@auth0/auth0-spa-js 2.18.3 → 2.19.1

package/dist/auth0-spa-js.production.esm.js

@@ -1,2 +1,2 @@
-function e(e,t){this.v=e,this.k=t}function t(e,t,n){if("function"==typeof e?e===t:e.has(t))return arguments.length<3?t:n;throw new TypeError("Private element is not present on this object")}function n(t){return new e(t,0)}function o(e,t){if(t.has(e))throw new TypeError("Cannot initialize the same private elements twice on an object")}function r(e,n){return e.get(t(e,n))}function i(e,t,n){o(e,t),t.set(e,n)}function a(e,n,o){return e.set(t(e,n),o),o}function s(e,t,n){return(t=function(e){var t=function(e,t){if("object"!=typeof e||!e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var o=n.call(e,t||"default");if("object"!=typeof o)return o;throw new TypeError("@@toPrimitive must return a primitive value.")}return("string"===t?String:Number)(e)}(e,"string");return"symbol"==typeof t?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function c(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter(function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable})),n.push.apply(n,o)}return n}function u(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?c(Object(n),!0).forEach(function(t){s(e,t,n[t])}):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):c(Object(n)).forEach(function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))})}return e}function l(e,t){if(null==e)return{};var n,o,r=function(e,t){if(null==e)return{};var n={};for(var o in e)if({}.hasOwnProperty.call(e,o)){if(-1!==t.indexOf(o))continue;n[o]=e[o]}return n}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(o=0;o<i.length;o++)n=i[o],-1===t.indexOf(n)&&{}.propertyIsEnumerable.call(e,n)&&(r[n]=e[n])}return r}function d(e){return function(){return new h(e.apply(this,arguments))}}function h(t){var n,o;function r(n,o){try{var a=t[n](o),s=a.value,c=s instanceof e;Promise.resolve(c?s.v:s).then(function(e){if(c){var o="return"===n&&s.k?n:"next";if(!s.k||e.done)return r(o,e);e=t[o](e).value}i(!!a.done,e)},function(e){r("throw",e)})}catch(e){i(2,e)}}function i(e,t){2===e?n.reject(t):n.resolve({value:t,done:e}),(n=n.next)?r(n.key,n.arg):o=null}this._invoke=function(e,t){return new Promise(function(i,a){var s={key:e,arg:t,resolve:i,reject:a,next:null};o?o=o.next=s:(n=o=s,r(e,t))})},"function"!=typeof t.return&&(this.return=void 0)}h.prototype["function"==typeof Symbol&&Symbol.asyncIterator||"@@asyncIterator"]=function(){return this},h.prototype.next=function(e){return this._invoke("next",e)},h.prototype.throw=function(e){return this._invoke("throw",e)},h.prototype.return=function(e){return this._invoke("return",e)};const p={timeoutInSeconds:60},f="memory",m={name:"auth0-spa-js",version:"2.18.3"},y=()=>Date.now(),w="default";class g extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,g.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new g(t,n)}}class v extends g{constructor(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:null;super(e,t),this.state=n,this.appState=o,Object.setPrototypeOf(this,v.prototype)}}class b extends g{constructor(e,t,n,o){let r=arguments.length>4&&void 0!==arguments[4]?arguments[4]:null;super(e,t),this.connection=n,this.state=o,this.appState=r,Object.setPrototypeOf(this,b.prototype)}}class _ extends g{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,_.prototype)}}class k extends _{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,k.prototype)}}class S extends g{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,S.prototype)}}class T extends g{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,T.prototype)}}class E extends g{constructor(e,t,n,o){super(e,t),this.mfa_token=n,this.mfa_requirements=o,Object.setPrototypeOf(this,E.prototype)}}class P extends g{constructor(e,t){super("missing_refresh_token","Missing Refresh Token (audience: '".concat(x(e,["default"]),"', scope: '").concat(x(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,P.prototype)}}class A extends g{constructor(e,t){super("missing_scopes","Missing requested scopes after refresh (audience: '".concat(x(e,["default"]),"', missing scope: '").concat(x(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,A.prototype)}}class I extends g{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,I.prototype)}}function x(e){return e&&!(arguments.length>1&&void 0!==arguments[1]?arguments[1]:[]).includes(e)?e:""}const R=["clientId"],C=()=>window.crypto,O=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";for(;t.length<43;){const n=C().getRandomValues(new Uint8Array(43-t.length));for(const o of n)t.length<43&&o<198&&(t+=e[o%66])}return t},W=e=>btoa(e),K=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],U=function(e){let t=arguments.length>1&&void 0!==arguments[1]&&arguments[1];return Object.keys(e).reduce((n,o)=>{if(t&&"env"===o)return n;const r=K.find(e=>e.key===o);return r&&r.type.includes(typeof e[o])&&(n[o]=e[o]),n},{})},D=e=>{let{clientId:t}=e,n=l(e,R);return new URLSearchParams((e=>Object.keys(e).filter(t=>void 0!==e[t]).reduce((t,n)=>u(u({},t),{},{[n]:e[n]}),{}))(u({client_id:t},n))).toString()},H=async e=>{const t=C().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},L=e=>(e=>decodeURIComponent(atob(e).split("").map(e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2)).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),j=e=>{const t=new Uint8Array(e);return(e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,e=>t[e])})(window.btoa(String.fromCharCode(...Array.from(t))))};var M="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},N={},z={};Object.defineProperty(z,"__esModule",{value:!0});var J=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,n){var o=e.locked.get(t);void 0===o?void 0===n?e.locked.set(t,[]):e.locked.set(t,[n]):void 0!==n&&(o.unshift(n),e.locked.set(t,o))},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise(function(n,o){e.isLocked(t)?e.addToLocked(t,n):(e.addToLocked(t),n())})},this.unlock=function(t){var n=e.locked.get(t);if(void 0!==n&&0!==n.length){var o=n.pop();e.locked.set(t,n),void 0!==o&&setTimeout(o,0)}else e.locked.delete(t)}}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();z.default=function(){return J.getInstance()};var Z=M&&M.__awaiter||function(e,t,n,o){return new(n||(n=Promise))(function(r,i){function a(e){try{c(o.next(e))}catch(e){i(e)}}function s(e){try{c(o.throw(e))}catch(e){i(e)}}function c(e){e.done?r(e.value):new n(function(t){t(e.value)}).then(a,s)}c((o=o.apply(e,t||[])).next())})},V=M&&M.__generator||function(e,t){var n,o,r,i,a={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function s(i){return function(s){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;a;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return a.label++,{value:i[1],done:!1};case 5:a.label++,o=i[1],i=[0];continue;case 7:i=a.ops.pop(),a.trys.pop();continue;default:if(!(r=a.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){a=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){a.label=i[1];break}if(6===i[0]&&a.label<r[1]){a.label=r[1],r=i;break}if(r&&a.label<r[2]){a.label=r[2],a.ops.push(i);break}r[2]&&a.ops.pop(),a.trys.pop();continue}i=t.call(e,a)}catch(e){i=[6,e],o=0}finally{n=r=0}if(5&i[0])throw i[1];return{value:i[0]?i[1]:void 0,done:!0}}([i,s])}}},X=M;Object.defineProperty(N,"__esModule",{value:!0});var G=z,F="browser-tabs-lock-key",Y={key:function(e){return Z(X,void 0,void 0,function(){return V(this,function(e){throw new Error("Unsupported")})})},getItem:function(e){return Z(X,void 0,void 0,function(){return V(this,function(e){throw new Error("Unsupported")})})},clear:function(){return Z(X,void 0,void 0,function(){return V(this,function(e){return[2,window.localStorage.clear()]})})},removeItem:function(e){return Z(X,void 0,void 0,function(){return V(this,function(e){throw new Error("Unsupported")})})},setItem:function(e,t){return Z(X,void 0,void 0,function(){return V(this,function(e){throw new Error("Unsupported")})})},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function q(e){return new Promise(function(t){return setTimeout(t,e)})}function B(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",n="",o=0;o<e;o++){n+=t[Math.floor(61*Math.random())]}return n}var Q=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+B(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[])}return e.prototype.acquireLock=function(t,n){return void 0===n&&(n=5e3),Z(this,void 0,void 0,function(){var o,r,i,a,s,c,u;return V(this,function(l){switch(l.label){case 0:o=Date.now()+B(4),r=Date.now()+n,i=F+"-"+t,a=void 0===this.storageHandler?Y:this.storageHandler,l.label=1;case 1:return Date.now()<r?[4,q(30)]:[3,8];case 2:return l.sent(),null!==a.getItemSync(i)?[3,5]:(s=this.id+"-"+t+"-"+o,[4,q(Math.floor(25*Math.random()))]);case 3:return l.sent(),a.setItemSync(i,JSON.stringify({id:this.id,iat:o,timeoutKey:s,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,q(30)];case 4:return l.sent(),null!==(c=a.getItemSync(i))&&(u=JSON.parse(c)).id===this.id&&u.iat===o?(this.acquiredIatSet.add(o),this.refreshLockWhileAcquired(i,o),[2,!0]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?Y:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:l.sent(),l.label=7;case 7:return o=Date.now()+B(4),[3,1];case 8:return[2,!1]}})})},e.prototype.refreshLockWhileAcquired=function(e,t){return Z(this,void 0,void 0,function(){var n=this;return V(this,function(o){return setTimeout(function(){return Z(n,void 0,void 0,function(){var n,o,r;return V(this,function(i){switch(i.label){case 0:return[4,G.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(n=void 0===this.storageHandler?Y:this.storageHandler,null===(o=n.getItemSync(e))?(G.default().unlock(t),[2]):((r=JSON.parse(o)).timeRefreshed=Date.now(),n.setItemSync(e,JSON.stringify(r)),G.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(G.default().unlock(t),[2])}})})},1e3),[2]})})},e.prototype.waitForSomethingToChange=function(t){return Z(this,void 0,void 0,function(){return V(this,function(n){switch(n.label){case 0:return[4,new Promise(function(n){var o=!1,r=Date.now(),i=!1;function a(){if(i||(window.removeEventListener("storage",a),e.removeFromWaiting(a),clearTimeout(s),i=!0),!o){o=!0;var t=50-(Date.now()-r);t>0?setTimeout(n,t):n(null)}}window.addEventListener("storage",a),e.addToWaiting(a);var s=setTimeout(a,Math.max(0,t-Date.now()))})];case 1:return n.sent(),[2]}})})},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t)},e.removeFromWaiting=function(t){void 0!