(){return new St(e.apply(this,arguments))}}function St(e){var t,n;function o(t,n){try{var i=e[t](n),a=i.value,s=a instanceof dt;Promise.resolve(s?a.v:a).then((function(n){if(s){var c="return"===t?"return":"next";if(!a.k||n.done)return o(c,n);n=e[c](n).value}r(i.done?"return":"normal",n)}),(function(e){o("throw",e)}))}catch(e){r("throw",e)}}function r(e,r){switch(e){case"return":t.resolve({value:r,done:!0});break;case"throw":t.reject(r);break;default:t.resolve({value:r,done:!1})}(t=t.next)?o(t.key,t.arg):n=null}this._invoke=function(e,r){return new Promise((function(i,a){var s={key:e,arg:r,resolve:i,reject:a,next:null};n?n=n.next=s:(t=n=s,o(e,r))}))},"function"!=typeof e.return&&(this.return=void 0)}var Tt,Et;let At;if(St.prototype["function"==typeof Symbol&&Symbol.asyncIterator||"@@asyncIterator"]=function(){return this},St.prototype.next=function(e){return this._invoke("next",e)},St.prototype.throw=function(e){return this._invoke("throw",e)},St.prototype.return=function(e){return this._invoke("return",e)},"undefined"==typeof navigator||null===(Tt=navigator.userAgent)||void 0===Tt||null===(Et=Tt.startsWith)||void 0===Et||!Et.call(Tt,"Mozilla/5.0 ")){const e="v3.8.3";At="".concat("oauth4webapi","/").concat(e)}function Pt(e,t){if(null==e)return!1;try{return e instanceof t||Object.getPrototypeOf(e)[Symbol.toStringTag]===t.prototype[Symbol.toStringTag]}catch(e){return!1}}const Ot="ERR_INVALID_ARG_VALUE",Rt="ERR_INVALID_ARG_TYPE";function xt(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}const It=Symbol(),Ct=Symbol(),jt=Symbol(),Kt=Symbol(),Dt=Symbol(),Ut=Symbol(),Wt=new TextEncoder,Lt=new TextDecoder;function Nt(e){return"string"==typeof e?Wt.encode(e):Lt.decode(e)}let zt,Ht;if(Uint8Array.prototype.toBase64)zt=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;zt=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function Mt(e){return"string"==typeof e?Ht(e):zt(e)}Ht=Uint8Array.fromBase64?e=>{try{return Uint8Array.fromBase64(e,{alphabet:"base64url"})}catch(e){throw xt("The input to be decoded is not correctly encoded.",Ot,e)}}:e=>{try{const t=atob(e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"")),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}catch(e){throw xt("The input to be decoded is not correctly encoded.",Ot,e)}};class Jt extends Error{constructor(e,t){var n;super(e,t),gt(this,"code",void 0),this.name=this.constructor.name,this.code=Jn,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class Ft extends Error{constructor(e,t){var n;super(e,t),gt(this,"code",void 0),this.name=this.constructor.name,null!=t&&t.code&&(this.code=null==t?void 0:t.code),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function Vt(e,t,n){return new Ft(e,{code:t,cause:n})}function Zt(e,t){if(function(e,t){if(!(e instanceof CryptoKey))throw xt("".concat(t," must be a CryptoKey"),Rt)}(e,t),"private"!==e.type)throw xt("".concat(t," must be a private CryptoKey"),Ot)}function qt(e){return null!==e&&"object"==typeof e&&!Array.isArray(e)}function Gt(e){Pt(e,Headers)&&(e=Object.fromEntries(e.entries()));const t=new Headers(null!=e?e:{});if(At&&!t.has("user-agent")&&t.set("user-agent",At),t.has("authorization"))throw xt('"options.headers" must not include the "authorization" header name',Ot);return t}function Bt(e,t){if(void 0!==t){if("function"==typeof t&&(t=t(e.href)),!(t instanceof AbortSignal))throw xt('"options.signal" must return or be an instance of AbortSignal',Rt);return t}}function Xt(e){return e.includes("//")?e.replace("//","/"):e}async function Yt(e,t){return async function(e,t,n,o){if(!(e instanceof URL))throw xt('"'.concat(t,'" must be an instance of URL'),Rt);hn(e,!0!==(null==o?void 0:o[It]));const r=n(new URL(e.href)),i=Gt(null==o?void 0:o.headers);return i.set("accept","application/json"),((null==o?void 0:o[Kt])||fetch)(r.href,{body:void 0,headers:Object.fromEntries(i.entries()),method:"GET",redirect:"manual",signal:Bt(r,null==o?void 0:o.signal)})}(e,"issuerIdentifier",(e=>{switch(null==t?void 0:t.algorithm){case void 0:case"oidc":!function(e,t){e.pathname=Xt("".concat(e.pathname,"/").concat(t))}(e,".well-known/openid-configuration");break;case"oauth2":!function(e,t){let n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];"/"===e.pathname?e.pathname=t:e.pathname=Xt("".concat(t,"/").concat(n?e.pathname:e.pathname.replace(/(\/)$/,"")))}(e,".well-known/oauth-authorization-server");break;default:throw xt('"options.algorithm" must be "oidc" (default), or "oauth2"',Ot)}return e}),t)}function Qt(e,t,n,o,r){try{if("number"!=typeof e||!Number.isFinite(e))throw xt("".concat(n," must be a number"),Rt,r);if(e>0)return;if(t){if(0!==e)throw xt("".concat(n," must be a non-negative number"),Ot,r);return}throw xt("".concat(n," must be a positive number"),Ot,r)}catch(e){if(o)throw Vt(e.message,o,r);throw e}}function $t(e,t,n,o){try{if("string"!=typeof e)throw xt("".concat(t," must be a string"),Rt,o);if(0===e.length)throw xt("".concat(t," must not be empty"),Ot,o)}catch(e){if(n)throw Vt(e.message,n,o);throw e}}function en(e){!function(e,t){if(En(e)!==t)throw function(e){let t='"response" content-type must be ';for(var n=arguments.length,o=new Array(n>1?n-1:0),r=1;r<n;r++)o[r-1]=arguments[r];if(o.length>2){const e=o.pop();t+="".concat(o.join(", "),", or ").concat(e)}else 2===o.length?t+="".concat(o[0]," or ").concat(o[1]):t+=o[0];return Vt(t,qn,e)}(e,t)}(e,"application/json")}function tn(){return Mt(crypto.getRandomValues(new Uint8Array(32)))}function nn(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"PS256";case"SHA-384":return"PS384";case"SHA-512":return"PS512";default:throw new Jt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"RSASSA-PKCS1-v1_5":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"RS256";case"SHA-384":return"RS384";case"SHA-512":return"RS512";default:throw new Jt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"ECDSA":return function(e){switch(e.algorithm.namedCurve){case"P-256":return"ES256";case"P-384":return"ES384";case"P-521":return"ES512";default:throw new Jt("unsupported EcKeyAlgorithm namedCurve",{cause:e})}}(e);case"Ed25519":case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return e.algorithm.name;case"EdDSA":return"Ed25519";default:throw new Jt("unsupported CryptoKey algorithm name",{cause:e})}}function on(e){const t=null==e?void 0:e[Ct];return"number"==typeof t&&Number.isFinite(t)?t:0}function rn(e){const t=null==e?void 0:e[jt];return"number"==typeof t&&Number.isFinite(t)&&-1!==Math.sign(t)?t:30}function an(){return Math.floor(Date.now()/1e3)}function sn(e){if("object"!=typeof e||null===e)throw xt('"as" must be an object',Rt);$t(e.issuer,'"as.issuer"')}function cn(e){if("object"!=typeof e||null===e)throw xt('"client" must be an object',Rt);$t(e.client_id,'"client.client_id"')}function un(e){return $t(e,'"clientSecret"'),(t,n,o,r)=>{o.set("client_id",n.client_id),o.set("client_secret",e)}}function ln(e,t){const{key:n,kid:o}=(r=e)instanceof CryptoKey?{key:r}:(null==r?void 0:r.key)instanceof CryptoKey?(void 0!==r.kid&&$t(r.kid,'"kid"'),{key:r.key,kid:r.kid}):{};var r;return Zt(n,'"clientPrivateKey.key"'),async(e,r,i,a)=>{var s;const c={alg:nn(n),kid:o},u=function(e,t){const n=an()+on(t);return{jti:tn(),aud:e.issuer,exp:n+60,iat:n,nbf:n,iss:t.client_id,sub:t.client_id}}(e,r);null==t||null===(s=t[Dt])||void 0===s||s.call(t,c,u),i.set("client_id",r.client_id),i.set("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),i.set("client_assertion",await async function(e,t,n){if(!n.usages.includes("sign"))throw xt('CryptoKey instances used for signing assertions must include "sign" in their "usages"',Ot);const o="".concat(Mt(Nt(JSON.stringify(e))),".").concat(Mt(Nt(JSON.stringify(t)))),r=Mt(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:ro(e)};case"RSA-PSS":switch(oo(e),e.algorithm.hash.name){case"SHA-256":case"SHA-384":case"SHA-512":return{name:e.algorithm.name,saltLength:parseInt(e.algorithm.hash.name.slice(-3),10)>>3};default:throw new Jt("unsupported RSA-PSS hash name",{cause:e})}case"RSASSA-PKCS1-v1_5":return oo(e),e.algorithm.name;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":case"Ed25519":return e.algorithm.name}throw new Jt("unsupported CryptoKey algorithm name",{cause:e})}(n),n,Nt(o)));return"".concat(o,".").concat(r)}(c,u,n))}}const dn=URL.parse?(e,t)=>URL.parse(e,t):(e,t)=>{try{return new URL(e,t)}catch(e){return null}};function hn(e,t){if(t&&"https:"!==e.protocol)throw Vt("only requests to HTTPS are allowed",Bn,e);if("https:"!==e.protocol&&"http:"!==e.protocol)throw Vt("only HTTP and HTTPS requests are allowed",Xn,e)}function pn(e,t,n,o){let r;if("string"!=typeof e||!(r=dn(e)))throw Vt("authorization server metadata does not contain a valid ".concat(n?'"as.mtls_endpoint_aliases.'.concat(t,'"'):'"as.'.concat(t,'"')),void 0===e?eo:to,{attribute:n?"mtls_endpoint_aliases.".concat(t):t});return hn(r,o),r}function fn(e,t,n,o){return n&&e.mtls_endpoint_aliases&&t in e.mtls_endpoint_aliases?pn(e.mtls_endpoint_aliases[t],t,n,o):pn(e[t],t,n,o)}class mn extends Error{constructor(e,t){var n;super(e,t),gt(this,"cause",void 0),gt(this,"code",void 0),gt(this,"error",void 0),gt(this,"status",void 0),gt(this,"error_description",void 0),gt(this,"response",void 0),this.name=this.constructor.name,this.code=Mn,this.cause=t.cause,this.error=t.cause.error,this.status=t.response.status,this.error_description=t.cause.error_description,Object.defineProperty(this,"response",{enumerable:!1,value:t.response}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class yn extends Error{constructor(e,t){var n,o;super(e,t),gt(this,"cause",void 0),gt(this,"code",void 0),gt(this,"error",void 0),gt(this,"error_description",void 0),this.name=this.constructor.name,this.code=Fn,this.cause=t.cause,this.error=t.cause.get("error"),this.error_description=null!==(n=t.cause.get("error_description"))&&void 0!==n?n:void 0,null===(o=Error.captureStackTrace)||void 0===o||o.call(Error,this,this.constructor)}}class wn extends Error{constructor(e,t){var n;super(e,t),gt(this,"cause",void 0),gt(this,"code",void 0),gt(this,"response",void 0),gt(this,"status",void 0),this.name=this.constructor.name,this.code=Hn,this.cause=t.cause,this.status=t.response.status,this.response=t.response,Object.defineProperty(this,"response",{enumerable:!1}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}const gn="[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+",vn=new RegExp("^[,\\s]*("+gn+")"),bn=new RegExp('^[,\\s]*([a-zA-Z0-9!#$%&\\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"[,\\s]*(.*)'),_n=new RegExp("^[,\\s]*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)[,\\s]*(.*)"),kn=new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");async function Sn(e,t,n){if(e.status!==t){let t;var o;if(function(e){let t;if(t=function(e){if(!Pt(e,Response))throw xt('"response" must be an instance of Response',Rt);const t=e.headers.get("www-authenticate");if(null===t)return;const n=[];let o=t;for(;o;){var r;let e=o.match(vn);const t=null===(r=e)||void 0===r?void 0:r[1].toLowerCase();if(!t)return;const i=o.substring(e[0].length);if(i&&!i.match(/^[\s,]/))return;const a=i.match(/^\s+(.*)$/),s=!!a;o=a?a[1]:void 0;const c={};let u;if(s)for(;o;){let t,n;if(e=o.match(bn)){if([,t,n,o]=e,n.includes("\\"))try{n=JSON.parse('"'.concat(n,'"'))}catch(e){}c[t.toLowerCase()]=n}else{if(!(e=o.match(_n))){if(e=o.match(kn)){if(Object.keys(c).length)break;[,u,o]=e;break}return}[,t,n,o]=e,c[t.toLowerCase()]=n}}else o=i||void 0;const l={scheme:t,parameters:c};u&&(l.token68=u),n.push(l)}return n.length?n:void 0}(e))throw new wn("server responded with a challenge in the WWW-Authenticate HTTP Header",{cause:t,response:e})}(e),t=await async function(e){if(e.status>399&&e.status<500){no(e),en(e);try{const t=await e.clone().json();if(qt(t)&&"string"==typeof t.error&&t.error.length)return t}catch(e){}}}(e))throw await(null===(o=e.body)||void 0===o?void 0:o.cancel()),new mn("server responded with an error in the response body",{cause:t,response:e});throw Vt('"response" is not a conform '.concat(n," response (unexpected HTTP status code)"),Gn,e)}}function Tn(e){if(!Kn.has(e))throw xt('"options.DPoP" is not a valid DPoPHandle',Ot)}function En(e){var t;return null===(t=e.headers.get("content-type"))||void 0===t?void 0:t.split(";")[0]}async function An(e,t,n,o,r,i,a){return await n(e,t,r,i),i.set("content-type","application/x-www-form-urlencoded;charset=UTF-8"),((null==a?void 0:a[Kt])||fetch)(o.href,{body:r,headers:Object.fromEntries(i.entries()),method:"POST",redirect:"manual",signal:Bt(o,null==a?void 0:a.signal)})}async function Pn(e,t,n,o,r,i){var a;const s=fn(e,"token_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==i?void 0:i[It]));r.set("grant_type",o);const c=Gt(null==i?void 0:i.headers);c.set("accept","application/json"),void 0!