@auth0/auth0-spa-js 2.16.0 → 2.17.1

package/dist/auth0-spa-js.development.js

@@ -1,7 +1,7 @@
 (function(global, factory) {
     typeof exports === "object" && typeof module !== "undefined" ? factory(exports) : typeof define === "function" && define.amd ? define([ "exports" ], factory) : (global = typeof globalThis !== "undefined" ? globalThis : global || self, 
     factory(global.auth0 = {}));
-})(this, (function(exports) {
+})(this, function(exports) {
     "use strict";
     function __rest(s, e) {
         var t = {};
@@ -15,7 +15,7 @@
         var e = new Error(message);
         return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
     };
-    var version = "2.16.0";
+    var version = "2.17.1";
     const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
     const DEFAULT_POPUP_CONFIG_OPTIONS = {
         timeoutInSeconds: DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
@@ -27,6 +27,7 @@
     const MISSING_REFRESH_TOKEN_ERROR_MESSAGE = "Missing Refresh Token";
     const INVALID_REFRESH_TOKEN_ERROR_MESSAGE = "invalid refresh token";
     const USER_BLOCKED_ERROR_MESSAGE = "user is blocked";
+    const MFA_STEP_UP_ERROR_DESCRIPTION = "Multifactor authentication required";
     const DEFAULT_SCOPE = "openid profile email";
     const DEFAULT_SESSION_CHECK_EXPIRY_DAYS = 1;
     const DEFAULT_AUTH0_CLIENT = {
@@ -142,7 +143,7 @@
     };
     const runIframe = function runIframe(authorizeUrl, eventOrigin) {
         let timeoutInSeconds = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS;
-        return new Promise(((res, rej) => {
+        return new Promise((res, rej) => {
             const iframe = window.document.createElement("iframe");
             iframe.setAttribute("width", "0");
             iframe.setAttribute("height", "0");
@@ -154,10 +155,10 @@
                 }
             };
             let _iframeEventHandler;
-            const timeoutSetTimeoutId = setTimeout((() => {
+            const timeoutSetTimeoutId = setTimeout(() => {
                 rej(new TimeoutError);
                 removeIframe();
-            }), timeoutInSeconds * 1e3);
+            }, timeoutInSeconds * 1e3);
             _iframeEventHandler = function iframeEventHandler(e) {
                 if (e.origin != eventOrigin) return;
                 if (!e.data || e.data.type !== "authorization_response") return;
@@ -173,7 +174,7 @@
             window.addEventListener("message", _iframeEventHandler, false);
             window.document.body.appendChild(iframe);
             iframe.setAttribute("src", authorizeUrl);
-        }));
+        });
     };
     const openPopup = url => {
         const width = 400;
@@ -182,21 +183,21 @@
         const top = window.screenY + (window.innerHeight - height) / 2;
         return window.open(url, "auth0:authorize:popup", "left=".concat(left, ",top=").concat(top, ",width=").concat(width, ",height=").concat(height, ",resizable,scrollbars=yes,status=1"));
     };
-    const runPopup = config => new Promise(((resolve, reject) => {
+    const runPopup = config => new Promise((resolve, reject) => {
         let _popupEventListener;
-        const popupTimer = setInterval((() => {
+        const popupTimer = setInterval(() => {
             if (config.popup && config.popup.closed) {
                 clearInterval(popupTimer);
                 clearTimeout(timeoutId);
                 window.removeEventListener("message", _popupEventListener, false);
                 reject(new PopupCancelledError(config.popup));
             }
-        }), 1e3);
-        const timeoutId = setTimeout((() => {
+        }, 1e3);
+        const timeoutId = setTimeout(() => {
             clearInterval(popupTimer);
             reject(new PopupTimeoutError(config.popup));
             window.removeEventListener("message", _popupEventListener, false);
-        }), (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
+        }, (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
         _popupEventListener = function popupEventListener(e) {
             if (!e.data || e.data.type !== "authorization_response") {
                 return;
@@ -213,19 +214,19 @@
             resolve(e.data.response);
         };
         window.addEventListener("message", _popupEventListener);
-    }));
+    });
     const getCrypto = () => window.crypto;
     const createRandomString = () => {
         const charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";
         let random = "";
         const randomValues = Array.from(getCrypto().getRandomValues(new Uint8Array(43)));
-        randomValues.forEach((v => random += charset[v % charset.length]));
+        randomValues.forEach(v => random += charset[v % charset.length]);
         return random;
     };
     const encode$2 = value => btoa(value);
-    const stripUndefined = params => Object.keys(params).filter((k => typeof params[k] !== "undefined")).reduce(((acc, key) => Object.assign(Object.assign({}, acc), {
+    const stripUndefined = params => Object.keys(params).filter(k => typeof params[k] !== "undefined").reduce((acc, key) => Object.assign(Object.assign({}, acc), {
         [key]: params[key]
-    })), {});
+    }), {});
     const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
         key: "name",
         type: [ "string" ]
@@ -238,16 +239,16 @@
     } ];
     const stripAuth0Client = function stripAuth0Client(auth0Client) {
         let excludeEnv = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
-        return Object.keys(auth0Client).reduce(((acc, key) => {
+        return Object.keys(auth0Client).reduce((acc, key) => {
             if (excludeEnv && key === "env") {
                 return acc;
             }
-            const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
+            const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find(p => p.key === key);
             if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
                 acc[key] = auth0Client[key];
             }
             return acc;
-        }), {});
+        }, {});
     };
     const createQueryParams = _a => {
         var {clientId: client_id} = _a, params = __rest(_a, [ "clientId" ]);
@@ -267,9 +268,9 @@
             "/": "_",
             "=": ""
         };
-        return input.replace(/[+/=]/g, (m => b64Chars[m]));
+        return input.replace(/[+/=]/g, m => b64Chars[m]);
     };
-    const decodeB64 = input => decodeURIComponent(atob(input).split("").map((c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2))).join(""));
+    const decodeB64 = input => decodeURIComponent(atob(input).split("").map(c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join(""));
     const urlDecodeB64 = input => decodeB64(input.replace(/_/g, "/").replace(/-/g, "+"));
     const bufferToBase64UrlEncoded = input => {
         const ie11SafeInput = new Uint8Array(input);
@@ -301,11 +302,11 @@
         }
         return parseInt(value, 10) || undefined;
     };
-    const fromEntries = iterable => [ ...iterable ].reduce(((obj, _ref) => {
+    const fromEntries = iterable => [ ...iterable ].reduce((obj, _ref) => {
         let [key, val] = _ref;
         obj[key] = val;
         return obj;
-    }), {});
+    }, {});
     var commonjsGlobal = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : {};
     var browserTabsLock = {};
     var processLock = {};
@@ -335,14 +336,14 @@
                 return _this.locked.has(key);
             };
             this.lock = function(key) {
-                return new Promise((function(resolve, reject) {
+                return new Promise(function(resolve, reject) {
                     if (_this.isLocked(key)) {
                         _this.addToLocked(key, resolve);
                     } else {
                         _this.addToLocked(key);
                         resolve();
                     }
-                }));
+                });
             };
             this.unlock = function(key) {
                 var callbacks = _this.locked.get(key);
@@ -370,7 +371,7 @@
     }
     processLock.default = getLock;
     var __awaiter = commonjsGlobal && commonjsGlobal.__awaiter || function(thisArg, _arguments, P, generator) {
-        return new (P || (P = Promise))((function(resolve, reject) {
+        return new (P || (P = Promise))(function(resolve, reject) {
             function fulfilled(value) {
                 try {
                     step(generator.next(value));
@@ -386,12 +387,12 @@
                 }
             }
             function step(result) {
-                result.done ? resolve(result.value) : new P((function(resolve) {
+                result.done ? resolve(result.value) : new P(function(resolve) {
                     resolve(result.value);
-                })).then(fulfilled, rejected);
+                }).then(fulfilled, rejected);
             }
             step((generator = generator.apply(thisArg, _arguments || [])).next());
-        }));
+        });
     };
     var __generator = commonjsGlobal && commonjsGlobal.__generator || function(thisArg, body) {
         var _ = {
@@ -490,39 +491,39 @@
     var LOCK_STORAGE_KEY = "browser-tabs-lock-key";
     var DEFAULT_STORAGE_HANDLER = {
         key: function(index) {
-            return __awaiter(_this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(_this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     throw new Error("Unsupported");
-                }));
-            }));
+                });
+            });
         },
         getItem: function(key) {
-            return __awaiter(_this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(_this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     throw new Error("Unsupported");
-                }));
-            }));
+                });
+            });
         },
         clear: function() {
-            return __awaiter(_this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(_this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     return [ 2, window.localStorage.clear() ];
-                }));
-            }));
+                });
+            });
         },
         removeItem: function(key) {
-            return __awaiter(_this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(_this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     throw new Error("Unsupported");
-                }));
-            }));
+                });
+            });
         },
         setItem: function(key, value) {
-            return __awaiter(_this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(_this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     throw new Error("Unsupported");
-                }));
-            }));
+                });
+            });
         },
         keySync: function(index) {
             return window.localStorage.key(index);
@@ -541,9 +542,9 @@
         }
     };
     function delay(milliseconds) {
-        return new Promise((function(resolve) {
+        return new Promise(function(resolve) {
             return setTimeout(resolve, milliseconds);
-        }));
+        });
     }
     function generateRandomString(length) {
         var CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
@@ -576,9 +577,9 @@
             if (timeout === void 0) {
                 timeout = 5e3;
             }
-            return __awaiter(this, void 0, void 0, (function() {
+            return __awaiter(this, void 0, void 0, function() {
                 var iat, MAX_TIME, STORAGE_KEY, STORAGE, lockObj, TIMEOUT_KEY, lockObjPostDelay, parsedLockObjPostDelay;
-                return __generator(this, (function(_a) {
+                return __generator(this, function(_a) {
                     switch (_a.label) {
                       case 0:
                         iat = Date.now() + generateRandomString(4);
@@ -637,17 +638,17 @@
                       case 8:
                         return [ 2, false ];
                     }
-                }));
-            }));
+                });
+            });
         };
         SuperTokensLock.prototype.refreshLockWhileAcquired = function(storageKey, iat) {
-            return __awaiter(this, void 0, void 0, (function() {
+            return __awaiter(this, void 0, void 0, function() {
                 var _this = this;
-                return __generator(this, (function(_a) {
-                    setTimeout((function() {
-                        return __awaiter(_this, void 0, void 0, (function() {
+                return __generator(this, function(_a) {
+                    setTimeout(function() {
+                        return __awaiter(_this, void 0, void 0, function() {
                             var STORAGE, lockObj, parsedLockObj;
-                            return __generator(this, (function(_a) {
+                            return __generator(this, function(_a) {
                                 switch (_a.label) {
                                   case 0:
                                     return [ 4, processLock_1.default().lock(iat) ];
@@ -672,19 +673,19 @@
                                     this.refreshLockWhileAcquired(storageKey, iat);
                                     return [ 2 ];
                                 }
-                            }));
-                        }));
-                    }), 1e3);
+                            });
+                        });
+                    }, 1e3);
                     return [ 2 ];
-                }));
-            }));
+                });
+            });
         };
         SuperTokensLock.prototype.waitForSomethingToChange = function(MAX_TIME) {
-            return __awaiter(this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     switch (_a.label) {
                       case 0:
-                        return [ 4, new Promise((function(resolve) {
+                        return [ 4, new Promise(function(resolve) {
                             var resolvedCalled = false;
                             var startedAt = Date.now();
                             var MIN_TIME_TO_WAIT = 50;
@@ -709,14 +710,14 @@
                             window.addEventListener("storage", stopWaiting);
                             SuperTokensLock.addToWaiting(stopWaiting);
                             var timeOutId = setTimeout(stopWaiting, Math.max(0, MAX_TIME - Date.now()));
-                        })) ];
+                        }) ];
 
                       case 1:
                         _a.sent();
                         return [ 2 ];
                     }
-                }));
-            }));
+                });
+            });
         };
         SuperTokensLock.addToWaiting = function(func) {
             this.removeFromWaiting(func);
@@ -729,22 +730,22 @@
             if (SuperTokensLock.waiters === undefined) {
                 return;
             }
-            SuperTokensLock.waiters = SuperTokensLock.waiters.filter((function(i) {
+            SuperTokensLock.waiters = SuperTokensLock.waiters.filter(function(i) {
                 return i !== func;
-            }));
+            });
         };
         SuperTokensLock.notifyWaiters = function() {
             if (SuperTokensLock.waiters === undefined) {
                 return;
             }
             var waiters = SuperTokensLock.waiters.slice();
-            waiters.forEach((function(i) {
+            waiters.forEach(function(i) {
                 return i();
-            }));
+            });
         };
         SuperTokensLock.prototype.releaseLock = function(lockKey) {
-            return __awaiter(this, void 0, void 0, (function() {
-                return __generator(this, (function(_a) {
+            return __awaiter(this, void 0, void 0, function() {
+                return __generator(this, function(_a) {
