@auth0/auth0-spa-js 2.16.0 → 2.17.1

package/dist/lib/auth0-spa-js.cjs.js

@@ -18,7 +18,7 @@ typeof SuppressedError === "function" ? SuppressedError : function(error, suppre
     return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
 };
 
-var version = "2.16.0";
+var version = "2.17.1";
 
 const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
 
@@ -40,6 +40,8 @@ const INVALID_REFRESH_TOKEN_ERROR_MESSAGE = "invalid refresh token";
 
 const USER_BLOCKED_ERROR_MESSAGE = "user is blocked";
 
+const MFA_STEP_UP_ERROR_DESCRIPTION = "Multifactor authentication required";
+
 const DEFAULT_SCOPE = "openid profile email";
 
 const DEFAULT_SESSION_CHECK_EXPIRY_DAYS = 1;
@@ -173,7 +175,7 @@ const parseAuthenticationResult = queryString => {
 
 const runIframe = function runIframe(authorizeUrl, eventOrigin) {
     let timeoutInSeconds = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS;
-    return new Promise(((res, rej) => {
+    return new Promise((res, rej) => {
         const iframe = window.document.createElement("iframe");
         iframe.setAttribute("width", "0");
         iframe.setAttribute("height", "0");
@@ -185,10 +187,10 @@ const runIframe = function runIframe(authorizeUrl, eventOrigin) {
             }
         };
         let _iframeEventHandler;
-        const timeoutSetTimeoutId = setTimeout((() => {
+        const timeoutSetTimeoutId = setTimeout(() => {
             rej(new TimeoutError);
             removeIframe();
-        }), timeoutInSeconds * 1e3);
+        }, timeoutInSeconds * 1e3);
         _iframeEventHandler = function iframeEventHandler(e) {
             if (e.origin != eventOrigin) return;
             if (!e.data || e.data.type !== "authorization_response") return;
@@ -204,7 +206,7 @@ const runIframe = function runIframe(authorizeUrl, eventOrigin) {
         window.addEventListener("message", _iframeEventHandler, false);
         window.document.body.appendChild(iframe);
         iframe.setAttribute("src", authorizeUrl);
-    }));
+    });
 };
 
 const openPopup = url => {
@@ -215,21 +217,21 @@ const openPopup = url => {
     return window.open(url, "auth0:authorize:popup", "left=".concat(left, ",top=").concat(top, ",width=").concat(width, ",height=").concat(height, ",resizable,scrollbars=yes,status=1"));
 };
 
-const runPopup = config => new Promise(((resolve, reject) => {
+const runPopup = config => new Promise((resolve, reject) => {
     let _popupEventListener;
-    const popupTimer = setInterval((() => {
+    const popupTimer = setInterval(() => {
         if (config.popup && config.popup.closed) {
             clearInterval(popupTimer);
             clearTimeout(timeoutId);
             window.removeEventListener("message", _popupEventListener, false);
             reject(new PopupCancelledError(config.popup));
         }
-    }), 1e3);
-    const timeoutId = setTimeout((() => {
+    }, 1e3);
+    const timeoutId = setTimeout(() => {
         clearInterval(popupTimer);
         reject(new PopupTimeoutError(config.popup));
         window.removeEventListener("message", _popupEventListener, false);
-    }), (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
+    }, (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
     _popupEventListener = function popupEventListener(e) {
         if (!e.data || e.data.type !== "authorization_response") {
             return;
@@ -246,7 +248,7 @@ const runPopup = config => new Promise(((resolve, reject) => {
         resolve(e.data.response);
     };
     window.addEventListener("message", _popupEventListener);
-}));
+});
 
 const getCrypto = () => window.crypto;
 
@@ -254,15 +256,15 @@ const createRandomString = () => {
     const charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";
     let random = "";
     const randomValues = Array.from(getCrypto().getRandomValues(new Uint8Array(43)));
-    randomValues.forEach((v => random += charset[v % charset.length]));
+    randomValues.forEach(v => random += charset[v % charset.length]);
     return random;
 };
 
 const encode$2 = value => btoa(value);
 
-const stripUndefined = params => Object.keys(params).filter((k => typeof params[k] !== "undefined")).reduce(((acc, key) => Object.assign(Object.assign({}, acc), {
+const stripUndefined = params => Object.keys(params).filter(k => typeof params[k] !== "undefined").reduce((acc, key) => Object.assign(Object.assign({}, acc), {
     [key]: params[key]
-})), {});
+}), {});
 
 const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
     key: "name",
@@ -277,16 +279,16 @@ const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
 
 const stripAuth0Client = function stripAuth0Client(auth0Client) {
     let excludeEnv = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
-    return Object.keys(auth0Client).reduce(((acc, key) => {
+    return Object.keys(auth0Client).reduce((acc, key) => {
         if (excludeEnv && key === "env") {
             return acc;
         }
-        const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
+        const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find(p => p.key === key);
         if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
             acc[key] = auth0Client[key];
         }
         return acc;
-    }), {});
+    }, {});
 };
 
 const createQueryParams = _a => {
@@ -309,10 +311,10 @@ const urlEncodeB64 = input => {
         "/": "_",
         "=": ""
     };
-    return input.replace(/[+/=]/g, (m => b64Chars[m]));
+    return input.replace(/[+/=]/g, m => b64Chars[m]);
 };
 
-const decodeB64 = input => decodeURIComponent(atob(input).split("").map((c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2))).join(""));
+const decodeB64 = input => decodeURIComponent(atob(input).split("").map(c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join(""));
 
 const urlDecodeB64 = input => decodeB64(input.replace(/_/g, "/").replace(/-/g, "+"));
 
@@ -351,11 +353,11 @@ const parseNumber = value => {
     return parseInt(value, 10) || undefined;
 };
 
-const fromEntries = iterable => [ ...iterable ].reduce(((obj, _ref) => {
+const fromEntries = iterable => [ ...iterable ].reduce((obj, _ref) => {
     let [key, val] = _ref;
     obj[key] = val;
     return obj;
-}), {});
+}, {});
 
 var commonjsGlobal = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : {};
 
@@ -390,14 +392,14 @@ var ProcessLocking = function() {
             return _this.locked.has(key);
         };
         this.lock = function(key) {
-            return new Promise((function(resolve, reject) {
+            return new Promise(function(resolve, reject) {
                 if (_this.isLocked(key)) {
                     _this.addToLocked(key, resolve);
                 } else {
                     _this.addToLocked(key);
                     resolve();
                 }
-            }));
+            });
         };
         this.unlock = function(key) {
             var callbacks = _this.locked.get(key);
@@ -428,7 +430,7 @@ function getLock() {
 processLock.default = getLock;
 
 var __awaiter = commonjsGlobal && commonjsGlobal.__awaiter || function(thisArg, _arguments, P, generator) {
-    return new (P || (P = Promise))((function(resolve, reject) {
+    return new (P || (P = Promise))(function(resolve, reject) {
         function fulfilled(value) {
             try {
                 step(generator.next(value));
@@ -444,12 +446,12 @@ var __awaiter = commonjsGlobal && commonjsGlobal.__awaiter || function(thisArg,
             }
         }
         function step(result) {
-            result.done ? resolve(result.value) : new P((function(resolve) {
+            result.done ? resolve(result.value) : new P(function(resolve) {
                 resolve(result.value);
-            })).then(fulfilled, rejected);
+            }).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
-    }));
+    });
 };
 
 var __generator = commonjsGlobal && commonjsGlobal.__generator || function(thisArg, body) {
@@ -554,39 +556,39 @@ var LOCK_STORAGE_KEY = "browser-tabs-lock-key";
 
 var DEFAULT_STORAGE_HANDLER = {
     key: function(index) {
-        return __awaiter(_this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(_this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 throw new Error("Unsupported");
-            }));
-        }));
+            });
+        });
     },
     getItem: function(key) {
-        return __awaiter(_this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(_this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 throw new Error("Unsupported");
-            }));
-        }));
+            });
+        });
     },
     clear: function() {
-        return __awaiter(_this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(_this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 return [ 2, window.localStorage.clear() ];
-            }));
-        }));
+            });
+        });
     },
     removeItem: function(key) {
-        return __awaiter(_this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(_this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 throw new Error("Unsupported");
-            }));
-        }));
+            });
+        });
     },
     setItem: function(key, value) {
-        return __awaiter(_this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(_this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 throw new Error("Unsupported");
-            }));
-        }));
+            });
+        });
     },
     keySync: function(index) {
         return window.localStorage.key(index);
@@ -606,9 +608,9 @@ var DEFAULT_STORAGE_HANDLER = {
 };
 
 function delay(milliseconds) {
-    return new Promise((function(resolve) {
+    return new Promise(function(resolve) {
         return setTimeout(resolve, milliseconds);
-    }));
+    });
 }
 
 function generateRandomString(length) {
@@ -644,9 +646,9 @@ var SuperTokensLock = function() {
         if (timeout === void 0) {
             timeout = 5e3;
         }
-        return __awaiter(this, void 0, void 0, (function() {
+        return __awaiter(this, void 0, void 0, function() {
             var iat, MAX_TIME, STORAGE_KEY, STORAGE, lockObj, TIMEOUT_KEY, lockObjPostDelay, parsedLockObjPostDelay;
-            return __generator(this, (function(_a) {
+            return __generator(this, function(_a) {
                 switch (_a.label) {
                   case 0:
                     iat = Date.now() + generateRandomString(4);
@@ -705,17 +707,17 @@ var SuperTokensLock = function() {
                   case 8:
                     return [ 2, false ];
                 }
-            }));
-        }));
+            });
+        });
     };
     SuperTokensLock.prototype.refreshLockWhileAcquired = function(storageKey, iat) {
-        return __awaiter(this, void 0, void 0, (function() {
+        return __awaiter(this, void 0, void 0, function() {
             var _this = this;
-            return __generator(this, (function(_a) {
-                setTimeout((function() {
-                    return __awaiter(_this, void 0, void 0, (function() {
+            return __generator(this, function(_a) {
+                setTimeout(function() {
+                    return __awaiter(_this, void 0, void 0, function() {
                         var STORAGE, lockObj, parsedLockObj;
-                        return __generator(this, (function(_a) {
+                        return __generator(this, function(_a) {
                             switch (_a.label) {
                               case 0:
                                 return [ 4, processLock_1.default().lock(iat) ];
@@ -740,19 +742,19 @@ var SuperTokensLock = function() {
                                 this.refreshLockWhileAcquired(storageKey, iat);
                                 return [ 2 ];
                             }
-                        }));
-                    }));
-                }), 1e3);
+                        });
+                    });
+                }, 1e3);
                 return [ 2 ];
-            }));
-        }));
+            });
+        });
     };
     SuperTokensLock.prototype.waitForSomethingToChange = function(MAX_TIME) {
-        return __awaiter(this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 switch (_a.label) {
                   case 0:
-                    return [ 4, new Promise((function(resolve) {
+                    return [ 4, new Promise(function(resolve) {
                         var resolvedCalled = false;
                         var startedAt = Date.now();
                         var MIN_TIME_TO_WAIT = 50;
@@ -777,14 +779,14 @@ var SuperTokensLock = function() {
                         window.addEventListener("storage", stopWaiting);
                         SuperTokensLock.addToWaiting(stopWaiting);
                         var timeOutId = setTimeout(stopWaiting, Math.max(0, MAX_TIME - Date.now()));
-                    })) ];
+                    }) ];
 
                   case 1:
                     _a.sent();
                     return [ 2 ];
                 }
-            }));
-        }));
+            });
+        });
     };
     SuperTokensLock.addToWaiting = function(func) {
         this.removeFromWaiting(func);
@@ -797,22 +799,22 @@ var SuperTokensLock = function() {
         if (SuperTokensLock.waiters === undefined) {
             return;
         }
-        SuperTokensLock.waiters = SuperTokensLock.waiters.filter((function(i) {
+        SuperTokensLock.waiters = SuperTokensLock.waiters.filter(function(i) {
             return i !== func;
-        }));
+        });
     };
     SuperTokensLock.notifyWaiters = function() {
         if (SuperTokensLock.waiters === undefined) {
             return;
         }
         var waiters = SuperTokensLock.waiters.slice();
-        waiters.forEach((function(i) {
+        waiters.forEach(function(i) {
             return i();
-        }));
+        });
     };
     SuperTokensLock.prototype.releaseLock = function(lockKey) {
-        return __awaiter(this, void 0, void 0, (function() {
-            return __generator(this, (function(_a) {
+        return __awaiter(this, void 0, void 0, function() {
+            return __generator(this, function(_a) {
                 switch (_a.label) {
                   case 0:
                     return [ 4, this.releaseLock__private__(lockKey) ];
@@ -820,13 +822,13 @@ var SuperTokensLock = function() {
                   case 1:
                     return [ 2, _a.sent() ];
                 }
-            }));
-        }));
+            });
+        });
     };
     SuperTokensLock.prototype.releaseLock__private__ = function(lockKey) {
-        return __awaiter(this, void 0, void 0, (function() {
+        return __awaiter(this, void 0, void 0, function() {
             var STORAGE, STORAGE_KEY, lockObj, parsedlockObj;
-            return __generator(this, (function(_a) {
+            return __generator(this, function(_a) {
                 switch (_a.label) {
                   case 0:
                     STORAGE = this.storageHandler === undefined ? DEFAULT_STORAGE_HANDLER : this.storageHandler;
@@ -850,8 +852,8 @@ var SuperTokensLock = function() {
                   case 2:
                     return [ 2 ];
                 }
-            }));
-        }));
+            });
+        });
     };
     SuperTokensLock.lockCorrector = function(storageHandler) {
         var MIN_ALLOWED_TIME = Date.now() - 5e3;
@@ -893,16 +895,16 @@ var _default = browserTabsLock.default = SuperTokensLock;
 class WebLocksApiManager {
     async runWithLock(key, timeout, callback) {
         const controller = new AbortController;
-        const timeoutId = setTimeout((() => controller.abort()), timeout);
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
         try {
             return await navigator.locks.request(key, {
                 mode: "exclusive",
                 signal: controller.signal
-            }, (async lock => {
+            }, async lock => {
                 clearTimeout(timeoutId);
                 if (!lock) throw new Error("Lock not available");
                 return await callback();
-            }));
+            });
         } catch (error) {
             clearTimeout(timeoutId);
             if ((error === null || error === void 0 ? void 0 : error.name) === "AbortError") throw new TimeoutError;
@@ -916,7 +918,7 @@ class LegacyLockManager {
         this.activeLocks = new Set;
         this.lock = new _default;
         this.pagehideHandler = () => {
-            this.activeLocks.forEach((key => this.lock.releaseLock(key)));
+            this.activeLocks.forEach(key => this.lock.releaseLock(key));
             this.activeLocks.clear();
         };
     }
@@ -1304,7 +1306,7 @@ function isGrantTypeSupported(grantType) {
     return SUPPORTED_GRANT_TYPES.includes(grantType);
 }
 