==e.waiters&&(e.waiters=e.waiters.filter(function(e){return e!==t}))},e.notifyWaiters=function(){void 0!==e.waiters&&e.waiters.slice().forEach(function(e){return e()})},e.prototype.releaseLock=function(e){return Z(this,void 0,void 0,function(){return V(this,function(t){switch(t.label){case 0:return[4,this.releaseLock__private__(e)];case 1:return[2,t.sent()]}})})},e.prototype.releaseLock__private__=function(t){return Z(this,void 0,void 0,function(){var n,o,r,i;return V(this,function(a){switch(a.label){case 0:return n=void 0===this.storageHandler?Y:this.storageHandler,o=F+"-"+t,null===(r=n.getItemSync(o))?[2]:(i=JSON.parse(r)).id!==this.id?[3,2]:[4,G.default().lock(i.iat)];case 1:a.sent(),this.acquiredIatSet.delete(i.iat),n.removeItemSync(o),G.default().unlock(i.iat),e.notifyWaiters(),a.label=2;case 2:return[2]}})})},e.lockCorrector=function(t){for(var n=Date.now()-5e3,o=t,r=[],i=0;;){var a=o.keySync(i);if(null===a)break;r.push(a),i++}for(var s=!1,c=0;c<r.length;c++){var u=r[c];if(u.includes(F)){var l=o.getItemSync(u);if(null!==l){var d=JSON.parse(l);(void 0===d.timeRefreshed&&d.timeAcquired<n||void 0!==d.timeRefreshed&&d.timeRefreshed<n)&&(o.removeItemSync(u),s=!0)}}}s&&e.notifyWaiters()},e.waiters=void 0,e}(),$=N.default=Q;class ee{async runWithLock(e,t,n){const o=new AbortController,r=setTimeout(()=>o.abort(),t);try{return await navigator.locks.request(e,{mode:"exclusive",signal:o.signal},async e=>{if(clearTimeout(r),!e)throw new Error("Lock not available");return await n()})}catch(e){if(clearTimeout(r),"AbortError"===(null==e?void 0:e.name))throw new _;throw e}}}class te{constructor(){s(this,"lock",void 0),s(this,"activeLocks",new Set),s(this,"pagehideHandler",void 0),this.lock=new $,this.pagehideHandler=()=>{this.activeLocks.forEach(e=>this.lock.releaseLock(e)),this.activeLocks.clear()}}async runWithLock(e,t,n){let o=!1;for(let n=0;n<10&&!o;n++)o=await this.lock.acquireLock(e,t);if(!o)throw new _;this.activeLocks.add(e),1===this.activeLocks.size&&"undefined"!=typeof window&&window.addEventListener("pagehide",this.pagehideHandler);try{return await n()}finally{this.activeLocks.delete(e),await this.lock.releaseLock(e),0===this.activeLocks.size&&"undefined"!=typeof window&&window.removeEventListener("pagehide",this.pagehideHandler)}}}function ne(){return"undefined"!=typeof navigator&&"function"==typeof(null===(e=navigator.locks)||void 0===e?void 0:e.request)?new ee:new te;var e}let oe=null;const re=new TextEncoder,ie=new TextDecoder;function ae(e){return"string"==typeof e?re.encode(e):ie.decode(e)}function se(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new he(`${e.name} modulusLength must be at least 2048 bits`)}async function ce(e,t,n){if(!1===n.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const o=`${le(ae(JSON.stringify(e)))}.${le(ae(JSON.stringify(t)))}`;return`${o}.${le(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:"SHA-256"};case"RSA-PSS":return se(e.algorithm),{name:e.algorithm.name,saltLength:32};case"RSASSA-PKCS1-v1_5":return se(e.algorithm),{name:e.algorithm.name};case"Ed25519":return{name:e.algorithm.name}}throw new de}(n),n,ae(o)))}`}let ue;if(Uint8Array.prototype.toBase64)ue=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;ue=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function le(e){return ue(e)}class de extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}class he extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}function pe(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return"PS256";throw new de("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return"RS256";throw new de("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return"ES256";throw new de("unsupported EcKeyAlgorithm namedCurve")}(e);case"Ed25519":return"Ed25519";default:throw new de("unsupported CryptoKey algorithm name")}}function fe(e){return e instanceof CryptoKey}function me(e){return fe(e)&&"public"===e.type}async function ye(e,t,n,o,r,i){const a=null==e?void 0:e.privateKey,s=null==e?void 0:e.publicKey;if(!fe(c=a)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!me(s))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(!0!==s.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof n)throw new TypeError('"htm" must be a string');if(void 0!==o&&"string"!=typeof o)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==r&&"string"!=typeof r)throw new TypeError('"accessToken" must be a string or undefined');if(void 0!==i&&("object"!=typeof i||null===i||Array.isArray(i)))throw new TypeError('"additional" must be an object');return ce({alg:pe(a),typ:"dpop+jwt",jwk:await we(s)},Object.assign(Object.assign({},i),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:n,nonce:o,htu:t,ath:r?le(await crypto.subtle.digest("SHA-256",ae(r))):void 0}),a)}async function we(e){const{kty:t,e:n,n:o,x:r,y:i,crv:a}=await crypto.subtle.exportKey("jwk",e);return{kty:t,crv:a,e:n,n:o,x:r,y:i}}const ge="dpop-nonce",ve=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange","http://auth0.com/oauth/grant-type/mfa-oob","http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-recovery-code"];function be(){return async function(e,t){var n;let o;if("string"!=typeof e||0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case"PS256":o={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"RS256":o={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"ES256":o={name:"ECDSA",namedCurve:"P-256"};break;case"Ed25519":o={name:"Ed25519"};break;default:throw new de}return crypto.subtle.generateKey(o,null!==(n=null==t?void 0:t.extractable)&&void 0!==n&&n,["sign","verify"])}("ES256",{extractable:!1})}function _e(e){return async function(e){if(!me(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(!0!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await we(e);let n;switch(t.kty){case"EC":n={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":n={crv:t.crv,kty:t.kty,x:t.x};break;case"RSA":n={e:t.e,kty:t.kty,n:t.n};break;default:throw new de("unsupported JWK kty")}return le(await crypto.subtle.digest({name:"SHA-256"},ae(JSON.stringify(n))))}(e.publicKey)}function ke(e){let{keyPair:t,url:n,method:o,nonce:r,accessToken:i}=e;const a=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(n);return ye(t,a,o,r,i)}const Se=["error","error_description"],Te=async(e,t)=>{const n=await fetch(e,t);return{ok:n.ok,json:await n.json(),headers:(o=n.headers,[...o].reduce((e,t)=>{let[n,o]=t;return e[n]=o,e},{}))};var o},Ee=async(e,t,n)=>{const o=new AbortController;let r;return t.signal=o.signal,Promise.race([Te(e,t),new Promise((e,t)=>{r=setTimeout(()=>{o.abort(),t(new Error("Timeout when executing 'fetch'"))},n)})]).finally(()=>{clearTimeout(r)})},Pe=async(e,t,n,o,r,i,a,s)=>((e,t)=>new Promise(function(n,o){const r=new MessageChannel;r.port1.onmessage=function(e){e.data.error?o(new Error(e.data.error)):n(e.data),r.port1.close()},t.postMessage(e,[r.port2])}))({auth:{audience:t,scope:n},timeout:r,fetchUrl:e,fetchOptions:o,useFormData:a,useMrrt:s},i),Ae=async function(e,t,n,o,r,i){let a=arguments.length>6&&void 0!==arguments[6]?arguments[6]:1e4;return r?Pe(e,t,n,o,a,r,i,arguments.length>7?arguments[7]:void 0):Ee(e,o,a)};async function Ie(e,t,n,o,r,i,a,s,c,d){if(c){const t=await c.generateProof({url:e,method:r.method||"GET",nonce:await c.getNonce()});r.headers=u(u({},r.headers),{},{dpop:t})}let h,p=null;for(let c=0;c<3;c++)try{h=await Ae(e,n,o,r,i,a,t,s),p=null;break}catch(e){p=e}if(p)throw p;const{json:{error:f,error_description:m},headers:y,ok:w}=h,v=l(h.json,Se);let b;if(c&&(b=y[ge],b&&await c.setNonce(b)),!w){const u=m||"HTTP error. Unable to fetch ".concat(e);if("mfa_required"===f)throw new E(f,u,v.mfa_token,v.mfa_requirements);if("missing_refresh_token"===f)throw new P(n,o);if("use_dpop_nonce"===f){if(!c||!b||d)throw new I(b);return Ie(e,t,n,o,r,i,a,s,c,!0)}throw new g(f||"request_error",u)}return v}const xe=["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"];async function Re(e,t){let{baseUrl:n,timeout:o,audience:r,scope:i,auth0Client:a,useFormData:s,useMrrt:c,dpop:d}=e,h=l(e,xe);const p="urn:ietf:params:oauth:grant-type:token-exchange"===h.grant_type,f="refresh_token"===h.grant_type&&c,y=u(u(u(u({},h),p&&r&&{audience:r}),p&&i&&{scope:i}),f&&{audience:r,scope:i}),g=s?D(y):JSON.stringify(y),v=(b=h.grant_type,ve.includes(b));var b;return await Ie("".concat(n,"/oauth/token"),o,r||w,i,{method:"POST",body:g,headers:{"Content-Type":s?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(U(a||m)))}},t,s,c,v?d:void 0)}const Ce=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return(o=t.filter(Boolean).join(" ").trim().split(/\s+/),Array.from(new Set(o))).join(" ");var o},Oe=(e,t,n)=>{let o;return n&&(o=e[n]),o||(o=e[w]),Ce(o,t)},We="@@auth0spajs@@",Ke="@@user@@";class Ue{constructor(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:We,n=arguments.length>2?arguments[2]:void 0;this.prefix=t,this.suffix=n,s(this,"clientId",void 0),s(this,"scope",void 0),s(this,"audience",void 0),this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience}toKey(){return[this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,n,o,r]=e.split("::");return new Ue({clientId:n,scope:r,audience:o},t)}static fromCacheEntry(e){const{scope:t,audience:n,client_id:o}=e;return new Ue({scope:t,audience:n,clientId:o})}}class De{set(e,t){localStorage.setItem(e,JSON.stringify(t))}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e)}allKeys(){return Object.keys(window.localStorage).filter(e=>e.startsWith(We))}}class He{constructor(){s(this,"enclosedCache",function(){let e={};return{set(t,n){e[t]=n},get(t){const n=e[t];if(n)return n},remove(t){delete e[t]},allKeys:()=>Object.keys(e)}}())}}class Le{constructor(e,t,n){this.cache=e,this.keyManifest=t,s(this,"nowProvider",void 0),this.nowProvider=n||y}async setIdToken(e,t,n){var o;const r=this.getIdTokenCacheKey(e);await this.cache.set(r,{id_token:t,decodedToken:n}),await(null===(o=this.keyManifest)||void 0===o?void 0:o.add(r))}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return{id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return{id_token:t.id_token,decodedToken:t.decodedToken}}async get(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:0,n=arguments.length>2&&void 0!