                     switch (_a.label) {
                       case 0:
                         return [ 4, this.releaseLock__private__(lockKey) ];
@@ -752,13 +753,13 @@
                       case 1:
                         return [ 2, _a.sent() ];
                     }
-                }));
-            }));
+                });
+            });
         };
         SuperTokensLock.prototype.releaseLock__private__ = function(lockKey) {
-            return __awaiter(this, void 0, void 0, (function() {
+            return __awaiter(this, void 0, void 0, function() {
                 var STORAGE, STORAGE_KEY, lockObj, parsedlockObj;
-                return __generator(this, (function(_a) {
+                return __generator(this, function(_a) {
                     switch (_a.label) {
                       case 0:
                         STORAGE = this.storageHandler === undefined ? DEFAULT_STORAGE_HANDLER : this.storageHandler;
@@ -782,8 +783,8 @@
                       case 2:
                         return [ 2 ];
                     }
-                }));
-            }));
+                });
+            });
         };
         SuperTokensLock.lockCorrector = function(storageHandler) {
             var MIN_ALLOWED_TIME = Date.now() - 5e3;
@@ -823,16 +824,16 @@
     class WebLocksApiManager {
         async runWithLock(key, timeout, callback) {
             const controller = new AbortController;
-            const timeoutId = setTimeout((() => controller.abort()), timeout);
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
             try {
                 return await navigator.locks.request(key, {
                     mode: "exclusive",
                     signal: controller.signal
-                }, (async lock => {
+                }, async lock => {
                     clearTimeout(timeoutId);
                     if (!lock) throw new Error("Lock not available");
                     return await callback();
-                }));
+                });
             } catch (error) {
                 clearTimeout(timeoutId);
                 if ((error === null || error === void 0 ? void 0 : error.name) === "AbortError") throw new TimeoutError;
@@ -845,7 +846,7 @@
             this.activeLocks = new Set;
             this.lock = new _default;
             this.pagehideHandler = () => {
-                this.activeLocks.forEach((key => this.lock.releaseLock(key)));
+                this.activeLocks.forEach(key => this.lock.releaseLock(key));
                 this.activeLocks.clear();
             };
         }
@@ -1197,7 +1198,7 @@
     function isGrantTypeSupported(grantType) {
         return SUPPORTED_GRANT_TYPES.includes(grantType);
     }
-    const sendMessage = (message, to) => new Promise((function(resolve, reject) {
+    const sendMessage = (message, to) => new Promise(function(resolve, reject) {
         const messageChannel = new MessageChannel;
         messageChannel.port1.onmessage = function(event) {
             if (event.data.error) {
@@ -1208,7 +1209,7 @@
             messageChannel.port1.close();
         };
         to.postMessage(message, [ messageChannel.port2 ]);
-    }));
+    });
     const createAbortController = () => new AbortController;
     const dofetch = async (fetchUrl, fetchOptions) => {
         const response = await fetch(fetchUrl, fetchOptions);
@@ -1222,14 +1223,14 @@
         const controller = createAbortController();
         fetchOptions.signal = controller.signal;
         let timeoutId;
-        return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise(((_, reject) => {
-            timeoutId = setTimeout((() => {
+        return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise((_, reject) => {
+            timeoutId = setTimeout(() => {
                 controller.abort();
                 reject(new Error("Timeout when executing 'fetch'"));
-            }), timeout);
-        })) ]).finally((() => {
+            }, timeout);
+        }) ]).finally(() => {
             clearTimeout(timeoutId);
-        }));
+        });
     };
     const fetchWithWorker = async (fetchUrl, audience, scope, fetchOptions, timeout, worker, useFormData, useMrrt) => sendMessage({
         auth: {
@@ -1344,10 +1345,10 @@
         let requestedScopes = {
             [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, ...extraScopes)
         };
-        Object.keys(authScopes).forEach((key => {
+        Object.keys(authScopes).forEach(key => {
             const audienceScopes = authScopes[key];
             requestedScopes[key] = getUniqueScopes(openIdScope, audienceScopes, ...extraScopes);
-        }));
+        });
         return requestedScopes;
     };
     const scopesToRequest = (authScopes, methodScopes, audience) => {
@@ -1410,7 +1411,7 @@
             localStorage.removeItem(key);
         }
         allKeys() {
-            return Object.keys(window.localStorage).filter((key => key.startsWith(CACHE_KEY_PREFIX)));
+            return Object.keys(window.localStorage).filter(key => key.startsWith(CACHE_KEY_PREFIX));
         }
     }
     class InMemoryCache {
@@ -1545,10 +1546,10 @@
             var _a;
             const keys = await this.getCacheKeys();
             if (!keys) return;
-            await keys.filter((key => clientId ? key.includes(clientId) : true)).reduce((async (memo, key) => {
+            await keys.filter(key => clientId ? key.includes(clientId) : true).reduce(async (memo, key) => {
                 await memo;
                 await this.cache.remove(key);
-            }), Promise.resolve());
+            }, Promise.resolve());
             await ((_a = this.keyManifest) === null || _a === void 0 ? void 0 : _a.clear());
         }
         async wrapCacheEntry(entry) {
@@ -1573,14 +1574,14 @@
             }, CACHE_KEY_PREFIX, CACHE_KEY_ID_TOKEN_SUFFIX).toKey();
         }
         matchExistingCacheKey(keyToMatch, allKeys) {
-            return allKeys.filter((key => {
+            return allKeys.filter(key => {
                 var _a;
                 const cacheKey = CacheKey.fromKey(key);
                 const scopeSet = new Set(cacheKey.scope && cacheKey.scope.split(" "));
                 const scopesToMatch = ((_a = keyToMatch.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
-                const hasAllScopes = cacheKey.scope && scopesToMatch.reduce(((acc, current) => acc && scopeSet.has(current)), true);
+                const hasAllScopes = cacheKey.scope && scopesToMatch.reduce((acc, current) => acc && scopeSet.has(current), true);
                 return cacheKey.prefix === CACHE_KEY_PREFIX && cacheKey.clientId === keyToMatch.clientId && cacheKey.audience === keyToMatch.audience && hasAllScopes;
-            }))[0];
+            })[0];
         }
         async getEntryWithRefreshToken(keyToMatch, allKeys) {
             var _a;
@@ -1644,12 +1645,12 @@
             __raw: token
         };
         const user = {};
-        Object.keys(payloadJSON).forEach((k => {
+        Object.keys(payloadJSON).forEach(k => {
             claims[k] = payloadJSON[k];
             if (!idTokendecoded.includes(k)) {
                 user[k] = payloadJSON[k];
             }
-        }));
+        });
         return {
             encoded: {
                 header: header,
@@ -1941,15 +1942,15 @@
             return new Worker(url, options);
         };
     }
-    var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoKGsgPT4gdHlwZW9mIHBhcmFtc1trXSAhPT0gInVuZGVmaW5lZCIpKS5yZWR1Y2UoKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSksIHt9KTsKICAgIGNvbnN0IGNyZWF0ZVF1ZXJ5UGFyYW1zID0gX2EgPT4gewogICAgICAgIHZhciB7Y2xpZW50SWQ6IGNsaWVudF9pZH0gPSBfYSwgcGFyYW1zID0gX19yZXN0KF9hLCBbICJjbGllbnRJZCIgXSk7CiAgICAgICAgcmV0dXJuIG5ldyBVUkxTZWFyY2hQYXJhbXMoc3RyaXBVbmRlZmluZWQoT2JqZWN0LmFzc2lnbih7CiAgICAgICAgICAgIGNsaWVudF9pZDogY2xpZW50X2lkCiAgICAgICAgfSwgcGFyYW1zKSkpLnRvU3RyaW5nKCk7CiAgICB9OwogICAgY29uc3QgZnJvbUVudHJpZXMgPSBpdGVyYWJsZSA9PiBbIC4uLml0ZXJhYmxlIF0ucmVkdWNlKCgob2JqLCBfcmVmKSA9PiB7CiAgICAgICAgbGV0IFtrZXksIHZhbF0gPSBfcmVmOwogICAgICAgIG9ialtrZXldID0gdmFsOwogICAgICAgIHJldHVybiBvYmo7CiAgICB9KSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmVzaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZSgocmVzb2x2ZSA9PiBzZXRUaW1lb3V0KHJlc29sdmUsIHRpbWUpKSk7CiAgICBjb25zdCBmb3JtRGF0YVRvT2JqZWN0ID0gZm9ybURhdGEgPT4gewogICAgICAgIGNvbnN0IHF1ZXJ5UGFyYW1zID0gbmV3IFVSTFNlYXJjaFBhcmFtcyhmb3JtRGF0YSk7CiAgICAgICAgY29uc3QgcGFyc2VkUXVlcnkgPSB7fTsKICAgICAgICBxdWVyeVBhcmFtcy5mb3JFYWNoKCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KSk7CiAgICAgICAgcmV0dXJuIHBhcnNlZFF1ZXJ5OwogICAgfTsKICAgIGNvbnN0IHVwZGF0ZVJlZnJlc2hUb2tlbnMgPSAob2xkUmVmcmVzaFRva2VuLCBuZXdSZWZyZXNoVG9rZW4pID0+IHsKICAgICAgICBPYmplY3QuZW50cmllcyhyZWZyZXNoVG9rZW5zKS5mb3JFYWNoKChfcmVmID0+IHsKICAgICAgICAgICAgbGV0IFtrZXksIHRva2VuXSA9IF9yZWY7CiAgICAgICAgICAgIGlmICh0b2tlbiA9PT0gb2xkUmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICByZWZyZXNoVG9rZW5zW2tleV0gPSBuZXdSZWZyZXNoVG9rZW47CiAgICAgICAgICAgIH0KICAgICAgICB9KSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKChrZXkgPT4gewogICAgICAgICAgICBpZiAoa2V5ICE9PSAibGF0ZXN0X3JlZnJlc2hfdG9rZW4iKSB7CiAgICAgICAgICAgICAgICBjb25zdCBpc1NhbWVBdWRpZW5jZSA9IGNhY2hlS2V5Q29udGFpbnNBdWRpZW5jZShhdWRpZW5jZSwga2V5KTsKICAgICAgICAgICAgICAgIGNvbnN0IHNjb3Blc0tleSA9IGtleS5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCByZXF1ZXN0ZWRTY29wZXMgPSBzY29wZS5zcGxpdCgiICIpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzQXJlSW5jbHVkZWQgPSByZXF1ZXN0ZWRTY29wZXMuZXZlcnkoKGtleSA9PiBzY29wZXNLZXkuaW5jbHVkZXMoa2V5KSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSkpOwogICAgICAgIHJldHVybiBmaW5kQ29pbmNpZGVuY2UgPyB0cnVlIDogZmFsc2U7CiAgICB9OwogICAgY29uc3QgbWVzc2FnZUhhbmRsZXIgPSBhc3luYyBfcmVmMiA9PiB7CiAgICAgICAgbGV0IHtkYXRhOiB7dGltZW91dDogdGltZW91dCwgYXV0aDogYXV0aCwgZmV0Y2hVcmw6IGZldGNoVXJsLCBmZXRjaE9wdGlvbnM6IGZldGNoT3B0aW9ucywgdXNlRm9ybURhdGE6IHVzZUZvcm1EYXRhLCB1c2VNcnJ0OiB1c2VNcnJ0fSwgcG9ydHM6IFtwb3J0XX0gPSBfcmVmMjsKICAgICAgICBsZXQgaGVhZGVycyA9IHt9OwogICAgICAgIGxldCBqc29uOwogICAgICAgIGxldCByZWZyZXNoVG9rZW47CiAgICAgICAgY29uc3Qge2F1ZGllbmNlOiBhdWRpZW5jZSwgc2NvcGU6IHNjb3BlfSA9IGF1dGggfHwge307CiAgICAgICAgdHJ5IHsKICAgICAgICAgICAgY29uc3QgYm9keSA9IHVzZUZvcm1EYXRhID8gZm9ybURhdGFUb09iamVjdChmZXRjaE9wdGlvbnMuYm9keSkgOiBKU09OLnBhcnNlKGZldGNoT3B0aW9ucy5ib2R5KTsKICAgICAgICAgICAgaWYgKCFib2R5LnJlZnJlc2hfdG9rZW4gJiYgYm9keS5ncmFudF90eXBlID09PSAicmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGdldFJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgaWYgKCFyZWZyZXNoVG9rZW4gJiYgdXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIGNvbnN0IGxhdGVzdFJlZnJlc2hUb2tlbiA9IHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl07CiAgICAgICAgICAgICAgICAgICAgY29uc3QgaXNEb3duc2NvcGluZyA9IGNoZWNrRG93bnNjb3Bpbmcoc2NvcGUsIGF1ZGllbmNlKTsKICAgICAgICAgICAgICAgICAgICBpZiAobGF0ZXN0UmVmcmVzaFRva2VuICYmICFpc0Rvd25zY29waW5nKSB7CiAgICAgICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGxhdGVzdFJlZnJlc2hUb2tlbjsKICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgICAgIHRocm93IG5ldyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IoYXVkaWVuY2UsIHNjb3BlKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5ib2R5ID0gdXNlRm9ybURhdGEgPyBjcmVhdGVRdWVyeVBhcmFtcyhPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSkgOiBKU09OLnN0cmluZ2lmeShPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgbGV0IGFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgaWYgKHR5cGVvZiBBYm9ydENvbnRyb2xsZXIgPT09ICJmdW5jdGlvbiIpIHsKICAgICAgICAgICAgICAgIGFib3J0Q29udHJvbGxlciA9IG5ldyBBYm9ydENvbnRyb2xsZXI7CiAgICAgICAgICAgICAgICBmZXRjaE9wdGlvbnMuc2lnbmFsID0gYWJvcnRDb250cm9sbGVyLnNpZ25hbDsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgcmVzcG9uc2U7CiAgICAgICAgICAgIHRyeSB7CiAgICAgICAgICAgICAgICByZXNwb25zZSA9IGF3YWl0IFByb21pc2UucmFjZShbIHdhaXQodGltZW91dCksIGZldGNoKGZldGNoVXJsLCBPYmplY3QuYXNzaWduKHt9LCBmZXRjaE9wdGlvbnMpKSBdKTsKICAgICAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBpZiAoIXJlc3BvbnNlKSB7CiAgICAgICAgICAgICAgICBpZiAoYWJvcnRDb250cm9sbGVyKSBhYm9ydENvbnRyb2xsZXIuYWJvcnQoKTsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiAiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIgogICAgICAgICAgICAgICAgfSk7CiAgICAgICAgICAgICAgICByZXR1cm47CiAgICAgICAgICAgIH0KICAgICAgICAgICAgaGVhZGVycyA9IGZyb21FbnRyaWVzKHJlc3BvbnNlLmhlYWRlcnMpOwogICAgICAgICAgICBqc29uID0gYXdhaXQgcmVzcG9uc2UuanNvbigpOwogICAgICAgICAgICBpZiAoanNvbi5yZWZyZXNoX3Rva2VuKSB7CiAgICAgICAgICAgICAgICBpZiAodXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl0gPSBqc29uLnJlZnJlc2hfdG9rZW47CiAgICAgICAgICAgICAgICAgICAgdXBkYXRlUmVmcmVzaFRva2VucyhyZWZyZXNoVG9rZW4sIGpzb24ucmVmcmVzaF90b2tlbik7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBzZXRSZWZyZXNoVG9rZW4oanNvbi5yZWZyZXNoX3Rva2VuLCBhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgZGVsZXRlIGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgIGRlbGV0ZVJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICB9CiAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgb2s6IHJlc3BvbnNlLm9rLAogICAgICAgICAgICAgICAganNvbjoganNvbiwKICAgICAgICAgICAgICAgIGhlYWRlcnM6IGhlYWRlcnMKICAgICAgICAgICAgfSk7CiAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogZmFsc2UsCiAgICAgICAgICAgICAgICBqc29uOiB7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLmVycm9yLAogICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9CiAgICB9OwogICAgewogICAgICAgIGFkZEV2ZW50TGlzdGVuZXIoIm1lc3NhZ2UiLCBtZXNzYWdlSGFuZGxlcik7CiAgICB9Cn0pKCk7Cgo=", null, false);