-const sendMessage = (message, to) => new Promise((function(resolve, reject) {
+const sendMessage = (message, to) => new Promise(function(resolve, reject) {
     const messageChannel = new MessageChannel;
     messageChannel.port1.onmessage = function(event) {
         if (event.data.error) {
@@ -1315,7 +1317,7 @@ const sendMessage = (message, to) => new Promise((function(resolve, reject) {
         messageChannel.port1.close();
     };
     to.postMessage(message, [ messageChannel.port2 ]);
-}));
+});
 
 const createAbortController = () => new AbortController;
 
@@ -1332,14 +1334,14 @@ const fetchWithoutWorker = async (fetchUrl, fetchOptions, timeout) => {
     const controller = createAbortController();
     fetchOptions.signal = controller.signal;
     let timeoutId;
-    return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise(((_, reject) => {
-        timeoutId = setTimeout((() => {
+    return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise((_, reject) => {
+        timeoutId = setTimeout(() => {
             controller.abort();
             reject(new Error("Timeout when executing 'fetch'"));
-        }), timeout);
-    })) ]).finally((() => {
+        }, timeout);
+    }) ]).finally(() => {
         clearTimeout(timeoutId);
-    }));
+    });
 };
 
 const fetchWithWorker = async (fetchUrl, audience, scope, fetchOptions, timeout, worker, useFormData, useMrrt) => sendMessage({
@@ -1461,10 +1463,10 @@ const injectDefaultScopes = function injectDefaultScopes(authScopes, openIdScope
     let requestedScopes = {
         [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, ...extraScopes)
     };
-    Object.keys(authScopes).forEach((key => {
+    Object.keys(authScopes).forEach(key => {
         const audienceScopes = authScopes[key];
         requestedScopes[key] = getUniqueScopes(openIdScope, audienceScopes, ...extraScopes);
-    }));
+    });
     return requestedScopes;
 };
 
@@ -1532,7 +1534,7 @@ class LocalStorageCache {
         localStorage.removeItem(key);
     }
     allKeys() {
-        return Object.keys(window.localStorage).filter((key => key.startsWith(CACHE_KEY_PREFIX)));
+        return Object.keys(window.localStorage).filter(key => key.startsWith(CACHE_KEY_PREFIX));
     }
 }
 
@@ -1670,10 +1672,10 @@ class CacheManager {
         var _a;
         const keys = await this.getCacheKeys();
         if (!keys) return;
-        await keys.filter((key => clientId ? key.includes(clientId) : true)).reduce((async (memo, key) => {
+        await keys.filter(key => clientId ? key.includes(clientId) : true).reduce(async (memo, key) => {
             await memo;
             await this.cache.remove(key);
-        }), Promise.resolve());
+        }, Promise.resolve());
         await ((_a = this.keyManifest) === null || _a === void 0 ? void 0 : _a.clear());
     }
     async wrapCacheEntry(entry) {
@@ -1698,14 +1700,14 @@ class CacheManager {
         }, CACHE_KEY_PREFIX, CACHE_KEY_ID_TOKEN_SUFFIX).toKey();
     }
     matchExistingCacheKey(keyToMatch, allKeys) {
-        return allKeys.filter((key => {
+        return allKeys.filter(key => {
             var _a;
             const cacheKey = CacheKey.fromKey(key);
             const scopeSet = new Set(cacheKey.scope && cacheKey.scope.split(" "));
             const scopesToMatch = ((_a = keyToMatch.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
-            const hasAllScopes = cacheKey.scope && scopesToMatch.reduce(((acc, current) => acc && scopeSet.has(current)), true);
+            const hasAllScopes = cacheKey.scope && scopesToMatch.reduce((acc, current) => acc && scopeSet.has(current), true);
             return cacheKey.prefix === CACHE_KEY_PREFIX && cacheKey.clientId === keyToMatch.clientId && cacheKey.audience === keyToMatch.audience && hasAllScopes;
-        }))[0];
+        })[0];
     }
     async getEntryWithRefreshToken(keyToMatch, allKeys) {
         var _a;
@@ -1774,12 +1776,12 @@ const decode$1 = token => {
         __raw: token
     };
     const user = {};
-    Object.keys(payloadJSON).forEach((k => {
+    Object.keys(payloadJSON).forEach(k => {
         claims[k] = payloadJSON[k];
         if (!idTokendecoded.includes(k)) {
             user[k] = payloadJSON[k];
         }
-    }));
+    });
     return {
         encoded: {
             header: header,
@@ -2095,17 +2097,17 @@ function createBase64WorkerFactory(base64, sourcemapArg, enableUnicodeArg) {
     };
 }
 