==(null==i?void 0:i.DPoP)&&(Tn(i.DPoP),await i.DPoP.addProof(s,c,"POST"));const u=await An(e,t,n,s,r,c,i);return null==i||null===(a=i.DPoP)||void 0===a||a.cacheNonce(u,s),u}const On=new WeakMap,Rn=new WeakMap;function xn(e){if(!e.id_token)return;const t=On.get(e);if(!t)throw xt('"ref" was already garbage collected or did not resolve from the proper sources',Ot);return t}async function In(e,t,n,o,r,i){if(sn(e),cn(t),!Pt(n,Response))throw xt('"response" must be an instance of Response',Rt);await Sn(n,200,"Token Endpoint"),no(n);const a=await ho(n);if($t(a.access_token,'"response" body "access_token" property',Zn,{body:a}),$t(a.token_type,'"response" body "token_type" property',Zn,{body:a}),a.token_type=a.token_type.toLowerCase(),void 0!==a.expires_in){let e="number"!=typeof a.expires_in?parseFloat(a.expires_in):a.expires_in;Qt(e,!0,'"response" body "expires_in" property',Zn,{body:a}),a.expires_in=e}if(void 0!==a.refresh_token&&$t(a.refresh_token,'"response" body "refresh_token" property',Zn,{body:a}),void 0!==a.scope&&"string"!=typeof a.scope)throw Vt('"response" body "scope" property must be a string',Zn,{body:a});if(void 0!==a.id_token){$t(a.id_token,'"response" body "id_token" property',Zn,{body:a});const i=["aud","exp","iat","iss","sub"];!0===t.require_auth_time&&i.push("auth_time"),void 0!==t.default_max_age&&(Qt(t.default_max_age,!0,'"client.default_max_age"'),i.push("auth_time")),null!=o&&o.length&&i.push(...o);const{claims:s,jwt:c}=await async function(e,t,n,o,r){let i,a,{0:s,1:c,length:u}=e.split(".");if(5===u){if(void 0===r)throw new Jt("JWE decryption is not configured",{cause:e});e=await r(e),({0:s,1:c,length:u}=e.split("."))}if(3!==u)throw Vt("Invalid JWT",Zn,e);try{i=JSON.parse(Nt(Mt(s)))}catch(e){throw Vt("failed to parse JWT Header body as base64url encoded JSON",Vn,e)}if(!qt(i))throw Vt("JWT Header must be a top level object",Zn,e);if(t(i),void 0!==i.crit)throw new Jt('no JWT "crit" header parameter extensions are supported',{cause:{header:i}});try{a=JSON.parse(Nt(Mt(c)))}catch(e){throw Vt("failed to parse JWT Payload body as base64url encoded JSON",Vn,e)}if(!qt(a))throw Vt("JWT Payload must be a top level object",Zn,e);const l=an()+n;if(void 0!==a.exp){if("number"!=typeof a.exp)throw Vt('unexpected JWT "exp" (expiration time) claim type',Zn,{claims:a});if(a.exp<=l-o)throw Vt('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp',Yn,{claims:a,now:l,tolerance:o,claim:"exp"})}if(void 0!==a.iat&&"number"!=typeof a.iat)throw Vt('unexpected JWT "iat" (issued at) claim type',Zn,{claims:a});if(void 0!==a.iss&&"string"!=typeof a.iss)throw Vt('unexpected JWT "iss" (issuer) claim type',Zn,{claims:a});if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw Vt('unexpected JWT "nbf" (not before) claim type',Zn,{claims:a});if(a.nbf>l+o)throw Vt('unexpected JWT "nbf" (not before) claim value',Yn,{claims:a,now:l,tolerance:o,claim:"nbf"})}if(void 0!==a.aud&&"string"!=typeof a.aud&&!Array.isArray(a.aud))throw Vt('unexpected JWT "aud" (audience) claim type',Zn,{claims:a});return{header:i,claims:a,jwt:e}}(a.id_token,ao.bind(void 0,t.id_token_signed_response_alg,e.id_token_signing_alg_values_supported,"RS256"),on(t),rn(t),r).then(Wn.bind(void 0,i)).then(jn.bind(void 0,e)).then(Cn.bind(void 0,t.client_id));if(Array.isArray(s.aud)&&1!==s.aud.length){if(void 0===s.azp)throw Vt('ID Token "aud" (audience) claim includes additional untrusted audiences',Qn,{claims:s,claim:"aud"});if(s.azp!==t.client_id)throw Vt('unexpected ID Token "azp" (authorized party) claim value',Qn,{expected:t.client_id,claims:s,claim:"azp"})}void 0!==s.auth_time&&Qt(s.auth_time,!0,'ID Token "auth_time" (authentication time)',Zn,{claims:s}),Rn.set(n,c),On.set(a,s)}if(void 0!==(null==i?void 0:i[a.token_type]))i[a.token_type](n,a);else if("dpop"!==a.token_type&&"bearer"!==a.token_type)throw new Jt("unsupported `token_type` value",{cause:{body:a}});return a}function Cn(e,t){if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e))throw Vt('unexpected JWT "aud" (audience) claim value',Qn,{expected:e,claims:t.claims,claim:"aud"})}else if(t.claims.aud!==e)throw Vt('unexpected JWT "aud" (audience) claim value',Qn,{expected:e,claims:t.claims,claim:"aud"});return t}function jn(e,t){var n,o;const r=null!==(n=null===(o=e[fo])||void 0===o?void 0:o.call(e,t))&&void 0!==n?n:e.issuer;if(t.claims.iss!==r)throw Vt('unexpected JWT "iss" (issuer) claim value',Qn,{expected:r,claims:t.claims,claim:"iss"});return t}const Kn=new WeakSet;const Dn=Symbol();const Un={aud:"audience",c_hash:"code hash",client_id:"client id",exp:"expiration time",iat:"issued at",iss:"issuer",jti:"jwt id",nonce:"nonce",s_hash:"state hash",sub:"subject",ath:"access token hash",htm:"http method",htu:"http uri",cnf:"confirmation",auth_time:"authentication time"};function Wn(e,t){for(const n of e)if(void 0===t.claims[n])throw Vt('JWT "'.concat(n,'" (').concat(Un[n],") claim missing"),Zn,{claims:t.claims});return t}const Ln=Symbol(),Nn=Symbol();async function zn(e,t,n,o){return"string"==typeof(null==o?void 0:o.expectedNonce)||"number"==typeof(null==o?void 0:o.maxAge)||null!=o&&o.requireIdToken?async function(e,t,n,o,r,i,a){const s=[];switch(o){case void 0:o=Ln;break;case Ln:break;default:$t(o,'"expectedNonce" argument'),s.push("nonce")}switch(null!=r||(r=t.default_max_age),r){case void 0:r=Nn;break;case Nn:break;default:Qt(r,!0,'"maxAge" argument'),s.push("auth_time")}const c=await In(e,t,n,s,i,a);$t(c.id_token,'"response" body "id_token" property',Zn,{body:c});const u=xn(c);if(r!==Nn){const e=an()+on(t),n=rn(t);if(u.auth_time+r<e-n)throw Vt("too much time has elapsed since the last End-User authentication",Yn,{claims:u,now:e,tolerance:n,claim:"auth_time"})}if(o===Ln){if(void 0!==u.nonce)throw Vt('unexpected ID Token "nonce" claim value',Qn,{expected:void 0,claims:u,claim:"nonce"})}else if(u.nonce!==o)throw Vt('unexpected ID Token "nonce" claim value',Qn,{expected:o,claims:u,claim:"nonce"});return c}(e,t,n,o.expectedNonce,o.maxAge,o[Ut],o.recognizedTokenTypes):async function(e,t,n,o,r){const i=await In(e,t,n,void 0,o,r),a=xn(i);if(a){if(void 0!==t.default_max_age){Qt(t.default_max_age,!0,'"client.default_max_age"');const e=an()+on(t),n=rn(t);if(a.auth_time+t.default_max_age<e-n)throw Vt("too much time has elapsed since the last End-User authentication",Yn,{claims:a,now:e,tolerance:n,claim:"auth_time"})}if(void 0!==a.nonce)throw Vt('unexpected ID Token "nonce" claim value',Qn,{expected:void 0,claims:a,claim:"nonce"})}return i}(e,t,n,null==o?void 0:o[Ut],null==o?void 0:o.recognizedTokenTypes)}const Hn="OAUTH_WWW_AUTHENTICATE_CHALLENGE",Mn="OAUTH_RESPONSE_BODY_ERROR",Jn="OAUTH_UNSUPPORTED_OPERATION",Fn="OAUTH_AUTHORIZATION_RESPONSE_ERROR",Vn="OAUTH_PARSE_ERROR",Zn="OAUTH_INVALID_RESPONSE",qn="OAUTH_RESPONSE_IS_NOT_JSON",Gn="OAUTH_RESPONSE_IS_NOT_CONFORM",Bn="OAUTH_HTTP_REQUEST_FORBIDDEN",Xn="OAUTH_REQUEST_PROTOCOL_FORBIDDEN",Yn="OAUTH_JWT_TIMESTAMP_CHECK_FAILED",Qn="OAUTH_JWT_CLAIM_COMPARISON_FAILED",$n="OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED",eo="OAUTH_MISSING_SERVER_METADATA",to="OAUTH_INVALID_SERVER_METADATA";function no(e){if(e.bodyUsed)throw xt('"response" body has been used already',Ot)}function oo(e){const{algorithm:t}=e;if("number"!=typeof t.modulusLength||t.modulusLength<2048)throw new Jt("unsupported ".concat(t.name," modulusLength"),{cause:e})}function ro(e){const{algorithm:t}=e;switch(t.namedCurve){case"P-256":return"SHA-256";case"P-384":return"SHA-384";case"P-521":return"SHA-512";default:throw new Jt("unsupported ECDSA namedCurve",{cause:e})}}async function io(e){if("POST"!==e.method)throw xt("form_post responses are expected to use the POST method",Ot,{cause:e});if("application/x-www-form-urlencoded"!==En(e))throw xt("form_post responses are expected to use the application/x-www-form-urlencoded content-type",Ot,{cause:e});return async function(e){if(e.bodyUsed)throw xt("form_post Request instances must contain a readable body",Ot,{cause:e});return e.text()}(e)}function ao(e,t,n,o){if(void 0===e)if(Array.isArray(t)){if(!t.includes(o.alg))throw Vt('unexpected JWT "alg" header parameter',Zn,{header:o,expected:t,reason:"authorization server metadata"})}else{if(void 0===n)throw Vt('missing client or server configuration to verify used JWT "alg" header parameter',void 0,{client:e,issuer:t,fallback:n});if("string"==typeof n?o.alg!==n:"function"==typeof n?!n(o.alg):!n.includes(o.alg))throw Vt('unexpected JWT "alg" header parameter',Zn,{header:o,expected:n,reason:"default value"})}else if("string"==typeof e?o.alg!==e:!e.includes(o.alg))throw Vt('unexpected JWT "alg" header parameter',Zn,{header:o,expected:e,reason:"client configuration"})}function so(e,t){const{0:n,length:o}=e.getAll(t);if(o>1)throw Vt('"'.concat(t,'" parameter must be provided only once'),Zn);return n}const co=Symbol(),uo=Symbol();function lo(e,t,n,o){if(sn(e),cn(t),n instanceof URL&&(n=n.searchParams),!(n instanceof URLSearchParams))throw xt('"parameters" must be an instance of URLSearchParams, or URL',Rt);if(so(n,"response"))throw Vt('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()',Zn,{parameters:n});const r=so(n,"iss"),i=so(n,"state");if(!r&&e.authorization_response_iss_parameter_supported)throw Vt('response parameter "iss" (issuer) missing',Zn,{parameters:n});if(r&&r!==e.issuer)throw Vt('unexpected "iss" (issuer) response parameter value',Zn,{expected:e.issuer,parameters:n});switch(o){case void 0:case uo:if(void 0!==i)throw Vt('unexpected "state" response parameter encountered',Zn,{expected:void 0,parameters:n});break;case co:break;default:if($t(o,'"expectedState" argument'),i!==o)throw Vt(void 0===i?'response parameter "state" missing':'unexpected "state" response parameter value',Zn,{expected:o,parameters:n})}if(so(n,"error"))throw new yn("authorization response from the server is an error",{cause:n});const a=so(n,"id_token"),s=so(n,"token");if(void 0!==a||void 0!==s)throw new Jt("implicit and hybrid flows are not supported");return c=new URLSearchParams(n),Kn.add(c),c;var c}async function ho(e){let t,n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:en;try{t=await e.json()}catch(t){throw n(e),Vt('failed to parse "response" body as JSON',Vn,t)}if(!qt(t))throw Vt('"response" body must be a top level object',Zn,{body:t});return t}const po=Symbol(),fo=Symbol(),mo=new TextEncoder,yo=new TextDecoder;function wo(e){const t=new Uint8Array(e.length);for(let n=0;n<e.length;n++){const o=e.charCodeAt(n);if(o>127)throw new TypeError("non-ASCII string encountered in encode()");t[n]=o}return t}function go(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);const t=atob(e),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}function vo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64("string"==typeof e?e:yo.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=yo.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return go(t)}catch(e){throw new TypeError("The input to be decoded is not correctly encoded.")}}class bo extends Error{constructor(e,t){var n;super(e,t),gt(this,"code","ERR_JOSE_GENERIC"),this.name=this.constructor.name,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}gt(bo,"code","ERR_JOSE_GENERIC");class _o extends bo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),gt(this,"code","ERR_JWT_CLAIM_VALIDATION_FAILED"),gt(this,"claim",void 0),gt(this,"reason",void 0),gt(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}gt(_o,"code","ERR_JWT_CLAIM_VALIDATION_FAILED");class ko extends bo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),gt(this,"code","ERR_JWT_EXPIRED"),gt(this,"claim",void 0),gt(this,"reason",void 0),gt(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}gt(ko,"code","ERR_JWT_EXPIRED");class So extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JOSE_ALG_NOT_ALLOWED")}}gt(So,"code","ERR_JOSE_ALG_NOT_ALLOWED");class To extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JOSE_NOT_SUPPORTED")}}gt(To,"code","ERR_JOSE_NOT_SUPPORTED");gt(class extends bo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"decryption operation failed",arguments.length>1?arguments[1]:void 0),gt(this,"code","ERR_JWE_DECRYPTION_FAILED")}},"code","ERR_JWE_DECRYPTION_FAILED");gt(class extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JWE_INVALID")}},"code","ERR_JWE_INVALID");class Eo extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JWS_INVALID")}}gt(Eo,"code","ERR_JWS_INVALID");class Ao extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JWT_INVALID")}}gt(Ao,"code","ERR_JWT_INVALID");gt(class extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JWK_INVALID")}},"code","ERR_JWK_INVALID");class Po extends bo{constructor(){super(...arguments),gt(this,"code","ERR_JWKS_INVALID")}}gt(Po,"code","ERR_JWKS_INVALID");class Oo extends bo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"no applicable key found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),gt(this,"code","ERR_JWKS_NO_MATCHING_KEY")}}gt(Oo,"code","ERR_JWKS_NO_MATCHING_KEY");class Ro extends bo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"multiple matching keys found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),gt(this,Symbol.asyncIterator,void 0),gt(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS")}}gt(Ro,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");class xo extends bo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"request timed out",arguments.length>1?arguments[1]:void 0),gt(this,"code","ERR_JWKS_TIMEOUT")}}gt(xo,"code","ERR_JWKS_TIMEOUT");class Io extends bo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"signature verification failed",arguments.length>1?arguments[1]:void 0),gt(this,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED")}}gt(Io,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");const Co=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"algorithm.name";return new TypeError("CryptoKey does not support this operation, its ".concat(t," must be ").concat(e))},jo=(e,t)=>e.name===t;function Ko(e){return parseInt(e.name.slice(4),10)}function Do(e,t,n){switch(t){case"HS256":case"HS384":case"HS512":{if(!jo(e.algorithm,"HMAC"))throw Co("HMAC");const n=parseInt(t.slice(2),10);if(Ko(e.algorithm.hash)!