+    var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoayA9PiB0eXBlb2YgcGFyYW1zW2tdICE9PSAidW5kZWZpbmVkIikucmVkdWNlKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSwge30pOwogICAgY29uc3QgY3JlYXRlUXVlcnlQYXJhbXMgPSBfYSA9PiB7CiAgICAgICAgdmFyIHtjbGllbnRJZDogY2xpZW50X2lkfSA9IF9hLCBwYXJhbXMgPSBfX3Jlc3QoX2EsIFsgImNsaWVudElkIiBdKTsKICAgICAgICByZXR1cm4gbmV3IFVSTFNlYXJjaFBhcmFtcyhzdHJpcFVuZGVmaW5lZChPYmplY3QuYXNzaWduKHsKICAgICAgICAgICAgY2xpZW50X2lkOiBjbGllbnRfaWQKICAgICAgICB9LCBwYXJhbXMpKSkudG9TdHJpbmcoKTsKICAgIH07CiAgICBjb25zdCBmcm9tRW50cmllcyA9IGl0ZXJhYmxlID0+IFsgLi4uaXRlcmFibGUgXS5yZWR1Y2UoKG9iaiwgX3JlZikgPT4gewogICAgICAgIGxldCBba2V5LCB2YWxdID0gX3JlZjsKICAgICAgICBvYmpba2V5XSA9IHZhbDsKICAgICAgICByZXR1cm4gb2JqOwogICAgfSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmVzaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZShyZXNvbHZlID0+IHNldFRpbWVvdXQocmVzb2x2ZSwgdGltZSkpOwogICAgY29uc3QgZm9ybURhdGFUb09iamVjdCA9IGZvcm1EYXRhID0+IHsKICAgICAgICBjb25zdCBxdWVyeVBhcmFtcyA9IG5ldyBVUkxTZWFyY2hQYXJhbXMoZm9ybURhdGEpOwogICAgICAgIGNvbnN0IHBhcnNlZFF1ZXJ5ID0ge307CiAgICAgICAgcXVlcnlQYXJhbXMuZm9yRWFjaCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KTsKICAgICAgICByZXR1cm4gcGFyc2VkUXVlcnk7CiAgICB9OwogICAgY29uc3QgdXBkYXRlUmVmcmVzaFRva2VucyA9IChvbGRSZWZyZXNoVG9rZW4sIG5ld1JlZnJlc2hUb2tlbikgPT4gewogICAgICAgIE9iamVjdC5lbnRyaWVzKHJlZnJlc2hUb2tlbnMpLmZvckVhY2goX3JlZiA9PiB7CiAgICAgICAgICAgIGxldCBba2V5LCB0b2tlbl0gPSBfcmVmOwogICAgICAgICAgICBpZiAodG9rZW4gPT09IG9sZFJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1trZXldID0gbmV3UmVmcmVzaFRva2VuOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKGtleSA9PiB7CiAgICAgICAgICAgIGlmIChrZXkgIT09ICJsYXRlc3RfcmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIGNvbnN0IGlzU2FtZUF1ZGllbmNlID0gY2FjaGVLZXlDb250YWluc0F1ZGllbmNlKGF1ZGllbmNlLCBrZXkpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzS2V5ID0ga2V5LnNwbGl0KCJ8IilbMV0uc3BsaXQoIiAiKTsKICAgICAgICAgICAgICAgIGNvbnN0IHJlcXVlc3RlZFNjb3BlcyA9IHNjb3BlLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCBzY29wZXNBcmVJbmNsdWRlZCA9IHJlcXVlc3RlZFNjb3Blcy5ldmVyeShrZXkgPT4gc2NvcGVzS2V5LmluY2x1ZGVzKGtleSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICAgICAgcmV0dXJuIGZpbmRDb2luY2lkZW5jZSA/IHRydWUgOiBmYWxzZTsKICAgIH07CiAgICBjb25zdCBtZXNzYWdlSGFuZGxlciA9IGFzeW5jIF9yZWYyID0+IHsKICAgICAgICBsZXQge2RhdGE6IHt0aW1lb3V0OiB0aW1lb3V0LCBhdXRoOiBhdXRoLCBmZXRjaFVybDogZmV0Y2hVcmwsIGZldGNoT3B0aW9uczogZmV0Y2hPcHRpb25zLCB1c2VGb3JtRGF0YTogdXNlRm9ybURhdGEsIHVzZU1ycnQ6IHVzZU1ycnR9LCBwb3J0czogW3BvcnRdfSA9IF9yZWYyOwogICAgICAgIGxldCBoZWFkZXJzID0ge307CiAgICAgICAgbGV0IGpzb247CiAgICAgICAgbGV0IHJlZnJlc2hUb2tlbjsKICAgICAgICBjb25zdCB7YXVkaWVuY2U6IGF1ZGllbmNlLCBzY29wZTogc2NvcGV9ID0gYXV0aCB8fCB7fTsKICAgICAgICB0cnkgewogICAgICAgICAgICBjb25zdCBib2R5ID0gdXNlRm9ybURhdGEgPyBmb3JtRGF0YVRvT2JqZWN0KGZldGNoT3B0aW9ucy5ib2R5KSA6IEpTT04ucGFyc2UoZmV0Y2hPcHRpb25zLmJvZHkpOwogICAgICAgICAgICBpZiAoIWJvZHkucmVmcmVzaF90b2tlbiAmJiBib2R5LmdyYW50X3R5cGUgPT09ICJyZWZyZXNoX3Rva2VuIikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gZ2V0UmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbiAmJiB1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgY29uc3QgbGF0ZXN0UmVmcmVzaFRva2VuID0gcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXTsKICAgICAgICAgICAgICAgICAgICBjb25zdCBpc0Rvd25zY29waW5nID0gY2hlY2tEb3duc2NvcGluZyhzY29wZSwgYXVkaWVuY2UpOwogICAgICAgICAgICAgICAgICAgIGlmIChsYXRlc3RSZWZyZXNoVG9rZW4gJiYgIWlzRG93bnNjb3BpbmcpIHsKICAgICAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gbGF0ZXN0UmVmcmVzaFRva2VuOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGlmICghcmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvcihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgZmV0Y2hPcHRpb25zLmJvZHkgPSB1c2VGb3JtRGF0YSA/IGNyZWF0ZVF1ZXJ5UGFyYW1zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKSA6IEpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKTsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgYWJvcnRDb250cm9sbGVyOwogICAgICAgICAgICBpZiAodHlwZW9mIEFib3J0Q29udHJvbGxlciA9PT0gImZ1bmN0aW9uIikgewogICAgICAgICAgICAgICAgYWJvcnRDb250cm9sbGVyID0gbmV3IEFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5zaWduYWwgPSBhYm9ydENvbnRyb2xsZXIuc2lnbmFsOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGxldCByZXNwb25zZTsKICAgICAgICAgICAgdHJ5IHsKICAgICAgICAgICAgICAgIHJlc3BvbnNlID0gYXdhaXQgUHJvbWlzZS5yYWNlKFsgd2FpdCh0aW1lb3V0KSwgZmV0Y2goZmV0Y2hVcmwsIE9iamVjdC5hc3NpZ24oe30sIGZldGNoT3B0aW9ucykpIF0pOwogICAgICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGlmICghcmVzcG9uc2UpIHsKICAgICAgICAgICAgICAgIGlmIChhYm9ydENvbnRyb2xsZXIpIGFib3J0Q29udHJvbGxlci5hYm9ydCgpOwogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6ICJUaW1lb3V0IHdoZW4gZXhlY3V0aW5nICdmZXRjaCciCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBoZWFkZXJzID0gZnJvbUVudHJpZXMocmVzcG9uc2UuaGVhZGVycyk7CiAgICAgICAgICAgIGpzb24gPSBhd2FpdCByZXNwb25zZS5qc29uKCk7CiAgICAgICAgICAgIGlmIChqc29uLnJlZnJlc2hfdG9rZW4pIHsKICAgICAgICAgICAgICAgIGlmICh1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXSA9IGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgICAgICAgICB1cGRhdGVSZWZyZXNoVG9rZW5zKHJlZnJlc2hUb2tlbiwganNvbi5yZWZyZXNoX3Rva2VuKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIHNldFJlZnJlc2hUb2tlbihqc29uLnJlZnJlc2hfdG9rZW4sIGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBkZWxldGUganNvbi5yZWZyZXNoX3Rva2VuOwogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgZGVsZXRlUmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogcmVzcG9uc2Uub2ssCiAgICAgICAgICAgICAgICBqc29uOiBqc29uLAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICBwb3J0LnBvc3RNZXNzYWdlKHsKICAgICAgICAgICAgICAgIG9rOiBmYWxzZSwKICAgICAgICAgICAgICAgIGpzb246IHsKICAgICAgICAgICAgICAgICAgICBlcnJvcjogZXJyb3IuZXJyb3IsCiAgICAgICAgICAgICAgICAgICAgZXJyb3JfZGVzY3JpcHRpb246IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICBoZWFkZXJzOiBoZWFkZXJzCiAgICAgICAgICAgIH0pOwogICAgICAgIH0KICAgIH07CiAgICB7CiAgICAgICAgYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIG1lc3NhZ2VIYW5kbGVyKTsKICAgIH0KfSkoKTsKCg==", null, false);
     const singlePromiseMap = {};
     const singlePromise = (cb, key) => {
         let promise = singlePromiseMap[key];
         if (!promise) {
-            promise = cb().finally((() => {
+            promise = cb().finally(() => {
                 delete singlePromiseMap[key];
                 promise = null;
-            }));
+            });
             singlePromiseMap[key] = promise;
         }
         return promise;
@@ -2026,12 +2027,12 @@
     const allScopesAreIncluded = (scopeToInclude, scopes) => {
         const scopeGroup = (scopes === null || scopes === void 0 ? void 0 : scopes.split(" ")) || [];
         const scopesToInclude = (scopeToInclude === null || scopeToInclude === void 0 ? void 0 : scopeToInclude.split(" ")) || [];
-        return scopesToInclude.every((key => scopeGroup.includes(key)));
+        return scopesToInclude.every(key => scopeGroup.includes(key));
     };
     const getMissingScopes = (requestedScope, respondedScope) => {
         const requestedScopes = (requestedScope === null || requestedScope === void 0 ? void 0 : requestedScope.split(" ")) || [];
         const respondedScopes = (respondedScope === null || respondedScope === void 0 ? void 0 : respondedScope.split(" ")) || [];
-        const missingScopes = requestedScopes.filter((scope => respondedScopes.indexOf(scope) == -1));
+        const missingScopes = requestedScopes.filter(scope => respondedScopes.indexOf(scope) == -1);
         return missingScopes.join(",");
     };
     const getScopeToRequest = (useMrrt, authorizationParams, cachedAudience, cachedScope) => {
@@ -2042,7 +2043,7 @@
             }
             const cachedScopes = cachedScope.split(" ");
             const newScopes = ((_a = authorizationParams.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
-            const newScopesAreIncluded = newScopes.every((scope => cachedScopes.includes(scope)));
+            const newScopesAreIncluded = newScopes.every(scope => cachedScopes.includes(scope));
             return cachedScopes.length >= newScopes.length && newScopesAreIncluded ? cachedScope : authorizationParams.scope;
         }
         return authorizationParams.scope;
@@ -2069,11 +2070,11 @@
         }
         createDbHandle() {
             const req = window.indexedDB.open(NAME, this.getVersion());
-            return new Promise(((resolve, reject) => {
-                req.onupgradeneeded = () => Object.values(TABLES).forEach((t => req.result.createObjectStore(t)));
+            return new Promise((resolve, reject) => {
+                req.onupgradeneeded = () => Object.values(TABLES).forEach(t => req.result.createObjectStore(t));
                 req.onerror = () => reject(req.error);
                 req.onsuccess = () => resolve(req.result);
-            }));
+            });
         }
         async getDbHandle() {
             if (!this.dbHandle) {
@@ -2086,10 +2087,10 @@
             const txn = db.transaction(table, mode);
             const store = txn.objectStore(table);
             const request = requestFactory(store);
-            return new Promise(((resolve, reject) => {
+            return new Promise((resolve, reject) => {
                 request.onsuccess = () => resolve(request.result);
                 request.onerror = () => reject(request.error);
-            }));
+            });
         }
         buildKey(id) {
             const finalId = id ? "_".concat(id) : AUTH0_NONCE_ID;
@@ -2102,7 +2103,7 @@
             return this.save(TABLES.KEYPAIR, this.buildKey(), keyPair);
         }
         async save(table, key, obj) {
-            return void await this.executeDbRequest(table, "readwrite", (table => table.put(obj, key)));
+            return void await this.executeDbRequest(table, "readwrite", table => table.put(obj, key));
         }
         findNonce(id) {
             return this.find(TABLES.NONCE, this.buildKey(id));
@@ -2111,14 +2112,14 @@
             return this.find(TABLES.KEYPAIR, this.buildKey());
         }
         find(table, key) {
-            return this.executeDbRequest(table, "readonly", (table => table.get(key)));
+            return this.executeDbRequest(table, "readonly", table => table.get(key));
         }
         async deleteBy(table, predicate) {
-            const allKeys = await this.executeDbRequest(table, "readonly", (table => table.getAllKeys()));
-            allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map((k => this.executeDbRequest(table, "readwrite", (table => table.delete(k)))));
+            const allKeys = await this.executeDbRequest(table, "readonly", table => table.getAllKeys());
+            allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map(k => this.executeDbRequest(table, "readwrite", table => table.delete(k)));
         }
         deleteByClientId(table, clientId) {
-            return this.deleteBy(table, (k => typeof k === "string" && k.startsWith("".concat(clientId, "::"))));
+            return this.deleteBy(table, k => typeof k === "string" && k.startsWith("".concat(clientId, "::")));
         }
         clearNonces() {
             return this.deleteByClientId(TABLES.NONCE, this.clientId);
@@ -2428,20 +2429,20 @@
         var t = Object.keys(e);
         if (Object.getOwnPropertySymbols) {
             var o = Object.getOwnPropertySymbols(e);
-            r && (o = o.filter((function(r) {
+            r && (o = o.filter(function(r) {
                 return Object.getOwnPropertyDescriptor(e, r).enumerable;
-            }))), t.push.apply(t, o);
+            })), t.push.apply(t, o);
         }
         return t;
     }
     function _objectSpread2(e) {
         for (var r = 1; r < arguments.length; r++) {
             var t = null != arguments[r] ? arguments[r] : {};
-            r % 2 ? ownKeys(Object(t), !0).forEach((function(r) {
+            r % 2 ? ownKeys(Object(t), !0).forEach(function(r) {
                 _defineProperty(e, r, t[r]);
-            })) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach((function(r) {
+            }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function(r) {
                 Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r));
-            }));
+            });
         }
         return e;
     }
@@ -2487,16 +2488,16 @@
         function resume(r, t) {
             try {
                 var n = e[r](t), o = n.value, u = o instanceof _OverloadYield;
-                Promise.resolve(u ? o.v : o).then((function(t) {
+                Promise.resolve(u ? o.v : o).then(function(t) {
                     if (u) {
                         var i = "return" === r ? "return" : "next";
                         if (!o.k || t.done) return resume(i, t);
                         t = e[i](t).value;
                     }
                     settle(n.done ? "return" : "normal", t);
-                }), (function(e) {
+                }, function(e) {
                     resume("throw", e);
-                }));
+                });
             } catch (e) {
                 settle("throw", e);
             }
@@ -2523,7 +2524,7 @@
             (r = r.next) ? resume(r.key, r.arg) : t = null;
         }
         this._invoke = function(e, n) {
-            return new Promise((function(o, u) {
+            return new Promise(function(o, u) {
                 var i = {
                     key: e,
                     arg: n,
@@ -2532,7 +2533,7 @@
                     next: null
                 };
                 t ? t = t.next = i : (r = t = i, resume(e, n));
-            }));
+            });
         }, "function" != typeof e.return && (this.return = void 0);
     }
     AsyncGenerator.prototype["function" == typeof Symbol && Symbol.asyncIterator || "@@asyncIterator"] = function() {
@@ -2548,7 +2549,7 @@
     let USER_AGENT$2;
     if (typeof navigator === "undefined" || !((_navigator$userAgent$2 = navigator.userAgent) !== null && _navigator$userAgent$2 !== void 0 && (_navigator$userAgent$$2 = _navigator$userAgent$2.startsWith) !== null && _navigator$userAgent$$2 !== void 0 && _navigator$userAgent$$2.call(_navigator$userAgent$2, "Mozilla/5.0 "))) {
         const NAME = "oauth4webapi";
-        const VERSION = "v3.8.3";
+        const VERSION = "v3.8.5";
         USER_AGENT$2 = "".concat(NAME, "/").concat(VERSION);
     }
     function looseInstanceOf(input, expected) {
@@ -2747,7 +2748,7 @@
         });
     }
     async function discoveryRequest(issuerIdentifier, options) {
-        return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url => {
+        return performDiscovery$1(issuerIdentifier, "issuerIdentifier", url => {
             switch (options === null || options === void 0 ? void 0 : options.algorithm) {
               case undefined:
               case "oidc":
@@ -2762,7 +2763,7 @@
                 throw CodedTypeError$1('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE$1);
             }
             return url;
-        }), options);
+        }, options);
     }
     function assertNumber(input, allow0, it, code, cause) {
         try {
@@ -3998,10 +3999,10 @@
         for (var _len = arguments.length, buffers = new Array(_len), _key = 0; _key < _len; _key++) {
             buffers[_key] = arguments[_key];
         }
-        const size = buffers.reduce(((acc, _ref) => {
+        const size = buffers.reduce((acc, _ref) => {
             let {length: length} = _ref;
             return acc + length;
-        }), 0);
+        }, 0);
         const buf = new Uint8Array(size);
         let i = 0;
         for (const buffer of buffers) {
@@ -4049,6 +4050,135 @@
             throw new TypeError("The input to be decoded is not correctly encoded.");
         }
     }
+    const unusable = function unusable(name) {
+        let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
+        return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
+    };
+    const isAlgorithm = (algorithm, name) => algorithm.name === name;
+    function getHashLength(hash) {
+        return parseInt(hash.name.slice(4), 10);
+    }
+    function checkHashLength(algorithm, expected) {
+        const actual = getHashLength(algorithm.hash);
+        if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
+    }
+    function getNamedCurve(alg) {
+        switch (alg) {
+          case "ES256":
+            return "P-256";
+
+          case "ES384":
+            return "P-384";
+
+          case "ES512":
+            return "P-521";
+
+          default:
+            throw new Error("unreachable");
+        }
+    }
+    function checkUsage(key, usage) {
+        if (usage && !key.usages.includes(usage)) {
+            throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
+        }
+    }
+    function checkSigCryptoKey(key, alg, usage) {
+        switch (alg) {
+          case "HS256":
+          case "HS384":
+          case "HS512":
+            {
+                if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
+                checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+                break;
+            }
+
+          case "RS256":
+          case "RS384":
+          case "RS512":
+            {
+                if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
+                checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+                break;
+            }
+
+          case "PS256":
+          case "PS384":
+          case "PS512":
+            {
+                if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
+                checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+                break;
+            }
+
+          case "Ed25519":
+          case "EdDSA":
+            {
+                if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+                break;
+            }
+
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+            {
+                if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+                break;
+            }
+
+          case "ES256":
+          case "ES384":
+          case "ES512":
+            {
+                if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