-var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoKGsgPT4gdHlwZW9mIHBhcmFtc1trXSAhPT0gInVuZGVmaW5lZCIpKS5yZWR1Y2UoKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSksIHt9KTsKICAgIGNvbnN0IGNyZWF0ZVF1ZXJ5UGFyYW1zID0gX2EgPT4gewogICAgICAgIHZhciB7Y2xpZW50SWQ6IGNsaWVudF9pZH0gPSBfYSwgcGFyYW1zID0gX19yZXN0KF9hLCBbICJjbGllbnRJZCIgXSk7CiAgICAgICAgcmV0dXJuIG5ldyBVUkxTZWFyY2hQYXJhbXMoc3RyaXBVbmRlZmluZWQoT2JqZWN0LmFzc2lnbih7CiAgICAgICAgICAgIGNsaWVudF9pZDogY2xpZW50X2lkCiAgICAgICAgfSwgcGFyYW1zKSkpLnRvU3RyaW5nKCk7CiAgICB9OwogICAgY29uc3QgZnJvbUVudHJpZXMgPSBpdGVyYWJsZSA9PiBbIC4uLml0ZXJhYmxlIF0ucmVkdWNlKCgob2JqLCBfcmVmKSA9PiB7CiAgICAgICAgbGV0IFtrZXksIHZhbF0gPSBfcmVmOwogICAgICAgIG9ialtrZXldID0gdmFsOwogICAgICAgIHJldHVybiBvYmo7CiAgICB9KSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmVzaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZSgocmVzb2x2ZSA9PiBzZXRUaW1lb3V0KHJlc29sdmUsIHRpbWUpKSk7CiAgICBjb25zdCBmb3JtRGF0YVRvT2JqZWN0ID0gZm9ybURhdGEgPT4gewogICAgICAgIGNvbnN0IHF1ZXJ5UGFyYW1zID0gbmV3IFVSTFNlYXJjaFBhcmFtcyhmb3JtRGF0YSk7CiAgICAgICAgY29uc3QgcGFyc2VkUXVlcnkgPSB7fTsKICAgICAgICBxdWVyeVBhcmFtcy5mb3JFYWNoKCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KSk7CiAgICAgICAgcmV0dXJuIHBhcnNlZFF1ZXJ5OwogICAgfTsKICAgIGNvbnN0IHVwZGF0ZVJlZnJlc2hUb2tlbnMgPSAob2xkUmVmcmVzaFRva2VuLCBuZXdSZWZyZXNoVG9rZW4pID0+IHsKICAgICAgICBPYmplY3QuZW50cmllcyhyZWZyZXNoVG9rZW5zKS5mb3JFYWNoKChfcmVmID0+IHsKICAgICAgICAgICAgbGV0IFtrZXksIHRva2VuXSA9IF9yZWY7CiAgICAgICAgICAgIGlmICh0b2tlbiA9PT0gb2xkUmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICByZWZyZXNoVG9rZW5zW2tleV0gPSBuZXdSZWZyZXNoVG9rZW47CiAgICAgICAgICAgIH0KICAgICAgICB9KSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKChrZXkgPT4gewogICAgICAgICAgICBpZiAoa2V5ICE9PSAibGF0ZXN0X3JlZnJlc2hfdG9rZW4iKSB7CiAgICAgICAgICAgICAgICBjb25zdCBpc1NhbWVBdWRpZW5jZSA9IGNhY2hlS2V5Q29udGFpbnNBdWRpZW5jZShhdWRpZW5jZSwga2V5KTsKICAgICAgICAgICAgICAgIGNvbnN0IHNjb3Blc0tleSA9IGtleS5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCByZXF1ZXN0ZWRTY29wZXMgPSBzY29wZS5zcGxpdCgiICIpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzQXJlSW5jbHVkZWQgPSByZXF1ZXN0ZWRTY29wZXMuZXZlcnkoKGtleSA9PiBzY29wZXNLZXkuaW5jbHVkZXMoa2V5KSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSkpOwogICAgICAgIHJldHVybiBmaW5kQ29pbmNpZGVuY2UgPyB0cnVlIDogZmFsc2U7CiAgICB9OwogICAgY29uc3QgbWVzc2FnZUhhbmRsZXIgPSBhc3luYyBfcmVmMiA9PiB7CiAgICAgICAgbGV0IHtkYXRhOiB7dGltZW91dDogdGltZW91dCwgYXV0aDogYXV0aCwgZmV0Y2hVcmw6IGZldGNoVXJsLCBmZXRjaE9wdGlvbnM6IGZldGNoT3B0aW9ucywgdXNlRm9ybURhdGE6IHVzZUZvcm1EYXRhLCB1c2VNcnJ0OiB1c2VNcnJ0fSwgcG9ydHM6IFtwb3J0XX0gPSBfcmVmMjsKICAgICAgICBsZXQgaGVhZGVycyA9IHt9OwogICAgICAgIGxldCBqc29uOwogICAgICAgIGxldCByZWZyZXNoVG9rZW47CiAgICAgICAgY29uc3Qge2F1ZGllbmNlOiBhdWRpZW5jZSwgc2NvcGU6IHNjb3BlfSA9IGF1dGggfHwge307CiAgICAgICAgdHJ5IHsKICAgICAgICAgICAgY29uc3QgYm9keSA9IHVzZUZvcm1EYXRhID8gZm9ybURhdGFUb09iamVjdChmZXRjaE9wdGlvbnMuYm9keSkgOiBKU09OLnBhcnNlKGZldGNoT3B0aW9ucy5ib2R5KTsKICAgICAgICAgICAgaWYgKCFib2R5LnJlZnJlc2hfdG9rZW4gJiYgYm9keS5ncmFudF90eXBlID09PSAicmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGdldFJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgaWYgKCFyZWZyZXNoVG9rZW4gJiYgdXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIGNvbnN0IGxhdGVzdFJlZnJlc2hUb2tlbiA9IHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl07CiAgICAgICAgICAgICAgICAgICAgY29uc3QgaXNEb3duc2NvcGluZyA9IGNoZWNrRG93bnNjb3Bpbmcoc2NvcGUsIGF1ZGllbmNlKTsKICAgICAgICAgICAgICAgICAgICBpZiAobGF0ZXN0UmVmcmVzaFRva2VuICYmICFpc0Rvd25zY29waW5nKSB7CiAgICAgICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGxhdGVzdFJlZnJlc2hUb2tlbjsKICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgICAgIHRocm93IG5ldyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IoYXVkaWVuY2UsIHNjb3BlKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5ib2R5ID0gdXNlRm9ybURhdGEgPyBjcmVhdGVRdWVyeVBhcmFtcyhPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSkgOiBKU09OLnN0cmluZ2lmeShPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgbGV0IGFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgaWYgKHR5cGVvZiBBYm9ydENvbnRyb2xsZXIgPT09ICJmdW5jdGlvbiIpIHsKICAgICAgICAgICAgICAgIGFib3J0Q29udHJvbGxlciA9IG5ldyBBYm9ydENvbnRyb2xsZXI7CiAgICAgICAgICAgICAgICBmZXRjaE9wdGlvbnMuc2lnbmFsID0gYWJvcnRDb250cm9sbGVyLnNpZ25hbDsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgcmVzcG9uc2U7CiAgICAgICAgICAgIHRyeSB7CiAgICAgICAgICAgICAgICByZXNwb25zZSA9IGF3YWl0IFByb21pc2UucmFjZShbIHdhaXQodGltZW91dCksIGZldGNoKGZldGNoVXJsLCBPYmplY3QuYXNzaWduKHt9LCBmZXRjaE9wdGlvbnMpKSBdKTsKICAgICAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBpZiAoIXJlc3BvbnNlKSB7CiAgICAgICAgICAgICAgICBpZiAoYWJvcnRDb250cm9sbGVyKSBhYm9ydENvbnRyb2xsZXIuYWJvcnQoKTsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiAiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIgogICAgICAgICAgICAgICAgfSk7CiAgICAgICAgICAgICAgICByZXR1cm47CiAgICAgICAgICAgIH0KICAgICAgICAgICAgaGVhZGVycyA9IGZyb21FbnRyaWVzKHJlc3BvbnNlLmhlYWRlcnMpOwogICAgICAgICAgICBqc29uID0gYXdhaXQgcmVzcG9uc2UuanNvbigpOwogICAgICAgICAgICBpZiAoanNvbi5yZWZyZXNoX3Rva2VuKSB7CiAgICAgICAgICAgICAgICBpZiAodXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl0gPSBqc29uLnJlZnJlc2hfdG9rZW47CiAgICAgICAgICAgICAgICAgICAgdXBkYXRlUmVmcmVzaFRva2VucyhyZWZyZXNoVG9rZW4sIGpzb24ucmVmcmVzaF90b2tlbik7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBzZXRSZWZyZXNoVG9rZW4oanNvbi5yZWZyZXNoX3Rva2VuLCBhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgZGVsZXRlIGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgIGRlbGV0ZVJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICB9CiAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgb2s6IHJlc3BvbnNlLm9rLAogICAgICAgICAgICAgICAganNvbjoganNvbiwKICAgICAgICAgICAgICAgIGhlYWRlcnM6IGhlYWRlcnMKICAgICAgICAgICAgfSk7CiAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogZmFsc2UsCiAgICAgICAgICAgICAgICBqc29uOiB7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLmVycm9yLAogICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9CiAgICB9OwogICAgewogICAgICAgIGFkZEV2ZW50TGlzdGVuZXIoIm1lc3NhZ2UiLCBtZXNzYWdlSGFuZGxlcik7CiAgICB9Cn0pKCk7Cgo=", null, false);
+var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoayA9PiB0eXBlb2YgcGFyYW1zW2tdICE9PSAidW5kZWZpbmVkIikucmVkdWNlKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSwge30pOwogICAgY29uc3QgY3JlYXRlUXVlcnlQYXJhbXMgPSBfYSA9PiB7CiAgICAgICAgdmFyIHtjbGllbnRJZDogY2xpZW50X2lkfSA9IF9hLCBwYXJhbXMgPSBfX3Jlc3QoX2EsIFsgImNsaWVudElkIiBdKTsKICAgICAgICByZXR1cm4gbmV3IFVSTFNlYXJjaFBhcmFtcyhzdHJpcFVuZGVmaW5lZChPYmplY3QuYXNzaWduKHsKICAgICAgICAgICAgY2xpZW50X2lkOiBjbGllbnRfaWQKICAgICAgICB9LCBwYXJhbXMpKSkudG9TdHJpbmcoKTsKICAgIH07CiAgICBjb25zdCBmcm9tRW50cmllcyA9IGl0ZXJhYmxlID0+IFsgLi4uaXRlcmFibGUgXS5yZWR1Y2UoKG9iaiwgX3JlZikgPT4gewogICAgICAgIGxldCBba2V5LCB2YWxdID0gX3JlZjsKICAgICAgICBvYmpba2V5XSA9IHZhbDsKICAgICAgICByZXR1cm4gb2JqOwogICAgfSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmVzaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZShyZXNvbHZlID0+IHNldFRpbWVvdXQocmVzb2x2ZSwgdGltZSkpOwogICAgY29uc3QgZm9ybURhdGFUb09iamVjdCA9IGZvcm1EYXRhID0+IHsKICAgICAgICBjb25zdCBxdWVyeVBhcmFtcyA9IG5ldyBVUkxTZWFyY2hQYXJhbXMoZm9ybURhdGEpOwogICAgICAgIGNvbnN0IHBhcnNlZFF1ZXJ5ID0ge307CiAgICAgICAgcXVlcnlQYXJhbXMuZm9yRWFjaCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KTsKICAgICAgICByZXR1cm4gcGFyc2VkUXVlcnk7CiAgICB9OwogICAgY29uc3QgdXBkYXRlUmVmcmVzaFRva2VucyA9IChvbGRSZWZyZXNoVG9rZW4sIG5ld1JlZnJlc2hUb2tlbikgPT4gewogICAgICAgIE9iamVjdC5lbnRyaWVzKHJlZnJlc2hUb2tlbnMpLmZvckVhY2goX3JlZiA9PiB7CiAgICAgICAgICAgIGxldCBba2V5LCB0b2tlbl0gPSBfcmVmOwogICAgICAgICAgICBpZiAodG9rZW4gPT09IG9sZFJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1trZXldID0gbmV3UmVmcmVzaFRva2VuOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKGtleSA9PiB7CiAgICAgICAgICAgIGlmIChrZXkgIT09ICJsYXRlc3RfcmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIGNvbnN0IGlzU2FtZUF1ZGllbmNlID0gY2FjaGVLZXlDb250YWluc0F1ZGllbmNlKGF1ZGllbmNlLCBrZXkpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzS2V5ID0ga2V5LnNwbGl0KCJ8IilbMV0uc3BsaXQoIiAiKTsKICAgICAgICAgICAgICAgIGNvbnN0IHJlcXVlc3RlZFNjb3BlcyA9IHNjb3BlLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCBzY29wZXNBcmVJbmNsdWRlZCA9IHJlcXVlc3RlZFNjb3Blcy5ldmVyeShrZXkgPT4gc2NvcGVzS2V5LmluY2x1ZGVzKGtleSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICAgICAgcmV0dXJuIGZpbmRDb2luY2lkZW5jZSA/IHRydWUgOiBmYWxzZTsKICAgIH07CiAgICBjb25zdCBtZXNzYWdlSGFuZGxlciA9IGFzeW5jIF9yZWYyID0+IHsKICAgICAgICBsZXQge2RhdGE6IHt0aW1lb3V0OiB0aW1lb3V0LCBhdXRoOiBhdXRoLCBmZXRjaFVybDogZmV0Y2hVcmwsIGZldGNoT3B0aW9uczogZmV0Y2hPcHRpb25zLCB1c2VGb3JtRGF0YTogdXNlRm9ybURhdGEsIHVzZU1ycnQ6IHVzZU1ycnR9LCBwb3J0czogW3BvcnRdfSA9IF9yZWYyOwogICAgICAgIGxldCBoZWFkZXJzID0ge307CiAgICAgICAgbGV0IGpzb247CiAgICAgICAgbGV0IHJlZnJlc2hUb2tlbjsKICAgICAgICBjb25zdCB7YXVkaWVuY2U6IGF1ZGllbmNlLCBzY29wZTogc2NvcGV9ID0gYXV0aCB8fCB7fTsKICAgICAgICB0cnkgewogICAgICAgICAgICBjb25zdCBib2R5ID0gdXNlRm9ybURhdGEgPyBmb3JtRGF0YVRvT2JqZWN0KGZldGNoT3B0aW9ucy5ib2R5KSA6IEpTT04ucGFyc2UoZmV0Y2hPcHRpb25zLmJvZHkpOwogICAgICAgICAgICBpZiAoIWJvZHkucmVmcmVzaF90b2tlbiAmJiBib2R5LmdyYW50X3R5cGUgPT09ICJyZWZyZXNoX3Rva2VuIikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gZ2V0UmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbiAmJiB1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgY29uc3QgbGF0ZXN0UmVmcmVzaFRva2VuID0gcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXTsKICAgICAgICAgICAgICAgICAgICBjb25zdCBpc0Rvd25zY29waW5nID0gY2hlY2tEb3duc2NvcGluZyhzY29wZSwgYXVkaWVuY2UpOwogICAgICAgICAgICAgICAgICAgIGlmIChsYXRlc3RSZWZyZXNoVG9rZW4gJiYgIWlzRG93bnNjb3BpbmcpIHsKICAgICAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gbGF0ZXN0UmVmcmVzaFRva2VuOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGlmICghcmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvcihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgZmV0Y2hPcHRpb25zLmJvZHkgPSB1c2VGb3JtRGF0YSA/IGNyZWF0ZVF1ZXJ5UGFyYW1zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKSA6IEpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKTsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgYWJvcnRDb250cm9sbGVyOwogICAgICAgICAgICBpZiAodHlwZW9mIEFib3J0Q29udHJvbGxlciA9PT0gImZ1bmN0aW9uIikgewogICAgICAgICAgICAgICAgYWJvcnRDb250cm9sbGVyID0gbmV3IEFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5zaWduYWwgPSBhYm9ydENvbnRyb2xsZXIuc2lnbmFsOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGxldCByZXNwb25zZTsKICAgICAgICAgICAgdHJ5IHsKICAgICAgICAgICAgICAgIHJlc3BvbnNlID0gYXdhaXQgUHJvbWlzZS5yYWNlKFsgd2FpdCh0aW1lb3V0KSwgZmV0Y2goZmV0Y2hVcmwsIE9iamVjdC5hc3NpZ24oe30sIGZldGNoT3B0aW9ucykpIF0pOwogICAgICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGlmICghcmVzcG9uc2UpIHsKICAgICAgICAgICAgICAgIGlmIChhYm9ydENvbnRyb2xsZXIpIGFib3J0Q29udHJvbGxlci5hYm9ydCgpOwogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6ICJUaW1lb3V0IHdoZW4gZXhlY3V0aW5nICdmZXRjaCciCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBoZWFkZXJzID0gZnJvbUVudHJpZXMocmVzcG9uc2UuaGVhZGVycyk7CiAgICAgICAgICAgIGpzb24gPSBhd2FpdCByZXNwb25zZS5qc29uKCk7CiAgICAgICAgICAgIGlmIChqc29uLnJlZnJlc2hfdG9rZW4pIHsKICAgICAgICAgICAgICAgIGlmICh1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXSA9IGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgICAgICAgICB1cGRhdGVSZWZyZXNoVG9rZW5zKHJlZnJlc2hUb2tlbiwganNvbi5yZWZyZXNoX3Rva2VuKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIHNldFJlZnJlc2hUb2tlbihqc29uLnJlZnJlc2hfdG9rZW4sIGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBkZWxldGUganNvbi5yZWZyZXNoX3Rva2VuOwogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgZGVsZXRlUmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogcmVzcG9uc2Uub2ssCiAgICAgICAgICAgICAgICBqc29uOiBqc29uLAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICBwb3J0LnBvc3RNZXNzYWdlKHsKICAgICAgICAgICAgICAgIG9rOiBmYWxzZSwKICAgICAgICAgICAgICAgIGpzb246IHsKICAgICAgICAgICAgICAgICAgICBlcnJvcjogZXJyb3IuZXJyb3IsCiAgICAgICAgICAgICAgICAgICAgZXJyb3JfZGVzY3JpcHRpb246IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICBoZWFkZXJzOiBoZWFkZXJzCiAgICAgICAgICAgIH0pOwogICAgICAgIH0KICAgIH07CiAgICB7CiAgICAgICAgYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIG1lc3NhZ2VIYW5kbGVyKTsKICAgIH0KfSkoKTsKCg==", null, false);
 
 const singlePromiseMap = {};
 
 const singlePromise = (cb, key) => {
     let promise = singlePromiseMap[key];
     if (!promise) {
-        promise = cb().finally((() => {
+        promise = cb().finally(() => {
             delete singlePromiseMap[key];
             promise = null;
-        }));
+        });
         singlePromiseMap[key] = promise;
     }
     return promise;
@@ -2195,13 +2197,13 @@ const patchOpenUrlWithOnRedirect = options => {
 const allScopesAreIncluded = (scopeToInclude, scopes) => {
     const scopeGroup = (scopes === null || scopes === void 0 ? void 0 : scopes.split(" ")) || [];
     const scopesToInclude = (scopeToInclude === null || scopeToInclude === void 0 ? void 0 : scopeToInclude.split(" ")) || [];
-    return scopesToInclude.every((key => scopeGroup.includes(key)));
+    return scopesToInclude.every(key => scopeGroup.includes(key));
 };
 
 const getMissingScopes = (requestedScope, respondedScope) => {
     const requestedScopes = (requestedScope === null || requestedScope === void 0 ? void 0 : requestedScope.split(" ")) || [];
     const respondedScopes = (respondedScope === null || respondedScope === void 0 ? void 0 : respondedScope.split(" ")) || [];
-    const missingScopes = requestedScopes.filter((scope => respondedScopes.indexOf(scope) == -1));
+    const missingScopes = requestedScopes.filter(scope => respondedScopes.indexOf(scope) == -1);
     return missingScopes.join(",");
 };
 
@@ -2213,7 +2215,7 @@ const getScopeToRequest = (useMrrt, authorizationParams, cachedAudience, cachedS
         }
         const cachedScopes = cachedScope.split(" ");
         const newScopes = ((_a = authorizationParams.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
-        const newScopesAreIncluded = newScopes.every((scope => cachedScopes.includes(scope)));
+        const newScopesAreIncluded = newScopes.every(scope => cachedScopes.includes(scope));
         return cachedScopes.length >= newScopes.length && newScopesAreIncluded ? cachedScope : authorizationParams.scope;
     }
     return authorizationParams.scope;
@@ -2246,11 +2248,11 @@ class DpopStorage {
     }
     createDbHandle() {
         const req = window.indexedDB.open(NAME, this.getVersion());
-        return new Promise(((resolve, reject) => {
-            req.onupgradeneeded = () => Object.values(TABLES).forEach((t => req.result.createObjectStore(t)));
+        return new Promise((resolve, reject) => {
+            req.onupgradeneeded = () => Object.values(TABLES).forEach(t => req.result.createObjectStore(t));
             req.onerror = () => reject(req.error);
             req.onsuccess = () => resolve(req.result);
-        }));
+        });
     }
     async getDbHandle() {
         if (!this.dbHandle) {
@@ -2263,10 +2265,10 @@ class DpopStorage {
         const txn = db.transaction(table, mode);
         const store = txn.objectStore(table);
         const request = requestFactory(store);
-        return new Promise(((resolve, reject) => {
+        return new Promise((resolve, reject) => {
             request.onsuccess = () => resolve(request.result);
             request.onerror = () => reject(request.error);
-        }));
+        });
     }
     buildKey(id) {
         const finalId = id ? "_".concat(id) : AUTH0_NONCE_ID;
@@ -2279,7 +2281,7 @@ class DpopStorage {
         return this.save(TABLES.KEYPAIR, this.buildKey(), keyPair);
     }
     async save(table, key, obj) {
-        return void await this.executeDbRequest(table, "readwrite", (table => table.put(obj, key)));
+        return void await this.executeDbRequest(table, "readwrite", table => table.put(obj, key));
     }
     findNonce(id) {
         return this.find(TABLES.NONCE, this.buildKey(id));
@@ -2288,14 +2290,14 @@ class DpopStorage {
         return this.find(TABLES.KEYPAIR, this.buildKey());
     }
     find(table, key) {
-        return this.executeDbRequest(table, "readonly", (table => table.get(key)));
+        return this.executeDbRequest(table, "readonly", table => table.get(key));
     }
     async deleteBy(table, predicate) {
-        const allKeys = await this.executeDbRequest(table, "readonly", (table => table.getAllKeys()));
-        allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map((k => this.executeDbRequest(table, "readwrite", (table => table.delete(k)))));
+        const allKeys = await this.executeDbRequest(table, "readonly", table => table.getAllKeys());
+        allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map(k => this.executeDbRequest(table, "readwrite", table => table.delete(k)));
     }
     deleteByClientId(table, clientId) {
-        return this.deleteBy(table, (k => typeof k === "string" && k.startsWith("".concat(clientId, "::"))));
+        return this.deleteBy(table, k => typeof k === "string" && k.startsWith("".concat(clientId, "::")));
     }
     clearNonces() {
         return this.deleteByClientId(TABLES.NONCE, this.clientId);
@@ -2625,9 +2627,9 @@ function ownKeys(e, r) {
     var t = Object.keys(e);
     if (Object.getOwnPropertySymbols) {
         var o = Object.getOwnPropertySymbols(e);
-        r && (o = o.filter((function(r) {
+        r && (o = o.filter(function(r) {
             return Object.getOwnPropertyDescriptor(e, r).enumerable;
-        }))), t.push.apply(t, o);
+        })), t.push.apply(t, o);
     }
     return t;
 }
@@ -2635,11 +2637,11 @@ function ownKeys(e, r) {
 function _objectSpread2(e) {
     for (var r = 1; r < arguments.length; r++) {
         var t = null != arguments[r] ? arguments[r] : {};
-        r % 2 ? ownKeys(Object(t), !0).forEach((function(r) {
+        r % 2 ? ownKeys(Object(t), !0).forEach(function(r) {
             _defineProperty(e, r, t[r]);
-        })) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach((function(r) {
+        }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function(r) {
             Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r));
-        }));
+        });
     }
     return e;
 }
@@ -2691,16 +2693,16 @@ function AsyncGenerator(e) {
     function resume(r, t) {
         try {
             var n = e[r](t), o = n.value, u = o instanceof _OverloadYield;
-            Promise.resolve(u ? o.v : o).then((function(t) {
+            Promise.resolve(u ? o.v : o).then(function(t) {
                 if (u) {
                     var i = "return" === r ? "return" : "next";
                     if (!o.k || t.done) return resume(i, t);
                     t = e[i](t).value;
                 }
                 settle(n.done ? "return" : "normal", t);
-            }), (function(e) {
+            }, function(e) {
                 resume("throw", e);
-            }));
+            });
         } catch (e) {
             settle("throw", e);
         }
@@ -2727,7 +2729,7 @@ function AsyncGenerator(e) {
         (r = r.next) ? resume(r.key, r.arg) : t = null;
     }
     this._invoke = function(e, n) {
-        return new Promise((function(o, u) {
+        return new Promise(function(o, u) {
             var i = {
                 key: e,
                 arg: n,
@@ -2736,7 +2738,7 @@ function AsyncGenerator(e) {
                 next: null
             };
             t ? t = t.next = i : (r = t = i, resume(e, n));
-        }));
+        });
     }, "function" != typeof e.return && (this.return = void 0);
 }
 