==arguments[2]&&arguments[2],o=arguments.length>3?arguments[3]:void 0,r=await this.cache.get(e.toKey());if(!r){const t=await this.getCacheKeys();if(!t)return;const i=this.matchExistingCacheKey(e,t);if(i&&(r=await this.cache.get(i)),!r&&n&&"cache-only"!==o)return this.getEntryWithRefreshToken(e,t)}if(!r)return;const i=await this.nowProvider(),a=Math.floor(i/1e3);var s;return r.expiresAt-t<a?r.body.refresh_token?this.modifiedCachedEntry(r,e):(await this.cache.remove(e.toKey()),void await(null===(s=this.keyManifest)||void 0===s?void 0:s.remove(e.toKey()))):r.body}async modifiedCachedEntry(e,t){return e.body={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},await this.cache.set(t.toKey(),e),{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}async set(e){var t;const n=new Ue({clientId:e.client_id,scope:e.scope,audience:e.audience}),o=await this.wrapCacheEntry(e);await this.cache.set(n.toKey(),o),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(n.toKey()))}async remove(e,t,n){const o=new Ue({clientId:e,scope:n,audience:t});await this.cache.remove(o.toKey())}async clear(e){var t;const n=await this.getCacheKeys();n&&(await n.filter(t=>!e||t.includes(e)).reduce(async(e,t)=>{await e,await this.cache.remove(t)},Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()))}async wrapCacheEntry(e){const t=await this.nowProvider();return{body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new Ue({clientId:e},We,Ke).toKey()}matchExistingCacheKey(e,t){return t.filter(t=>{var n;const o=Ue.fromKey(t),r=new Set(o.scope&&o.scope.split(" ")),i=(null===(n=e.scope)||void 0===n?void 0:n.split(" "))||[],a=o.scope&&i.reduce((e,t)=>e&&r.has(t),!0);return o.prefix===We&&o.clientId===e.clientId&&o.audience===e.audience&&a})[0]}async getEntryWithRefreshToken(e,t){for(const o of t){const t=Ue.fromKey(o);if(t.prefix===We&&t.clientId===e.clientId){var n;const t=await this.cache.get(o);if(null!=t&&null!==(n=t.body)&&void 0!==n&&n.refresh_token)return this.modifiedCachedEntry(t,e)}}}async updateEntry(e,t){const n=await this.getCacheKeys();if(n)for(const r of n){var o;const n=await this.cache.get(r);(null==n||null===(o=n.body)||void 0===o?void 0:o.refresh_token)===e&&(n.body.refresh_token=t,await this.cache.set(r,n))}}}class je{constructor(e,t,n){this.storage=e,this.clientId=t,this.cookieDomain=n,s(this,"storageKey",void 0),this.storageKey="".concat("a0.spajs.txs",".").concat(this.clientId)}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain})}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain})}}const Me=e=>"number"==typeof e,Ne=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],ze=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[n,o,r]=t;if(3!==t.length||!n||!o||!r)throw new Error("ID token could not be decoded");const i=JSON.parse(L(o)),a={__raw:e},s={};return Object.keys(i).forEach(e=>{a[e]=i[e],Ne.includes(e)||(s[e]=i[e])}),{encoded:{header:n,payload:o,signature:r},header:JSON.parse(L(n)),claims:a,user:s}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(e.iss,'", found "').concat(t.claims.iss,'"'));if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error('Signature algorithm of "'.concat(t.header.alg,'" is not supported. Expected the ID token to be signed with "RS256".'));if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but was not one of "').concat(t.claims.aud.join(", "),'"'));if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(e.aud,'", found "').concat(t.claims.azp,'"'))}}else if(t.claims.aud!==e.aud)throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but found "').concat(t.claims.aud,'"'));if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(e.nonce,'", found "').concat(t.claims.nonce,'"'))}if(e.max_age&&!Me(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!Me(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!Me(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const n=e.leeway||60,o=new Date(e.now||Date.now()),r=new Date(0);if(r.setUTCSeconds(t.claims.exp+n),o>r)throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o,") is after expiration time (").concat(r,")"));if(null!=t.claims.nbf&&Me(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-n),o<e)throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o,") is before ").concat(e))}if(null!=t.claims.auth_time&&Me(t.claims.auth_time)){const r=new Date(0);if(r.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+n),o>r)throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o,") is after last auth at ").concat(r))}if(e.organization){const n=e.organization.trim();if(n.startsWith("org_")){const e=n;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_id,'"'))}else{const e=n.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_name,'"'))}}return t};var Je=M&&M.__assign||function(){return Je=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},Je.apply(this,arguments)};function Ze(e,t){if(!t)return"";var n="; "+e;return!0===t?n:n+"="+t}function Ve(e,t,n){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t}return Ze("Expires",e.expires?e.expires.toUTCString():"")+Ze("Domain",e.domain)+Ze("Path",e.path)+Ze("Secure",e.secure)+Ze("SameSite",e.sameSite)}(n)}function Xe(){return function(e){for(var t={},n=e?e.split("; "):[],o=/(%[\dA-F]{2})+/gi,r=0;r<n.length;r++){var i=n[r].split("="),a=i.slice(1).join("=");'"'===a.charAt(0)&&(a=a.slice(1,-1));try{t[i[0].replace(o,decodeURIComponent)]=a.replace(o,decodeURIComponent)}catch(e){}}return t}(document.cookie)}var Ge=function(e){return Xe()[e]};function Fe(e,t,n){document.cookie=Ve(e,t,Je({path:"/"},n))}var Ye=Fe;var qe=function(e,t){Fe(e,"",Je(Je({},t),{expires:-1}))};const Be={get(e){const t=Ge(e);if(void 0!==t)return JSON.parse(t)},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0,sameSite:"none"}),null!=n&&n.daysUntilExpire&&(o.expires=n.daysUntilExpire),null!=n&&n.cookieDomain&&(o.domain=n.cookieDomain),Ye(e,JSON.stringify(t),o)},remove(e,t){let n={};null!=t&&t.cookieDomain&&(n.domain=t.cookieDomain),qe(e,n)}},Qe="_legacy_",$e={get(e){const t=Be.get(e);return t||Be.get("".concat(Qe).concat(e))},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0}),null!=n&&n.daysUntilExpire&&(o.expires=n.daysUntilExpire),null!=n&&n.cookieDomain&&(o.domain=n.cookieDomain),Ye("".concat(Qe).concat(e),JSON.stringify(t),o),Be.save(e,t,n)},remove(e,t){let n={};null!=t&&t.cookieDomain&&(n.domain=t.cookieDomain),qe(e,n),Be.remove(e,t),Be.remove("".concat(Qe).concat(e),t)}},et={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t))},remove(e){sessionStorage.removeItem(e)}};let tt=function(e){return e.Code="code",e.ConnectCode="connect_code",e}({});class nt{constructor(){s(this,"name",void 0),s(this,"given_name",void 0),s(this,"family_name",void 0),s(this,"middle_name",void 0),s(this,"nickname",void 0),s(this,"preferred_username",void 0),s(this,"profile",void 0),s(this,"picture",void 0),s(this,"website",void 0),s(this,"email",void 0),s(this,"email_verified",void 0),s(this,"gender",void 0),s(this,"birthdate",void 0),s(this,"zoneinfo",void 0),s(this,"locale",void 0),s(this,"phone_number",void 0),s(this,"phone_number_verified",void 0),s(this,"address",void 0),s(this,"updated_at",void 0),s(this,"sub",void 0)}}function ot(e,t,n){var o=void 0===t?null:t,r=function(e,t){var n=atob(e);if(t){for(var o=new Uint8Array(n.length),r=0,i=n.length;r<i;++r)o[r]=n.charCodeAt(r);return String.fromCharCode.apply(null,new Uint16Array(o.buffer))}return n}(e,void 0!==n&&n),i=r.indexOf("\n",10)+1,a=r.substring(i)+(o?"//# sourceMappingURL="+o:""),s=new Blob([a],{type:"application/javascript"});return URL.createObjectURL(s)}var rt,it,at,st,ct=(rt="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7ZnVuY3Rpb24gZShlLHIsdCl7cmV0dXJuKHI9ZnVuY3Rpb24oZSl7dmFyIHI9ZnVuY3Rpb24oZSxyKXtpZigib2JqZWN0IiE9dHlwZW9mIGV8fCFlKXJldHVybiBlO3ZhciB0PWVbU3ltYm9sLnRvUHJpbWl0aXZlXTtpZih2b2lkIDAhPT10KXt2YXIgbj10LmNhbGwoZSxyfHwiZGVmYXVsdCIpO2lmKCJvYmplY3QiIT10eXBlb2YgbilyZXR1cm4gbjt0aHJvdyBuZXcgVHlwZUVycm9yKCJAQHRvUHJpbWl0aXZlIG11c3QgcmV0dXJuIGEgcHJpbWl0aXZlIHZhbHVlLiIpfXJldHVybigic3RyaW5nIj09PXI/U3RyaW5nOk51bWJlcikoZSl9KGUsInN0cmluZyIpO3JldHVybiJzeW1ib2wiPT10eXBlb2Ygcj9yOnIrIiJ9KHIpKWluIGU/T2JqZWN0LmRlZmluZVByb3BlcnR5KGUscix7dmFsdWU6dCxlbnVtZXJhYmxlOiEwLGNvbmZpZ3VyYWJsZTohMCx3cml0YWJsZTohMH0pOmVbcl09dCxlfWZ1bmN0aW9uIHIoZSxyKXt2YXIgdD1PYmplY3Qua2V5cyhlKTtpZihPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbj1PYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKGUpO3ImJihuPW4uZmlsdGVyKGZ1bmN0aW9uKHIpe3JldHVybiBPYmplY3QuZ2V0T3duUHJvcGVydHlEZXNjcmlwdG9yKGUscikuZW51bWVyYWJsZX0pKSx0LnB1c2guYXBwbHkodCxuKX1yZXR1cm4gdH1mdW5jdGlvbiB0KHQpe2Zvcih2YXIgbj0xO248YXJndW1lbnRzLmxlbmd0aDtuKyspe3ZhciBvPW51bGwhPWFyZ3VtZW50c1tuXT9hcmd1bWVudHNbbl06e307biUyP3IoT2JqZWN0KG8pLCEwKS5mb3JFYWNoKGZ1bmN0aW9uKHIpe2UodCxyLG9bcl0pfSk6T2JqZWN0LmdldE93blByb3BlcnR5RGVzY3JpcHRvcnM/T2JqZWN0LmRlZmluZVByb3BlcnRpZXModCxPYmplY3QuZ2V0T3duUHJvcGVydHlEZXNjcmlwdG9ycyhvKSk6cihPYmplY3QobykpLmZvckVhY2goZnVuY3Rpb24oZSl7T2JqZWN0LmRlZmluZVByb3BlcnR5KHQsZSxPYmplY3QuZ2V0T3duUHJvcGVydHlEZXNjcmlwdG9yKG8sZSkpfSl9cmV0dXJuIHR9Y2xhc3MgbiBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKGUscil7c3VwZXIociksdGhpcy5lcnJvcj1lLHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxuLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKGUpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnR9PWU7cmV0dXJuIG5ldyBuKHIsdCl9fWNsYXNzIG8gZXh0ZW5kcyBue2NvbnN0cnVjdG9yKGUscil7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChzKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChzKHIpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1yLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLG8ucHJvdG90eXBlKX19ZnVuY3Rpb24gcyhlKXtyZXR1cm4gZSYmIShhcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W10pLmluY2x1ZGVzKGUpP2U6IiJ9Y29uc3QgaT1bImNsaWVudElkIl0sYz1lPT57bGV0e2NsaWVudElkOnJ9PWUsbj1mdW5jdGlvbihlLHIpe2lmKG51bGw9PWUpcmV0dXJue307dmFyIHQsbixvPWZ1bmN0aW9uKGUscil7aWYobnVsbD09ZSlyZXR