+                const expected = getNamedCurve(alg);
+                const actual = key.algorithm.namedCurve;
+                if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
+                break;
+            }
+
+          default:
+            throw new TypeError("CryptoKey does not support this operation");
+        }
+        checkUsage(key, usage);
+    }
+    function message(msg, actual) {
+        for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
+            types[_key - 2] = arguments[_key];
+        }
+        types = types.filter(Boolean);
+        if (types.length > 2) {
+            const last = types.pop();
+            msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
+        } else if (types.length === 2) {
+            msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
+        } else {
+            msg += "of type ".concat(types[0], ".");
+        }
+        if (actual == null) {
+            msg += " Received ".concat(actual);
+        } else if (typeof actual === "function" && actual.name) {
+            msg += " Received function ".concat(actual.name);
+        } else if (typeof actual === "object" && actual != null) {
+            var _actual$constructor;
+            if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
+                msg += " Received an instance of ".concat(actual.constructor.name);
+            }
+        }
+        return msg;
+    }
+    const invalidKeyInput = function invalidKeyInput(actual) {
+        for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
+            types[_key2 - 1] = arguments[_key2];
+        }
+        return message("Key must be ", actual, ...types);
+    };
+    const withAlg = function withAlg(alg, actual) {
+        for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
+            types[_key3 - 2] = arguments[_key3];
+        }
+        return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
+    };
     class JOSEError extends Error {
         constructor(message, options) {
             var _Error$captureStackTr;
@@ -4196,147 +4326,37 @@
         }
     }
     _defineProperty(JWSSignatureVerificationFailed, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
-    const unusable = function unusable(name) {
-        let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
-        return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
+    const isCryptoKey = key => {
+        if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
+        try {
+            return key instanceof CryptoKey;
+        } catch (_unused) {
+            return false;
+        }
     };
-    const isAlgorithm = (algorithm, name) => algorithm.name === name;
-    function getHashLength(hash) {
-        return parseInt(hash.name.slice(4), 10);
-    }
-    function getNamedCurve(alg) {
-        switch (alg) {
-          case "ES256":
-            return "P-256";
-
-          case "ES384":
-            return "P-384";
-
-          case "ES512":
-            return "P-521";
-
-          default:
-            throw new Error("unreachable");
+    const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
+    const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
+    function decodeBase64url(value, label, ErrorClass) {
+        try {
+            return decode(value);
+        } catch (_unused) {
+            throw new ErrorClass("Failed to base64url decode the ".concat(label));
         }
     }
-    function checkUsage(key, usage) {
-        if (usage && !key.usages.includes(usage)) {
-            throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
+    const isObjectLike = value => typeof value === "object" && value !== null;
+    function isObject(input) {
+        if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+            return false;
         }
+        if (Object.getPrototypeOf(input) === null) {
+            return true;
+        }
+        let proto = input;
+        while (Object.getPrototypeOf(proto) !== null) {
+            proto = Object.getPrototypeOf(proto);
+        }
+        return Object.getPrototypeOf(input) === proto;
     }
-    function checkSigCryptoKey(key, alg, usage) {
-        switch (alg) {
-          case "HS256":
-          case "HS384":
-          case "HS512":
-            {
-                if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
-                const expected = parseInt(alg.slice(2), 10);
-                const actual = getHashLength(key.algorithm.hash);
-                if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
-                break;
-            }
-
-          case "RS256":
-          case "RS384":
-          case "RS512":
-            {
-                if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
-                const expected = parseInt(alg.slice(2), 10);
-                const actual = getHashLength(key.algorithm.hash);
-                if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
-                break;
-            }
-
-          case "PS256":
-          case "PS384":
-          case "PS512":
-            {
-                if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
-                const expected = parseInt(alg.slice(2), 10);
-                const actual = getHashLength(key.algorithm.hash);
-                if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
-                break;
-            }
-
-          case "Ed25519":
-          case "EdDSA":
-            {
-                if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
-                break;
-            }
-
-          case "ML-DSA-44":
-          case "ML-DSA-65":
-          case "ML-DSA-87":
-            {
-                if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
-                break;
-            }
-
-          case "ES256":
-          case "ES384":
-          case "ES512":
-            {
-                if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
-                const expected = getNamedCurve(alg);
-                const actual = key.algorithm.namedCurve;
-                if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
-                break;
-            }
-
-          default:
-            throw new TypeError("CryptoKey does not support this operation");
-        }
-        checkUsage(key, usage);
-    }
-    function message(msg, actual) {
-        for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
-            types[_key - 2] = arguments[_key];
-        }
-        types = types.filter(Boolean);
-        if (types.length > 2) {
-            const last = types.pop();
-            msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
-        } else if (types.length === 2) {
-            msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
-        } else {
-            msg += "of type ".concat(types[0], ".");
-        }
-        if (actual == null) {
-            msg += " Received ".concat(actual);
-        } else if (typeof actual === "function" && actual.name) {
-            msg += " Received function ".concat(actual.name);
-        } else if (typeof actual === "object" && actual != null) {
-            var _actual$constructor;
-            if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
-                msg += " Received an instance of ".concat(actual.constructor.name);
-            }
-        }
-        return msg;
-    }
-    const invalidKeyInput = function invalidKeyInput(actual) {
-        for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
-            types[_key2 - 1] = arguments[_key2];
-        }
-        return message("Key must be ", actual, ...types);
-    };
-    const withAlg = function withAlg(alg, actual) {
-        for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
-            types[_key3 - 2] = arguments[_key3];
-        }
-        return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
-    };
-    const isCryptoKey = key => {
-        if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
-        try {
-            return key instanceof CryptoKey;
-        } catch (_unused) {
-            return false;
-        }
-    };
-    const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
-    const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
     function isDisjoint() {
         for (var _len = arguments.length, headers = new Array(_len), _key = 0; _key < _len; _key++) {
             headers[_key] = arguments[_key];
@@ -4361,20 +4381,10 @@
         }
         return true;
     }
-    const isObjectLike = value => typeof value === "object" && value !== null;
-    function isObject(input) {
-        if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-            return false;
-        }
-        if (Object.getPrototypeOf(input) === null) {
-            return true;
-        }
-        let proto = input;
-        while (Object.getPrototypeOf(proto) !== null) {
-            proto = Object.getPrototypeOf(proto);
-        }
-        return Object.getPrototypeOf(input) === proto;
-    }
+    const isJWK = key => isObject(key) && typeof key.kty === "string";
+    const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+    const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+    const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
     function checkKeyLength(alg, key) {
         if (alg.startsWith("RS") || alg.startsWith("PS")) {
             const {modulusLength: modulusLength} = key.algorithm;
@@ -4383,198 +4393,84 @@
             }
         }
     }
-    const bytesEqual = (a, b) => {
-        if (a.byteLength !== b.length) return false;
-        for (let i = 0; i < a.byteLength; i++) {
-            if (a[i] !== b[i]) return false;
-        }
-        return true;
-    };
-    const createASN1State = data => ({
-        data: data,
-        pos: 0
-    });
-    const parseLength = state => {
-        const first = state.data[state.pos++];
-        if (first & 128) {
-            const lengthOfLen = first & 127;
-            let length = 0;
-            for (let i = 0; i < lengthOfLen; i++) {
-                length = length << 8 | state.data[state.pos++];
-            }
-            return length;
-        }
-        return first;
-    };
-    const expectTag = (state, expectedTag, errorMessage) => {
-        if (state.data[state.pos++] !== expectedTag) {
-            throw new Error(errorMessage);
-        }
-    };
-    const getSubarray = (state, length) => {
-        const result = state.data.subarray(state.pos, state.pos + length);
-        state.pos += length;
-        return result;
-    };
-    const parseAlgorithmOID = state => {
-        expectTag(state, 6, "Expected algorithm OID");
-        const oidLen = parseLength(state);
-        return getSubarray(state, oidLen);
-    };
-    function parsePKCS8Header(state) {
-        expectTag(state, 48, "Invalid PKCS#8 structure");
-        parseLength(state);
-        expectTag(state, 2, "Expected version field");
-        const verLen = parseLength(state);
-        state.pos += verLen;
-        expectTag(state, 48, "Expected algorithm identifier");
-        const algIdLen = parseLength(state);
-        const algIdStart = state.pos;
-        return {
-            algIdStart: algIdStart,
-            algIdLength: algIdLen
-        };
-    }
-    const parseECAlgorithmIdentifier = state => {
-        const algOid = parseAlgorithmOID(state);
-        if (bytesEqual(algOid, [ 43, 101, 110 ])) {
-            return "X25519";
-        }
-        if (!bytesEqual(algOid, [ 42, 134, 72, 206, 61, 2, 1 ])) {
-            throw new Error("Unsupported key algorithm");
-        }
-        expectTag(state, 6, "Expected curve OID");
-        const curveOidLen = parseLength(state);
-        const curveOid = getSubarray(state, curveOidLen);
-        for (const {name: name, oid: oid} of [ {
-            name: "P-256",
-            oid: [ 42, 134, 72, 206, 61, 3, 1, 7 ]
-        }, {
-            name: "P-384",
-            oid: [ 43, 129, 4, 0, 34 ]
-        }, {
-            name: "P-521",
-            oid: [ 43, 129, 4, 0, 35 ]
-        } ]) {
-            if (bytesEqual(curveOid, oid)) {
-                return name;
-            }
-        }
-        throw new Error("Unsupported named curve");
-    };
-    const genericImport = async (keyFormat, keyData, alg, options) => {
-        var _options$extractable;
-        let algorithm;
-        let keyUsages;
-        const isPublic = keyFormat === "spki";
-        const getSigUsages = () => isPublic ? [ "verify" ] : [ "sign" ];
-        const getEncUsages = () => isPublic ? [ "encrypt", "wrapKey" ] : [ "decrypt", "unwrapKey" ];
+    function subtleAlgorithm(alg, algorithm) {
+        const hash = "SHA-".concat(alg.slice(-3));
         switch (alg) {
+          case "HS256":
+          case "HS384":
+          case "HS512":
+            return {
+                hash: hash,
+                name: "HMAC"
+            };
+
           case "PS256":
           case "PS384":
           case "PS512":
-            algorithm = {
+            return {
+                hash: hash,
                 name: "RSA-PSS",
-                hash: "SHA-".concat(alg.slice(-3))
+                saltLength: parseInt(alg.slice(-3), 10) >> 3
             };
-            keyUsages = getSigUsages();
-            break;
 
           case "RS256":
           case "RS384":
           case "RS512":
-            algorithm = {
-                name: "RSASSA-PKCS1-v1_5",
-                hash: "SHA-".concat(alg.slice(-3))
-            };
-            keyUsages = getSigUsages();
-            break;
-
-          case "RSA-OAEP":
-          case "RSA-OAEP-256":
-          case "RSA-OAEP-384":
-          case "RSA-OAEP-512":
-            algorithm = {
-                name: "RSA-OAEP",
-                hash: "SHA-".concat(parseInt(alg.slice(-3), 10) || 1)
+            return {
+                hash: hash,
+                name: "RSASSA-PKCS1-v1_5"
             };
-            keyUsages = getEncUsages();
-            break;
 
           case "ES256":
           case "ES384":
           case "ES512":
-            {
-                const curveMap = {
-                    ES256: "P-256",
-                    ES384: "P-384",
-                    ES512: "P-521"
-                };
-                algorithm = {
-                    name: "ECDSA",
-                    namedCurve: curveMap[alg]
-                };
-                keyUsages = getSigUsages();
-                break;
-            }
-
-          case "ECDH-ES":
-          case "ECDH-ES+A128KW":
-          case "ECDH-ES+A192KW":
-          case "ECDH-ES+A256KW":
-            {
-                try {
-                    const namedCurve = options.getNamedCurve(keyData);
-                    algorithm = namedCurve === "X25519" ? {
-                        name: "X25519"
-                    } : {
-                        name: "ECDH",
-                        namedCurve: namedCurve
-                    };
-                } catch (cause) {
-                    throw new JOSENotSupported("Invalid or unsupported key format");
-                }
-                keyUsages = isPublic ? [] : [ "deriveBits" ];
-                break;
-            }
+            return {
+                hash: hash,
+                name: "ECDSA",
+                namedCurve: algorithm.namedCurve
+            };
 
           case "Ed25519":
           case "EdDSA":
-            algorithm = {
+            return {
                 name: "Ed25519"
             };
-            keyUsages = getSigUsages();
-            break;
 
           case "ML-DSA-44":
           case "ML-DSA-65":
           case "ML-DSA-87":
-            algorithm = {
+            return {
                 name: alg
             };