@@ -2756,7 +2758,7 @@ let USER_AGENT$2;
 
 if (typeof navigator === "undefined" || !((_navigator$userAgent$2 = navigator.userAgent) !== null && _navigator$userAgent$2 !== void 0 && (_navigator$userAgent$$2 = _navigator$userAgent$2.startsWith) !== null && _navigator$userAgent$$2 !== void 0 && _navigator$userAgent$$2.call(_navigator$userAgent$2, "Mozilla/5.0 "))) {
     const NAME = "oauth4webapi";
-    const VERSION = "v3.8.3";
+    const VERSION = "v3.8.5";
     USER_AGENT$2 = "".concat(NAME, "/").concat(VERSION);
 }
 
@@ -2986,7 +2988,7 @@ async function performDiscovery$1(input, urlName, transform, options) {
 }
 
 async function discoveryRequest(issuerIdentifier, options) {
-    return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url => {
+    return performDiscovery$1(issuerIdentifier, "issuerIdentifier", url => {
         switch (options === null || options === void 0 ? void 0 : options.algorithm) {
           case undefined:
           case "oidc":
@@ -3001,7 +3003,7 @@ async function discoveryRequest(issuerIdentifier, options) {
             throw CodedTypeError$1('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE$1);
         }
         return url;
-    }), options);
+    }, options);
 }
 
 function assertNumber(input, allow0, it, code, cause) {
@@ -4349,10 +4351,10 @@ function concat() {
     for (var _len = arguments.length, buffers = new Array(_len), _key = 0; _key < _len; _key++) {
         buffers[_key] = arguments[_key];
     }
-    const size = buffers.reduce(((acc, _ref) => {
+    const size = buffers.reduce((acc, _ref) => {
         let {length: length} = _ref;
         return acc + length;
-    }), 0);
+    }, 0);
     const buf = new Uint8Array(size);
     let i = 0;
     for (const buffer of buffers) {
@@ -4404,6 +4406,145 @@ function decode(input) {
     }
 }
 
+const unusable = function unusable(name) {
+    let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
+    return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
+};
+
+const isAlgorithm = (algorithm, name) => algorithm.name === name;
+
+function getHashLength(hash) {
+    return parseInt(hash.name.slice(4), 10);
+}
+
+function checkHashLength(algorithm, expected) {
+    const actual = getHashLength(algorithm.hash);
+    if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
+}
+
+function getNamedCurve(alg) {
+    switch (alg) {
+      case "ES256":
+        return "P-256";
+
+      case "ES384":
+        return "P-384";
+
+      case "ES512":
+        return "P-521";
+
+      default:
+        throw new Error("unreachable");
+    }
+}
+
+function checkUsage(key, usage) {
+    if (usage && !key.usages.includes(usage)) {
+        throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
+    }
+}
+
+function checkSigCryptoKey(key, alg, usage) {
+    switch (alg) {
+      case "HS256":
+      case "HS384":
+      case "HS512":
+        {
+            if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+
+      case "RS256":
+      case "RS384":
+      case "RS512":
+        {
+            if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+
+      case "PS256":
+      case "PS384":
+      case "PS512":
+        {
+            if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
+            break;
+        }
+
+      case "Ed25519":
+      case "EdDSA":
+        {
+            if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+            break;
+        }
+
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+        {
+            if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+            break;
+        }
+
+      case "ES256":
+      case "ES384":
+      case "ES512":
+        {
+            if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
+            const expected = getNamedCurve(alg);
+            const actual = key.algorithm.namedCurve;
+            if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
+            break;
+        }
+
+      default:
+        throw new TypeError("CryptoKey does not support this operation");
+    }
+    checkUsage(key, usage);
+}
+
+function message(msg, actual) {
+    for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
+        types[_key - 2] = arguments[_key];
+    }
+    types = types.filter(Boolean);
+    if (types.length > 2) {
+        const last = types.pop();
+        msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
+    } else if (types.length === 2) {
+        msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
+    } else {
+        msg += "of type ".concat(types[0], ".");
+    }
+    if (actual == null) {
+        msg += " Received ".concat(actual);
+    } else if (typeof actual === "function" && actual.name) {
+        msg += " Received function ".concat(actual.name);
+    } else if (typeof actual === "object" && actual != null) {
+        var _actual$constructor;
+        if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
+            msg += " Received an instance of ".concat(actual.constructor.name);
+        }
+    }
+    return msg;
+}
+
+const invalidKeyInput = function invalidKeyInput(actual) {
+    for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
+        types[_key2 - 1] = arguments[_key2];
+    }
+    return message("Key must be ", actual, ...types);
+};
+
+const withAlg = function withAlg(alg, actual) {
+    for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
+        types[_key3 - 2] = arguments[_key3];
+    }
+    return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
+};
+
 class JOSEError extends Error {
     constructor(message, options) {
         var _Error$captureStackTr;
@@ -4581,207 +4722,486 @@ class JWSSignatureVerificationFailed extends JOSEError {
 
 _defineProperty(JWSSignatureVerificationFailed, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
 
-const unusable = function unusable(name) {
-    let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
-    return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
+const isCryptoKey = key => {
+    if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
+    try {
+        return key instanceof CryptoKey;
+    } catch (_unused) {
+        return false;
+    }
 };
 
-const isAlgorithm = (algorithm, name) => algorithm.name === name;
-
-function getHashLength(hash) {
-    return parseInt(hash.name.slice(4), 10);
-}
+const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
 
-function getNamedCurve(alg) {
-    switch (alg) {
-      case "ES256":
-        return "P-256";
+const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
 
-      case "ES384":
-        return "P-384";
+function decodeBase64url(value, label, ErrorClass) {
+    try {
+        return decode(value);
+    } catch (_unused) {
+        throw new ErrorClass("Failed to base64url decode the ".concat(label));
+    }
+}
 
-      case "ES512":
-        return "P-521";
+const isObjectLike = value => typeof value === "object" && value !== null;
 
-      default:
-        throw new Error("unreachable");
+function isObject(input) {
+    if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
+        return false;
     }
+    if (Object.getPrototypeOf(input) === null) {
+        return true;
+    }
+    let proto = input;
+    while (Object.getPrototypeOf(proto) !== null) {
+        proto = Object.getPrototypeOf(proto);
+    }
+    return Object.getPrototypeOf(input) === proto;
 }
 
-function checkUsage(key, usage) {
-    if (usage && !key.usages.includes(usage)) {
-        throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
+function isDisjoint() {
+    for (var _len = arguments.length, headers = new Array(_len), _key = 0; _key < _len; _key++) {
+        headers[_key] = arguments[_key];
+    }
+    const sources = headers.filter(Boolean);
+    if (sources.length === 0 || sources.length === 1) {
+        return true;
+    }
+    let acc;
+    for (const header of sources) {
+        const parameters = Object.keys(header);
+        if (!acc || acc.size === 0) {
+            acc = new Set(parameters);
+            continue;
+        }
+        for (const parameter of parameters) {
+            if (acc.has(parameter)) {
+                return false;
+            }
+            acc.add(parameter);
+        }
+    }
+    return true;
+}
+
+const isJWK = key => isObject(key) && typeof key.kty === "string";
+
+const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+
+const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
+
+const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
+
+function checkKeyLength(alg, key) {
+    if (alg.startsWith("RS") || alg.startsWith("PS")) {
+        const {modulusLength: modulusLength} = key.algorithm;
+        if (typeof modulusLength !== "number" || modulusLength < 2048) {
+            throw new TypeError("".concat(alg, " requires key modulusLength to be 2048 bits or larger"));
+        }
     }
 }
 
-function checkSigCryptoKey(key, alg, usage) {
+function subtleAlgorithm(alg, algorithm) {
+    const hash = "SHA-".concat(alg.slice(-3));
     switch (alg) {
       case "HS256":
       case "HS384":
       case "HS512":
-        {
-            if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
-            break;
-        }
+        return {
+            hash: hash,
+            name: "HMAC"
+        };
+
+      case "PS256":
+      case "PS384":
+      case "PS512":
+        return {
+            hash: hash,
+            name: "RSA-PSS",
+            saltLength: parseInt(alg.slice(-3), 10) >> 3
+        };
 
       case "RS256":
       case "RS384":
       case "RS512":
-        {
-            if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
-            break;
+        return {
+            hash: hash,
+            name: "RSASSA-PKCS1-v1_5"
+        };
+
+      case "ES256":
+      case "ES384":
+      case "ES512":
+        return {
+            hash: hash,
+            name: "ECDSA",
+            namedCurve: algorithm.namedCurve
+        };
+
+      case "Ed25519":
+      case "EdDSA":
+        return {
+            name: "Ed25519"
+        };
+
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+        return {
+            name: alg
+        };
+
+      default:
+        throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
+    }
+}
+
+async function getSigKey(alg, key, usage) {
+    if (key instanceof Uint8Array) {
+        if (!alg.startsWith("HS")) {
+            throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
         }
+        return crypto.subtle.importKey("raw", key, {
+            hash: "SHA-".concat(alg.slice(-3)),
+            name: "HMAC"
+        }, false, [ usage ]);
+    }
+    checkSigCryptoKey(key, alg, usage);
+    return key;
+}
 
-      case "PS256":
-      case "PS384":
-      case "PS512":
+async function verify(alg, key, signature, data) {
+    const cryptoKey = await getSigKey(alg, key, "verify");
+    checkKeyLength(alg, cryptoKey);
+    const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+    try {
+        return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+    } catch (_unused) {
+        return false;
+    }
+}
+
+const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
+
+function subtleMapping(jwk) {
+    let algorithm;
+    let keyUsages;
+    switch (jwk.kty) {
+      case "AKP":
         {
-            if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
+            switch (jwk.alg) {
+              case "ML-DSA-44":
+              case "ML-DSA-65":
+              case "ML-DSA-87":
+                algorithm = {
+                    name: jwk.alg
+                };
+                keyUsages = jwk.priv ? [ "sign" ] : [ "verify" ];
+                break;
+
+              default:
+                throw new JOSENotSupported(unsupportedAlg);
+            }
             break;
         }
 
-      case "Ed25519":
-      case "EdDSA":
+      case "RSA":
         {
-            if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+            switch (jwk.alg) {
+              case "PS256":
+              case "PS384":
+              case "PS512":
+                algorithm = {
+                    name: "RSA-PSS",
+                    hash: "SHA-".concat(jwk.alg.slice(-3))
+                };
+                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
+                break;
+
+              case "RS256":
+              case "RS384":
+              case "RS512":
+                algorithm = {
+                    name: "RSASSA-PKCS1-v1_5",
+                    hash: "SHA-".concat(jwk.alg.slice(-3))
+                };
+                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
+                break;
+
+              case "RSA-OAEP":
+              case "RSA-OAEP-256":
+              case "RSA-OAEP-384":
+              case "RSA-OAEP-512":
+                algorithm = {
+                    name: "RSA-OAEP",
+                    hash: "SHA-".concat(parseInt(jwk.alg.slice(-3), 10) || 1)
+                };
+                keyUsages = jwk.d ? [ "decrypt", "unwrapKey" ] : [ "encrypt", "wrapKey" ];
+                break;
+
+              default:
+                throw new JOSENotSupported(unsupportedAlg);
+            }
             break;
         }
 