1cm57fTt2YXIgdD17fTtmb3IodmFyIG4gaW4gZSlpZih7fS5oYXNPd25Qcm9wZXJ0eS5jYWxsKGUsbikpe2lmKC0xIT09ci5pbmRleE9mKG4pKWNvbnRpbnVlO3Rbbl09ZVtuXX1yZXR1cm4gdH0oZSxyKTtpZihPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgcz1PYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKGUpO2ZvcihuPTA7bjxzLmxlbmd0aDtuKyspdD1zW25dLC0xPT09ci5pbmRleE9mKHQpJiZ7fS5wcm9wZXJ0eUlzRW51bWVyYWJsZS5jYWxsKGUsdCkmJihvW3RdPWVbdF0pfXJldHVybiBvfShlLGkpO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIocj0+dm9pZCAwIT09ZVtyXSkucmVkdWNlKChyLG4pPT50KHQoe30scikse30se1tuXTplW25dfSkse30pKSh0KHtjbGllbnRfaWQ6cn0sbikpKS50b1N0cmluZygpfTtsZXQgYT17fSxsPW51bGw7Y29uc3QgdT0oZSxyKT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQociksZj1hc3luYyBlPT57bGV0IHIsbix7ZGF0YTp7dGltZW91dDpzLGF1dGg6aSxmZXRjaFVybDpsLGZldGNoT3B0aW9uczpmLHVzZUZvcm1EYXRhOnAsdXNlTXJydDpofSxwb3J0czpbZF19PWUseT17fTtjb25zdHthdWRpZW5jZTpiLHNjb3BlOk99PWl8fHt9O3RyeXtjb25zdCBlPXA/KGU9Pntjb25zdCByPW5ldyBVUkxTZWFyY2hQYXJhbXMoZSksdD17fTtyZXR1cm4gci5mb3JFYWNoKChlLHIpPT57dFtyXT1lfSksdH0pKGYuYm9keSk6SlNPTi5wYXJzZShmLmJvZHkpO2lmKCFlLnJlZnJlc2hfdG9rZW4mJiJyZWZyZXNoX3Rva2VuIj09PWUuZ3JhbnRfdHlwZSl7aWYobj0oKGUscik9PmFbdShlLHIpXSkoYixPKSwhbiYmaCl7Y29uc3QgZT1hLmxhdGVzdF9yZWZyZXNoX3Rva2VuLHI9KChlLHIpPT57Y29uc3QgdD1PYmplY3Qua2V5cyhhKS5maW5kKHQ9PntpZigibGF0ZXN0X3JlZnJlc2hfdG9rZW4iIT09dCl7Y29uc3Qgbj0oKGUscik9PnIuc3RhcnRzV2l0aCgiIi5jb25jYXQoZSwifCIpKSkocix0KSxvPXQuc3BsaXQoInwiKVsxXS5zcGxpdCgiICIpLHM9ZS5zcGxpdCgiICIpLmV2ZXJ5KGU9Pm8uaW5jbHVkZXMoZSkpO3JldHVybiBuJiZzfX0pO3JldHVybiEhdH0pKE8sYik7ZSYmIXImJihuPWUpfWlmKCFuKXRocm93IG5ldyBvKGIsTyk7Zi5ib2R5PXA/Yyh0KHQoe30sZSkse30se3JlZnJlc2hfdG9rZW46bn0pKTpKU09OLnN0cmluZ2lmeSh0KHQoe30sZSkse30se3JlZnJlc2hfdG9rZW46bn0pKX1sZXQgaSx2OyJmdW5jdGlvbiI9PXR5cGVvZiBBYm9ydENvbnRyb2xsZXImJihpPW5ldyBBYm9ydENvbnRyb2xsZXIsZi5zaWduYWw9aS5zaWduYWwpO3RyeXt2PWF3YWl0IFByb21pc2UucmFjZShbKGo9cyxuZXcgUHJvbWlzZShlPT5zZXRUaW1lb3V0KGUsaikpKSxmZXRjaChsLHQoe30sZikpXSl9Y2F0Y2goZSl7cmV0dXJuIHZvaWQgZC5wb3N0TWVzc2FnZSh7ZXJyb3I6ZS5tZXNzYWdlfSl9aWYoIXYpcmV0dXJuIGkmJmkuYWJvcnQoKSx2b2lkIGQucG9zdE1lc3NhZ2Uoe2Vycm9yOiJUaW1lb3V0IHdoZW4gZXhlY3V0aW5nICdmZXRjaCcifSk7dz12LmhlYWRlcnMseT1bLi4ud10ucmVkdWNlKChlLHIpPT57bGV0W3Qsbl09cjtyZXR1cm4gZVt0XT1uLGV9LHt9KSxyPWF3YWl0IHYuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKGEubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLGc9bixtPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhhKS5mb3JFYWNoKGU9PntsZXRbcix0XT1lO3Q9PT1nJiYoYVtyXT1tKX0pKSwoKGUscix0KT0+e2FbdShyLHQpXT1lfSkoci5yZWZyZXNoX3Rva2VuLGIsTyksZGVsZXRlIHIucmVmcmVzaF90b2tlbik6KChlLHIpPT57ZGVsZXRlIGFbdShlLHIpXX0pKGIsTyksZC5wb3N0TWVzc2FnZSh7b2s6di5vayxqc29uOnIsaGVhZGVyczp5fSl9Y2F0Y2goZSl7ZC5wb3N0TWVzc2FnZSh7b2s6ITEsanNvbjp7ZXJyb3I6ZS5lcnJvcixlcnJvcl9kZXNjcmlwdGlvbjplLm1lc3NhZ2V9LGhlYWRlcnM6eX0pfXZhciBnLG0sdyxqfTthZGRFdmVudExpc3RlbmVyKCJtZXNzYWdlIixlPT57Y29uc3R7ZGF0YTpyLHBvcnRzOnR9PWUsW25dPXQ7aWYoInR5cGUiaW4gciYmImluaXQiPT09ci50eXBlKXtpZihudWxsPT09bCl0cnl7bmV3IFVSTChyLmFsbG93ZWRCYXNlVXJsKSxsPXIuYWxsb3dlZEJhc2VVcmx9Y2F0Y2goZSl7cmV0dXJufX1lbHNlImZldGNoVXJsImluIHImJihlPT57aWYoIWwpcmV0dXJuITE7dHJ5e2NvbnN0IHI9bmV3IFVSTChsKS5vcmlnaW4sdD1uZXcgVVJMKGUuZmV0Y2hVcmwpO3JldHVybiB0Lm9yaWdpbj09PXImJiIvb2F1dGgvdG9rZW4iPT09dC5wYXRobmFtZX1jYXRjaChlKXtyZXR1cm4hMX19KShyKT9mKGUpOm51bGw9PW58fG4ucG9zdE1lc3NhZ2Uoe29rOiExLGpzb246e2Vycm9yOiJpbnZhbGlkX2ZldGNoX3VybCIsZXJyb3JfZGVzY3JpcHRpb246IlVuYXV0aG9yaXplZCBmZXRjaCBVUkwifSxoZWFkZXJzOnt9fSl9KX0oKTsKCg==",it=null,at=!1,function(e){return st=st||ot(rt,it,at),new Worker(st,e)});const ut={};class lt{constructor(e,t){this.cache=e,this.clientId=t,s(this,"manifestKey",void 0),this.manifestKey=this.createManifestKeyFrom(this.clientId)}async add(e){var t;const n=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);n.add(e),await this.cache.set(this.manifestKey,{keys:[...n]})}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const n=new Set(t.keys);return n.delete(e),n.size>0?await this.cache.set(this.manifestKey,{keys:[...n]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return"".concat(We,"::").concat(e)}}const dt=["openUrl","onRedirect"],ht="auth0.is.authenticated",pt={memory:()=>(new He).enclosedCache,localstorage:()=>new De},ft=e=>pt[e],mt=e=>{const{openUrl:t,onRedirect:n}=e;return u(u({},l(e,dt)),{},{openUrl:!1===t||t?t:n})},yt=(e,t)=>{const n=(null==t?void 0:t.split(" "))||[];return((null==e?void 0:e.split(" "))||[]).every(e=>n.includes(e))},wt={NONCE:"nonce",KEYPAIR:"keypair"};class gt{constructor(e){s(this,"clientId",void 0),s(this,"dbHandle",void 0),this.clientId=e}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise((t,n)=>{e.onupgradeneeded=()=>Object.values(wt).forEach(t=>e.result.createObjectStore(t)),e.onerror=()=>n(e.error),e.onsuccess=()=>t(e.result)})}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,n){const o=n((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise((e,t)=>{o.onsuccess=()=>e(o.result),o.onerror=()=>t(o.error)})}buildKey(e){const t=e?"_".concat(e):"auth0";return"".concat(this.clientId,"::").concat(t)}setNonce(e,t){return this.save(wt.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(wt.KEYPAIR,this.buildKey(),e)}async save(e,t,n){await this.executeDbRequest(e,"readwrite",e=>e.put(n,t))}findNonce(e){return this.find(wt.NONCE,this.buildKey(e))}findKeyPair(){return this.find(wt.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",e=>e.get(t))}async deleteBy(e,t){const n=await this.executeDbRequest(e,"readonly",e=>e.getAllKeys());null==n||n.filter(t).map(t=>this.executeDbRequest(e,"readwrite",e=>e.delete(t)))}deleteByClientId(e,t){return this.deleteBy(e,e=>"string"==typeof e&&e.startsWith("".concat(t,"::")))}clearNonces(){return this.deleteByClientId(wt.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(wt.KEYPAIR,this.clientId)}}class vt{constructor(e){s(this,"storage",void 0),this.storage=new gt(e)}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await be(),await this.storage.setKeyPair(e)),e}async generateProof(e){return ke(u({keyPair:await this.getOrGenerateKeyPair()},e))}async calculateThumbprint(){return _e(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()])}}var bt=function(e){return e.Bearer="Bearer",e.DPoP="DPoP",e}(bt||{});class _t{constructor(e,t){s(this,"config",void 0),s(this,"hooks",void 0),this.hooks=t,this.config=u(u({},e),{},{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))})}isAbsoluteUrl(e){return/^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return"".concat(e.replace(/\/?\/$/,""),"/").concat(t.replace(/^\/+/,""))}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return"string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const n=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),o=e instanceof Request?new Request(n,e):n;return new Request(o,t)}setAuthorizationHeader(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:bt.Bearer;e.headers.set("authorization","".concat(n," ").concat(t))}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const n=await this.hooks.getDpopNonce(),o=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:n,url:e.url});e.headers.set("dpop",o)}async prepareRequest(e,t){const n=await this.getAccessToken(t);let o,r;"string"==typeof n?(o=this.config.dpopNonceId?bt.DPoP:bt.Bearer,r=n):(o=n.token_type,r=n.access_token),this.setAuthorizationHeader(e,r,o),o===bt.DPoP&&await this.setDpopProofHeader(e,r)}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return!1;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const n=this.getHeader(e.headers,ge);if(n&&await this.hooks.setDpopNonce(n),!this.hasUseDpopNonceError(e))return e;if(!n||!t.onUseDpopNonceError)throw new I(n);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,n,o){const r=this.buildBaseRequest(e,t);await this.prepareRequest(r,o);const i=await this.config.fetch(r);return this.handleResponse(i,n)}fetchWithAuth(e,t,n){const o={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,u(u({},o),{},{onUseDpopNonceError:void 0}),n)};return this.internalFetchWithAuth(e,t,o,n)}}class kt{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/connect"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/complete"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t)}catch(n){throw new St({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(n)})}if(e.ok)return t;throw new St(t)}}class St extends Error{constructor(e){let{type:t,status:n,title:o,detail:r,validation_errors:i}=e;super(r),s(this,"type",void 0),s(this,"status",void 0),s(this,"title",void 0),s(this,"detail",void 0),s(this,"validation_errors",void 0),this.name="MyAccountApiError",this.type=t,this.status=n,this.title=o,this.detail=r,this.validation_errors=i,Object.setPrototypeOf(this,St.prototype)}}const Tt={otp:{authenticatorTypes:["otp"]},sms:{authenticatorTypes:["oob"],oobChannels:["sms"]},email:{authenticatorTypes:["oob"],oobChannels:["email"]},push:{authenticatorTypes:["oob"],oobChannels:["auth0"]},voice:{authenticatorTypes:["oob"],oobChannels:["voice"]}},Et="http://auth0.com/oauth/grant-type/mfa-otp",Pt="http://auth0.com/oauth/grant-type/mfa-oob",At="http://auth0.com/oauth/grant-type/mfa-recovery-code";var It,xt;let Rt;if("undefined"==typeof navigator||null===(It=navigator.userAgent)||void 0===It||null===(xt=It.startsWith)||void 0===xt||!xt.call(It,"Mozilla/5.0 ")){const e="v3.8.5";Rt="".concat("oauth4webapi","/").concat(e)}function Ct(e,t){if(null==e)return!1;try{return e instanceof t||Object.getPrototypeOf(e)[Symbol.toStringTag]===t.prototype[Symbol.toStringTag]}catch(e){return!1}}const Ot="ERR_INVALID_ARG_VALUE",Wt="ERR_INVALID_ARG_TYPE";function Kt(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}const Ut=Symbol(),Dt=Symbol(),Ht=Symbol(),Lt=Symbol(),jt=Symbol(),Mt=Symbol(),Nt=new TextEncoder,zt=new TextDecoder;function Jt(e){return"string"==typeof e?Nt.encode(e):zt.decode(e)}let Zt,Vt;if(Uint8Array.prototype.toBase64)Zt=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;Zt=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function Xt(e){return"string"==typeof e?Vt(e):Zt(e)}Vt=Uint8Array.fromBase64?e=>{try{return Uint8Array.fromBase64(e,{alphabet:"base64url"})}catch(e){throw Kt("The input to be decoded is not correctly encoded.",Ot,e)}}:e=>{try{const t=atob(e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"")),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}catch(e){throw Kt("The input to be decoded is not correctly encoded.",Ot,e)}};class Gt extends Error{constructor(e,t){var n;super(e,t),s(this,"code",void 0),this.name=this.constructor.name,this.code=Yn,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class Ft extends Error{constructor(e,t){var n;super(e,t),s(this,"code",void 0),this.name=this.constructor.name,null!