-            keyUsages = getSigUsages();
-            break;
 
           default:
-            throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
+            throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
         }
-        return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
-    };
-    const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
-    const fromPKCS8 = (pem, alg, options) => {
-        var _alg$startsWith;
-        const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
-        let opts = options;
-        if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
-            opts || (opts = {});
-            opts.getNamedCurve = keyData => {
-                const state = createASN1State(keyData);
-                parsePKCS8Header(state);
-                return parseECAlgorithmIdentifier(state);
-            };
+    }
+    async function getSigKey(alg, key, usage) {
+        if (key instanceof Uint8Array) {
+            if (!alg.startsWith("HS")) {
+                throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+            }
+            return crypto.subtle.importKey("raw", key, {
+                hash: "SHA-".concat(alg.slice(-3)),
+                name: "HMAC"
+            }, false, [ usage ]);
         }
-        return genericImport("pkcs8", keyData, alg, opts);
-    };
+        checkSigCryptoKey(key, alg, usage);
+        return key;
+    }
+    async function verify(alg, key, signature, data) {
+        const cryptoKey = await getSigKey(alg, key, "verify");
+        checkKeyLength(alg, cryptoKey);
+        const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+        try {
+            return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+        } catch (_unused) {
+            return false;
+        }
+    }
+    const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
     function subtleMapping(jwk) {
         let algorithm;
         let keyUsages;
@@ -4592,7 +4488,7 @@
                     break;
 
                   default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
                 }
                 break;
             }
@@ -4632,7 +4528,7 @@
                     break;
 
                   default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
                 }
                 break;
             }
@@ -4641,25 +4537,15 @@
             {
                 switch (jwk.alg) {
                   case "ES256":
-                    algorithm = {
-                        name: "ECDSA",
-                        namedCurve: "P-256"
-                    };
-                    keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                    break;
-
                   case "ES384":
-                    algorithm = {
-                        name: "ECDSA",
-                        namedCurve: "P-384"
-                    };
-                    keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                    break;
-
                   case "ES512":
                     algorithm = {
                         name: "ECDSA",
-                        namedCurve: "P-521"
+                        namedCurve: {
+                            ES256: "P-256",
+                            ES384: "P-384",
+                            ES512: "P-521"
+                        }[jwk.alg]
                     };
                     keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
                     break;
@@ -4676,7 +4562,7 @@
                     break;
 
                   default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
                 }
                 break;
             }
@@ -4703,7 +4589,7 @@
                     break;
 
                   default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
                 }
                 break;
             }
@@ -4729,102 +4615,7 @@
         delete keyData.use;
         return crypto.subtle.importKey("jwk", keyData, algorithm, (_jwk$ext = jwk.ext) !== null && _jwk$ext !== void 0 ? _jwk$ext : jwk.d || jwk.priv ? false : true, (_jwk$key_ops = jwk.key_ops) !== null && _jwk$key_ops !== void 0 ? _jwk$key_ops : keyUsages);
     }
-    async function importPKCS8(pkcs8, alg, options) {
-        if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
-            throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
-        }
-        return fromPKCS8(pkcs8, alg, options);
-    }
-    async function importJWK(jwk, alg, options) {
-        var _options$extractable;
-        if (!isObject(jwk)) {
-            throw new TypeError("JWK must be an object");
-        }
-        let ext;
-        alg !== null && alg !== void 0 ? alg : alg = jwk.alg;
-        ext !== null && ext !== void 0 ? ext : ext = (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : jwk.ext;
-        switch (jwk.kty) {
-          case "oct":
-            if (typeof jwk.k !== "string" || !jwk.k) {
-                throw new TypeError('missing "k" (Key Value) Parameter value');
-            }
-            return decode(jwk.k);
-
-          case "RSA":
-            if ("oth" in jwk && jwk.oth !== undefined) {
-                throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-            }
-            return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
-                alg: alg,
-                ext: ext
-            }));
-
-          case "AKP":
-            {
-                if (typeof jwk.alg !== "string" || !jwk.alg) {
-                    throw new TypeError('missing "alg" (Algorithm) Parameter value');
-                }
-                if (alg !== undefined && alg !== jwk.alg) {
-                    throw new TypeError("JWK alg and alg option value mismatch");
-                }
-                return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
-                    ext: ext
-                }));
-            }
-
-          case "EC":
-          case "OKP":
-            return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
-                alg: alg,
-                ext: ext
-            }));
-
-          default:
-            throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-        }
-    }
-    function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-        if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
-            throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-        }
-        if (!protectedHeader || protectedHeader.crit === undefined) {
-            return new Set;
-        }
-        if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input => typeof input !== "string" || input.length === 0))) {
-            throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-        }
-        let recognized;
-        if (recognizedOption !== undefined) {
-            recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
-        } else {
-            recognized = recognizedDefault;
-        }
-        for (const parameter of protectedHeader.crit) {
-            if (!recognized.has(parameter)) {
-                throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
-            }
-            if (joseHeader[parameter] === undefined) {
-                throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
-            }
-            if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-                throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
-            }
-        }
-        return new Set(protectedHeader.crit);
-    }
-    function validateAlgorithms(option, algorithms) {
-        if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s => typeof s !== "string")))) {
-            throw new TypeError('"'.concat(option, '" option must be an array of strings'));
-        }
-        if (!algorithms) {
-            return undefined;
-        }
-        return new Set(algorithms);
-    }
-    const isJWK = key => isObject(key) && typeof key.kty === "string";
-    const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-    const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-    const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
+    const unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
     let cache;
     const handleJWK = async function handleJWK(key, jwk, alg) {
         let freeze = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
@@ -4864,13 +4655,13 @@
                 break;
 
               default:
-                throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+                throw new TypeError(unusableForAlg);
             }
             cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : [ "deriveBits" ]);
         }
         if (keyObject.asymmetricKeyType === "ed25519") {
             if (alg !== "EdDSA" && alg !== "Ed25519") {
-                throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+                throw new TypeError(unusableForAlg);
             }
             cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
         }
@@ -4880,7 +4671,7 @@
           case "ml-dsa-87":
             {
                 if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-                    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+                    throw new TypeError(unusableForAlg);
                 }
                 cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
             }
@@ -4911,7 +4702,7 @@
                 break;
 
               default:
-                throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+                throw new TypeError(unusableForAlg);
             }
             if (alg.startsWith("RSA-OAEP")) {
                 return keyObject.toCryptoKey({
@@ -4929,21 +4720,14 @@
             const nist = new Map([ [ "prime256v1", "P-256" ], [ "secp384r1", "P-384" ], [ "secp521r1", "P-521" ] ]);
             const namedCurve = nist.get((_keyObject$asymmetric = keyObject.asymmetricKeyDetails) === null || _keyObject$asymmetric === void 0 ? void 0 : _keyObject$asymmetric.namedCurve);
             if (!namedCurve) {
-                throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-            }
-            if (alg === "ES256" && namedCurve === "P-256") {
-                cryptoKey = keyObject.toCryptoKey({
-                    name: "ECDSA",
-                    namedCurve: namedCurve
-                }, extractable, [ isPublic ? "verify" : "sign" ]);
+                throw new TypeError(unusableForAlg);
             }
-            if (alg === "ES384" && namedCurve === "P-384") {
-                cryptoKey = keyObject.toCryptoKey({
-                    name: "ECDSA",
-                    namedCurve: namedCurve
-                }, extractable, [ isPublic ? "verify" : "sign" ]);
-            }
-            if (alg === "ES512" && namedCurve === "P-521") {
+            const expectedCurve = {
+                ES256: "P-256",
+                ES384: "P-384",
+                ES512: "P-521"
+            };
+            if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
                 cryptoKey = keyObject.toCryptoKey({
                     name: "ECDSA",
                     namedCurve: namedCurve
@@ -4956,50 +4740,334 @@
                 }, extractable, isPublic ? [] : [ "deriveBits" ]);
             }
         }
-        if (!cryptoKey) {
-            throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        if (!cryptoKey) {
+            throw new TypeError(unusableForAlg);
+        }
+        if (!cached) {
+            cache.set(keyObject, {
+                [alg]: cryptoKey
+            });
+        } else {
+            cached[alg] = cryptoKey;
+        }
+        return cryptoKey;
+    };
+    async function normalizeKey(key, alg) {
+        if (key instanceof Uint8Array) {
+            return key;
+        }
+        if (isCryptoKey(key)) {
+            return key;
+        }
+        if (isKeyObject(key)) {
+            if (key.type === "secret") {
+                return key.export();
+            }
+            if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+                try {
+                    return handleKeyObject(key, alg);
+                } catch (err) {
+                    if (err instanceof TypeError) {
+                        throw err;
+                    }
+                }
+            }
+            let jwk = key.export({
+                format: "jwk"
+            });
+            return handleJWK(key, jwk, alg);
+        }
+        if (isJWK(key)) {
+            if (key.k) {
+                return decode(key.k);
+            }
+            return handleJWK(key, key, alg, true);
+        }
+        throw new Error("unreachable");
+    }
+    const bytesEqual = (a, b) => {
+        if (a.byteLength !== b.length) return false;
+        for (let i = 0; i < a.byteLength; i++) {
+            if (a[i] !== b[i]) return false;
+        }
+        return true;
+    };
+    const createASN1State = data => ({
+        data: data,
+        pos: 0
+    });
+    const parseLength = state => {
+        const first = state.data[state.pos++];
+        if (first & 128) {
+            const lengthOfLen = first & 127;
+            let length = 0;
+            for (let i = 0; i < lengthOfLen; i++) {
+                length = length << 8 | state.data[state.pos++];
+            }
+            return length;
+        }
+        return first;
+    };
+    const expectTag = (state, expectedTag, errorMessage) => {
+        if (state.data[state.pos++] !== expectedTag) {
+            throw new Error(errorMessage);
+        }
+    };
+    const getSubarray = (state, length) => {
+        const result = state.data.subarray(state.pos, state.pos + length);
+        state.pos += length;
+        return result;
+    };
+    const parseAlgorithmOID = state => {
+        expectTag(state, 6, "Expected algorithm OID");
+        const oidLen = parseLength(state);
+        return getSubarray(state, oidLen);
+    };
+    function parsePKCS8Header(state) {
+        expectTag(state, 48, "Invalid PKCS#8 structure");
+        parseLength(state);
+        expectTag(state, 2, "Expected version field");
+        const verLen = parseLength(state);
+        state.pos += verLen;
+        expectTag(state, 48, "Expected algorithm identifier");
+        const algIdLen = parseLength(state);
+        const algIdStart = state.pos;
+        return {
+            algIdStart: algIdStart,
+            algIdLength: algIdLen
+        };
+    }
+    const parseECAlgorithmIdentifier = state => {
+        const algOid = parseAlgorithmOID(state);
+        if (bytesEqual(algOid, [ 43, 101, 110 ])) {
+            return "X25519";
+        }
+        if (!bytesEqual(algOid, [ 42, 134, 72, 206, 61, 2, 1 ])) {
+            throw new Error("Unsupported key algorithm");
+        }
+        expectTag(state, 6, "Expected curve OID");
+        const curveOidLen = parseLength(state);
+        const curveOid = getSubarray(state, curveOidLen);
+        for (const {name: name, oid: oid} of [ {
+            name: "P-256",
+            oid: [ 42, 134, 72, 206, 61, 3, 1, 7 ]
+        }, {
+            name: "P-384",
+            oid: [ 43, 129, 4, 0, 34 ]
+        }, {
+            name: "P-521",
+            oid: [ 43, 129, 4, 0, 35 ]
+        } ]) {
+            if (bytesEqual(curveOid, oid)) {
+                return name;
+            }
+        }
+        throw new Error("Unsupported named curve");
+    };
+    const genericImport = async (keyFormat, keyData, alg, options) => {
+        var _options$extractable;
+        let algorithm;
+        let keyUsages;
+        const isPublic = keyFormat === "spki";
+        const getSigUsages = () => isPublic ? [ "verify" ] : [ "sign" ];
+        const getEncUsages = () => isPublic ? [ "encrypt", "wrapKey" ] : [ "decrypt", "unwrapKey" ];