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87":
+      case "EC":
         {
-            if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+            switch (jwk.alg) {
+              case "ES256":
+              case "ES384":
+              case "ES512":
+                algorithm = {
+                    name: "ECDSA",
+                    namedCurve: {
+                        ES256: "P-256",
+                        ES384: "P-384",
+                        ES512: "P-521"
+                    }[jwk.alg]
+                };
+                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
+                break;
+
+              case "ECDH-ES":
+              case "ECDH-ES+A128KW":
+              case "ECDH-ES+A192KW":
+              case "ECDH-ES+A256KW":
+                algorithm = {
+                    name: "ECDH",
+                    namedCurve: jwk.crv
+                };
+                keyUsages = jwk.d ? [ "deriveBits" ] : [];
+                break;
+
+              default:
+                throw new JOSENotSupported(unsupportedAlg);
+            }
             break;
         }
 
-      case "ES256":
-      case "ES384":
-      case "ES512":
+      case "OKP":
         {
-            if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
-            const expected = getNamedCurve(alg);
-            const actual = key.algorithm.namedCurve;
-            if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
+            switch (jwk.alg) {
+              case "Ed25519":
+              case "EdDSA":
+                algorithm = {
+                    name: "Ed25519"
+                };
+                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
+                break;
+
+              case "ECDH-ES":
+              case "ECDH-ES+A128KW":
+              case "ECDH-ES+A192KW":
+              case "ECDH-ES+A256KW":
+                algorithm = {
+                    name: jwk.crv
+                };
+                keyUsages = jwk.d ? [ "deriveBits" ] : [];
+                break;
+
+              default:
+                throw new JOSENotSupported(unsupportedAlg);
+            }
             break;
         }
 
       default:
-        throw new TypeError("CryptoKey does not support this operation");
+        throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
     }
-    checkUsage(key, usage);
+    return {
+        algorithm: algorithm,
+        keyUsages: keyUsages
+    };
 }
 
-function message(msg, actual) {
-    for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
-        types[_key - 2] = arguments[_key];
-    }
-    types = types.filter(Boolean);
-    if (types.length > 2) {
-        const last = types.pop();
-        msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
-    } else if (types.length === 2) {
-        msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
-    } else {
-        msg += "of type ".concat(types[0], ".");
+async function jwkToKey(jwk) {
+    var _jwk$ext, _jwk$key_ops;
+    if (!jwk.alg) {
+        throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
     }
-    if (actual == null) {
-        msg += " Received ".concat(actual);
-    } else if (typeof actual === "function" && actual.name) {
-        msg += " Received function ".concat(actual.name);
-    } else if (typeof actual === "object" && actual != null) {
-        var _actual$constructor;
-        if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
-            msg += " Received an instance of ".concat(actual.constructor.name);
-        }
+    const {algorithm: algorithm, keyUsages: keyUsages} = subtleMapping(jwk);
+    const keyData = _objectSpread2({}, jwk);
+    if (keyData.kty !== "AKP") {
+        delete keyData.alg;
     }
-    return msg;
+    delete keyData.use;
+    return crypto.subtle.importKey("jwk", keyData, algorithm, (_jwk$ext = jwk.ext) !== null && _jwk$ext !== void 0 ? _jwk$ext : jwk.d || jwk.priv ? false : true, (_jwk$key_ops = jwk.key_ops) !== null && _jwk$key_ops !== void 0 ? _jwk$key_ops : keyUsages);
 }
 
-const invalidKeyInput = function invalidKeyInput(actual) {
-    for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
-        types[_key2 - 1] = arguments[_key2];
+const unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
+
+let cache;
+
+const handleJWK = async function handleJWK(key, jwk, alg) {
+    let freeze = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
+    cache || (cache = new WeakMap);
+    let cached = cache.get(key);
+    if (cached !== null && cached !== void 0 && cached[alg]) {
+        return cached[alg];
     }
-    return message("Key must be ", actual, ...types);
+    const cryptoKey = await jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
+        alg: alg
+    }));
+    if (freeze) Object.freeze(key);
+    if (!cached) {
+        cache.set(key, {
+            [alg]: cryptoKey
+        });
+    } else {
+        cached[alg] = cryptoKey;
+    }
+    return cryptoKey;
 };
 
-const withAlg = function withAlg(alg, actual) {
-    for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
-        types[_key3 - 2] = arguments[_key3];
+const handleKeyObject = (keyObject, alg) => {
+    cache || (cache = new WeakMap);
+    let cached = cache.get(keyObject);
+    if (cached !== null && cached !== void 0 && cached[alg]) {
+        return cached[alg];
     }
-    return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
-};
+    const isPublic = keyObject.type === "public";
+    const extractable = isPublic ? true : false;
+    let cryptoKey;
+    if (keyObject.asymmetricKeyType === "x25519") {
+        switch (alg) {
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            break;
 
-const isCryptoKey = key => {
-    if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
-    try {
-        return key instanceof CryptoKey;
-    } catch (_unused) {
-        return false;
+          default:
+            throw new TypeError(unusableForAlg);
+        }
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : [ "deriveBits" ]);
+    }
+    if (keyObject.asymmetricKeyType === "ed25519") {
+        if (alg !== "EdDSA" && alg !== "Ed25519") {
+            throw new TypeError(unusableForAlg);
+        }
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
+    }
+    switch (keyObject.asymmetricKeyType) {
+      case "ml-dsa-44":
+      case "ml-dsa-65":
+      case "ml-dsa-87":
+        {
+            if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+                throw new TypeError(unusableForAlg);
+            }
+            cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
+        }
+    }
+    if (keyObject.asymmetricKeyType === "rsa") {
+        let hash;
+        switch (alg) {
+          case "RSA-OAEP":
+            hash = "SHA-1";
+            break;
+
+          case "RS256":
+          case "PS256":
+          case "RSA-OAEP-256":
+            hash = "SHA-256";
+            break;
+
+          case "RS384":
+          case "PS384":
+          case "RSA-OAEP-384":
+            hash = "SHA-384";
+            break;
+
+          case "RS512":
+          case "PS512":
+          case "RSA-OAEP-512":
+            hash = "SHA-512";
+            break;
+
+          default:
+            throw new TypeError(unusableForAlg);
+        }
+        if (alg.startsWith("RSA-OAEP")) {
+            return keyObject.toCryptoKey({
+                name: "RSA-OAEP",
+                hash: hash
+            }, extractable, isPublic ? [ "encrypt" ] : [ "decrypt" ]);
+        }
+        cryptoKey = keyObject.toCryptoKey({
+            name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+            hash: hash
+        }, extractable, [ isPublic ? "verify" : "sign" ]);
+    }
+    if (keyObject.asymmetricKeyType === "ec") {
+        var _keyObject$asymmetric;
+        const nist = new Map([ [ "prime256v1", "P-256" ], [ "secp384r1", "P-384" ], [ "secp521r1", "P-521" ] ]);
+        const namedCurve = nist.get((_keyObject$asymmetric = keyObject.asymmetricKeyDetails) === null || _keyObject$asymmetric === void 0 ? void 0 : _keyObject$asymmetric.namedCurve);
+        if (!namedCurve) {
+            throw new TypeError(unusableForAlg);
+        }
+        const expectedCurve = {
+            ES256: "P-256",
+            ES384: "P-384",
+            ES512: "P-521"
+        };
+        if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
+            cryptoKey = keyObject.toCryptoKey({
+                name: "ECDSA",
+                namedCurve: namedCurve
+            }, extractable, [ isPublic ? "verify" : "sign" ]);
+        }
+        if (alg.startsWith("ECDH-ES")) {
+            cryptoKey = keyObject.toCryptoKey({
+                name: "ECDH",
+                namedCurve: namedCurve
+            }, extractable, isPublic ? [] : [ "deriveBits" ]);
+        }
+    }
+    if (!cryptoKey) {
+        throw new TypeError(unusableForAlg);
+    }
+    if (!cached) {
+        cache.set(keyObject, {
+            [alg]: cryptoKey
+        });
+    } else {
+        cached[alg] = cryptoKey;
     }
+    return cryptoKey;
 };
 
-const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
-
-const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
-
-function isDisjoint() {
-    for (var _len = arguments.length, headers = new Array(_len), _key = 0; _key < _len; _key++) {
-        headers[_key] = arguments[_key];
+async function normalizeKey(key, alg) {
+    if (key instanceof Uint8Array) {
+        return key;
     }
-    const sources = headers.filter(Boolean);
-    if (sources.length === 0 || sources.length === 1) {
-        return true;
+    if (isCryptoKey(key)) {
+        return key;
     }
-    let acc;
-    for (const header of sources) {
-        const parameters = Object.keys(header);
-        if (!acc || acc.size === 0) {
-            acc = new Set(parameters);
-            continue;
+    if (isKeyObject(key)) {
+        if (key.type === "secret") {
+            return key.export();
         }
-        for (const parameter of parameters) {
-            if (acc.has(parameter)) {
-                return false;
+        if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+            try {
+                return handleKeyObject(key, alg);
+            } catch (err) {
+                if (err instanceof TypeError) {
+                    throw err;
+                }
             }
-            acc.add(parameter);
         }
+        let jwk = key.export({
+            format: "jwk"
+        });
+        return handleJWK(key, jwk, alg);
     }
-    return true;
-}
-
-const isObjectLike = value => typeof value === "object" && value !== null;
-
-function isObject(input) {
-    if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
-        return false;
-    }
-    if (Object.getPrototypeOf(input) === null) {
-        return true;
-    }
-    let proto = input;
-    while (Object.getPrototypeOf(proto) !== null) {
-        proto = Object.getPrototypeOf(proto);
-    }
-    return Object.getPrototypeOf(input) === proto;
-}
-
-function checkKeyLength(alg, key) {
-    if (alg.startsWith("RS") || alg.startsWith("PS")) {
-        const {modulusLength: modulusLength} = key.algorithm;
-        if (typeof modulusLength !== "number" || modulusLength < 2048) {
-            throw new TypeError("".concat(alg, " requires key modulusLength to be 2048 bits or larger"));
+    if (isJWK(key)) {
+        if (key.k) {
+            return decode(key.k);
         }
+        return handleJWK(key, key, alg, true);
     }
+    throw new Error("unreachable");
 }
 
 const bytesEqual = (a, b) => {
@@ -4931,217 +5351,61 @@ const genericImport = async (keyFormat, keyData, alg, options) => {
       case "ECDH-ES+A128KW":
       case "ECDH-ES+A192KW":
       case "ECDH-ES+A256KW":
-        {
-            try {
-                const namedCurve = options.getNamedCurve(keyData);
-                algorithm = namedCurve === "X25519" ? {
-                    name: "X25519"
-                } : {
-                    name: "ECDH",
-                    namedCurve: namedCurve
-                };
-            } catch (cause) {
-                throw new JOSENotSupported("Invalid or unsupported key format");
-            }
-            keyUsages = isPublic ? [] : [ "deriveBits" ];
-            break;
-        }
-
-      case "Ed25519":
-      case "EdDSA":
-        algorithm = {
-            name: "Ed25519"
-        };
-        keyUsages = getSigUsages();
-        break;
-
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87":
-        algorithm = {
-            name: alg
-        };
-        keyUsages = getSigUsages();
-        break;
-
-      default:
-        throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
-    }
-    return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
-};
-
-const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
-
-const fromPKCS8 = (pem, alg, options) => {
-    var _alg$startsWith;
-    const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
-    let opts = options;
-    if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
-        opts || (opts = {});
-        opts.getNamedCurve = keyData => {
-            const state = createASN1State(keyData);
-            parsePKCS8Header(state);
-            return parseECAlgorithmIdentifier(state);
-        };
-    }
-    return genericImport("pkcs8", keyData, alg, opts);
-};
-
-function subtleMapping(jwk) {
-    let algorithm;
-    let keyUsages;
-    switch (jwk.kty) {
-      case "AKP":
-        {
-            switch (jwk.alg) {
-              case "ML-DSA-44":
-              case "ML-DSA-65":
-              case "ML-DSA-87":
-                algorithm = {
-                    name: jwk.alg
-                };
-                keyUsages = jwk.priv ? [ "sign" ] : [ "verify" ];
-                break;
-
-              default:
-                throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-            }
-            break;
-        }
-
-      case "RSA":
-        {
-            switch (jwk.alg) {
-              case "PS256":
-              case "PS384":
-              case "PS512":
-                algorithm = {
-                    name: "RSA-PSS",
-                    hash: "SHA-".concat(jwk.alg.slice(-3))
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "RS256":
-              case "RS384":
-              case "RS512":
-                algorithm = {
-                    name: "RSASSA-PKCS1-v1_5",
-                    hash: "SHA-".concat(jwk.alg.slice(-3))
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "RSA-OAEP":
-              case "RSA-OAEP-256":
-              case "RSA-OAEP-384":
-              case "RSA-OAEP-512":
-                algorithm = {
-                    name: "RSA-OAEP",
-                    hash: "SHA-".concat(parseInt(jwk.alg.slice(-3), 10) || 1)
-                };
-                keyUsages = jwk.d ? [ "decrypt", "unwrapKey" ] : [ "encrypt", "wrapKey" ];
-                break;
-
-              default:
-                throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-            }
-            break;
-        }
-
-      case "EC":
-        {
-            switch (jwk.alg) {
-              case "ES256":
-                algorithm = {
-                    name: "ECDSA",
-                    namedCurve: "P-256"
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "ES384":
-                algorithm = {
-                    name: "ECDSA",
-                    namedCurve: "P-384"
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "ES512":
-                algorithm = {
-                    name: "ECDSA",
-                    namedCurve: "P-521"
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "ECDH-ES":
-              case "ECDH-ES+A128KW":
-              case "ECDH-ES+A192KW":
-              case "ECDH-ES+A256KW":
-                algorithm = {
-                    name: "ECDH",
-                    namedCurve: jwk.crv
-                };
-                keyUsages = jwk.d ? [ "deriveBits" ] : [];
-                break;
-
-              default:
-                throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-            }
-            break;
-        }
-
-      case "OKP":
-        {
-            switch (jwk.alg) {
-              case "Ed25519":
-              case "EdDSA":
-                algorithm = {
-                    name: "Ed25519"
-                };
-                keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
-                break;
-
-              case "ECDH-ES":
-              case "ECDH-ES+A128KW":
-              case "ECDH-ES+A192KW":
-              case "ECDH-ES+A256KW":
-                algorithm = {
-                    name: jwk.crv
+        {
+            try {
+                const namedCurve = options.getNamedCurve(keyData);
+                algorithm = namedCurve === "X25519" ? {
+                    name: "X25519"
+                } : {
+                    name: "ECDH",
+                    namedCurve: namedCurve
                 };
-                keyUsages = jwk.d ? [ "deriveBits" ] : [];
-                break;
-
-              default:
-                throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+            } catch (cause) {
+                throw new JOSENotSupported("Invalid or unsupported key format");
             }
+            keyUsages = isPublic ? [] : [ "deriveBits" ];
             break;
         }
 