==n)throw Co("SHA-".concat(n),"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!jo(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Co("RSASSA-PKCS1-v1_5");const n=parseInt(t.slice(2),10);if(Ko(e.algorithm.hash)!==n)throw Co("SHA-".concat(n),"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!jo(e.algorithm,"RSA-PSS"))throw Co("RSA-PSS");const n=parseInt(t.slice(2),10);if(Ko(e.algorithm.hash)!==n)throw Co("SHA-".concat(n),"algorithm.hash");break}case"Ed25519":case"EdDSA":if(!jo(e.algorithm,"Ed25519"))throw Co("Ed25519");break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":if(!jo(e.algorithm,t))throw Co(t);break;case"ES256":case"ES384":case"ES512":{if(!jo(e.algorithm,"ECDSA"))throw Co("ECDSA");const n=function(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==n)throw Co(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}!function(e,t){if(t&&!e.usages.includes(t))throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t,"."))}(e,n)}function Uo(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if((o=o.filter(Boolean)).length>2){const t=o.pop();e+="one of type ".concat(o.join(", "),", or ").concat(t,".")}else 2===o.length?e+="one of type ".concat(o[0]," or ").concat(o[1],"."):e+="of type ".concat(o[0],".");if(null==t)e+=" Received ".concat(t);else if("function"==typeof t&&t.name)e+=" Received function ".concat(t.name);else if("object"==typeof t&&null!=t){var i;null!==(i=t.constructor)&&void 0!==i&&i.name&&(e+=" Received an instance of ".concat(t.constructor.name))}return e}const Wo=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];return Uo("Key for the ".concat(e," algorithm must be "),t,...o)},Lo=e=>{if("CryptoKey"===(null==e?void 0:e[Symbol.toStringTag]))return!0;try{return e instanceof CryptoKey}catch(e){return!1}},No=e=>"KeyObject"===(null==e?void 0:e[Symbol.toStringTag]),zo=e=>Lo(e)||No(e);function Ho(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return!1;var t;if(null===Object.getPrototypeOf(e))return!0;let n=e;for(;null!==Object.getPrototypeOf(n);)n=Object.getPrototypeOf(n);return Object.getPrototypeOf(e)===n}const Mo=(e,t)=>{if(e.byteLength!==t.length)return!1;for(let n=0;n<e.byteLength;n++)if(e[n]!==t[n])return!1;return!0},Jo=e=>{const t=e.data[e.pos++];if(128&t){const n=127&t;let o=0;for(let t=0;t<n;t++)o=o<<8|e.data[e.pos++];return o}return t},Fo=(e,t,n)=>{if(e.data[e.pos++]!==t)throw new Error(n)},Vo=(e,t)=>{const n=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,n};const Zo=e=>{const t=(e=>{Fo(e,6,"Expected algorithm OID");const t=Jo(e);return Vo(e,t)})(e);if(Mo(t,[43,101,110]))return"X25519";if(!Mo(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");Fo(e,6,"Expected curve OID");const n=Jo(e),o=Vo(e,n);for(const{name:e,oid:t}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(Mo(o,t))return e;throw new Error("Unsupported named curve")},qo=async(e,t,n,o)=>{var r;let i,a;const s="spki"===e,c=()=>s?["verify"]:["sign"];switch(n){case"PS256":case"PS384":case"PS512":i={name:"RSA-PSS",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RS256":case"RS384":case"RS512":i={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":i={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(n.slice(-3),10)||1)},a=s?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":case"ES384":case"ES512":i={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[n]},a=c();break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":try{const e=o.getNamedCurve(t);i="X25519"===e?{name:"X25519"}:{name:"ECDH",namedCurve:e}}catch(e){throw new To("Invalid or unsupported key format")}a=s?[]:["deriveBits"];break;case"Ed25519":case"EdDSA":i={name:"Ed25519"},a=c();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":i={name:n},a=c();break;default:throw new To('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,i,null!==(r=null==o?void 0:o.extractable)&&void 0!==r?r:!!s,a)},Go=(e,t,n)=>{var o;const r=((e,t)=>go(e.replace(t,"")))(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);let i=n;return null!=t&&null!==(o=t.startsWith)&&void 0!==o&&o.call(t,"ECDH-ES")&&(i||(i={}),i.getNamedCurve=e=>{const t={data:e,pos:0};return function(e){Fo(e,48,"Invalid PKCS#8 structure"),Jo(e),Fo(e,2,"Expected version field");const t=Jo(e);e.pos+=t,Fo(e,48,"Expected algorithm identifier");const n=Jo(e);e.pos}(t),Zo(t)}),qo("pkcs8",r,t,i)};async function Bo(e){var t,n;if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:o,keyUsages:r}=function(e){let t,n;switch(e.kty){case"AKP":switch(e.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":t={name:e.alg},n=e.priv?["sign"]:["verify"];break;default:throw new To('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case"RSA":switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(e.alg.slice(-3),10)||1)},n=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new To('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case"EC":switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},n=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},n=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new To('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case"OKP":switch(e.alg){case"Ed25519":case"EdDSA":t={name:"Ed25519"},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new To('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;default:throw new To('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:n}}(e),i=bt({},e);return"AKP"!==i.kty&&delete i.alg,delete i.use,crypto.subtle.importKey("jwk",i,o,null!==(t=e.ext)&&void 0!==t?t:!e.d&&!e.priv,null!==(n=e.key_ops)&&void 0!==n?n:r)}const Xo=e=>Ho(e)&&"string"==typeof e.kty;let Yo;const Qo=async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]&&arguments[3];Yo||(Yo=new WeakMap);let r=Yo.get(e);if(null!=r&&r[n])return r[n];const i=await Bo(bt(bt({},t),{},{alg:n}));return o&&Object.freeze(e),r?r[n]=i:Yo.set(e,{[n]:i}),i};async function $o(e,t){if(e instanceof Uint8Array)return e;if(Lo(e))return e;if(No(e)){if("secret"===e.type)return e.export();if("toCryptoKey"in e&&"function"==typeof e.toCryptoKey)try{return((e,t)=>{Yo||(Yo=new WeakMap);let n=Yo.get(e);if(null!=n&&n[t])return n[t];const o="public"===e.type,r=!!o;let i;if("x25519"===e.asymmetricKeyType){switch(t){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}i=e.toCryptoKey(e.asymmetricKeyType,r,o?[]:["deriveBits"])}if("ed25519"===e.asymmetricKeyType){if("EdDSA"!==t&&"Ed25519"!==t)throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}switch(e.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}if("rsa"===e.asymmetricKeyType){let n;switch(t){case"RSA-OAEP":n="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":n="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":n="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":n="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:n},r,o?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:n},r,[o?"verify":"sign"])}if("ec"===e.asymmetricKeyType){var a;const n=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(null===(a=e.asymmetricKeyDetails)||void 0===a?void 0:a.namedCurve);if(!n)throw new TypeError("given KeyObject instance cannot be used for this algorithm");"ES256"===t&&"P-256"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES384"===t&&"P-384"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES512"===t&&"P-521"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:n},r,o?[]:["deriveBits"]))}if(!i)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return n?n[t]=i:Yo.set(e,{[t]:i}),i})(e,t)}catch(e){if(e instanceof TypeError)throw e}let n=e.export({format:"jwk"});return Qo(e,n,t)}if(Xo(e))return e.k?vo(e.k):Qo(e,e,t,!0);throw new Error("unreachable")}const er=e=>null==e?void 0:e[Symbol.toStringTag],tr=(e,t,n)=>{if(void 0!==t.use){let e;switch(n){case"sign":case"verify":e="sig";break;case"encrypt":case"decrypt":e="enc"}if(t.use!==e)throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e,'" when present'))}if(void 0!==t.alg&&t.alg!==e)throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e,'" when present'));if(Array.isArray(t.key_ops)){var o,r;let i;switch(!0){case"sign"===n||"verify"===n:case"dir"===e:case e.includes("CBC-HS"):i=n;break;case e.startsWith("PBES2"):i="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(e):i=!e.includes("GCM")&&e.endsWith("KW")?"encrypt"===n?"wrapKey":"unwrapKey":n;break;case"encrypt"===n&&e.startsWith("RSA"):i="wrapKey";break;case"decrypt"===n:i=e.startsWith("RSA")?"unwrapKey":"deriveBits"}if(i&&!1===(null===(o=t.key_ops)||void 0===o||null===(r=o.includes)||void 0===r?void 0:r.call(o,i)))throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i,'" when present'))}return!0};function nr(e,t,n){switch(e.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":((e,t,n)=>{if(!(t instanceof Uint8Array)){if(Xo(t)){if((e=>"oct"===e.kty&&"string"==typeof e.k)(t)&&tr(e,t,n))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!zo(t))throw new TypeError(Wo(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if("secret"!==t.type)throw new TypeError("".concat(er(t),' instances for symmetric algorithms must be of type "secret"'))}})(e,t,n);break;default:((e,t,n)=>{if(Xo(t))switch(n){case"decrypt":case"sign":if((e=>"oct"!==e.kty&&("AKP"===e.kty&&"string"==typeof e.priv||"string"==typeof e.d))(t)&&tr(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if((e=>"oct"!==e.kty&&void 0===e.d&&void 0===e.priv)(t)&&tr(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!zo(t))throw new TypeError(Wo(e,t,"CryptoKey","KeyObject","JSON Web Key"));if("secret"===t.type)throw new TypeError("".concat(er(t),' instances for asymmetric algorithms must not be of type "secret"'));if("public"===t.type)switch(n){case"sign":throw new TypeError("".concat(er(t),' instances for asymmetric algorithm signing must be of type "private"'));case"decrypt":throw new TypeError("".concat(er(t),' instances for asymmetric algorithm decryption must be of type "private"'))}if("private"===t.type)switch(n){case"verify":throw new TypeError("".concat(er(t),' instances for asymmetric algorithm verifying must be of type "public"'));case"encrypt":throw new TypeError("".concat(er(t),' instances for asymmetric algorithm encryption must be of type "public"'))}})(e,t,n)}}var or,rr;let ir,ar;if("undefined"==typeof navigator||null===(or=navigator.userAgent)||void 0===or||null===(rr=or.startsWith)||void 0===rr||!rr.call(or,"Mozilla/5.0 ")){const e="v6.8.1";ar="".concat("openid-client","/").concat(e),ir={"user-agent":ar}}const sr=e=>cr.get(e);let cr,ur;function lr(e){return void 0!==e?un(e):(ur||(ur=new WeakMap),(e,t,n,o)=>{let r;return(r=ur.get(t))||(!function(e,t){if("string"!=typeof e)throw fr("".concat(t," must be a string"),pr);if(0===e.length)throw fr("".concat(t," must not be empty"),hr)}(t.client_secret,'"metadata.client_secret"'),r=un(t.client_secret),ur.set(t,r)),r(e,t,n,o)})}const dr=Kt,hr="ERR_INVALID_ARG_VALUE",pr="ERR_INVALID_ARG_TYPE";function fr(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}function mr(e){return async function(e){return $t(e,"codeVerifier"),Mt(await crypto.subtle.digest("SHA-256",Nt(e)))}(e)}function yr(){return tn()}class wr extends Error{constructor(e,t){var n;super(e,t),gt(this,"code",void 0),this.name=this.constructor.name,this.code=null==t?void 0:t.code,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function gr(e,t,n){return new wr(e,{cause:t,code:n})}function vr(e){if(e instanceof TypeError||e instanceof wr||e instanceof mn||e instanceof yn||e instanceof wn)throw e;if(e instanceof Ft)switch(e.code){case Bn:throw gr("only requests to HTTPS are allowed",e,e.code);case Xn:throw gr("only requests to HTTP or HTTPS are allowed",e,e.code);case Gn:throw gr("unexpected HTTP response status code",e.cause,e.code);case qn:throw gr("unexpected response content-type",e.cause,e.code);case Vn:throw gr("parsing error occured",e,e.code);case Zn:throw gr("invalid response encountered",e,e.code);case Qn:throw gr("unexpected JWT claim value encountered",e,e.code);case $n:throw gr("unexpected JSON attribute value encountered",e,e.code);case Yn:throw gr("JWT timestamp claim value failed validation",e,e.code);default:throw gr(e.message,e,e.code)}if(e instanceof Jt)throw gr("unsupported operation",e,e.code);if(e instanceof DOMException)switch(e.name){case"OperationError":throw gr("runtime operation error",e,Jn);case"NotSupportedError":throw gr("runtime unsupported operation",e,Jn);case"TimeoutError":throw gr("operation timed out",e,"OAUTH_TIMEOUT");case"AbortError":throw gr("operation aborted",e,"OAUTH_ABORT")}throw new wr("something went wrong",{cause:e})}async function br(e,t,n,o,r){const i=await async function(e,t){var n,o;if(!