+        switch (alg) {
+          case "PS256":
+          case "PS384":
+          case "PS512":
+            algorithm = {
+                name: "RSA-PSS",
+                hash: "SHA-".concat(alg.slice(-3))
+            };
+            keyUsages = getSigUsages();
+            break;
+
+          case "RS256":
+          case "RS384":
+          case "RS512":
+            algorithm = {
+                name: "RSASSA-PKCS1-v1_5",
+                hash: "SHA-".concat(alg.slice(-3))
+            };
+            keyUsages = getSigUsages();
+            break;
+
+          case "RSA-OAEP":
+          case "RSA-OAEP-256":
+          case "RSA-OAEP-384":
+          case "RSA-OAEP-512":
+            algorithm = {
+                name: "RSA-OAEP",
+                hash: "SHA-".concat(parseInt(alg.slice(-3), 10) || 1)
+            };
+            keyUsages = getEncUsages();
+            break;
+
+          case "ES256":
+          case "ES384":
+          case "ES512":
+            {
+                const curveMap = {
+                    ES256: "P-256",
+                    ES384: "P-384",
+                    ES512: "P-521"
+                };
+                algorithm = {
+                    name: "ECDSA",
+                    namedCurve: curveMap[alg]
+                };
+                keyUsages = getSigUsages();
+                break;
+            }
+
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            {
+                try {
+                    const namedCurve = options.getNamedCurve(keyData);
+                    algorithm = namedCurve === "X25519" ? {
+                        name: "X25519"
+                    } : {
+                        name: "ECDH",
+                        namedCurve: namedCurve
+                    };
+                } catch (cause) {
+                    throw new JOSENotSupported("Invalid or unsupported key format");
+                }
+                keyUsages = isPublic ? [] : [ "deriveBits" ];
+                break;
+            }
+
+          case "Ed25519":
+          case "EdDSA":
+            algorithm = {
+                name: "Ed25519"
+            };
+            keyUsages = getSigUsages();
+            break;
+
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+            algorithm = {
+                name: alg
+            };
+            keyUsages = getSigUsages();
+            break;
+
+          default:
+            throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
+        }
+        return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
+    };
+    const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
+    const fromPKCS8 = (pem, alg, options) => {
+        var _alg$startsWith;
+        const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+        let opts = options;
+        if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
+            opts || (opts = {});
+            opts.getNamedCurve = keyData => {
+                const state = createASN1State(keyData);
+                parsePKCS8Header(state);
+                return parseECAlgorithmIdentifier(state);
+            };
+        }
+        return genericImport("pkcs8", keyData, alg, opts);
+    };
+    async function importPKCS8(pkcs8, alg, options) {
+        if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
+            throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+        }
+        return fromPKCS8(pkcs8, alg, options);
+    }
+    async function importJWK(jwk, alg, options) {
+        var _options$extractable;
+        if (!isObject(jwk)) {
+            throw new TypeError("JWK must be an object");
+        }
+        let ext;
+        alg !== null && alg !== void 0 ? alg : alg = jwk.alg;
+        ext !== null && ext !== void 0 ? ext : ext = (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : jwk.ext;
+        switch (jwk.kty) {
+          case "oct":
+            if (typeof jwk.k !== "string" || !jwk.k) {
+                throw new TypeError('missing "k" (Key Value) Parameter value');
+            }
+            return decode(jwk.k);
+
+          case "RSA":
+            if ("oth" in jwk && jwk.oth !== undefined) {
+                throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+            }
+            return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
+                alg: alg,
+                ext: ext
+            }));
+
+          case "AKP":
+            {
+                if (typeof jwk.alg !== "string" || !jwk.alg) {
+                    throw new TypeError('missing "alg" (Algorithm) Parameter value');
+                }
+                if (alg !== undefined && alg !== jwk.alg) {
+                    throw new TypeError("JWK alg and alg option value mismatch");
+                }
+                return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
+                    ext: ext
+                }));
+            }
+
+          case "EC":
+          case "OKP":
+            return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
+                alg: alg,
+                ext: ext
+            }));
+
+          default:
+            throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+        }
+    }
+    function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+        if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
+            throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
         }
-        if (!cached) {
-            cache.set(keyObject, {
-                [alg]: cryptoKey
-            });
-        } else {
-            cached[alg] = cryptoKey;
+        if (!protectedHeader || protectedHeader.crit === undefined) {
+            return new Set;
         }
-        return cryptoKey;
-    };
-    async function normalizeKey(key, alg) {
-        if (key instanceof Uint8Array) {
-            return key;
+        if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some(input => typeof input !== "string" || input.length === 0)) {
+            throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
         }
-        if (isCryptoKey(key)) {
-            return key;
+        let recognized;
+        if (recognizedOption !== undefined) {
+            recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
+        } else {
+            recognized = recognizedDefault;
         }
-        if (isKeyObject(key)) {
-            if (key.type === "secret") {
-                return key.export();
+        for (const parameter of protectedHeader.crit) {
+            if (!recognized.has(parameter)) {
+                throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
             }
-            if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-                try {
-                    return handleKeyObject(key, alg);
-                } catch (err) {
-                    if (err instanceof TypeError) {
-                        throw err;
-                    }
-                }
+            if (joseHeader[parameter] === undefined) {
+                throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
             }
-            let jwk = key.export({
-                format: "jwk"
-            });
-            return handleJWK(key, jwk, alg);
-        }
-        if (isJWK(key)) {
-            if (key.k) {
-                return decode(key.k);
+            if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+                throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
             }
-            return handleJWK(key, key, alg, true);
         }
-        throw new Error("unreachable");
+        return new Set(protectedHeader.crit);
+    }
+    function validateAlgorithms(option, algorithms) {
+        if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== "string"))) {
+            throw new TypeError('"'.concat(option, '" option must be an array of strings'));
+        }
+        if (!algorithms) {
+            return undefined;
+        }
+        return new Set(algorithms);
     }
     const tag = key => key === null || key === void 0 ? void 0 : key[Symbol.toStringTag];
     const jwkMatchesOp = (alg, key, usage) => {
@@ -5130,7 +5198,7 @@
     let USER_AGENT$1;
     if (typeof navigator === "undefined" || !((_navigator$userAgent$1 = navigator.userAgent) !== null && _navigator$userAgent$1 !== void 0 && (_navigator$userAgent$$1 = _navigator$userAgent$1.startsWith) !== null && _navigator$userAgent$$1 !== void 0 && _navigator$userAgent$$1.call(_navigator$userAgent$1, "Mozilla/5.0 "))) {
         const NAME = "openid-client";
-        const VERSION = "v6.8.1";
+        const VERSION = "v6.8.2";
         USER_AGENT$1 = "".concat(NAME, "/").concat(VERSION);
         headers = {
             "user-agent": USER_AGENT$1
@@ -5320,7 +5388,7 @@
             method: "GET",
             redirect: "manual",
             signal: signal
-        })).then((response => processDiscoveryResponse(_nodiscoverycheck, response))).catch(errorHandler);
+        })).then(response => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
         if (resolve && new URL(as.issuer).href !== server.href) {
             handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
                 throw new ClientError("discovered metadata issuer does not match the expected issuer", {
@@ -5486,7 +5554,7 @@
         }
     }
     function wait(duration, signal) {
-        return new Promise(((resolve, reject) => {
+        return new Promise((resolve, reject) => {
             const waitStep = remaining => {
                 try {
                     signal.throwIfAborted();
@@ -5499,10 +5567,10 @@
                     return;
                 }
                 const currentWait = Math.min(remaining, 5);
-                setTimeout((() => waitStep(remaining - currentWait)), currentWait * 1e3);
+                setTimeout(() => waitStep(remaining - currentWait), currentWait * 1e3);
             };
             waitStep(duration);
-        }));
+        });
     }
     async function initiateBackchannelAuthentication(config, parameters) {
         checkConfig(config);
@@ -5512,7 +5580,7 @@
             [allowInsecureRequests$1]: !tlsOnly,
             headers: new Headers(headers),
             signal: signal(timeout)
-        }).then((response => processBackchannelAuthenticationResponse(as, c, response))).catch(errorHandler);
+        }).then(response => processBackchannelAuthenticationResponse(as, c, response)).catch(errorHandler);
     }
     async function pollBackchannelAuthenticationGrant(config, backchannelAuthenticationResponse, parameters, options) {
         var _backchannelAuthentic, _options$signal2;
@@ -5824,7 +5892,7 @@
             DPoP: options === null || options === void 0 ? void 0 : options.DPoP,
             headers: new Headers(headers),
             signal: signal(timeout)
-        }).then((response => {
+        }).then(response => {
             let recognizedTokenTypes;
             if (grantType === "urn:ietf:params:oauth:grant-type:token-exchange") {
                 recognizedTokenTypes = {
@@ -5835,87 +5903,10 @@
                 [jweDecrypt]: decrypt,
                 recognizedTokenTypes: recognizedTokenTypes
             });
-        })).catch(errorHandler);
+        }).catch(errorHandler);
         addHelpers(result);
         return result;
     }
-    function subtleAlgorithm(alg, algorithm) {
-        const hash = "SHA-".concat(alg.slice(-3));
-        switch (alg) {
-          case "HS256":
-          case "HS384":
-          case "HS512":
-            return {
-                hash: hash,
-                name: "HMAC"
-            };
-
-          case "PS256":
-          case "PS384":
-          case "PS512":
-            return {
-                hash: hash,
-                name: "RSA-PSS",
-                saltLength: parseInt(alg.slice(-3), 10) >> 3
-            };
-
-          case "RS256":
-          case "RS384":
-          case "RS512":
-            return {
-                hash: hash,
-                name: "RSASSA-PKCS1-v1_5"
-            };
-
-          case "ES256":
-          case "ES384":
-          case "ES512":
-            return {
-                hash: hash,
-                name: "ECDSA",
-                namedCurve: algorithm.namedCurve
-            };
-
-          case "Ed25519":
-          case "EdDSA":
-            return {
-                name: "Ed25519"
-            };
-
-          case "ML-DSA-44":
-          case "ML-DSA-65":
-          case "ML-DSA-87":
-            return {
-                name: alg
-            };
-
-          default:
-            throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
-        }
-    }
-    async function getSigKey(alg, key, usage) {
-        if (key instanceof Uint8Array) {
-            if (!alg.startsWith("HS")) {
-                throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-            }
-            return crypto.subtle.importKey("raw", key, {
-                hash: "SHA-".concat(alg.slice(-3)),
-                name: "HMAC"
-            }, false, [ usage ]);
-        }
-        checkSigCryptoKey(key, alg, usage);
-        return key;
-    }
-    async function verify(alg, key, signature, data) {
-        const cryptoKey = await getSigKey(alg, key, "verify");
-        checkKeyLength(alg, cryptoKey);
-        const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-        try {
-            return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-        } catch (_unused) {
-            return false;
-        }
-    }
     async function flattenedVerify(jws, key, options) {
         if (!isObject(jws)) {
             throw new JWSInvalid("Flattened JWS must be an object");
@@ -5978,12 +5969,7 @@
         }
         checkKeyType(alg, key, "verify");
         const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-        let signature;
-        try {
-            signature = decode(jws.signature);
-        } catch (_unused2) {
-            throw new JWSInvalid("Failed to base64url decode the signature");
-        }
+        const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
         const k = await normalizeKey(key, alg);
         const verified = await verify(alg, k, signature, data);
         if (!verified) {
@@ -5991,11 +5977,7 @@
         }
         let payload;
         if (b64) {
-            try {
-                payload = decode(jws.payload);
-            } catch (_unused3) {
-                throw new JWSInvalid("Failed to base64url decode the payload");
-            }
+            payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
         } else if (typeof jws.payload === "string") {
             payload = encoder.encode(jws.payload);
         } else {
@@ -6263,7 +6245,7 @@
         async getKey(protectedHeader, token) {
             const {alg: alg, kid: kid} = _objectSpread2(_objectSpread2({}, protectedHeader), token === null || token === void 0 ? void 0 : token.header);
             const kty = getKtyFromAlg(alg);
-            const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter((jwk => {
+            const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter(jwk => {
                 let candidate = kty === jwk.kty;
                 if (candidate && typeof kid === "string") {
                     candidate = kid === jwk.kid;
@@ -6298,7 +6280,7 @@
                     }
                 }
                 return candidate;
-            }));
+            });
             const {0: jwk, length: length} = candidates;
             if (length === 0) {
                 throw new JWKSNoMatchingKey;
@@ -6306,13 +6288,13 @@
             if (length !== 1) {
                 const error = new JWKSMultipleMatchingKeys;
                 const _cached = _classPrivateFieldGet2(_cached2, this);