+      case "Ed25519":
+      case "EdDSA":
+        algorithm = {
+            name: "Ed25519"
+        };
+        keyUsages = getSigUsages();
+        break;
+
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+        algorithm = {
+            name: alg
+        };
+        keyUsages = getSigUsages();
+        break;
+
       default:
-        throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+        throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
     }
-    return {
-        algorithm: algorithm,
-        keyUsages: keyUsages
-    };
-}
+    return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
+};
 
-async function jwkToKey(jwk) {
-    var _jwk$ext, _jwk$key_ops;
-    if (!jwk.alg) {
-        throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-    }
-    const {algorithm: algorithm, keyUsages: keyUsages} = subtleMapping(jwk);
-    const keyData = _objectSpread2({}, jwk);
-    if (keyData.kty !== "AKP") {
-        delete keyData.alg;
+const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
+
+const fromPKCS8 = (pem, alg, options) => {
+    var _alg$startsWith;
+    const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+    let opts = options;
+    if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
+        opts || (opts = {});
+        opts.getNamedCurve = keyData => {
+            const state = createASN1State(keyData);
+            parsePKCS8Header(state);
+            return parseECAlgorithmIdentifier(state);
+        };
     }
-    delete keyData.use;
-    return crypto.subtle.importKey("jwk", keyData, algorithm, (_jwk$ext = jwk.ext) !== null && _jwk$ext !== void 0 ? _jwk$ext : jwk.d || jwk.priv ? false : true, (_jwk$key_ops = jwk.key_ops) !== null && _jwk$key_ops !== void 0 ? _jwk$key_ops : keyUsages);
-}
+    return genericImport("pkcs8", keyData, alg, opts);
+};
 
 async function importPKCS8(pkcs8, alg, options) {
     if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
@@ -5190,241 +5454,53 @@ async function importJWK(jwk, alg, options) {
       case "EC":
       case "OKP":
         return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
-            alg: alg,
-            ext: ext
-        }));
-
-      default:
-        throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
-    }
-}
-
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-    if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
-        throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
-    }
-    if (!protectedHeader || protectedHeader.crit === undefined) {
-        return new Set;
-    }
-    if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input => typeof input !== "string" || input.length === 0))) {
-        throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-    }
-    let recognized;
-    if (recognizedOption !== undefined) {
-        recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
-    } else {
-        recognized = recognizedDefault;
-    }
-    for (const parameter of protectedHeader.crit) {
-        if (!recognized.has(parameter)) {
-            throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
-        }
-        if (joseHeader[parameter] === undefined) {
-            throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
-        }
-        if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
-            throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
-        }
-    }
-    return new Set(protectedHeader.crit);
-}
-
-function validateAlgorithms(option, algorithms) {
-    if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s => typeof s !== "string")))) {
-        throw new TypeError('"'.concat(option, '" option must be an array of strings'));
-    }
-    if (!algorithms) {
-        return undefined;
-    }
-    return new Set(algorithms);
-}
-
-const isJWK = key => isObject(key) && typeof key.kty === "string";
-
-const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-
-const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-
-const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
-
-let cache;
-
-const handleJWK = async function handleJWK(key, jwk, alg) {
-    let freeze = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
-    cache || (cache = new WeakMap);
-    let cached = cache.get(key);
-    if (cached !== null && cached !== void 0 && cached[alg]) {
-        return cached[alg];
-    }
-    const cryptoKey = await jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
-        alg: alg
-    }));
-    if (freeze) Object.freeze(key);
-    if (!cached) {
-        cache.set(key, {
-            [alg]: cryptoKey
-        });
-    } else {
-        cached[alg] = cryptoKey;
-    }
-    return cryptoKey;
-};
-
-const handleKeyObject = (keyObject, alg) => {
-    cache || (cache = new WeakMap);
-    let cached = cache.get(keyObject);
-    if (cached !== null && cached !== void 0 && cached[alg]) {
-        return cached[alg];
-    }
-    const isPublic = keyObject.type === "public";
-    const extractable = isPublic ? true : false;
-    let cryptoKey;
-    if (keyObject.asymmetricKeyType === "x25519") {
-        switch (alg) {
-          case "ECDH-ES":
-          case "ECDH-ES+A128KW":
-          case "ECDH-ES+A192KW":
-          case "ECDH-ES+A256KW":
-            break;
-
-          default:
-            throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-        }
-        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : [ "deriveBits" ]);
-    }
-    if (keyObject.asymmetricKeyType === "ed25519") {
-        if (alg !== "EdDSA" && alg !== "Ed25519") {
-            throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-        }
-        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
-    }
-    switch (keyObject.asymmetricKeyType) {
-      case "ml-dsa-44":
-      case "ml-dsa-65":
-      case "ml-dsa-87":
-        {
-            if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-                throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-            }
-            cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
-        }
-    }
-    if (keyObject.asymmetricKeyType === "rsa") {
-        let hash;
-        switch (alg) {
-          case "RSA-OAEP":
-            hash = "SHA-1";
-            break;
-
-          case "RS256":
-          case "PS256":
-          case "RSA-OAEP-256":
-            hash = "SHA-256";
-            break;
-
-          case "RS384":
-          case "PS384":
-          case "RSA-OAEP-384":
-            hash = "SHA-384";
-            break;
-
-          case "RS512":
-          case "PS512":
-          case "RSA-OAEP-512":
-            hash = "SHA-512";
-            break;
-
-          default:
-            throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-        }
-        if (alg.startsWith("RSA-OAEP")) {
-            return keyObject.toCryptoKey({
-                name: "RSA-OAEP",
-                hash: hash
-            }, extractable, isPublic ? [ "encrypt" ] : [ "decrypt" ]);
-        }
-        cryptoKey = keyObject.toCryptoKey({
-            name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
-            hash: hash
-        }, extractable, [ isPublic ? "verify" : "sign" ]);
-    }
-    if (keyObject.asymmetricKeyType === "ec") {
-        var _keyObject$asymmetric;
-        const nist = new Map([ [ "prime256v1", "P-256" ], [ "secp384r1", "P-384" ], [ "secp521r1", "P-521" ] ]);
-        const namedCurve = nist.get((_keyObject$asymmetric = keyObject.asymmetricKeyDetails) === null || _keyObject$asymmetric === void 0 ? void 0 : _keyObject$asymmetric.namedCurve);
-        if (!namedCurve) {
-            throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-        }
-        if (alg === "ES256" && namedCurve === "P-256") {
-            cryptoKey = keyObject.toCryptoKey({
-                name: "ECDSA",
-                namedCurve: namedCurve
-            }, extractable, [ isPublic ? "verify" : "sign" ]);
-        }
-        if (alg === "ES384" && namedCurve === "P-384") {
-            cryptoKey = keyObject.toCryptoKey({
-                name: "ECDSA",
-                namedCurve: namedCurve
-            }, extractable, [ isPublic ? "verify" : "sign" ]);
-        }
-        if (alg === "ES512" && namedCurve === "P-521") {
-            cryptoKey = keyObject.toCryptoKey({
-                name: "ECDSA",
-                namedCurve: namedCurve
-            }, extractable, [ isPublic ? "verify" : "sign" ]);
-        }
-        if (alg.startsWith("ECDH-ES")) {
-            cryptoKey = keyObject.toCryptoKey({
-                name: "ECDH",
-                namedCurve: namedCurve
-            }, extractable, isPublic ? [] : [ "deriveBits" ]);
-        }
-    }
-    if (!cryptoKey) {
-        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    }
-    if (!cached) {
-        cache.set(keyObject, {
-            [alg]: cryptoKey
-        });
-    } else {
-        cached[alg] = cryptoKey;
+            alg: alg,
+            ext: ext
+        }));
+
+      default:
+        throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
     }
-    return cryptoKey;
-};
+}
 
-async function normalizeKey(key, alg) {
-    if (key instanceof Uint8Array) {
-        return key;
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+    if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
     }
-    if (isCryptoKey(key)) {
-        return key;
+    if (!protectedHeader || protectedHeader.crit === undefined) {
+        return new Set;
     }
-    if (isKeyObject(key)) {
-        if (key.type === "secret") {
-            return key.export();
+    if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some(input => typeof input !== "string" || input.length === 0)) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    }
+    let recognized;
+    if (recognizedOption !== undefined) {
+        recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
+    } else {
+        recognized = recognizedDefault;
+    }
+    for (const parameter of protectedHeader.crit) {
+        if (!recognized.has(parameter)) {
+            throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
         }
-        if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-            try {
-                return handleKeyObject(key, alg);
-            } catch (err) {
-                if (err instanceof TypeError) {
-                    throw err;
-                }
-            }
+        if (joseHeader[parameter] === undefined) {
+            throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
         }
-        let jwk = key.export({
-            format: "jwk"
-        });
-        return handleJWK(key, jwk, alg);
-    }
-    if (isJWK(key)) {
-        if (key.k) {
-            return decode(key.k);
+        if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+            throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
         }
-        return handleJWK(key, key, alg, true);
     }
-    throw new Error("unreachable");
+    return new Set(protectedHeader.crit);
+}
+
+function validateAlgorithms(option, algorithms) {
+    if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== "string"))) {
+        throw new TypeError('"'.concat(option, '" option must be an array of strings'));
+    }
+    if (!algorithms) {
+        return undefined;
+    }
+    return new Set(algorithms);
 }
 
 const tag = key => key === null || key === void 0 ? void 0 : key[Symbol.toStringTag];
@@ -5564,7 +5640,7 @@ let USER_AGENT$1;
 
 if (typeof navigator === "undefined" || !((_navigator$userAgent$1 = navigator.userAgent) !== null && _navigator$userAgent$1 !== void 0 && (_navigator$userAgent$$1 = _navigator$userAgent$1.startsWith) !== null && _navigator$userAgent$$1 !== void 0 && _navigator$userAgent$$1.call(_navigator$userAgent$1, "Mozilla/5.0 "))) {
     const NAME = "openid-client";
-    const VERSION = "v6.8.1";
+    const VERSION = "v6.8.2";
     USER_AGENT$1 = "".concat(NAME, "/").concat(VERSION);
     headers = {
         "user-agent": USER_AGENT$1
@@ -5776,7 +5852,7 @@ async function performDiscovery(server, options) {
         method: "GET",
         redirect: "manual",
         signal: signal
-    })).then((response => processDiscoveryResponse(_nodiscoverycheck, response))).catch(errorHandler);
+    })).then(response => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
     if (resolve && new URL(as.issuer).href !== server.href) {
         handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
             throw new ClientError("discovered metadata issuer does not match the expected issuer", {
@@ -5951,7 +6027,7 @@ async function handleRetryAfter(response, currentInterval, signal) {
 }
 
 function wait(duration, signal) {
-    return new Promise(((resolve, reject) => {
+    return new Promise((resolve, reject) => {
         const waitStep = remaining => {
             try {
                 signal.throwIfAborted();
@@ -5964,10 +6040,10 @@ function wait(duration, signal) {
                 return;
             }
             const currentWait = Math.min(remaining, 5);
-            setTimeout((() => waitStep(remaining - currentWait)), currentWait * 1e3);
+            setTimeout(() => waitStep(remaining - currentWait), currentWait * 1e3);
         };
         waitStep(duration);
-    }));
+    });
 }
 
 async function initiateBackchannelAuthentication(config, parameters) {
@@ -5978,7 +6054,7 @@ async function initiateBackchannelAuthentication(config, parameters) {
         [allowInsecureRequests$1]: !tlsOnly,
         headers: new Headers(headers),
         signal: signal(timeout)
-    }).then((response => processBackchannelAuthenticationResponse(as, c, response))).catch(errorHandler);
+    }).then(response => processBackchannelAuthenticationResponse(as, c, response)).catch(errorHandler);
 }
 
 async function pollBackchannelAuthenticationGrant(config, backchannelAuthenticationResponse, parameters, options) {
@@ -6305,7 +6381,7 @@ async function genericGrantRequest(config, grantType, parameters, options) {
         DPoP: options === null || options === void 0 ? void 0 : options.DPoP,
         headers: new Headers(headers),
         signal: signal(timeout)
-    }).then((response => {
+    }).then(response => {
         let recognizedTokenTypes;
         if (grantType === "urn:ietf:params:oauth:grant-type:token-exchange") {
             recognizedTokenTypes = {
@@ -6316,91 +6392,11 @@ async function genericGrantRequest(config, grantType, parameters, options) {
             [jweDecrypt]: decrypt,
             recognizedTokenTypes: recognizedTokenTypes
         });
-    })).catch(errorHandler);
+    }).catch(errorHandler);
     addHelpers(result);
     return result;
 }
 