(e instanceof URL))throw fr('"server" must be an instance of URL',pr);const r=!e.href.includes("/.well-known/"),i=null!==(n=null==t?void 0:t.timeout)&&void 0!==n?n:30,a=AbortSignal.timeout(1e3*i),s=await(r?Yt(e,{algorithm:null==t?void 0:t.algorithm,[Kt]:null==t?void 0:t[dr],[It]:null==t||null===(o=t.execute)||void 0===o?void 0:o.includes(Or),signal:a,headers:new Headers(ir)}):((null==t?void 0:t[dr])||fetch)((hn(e,null==t||null===(c=t.execute)||void 0===c||!c.includes(Or)),e.href),{headers:Object.fromEntries(new Headers(bt({accept:"application/json"},ir)).entries()),body:void 0,method:"GET",redirect:"manual",signal:a})).then((e=>async function(e,t){const n=e;if(!(n instanceof URL)&&n!==po)throw xt('"expectedIssuerIdentifier" must be an instance of URL',Rt);if(!Pt(t,Response))throw xt('"response" must be an instance of Response',Rt);if(200!==t.status)throw Vt('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)',Gn,t);no(t);const o=await ho(t);if($t(o.issuer,'"response" body "issuer" property',Zn,{body:o}),n!==po&&new URL(o.issuer).href!==n.href)throw Vt('"response" body "issuer" property does not match the expected value',$n,{expected:n.href,body:o,attribute:"issuer"});return o}(po,e))).catch(vr);var c;r&&new URL(s.issuer).href!==e.href&&(function(e,t,n){return!("https://login.microsoftonline.com"!==e.origin||null!=n&&n.algorithm&&"oidc"!==n.algorithm||(t[_r]=!0,0))}(e,s,t)||function(e,t){return!(!e.hostname.endsWith(".b2clogin.com")||null!=t&&t.algorithm&&"oidc"!==t.algorithm)}(e,t)||(()=>{throw new wr("discovered metadata issuer does not match the expected issuer",{code:$n,cause:{expected:e.href,body:s,attribute:"issuer"}})})());return s}(e,r),a=new kr(i,t,n,o);let s=sr(a);if(null!=r&&r[dr]&&(s.fetch=r[dr]),null!=r&&r.timeout&&(s.timeout=r.timeout),null!=r&&r.execute)for(const e of r.execute)e(a);return a}new TextDecoder;const _r=Symbol();class kr{constructor(e,t,n,o){var r,i,a,s,c;if("string"!=typeof t||!t.length)throw fr('"clientId" must be a non-empty string',pr);if("string"==typeof n&&(n={client_secret:n}),void 0!==(null===(r=n)||void 0===r?void 0:r.client_id)&&t!==n.client_id)throw fr('"clientId" and "metadata.client_id" must be the same',hr);const u=bt(bt({},structuredClone(n)),{},{client_id:t});let l;u[Ct]=null!==(i=null===(a=n)||void 0===a?void 0:a[Ct])&&void 0!==i?i:0,u[jt]=null!==(s=null===(c=n)||void 0===c?void 0:c[jt])&&void 0!==s?s:30,l=o||("string"==typeof u.client_secret&&u.client_secret.length?lr(u.client_secret):(e,t,n,o)=>{n.set("client_id",t.client_id)});let d=Object.freeze(u);const h=structuredClone(e);_r in e&&(h[fo]=t=>{let{claims:{tid:n}}=t;return e.issuer.replace("{tenantid}",n)});let p=Object.freeze(h);cr||(cr=new WeakMap),cr.set(this,{__proto__:null,as:p,c:d,auth:l,tlsOnly:!0,jwksCache:{}})}serverMetadata(){const e=structuredClone(sr(this).as);return function(e){Object.defineProperties(e,function(e){return{supportsPKCE:{__proto__:null,value(){var t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"S256";return!0===(null===(t=e.code_challenge_methods_supported)||void 0===t?void 0:t.includes(n))}}}}(e))}(e),e}clientMetadata(){return structuredClone(sr(this).c)}get timeout(){return sr(this).timeout}set timeout(e){sr(this).timeout=e}get[dr](){return sr(this).fetch}set[dr](e){sr(this).fetch=e}}function Sr(e){Object.defineProperties(e,function(e){let t;if(void 0!==e.expires_in){const n=new Date;n.setSeconds(n.getSeconds()+e.expires_in),t=n.getTime()}return{expiresIn:{__proto__:null,value(){if(t){const e=Date.now();return t>e?Math.floor((t-e)/1e3):0}}},claims:{__proto__:null,value(){try{return xn(this)}catch(e){return}}}}}(e))}async function Tr(e,t,n){var o;let r=arguments.length>3&&void 0!==arguments[3]&&arguments[3];const i=null===(o=e.headers.get("retry-after"))||void 0===o?void 0:o.trim();if(void 0===i)return;let a;if(/^\d+$/.test(i))a=parseInt(i,10);else{const e=new Date(i);if(Number.isFinite(e.getTime())){const t=new Date,n=e.getTime()-t.getTime();n>0&&(a=Math.ceil(n/1e3))}}if(r&&!Number.isFinite(a))throw new Ft("invalid Retry-After header value",{cause:e});a>t&&await Er(a-t,n)}function Er(e,t){return new Promise(((n,o)=>{const r=e=>{try{t.throwIfAborted()}catch(e){return void o(e)}if(e<=0)return void n();const i=Math.min(e,5);setTimeout((()=>r(e-i)),1e3*i)};r(e)}))}async function Ar(e,t){Kr(e);const{as:n,c:o,auth:r,fetch:i,tlsOnly:a,timeout:s}=sr(e);return async function(e,t,n,o,r){sn(e),cn(t);const i=fn(e,"backchannel_authentication_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[It])),a=new URLSearchParams(o);a.set("client_id",t.client_id);const s=Gt(null==r?void 0:r.headers);return s.set("accept","application/json"),An(e,t,n,i,a,s,r)}(n,o,r,t,{[Kt]:i,[It]:!a,headers:new Headers(ir),signal:Dr(s)}).then((e=>async function(e,t,n){if(sn(e),cn(t),!Pt(n,Response))throw xt('"response" must be an instance of Response',Rt);await Sn(n,200,"Backchannel Authentication Endpoint"),no(n);const o=await ho(n);$t(o.auth_req_id,'"response" body "auth_req_id" property',Zn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Qt(r,!0,'"response" body "expires_in" property',Zn,{body:o}),o.expires_in=r,void 0!==o.interval&&Qt(o.interval,!1,'"response" body "interval" property',Zn,{body:o}),o}(n,o,e))).catch(vr)}async function Pr(e,t,n,o){var r,i;Kr(e),n=new URLSearchParams(n);let a=null!==(r=t.interval)&&void 0!==r?r:5;const s=null!==(i=null==o?void 0:o.signal)&&void 0!==i?i:AbortSignal.timeout(1e3*t.expires_in);try{await Er(a,s)}catch(e){vr(e)}const{as:c,c:u,auth:l,fetch:d,tlsOnly:h,nonRepudiation:p,timeout:f,decrypt:m}=sr(e),y=(r,i)=>Pr(e,bt(bt({},t),{},{interval:r}),n,bt(bt({},o),{},{signal:s,flag:i})),w=await async function(e,t,n,o,r){sn(e),cn(t),$t(o,'"authReqId"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("auth_req_id",o),Pn(e,t,n,"urn:openid:params:grant-type:ciba",i,r)}(c,u,l,t.auth_req_id,{[Kt]:d,[It]:!h,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(ir),signal:s.aborted?s:Dr(f)}).catch(vr);var g;if(503===w.status&&w.headers.has("retry-after"))return await Tr(w,a,s,!0),await(null===(g=w.body)||void 0===g?void 0:g.cancel()),y(a);const v=async function(e,t,n,o){return In(e,t,n,void 0,null==o?void 0:o[Ut],null==o?void 0:o.recognizedTokenTypes)}(c,u,w,{[Ut]:m});let b;try{b=await v}catch(e){if(Ur(e,o))return y(a,Wr);if(e instanceof mn)switch(e.error){case"slow_down":a+=5;case"authorization_pending":return await Tr(e.response,a,s),y(a)}vr(e)}return b.id_token&&await(null==p?void 0:p(w)),Sr(b),b}function Or(e){sr(e).tlsOnly=!1}async function Rr(e,t,n,o,r){if(Kr(e),!((null==r?void 0:r.flag)===Wr||t instanceof URL||function(e,t){try{return Object.getPrototypeOf(e)[Symbol.toStringTag]===t}catch(e){return!1}}(t,"Request")))throw fr('"currentUrl" must be an instance of URL, or Request',pr);let i,a;const{as:s,c:c,auth:u,fetch:l,tlsOnly:d,jarm:h,hybrid:p,nonRepudiation:f,timeout:m,decrypt:y,implicit:w}=sr(e);if((null==r?void 0:r.flag)===Wr)i=r.authResponse,a=r.redirectUri;else{if(!(t instanceof URL)){const e=t;switch(t=new URL(t.url),e.method){case"GET":break;case"POST":const n=new URLSearchParams(await io(e));if(p)t.hash=n.toString();else for(const[e,o]of n.entries())t.searchParams.append(e,o);break;default:throw fr("unexpected Request HTTP method",hr)}}switch(a=function(e){return(e=new URL(e)).search="",e.hash="",e.href}(t),!0){case!!h:i=await h(t,null==n?void 0:n.expectedState);break;case!!p:i=await p(t,null==n?void 0:n.expectedNonce,null==n?void 0:n.expectedState,null==n?void 0:n.maxAge);break;case!!w:throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");default:try{i=lo(s,c,t.searchParams,null==n?void 0:n.expectedState)}catch(e){vr(e)}}}const g=await async function(e,t,n,o,r,i,a){if(sn(e),cn(t),!Kn.has(o))throw xt('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()',Ot);$t(r,'"redirectUri"');const s=so(o,"code");if(!s)throw Vt('no authorization code in "callbackParameters"',Zn);const c=new URLSearchParams(null==a?void 0:a.additionalParameters);return c.set("redirect_uri",r),c.set("code",s),i!==Dn&&($t(i,'"codeVerifier"'),c.set("code_verifier",i)),Pn(e,t,n,"authorization_code",c,a)}(s,c,u,i,a,(null==n?void 0:n.pkceCodeVerifier)||Dn,{additionalParameters:o,[Kt]:l,[It]:!d,DPoP:null==r?void 0:r.DPoP,headers:new Headers(ir),signal:Dr(m)}).catch(vr);"string"!=typeof(null==n?void 0:n.expectedNonce)&&"number"!=typeof(null==n?void 0:n.maxAge)||(n.idTokenExpected=!0);const v=zn(s,c,g,{expectedNonce:null==n?void 0:n.expectedNonce,maxAge:null==n?void 0:n.maxAge,requireIdToken:null==n?void 0:n.idTokenExpected,[Ut]:y});let b;try{b=await v}catch(t){if(Ur(t,r))return Rr(e,void 0,n,o,bt(bt({},r),{},{flag:Wr,authResponse:i,redirectUri:a}));vr(t)}return b.id_token&&await(null==f?void 0:f(g)),Sr(b),b}async function xr(e,t,n,o){Kr(e),n=new URLSearchParams(n);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,nonRepudiation:u,timeout:l,decrypt:d}=sr(e),h=await async function(e,t,n,o,r){sn(e),cn(t),$t(o,'"refreshToken"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("refresh_token",o),Pn(e,t,n,"refresh_token",i,r)}(r,i,a,t,{[Kt]:s,[It]:!c,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(ir),signal:Dr(l)}).catch(vr),p=async function(e,t,n,o){return In(e,t,n,void 0,null==o?void 0:o[Ut],null==o?void 0:o.recognizedTokenTypes)}(r,i,h,{[Ut]:d});let f;try{f=await p}catch(r){if(Ur(r,o))return xr(e,t,n,bt(bt({},o),{},{flag:Wr}));vr(r)}return f.id_token&&await(null==u?void 0:u(h)),Sr(f),f}async function Ir(e,t,n){Kr(e),t=new URLSearchParams(t);const{as:o,c:r,auth:i,fetch:a,tlsOnly:s,timeout:c}=sr(e),u=await async function(e,t,n,o,r){return sn(e),cn(t),Pn(e,t,n,"client_credentials",new URLSearchParams(o),r)}(o,r,i,t,{[Kt]:a,[It]:!s,DPoP:null==n?void 0:n.DPoP,headers:new Headers(ir),signal:Dr(c)}).catch(vr),l=async function(e,t,n,o){return In(e,t,n,void 0,null==o?void 0:o[Ut],null==o?void 0:o.recognizedTokenTypes)}(o,r,u);let d;try{d=await l}catch(o){if(Ur(o,n))return Ir(e,t,bt(bt({},n),{},{flag:Wr}));vr(o)}return Sr(d),d}function Cr(e,t){Kr(e);const{as:n,c:o,tlsOnly:r,hybrid:i,jarm:a,implicit:s}=sr(e),c=fn(n,"authorization_endpoint",!1,r);if((t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id),!t.has("request_uri")&&!t.has("request")){if(t.has("response_type")||t.set("response_type",i?"code id_token":s?"id_token":"code"),s&&!t.has("nonce"))throw fr("response_type=id_token clients must provide a nonce parameter in their authorization request parameters",hr);a&&t.set("response_mode","jwt")}for(const[e,n]of t.entries())c.searchParams.append(e,n);return c}async function jr(e,t,n){Kr(e);const o=Cr(e,t),{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u}=sr(e),l=await async function(e,t,n,o,r){var i;sn(e),cn(t);const a=fn(e,"pushed_authorization_request_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[It])),s=new URLSearchParams(o);s.set("client_id",t.client_id);const c=Gt(null==r?void 0:r.headers);c.set("accept","application/json"),void 0!==(null==r?void 0:r.DPoP)&&(Tn(r.DPoP),await r.DPoP.addProof(a,c,"POST"));const u=await An(e,t,n,a,s,c,r);return null==r||null===(i=r.DPoP)||void 0===i||i.cacheNonce(u,a),u}(r,i,a,o.searchParams,{[Kt]:s,[It]:!c,DPoP:null==n?void 0:n.DPoP,headers:new Headers(ir),signal:Dr(u)}).catch(vr),d=async function(e,t,n){if(sn(e),cn(t),!Pt(n,Response))throw xt('"response" must be an instance of Response',Rt);await Sn(n,201,"Pushed Authorization Request Endpoint"),no(n);const o=await ho(n);$t(o.request_uri,'"response" body "request_uri" property',Zn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Qt(r,!0,'"response" body "expires_in" property',Zn,{body:o}),o.expires_in=r,o}(r,i,l);let h;try{h=await d}catch(o){if(Ur(o,n))return jr(e,t,bt(bt({},n),{},{flag:Wr}));vr(o)}return Cr(e,{request_uri:h.request_uri})}function Kr(e){if(!(e instanceof kr))throw fr('"config" must be an instance of Configuration',pr);if(Object.getPrototypeOf(e)!==kr.prototype)throw fr("subclassing Configuration is not allowed",hr)}function Dr(e){return e?AbortSignal.timeout(1e3*e):void 0}function Ur(e,t){return!