=t&&t.code&&(this.code=null==t?void 0:t.code),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function Yt(e,t,n){return new Ft(e,{code:t,cause:n})}function qt(e,t){if(function(e,t){if(!(e instanceof CryptoKey))throw Kt("".concat(t," must be a CryptoKey"),Wt)}(e,t),"private"!==e.type)throw Kt("".concat(t," must be a private CryptoKey"),Ot)}function Bt(e){return null!==e&&"object"==typeof e&&!Array.isArray(e)}function Qt(e){Ct(e,Headers)&&(e=Object.fromEntries(e.entries()));const t=new Headers(null!=e?e:{});if(Rt&&!t.has("user-agent")&&t.set("user-agent",Rt),t.has("authorization"))throw Kt('"options.headers" must not include the "authorization" header name',Ot);return t}function $t(e,t){if(void 0!==t){if("function"==typeof t&&(t=t(e.href)),!(t instanceof AbortSignal))throw Kt('"options.signal" must return or be an instance of AbortSignal',Wt);return t}}function en(e){return e.includes("//")?e.replace("//","/"):e}async function tn(e,t){return async function(e,t,n,o){if(!(e instanceof URL))throw Kt('"'.concat(t,'" must be an instance of URL'),Wt);yn(e,!0!==(null==o?void 0:o[Ut]));const r=n(new URL(e.href)),i=Qt(null==o?void 0:o.headers);return i.set("accept","application/json"),((null==o?void 0:o[Lt])||fetch)(r.href,{body:void 0,headers:Object.fromEntries(i.entries()),method:"GET",redirect:"manual",signal:$t(r,null==o?void 0:o.signal)})}(e,"issuerIdentifier",e=>{switch(null==t?void 0:t.algorithm){case void 0:case"oidc":!function(e,t){e.pathname=en("".concat(e.pathname,"/").concat(t))}(e,".well-known/openid-configuration");break;case"oauth2":!function(e,t){let n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];"/"===e.pathname?e.pathname=t:e.pathname=en("".concat(t,"/").concat(n?e.pathname:e.pathname.replace(/(\/)$/,"")))}(e,".well-known/oauth-authorization-server");break;default:throw Kt('"options.algorithm" must be "oidc" (default), or "oauth2"',Ot)}return e},t)}function nn(e,t,n,o,r){try{if("number"!=typeof e||!Number.isFinite(e))throw Kt("".concat(n," must be a number"),Wt,r);if(e>0)return;if(t){if(0!==e)throw Kt("".concat(n," must be a non-negative number"),Ot,r);return}throw Kt("".concat(n," must be a positive number"),Ot,r)}catch(e){if(o)throw Yt(e.message,o,r);throw e}}function on(e,t,n,o){try{if("string"!=typeof e)throw Kt("".concat(t," must be a string"),Wt,o);if(0===e.length)throw Kt("".concat(t," must not be empty"),Ot,o)}catch(e){if(n)throw Yt(e.message,n,o);throw e}}function rn(e){!function(e,t){if(Cn(e)!==t)throw function(e){let t='"response" content-type must be ';for(var n=arguments.length,o=new Array(n>1?n-1:0),r=1;r<n;r++)o[r-1]=arguments[r];if(o.length>2){const e=o.pop();t+="".concat(o.join(", "),", or ").concat(e)}else 2===o.length?t+="".concat(o[0]," or ").concat(o[1]):t+=o[0];return Yt(t,$n,e)}(e,t)}(e,"application/json")}function an(){return Xt(crypto.getRandomValues(new Uint8Array(32)))}function sn(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"PS256";case"SHA-384":return"PS384";case"SHA-512":return"PS512";default:throw new Gt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"RSASSA-PKCS1-v1_5":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"RS256";case"SHA-384":return"RS384";case"SHA-512":return"RS512";default:throw new Gt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"ECDSA":return function(e){switch(e.algorithm.namedCurve){case"P-256":return"ES256";case"P-384":return"ES384";case"P-521":return"ES512";default:throw new Gt("unsupported EcKeyAlgorithm namedCurve",{cause:e})}}(e);case"Ed25519":case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return e.algorithm.name;case"EdDSA":return"Ed25519";default:throw new Gt("unsupported CryptoKey algorithm name",{cause:e})}}function cn(e){const t=null==e?void 0:e[Dt];return"number"==typeof t&&Number.isFinite(t)?t:0}function un(e){const t=null==e?void 0:e[Ht];return"number"==typeof t&&Number.isFinite(t)&&-1!==Math.sign(t)?t:30}function ln(){return Math.floor(Date.now()/1e3)}function dn(e){if("object"!=typeof e||null===e)throw Kt('"as" must be an object',Wt);on(e.issuer,'"as.issuer"')}function hn(e){if("object"!=typeof e||null===e)throw Kt('"client" must be an object',Wt);on(e.client_id,'"client.client_id"')}function pn(e){return on(e,'"clientSecret"'),(t,n,o,r)=>{o.set("client_id",n.client_id),o.set("client_secret",e)}}function fn(e,t){const{key:n,kid:o}=(r=e)instanceof CryptoKey?{key:r}:(null==r?void 0:r.key)instanceof CryptoKey?(void 0!==r.kid&&on(r.kid,'"kid"'),{key:r.key,kid:r.kid}):{};var r;return qt(n,'"clientPrivateKey.key"'),async(e,r,i,a)=>{var s;const c={alg:sn(n),kid:o},u=function(e,t){const n=ln()+cn(t);return{jti:an(),aud:e.issuer,exp:n+60,iat:n,nbf:n,iss:t.client_id,sub:t.client_id}}(e,r);null==t||null===(s=t[jt])||void 0===s||s.call(t,c,u),i.set("client_id",r.client_id),i.set("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),i.set("client_assertion",await async function(e,t,n){if(!n.usages.includes("sign"))throw Kt('CryptoKey instances used for signing assertions must include "sign" in their "usages"',Ot);const o="".concat(Xt(Jt(JSON.stringify(e))),".").concat(Xt(Jt(JSON.stringify(t)))),r=Xt(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:lo(e)};case"RSA-PSS":switch(uo(e),e.algorithm.hash.name){case"SHA-256":case"SHA-384":case"SHA-512":return{name:e.algorithm.name,saltLength:parseInt(e.algorithm.hash.name.slice(-3),10)>>3};default:throw new Gt("unsupported RSA-PSS hash name",{cause:e})}case"RSASSA-PKCS1-v1_5":return uo(e),e.algorithm.name;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":case"Ed25519":return e.algorithm.name}throw new Gt("unsupported CryptoKey algorithm name",{cause:e})}(n),n,Jt(o)));return"".concat(o,".").concat(r)}(c,u,n))}}const mn=URL.parse?(e,t)=>URL.parse(e,t):(e,t)=>{try{return new URL(e,t)}catch(e){return null}};function yn(e,t){if(t&&"https:"!==e.protocol)throw Yt("only requests to HTTPS are allowed",to,e);if("https:"!==e.protocol&&"http:"!==e.protocol)throw Yt("only HTTP and HTTPS requests are allowed",no,e)}function wn(e,t,n,o){let r;if("string"!=typeof e||!(r=mn(e)))throw Yt("authorization server metadata does not contain a valid ".concat(n?'"as.mtls_endpoint_aliases.'.concat(t,'"'):'"as.'.concat(t,'"')),void 0===e?ao:so,{attribute:n?"mtls_endpoint_aliases.".concat(t):t});return yn(r,o),r}function gn(e,t,n,o){return n&&e.mtls_endpoint_aliases&&t in e.mtls_endpoint_aliases?wn(e.mtls_endpoint_aliases[t],t,n,o):wn(e[t],t,n,o)}class vn extends Error{constructor(e,t){var n;super(e,t),s(this,"cause",void 0),s(this,"code",void 0),s(this,"error",void 0),s(this,"status",void 0),s(this,"error_description",void 0),s(this,"response",void 0),this.name=this.constructor.name,this.code=Fn,this.cause=t.cause,this.error=t.cause.error,this.status=t.response.status,this.error_description=t.cause.error_description,Object.defineProperty(this,"response",{enumerable:!1,value:t.response}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class bn extends Error{constructor(e,t){var n,o;super(e,t),s(this,"cause",void 0),s(this,"code",void 0),s(this,"error",void 0),s(this,"error_description",void 0),this.name=this.constructor.name,this.code=qn,this.cause=t.cause,this.error=t.cause.get("error"),this.error_description=null!==(n=t.cause.get("error_description"))&&void 0!==n?n:void 0,null===(o=Error.captureStackTrace)||void 0===o||o.call(Error,this,this.constructor)}}class _n extends Error{constructor(e,t){var n;super(e,t),s(this,"cause",void 0),s(this,"code",void 0),s(this,"response",void 0),s(this,"status",void 0),this.name=this.constructor.name,this.code=Gn,this.cause=t.cause,this.status=t.response.status,this.response=t.response,Object.defineProperty(this,"response",{enumerable:!1}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}const kn="[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+",Sn="("+kn+')\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"',Tn="("+kn+")\\s*=\\s*("+kn+")",En=new RegExp("^[,\\s]*("+kn+")"),Pn=new RegExp("^[,\\s]*"+Sn+"[,\\s]*(.*)"),An=new RegExp("^[,\\s]*"+Tn+"[,\\s]*(.*)"),In=new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");async function xn(e,t,n){if(e.status!==t){let t;var o;if(function(e){let t;if(t=function(e){if(!Ct(e,Response))throw Kt('"response" must be an instance of Response',Wt);const t=e.headers.get("www-authenticate");if(null===t)return;const n=[];let o=t;for(;o;){var r;let e=o.match(En);const t=null===(r=e)||void 0===r?void 0:r[1].toLowerCase();if(!t)return;const i=o.substring(e[0].length);if(i&&!i.match(/^[\s,]/))return;const a=i.match(/^\s+(.*)$/),s=!!a;o=a?a[1]:void 0;const c={};let u;if(s)for(;o;){let t,n;if(e=o.match(Pn)){if([,t,n,o]=e,n.includes("\\"))try{n=JSON.parse('"'.concat(n,'"'))}catch(e){}c[t.toLowerCase()]=n}else{if(!(e=o.match(An))){if(e=o.match(In)){if(Object.keys(c).length)break;[,u,o]=e;break}return}[,t,n,o]=e,c[t.toLowerCase()]=n}}else o=i||void 0;const l={scheme:t,parameters:c};u&&(l.token68=u),n.push(l)}return n.length?n:void 0}(e))throw new _n("server responded with a challenge in the WWW-Authenticate HTTP Header",{cause:t,response:e})}(e),t=await async function(e){if(e.status>399&&e.status<500){co(e),rn(e);try{const t=await e.clone().json();if(Bt(t)&&"string"==typeof t.error&&t.error.length)return t}catch(e){}}}(e))throw await(null===(o=e.body)||void 0===o?void 0:o.cancel()),new vn("server responded with an error in the response body",{cause:t,response:e});throw Yt('"response" is not a conform '.concat(n," response (unexpected HTTP status code)"),eo,e)}}function Rn(e){if(!Mn.has(e))throw Kt('"options.DPoP" is not a valid DPoPHandle',Ot)}function Cn(e){var t;return null===(t=e.headers.get("content-type"))||void 0===t?void 0:t.split(";")[0]}async function On(e,t,n,o,r,i,a){return await n(e,t,r,i),i.set("content-type","application/x-www-form-urlencoded;charset=UTF-8"),((null==a?void 0:a[Lt])||fetch)(o.href,{body:r,headers:Object.fromEntries(i.entries()),method:"POST",redirect:"manual",signal:$t(o,null==a?void 0:a.signal)})}async function Wn(e,t,n,o,r,i){var a;const s=gn(e,"token_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==i?void 0:i[Ut]));r.set("grant_type",o);const c=Qt(null==i?void 0:i.headers);c.set("accept","application/json"),void 0!