-function subtleAlgorithm(alg, algorithm) {
-    const hash = "SHA-".concat(alg.slice(-3));
-    switch (alg) {
-      case "HS256":
-      case "HS384":
-      case "HS512":
-        return {
-            hash: hash,
-            name: "HMAC"
-        };
-
-      case "PS256":
-      case "PS384":
-      case "PS512":
-        return {
-            hash: hash,
-            name: "RSA-PSS",
-            saltLength: parseInt(alg.slice(-3), 10) >> 3
-        };
-
-      case "RS256":
-      case "RS384":
-      case "RS512":
-        return {
-            hash: hash,
-            name: "RSASSA-PKCS1-v1_5"
-        };
-
-      case "ES256":
-      case "ES384":
-      case "ES512":
-        return {
-            hash: hash,
-            name: "ECDSA",
-            namedCurve: algorithm.namedCurve
-        };
-
-      case "Ed25519":
-      case "EdDSA":
-        return {
-            name: "Ed25519"
-        };
-
-      case "ML-DSA-44":
-      case "ML-DSA-65":
-      case "ML-DSA-87":
-        return {
-            name: alg
-        };
-
-      default:
-        throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
-    }
-}
-
-async function getSigKey(alg, key, usage) {
-    if (key instanceof Uint8Array) {
-        if (!alg.startsWith("HS")) {
-            throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-        }
-        return crypto.subtle.importKey("raw", key, {
-            hash: "SHA-".concat(alg.slice(-3)),
-            name: "HMAC"
-        }, false, [ usage ]);
-    }
-    checkSigCryptoKey(key, alg, usage);
-    return key;
-}
-
-async function verify(alg, key, signature, data) {
-    const cryptoKey = await getSigKey(alg, key, "verify");
-    checkKeyLength(alg, cryptoKey);
-    const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-    try {
-        return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-    } catch (_unused) {
-        return false;
-    }
-}
-
 async function flattenedVerify(jws, key, options) {
     if (!isObject(jws)) {
         throw new JWSInvalid("Flattened JWS must be an object");
@@ -6463,12 +6459,7 @@ async function flattenedVerify(jws, key, options) {
     }
     checkKeyType(alg, key, "verify");
     const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-    let signature;
-    try {
-        signature = decode(jws.signature);
-    } catch (_unused2) {
-        throw new JWSInvalid("Failed to base64url decode the signature");
-    }
+    const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
     const k = await normalizeKey(key, alg);
     const verified = await verify(alg, k, signature, data);
     if (!verified) {
@@ -6476,11 +6467,7 @@ async function flattenedVerify(jws, key, options) {
     }
     let payload;
     if (b64) {
-        try {
-            payload = decode(jws.payload);
-        } catch (_unused3) {
-            throw new JWSInvalid("Failed to base64url decode the payload");
-        }
+        payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
     } else if (typeof jws.payload === "string") {
         payload = encoder.encode(jws.payload);
     } else {
@@ -6767,7 +6754,7 @@ class LocalJWKSet {
     async getKey(protectedHeader, token) {
         const {alg: alg, kid: kid} = _objectSpread2(_objectSpread2({}, protectedHeader), token === null || token === void 0 ? void 0 : token.header);
         const kty = getKtyFromAlg(alg);
-        const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter((jwk => {
+        const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter(jwk => {
             let candidate = kty === jwk.kty;
             if (candidate && typeof kid === "string") {
                 candidate = kid === jwk.kid;
@@ -6802,7 +6789,7 @@ class LocalJWKSet {
                 }
             }
             return candidate;
-        }));
+        });
         const {0: jwk, length: length} = candidates;
         if (length === 0) {
             throw new JWKSNoMatchingKey;
@@ -6810,13 +6797,13 @@ class LocalJWKSet {
         if (length !== 1) {
             const error = new JWKSMultipleMatchingKeys;
             const _cached = _classPrivateFieldGet2(_cached2, this);
-            error[Symbol.asyncIterator] = _wrapAsyncGenerator((function*() {
+            error[Symbol.asyncIterator] = _wrapAsyncGenerator(function*() {
                 for (const jwk of candidates) {
                     try {
                         yield yield _awaitAsyncGenerator(importWithAlgCache(_cached, jwk, alg));
                     } catch (_unused) {}
                 }
-            }));
+            });
             throw error;
         }
         return importWithAlgCache(_classPrivateFieldGet2(_cached2, this), jwk, alg);
@@ -6861,7 +6848,7 @@ let USER_AGENT;
 
 if (typeof navigator === "undefined" || !((_navigator$userAgent = navigator.userAgent) !== null && _navigator$userAgent !== void 0 && (_navigator$userAgent$ = _navigator$userAgent.startsWith) !== null && _navigator$userAgent$ !== void 0 && _navigator$userAgent$.call(_navigator$userAgent, "Mozilla/5.0 "))) {
     const NAME = "jose";
-    const VERSION = "v6.1.3";
+    const VERSION = "v6.2.1";
     USER_AGENT = "".concat(NAME, "/").concat(VERSION);
 }
 
@@ -6874,12 +6861,12 @@ async function fetchJwks(url, headers, signal) {
         signal: signal,
         redirect: "manual",
         headers: headers
-    }).catch((err => {
+    }).catch(err => {
         if (err.name === "TimeoutError") {
             throw new JWKSTimeout;
         }
         throw err;
-    }));
+    });
     if (response.status !== 200) {
         throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
     }
@@ -6994,7 +6981,7 @@ class RemoteJWKSet {
         if (_classPrivateFieldGet2(_pendingFetch, this) && isCloudflareWorkers()) {
             _classPrivateFieldSet2(_pendingFetch, this, undefined);
         }
-        _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then((json => {
+        _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then(json => {
             _classPrivateFieldSet2(_local, this, createLocalJWKSet(json));
             if (_classPrivateFieldGet2(_cache, this)) {
                 _classPrivateFieldGet2(_cache, this).uat = Date.now();
@@ -7002,10 +6989,10 @@ class RemoteJWKSet {
             }
             _classPrivateFieldSet2(_jwksTimestamp, this, Date.now());
             _classPrivateFieldSet2(_pendingFetch, this, undefined);
-        })).catch((err => {
+        }).catch(err => {
             _classPrivateFieldSet2(_pendingFetch, this, undefined);
             throw err;
-        })));
+        }));
         await _classPrivateFieldGet2(_pendingFetch, this);
     }
 }
@@ -7047,7 +7034,7 @@ function createRemoteJWKSet(url, options) {
 
 const _excluded = [ "mfaToken" ], _excluded2 = [ "mfaToken" ];
 
-var _baseUrl, _clientId, _customFetch, _configuration, _serverMetadata, _options, _jwks, _Class8_brand;
+var _baseUrl, _clientId, _customFetch, _entries, _ttlMs, _maxEntries, _configuration, _serverMetadata, _clientAuthPromise, _options, _customFetch2, _jwks, _discoveryCache, _inFlightDiscovery, _jwksCache, _Class9_brand;
 
 var NotSupportedError = class NotSupportedError extends Error {
     constructor(code, message) {
@@ -7153,12 +7140,12 @@ var MissingClientAuthError = class MissingClientAuthError extends Error {
 };
 
 function stripUndefinedProperties(value) {
-    return Object.entries(value).filter((_ref => {
+    return Object.entries(value).filter(_ref => {
         let [, value2] = _ref;
         return typeof value2 !== "undefined";
-    })).reduce(((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
+    }).reduce((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
         [curr[0]]: curr[1]
-    })), {});
+    }), {});
 }
 
 var MfaError$1 = class MfaError extends Error {
@@ -7230,7 +7217,9 @@ function transformEnrollmentResponse(api) {
             oobChannel: api.oob_channel,
             oobCode: api.oob_code,
             bindingMethod: api.binding_method,
-            id: api.id
+            id: api.id,
+            barcodeUri: api.barcode_uri,
+            recoveryCodes: api.recovery_codes
         };
     }
     throw new Error("Unexpected authenticator type: ".concat(api.authenticator_type));
@@ -7351,6 +7340,42 @@ class MfaClient {
     }
 });
 
+function createTelemetryFetch(baseFetch, config) {
+    if (config.enabled === false) {
+        return baseFetch;
+    }
+    const telemetryData = {
+        name: config.name,
+        version: config.version
+    };
+    const headerValue = btoa(JSON.stringify(telemetryData));
+    return async (input, init) => {
+        const headers = input instanceof Request ? new Headers(input.headers) : new Headers;
+        if (init !== null && init !== void 0 && init.headers) {
+            const initHeaders = new Headers(init.headers);
+            initHeaders.forEach((value, key) => {
+                headers.set(key, value);
+            });
+        }
+        headers.set("Auth0-Client", headerValue);
+        return baseFetch(input, _objectSpread2(_objectSpread2({}, init), {}, {
+            headers: headers
+        }));
+    };
+}
+
+function getTelemetryConfig(config) {
+    var _config$name, _config$version;
+    if ((config === null || config === void 0 ? void 0 : config.enabled) === false) {
+        return config;
+    }
+    return {
+        enabled: true,
+        name: (_config$name = config === null || config === void 0 ? void 0 : config.name) !== null && _config$name !== void 0 ? _config$name : "@auth0/auth0-auth-js",
+        version: (_config$version = config === null || config === void 0 ? void 0 : config.version) !== null && _config$version !== void 0 ? _config$version : "1.5.0"
+    };
+}
+
 var TokenResponse = class _TokenResponse {
     constructor(accessToken, expiresAt, idToken, refreshToken, scope, claims, authorizationDetails) {
         _defineProperty(this, "accessToken", void 0);
@@ -7379,6 +7404,81 @@ var TokenResponse = class _TokenResponse {
     }
 };
 
+var LruCache = (_entries = new WeakMap, _ttlMs = new WeakMap, _maxEntries = new WeakMap, 
+class LruCache {
+    constructor(maxEntries, ttlMs) {
+        _classPrivateFieldInitSpec(this, _entries, new Map);
+        _classPrivateFieldInitSpec(this, _ttlMs, void 0);
+        _classPrivateFieldInitSpec(this, _maxEntries, void 0);
+        _classPrivateFieldSet2(_maxEntries, this, Math.max(1, Math.floor(maxEntries)));
+        _classPrivateFieldSet2(_ttlMs, this, Math.max(0, Math.floor(ttlMs)));
+    }
+    get(key) {
+        const entry = _classPrivateFieldGet2(_entries, this).get(key);
+        if (!entry) {
+            return;
+        }
+        if (Date.now() >= entry.expiresAt) {
+            _classPrivateFieldGet2(_entries, this).delete(key);
+            return;
+        }
+        _classPrivateFieldGet2(_entries, this).delete(key);
+        _classPrivateFieldGet2(_entries, this).set(key, entry);
+        return entry.value;
+    }
+    set(key, value) {
+        if (_classPrivateFieldGet2(_entries, this).has(key)) {
+            _classPrivateFieldGet2(_entries, this).delete(key);
+        }
+        _classPrivateFieldGet2(_entries, this).set(key, {
+            value: value,
+            expiresAt: Date.now() + _classPrivateFieldGet2(_ttlMs, this)
+        });
+        while (_classPrivateFieldGet2(_entries, this).size > _classPrivateFieldGet2(_maxEntries, this)) {
+            const oldestKey = _classPrivateFieldGet2(_entries, this).keys().next().value;
+            if (oldestKey === void 0) {
+                break;
+            }
+            _classPrivateFieldGet2(_entries, this).delete(oldestKey);
+        }
+    }
+});
+
+var globalCaches = new Map;
+
+function getGlobalCache(key) {
+    return globalCaches.get(key);
+}
+
+function getGlobalCacheKey(maxEntries, ttlMs) {
+    return "".concat(maxEntries, ":").concat(ttlMs);
+}
+
+function resolveCacheConfig(options) {
+    const ttlSeconds = typeof (options === null || options === void 0 ? void 0 : options.ttl) === "number" ? options.ttl : 600;
+    const maxEntries = typeof (options === null || options === void 0 ? void 0 : options.maxEntries) === "number" && options.maxEntries > 0 ? options.maxEntries : 100;
+    const ttlMs = ttlSeconds * 1e3;
+    return {
+        ttlMs: ttlMs,
+        maxEntries: maxEntries
+    };
+}
+
+var DiscoveryCacheFactory = class {
+    static createDiscoveryCache(config) {
+        const cacheKey = getGlobalCacheKey(config.maxEntries, config.ttlMs);
+        let cache = getGlobalCache(cacheKey);
+        if (!cache) {
+            cache = new LruCache(config.maxEntries, config.ttlMs);
+            globalCaches.set(cacheKey, cache);
+        }
+        return cache;
+    }
+    static createJwksCache() {
+        return {};
+    }
+};
+
 var DEFAULT_SCOPES = "openid profile email offline_access";
 
 var MAX_ARRAY_VALUES_PER_KEY = 20;
@@ -7411,9 +7511,9 @@ function appendExtraParams(params, extra) {
             if (parameterValue.length > MAX_ARRAY_VALUES_PER_KEY) {
                 throw new TokenExchangeError("Parameter '".concat(parameterKey, "' exceeds maximum array size of ").concat(MAX_ARRAY_VALUES_PER_KEY));
             }
-            parameterValue.forEach((arrayItem => {
+            parameterValue.forEach(arrayItem => {
                 params.append(parameterKey, arrayItem);
-            }));
+            });
         } else {
             params.append(parameterKey, parameterValue);
         }
@@ -7430,39 +7530,58 @@ var SUBJECT_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";
 
 var REQUESTED_TOKEN_TYPE_FEDERATED_CONNECTION_ACCESS_TOKEN = "http://auth0.com/oauth/token-type/federated-connection-access-token";
 