(null==t||!t.DPoP||t.flag===Wr)&&function(e){if(e instanceof wn){const{0:t,length:n}=e.cause;return 1===n&&"dpop"===t.scheme&&"use_dpop_nonce"===t.parameters.error}return e instanceof mn&&"use_dpop_nonce"===e.error}(e)}Object.freeze(kr.prototype);const Wr=Symbol();async function Lr(e,t,n,o){Kr(e);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u,decrypt:l}=sr(e),d=await async function(e,t,n,o,r,i){return sn(e),cn(t),$t(o,'"grantType"'),Pn(e,t,n,o,new URLSearchParams(r),i)}(r,i,a,t,new URLSearchParams(n),{[Kt]:s,[It]:!c,DPoP:null==o?void 0:o.DPoP,headers:new Headers(ir),signal:Dr(u)}).then((e=>{let n;return"urn:ietf:params:oauth:grant-type:token-exchange"===t&&(n={n_a:()=>{}}),async function(e,t,n,o){return In(e,t,n,void 0,null==o?void 0:o[Ut],null==o?void 0:o.recognizedTokenTypes)}(r,i,e,{[Ut]:l,recognizedTokenTypes:n})})).catch(vr);return Sr(d),d}async function Nr(e,t,n){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(function(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),o=1;o<t;o++)n[o-1]=arguments[o];return Uo("Key must be ",e,...n)}(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:"SHA-".concat(e.slice(-3)),name:"HMAC"},!1,[n])}return Do(t,e,n),t}async function zr(e,t,n,o){const r=await Nr(e,t,"verify");!function(e,t){if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:n}=t.algorithm;if("number"!=typeof n||n<2048)throw new TypeError("".concat(e," requires key modulusLength to be 2048 bits or larger"))}}(e,r);const i=function(e,t){const n="SHA-".concat(e.slice(-3));switch(e){case"HS256":case"HS384":case"HS512":return{hash:n,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:n,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:n,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:n,name:"ECDSA",namedCurve:t.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:e};default:throw new To("alg ".concat(e," is not supported either by JOSE or your javascript runtime"))}}(e,r.algorithm);try{return await crypto.subtle.verify(i,r,n,o)}catch(e){return!1}}async function Hr(e,t,n){if(!Ho(e))throw new Eo("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new Eo('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new Eo("JWS Protected Header incorrect type");if(void 0===e.payload)throw new Eo("JWS Payload missing");if("string"!=typeof e.signature)throw new Eo("JWS Signature missing or incorrect type");if(void 0!==e.header&&!Ho(e.header))throw new Eo("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{const t=vo(e.protected);o=JSON.parse(yo.decode(t))}catch(e){throw new Eo("JWS Protected Header is invalid")}if(!function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.filter(Boolean);if(0===o.length||1===o.length)return!0;let r;for(const e of o){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return!1;r.add(e)}else r=new Set(t)}return!0}(o,e.header))throw new Eo("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r=bt(bt({},o),e.header),i=function(e,t,n,o,r){if(void 0!==r.crit&&void 0===(null==o?void 0:o.crit))throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||void 0===o.crit)return new Set;if(!Array.isArray(o.crit)||0===o.crit.length||o.crit.some((e=>"string"!=typeof e||0===e.length)))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==n?new Map([...Object.entries(n),...t.entries()]):t;for(const t of o.crit){if(!i.has(t))throw new To('Extension Header Parameter "'.concat(t,'" is not recognized'));if(void 0===r[t])throw new e('Extension Header Parameter "'.concat(t,'" is missing'));if(i.get(t)&&void 0===o[t])throw new e('Extension Header Parameter "'.concat(t,'" MUST be integrity protected'))}return new Set(o.crit)}(Eo,new Map([["b64",!0]]),null==n?void 0:n.crit,o,r);let a=!0;if(i.has("b64")&&(a=o.b64,"boolean"!=typeof a))throw new Eo('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:s}=r;if("string"!=typeof s||!s)throw new Eo('JWS "alg" (Algorithm) Header Parameter missing or invalid');const c=n&&function(e,t){if(void 0!==t&&(!Array.isArray(t)||t.some((e=>"string"!=typeof e))))throw new TypeError('"'.concat(e,'" option must be an array of strings'));if(t)return new Set(t)}("algorithms",n.algorithms);if(c&&!c.has(s))throw new So('"alg" (Algorithm) Header Parameter value not allowed');if(a){if("string"!=typeof e.payload)throw new Eo("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new Eo("JWS Payload must be a string or an Uint8Array instance");let u=!1;"function"==typeof t&&(t=await t(o,e),u=!0),nr(s,t,"verify");const l=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.reduce(((e,t)=>{let{length:n}=t;return e+n}),0),r=new Uint8Array(o);let i=0;for(const e of t)r.set(e,i),i+=e.length;return r}(void 0!==e.protected?wo(e.protected):new Uint8Array,wo("."),"string"==typeof e.payload?a?wo(e.payload):mo.encode(e.payload):e.payload);let d;try{d=vo(e.signature)}catch(e){throw new Eo("Failed to base64url decode the signature")}const h=await $o(t,s);if(!await zr(s,h,d,l))throw new Io;let p;if(a)try{p=vo(e.payload)}catch(e){throw new Eo("Failed to base64url decode the payload")}else p="string"==typeof e.payload?mo.encode(e.payload):e.payload;const f={payload:p};return void 0!==e.protected&&(f.protectedHeader=o),void 0!==e.header&&(f.unprotectedHeader=e.header),u?bt(bt({},f),{},{key:h}):f}const Mr=e=>Math.floor(e.getTime()/1e3),Jr=86400,Fr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function Vr(e){const t=Fr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");const n=parseFloat(t[2]);let o;switch(t[3].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(n);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(60*n);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(3600*n);break;case"day":case"days":case"d":o=Math.round(n*Jr);break;case"week":case"weeks":case"w":o=Math.round(604800*n);break;default:o=Math.round(31557600*n)}return"-"===t[1]||"ago"===t[4]?-o:o}const Zr=e=>e.includes("/")?e.toLowerCase():"application/".concat(e.toLowerCase()),qr=(e,t)=>"string"==typeof e?t.includes(e):!!Array.isArray(e)&&t.some(Set.prototype.has.bind(new Set(e)));async function Gr(e,t,n){var o;const r=await async function(e,t,n){if(e instanceof Uint8Array&&(e=yo.decode(e)),"string"!=typeof e)throw new Eo("Compact JWS must be a string or Uint8Array");const{0:o,1:r,2:i,length:a}=e.split(".");if(3!==a)throw new Eo("Invalid Compact JWS");const s=await Hr({payload:r,protected:o,signature:i},t,n),c={payload:s.payload,protectedHeader:s.protectedHeader};return"function"==typeof t?bt(bt({},c),{},{key:s.key}):c}(e,t,n);if(null!==(o=r.protectedHeader.crit)&&void 0!==o&&o.includes("b64")&&!1===r.protectedHeader.b64)throw new Ao("JWTs MUST NOT use unencoded payload");const i=function(e,t){let n,o=arguments.length>2&&void 0!==arguments[2]?arguments[2]:{};try{n=JSON.parse(yo.decode(t))}catch(e){}if(!Ho(n))throw new Ao("JWT Claims Set must be a top-level JSON object");const{typ:r}=o;if(r&&("string"!=typeof e.typ||Zr(e.typ)!==Zr(r)))throw new _o('unexpected "typ" JWT header value',n,"typ","check_failed");const{requiredClaims:i=[],issuer:a,subject:s,audience:c,maxTokenAge:u}=o,l=[...i];void 0!==u&&l.push("iat"),void 0!==c&&l.push("aud"),void 0!==s&&l.push("sub"),void 0!==a&&l.push("iss");for(const e of new Set(l.reverse()))if(!(e in n))throw new _o('missing required "'.concat(e,'" claim'),n,e,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new _o('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new _o('unexpected "sub" claim value',n,"sub","check_failed");if(c&&!qr(n.aud,"string"==typeof c?[c]:c))throw new _o('unexpected "aud" claim value',n,"aud","check_failed");let d;switch(typeof o.clockTolerance){case"string":d=Vr(o.clockTolerance);break;case"number":d=o.clockTolerance;break;case"undefined":d=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:h}=o,p=Mr(h||new Date);if((void 0!==n.iat||u)&&"number"!=typeof n.iat)throw new _o('"iat" claim must be a number',n,"iat","invalid");if(void 0!==n.nbf){if("number"!=typeof n.nbf)throw new _o('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>p+d)throw new _o('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(void 0!==n.exp){if("number"!=typeof n.exp)throw new _o('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=p-d)throw new ko('"exp" claim timestamp check failed',n,"exp","check_failed")}if(u){const e=p-n.iat;if(e-d>("number"==typeof u?u:Vr(u)))throw new ko('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(e<0-d)throw new _o('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n}(r.protectedHeader,r.payload,n),a={payload:i,protectedHeader:r.protectedHeader};return"function"==typeof t?bt(bt({},a),{},{key:r.key}):a}function Br(e){return Ho(e)}var Xr,Yr,Qr=new WeakMap,$r=new WeakMap;class ei{constructor(e){if(yt(this,Qr,void 0),yt(this,$r,new WeakMap),!function(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(Br)}(e))throw new Po("JSON Web Key Set malformed");wt(Qr,this,structuredClone(e))}jwks(){return mt(Qr,this)}async getKey(e,t){const{alg:n,kid:o}=bt(bt({},e),null==t?void 0:t.header),r=function(e){switch("string"==typeof e&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";case"ML":return"AKP";default:throw new To('Unsupported "alg" value for a JSON Web Key Set')}}(n),i=mt(Qr,this).keys.filter((e=>{let t=r===e.kty;if(t&&"string"==typeof o&&(t=o===e.kid),!t||"string"!=typeof e.alg&&"AKP"!==r||(t=n===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t)switch(n){case"ES256":t="P-256"===e.crv;break;case"ES384":t="P-384"===e.crv;break;case"ES512":t="P-521"===e.crv;break;case"Ed25519":case"EdDSA":t="Ed25519"===e.crv}return t})),{0:a,length:s}=i;if(0===s)throw new Oo;if(1!==s){const e=new Ro,t=mt($r,this);throw e[Symbol.asyncIterator]=kt((function*(){for(const e of i)try{yield yield pt(ti(t,e,n))}catch(e){}})),e}return ti(mt($r,this),a,n)}}async function ti(e,t,n){const o=e.get(t)||e.set(t,{}).get(t);if(void 0===o[n]){const e=await async function(e,t,n){var o;if(!Ho(e))throw new TypeError("JWK must be an object");let r;switch(null!=t||(t=e.alg),null!=r||(r=null!==(o=null==n?void 0:n.extractable)&&void 0!==o?o:e.ext),e.kty){case"oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return vo(e.k);case"RSA":if("oth"in e&&void 0!==e.oth)throw new To('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');return Bo(bt(bt({},e),{},{alg:t,ext:r}));case"AKP":if("string"!=typeof e.alg||!e.alg)throw new TypeError('missing "alg" (Algorithm) Parameter value');if(void 0!==t&&t!==e.alg)throw new TypeError("JWK alg and alg option value mismatch");return Bo(bt(bt({},e),{},{ext:r}));case"EC":case"OKP":return Bo(bt(bt({},e),{},{alg:t,ext:r}));default:throw new To('Unsupported "kty" (Key Type) Parameter value')}}(bt(bt({},t),{},{ext:!0}),n);if(e instanceof Uint8Array||"public"!==e.type)throw new Po("JSON Web Key Set members must be public keys");o[n]=e}return o[n]}function ni(e){const t=new ei(e),n=async(e,n)=>t.getKey(e,n);return Object.defineProperties(n,{jwks:{value:()=>structuredClone(t.jwks()),enumerable:!1,configurable:!1,writable:!1}}),n}let oi;if("undefined"==typeof navigator||null===(Xr=navigator.userAgent)||void 0===Xr||null===(Yr=Xr.startsWith)||void 0===Yr||!Yr.call(Xr,"Mozilla/5.0 ")){const e="v6.1.3";oi="".concat("jose","/").concat(e)}const ri=Symbol();const ii=Symbol();var ai=new WeakMap,si=new WeakMap,ci=new WeakMap,ui=new WeakMap,li=new WeakMap,di=new WeakMap,hi=new WeakMap,pi=new WeakMap,fi=new WeakMap,mi=new WeakMap;class yi{constructor(e,t){if(yt(this,ai,void 0),yt(this,si,void 0),yt(this,ci,void 0),yt(this,ui,void 0),yt(this,li,void 0),yt(this,di,void 0),yt(this,hi,void 0),yt(this,pi,void 0),yt(this,fi,void 0),yt(this,mi,void 0),!(e instanceof URL))throw new TypeError("url must be an instance of URL");var n,o;wt(ai,this,new URL(e.href)),wt(si,this,"number"==typeof(null==t?void 0:t.timeoutDuration)?null==t?void 0:t.timeoutDuration:5e3),wt(ci,this,"number"==typeof(null==t?void 0:t.cooldownDuration)?null==t?void 0:t.cooldownDuration:3e4),wt(ui,this,"number"==typeof(null==t?void 0:t.cacheMaxAge)?null==t?void 0:t.cacheMaxAge:6e5),wt(hi,this,new Headers(null==t?void 0:t.headers)),oi&&!mt(hi,this).has("User-Agent")&&mt(hi,this).set("User-Agent",oi),mt(hi,this).has("accept")||(mt(hi,this).set("accept","application/json"),mt(hi,this).append("accept","application/jwk-set+json")),wt(pi,this,null==t?void 0:t[ri]),void 0!==(null==t?void 0:t[ii])&&(wt(mi,this,null==t?void 0:t[ii]),n=null==t?void 0:t[ii],o=mt(ui,this),"object"==typeof n&&null!==n&&"uat"in n&&"number"==typeof n.uat&&!(Date.now()-n.uat>=o)&&"jwks"in n&&Ho(n.jwks)&&Array.isArray(n.jwks.keys)&&Array.prototype.every.call(n.jwks.keys,Ho)&&(wt(li,this,mt(mi,this).uat),wt(fi,this,ni(mt(mi,this).jwks))))}pendingFetch(){return!!mt(di,this)}coolingDown(){return"number"==typeof mt(li,this)&&Date.now()<mt(li,this)+mt(ci,this)}fresh(){return"number"==typeof mt(li,this)&&Date.now()<mt(li,this)+mt(ui,this)}jwks(){var e;return null===(e=mt(fi,this))||void 0===e?void 0:e.jwks()}async getKey(e,t){mt(fi,this)&&this.fresh()||await this.reload();try{return await mt(fi,this).call(this,e,t)}catch(n){if(n instanceof Oo&&!1===this.coolingDown())return await this.reload(),mt(fi,this).call(this,e,t);throw n}}async reload(){mt(di,this)&&("undefined"!=typeof WebSocketPair||"undefined"!=typeof navigator&&"Cloudflare-Workers"===navigator.userAgent||"undefined"!=typeof EdgeRuntime&&"vercel"===EdgeRuntime)&&wt(di,this,void 0),mt(di,this)||wt(di,this,async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:fetch;const r=await o(e,{method:"GET",signal:n,redirect:"manual",headers:t}).catch((e=>{if("TimeoutError"===e.name)throw new xo;throw e}));if(200!