-                error[Symbol.asyncIterator] = _wrapAsyncGenerator((function*() {
+                error[Symbol.asyncIterator] = _wrapAsyncGenerator(function*() {
                     for (const jwk of candidates) {
                         try {
                             yield yield _awaitAsyncGenerator(importWithAlgCache(_cached, jwk, alg));
                         } catch (_unused) {}
                     }
-                }));
+                });
                 throw error;
             }
             return importWithAlgCache(_classPrivateFieldGet2(_cached2, this), jwk, alg);
@@ -6351,7 +6333,7 @@
     let USER_AGENT;
     if (typeof navigator === "undefined" || !((_navigator$userAgent = navigator.userAgent) !== null && _navigator$userAgent !== void 0 && (_navigator$userAgent$ = _navigator$userAgent.startsWith) !== null && _navigator$userAgent$ !== void 0 && _navigator$userAgent$.call(_navigator$userAgent, "Mozilla/5.0 "))) {
         const NAME = "jose";
-        const VERSION = "v6.1.3";
+        const VERSION = "v6.2.1";
         USER_AGENT = "".concat(NAME, "/").concat(VERSION);
     }
     const customFetch = Symbol();
@@ -6362,12 +6344,12 @@
             signal: signal,
             redirect: "manual",
             headers: headers
-        }).catch((err => {
+        }).catch(err => {
             if (err.name === "TimeoutError") {
                 throw new JWKSTimeout;
             }
             throw err;
-        }));
+        });
         if (response.status !== 200) {
             throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
         }
@@ -6469,7 +6451,7 @@
             if (_classPrivateFieldGet2(_pendingFetch, this) && isCloudflareWorkers()) {
                 _classPrivateFieldSet2(_pendingFetch, this, undefined);
             }
-            _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then((json => {
+            _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then(json => {
                 _classPrivateFieldSet2(_local, this, createLocalJWKSet(json));
                 if (_classPrivateFieldGet2(_cache, this)) {
                     _classPrivateFieldGet2(_cache, this).uat = Date.now();
@@ -6477,10 +6459,10 @@
                 }
                 _classPrivateFieldSet2(_jwksTimestamp, this, Date.now());
                 _classPrivateFieldSet2(_pendingFetch, this, undefined);
-            })).catch((err => {
+            }).catch(err => {
                 _classPrivateFieldSet2(_pendingFetch, this, undefined);
                 throw err;
-            })));
+            }));
             await _classPrivateFieldGet2(_pendingFetch, this);
         }
     }
@@ -6519,7 +6501,7 @@
         return remoteJWKSet;
     }
     const _excluded = [ "mfaToken" ], _excluded2 = [ "mfaToken" ];
-    var _baseUrl, _clientId, _customFetch, _configuration, _serverMetadata, _options, _jwks, _Class8_brand;
+    var _baseUrl, _clientId, _customFetch, _entries, _ttlMs, _maxEntries, _configuration, _serverMetadata, _clientAuthPromise, _options, _customFetch2, _jwks, _discoveryCache, _inFlightDiscovery, _jwksCache, _Class9_brand;
     var NotSupportedError = class NotSupportedError extends Error {
         constructor(code, message) {
             super(message);
@@ -6611,12 +6593,12 @@
         }
     };
     function stripUndefinedProperties(value) {
-        return Object.entries(value).filter((_ref => {
+        return Object.entries(value).filter(_ref => {
             let [, value2] = _ref;
             return typeof value2 !== "undefined";
-        })).reduce(((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
+        }).reduce((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
             [curr[0]]: curr[1]
-        })), {});
+        }), {});
     }
     var MfaError$1 = class MfaError extends Error {
         constructor(code, message, cause) {
@@ -6681,7 +6663,9 @@
                 oobChannel: api.oob_channel,
                 oobCode: api.oob_code,
                 bindingMethod: api.binding_method,
-                id: api.id
+                id: api.id,
+                barcodeUri: api.barcode_uri,
+                recoveryCodes: api.recovery_codes
             };
         }
         throw new Error("Unexpected authenticator type: ".concat(api.authenticator_type));
@@ -6799,6 +6783,40 @@
             return transformChallengeResponse(apiResponse);
         }
     });
+    function createTelemetryFetch(baseFetch, config) {
+        if (config.enabled === false) {
+            return baseFetch;
+        }
+        const telemetryData = {
+            name: config.name,
+            version: config.version
+        };
+        const headerValue = btoa(JSON.stringify(telemetryData));
+        return async (input, init) => {
+            const headers = input instanceof Request ? new Headers(input.headers) : new Headers;
+            if (init !== null && init !== void 0 && init.headers) {
+                const initHeaders = new Headers(init.headers);
+                initHeaders.forEach((value, key) => {
+                    headers.set(key, value);
+                });
+            }
+            headers.set("Auth0-Client", headerValue);
+            return baseFetch(input, _objectSpread2(_objectSpread2({}, init), {}, {
+                headers: headers
+            }));
+        };
+    }
+    function getTelemetryConfig(config) {
+        var _config$name, _config$version;
+        if ((config === null || config === void 0 ? void 0 : config.enabled) === false) {
+            return config;
+        }
+        return {
+            enabled: true,
+            name: (_config$name = config === null || config === void 0 ? void 0 : config.name) !== null && _config$name !== void 0 ? _config$name : "@auth0/auth0-auth-js",
+            version: (_config$version = config === null || config === void 0 ? void 0 : config.version) !== null && _config$version !== void 0 ? _config$version : "1.5.0"
+        };
+    }
     var TokenResponse = class _TokenResponse {
         constructor(accessToken, expiresAt, idToken, refreshToken, scope, claims, authorizationDetails) {
             _defineProperty(this, "accessToken", void 0);
@@ -6826,6 +6844,75 @@
             return tokenResponse;
         }
     };
+    var LruCache = (_entries = new WeakMap, _ttlMs = new WeakMap, _maxEntries = new WeakMap, 
+    class LruCache {
+        constructor(maxEntries, ttlMs) {
+            _classPrivateFieldInitSpec(this, _entries, new Map);
+            _classPrivateFieldInitSpec(this, _ttlMs, void 0);
+            _classPrivateFieldInitSpec(this, _maxEntries, void 0);
+            _classPrivateFieldSet2(_maxEntries, this, Math.max(1, Math.floor(maxEntries)));
+            _classPrivateFieldSet2(_ttlMs, this, Math.max(0, Math.floor(ttlMs)));
+        }
+        get(key) {
+            const entry = _classPrivateFieldGet2(_entries, this).get(key);
+            if (!entry) {
+                return;
+            }
+            if (Date.now() >= entry.expiresAt) {
+                _classPrivateFieldGet2(_entries, this).delete(key);
+                return;
+            }
+            _classPrivateFieldGet2(_entries, this).delete(key);
+            _classPrivateFieldGet2(_entries, this).set(key, entry);
+            return entry.value;
+        }
+        set(key, value) {
+            if (_classPrivateFieldGet2(_entries, this).has(key)) {
+                _classPrivateFieldGet2(_entries, this).delete(key);
+            }
+            _classPrivateFieldGet2(_entries, this).set(key, {
+                value: value,
+                expiresAt: Date.now() + _classPrivateFieldGet2(_ttlMs, this)
+            });
+            while (_classPrivateFieldGet2(_entries, this).size > _classPrivateFieldGet2(_maxEntries, this)) {
+                const oldestKey = _classPrivateFieldGet2(_entries, this).keys().next().value;
+                if (oldestKey === void 0) {
+                    break;
+                }
+                _classPrivateFieldGet2(_entries, this).delete(oldestKey);
+            }
+        }
+    });
+    var globalCaches = new Map;
+    function getGlobalCache(key) {
+        return globalCaches.get(key);
+    }
+    function getGlobalCacheKey(maxEntries, ttlMs) {
+        return "".concat(maxEntries, ":").concat(ttlMs);
+    }
+    function resolveCacheConfig(options) {
+        const ttlSeconds = typeof (options === null || options === void 0 ? void 0 : options.ttl) === "number" ? options.ttl : 600;
+        const maxEntries = typeof (options === null || options === void 0 ? void 0 : options.maxEntries) === "number" && options.maxEntries > 0 ? options.maxEntries : 100;
+        const ttlMs = ttlSeconds * 1e3;
+        return {
+            ttlMs: ttlMs,
+            maxEntries: maxEntries
+        };
+    }
+    var DiscoveryCacheFactory = class {
+        static createDiscoveryCache(config) {
+            const cacheKey = getGlobalCacheKey(config.maxEntries, config.ttlMs);
+            let cache = getGlobalCache(cacheKey);
+            if (!cache) {
+                cache = new LruCache(config.maxEntries, config.ttlMs);
+                globalCaches.set(cacheKey, cache);
+            }
+            return cache;
+        }
+        static createJwksCache() {
+            return {};
+        }
+    };
     var DEFAULT_SCOPES = "openid profile email offline_access";
     var MAX_ARRAY_VALUES_PER_KEY = 20;
     var PARAM_DENYLIST = Object.freeze(new Set([ "grant_type", "client_id", "client_secret", "client_assertion", "client_assertion_type", "subject_token", "subject_token_type", "requested_token_type", "actor_token", "actor_token_type", "audience", "aud", "resource", "resources", "resource_indicator", "scope", "connection", "login_hint", "organization", "assertion" ]));
@@ -6854,9 +6941,9 @@
                 if (parameterValue.length > MAX_ARRAY_VALUES_PER_KEY) {
                     throw new TokenExchangeError("Parameter '".concat(parameterKey, "' exceeds maximum array size of ").concat(MAX_ARRAY_VALUES_PER_KEY));
                 }
-                parameterValue.forEach((arrayItem => {
+                parameterValue.forEach(arrayItem => {
                     params.append(parameterKey, arrayItem);
-                }));
+                });
             } else {
                 params.append(parameterKey, parameterValue);
             }
@@ -6867,39 +6954,58 @@
     var SUBJECT_TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token";
     var SUBJECT_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";
     var REQUESTED_TOKEN_TYPE_FEDERATED_CONNECTION_ACCESS_TOKEN = "http://auth0.com/oauth/token-type/federated-connection-access-token";
-    var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _options = new WeakMap, 
-    _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
+    var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _clientAuthPromise = new WeakMap, 
+    _options = new WeakMap, _customFetch2 = new WeakMap, _jwks = new WeakMap, _discoveryCache = new WeakMap, 
+    _inFlightDiscovery = new WeakMap, _jwksCache = new WeakMap, _Class9_brand = new WeakSet, 
+    class AuthClient {
         constructor(_options2) {
-            _classPrivateMethodInitSpec(this, _Class8_brand);
+            var _options2$customFetch;
+            _classPrivateMethodInitSpec(this, _Class9_brand);
             _classPrivateFieldInitSpec(this, _configuration, void 0);
             _classPrivateFieldInitSpec(this, _serverMetadata, void 0);
+            _classPrivateFieldInitSpec(this, _clientAuthPromise, void 0);
             _classPrivateFieldInitSpec(this, _options, void 0);
+            _classPrivateFieldInitSpec(this, _customFetch2, void 0);
             _classPrivateFieldInitSpec(this, _jwks, void 0);
+            _classPrivateFieldInitSpec(this, _discoveryCache, void 0);
+            _classPrivateFieldInitSpec(this, _inFlightDiscovery, void 0);
+            _classPrivateFieldInitSpec(this, _jwksCache, void 0);
             _defineProperty(this, "mfa", void 0);
             _classPrivateFieldSet2(_options, this, _options2);
             if (_options2.useMtls && !_options2.customFetch) {
                 throw new NotSupportedError("mtls_without_custom_fetch_not_supported", "Using mTLS without a custom fetch implementation is not supported");
             }
+            _classPrivateFieldSet2(_customFetch2, this, createTelemetryFetch((_options2$customFetch = _options2.customFetch) !== null && _options2$customFetch !== void 0 ? _options2$customFetch : function() {
+                return fetch(...arguments);
+            }, getTelemetryConfig(_options2.telemetry)));
+            const cacheConfig = resolveCacheConfig(_options2.discoveryCache);
+            _classPrivateFieldSet2(_discoveryCache, this, DiscoveryCacheFactory.createDiscoveryCache(cacheConfig));
+            _classPrivateFieldSet2(_inFlightDiscovery, this, new Map);
+            _classPrivateFieldSet2(_jwksCache, this, DiscoveryCacheFactory.createJwksCache());
             this.mfa = new MfaClient({
                 domain: _classPrivateFieldGet2(_options, this).domain,
                 clientId: _classPrivateFieldGet2(_options, this).clientId,
-                customFetch: _classPrivateFieldGet2(_options, this).customFetch
+                customFetch: _classPrivateFieldGet2(_customFetch2, this)
             });
         }
+        async getServerMetadata() {
+            const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+            return serverMetadata;
+        }
         async buildAuthorizationUrl(options) {
-            const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             if (options !== null && options !== void 0 && options.pushedAuthorizationRequests && !serverMetadata.pushed_authorization_request_endpoint) {
                 throw new NotSupportedError("par_not_supported_error", "The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");
             }
             try {
-                return await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, options);
+                return await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, options);
             } catch (e) {
                 throw new BuildAuthorizationUrlError(e);
             }
         }
         async buildLinkUserUrl(options) {
             try {
-                const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
+                const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
                     authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
                         requested_connection: options.connection,
                         requested_connection_scope: options.connectionScope,
@@ -6917,7 +7023,7 @@
         }
         async buildUnlinkUserUrl(options) {
             try {
-                const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
+                const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
                     authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
                         requested_connection: options.connection,
                         scope: "openid unlink_account",
@@ -6933,7 +7039,7 @@
             }
         }
         async backchannelAuthentication(options) {
-            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
             const params = new URLSearchParams(_objectSpread2(_objectSpread2({
                 scope: DEFAULT_SCOPES
@@ -6961,7 +7067,7 @@
             }
         }
         async initiateBackchannelAuthentication(options) {
-            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
             const params = new URLSearchParams(_objectSpread2(_objectSpread2({
                 scope: DEFAULT_SCOPES
@@ -6993,7 +7099,7 @@
         }