==(null==i?void 0:i.DPoP)&&(Rn(i.DPoP),await i.DPoP.addProof(s,c,"POST"));const u=await On(e,t,n,s,r,c,i);return null==i||null===(a=i.DPoP)||void 0===a||a.cacheNonce(u,s),u}const Kn=new WeakMap,Un=new WeakMap;function Dn(e){if(!e.id_token)return;const t=Kn.get(e);if(!t)throw Kt('"ref" was already garbage collected or did not resolve from the proper sources',Ot);return t}async function Hn(e,t,n,o,r,i){if(dn(e),hn(t),!Ct(n,Response))throw Kt('"response" must be an instance of Response',Wt);await xn(n,200,"Token Endpoint"),co(n);const a=await go(n);if(on(a.access_token,'"response" body "access_token" property',Qn,{body:a}),on(a.token_type,'"response" body "token_type" property',Qn,{body:a}),a.token_type=a.token_type.toLowerCase(),void 0!==a.expires_in){let e="number"!=typeof a.expires_in?parseFloat(a.expires_in):a.expires_in;nn(e,!0,'"response" body "expires_in" property',Qn,{body:a}),a.expires_in=e}if(void 0!==a.refresh_token&&on(a.refresh_token,'"response" body "refresh_token" property',Qn,{body:a}),void 0!==a.scope&&"string"!=typeof a.scope)throw Yt('"response" body "scope" property must be a string',Qn,{body:a});if(void 0!==a.id_token){on(a.id_token,'"response" body "id_token" property',Qn,{body:a});const i=["aud","exp","iat","iss","sub"];!0===t.require_auth_time&&i.push("auth_time"),void 0!==t.default_max_age&&(nn(t.default_max_age,!0,'"client.default_max_age"'),i.push("auth_time")),null!=o&&o.length&&i.push(...o);const{claims:s,jwt:c}=await async function(e,t,n,o,r){let i,a,{0:s,1:c,length:u}=e.split(".");if(5===u){if(void 0===r)throw new Gt("JWE decryption is not configured",{cause:e});e=await r(e),({0:s,1:c,length:u}=e.split("."))}if(3!==u)throw Yt("Invalid JWT",Qn,e);try{i=JSON.parse(Jt(Xt(s)))}catch(e){throw Yt("failed to parse JWT Header body as base64url encoded JSON",Bn,e)}if(!Bt(i))throw Yt("JWT Header must be a top level object",Qn,e);if(t(i),void 0!==i.crit)throw new Gt('no JWT "crit" header parameter extensions are supported',{cause:{header:i}});try{a=JSON.parse(Jt(Xt(c)))}catch(e){throw Yt("failed to parse JWT Payload body as base64url encoded JSON",Bn,e)}if(!Bt(a))throw Yt("JWT Payload must be a top level object",Qn,e);const l=ln()+n;if(void 0!==a.exp){if("number"!=typeof a.exp)throw Yt('unexpected JWT "exp" (expiration time) claim type',Qn,{claims:a});if(a.exp<=l-o)throw Yt('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp',oo,{claims:a,now:l,tolerance:o,claim:"exp"})}if(void 0!==a.iat&&"number"!=typeof a.iat)throw Yt('unexpected JWT "iat" (issued at) claim type',Qn,{claims:a});if(void 0!==a.iss&&"string"!=typeof a.iss)throw Yt('unexpected JWT "iss" (issuer) claim type',Qn,{claims:a});if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw Yt('unexpected JWT "nbf" (not before) claim type',Qn,{claims:a});if(a.nbf>l+o)throw Yt('unexpected JWT "nbf" (not before) claim value',oo,{claims:a,now:l,tolerance:o,claim:"nbf"})}if(void 0!==a.aud&&"string"!=typeof a.aud&&!Array.isArray(a.aud))throw Yt('unexpected JWT "aud" (audience) claim type',Qn,{claims:a});return{header:i,claims:a,jwt:e}}(a.id_token,po.bind(void 0,t.id_token_signed_response_alg,e.id_token_signing_alg_values_supported,"RS256"),cn(t),un(t),r).then(Jn.bind(void 0,i)).then(jn.bind(void 0,e)).then(Ln.bind(void 0,t.client_id));if(Array.isArray(s.aud)&&1!==s.aud.length){if(void 0===s.azp)throw Yt('ID Token "aud" (audience) claim includes additional untrusted audiences',ro,{claims:s,claim:"aud"});if(s.azp!==t.client_id)throw Yt('unexpected ID Token "azp" (authorized party) claim value',ro,{expected:t.client_id,claims:s,claim:"azp"})}void 0!==s.auth_time&&nn(s.auth_time,!0,'ID Token "auth_time" (authentication time)',Qn,{claims:s}),Un.set(n,c),Kn.set(a,s)}if(void 0!==(null==i?void 0:i[a.token_type]))i[a.token_type](n,a);else if("dpop"!==a.token_type&&"bearer"!==a.token_type)throw new Gt("unsupported `token_type` value",{cause:{body:a}});return a}function Ln(e,t){if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e))throw Yt('unexpected JWT "aud" (audience) claim value',ro,{expected:e,claims:t.claims,claim:"aud"})}else if(t.claims.aud!==e)throw Yt('unexpected JWT "aud" (audience) claim value',ro,{expected:e,claims:t.claims,claim:"aud"});return t}function jn(e,t){var n,o;const r=null!==(n=null===(o=e[bo])||void 0===o?void 0:o.call(e,t))&&void 0!==n?n:e.issuer;if(t.claims.iss!==r)throw Yt('unexpected JWT "iss" (issuer) claim value',ro,{expected:r,claims:t.claims,claim:"iss"});return t}const Mn=new WeakSet;const Nn=Symbol();const zn={aud:"audience",c_hash:"code hash",client_id:"client id",exp:"expiration time",iat:"issued at",iss:"issuer",jti:"jwt id",nonce:"nonce",s_hash:"state hash",sub:"subject",ath:"access token hash",htm:"http method",htu:"http uri",cnf:"confirmation",auth_time:"authentication time"};function Jn(e,t){for(const n of e)if(void 0===t.claims[n])throw Yt('JWT "'.concat(n,'" (').concat(zn[n],") claim missing"),Qn,{claims:t.claims});return t}const Zn=Symbol(),Vn=Symbol();async function Xn(e,t,n,o){return"string"==typeof(null==o?void 0:o.expectedNonce)||"number"==typeof(null==o?void 0:o.maxAge)||null!=o&&o.requireIdToken?async function(e,t,n,o,r,i,a){const s=[];switch(o){case void 0:o=Zn;break;case Zn:break;default:on(o,'"expectedNonce" argument'),s.push("nonce")}switch(null!=r||(r=t.default_max_age),r){case void 0:r=Vn;break;case Vn:break;default:nn(r,!0,'"maxAge" argument'),s.push("auth_time")}const c=await Hn(e,t,n,s,i,a);on(c.id_token,'"response" body "id_token" property',Qn,{body:c});const u=Dn(c);if(r!==Vn){const e=ln()+cn(t),n=un(t);if(u.auth_time+r<e-n)throw Yt("too much time has elapsed since the last End-User authentication",oo,{claims:u,now:e,tolerance:n,claim:"auth_time"})}if(o===Zn){if(void 0!==u.nonce)throw Yt('unexpected ID Token "nonce" claim value',ro,{expected:void 0,claims:u,claim:"nonce"})}else if(u.nonce!==o)throw Yt('unexpected ID Token "nonce" claim value',ro,{expected:o,claims:u,claim:"nonce"});return c}(e,t,n,o.expectedNonce,o.maxAge,o[Mt],o.recognizedTokenTypes):async function(e,t,n,o,r){const i=await Hn(e,t,n,void 0,o,r),a=Dn(i);if(a){if(void 0!==t.default_max_age){nn(t.default_max_age,!0,'"client.default_max_age"');const e=ln()+cn(t),n=un(t);if(a.auth_time+t.default_max_age<e-n)throw Yt("too much time has elapsed since the last End-User authentication",oo,{claims:a,now:e,tolerance:n,claim:"auth_time"})}if(void 0!==a.nonce)throw Yt('unexpected ID Token "nonce" claim value',ro,{expected:void 0,claims:a,claim:"nonce"})}return i}(e,t,n,null==o?void 0:o[Mt],null==o?void 0:o.recognizedTokenTypes)}const Gn="OAUTH_WWW_AUTHENTICATE_CHALLENGE",Fn="OAUTH_RESPONSE_BODY_ERROR",Yn="OAUTH_UNSUPPORTED_OPERATION",qn="OAUTH_AUTHORIZATION_RESPONSE_ERROR",Bn="OAUTH_PARSE_ERROR",Qn="OAUTH_INVALID_RESPONSE",$n="OAUTH_RESPONSE_IS_NOT_JSON",eo="OAUTH_RESPONSE_IS_NOT_CONFORM",to="OAUTH_HTTP_REQUEST_FORBIDDEN",no="OAUTH_REQUEST_PROTOCOL_FORBIDDEN",oo="OAUTH_JWT_TIMESTAMP_CHECK_FAILED",ro="OAUTH_JWT_CLAIM_COMPARISON_FAILED",io="OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED",ao="OAUTH_MISSING_SERVER_METADATA",so="OAUTH_INVALID_SERVER_METADATA";function co(e){if(e.bodyUsed)throw Kt('"response" body has been used already',Ot)}function uo(e){const{algorithm:t}=e;if("number"!=typeof t.modulusLength||t.modulusLength<2048)throw new Gt("unsupported ".concat(t.name," modulusLength"),{cause:e})}function lo(e){const{algorithm:t}=e;switch(t.namedCurve){case"P-256":return"SHA-256";case"P-384":return"SHA-384";case"P-521":return"SHA-512";default:throw new Gt("unsupported ECDSA namedCurve",{cause:e})}}async function ho(e){if("POST"!==e.method)throw Kt("form_post responses are expected to use the POST method",Ot,{cause:e});if("application/x-www-form-urlencoded"!==Cn(e))throw Kt("form_post responses are expected to use the application/x-www-form-urlencoded content-type",Ot,{cause:e});return async function(e){if(e.bodyUsed)throw Kt("form_post Request instances must contain a readable body",Ot,{cause:e});return e.text()}(e)}function po(e,t,n,o){if(void 0===e)if(Array.isArray(t)){if(!t.includes(o.alg))throw Yt('unexpected JWT "alg" header parameter',Qn,{header:o,expected:t,reason:"authorization server metadata"})}else{if(void 0===n)throw Yt('missing client or server configuration to verify used JWT "alg" header parameter',void 0,{client:e,issuer:t,fallback:n});if("string"==typeof n?o.alg!==n:"function"==typeof n?!n(o.alg):!n.includes(o.alg))throw Yt('unexpected JWT "alg" header parameter',Qn,{header:o,expected:n,reason:"default value"})}else if("string"==typeof e?o.alg!==e:!e.includes(o.alg))throw Yt('unexpected JWT "alg" header parameter',Qn,{header:o,expected:e,reason:"client configuration"})}function fo(e,t){const{0:n,length:o}=e.getAll(t);if(o>1)throw Yt('"'.concat(t,'" parameter must be provided only once'),Qn);return n}const mo=Symbol(),yo=Symbol();function wo(e,t,n,o){if(dn(e),hn(t),n instanceof URL&&(n=n.searchParams),!(n instanceof URLSearchParams))throw Kt('"parameters" must be an instance of URLSearchParams, or URL',Wt);if(fo(n,"response"))throw Yt('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()',Qn,{parameters:n});const r=fo(n,"iss"),i=fo(n,"state");if(!r&&e.authorization_response_iss_parameter_supported)throw Yt('response parameter "iss" (issuer) missing',Qn,{parameters:n});if(r&&r!==e.issuer)throw Yt('unexpected "iss" (issuer) response parameter value',Qn,{expected:e.issuer,parameters:n});switch(o){case void 0:case yo:if(void 0!==i)throw Yt('unexpected "state" response parameter encountered',Qn,{expected:void 0,parameters:n});break;case mo:break;default:if(on(o,'"expectedState" argument'),i!==o)throw Yt(void 0===i?'response parameter "state" missing':'unexpected "state" response parameter value',Qn,{expected:o,parameters:n})}if(fo(n,"error"))throw new bn("authorization response from the server is an error",{cause:n});const a=fo(n,"id_token"),s=fo(n,"token");if(void 0!