==r.status)throw new bo("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await r.json()}catch(e){throw new bo("Failed to parse the JSON Web Key Set HTTP response as JSON")}}(mt(ai,this).href,mt(hi,this),AbortSignal.timeout(mt(si,this)),mt(pi,this)).then((e=>{wt(fi,this,ni(e)),mt(mi,this)&&(mt(mi,this).uat=Date.now(),mt(mi,this).jwks=e),wt(li,this,Date.now()),wt(di,this,void 0)})).catch((e=>{throw wt(di,this,void 0),e}))),await mt(di,this)}}const wi=["mfaToken"],gi=["mfaToken"];var vi,bi,_i,ki,Si,Ti,Ei,Ai,Pi=class extends Error{constructor(e,t){super(t),gt(this,"code",void 0),this.name="NotSupportedError",this.code=e}},Oi=class extends Error{constructor(e,t,n){super(t),gt(this,"cause",void 0),gt(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},Ri=class extends Oi{constructor(e,t){super("token_by_code_error",e,t),this.name="TokenByCodeError"}},xi=class extends Oi{constructor(e,t){super("token_by_client_credentials_error",e,t),this.name="TokenByClientCredentialsError"}},Ii=class extends Oi{constructor(e,t){super("token_by_refresh_token_error",e,t),this.name="TokenByRefreshTokenError"}},Ci=class extends Oi{constructor(e,t){super("token_for_connection_error",e,t),this.name="TokenForConnectionErrorCode"}},ji=class extends Oi{constructor(e,t){super("token_exchange_error",e,t),this.name="TokenExchangeError"}},Ki=class extends Error{constructor(e){super(e),gt(this,"code","verify_logout_token_error"),this.name="VerifyLogoutTokenError"}},Di=class extends Oi{constructor(e){super("backchannel_authentication_error","There was an error when trying to use Client-Initiated Backchannel Authentication.",e),gt(this,"code","backchannel_authentication_error"),this.name="BackchannelAuthenticationError"}},Ui=class extends Oi{constructor(e){super("build_authorization_url_error","There was an error when trying to build the authorization URL.",e),this.name="BuildAuthorizationUrlError"}},Wi=class extends Oi{constructor(e){super("build_link_user_url_error","There was an error when trying to build the Link User URL.",e),this.name="BuildLinkUserUrlError"}},Li=class extends Oi{constructor(e){super("build_unlink_user_url_error","There was an error when trying to build the Unlink User URL.",e),this.name="BuildUnlinkUserUrlError"}},Ni=class extends Error{constructor(){super("The client secret or client assertion signing key must be provided."),gt(this,"code","missing_client_auth_error"),this.name="MissingClientAuthError"}};function zi(e){return Object.entries(e).filter((e=>{let[,t]=e;return void 0!==t})).reduce(((e,t)=>bt(bt({},e),{},{[t[0]]:t[1]})),{})}var Hi=class extends Error{constructor(e,t,n){super(t),gt(this,"cause",void 0),gt(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},Mi=class extends Hi{constructor(e,t){super("mfa_list_authenticators_error",e,t),this.name="MfaListAuthenticatorsError"}},Ji=class extends Hi{constructor(e,t){super("mfa_enrollment_error",e,t),this.name="MfaEnrollmentError"}},Fi=class extends Hi{constructor(e,t){super("mfa_delete_authenticator_error",e,t),this.name="MfaDeleteAuthenticatorError"}},Vi=class extends Hi{constructor(e,t){super("mfa_challenge_error",e,t),this.name="MfaChallengeError"}};function Zi(e){return{id:e.id,authenticatorType:e.authenticator_type,active:e.active,name:e.name,oobChannels:e.oob_channels,type:e.type}}var qi=(vi=new WeakMap,bi=new WeakMap,_i=new WeakMap,class{constructor(e){var t;yt(this,vi,void 0),yt(this,bi,void 0),yt(this,_i,void 0),wt(vi,this,"https://".concat(e.domain)),wt(bi,this,e.clientId),wt(_i,this,null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)})}async listAuthenticators(e){const t="".concat(mt(vi,this),"/mfa/authenticators"),{mfaToken:n}=e,o=await mt(_i,this).call(this,t,{method:"GET",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!o.ok){const e=await o.json();throw new Mi(e.error_description||"Failed to list authenticators",e)}return(await o.json()).map(Zi)}async enrollAuthenticator(e){const t="".concat(mt(vi,this),"/mfa/associate"),{mfaToken:n}=e,o=_t(e,wi),r={authenticator_types:o.authenticatorTypes};"oobChannels"in o&&(r.oob_channels=o.oobChannels),"phoneNumber"in o&&o.phoneNumber&&(r.phone_number=o.phoneNumber),"email"in o&&o.email&&(r.email=o.email);const i=await mt(_i,this).call(this,t,{method:"POST",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Ji(e.error_description||"Failed to enroll authenticator",e)}return function(e){if("otp"===e.authenticator_type)return{authenticatorType:"otp",secret:e.secret,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes,id:e.id};if("oob"===e.authenticator_type)return{authenticatorType:"oob",oobChannel:e.oob_channel,oobCode:e.oob_code,bindingMethod:e.binding_method,id:e.id};throw new Error("Unexpected authenticator type: ".concat(e.authenticator_type))}(await i.json())}async deleteAuthenticator(e){const{authenticatorId:t,mfaToken:n}=e,o="".concat(mt(vi,this),"/mfa/authenticators/").concat(encodeURIComponent(t)),r=await mt(_i,this).call(this,o,{method:"DELETE",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!r.ok){const e=await r.json();throw new Fi(e.error_description||"Failed to delete authenticator",e)}}async challengeAuthenticator(e){const t="".concat(mt(vi,this),"/mfa/challenge"),{mfaToken:n}=e,o=_t(e,gi),r={mfa_token:n,client_id:mt(bi,this),challenge_type:o.challengeType};o.authenticatorId&&(r.authenticator_id=o.authenticatorId);const i=await mt(_i,this).call(this,t,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Vi(e.error_description||"Failed to challenge authenticator",e)}return function(e){const t={challengeType:e.challenge_type};return void 0!==e.oob_code&&(t.oobCode=e.oob_code),void 0!==e.binding_method&&(t.bindingMethod=e.binding_method),t}(await i.json())}}),Gi=class e{constructor(e,t,n,o,r,i,a){gt(this,"accessToken",void 0),gt(this,"idToken",void 0),gt(this,"refreshToken",void 0),gt(this,"expiresAt",void 0),gt(this,"scope",void 0),gt(this,"claims",void 0),gt(this,"authorizationDetails",void 0),gt(this,"tokenType",void 0),gt(this,"issuedTokenType",void 0),this.accessToken=e,this.idToken=n,this.refreshToken=o,this.expiresAt=t,this.scope=r,this.claims=i,this.authorizationDetails=a}static fromTokenEndpointResponse(t){const n=t.id_token?t.claims():void 0,o=new e(t.access_token,Math.floor(Date.now()/1e3)+Number(t.expires_in),t.id_token,t.refresh_token,t.scope,n,t.authorization_details);return o.tokenType=t.token_type,o.issuedTokenType=t.issued_token_type,o}},Bi="openid profile email offline_access",Xi=Object.freeze(new Set(["grant_type","client_id","client_secret","client_assertion","client_assertion_type","subject_token","subject_token_type","requested_token_type","actor_token","actor_token_type","audience","aud","resource","resources","resource_indicator","scope","connection","login_hint","organization","assertion"]));function Yi(e){if(null==e)throw new ji("subject_token is required");if("string"!=typeof e)throw new ji("subject_token must be a string");if(0===e.trim().length)throw new ji("subject_token cannot be blank or whitespace");if(e!==e.trim())throw new ji("subject_token must not include leading or trailing whitespace");if(/^bearer\s+/i.test(e))throw new ji("subject_token must not include the 'Bearer ' prefix")}function Qi(e,t){if(t)for(const[n,o]of Object.entries(t))if(!Xi.has(n))if(Array.isArray(o)){if(o.length>20)throw new ji("Parameter '".concat(n,"' exceeds maximum array size of ").concat(20));o.forEach((t=>{e.append(n,t)}))}else e.append(n,o)}var $i="urn:ietf:params:oauth:token-type:access_token",ea=(ki=new WeakMap,Si=new WeakMap,Ti=new WeakMap,Ei=new WeakMap,Ai=new WeakSet,class{constructor(e){if(function(e,t){ft(e,t),t.add(e)}(this,Ai),yt(this,ki,void 0),yt(this,Si,void 0),yt(this,Ti,void 0),yt(this,Ei,void 0),gt(this,"mfa",void 0),wt(Ti,this,e),e.useMtls&&!e.customFetch)throw new Pi("mtls_without_custom_fetch_not_supported","Using mTLS without a custom fetch implementation is not supported");this.mfa=new qi({domain:mt(Ti,this).domain,clientId:mt(Ti,this).clientId,customFetch:mt(Ti,this).customFetch})}async buildAuthorizationUrl(e){const{serverMetadata:t}=await ht(Ai,this,ta).call(this);if(null!=e&&e.pushedAuthorizationRequests&&!t.pushed_authorization_request_endpoint)throw new Pi("par_not_supported_error","The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");try{return await ht(Ai,this,ia).call(this,e)}catch(e){throw new Ui(e)}}async buildLinkUserUrl(e){try{const t=await ht(Ai,this,ia).call(this,{authorizationParams:bt(bt({},e.authorizationParams),{},{requested_connection:e.connection,requested_connection_scope:e.connectionScope,scope:"openid link_account offline_access",id_token_hint:e.idToken})});return{linkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Wi(e)}}async buildUnlinkUserUrl(e){try{const t=await ht(Ai,this,ia).call(this,{authorizationParams:bt(bt({},e.authorizationParams),{},{requested_connection:e.connection,scope:"openid unlink_account",id_token_hint:e.idToken})});return{unlinkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Li(e)}}async backchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await ht(Ai,this,ta).call(this),o=zi(bt(bt({},mt(Ti,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(bt(bt({scope:Bi},o),{},{client_id:mt(Ti,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Ar(t,r),n=await Pr(t,e);return Gi.fromTokenEndpointResponse(n)}catch(e){throw new Di(e)}}async initiateBackchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await ht(Ai,this,ta).call(this),o=zi(bt(bt({},mt(Ti,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(bt(bt({scope:Bi},o),{},{client_id:mt(Ti,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Ar(t,r);return{authReqId:e.auth_req_id,expiresIn:e.expires_in,interval:e.interval}}catch(e){throw new Di(e)}}async backchannelAuthenticationGrant(e){let{authReqId:t}=e;const{configuration:n}=await ht(Ai,this,ta).call(this),o=new URLSearchParams({auth_req_id:t});try{const e=await Lr(n,"urn:openid:params:grant-type:ciba",o);return Gi.fromTokenEndpointResponse(e)}catch(e){throw new Di(e)}}async getTokenForConnection(e){var t;if(e.refreshToken&&e.accessToken)throw new Ci("Either a refresh or access token should be specified, but not both.");const n=null!==(t=e.accessToken)&&void 0!==t?t:e.refreshToken;if(!n)throw new Ci("Either a refresh or access token must be specified.");try{return await this.exchangeToken({connection:e.connection,subjectToken:n,subjectTokenType:e.accessToken?$i:"urn:ietf:params:oauth:token-type:refresh_token",loginHint:e.loginHint})}catch(e){if(e instanceof ji)throw new Ci(e.message,e.cause);throw e}}async exchangeToken(e){return"connection"in e?ht(Ai,this,na).call(this,e):ht(Ai,this,oa).call(this,e)}async getTokenByCode(e,t){const{configuration:n}=await ht(Ai,this,ta).call(this);try{const o=await Rr(n,e,{pkceCodeVerifier:t.codeVerifier});return Gi.fromTokenEndpointResponse(o)}catch(e){throw new Ri("There was an error while trying to request a token.",e)}}async getTokenByRefreshToken(e){const{configuration:t}=await ht(Ai,this,ta).call(this);try{const n=await xr(t,e.refreshToken);return Gi.fromTokenEndpointResponse(n)}catch(e){throw new Ii("The access token has expired and there was an error while trying to refresh it.",e)}}async getTokenByClientCredentials(e){const{configuration:t}=await ht(Ai,this,ta).call(this);try{const n=new URLSearchParams({audience:e.audience});e.organization&&n.append("organization",e.organization);const o=await Ir(t,n);return Gi.fromTokenEndpointResponse(o)}catch(e){throw new xi("There was an error while trying to request a token.",e)}}async buildLogoutUrl(e){const{configuration:t,serverMetadata:n}=await ht(Ai,this,ta).call(this);if(!n.end_session_endpoint){const t=new URL("https://".concat(mt(Ti,this).domain,"/v2/logout"));return t.searchParams.set("returnTo",e.returnTo),t.searchParams.set("client_id",mt(Ti,this).clientId),t}return function(e,t){Kr(e);const{as:n,c:o,tlsOnly:r}=sr(e),i=fn(n,"end_session_endpoint",!1,r);(t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id);for(const[e,n]of t.entries())i.searchParams.append(e,n);return i}(t,{post_logout_redirect_uri:e.returnTo})}async verifyLogoutToken(e){const{serverMetadata:t}=await ht(Ai,this,ta).call(this);mt(Ei,this)||wt(Ei,this,function(e,t){const n=new yi(e,t),o=async(e,t)=>n.getKey(e,t);return Object.defineProperties(o,{coolingDown:{get:()=>n.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>n.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>n.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>n.pendingFetch(),enumerable:!0,configurable:!1},jwks:{value:()=>n.jwks(),enumerable:!0,configurable:!1,writable:!1}}),o}(new URL(t.jwks_uri),{[ri]:mt(Ti,this).customFetch}));const{payload:n}=await Gr(e.logoutToken,mt(Ei,this),{issuer:t.issuer,audience:mt(Ti,this).clientId,algorithms:["RS256"],requiredClaims:["iat"]});if(!("sid"in n)&&!("sub"in n))throw new Ki('either "sid" or "sub" (or both) claims must be present');if("sid"in n&&"string"!