         async backchannelAuthenticationGrant(_ref2) {
             let {authReqId: authReqId} = _ref2;
-            const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             const params = new URLSearchParams({
                 auth_req_id: authReqId
             });
@@ -7028,10 +7134,10 @@
             }
         }
         async exchangeToken(options) {
-            return "connection" in options ? _assertClassBrand(_Class8_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class8_brand, this, _exchangeProfileToken).call(this, options);
+            return "connection" in options ? _assertClassBrand(_Class9_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class9_brand, this, _exchangeProfileToken).call(this, options);
         }
         async getTokenByCode(url, options) {
-            const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             try {
                 const tokenEndpointResponse = await authorizationCodeGrant(configuration, url, {
                     pkceCodeVerifier: options.codeVerifier
@@ -7042,16 +7148,23 @@
             }
         }
         async getTokenByRefreshToken(options) {
-            const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+            const additionalParameters = new URLSearchParams;
+            if (options.audience) {
+                additionalParameters.append("audience", options.audience);
+            }
+            if (options.scope) {
+                additionalParameters.append("scope", options.scope);
+            }
             try {
-                const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken);
+                const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken, additionalParameters);
                 return TokenResponse.fromTokenEndpointResponse(tokenEndpointResponse);
             } catch (e) {
                 throw new TokenByRefreshTokenError("The access token has expired and there was an error while trying to refresh it.", e);
             }
         }
         async getTokenByClientCredentials(options) {
-            const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             try {
                 const params = new URLSearchParams({
                     audience: options.audience
@@ -7066,7 +7179,7 @@
             }
         }
         async buildLogoutUrl(options) {
-            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+            const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
             if (!serverMetadata.end_session_endpoint) {
                 const url = new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain, "/v2/logout"));
                 url.searchParams.set("returnTo", options.returnTo);
@@ -7078,9 +7191,13 @@
             });
         }
         async verifyLogoutToken(options) {
-            const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
-            _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(serverMetadata.jwks_uri), {
-                [customFetch]: _classPrivateFieldGet2(_options, this).customFetch
+            const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+            const cacheConfig = resolveCacheConfig(_classPrivateFieldGet2(_options, this).discoveryCache);
+            const jwksUri = serverMetadata.jwks_uri;
+            _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(jwksUri), {
+                cacheMaxAge: cacheConfig.ttlMs,
+                [customFetch]: _classPrivateFieldGet2(_customFetch2, this),
+                [jwksCache]: _classPrivateFieldGet2(_jwksCache, this)
             }));
             const {payload: payload} = await jwtVerify(options.logoutToken, _classPrivateFieldGet2(_jwks, this), {
                 issuer: serverMetadata.issuer,
@@ -7118,6 +7235,16 @@
             };
         }
     });
+    function _getDiscoveryCacheKey() {
+        const domain = _classPrivateFieldGet2(_options, this).domain.toLowerCase();
+        return "".concat(domain, "|mtls:").concat(_classPrivateFieldGet2(_options, this).useMtls ? "1" : "0");
+    }
+    async function _createConfiguration(serverMetadata) {
+        const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
+        const configuration = new Configuration(serverMetadata, _classPrivateFieldGet2(_options, this).clientId, _classPrivateFieldGet2(_options, this).clientSecret, clientAuth);
+        configuration[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
+        return configuration;
+    }
     async function _discover() {
         if (_classPrivateFieldGet2(_configuration, this) && _classPrivateFieldGet2(_serverMetadata, this)) {
             return {
@@ -7125,14 +7252,58 @@
                 serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
             };
         }
-        const clientAuth = await _assertClassBrand(_Class8_brand, this, _getClientAuth).call(this);
-        _classPrivateFieldSet2(_configuration, this, await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
-            use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
-        }, clientAuth, {
-            [customFetch$1]: _classPrivateFieldGet2(_options, this).customFetch
-        }));
-        _classPrivateFieldSet2(_serverMetadata, this, _classPrivateFieldGet2(_configuration, this).serverMetadata());
-        _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_options, this).customFetch || fetch;
+        const cacheKey = _assertClassBrand(_Class9_brand, this, _getDiscoveryCacheKey).call(this);
+        const cached = _classPrivateFieldGet2(_discoveryCache, this).get(cacheKey);
+        if (cached) {
+            _classPrivateFieldSet2(_serverMetadata, this, cached.serverMetadata);
+            _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, cached.serverMetadata));
+            return {
+                configuration: _classPrivateFieldGet2(_configuration, this),
+                serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
+            };
+        }
+        const inFlight = _classPrivateFieldGet2(_inFlightDiscovery, this).get(cacheKey);
+        if (inFlight) {
+            const entry = await inFlight;
+            _classPrivateFieldSet2(_serverMetadata, this, entry.serverMetadata);
+            _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, entry.serverMetadata));
+            return {
+                configuration: _classPrivateFieldGet2(_configuration, this),
+                serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
+            };
+        }
+        const discoveryPromise = (async () => {
+            const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
+            const configuration = await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
+                use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
+            }, clientAuth, {
+                [customFetch$1]: _classPrivateFieldGet2(_customFetch2, this)
+            });
+            const serverMetadata = configuration.serverMetadata();
+            _classPrivateFieldGet2(_discoveryCache, this).set(cacheKey, {
+                serverMetadata: serverMetadata
+            });
+            return {
+                configuration: configuration,
+                serverMetadata: serverMetadata
+            };
+        })();
+        const inFlightEntry = discoveryPromise.then(_ref3 => {
+            let {serverMetadata: serverMetadata} = _ref3;
+            return {
+                serverMetadata: serverMetadata
+            };
+        });
+        void inFlightEntry.catch(() => void 0);
+        _classPrivateFieldGet2(_inFlightDiscovery, this).set(cacheKey, inFlightEntry);
+        try {
+            const {configuration: configuration, serverMetadata: serverMetadata} = await discoveryPromise;
+            _classPrivateFieldSet2(_configuration, this, configuration);
+            _classPrivateFieldSet2(_serverMetadata, this, serverMetadata);
+            _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
+        } finally {
+            _classPrivateFieldGet2(_inFlightDiscovery, this).delete(cacheKey);
+        }
         return {
             configuration: _classPrivateFieldGet2(_configuration, this),
             serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
@@ -7140,7 +7311,7 @@
     }
     async function _exchangeTokenVaultToken(options) {
         var _options$subjectToken, _options$requestedTok;
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         if ("audience" in options || "resource" in options) {
             throw new TokenExchangeError("audience and resource parameters are not supported for Token Vault exchanges");
         }
@@ -7166,7 +7337,7 @@
         }
     }
     async function _exchangeProfileToken(options) {
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         validateSubjectToken(options.subjectToken);
         const tokenRequestParams = new URLSearchParams({
             subject_token_type: options.subjectTokenType,
@@ -7193,20 +7364,28 @@
         }
     }
     async function _getClientAuth() {
-        if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
-            throw new MissingClientAuthError;
-        }
-        if (_classPrivateFieldGet2(_options, this).useMtls) {
-            return TlsClientAuth();
-        }
-        let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
-        if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
-            clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
+        if (!_classPrivateFieldGet2(_clientAuthPromise, this)) {
+            _classPrivateFieldSet2(_clientAuthPromise, this, (async () => {
+                if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
+                    throw new MissingClientAuthError;
+                }
+                if (_classPrivateFieldGet2(_options, this).useMtls) {
+                    return TlsClientAuth();
+                }
+                let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
+                if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
+                    clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
+                }
+                return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
+            })().catch(error => {
+                _classPrivateFieldSet2(_clientAuthPromise, this, void 0);
+                throw error;
+            }));
         }
-        return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
+        return _classPrivateFieldGet2(_clientAuthPromise, this);
     }
     async function _buildAuthorizationUrl(options) {
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         const codeChallengeMethod = "S256";
         const codeVerifier = randomPKCECodeVerifier();
         const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
@@ -7322,15 +7501,15 @@
             if (!((_a = context === null || context === void 0 ? void 0 : context.mfaRequirements) === null || _a === void 0 ? void 0 : _a.challenge) || context.mfaRequirements.challenge.length === 0) {
                 throw new MfaListAuthenticatorsError("invalid_request", "challengeType is required and must contain at least one challenge type, please check mfa_required error payload");
             }
-            const challengeTypes = context.mfaRequirements.challenge.map((c => c.type));
+            const challengeTypes = context.mfaRequirements.challenge.map(c => c.type);
             try {
                 const allAuthenticators = await this.authJsMfaClient.listAuthenticators({
                     mfaToken: mfaToken
                 });
-                return allAuthenticators.filter((auth => {
+                return allAuthenticators.filter(auth => {
                     if (!auth.type) return false;
                     return challengeTypes.includes(auth.type);
-                }));
+                });
             } catch (error) {
                 if (error instanceof MfaListAuthenticatorsError$1) {
                     throw new MfaListAuthenticatorsError((_b = error.cause) === null || _b === void 0 ? void 0 : _b.error, error.message);
@@ -7695,7 +7874,7 @@
                     scope: scopesToRequest(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, ((_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience) || this.options.authorizationParams.audience)
                 })
             });
-            const result = await singlePromise((() => this._getTokenSilently(localOptions)), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
+            const result = await singlePromise(() => this._getTokenSilently(localOptions), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
             return options.detailedResponse ? result : result === null || result === void 0 ? void 0 : result.access_token;
         }
         async _getTokenSilently(options) {
@@ -7716,7 +7895,7 @@
             }
             const lockKey = buildGetTokenSilentlyLockKey(this.options.clientId, getTokenOptions.authorizationParams.audience || "default");
             try {
-                return await this.lockManager.runWithLock(lockKey, 5e3, (async () => {
+                return await this.lockManager.runWithLock(lockKey, 5e3, async () => {
                     if (cacheMode !== "off") {
                         const entry = await this._getEntryFromCache({
                             scope: getTokenOptions.authorizationParams.scope,
@@ -7738,7 +7917,7 @@
                     } : null), {
                         expires_in: expires_in
                     });
-                }));
+                });
             } catch (error) {
                 if (this._isInteractiveError(error) && this.options.interactiveErrorHandler === "popup") {
                     return await this._handleInteractiveErrorWithPopup(getTokenOptions);
@@ -7747,7 +7926,10 @@
             }
         }
         _isInteractiveError(error) {
-            return error instanceof MfaRequiredError;
+            return error instanceof MfaRequiredError || error instanceof GenericError && this._isIframeMfaError(error);
+        }
+        _isIframeMfaError(error) {
+            return error.error === "login_required" && error.error_description === MFA_STEP_UP_ERROR_DESCRIPTION;
         }
         async _handleInteractiveErrorWithPopup(options) {
             try {
@@ -7829,7 +8011,7 @@
         async _getTokenFromIFrame(options) {
             const iframeLockKey = buildIframeLockKey(this.options.clientId);
             try {
-                return await this.lockManager.runWithLock(iframeLockKey, 5e3, (async () => {
+                return await this.lockManager.runWithLock(iframeLockKey, 5e3, async () => {
                     const params = Object.assign(Object.assign({}, options.authorizationParams), {
                         prompt: "none"
                     });
@@ -7869,12 +8051,15 @@
                         oauthTokenScope: tokenResult.scope,
                         audience: audience
                     });
-                }));
+                });
             } catch (e) {
                 if (e.error === "login_required") {
-                    this.logout({
-                        openUrl: false
-                    });
+                    const shouldSkipLogoutForMfaStepUp = e instanceof GenericError && this._isIframeMfaError(e) && this.options.interactiveErrorHandler === "popup";
+                    if (!shouldSkipLogoutForMfaStepUp) {
+                        this.logout({
+                            openUrl: false
+                        });
+                    }
                 }
                 throw e;
             }
@@ -8153,5 +8338,5 @@
     Object.defineProperty(exports, "__esModule", {
         value: true
     });
-}));
+});
 //# sourceMappingURL=auth0-spa-js.development.js.map