==a||void 0!==s)throw new Gt("implicit and hybrid flows are not supported");return c=new URLSearchParams(n),Mn.add(c),c;var c}async function go(e){let t,n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:rn;try{t=await e.json()}catch(t){throw n(e),Yt('failed to parse "response" body as JSON',Bn,t)}if(!Bt(t))throw Yt('"response" body must be a top level object',Qn,{body:t});return t}const vo=Symbol(),bo=Symbol(),_o=new TextEncoder,ko=new TextDecoder;function So(e){const t=new Uint8Array(e.length);for(let n=0;n<e.length;n++){const o=e.charCodeAt(n);if(o>127)throw new TypeError("non-ASCII string encountered in encode()");t[n]=o}return t}function To(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);const t=atob(e),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}function Eo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64("string"==typeof e?e:ko.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=ko.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return To(t)}catch(e){throw new TypeError("The input to be decoded is not correctly encoded.")}}const Po=function(e){return new TypeError("CryptoKey does not support this operation, its ".concat(arguments.length>1&&void 0!==arguments[1]?arguments[1]:"algorithm.name"," must be ").concat(e))},Ao=(e,t)=>e.name===t;function Io(e,t){var n;if((n=e.hash,parseInt(n.name.slice(4),10))!==t)throw Po("SHA-".concat(t),"algorithm.hash")}function xo(e,t,n){switch(t){case"HS256":case"HS384":case"HS512":if(!Ao(e.algorithm,"HMAC"))throw Po("HMAC");Io(e.algorithm,parseInt(t.slice(2),10));break;case"RS256":case"RS384":case"RS512":if(!Ao(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Po("RSASSA-PKCS1-v1_5");Io(e.algorithm,parseInt(t.slice(2),10));break;case"PS256":case"PS384":case"PS512":if(!Ao(e.algorithm,"RSA-PSS"))throw Po("RSA-PSS");Io(e.algorithm,parseInt(t.slice(2),10));break;case"Ed25519":case"EdDSA":if(!Ao(e.algorithm,"Ed25519"))throw Po("Ed25519");break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":if(!Ao(e.algorithm,t))throw Po(t);break;case"ES256":case"ES384":case"ES512":{if(!Ao(e.algorithm,"ECDSA"))throw Po("ECDSA");const n=function(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==n)throw Po(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}!function(e,t){if(t&&!e.usages.includes(t))throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t,"."))}(e,n)}function Ro(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if((o=o.filter(Boolean)).length>2){const t=o.pop();e+="one of type ".concat(o.join(", "),", or ").concat(t,".")}else 2===o.length?e+="one of type ".concat(o[0]," or ").concat(o[1],"."):e+="of type ".concat(o[0],".");if(null==t)e+=" Received ".concat(t);else if("function"==typeof t&&t.name)e+=" Received function ".concat(t.name);else if("object"==typeof t&&null!=t){var i;null!==(i=t.constructor)&&void 0!==i&&i.name&&(e+=" Received an instance of ".concat(t.constructor.name))}return e}const Co=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];return Ro("Key for the ".concat(e," algorithm must be "),t,...o)};class Oo extends Error{constructor(e,t){var n;super(e,t),s(this,"code","ERR_JOSE_GENERIC"),this.name=this.constructor.name,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}s(Oo,"code","ERR_JOSE_GENERIC");class Wo extends Oo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),s(this,"code","ERR_JWT_CLAIM_VALIDATION_FAILED"),s(this,"claim",void 0),s(this,"reason",void 0),s(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}s(Wo,"code","ERR_JWT_CLAIM_VALIDATION_FAILED");class Ko extends Oo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),s(this,"code","ERR_JWT_EXPIRED"),s(this,"claim",void 0),s(this,"reason",void 0),s(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}s(Ko,"code","ERR_JWT_EXPIRED");class Uo extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JOSE_ALG_NOT_ALLOWED")}}s(Uo,"code","ERR_JOSE_ALG_NOT_ALLOWED");class Do extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JOSE_NOT_SUPPORTED")}}s(Do,"code","ERR_JOSE_NOT_SUPPORTED");s(class extends Oo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"decryption operation failed",arguments.length>1?arguments[1]:void 0),s(this,"code","ERR_JWE_DECRYPTION_FAILED")}},"code","ERR_JWE_DECRYPTION_FAILED");s(class extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JWE_INVALID")}},"code","ERR_JWE_INVALID");class Ho extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JWS_INVALID")}}s(Ho,"code","ERR_JWS_INVALID");class Lo extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JWT_INVALID")}}s(Lo,"code","ERR_JWT_INVALID");s(class extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JWK_INVALID")}},"code","ERR_JWK_INVALID");class jo extends Oo{constructor(){super(...arguments),s(this,"code","ERR_JWKS_INVALID")}}s(jo,"code","ERR_JWKS_INVALID");class Mo extends Oo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"no applicable key found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),s(this,"code","ERR_JWKS_NO_MATCHING_KEY")}}s(Mo,"code","ERR_JWKS_NO_MATCHING_KEY");class No extends Oo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"multiple matching keys found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),s(this,Symbol.asyncIterator,void 0),s(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS")}}s(No,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");class zo extends Oo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"request timed out",arguments.length>1?arguments[1]:void 0),s(this,"code","ERR_JWKS_TIMEOUT")}}s(zo,"code","ERR_JWKS_TIMEOUT");class Jo extends Oo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"signature verification failed",arguments.length>1?arguments[1]:void 0),s(this,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED")}}s(Jo,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");const Zo=e=>{if("CryptoKey"===(null==e?void 0:e[Symbol.toStringTag]))return!0;try{return e instanceof CryptoKey}catch(e){return!1}},Vo=e=>"KeyObject"===(null==e?void 0:e[Symbol.toStringTag]),Xo=e=>Zo(e)||Vo(e);function Go(e,t,n){try{return Eo(e)}catch(e){throw new n("Failed to base64url decode the ".concat(t))}}function Fo(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return!1;var t;if(null===Object.getPrototypeOf(e))return!0;let n=e;for(;null!==Object.getPrototypeOf(n);)n=Object.getPrototypeOf(n);return Object.getPrototypeOf(e)===n}const Yo=e=>Fo(e)&&"string"==typeof e.kty;async function qo(e,t,n){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(function(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),o=1;o<t;o++)n[o-1]=arguments[o];return Ro("Key must be ",e,...n)}(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:"SHA-".concat(e.slice(-3)),name:"HMAC"},!1,[n])}return xo(t,e,n),t}async function Bo(e,t,n,o){const r=await qo(e,t,"verify");!function(e,t){if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:n}=t.algorithm;if("number"!=typeof n||n<2048)throw new TypeError("".concat(e," requires key modulusLength to be 2048 bits or larger"))}}(e,r);const i=function(e,t){const n="SHA-".concat(e.slice(-3));switch(e){case"HS256":case"HS384":case"HS512":return{hash:n,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:n,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:n,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:n,name:"ECDSA",namedCurve:t.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:e};default:throw new Do("alg ".concat(e," is not supported either by JOSE or your javascript runtime"))}}(e,r.algorithm);try{return await crypto.subtle.verify(i,r,n,o)}catch(e){return!1}}const Qo='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';async function $o(e){var t,n;if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:o,keyUsages:r}=function(e){let t,n;switch(e.kty){case"AKP":switch(e.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":t={name:e.alg},n=e.priv?["sign"]:["verify"];break;default:throw new Do(Qo)}break;case"RSA":switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(e.alg.slice(-3),10)||1)},n=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new Do(Qo)}break;case"EC":switch(e.alg){case"ES256":case"ES384":case"ES512":t={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[e.alg]},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new Do(Qo)}break;case"OKP":switch(e.alg){case"Ed25519":case"EdDSA":t={name:"Ed25519"},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new Do(Qo)}break;default:throw new Do('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:n}}(e),i=u({},e);return"AKP"!==i.kty&&delete i.alg,delete i.use,crypto.subtle.importKey("jwk",i,o,null!==(t=e.ext)&&void 0!==t?t:!e.d&&!e.priv,null!==(n=e.key_ops)&&void 0!==n?n:r)}const er="given KeyObject instance cannot be used for this algorithm";let tr;const nr=async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]&&arguments[3];tr||(tr=new WeakMap);let r=tr.get(e);if(null!=r&&r[n])return r[n];const i=await $o(u(u({},t),{},{alg:n}));return o&&Object.freeze(e),r?r[n]=i:tr.set(e,{[n]:i}),i};async function or(e,t){if(e instanceof Uint8Array)return e;if(Zo(e))return e;if(Vo(e)){if("secret"===e.type)return e.export();if("toCryptoKey"in e&&"function"==typeof e.toCryptoKey)try{return((e,t)=>{tr||(tr=new WeakMap);let n=tr.get(e);if(null!=n&&n[t])return n[t];const o="public"===e.type,r=!!o;let i;if("x25519"===e.asymmetricKeyType){switch(t){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(er)}i=e.toCryptoKey(e.asymmetricKeyType,r,o?[]:["deriveBits"])}if("ed25519"===e.asymmetricKeyType){if("EdDSA"!==t&&"Ed25519"!==t)throw new TypeError(er);i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}switch(e.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError(er);i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}if("rsa"===e.asymmetricKeyType){let n;switch(t){case"RSA-OAEP":n="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":n="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":n="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":n="SHA-512";break;default:throw new TypeError(er)}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:n},r,o?