=typeof n.sid)throw new Ki('"sid" claim must be a string');if("sub"in n&&"string"!=typeof n.sub)throw new Ki('"sub" claim must be a string');if("nonce"in n)throw new Ki('"nonce" claim is prohibited');if(!("events"in n))throw new Ki('"events" claim is missing');if("object"!=typeof n.events||null===n.events)throw new Ki('"events" claim must be an object');if(!("http://schemas.openid.net/event/backchannel-logout"in n.events))throw new Ki('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');if("object"!=typeof n.events["http://schemas.openid.net/event/backchannel-logout"])throw new Ki('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');return{sid:n.sid,sub:n.sub}}});async function ta(){if(mt(ki,this)&&mt(Si,this))return{configuration:mt(ki,this),serverMetadata:mt(Si,this)};const e=await ht(Ai,this,ra).call(this);return wt(ki,this,await br(new URL("https://".concat(mt(Ti,this).domain)),mt(Ti,this).clientId,{use_mtls_endpoint_aliases:mt(Ti,this).useMtls},e,{[dr]:mt(Ti,this).customFetch})),wt(Si,this,mt(ki,this).serverMetadata()),mt(ki,this)[dr]=mt(Ti,this).customFetch||fetch,{configuration:mt(ki,this),serverMetadata:mt(Si,this)}}async function na(e){var t,n;const{configuration:o}=await ht(Ai,this,ta).call(this);if("audience"in e||"resource"in e)throw new ji("audience and resource parameters are not supported for Token Vault exchanges");Yi(e.subjectToken);const r=new URLSearchParams({connection:e.connection,subject_token:e.subjectToken,subject_token_type:null!==(t=e.subjectTokenType)&&void 0!==t?t:$i,requested_token_type:null!==(n=e.requestedTokenType)&&void 0!==n?n:"http://auth0.com/oauth/token-type/federated-connection-access-token"});e.loginHint&&r.append("login_hint",e.loginHint),e.scope&&r.append("scope",e.scope),Qi(r,e.extra);try{const e=await Lr(o,"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",r);return Gi.fromTokenEndpointResponse(e)}catch(t){throw new ji("Failed to exchange token for connection '".concat(e.connection,"'."),t)}}async function oa(e){const{configuration:t}=await ht(Ai,this,ta).call(this);Yi(e.subjectToken);const n=new URLSearchParams({subject_token_type:e.subjectTokenType,subject_token:e.subjectToken});e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope),e.requestedTokenType&&n.append("requested_token_type",e.requestedTokenType),e.organization&&n.append("organization",e.organization),Qi(n,e.extra);try{const e=await Lr(t,"urn:ietf:params:oauth:grant-type:token-exchange",n);return Gi.fromTokenEndpointResponse(e)}catch(t){throw new ji("Failed to exchange token of type '".concat(e.subjectTokenType,"'").concat(e.audience?" for audience '".concat(e.audience,"'"):"","."),t)}}async function ra(){if(!mt(Ti,this).clientSecret&&!mt(Ti,this).clientAssertionSigningKey&&!mt(Ti,this).useMtls)throw new Ni;if(mt(Ti,this).useMtls)return(e,t,n,o)=>{n.set("client_id",t.client_id)};let e=mt(Ti,this).clientAssertionSigningKey;return!e||e instanceof CryptoKey||(e=await async function(e,t,n){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Go(e,t,n)}(e,mt(Ti,this).clientAssertionSigningAlg||"RS256")),e?function(e,t){return ln(e,t)}(e):lr(mt(Ti,this).clientSecret)}async function ia(e){const{configuration:t}=await ht(Ai,this,ta).call(this),n=yr(),o=await mr(n),r=zi(bt(bt({},mt(Ti,this).authorizationParams),null==e?void 0:e.authorizationParams)),i=new URLSearchParams(bt(bt({scope:Bi},r),{},{client_id:mt(Ti,this).clientId,code_challenge:o,code_challenge_method:"S256"}));return{authorizationUrl:null!=e&&e.pushedAuthorizationRequests?await jr(t,i):await Cr(t,i),codeVerifier:n}}class aa extends k{constructor(e,t){super(e,t),Object.setPrototypeOf(this,aa.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new aa(t,n)}}class sa extends aa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,sa.prototype)}}class ca extends aa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ca.prototype)}}class ua extends aa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ua.prototype)}}class la extends aa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,la.prototype)}}class da extends aa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,da.prototype)}}class ha{constructor(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:6e5;this.contexts=new Map,this.ttlMs=e}set(e,t){this.cleanup(),this.contexts.set(e,Object.assign(Object.assign({},t),{createdAt:Date.now()}))}get(e){const t=this.contexts.get(e);if(t){if(!(Date.now()-t.createdAt>this.ttlMs))return t;this.contexts.delete(e)}}remove(e){this.contexts.delete(e)}cleanup(){const e=Date.now();for(const[t,n]of this.contexts)e-n.createdAt>this.ttlMs&&this.contexts.delete(t)}get size(){return this.contexts.size}}class pa{constructor(e,t){this.authJsMfaClient=e,this.auth0Client=t,this.contextManager=new ha}setMFAAuthDetails(e,t,n,o){this.contextManager.set(e,{scope:t,audience:n,mfaRequirements:o})}async getAuthenticators(e){var t,n;const o=this.contextManager.get(e);if(!(null===(t=null==o?void 0:o.mfaRequirements)||void 0===t?void 0:t.challenge)||0===o.mfaRequirements.challenge.length)throw new sa("invalid_request","challengeType is required and must contain at least one challenge type, please check mfa_required error payload");const r=o.mfaRequirements.challenge.map((e=>e.type));try{return(await this.authJsMfaClient.listAuthenticators({mfaToken:e})).filter((e=>!!e.type&&r.includes(e.type)))}catch(e){if(e instanceof Mi)throw new sa(null===(n=e.cause)||void 0===n?void 0:n.error,e.message);throw e}}async enroll(e){var t;const n=function(e){const t=st[e.factorType];return Object.assign(Object.assign(Object.assign({mfaToken:e.mfaToken,authenticatorTypes:t.authenticatorTypes},t.oobChannels&&{oobChannels:t.oobChannels}),"phoneNumber"in e&&{phoneNumber:e.phoneNumber}),"email"in e&&{email:e.email})}(e);try{return await this.authJsMfaClient.enrollAuthenticator(n)}catch(e){if(e instanceof Ji)throw new ca(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async challenge(e){var t;try{const t={challengeType:e.challengeType,mfaToken:e.mfaToken};return e.authenticatorId&&(t.authenticatorId=e.authenticatorId),await this.authJsMfaClient.challengeAuthenticator(t)}catch(e){if(e instanceof Vi)throw new ua(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async getEnrollmentFactors(e){const t=this.contextManager.get(e);if(!t||!t.mfaRequirements)throw new da("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");return t.mfaRequirements.enroll&&0!==t.mfaRequirements.enroll.length?t.mfaRequirements.enroll:[]}async verify(e){const t=this.contextManager.get(e.mfaToken);if(!t)throw new la("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");const n=function(e){return"otp"in e&&e.otp?ct:"oobCode"in e&&e.oobCode?ut:"recoveryCode"in e&&e.recoveryCode?lt:void 0}(e);if(!n)throw new la("invalid_request","Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");const o=t.scope,r=t.audience;try{const t=await this.auth0Client._requestTokenForMfa({grant_type:n,mfaToken:e.mfaToken,scope:o,audience:r,otp:e.otp,oob_code:e.oobCode,binding_code:e.bindingCode,recovery_code:e.recoveryCode});return this.contextManager.remove(e.mfaToken),t}catch(e){if(e instanceof R)this.setMFAAuthDetails(e.mfa_token,o,r,e.mfa_requirements);else if(e instanceof la)throw new la(e.error,e.error_description);throw e}}}const fa=new m;class ma{constructor(e){let t,n;if(this.userCache=(new _e).enclosedCache,this.activeLockKeys=new Set,this.defaultOptions={authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:!1,useFormData:!0},this._releaseLockOnPageHide=async()=>{const e=Array.from(this.activeLockKeys);for(const t of e)await fa.releaseLock(t);this.activeLockKeys.clear(),window.removeEventListener("pagehide",this._releaseLockOnPageHide)},this.options=Object.assign(Object.assign(Object.assign({},this.defaultOptions),e),{authorizationParams:Object.assign(Object.assign({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!K())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===K().subtle)throw new Error("\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n ")})(),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)n=e.cache;else{if(t=e.cacheLocation||g,!Ye(t))throw new Error('Invalid cache location "'.concat(t,'"'));n=Ye(t)()}var o;this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:w,this.cookieStorage=!1===e.legacySameSiteCookie?De:We,this.orgHintCookieName=(o=this.options.clientId,"auth0.".concat(o,".organization_hint")),this.isAuthenticatedCookieName=(e=>"auth0.".concat(e,".is.authenticated"))(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const r=e.useCookiesForTransactions?this.cookieStorage:Le;var i;this.scope=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if("object"!=typeof e)return{[_]:me(t,e,...o)};let i={[_]:me(t,...o)};return Object.keys(e).forEach((n=>{const r=e[n];i[n]=me(t,r,...o)})),i}(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new Se(r,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||b,this.cacheManager=new ke(n,n.allKeys?void 0:new Ge(n,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new nt(this.options.clientId):void 0,this.domainUrl=(i=this.options.domain,/^https?:\/\//.test(i)?i:"https://".concat(i)),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:"https://".concat(e,"/"):"".concat(t,"/"))(this.options.issuer,this.domainUrl);const a="".concat(this.domainUrl,"/me/"),s=this.createFetcher(Object.assign(Object.assign({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:a},detailedResponse:!0})}));this.myAccountApi=new it(s,a),this.authJsClient=new ea({domain:this.options.domain,clientId:this.options.clientId}),this.mfa=new pa(this.authJsClient.mfa,this),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&t===g&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new Ve)}getConfiguration(){return Object.freeze({domain:this.options.domain,clientId:this.options.clientId})}_url(e){const t=this.options.auth0Client||v,n=L(t,!0),o=encodeURIComponent(btoa(JSON.stringify(n)));return"".concat(this.domainUrl).concat(e,"&auth0Client=").concat(o)}_authorizeUrl(e){return this._url("/authorize?".concat(N(e)))}async _verifyIdToken(e,t,n){const o=await this.nowProvider();return Ae({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:n,leeway:this.options.leeway,max_age:(r=this.options.authorizationParams.max_age,"string"!=typeof r?r:parseInt(r,10)||void 0),now:o});var r}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain})}async _prepareAuthorizeUrl(e,t,n){var o;const r=U(D()),i=U(D()),a=D(),s=await z(a),c=M(s),u=await(null===(o=this.dpop)||void 0===o?void 0:o.calculateThumbprint()),l=((e,t,n,o,r,i,a,s,c)=>Object.assign(Object.assign(Object.assign({client_id:e.clientId},e.authorizationParams),n),{scope:ye(t,n.scope,n.audience),response_type:"code",response_mode:s||"query",state:o,nonce:r,redirect_uri:a||e.authorizationParams.redirect_uri,code_challenge:i,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,r,i,c,e.redirect_uri||this.options.authorizationParams.redirect_uri||n,null==t?void 0:t.response_mode,u),d=this._authorizeUrl(l);return{nonce:i,code_verifier:a,scope:l.scope,audience:l.audience||_,redirect_uri:l.redirect_uri,state:r,url:d}}async loginWithPopup(e,t){var n;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,n=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup","left=".concat(t,",top=").concat(n,",width=").concat(400,",height=").concat(600,",resizable,scrollbars=yes,status=1"))})(""),!t.popup))throw new O;const o=await this._prepareAuthorizeUrl(e.authorizationParams||{},{response_mode:"web_message"},window.location.origin);t.popup.location.href=o.url;const r=await(e=>new Promise(((t,n)=>{let o;const r=setInterval((()=>{e.popup&&e.popup.closed&&(clearInterval(r),clearTimeout(i),window.removeEventListener("message",o,!1),n(new P(e.popup)))}),1e3),i=setTimeout((()=>{clearInterval(r),n(new A(e.popup)),window.removeEventListener("message",o,!1)}),1e3*(e.timeoutInSeconds||60));o=function(a){if(a.data&&"authorization_response"===a.data.type){if(clearTimeout(i),clearInterval(r),window.removeEventListener("message",o,!1),!1!==e.closePopup&&e.popup.close(),a.data.response.error)return n(k.fromPayload(a.data.response));t(a.data.response)}},window.addEventListener("message",o)})))(Object.assign(Object.assign({},t),{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}));if(o.state!==r.state)throw new k("state_mismatch","Invalid state");const i=(null===(n=e.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:o.audience,scope:o.scope,code_verifier:o.code_verifier,grant_type:"authorization_code",code:r.code,redirect_uri:o.redirect_uri},{nonceIn:o.nonce,organization:i})}async getUser(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(){var n;const o=Qe(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),{openUrl:r,fragment:i,appState:a}=o,s=t(o,["openUrl","fragment","appState"]),c=(null===(n=s.