-var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _options = new WeakMap, 
-_jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
+var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _clientAuthPromise = new WeakMap, 
+_options = new WeakMap, _customFetch2 = new WeakMap, _jwks = new WeakMap, _discoveryCache = new WeakMap, 
+_inFlightDiscovery = new WeakMap, _jwksCache = new WeakMap, _Class9_brand = new WeakSet, 
+class AuthClient {
     constructor(_options2) {
-        _classPrivateMethodInitSpec(this, _Class8_brand);
+        var _options2$customFetch;
+        _classPrivateMethodInitSpec(this, _Class9_brand);
         _classPrivateFieldInitSpec(this, _configuration, void 0);
         _classPrivateFieldInitSpec(this, _serverMetadata, void 0);
+        _classPrivateFieldInitSpec(this, _clientAuthPromise, void 0);
         _classPrivateFieldInitSpec(this, _options, void 0);
+        _classPrivateFieldInitSpec(this, _customFetch2, void 0);
         _classPrivateFieldInitSpec(this, _jwks, void 0);
+        _classPrivateFieldInitSpec(this, _discoveryCache, void 0);
+        _classPrivateFieldInitSpec(this, _inFlightDiscovery, void 0);
+        _classPrivateFieldInitSpec(this, _jwksCache, void 0);
         _defineProperty(this, "mfa", void 0);
         _classPrivateFieldSet2(_options, this, _options2);
         if (_options2.useMtls && !_options2.customFetch) {
             throw new NotSupportedError("mtls_without_custom_fetch_not_supported", "Using mTLS without a custom fetch implementation is not supported");
         }
+        _classPrivateFieldSet2(_customFetch2, this, createTelemetryFetch((_options2$customFetch = _options2.customFetch) !== null && _options2$customFetch !== void 0 ? _options2$customFetch : function() {
+            return fetch(...arguments);
+        }, getTelemetryConfig(_options2.telemetry)));
+        const cacheConfig = resolveCacheConfig(_options2.discoveryCache);
+        _classPrivateFieldSet2(_discoveryCache, this, DiscoveryCacheFactory.createDiscoveryCache(cacheConfig));
+        _classPrivateFieldSet2(_inFlightDiscovery, this, new Map);
+        _classPrivateFieldSet2(_jwksCache, this, DiscoveryCacheFactory.createJwksCache());
         this.mfa = new MfaClient({
             domain: _classPrivateFieldGet2(_options, this).domain,
             clientId: _classPrivateFieldGet2(_options, this).clientId,
-            customFetch: _classPrivateFieldGet2(_options, this).customFetch
+            customFetch: _classPrivateFieldGet2(_customFetch2, this)
         });
     }
+    async getServerMetadata() {
+        const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+        return serverMetadata;
+    }
     async buildAuthorizationUrl(options) {
-        const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         if (options !== null && options !== void 0 && options.pushedAuthorizationRequests && !serverMetadata.pushed_authorization_request_endpoint) {
             throw new NotSupportedError("par_not_supported_error", "The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");
         }
         try {
-            return await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, options);
+            return await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, options);
         } catch (e) {
             throw new BuildAuthorizationUrlError(e);
         }
     }
     async buildLinkUserUrl(options) {
         try {
-            const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
+            const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
                 authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
                     requested_connection: options.connection,
                     requested_connection_scope: options.connectionScope,
@@ -7480,7 +7599,7 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
     }
     async buildUnlinkUserUrl(options) {
         try {
-            const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
+            const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
                 authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
                     requested_connection: options.connection,
                     scope: "openid unlink_account",
@@ -7496,7 +7615,7 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         }
     }
     async backchannelAuthentication(options) {
-        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
         const params = new URLSearchParams(_objectSpread2(_objectSpread2({
             scope: DEFAULT_SCOPES
@@ -7524,7 +7643,7 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         }
     }
     async initiateBackchannelAuthentication(options) {
-        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
         const params = new URLSearchParams(_objectSpread2(_objectSpread2({
             scope: DEFAULT_SCOPES
@@ -7556,7 +7675,7 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
     }
     async backchannelAuthenticationGrant(_ref2) {
         let {authReqId: authReqId} = _ref2;
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         const params = new URLSearchParams({
             auth_req_id: authReqId
         });
@@ -7591,10 +7710,10 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         }
     }
     async exchangeToken(options) {
-        return "connection" in options ? _assertClassBrand(_Class8_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class8_brand, this, _exchangeProfileToken).call(this, options);
+        return "connection" in options ? _assertClassBrand(_Class9_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class9_brand, this, _exchangeProfileToken).call(this, options);
     }
     async getTokenByCode(url, options) {
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         try {
             const tokenEndpointResponse = await authorizationCodeGrant(configuration, url, {
                 pkceCodeVerifier: options.codeVerifier
@@ -7605,16 +7724,23 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         }
     }
     async getTokenByRefreshToken(options) {
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+        const additionalParameters = new URLSearchParams;
+        if (options.audience) {
+            additionalParameters.append("audience", options.audience);
+        }
+        if (options.scope) {
+            additionalParameters.append("scope", options.scope);
+        }
         try {
-            const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken);
+            const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken, additionalParameters);
             return TokenResponse.fromTokenEndpointResponse(tokenEndpointResponse);
         } catch (e) {
             throw new TokenByRefreshTokenError("The access token has expired and there was an error while trying to refresh it.", e);
         }
     }
     async getTokenByClientCredentials(options) {
-        const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         try {
             const params = new URLSearchParams({
                 audience: options.audience
@@ -7629,7 +7755,7 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         }
     }
     async buildLogoutUrl(options) {
-        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+        const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
         if (!serverMetadata.end_session_endpoint) {
             const url = new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain, "/v2/logout"));
             url.searchParams.set("returnTo", options.returnTo);
@@ -7641,9 +7767,13 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
         });
     }
     async verifyLogoutToken(options) {
-        const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
-        _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(serverMetadata.jwks_uri), {
-            [customFetch]: _classPrivateFieldGet2(_options, this).customFetch
+        const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
+        const cacheConfig = resolveCacheConfig(_classPrivateFieldGet2(_options, this).discoveryCache);
+        const jwksUri = serverMetadata.jwks_uri;
+        _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(jwksUri), {
+            cacheMaxAge: cacheConfig.ttlMs,
+            [customFetch]: _classPrivateFieldGet2(_customFetch2, this),
+            [jwksCache]: _classPrivateFieldGet2(_jwksCache, this)
         }));
         const {payload: payload} = await jwtVerify(options.logoutToken, _classPrivateFieldGet2(_jwks, this), {
             issuer: serverMetadata.issuer,
@@ -7682,6 +7812,18 @@ _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
     }
 });
 
+function _getDiscoveryCacheKey() {
+    const domain = _classPrivateFieldGet2(_options, this).domain.toLowerCase();
+    return "".concat(domain, "|mtls:").concat(_classPrivateFieldGet2(_options, this).useMtls ? "1" : "0");
+}
+
+async function _createConfiguration(serverMetadata) {
+    const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
+    const configuration = new Configuration(serverMetadata, _classPrivateFieldGet2(_options, this).clientId, _classPrivateFieldGet2(_options, this).clientSecret, clientAuth);
+    configuration[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
+    return configuration;
+}
+
 async function _discover() {
     if (_classPrivateFieldGet2(_configuration, this) && _classPrivateFieldGet2(_serverMetadata, this)) {
         return {
@@ -7689,14 +7831,58 @@ async function _discover() {
             serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
         };
     }
-    const clientAuth = await _assertClassBrand(_Class8_brand, this, _getClientAuth).call(this);
-    _classPrivateFieldSet2(_configuration, this, await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
-        use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
-    }, clientAuth, {
-        [customFetch$1]: _classPrivateFieldGet2(_options, this).customFetch
-    }));
-    _classPrivateFieldSet2(_serverMetadata, this, _classPrivateFieldGet2(_configuration, this).serverMetadata());
-    _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_options, this).customFetch || fetch;
+    const cacheKey = _assertClassBrand(_Class9_brand, this, _getDiscoveryCacheKey).call(this);
+    const cached = _classPrivateFieldGet2(_discoveryCache, this).get(cacheKey);
+    if (cached) {
+        _classPrivateFieldSet2(_serverMetadata, this, cached.serverMetadata);
+        _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, cached.serverMetadata));
+        return {
+            configuration: _classPrivateFieldGet2(_configuration, this),
+            serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
+        };
+    }
+    const inFlight = _classPrivateFieldGet2(_inFlightDiscovery, this).get(cacheKey);
+    if (inFlight) {
+        const entry = await inFlight;
+        _classPrivateFieldSet2(_serverMetadata, this, entry.serverMetadata);
+        _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, entry.serverMetadata));
+        return {
+            configuration: _classPrivateFieldGet2(_configuration, this),
+            serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
+        };
+    }
+    const discoveryPromise = (async () => {
+        const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
+        const configuration = await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
+            use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
+        }, clientAuth, {
+            [customFetch$1]: _classPrivateFieldGet2(_customFetch2, this)
+        });
+        const serverMetadata = configuration.serverMetadata();
+        _classPrivateFieldGet2(_discoveryCache, this).set(cacheKey, {
+            serverMetadata: serverMetadata
+        });
+        return {
+            configuration: configuration,
+            serverMetadata: serverMetadata
+        };
+    })();
+    const inFlightEntry = discoveryPromise.then(_ref3 => {
+        let {serverMetadata: serverMetadata} = _ref3;
+        return {
+            serverMetadata: serverMetadata
+        };
+    });
+    void inFlightEntry.catch(() => void 0);
+    _classPrivateFieldGet2(_inFlightDiscovery, this).set(cacheKey, inFlightEntry);
+    try {
+        const {configuration: configuration, serverMetadata: serverMetadata} = await discoveryPromise;
+        _classPrivateFieldSet2(_configuration, this, configuration);
+        _classPrivateFieldSet2(_serverMetadata, this, serverMetadata);
+        _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
+    } finally {
+        _classPrivateFieldGet2(_inFlightDiscovery, this).delete(cacheKey);
+    }
     return {
         configuration: _classPrivateFieldGet2(_configuration, this),
         serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
@@ -7705,7 +7891,7 @@ async function _discover() {
 
 async function _exchangeTokenVaultToken(options) {
     var _options$subjectToken, _options$requestedTok;
-    const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+    const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
     if ("audience" in options || "resource" in options) {
         throw new TokenExchangeError("audience and resource parameters are not supported for Token Vault exchanges");
     }
@@ -7732,7 +7918,7 @@ async function _exchangeTokenVaultToken(options) {
 }
 
 async function _exchangeProfileToken(options) {
-    const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+    const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
     validateSubjectToken(options.subjectToken);
     const tokenRequestParams = new URLSearchParams({
         subject_token_type: options.subjectTokenType,
@@ -7760,21 +7946,29 @@ async function _exchangeProfileToken(options) {
 }
 
 async function _getClientAuth() {
-    if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
-        throw new MissingClientAuthError;
-    }
-    if (_classPrivateFieldGet2(_options, this).useMtls) {
-        return TlsClientAuth();
-    }
-    let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
-    if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
-        clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
+    if (!_classPrivateFieldGet2(_clientAuthPromise, this)) {
+        _classPrivateFieldSet2(_clientAuthPromise, this, (async () => {
+            if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
+                throw new MissingClientAuthError;
+            }
+            if (_classPrivateFieldGet2(_options, this).useMtls) {
+                return TlsClientAuth();
+            }
+            let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
+            if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
+                clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
+            }
+            return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
+        })().catch(error => {
+            _classPrivateFieldSet2(_clientAuthPromise, this, void 0);
+            throw error;
+        }));
     }
-    return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
+    return _classPrivateFieldGet2(_clientAuthPromise, this);
 }
 
 async function _buildAuthorizationUrl(options) {
-    const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
+    const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
     const codeChallengeMethod = "S256";
     const codeVerifier = randomPKCECodeVerifier();
     const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
@@ -7899,15 +8093,15 @@ class MfaApiClient {
         if (!((_a = context === null || context === void 0 ? void 0 : context.mfaRequirements) === null || _a === void 0 ? void 0 : _a.challenge) || context.mfaRequirements.challenge.length === 0) {
             throw new MfaListAuthenticatorsError("invalid_request", "challengeType is required and must contain at least one challenge type, please check mfa_required error payload");
         }
-        const challengeTypes = context.mfaRequirements.challenge.map((c => c.type));
+        const challengeTypes = context.mfaRequirements.challenge.map(c => c.type);
         try {
             const allAuthenticators = await this.authJsMfaClient.listAuthenticators({
                 mfaToken: mfaToken
             });
-            return allAuthenticators.filter((auth => {
+            return allAuthenticators.filter(auth => {
                 if (!auth.type) return false;
                 return challengeTypes.includes(auth.type);
-            }));
+            });
         } catch (error) {
             if (error instanceof MfaListAuthenticatorsError$1) {
                 throw new MfaListAuthenticatorsError((_b = error.cause) === null || _b === void 0 ? void 0 : _b.error, error.message);
@@ -8273,7 +8467,7 @@ class Auth0Client {
                 scope: scopesToRequest(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, ((_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience) || this.options.authorizationParams.audience)
             })
         });
-        const result = await singlePromise((() => this._getTokenSilently(localOptions)), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
+        const result = await singlePromise(() => this._getTokenSilently(localOptions), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
         return options.detailedResponse ? result : result === null || result === void 0 ? void 0 : result.access_token;
     }
     async _getTokenSilently(options) {
@@ -8294,7 +8488,7 @@ class Auth0Client {
         }
         const lockKey = buildGetTokenSilentlyLockKey(this.options.clientId, getTokenOptions.authorizationParams.audience || "default");
         try {
-            return await this.lockManager.runWithLock(lockKey, 5e3, (async () => {
+            return await this.lockManager.runWithLock(lockKey, 5e3, async () => {
                 if (cacheMode !== "off") {
                     const entry = await this._getEntryFromCache({
                         scope: getTokenOptions.authorizationParams.scope,
@@ -8316,7 +8510,7 @@ class Auth0Client {
                 } : null), {
                     expires_in: expires_in
                 });
-            }));
+            });
         } catch (error) {
             if (this._isInteractiveError(error) && this.options.interactiveErrorHandler === "popup") {
                 return await this._handleInteractiveErrorWithPopup(getTokenOptions);
@@ -8325,7 +8519,10 @@ class Auth0Client {
         }
     }
     _isInteractiveError(error) {
-        return error instanceof MfaRequiredError;
+        return error instanceof MfaRequiredError || error instanceof GenericError && this._isIframeMfaError(error);
+    }
+    _isIframeMfaError(error) {
+        return error.error === "login_required" && error.error_description === MFA_STEP_UP_ERROR_DESCRIPTION;
     }
     async _handleInteractiveErrorWithPopup(options) {
         try {
@@ -8407,7 +8604,7 @@ class Auth0Client {
     async _getTokenFromIFrame(options) {
         const iframeLockKey = buildIframeLockKey(this.options.clientId);
         try {
-            return await this.lockManager.runWithLock(iframeLockKey, 5e3, (async () => {
+            return await this.lockManager.runWithLock(iframeLockKey, 5e3, async () => {
                 const params = Object.assign(Object.assign({}, options.authorizationParams), {
                     prompt: "none"
                 });
@@ -8447,12 +8644,15 @@ class Auth0Client {
                     oauthTokenScope: tokenResult.scope,
                     audience: audience
                 });
-            }));
+            });
         } catch (e) {
             if (e.error === "login_required") {
-                this.logout({
-                    openUrl: false
-                });
+                const shouldSkipLogoutForMfaStepUp = e instanceof GenericError && this._isIframeMfaError(e) && this.options.interactiveErrorHandler === "popup";
+                if (!shouldSkipLogoutForMfaStepUp) {
+                    this.logout({
+                        openUrl: false
+                    });
+                }
             }
             throw e;
         }