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization,u=await this._prepareAuthorizeUrl(s.authorizationParams||{}),{url:l}=u,d=t(u,["url"]);this.transactionManager.create(Object.assign(Object.assign(Object.assign({},d),{appState:a,response_type:e.ResponseType.Code}),c&&{organization:c}));const h=i?"".concat(l,"#").concat(i):l;r?await r(h):window.location.assign(h)}async handleRedirectCallback(){const t=(arguments.length>0&&void 0!==arguments[0]?arguments[0]:window.location.href).split("?").slice(1);if(0===t.length)throw new Error("There are no query params available for parsing.");const n=this.transactionManager.get();if(!n)throw new k("missing_transaction","Invalid state");this.transactionManager.remove();const o=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return{state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(t.join(""));return n.response_type===e.ResponseType.ConnectCode?this._handleConnectAccountRedirectCallback(o,n):this._handleLoginRedirectCallback(o,n)}async _handleLoginRedirectCallback(t,n){const{code:o,state:r,error:i,error_description:a}=t;if(i)throw new S(i,a||i,r,n.appState);if(!n.code_verifier||n.state&&n.state!==r)throw new k("state_mismatch","Invalid state");const s=n.organization,c=n.nonce,u=n.redirect_uri;return await this._requestToken(Object.assign({audience:n.audience,scope:n.scope,code_verifier:n.code_verifier,grant_type:"authorization_code",code:o},u?{redirect_uri:u}:{}),{nonceIn:c,organization:s}),{appState:n.appState,response_type:e.ResponseType.Code}}async _handleConnectAccountRedirectCallback(t,n){const{connect_code:o,state:r,error:i,error_description:a}=t;if(i)throw new T(i,a||i,n.connection,r,n.appState);if(!o)throw new k("missing_connect_code","Missing connect code");if(!(n.code_verifier&&n.state&&n.auth_session&&n.redirect_uri&&n.state===r))throw new k("state_mismatch","Invalid state");const s=await this.myAccountApi.completeAccount({auth_session:n.auth_session,connect_code:o,redirect_uri:n.redirect_uri,code_verifier:n.code_verifier});return Object.assign(Object.assign({},s),{appState:n.appState,response_type:e.ResponseType.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get(Be))return;this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(Be)}try{await this.getTokenSilently(e)}catch(e){}}async getTokenSilently(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var t,n;const o=Object.assign(Object.assign({cacheMode:"on"},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:ye(this.scope,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,(null===(n=e.authorizationParams)||void 0===n?void 0:n.audience)||this.options.authorizationParams.audience)})}),r=await((e,t)=>{let n=Ze[t];return n||(n=e().finally((()=>{delete Ze[t],n=null})),Ze[t]=n),n})((()=>this._getTokenSilently(o)),"".concat(this.options.clientId,"::").concat(o.authorizationParams.audience,"::").concat(o.authorizationParams.scope));return e.detailedResponse?r:null==r?void 0:r.access_token}async _getTokenSilently(e){const{cacheMode:n}=e,o=t(e,["cacheMode"]);if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||_,clientId:this.options.clientId,cacheMode:n});if(e)return e}if("cache-only"===n)return;const r=(i=this.options.clientId,a=o.authorizationParams.audience||"default","".concat("auth0.lock.getTokenSilently",".").concat(i,".").concat(a));var i,a;if(!await qe((()=>fa.acquireLock(r,5e3)),10))throw new E;this.activeLockKeys.add(r),1===this.activeLockKeys.size&&window.addEventListener("pagehide",this._releaseLockOnPageHide);try{if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||_,clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(o):await this._getTokenFromIFrame(o),{id_token:t,token_type:i,access_token:a,oauthTokenScope:s,expires_in:c}=e;return Object.assign(Object.assign({id_token:t,token_type:i,access_token:a},s?{scope:s}:null),{expires_in:c})}finally{await fa.releaseLock(r),this.activeLockKeys.delete(r),0===this.activeLockKeys.size&&window.removeEventListener("pagehide",this._releaseLockOnPageHide)}}async getTokenWithPopup(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{},t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{};var n,o;const r=Object.assign(Object.assign({},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:ye(this.scope,null===(n=e.authorizationParams)||void 0===n?void 0:n.scope,(null===(o=e.authorizationParams)||void 0===o?void 0:o.audience)||this.options.authorizationParams.audience)})});t=Object.assign(Object.assign({},y),t),await this.loginWithPopup(r,t);return(await this.cacheManager.get(new ve({scope:r.authorizationParams.scope,audience:r.authorizationParams.audience||_,clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return!!await this.getUser()}_buildLogoutUrl(e){null!==e.clientId?e.clientId=e.clientId||this.options.clientId:delete e.clientId;const n=e.logoutParams||{},{federated:o}=n,r=t(n,["federated"]),i=o?"&federated":"";return this._url("/v2/logout?".concat(N(Object.assign({clientId:e.clientId},r))))+i}async logout(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var n;const o=Qe(e),{openUrl:r}=o,i=t(o,["openUrl"]);null===e.clientId?await this.cacheManager.clear():await this.cacheManager.clear(e.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove(ge),await(null===(n=this.dpop)||void 0===n?void 0:n.clear());const a=this._buildLogoutUrl(i);r?await r(a):!1!==r&&window.location.assign(a)}async _getTokenFromIFrame(e){const t=(n=this.options.clientId,"".concat("auth0.lock.getTokenFromIFrame",".").concat(n));var n;if(!await qe((()=>fa.acquireLock(t,5e3)),10))throw new E;try{const n=Object.assign(Object.assign({},e.authorizationParams),{prompt:"none"}),o=this.cookieStorage.get(this.orgHintCookieName);o&&!n.organization&&(n.organization=o);const{url:r,state:i,nonce:a,code_verifier:s,redirect_uri:c,scope:u,audience:l}=await this._prepareAuthorizeUrl(n,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new k("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const d=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let h;try{h=new URL(this.domainUrl).origin}catch(e){h=this.domainUrl}const p=await function(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:60;return new Promise(((o,r)=>{const i=window.document.createElement("iframe");i.setAttribute("width","0"),i.setAttribute("height","0"),i.style.display="none";const a=()=>{window.document.body.contains(i)&&(window.document.body.removeChild(i),window.removeEventListener("message",s,!1))};let s;const c=setTimeout((()=>{r(new E),a()}),1e3*n);s=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const n=e.source;n&&n.close(),e.data.response.error?r(k.fromPayload(e.data.response)):o(e.data.response),clearTimeout(c),window.removeEventListener("message",s,!1),setTimeout(a,2e3)},window.addEventListener("message",s,!1),window.document.body.appendChild(i),i.setAttribute("src",e)}))}(r,h,d);if(i!==p.state)throw new k("state_mismatch","Invalid state");const f=await this._requestToken(Object.assign(Object.assign({},e.authorizationParams),{code_verifier:s,code:p.code,grant_type:"authorization_code",redirect_uri:c,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:a,organization:n.organization});return Object.assign(Object.assign({},f),{scope:u,oauthTokenScope:f.scope,audience:l})}catch(e){throw"login_required"===e.error&&this.logout({openUrl:!1}),e}finally{await fa.releaseLock(t)}}async _getTokenUsingRefreshToken(e){var t,n;const o=await this.cacheManager.get(new ve({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||_,clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(o&&o.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new x(e.authorizationParams.audience||_,e.authorizationParams.scope)}const r=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,i="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,a=((e,t,n,o)=>{var r;if(e&&n&&o){if(t.audience!==n)return t.scope;const e=o.split(" "),i=(null===(r=t.scope)||void 0===r?void 0:r.split(" "))||[],a=i.every((t=>e.includes(t)));return e.length>=i.length&&a?o:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==o?void 0:o.audience,null==o?void 0:o.scope);try{const t=await this._requestToken(Object.assign(Object.assign(Object.assign({},e.authorizationParams),{grant_type:"refresh_token",refresh_token:o&&o.refresh_token,redirect_uri:r}),i&&{timeout:i}),{scopesToRequest:a});if(t.refresh_token&&(null==o?void 0:o.refresh_token)&&await this.cacheManager.updateEntry(o.refresh_token,t.refresh_token),this.options.useMrrt){if(s=null==o?void 0:o.audience,c=null==o?void 0:o.scope,u=e.authorizationParams.audience,l=e.authorizationParams.scope,s!==u||!$e(l,c)){if(!$e(a,t.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const n=((e,t)=>{const n=(null==e?void 0:e.split(" "))||[],o=(null==t?void 0:t.split(" "))||[];return n.filter((e=>-1==o.indexOf(e))).join(",")})(a,t.scope);throw new I(e.authorizationParams.audience||"default",n)}}}return Object.assign(Object.assign({},t),{scope:e.authorizationParams.scope,oauthTokenScope:t.scope,audience:e.authorizationParams.audience||_})}catch(o){if((o.message.indexOf("Missing Refresh Token")>-1||o.message&&o.message.indexOf("invalid refresh token")>-1)&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw o instanceof R&&this.mfa.setMFAAuthDetails(o.mfa_token,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,null===(n=e.authorizationParams)||void 0===n?void 0:n.audience,o.mfa_requirements),o}var s,c,u,l}async _saveEntryInCache(e){const{id_token:n,decodedToken:o}=e,r=t(e,["id_token","decodedToken"]);this.userCache.set(ge,{id_token:n,decodedToken:o}),await this.cacheManager.setIdToken(this.options.clientId,e.id_token,e.decodedToken),await this.cacheManager.set(r)}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||_,t=this.scope[e],n=await this.cacheManager.getIdToken(new ve({clientId:this.options.clientId,audience:e,scope:t})),o=this.userCache.get(ge);return n&&n.id_token===(null==o?void 0:o.id_token)?o:(this.userCache.set(ge,n),n)}async _getEntryFromCache(e){let{scope:t,audience:n,clientId:o,cacheMode:r}=e;const i=await this.cacheManager.get(new ve({scope:t,audience:n,clientId:o}),60,this.options.useMrrt,r);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:n,expires_in:o}=i,r=await this._getIdTokenFromCache();return r&&Object.assign(Object.assign({id_token:r.id_token,token_type:e||"Bearer",access_token:t},n?{scope:n}:null),{expires_in:o})}}async _requestToken(e,t){var n,o;const{nonceIn:r,organization:i,scopesToRequest:a}=t||{},s=await pe(Object.assign(Object.assign({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{scope:a||e.scope}),this.worker),c=await this._verifyIdToken(s.id_token,r,i);if("authorization_code"===e.grant_type){const e=await this._getIdTokenFromCache();(null===(o=null===(n=null==e?void 0:e.decodedToken)||void 0===n?void 0:n.claims)||void 0===o?void 0:o.sub)&&e.decodedToken.claims.sub!==c.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove(ge))}return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({},s),{decodedToken:c,scope:e.scope,audience:e.audience||_}),s.scope?{oauthTokenScope:s.scope}:null),{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(i||c.claims.org_id),Object.assign(Object.assign({},s),{decodedToken:c})}async exchangeToken(e){return this._requestToken({grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:ye(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization})}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};return new rt(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null===(t=null==e?void 0:e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:!0})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(t){const{openUrl:n,appState:o,connection:r,scopes:i,authorization_params:a,redirectUri:s=this.options.authorizationParams.redirect_uri||window.location.origin}=t;if(!r)throw new Error("connection is required");const c=U(D()),u=D(),l=await z(u),d=M(l),{connect_uri:h,connect_params:p,auth_session:f}=await this.myAccountApi.connectAccount({connection:r,scopes:i,redirect_uri:s,state:c,code_challenge:d,code_challenge_method:"S256",authorization_params:a});this.transactionManager.create({state:c,code_verifier:u,auth_session:f,redirect_uri:s,appState:o,connection:r,response_type:e.ResponseType.ConnectCode});const m=new URL(h);m.searchParams.set("ticket",p.ticket),n?await n(m.toString()):window.location.assign(m)}async _requestTokenForMfa(e,n){const{mfaToken:o}=e,r=t(e,["mfaToken"]);return this._requestToken(Object.assign(Object.assign({},r),{mfa_token:o}),n)}}e.Auth0Client=ma,e.AuthenticationError=S,e.CacheKey=ve,e.ConnectError=T,e.GenericError=k,e.InMemoryCache=_e,e.LocalStorageCache=be,e.MfaApiClient=pa,e.MfaChallengeError=ua,e.MfaEnrollmentError=ca,e.MfaEnrollmentFactorsError=da,e.MfaError=aa,e.MfaListAuthenticatorsError=sa,e.MfaRequiredError=R,e.MfaVerifyError=la,e.MissingRefreshTokenError=x,e.MyAccountApiError=at,e.PopupCancelledError=P,e.PopupOpenError=O,e.PopupTimeoutError=A,e.TimeoutError=E,e.UseDpopNonceError=C,e.User=class{},e.createAuth0Client=async function(e){const t=new ma(e);return await t.checkSession(),t},Object.defineProperty(e,"__esModule",{value:!0})}));
2
2
  //# sourceMappingURL=auth0-spa-js.production.js.map