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:n},r,[o?"verify":"sign"])}if("ec"===e.asymmetricKeyType){var a;const n=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(null===(a=e.asymmetricKeyDetails)||void 0===a?void 0:a.namedCurve);if(!n)throw new TypeError(er);const s={ES256:"P-256",ES384:"P-384",ES512:"P-521"};s[t]&&n===s[t]&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:n},r,o?[]:["deriveBits"]))}if(!i)throw new TypeError(er);return n?n[t]=i:tr.set(e,{[t]:i}),i})(e,t)}catch(e){if(e instanceof TypeError)throw e}let n=e.export({format:"jwk"});return nr(e,n,t)}if(Yo(e))return e.k?Eo(e.k):nr(e,e,t,!0);throw new Error("unreachable")}const rr=(e,t)=>{if(e.byteLength!==t.length)return!1;for(let n=0;n<e.byteLength;n++)if(e[n]!==t[n])return!1;return!0},ir=e=>{const t=e.data[e.pos++];if(128&t){const n=127&t;let o=0;for(let t=0;t<n;t++)o=o<<8|e.data[e.pos++];return o}return t},ar=(e,t,n)=>{if(e.data[e.pos++]!==t)throw new Error(n)},sr=(e,t)=>{const n=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,n};const cr=e=>{const t=(e=>{ar(e,6,"Expected algorithm OID");const t=ir(e);return sr(e,t)})(e);if(rr(t,[43,101,110]))return"X25519";if(!rr(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");ar(e,6,"Expected curve OID");const n=ir(e),o=sr(e,n);for(const{name:e,oid:t}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(rr(o,t))return e;throw new Error("Unsupported named curve")},ur=async(e,t,n,o)=>{var r;let i,a;const s="spki"===e,c=()=>s?["verify"]:["sign"];switch(n){case"PS256":case"PS384":case"PS512":i={name:"RSA-PSS",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RS256":case"RS384":case"RS512":i={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":i={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(n.slice(-3),10)||1)},a=s?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":case"ES384":case"ES512":i={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[n]},a=c();break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":try{const e=o.getNamedCurve(t);i="X25519"===e?{name:"X25519"}:{name:"ECDH",namedCurve:e}}catch(e){throw new Do("Invalid or unsupported key format")}a=s?[]:["deriveBits"];break;case"Ed25519":case"EdDSA":i={name:"Ed25519"},a=c();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":i={name:n},a=c();break;default:throw new Do('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,i,null!==(r=null==o?void 0:o.extractable)&&void 0!==r?r:!!s,a)},lr=(e,t,n)=>{var o;const r=((e,t)=>To(e.replace(t,"")))(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);let i=n;return null!=t&&null!==(o=t.startsWith)&&void 0!==o&&o.call(t,"ECDH-ES")&&(i||(i={}),i.getNamedCurve=e=>{const t={data:e,pos:0};return function(e){ar(e,48,"Invalid PKCS#8 structure"),ir(e),ar(e,2,"Expected version field");const t=ir(e);e.pos+=t,ar(e,48,"Expected algorithm identifier");const n=ir(e);e.pos}(t),cr(t)}),ur("pkcs8",r,t,i)};const dr=e=>null==e?void 0:e[Symbol.toStringTag],hr=(e,t,n)=>{if(void 0!==t.use){let e;switch(n){case"sign":case"verify":e="sig";break;case"encrypt":case"decrypt":e="enc"}if(t.use!==e)throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e,'" when present'))}if(void 0!==t.alg&&t.alg!==e)throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e,'" when present'));if(Array.isArray(t.key_ops)){var o,r;let i;switch(!0){case"sign"===n||"verify"===n:case"dir"===e:case e.includes("CBC-HS"):i=n;break;case e.startsWith("PBES2"):i="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(e):i=!e.includes("GCM")&&e.endsWith("KW")?"encrypt"===n?"wrapKey":"unwrapKey":n;break;case"encrypt"===n&&e.startsWith("RSA"):i="wrapKey";break;case"decrypt"===n:i=e.startsWith("RSA")?"unwrapKey":"deriveBits"}if(i&&!1===(null===(o=t.key_ops)||void 0===o||null===(r=o.includes)||void 0===r?void 0:r.call(o,i)))throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i,'" when present'))}return!0};function pr(e,t,n){switch(e.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":((e,t,n)=>{if(!(t instanceof Uint8Array)){if(Yo(t)){if((e=>"oct"===e.kty&&"string"==typeof e.k)(t)&&hr(e,t,n))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!Xo(t))throw new TypeError(Co(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if("secret"!==t.type)throw new TypeError("".concat(dr(t),' instances for symmetric algorithms must be of type "secret"'))}})(e,t,n);break;default:((e,t,n)=>{if(Yo(t))switch(n){case"decrypt":case"sign":if((e=>"oct"!==e.kty&&("AKP"===e.kty&&"string"==typeof e.priv||"string"==typeof e.d))(t)&&hr(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if((e=>"oct"!==e.kty&&void 0===e.d&&void 0===e.priv)(t)&&hr(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!Xo(t))throw new TypeError(Co(e,t,"CryptoKey","KeyObject","JSON Web Key"));if("secret"===t.type)throw new TypeError("".concat(dr(t),' instances for asymmetric algorithms must not be of type "secret"'));if("public"===t.type)switch(n){case"sign":throw new TypeError("".concat(dr(t),' instances for asymmetric algorithm signing must be of type "private"'));case"decrypt":throw new TypeError("".concat(dr(t),' instances for asymmetric algorithm decryption must be of type "private"'))}if("private"===t.type)switch(n){case"verify":throw new TypeError("".concat(dr(t),' instances for asymmetric algorithm verifying must be of type "public"'));case"encrypt":throw new TypeError("".concat(dr(t),' instances for asymmetric algorithm encryption must be of type "public"'))}})(e,t,n)}}var fr,mr;let yr,wr;if("undefined"==typeof navigator||null===(fr=navigator.userAgent)||void 0===fr||null===(mr=fr.startsWith)||void 0===mr||!mr.call(fr,"Mozilla/5.0 ")){const e="v6.8.2";wr="".concat("openid-client","/").concat(e),yr={"user-agent":wr}}const gr=e=>vr.get(e);let vr,br;function _r(e){return void 0!==e?pn(e):(br||(br=new WeakMap),(e,t,n,o)=>{let r;return(r=br.get(t))||(!function(e,t){if("string"!=typeof e)throw Er("".concat(t," must be a string"),Tr);if(0===e.length)throw Er("".concat(t," must not be empty"),Sr)}(t.client_secret,'"metadata.client_secret"'),r=pn(t.client_secret),br.set(t,r)),r(e,t,n,o)})}const kr=Lt,Sr="ERR_INVALID_ARG_VALUE",Tr="ERR_INVALID_ARG_TYPE";function Er(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}function Pr(e){return async function(e){return on(e,"codeVerifier"),Xt(await crypto.subtle.digest("SHA-256",Jt(e)))}(e)}function Ar(){return an()}class Ir extends Error{constructor(e,t){var n;super(e,t),s(this,"code",void 0),this.name=this.constructor.name,this.code=null==t?void 0:t.code,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function xr(e,t,n){return new Ir(e,{cause:t,code:n})}function Rr(e){if(e instanceof TypeError||e instanceof Ir||e instanceof vn||e instanceof bn||e instanceof _n)throw e;if(e instanceof Ft)switch(e.code){case to:throw xr("only requests to HTTPS are allowed",e,e.code);case no:throw xr("only requests to HTTP or HTTPS are allowed",e,e.code);case eo:throw xr("unexpected HTTP response status code",e.cause,e.code);case $n:throw xr("unexpected response content-type",e.cause,e.code);case Bn:throw xr("parsing error occured",e,e.code);case Qn:throw xr("invalid response encountered",e,e.code);case ro:throw xr("unexpected JWT claim value encountered",e,e.code);case io:throw xr("unexpected JSON attribute value encountered",e,e.code);case oo:throw xr("JWT timestamp claim value failed validation",e,e.code);default:throw xr(e.message,e,e.code)}if(e instanceof Gt)throw xr("unsupported operation",e,e.code);if(e instanceof DOMException)switch(e.name){case"OperationError":throw xr("runtime operation error",e,Yn);case"NotSupportedError":throw xr("runtime unsupported operation",e,Yn);case"TimeoutError":throw xr("operation timed out",e,"OAUTH_TIMEOUT");case"AbortError":throw xr("operation aborted",e,"OAUTH_ABORT")}throw new Ir("something went wrong",{cause:e})}async function Cr(e,t,n,o,r){const i=await async function(e,t){var n,o;if(!(e instanceof URL))throw Er('"server" must be an instance of URL',Tr);const r=!e.href.includes("/.well-known/"),i=null!==(n=null==t?void 0:t.timeout)&&void 0!==n?n:30,a=AbortSignal.timeout(1e3*i),s=await(r?tn(e,{algorithm:null==t?void 0:t.algorithm,[Lt]:null==t?void 0:t[kr],[Ut]:null==t||null===(o=t.execute)||void 0===o?void 0:o.includes(jr),signal:a,headers:new Headers(yr)}):((null==t?void 0:t[kr])||fetch)((yn(e,null==t||null===(c=t.execute)||void 0===c||!c.includes(jr)),e.href),{headers:Object.fromEntries(new Headers(u({accept:"application/json"},yr)).entries()),body:void 0,method:"GET",redirect:"manual",signal:a})).then(e=>async function(e,t){const n=e;if(!(n instanceof URL)&&n!==vo)throw Kt('"expectedIssuerIdentifier" must be an instance of URL',Wt);if(!Ct(t,Response))throw Kt('"response" must be an instance of Response',Wt);if(200!==t.status)throw Yt('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)',eo,t);co(t);const o=await go(t);if(on(o.issuer,'"response" body "issuer" property',Qn,{body:o}),n!==vo&&new URL(o.issuer).href!==n.href)throw Yt('"response" body "issuer" property does not match the expected value',io,{expected:n.href,body:o,attribute:"issuer"});return o}(vo,e)).catch(Rr);var c;r&&new URL(s.issuer).href!==e.href&&(function(e,t,n){return!("https://login.microsoftonline.com"!==e.origin||null!=n&&n.algorithm&&"oidc"!==n.algorithm||(t[Or]=!0,0))}(e,s,t)||function(e,t){return!(!e.hostname.endsWith(".b2clogin.com")||null!=t&&t.algorithm&&"oidc"!==t.algorithm)}(e,t)||(()=>{throw new Ir("discovered metadata issuer does not match the expected issuer",{code:io,cause:{expected:e.href,body:s,attribute:"issuer"}})})());return s}(e,r),a=new Wr(i,t,n,o);let s=gr(a);if(null!=r&&r[kr]&&(s.fetch=r[kr]),null!=r&&r.timeout&&(s.timeout=r.timeout),null!=r&&r.execute)for(const e of r.execute)e(a);return a}new TextDecoder;const Or=Symbol();class Wr{constructor(e,t,n,o){var r,i,a,s,c;if("string"!=typeof t||!t.length)throw Er('"clientId" must be a non-empty string',Tr);if("string"==typeof n&&(n={client_secret:n}),void 0!==(null===(r=n)||void 0===r?void 0:r.client_id)&&t!==n.client_id)throw Er('"clientId" and "metadata.client_id" must be the same',Sr);const l=u(u({},structuredClone(n)),{},{client_id:t});let d;l[Dt]=null!==(i=null===(a=n)||void 0===a?void 0:a[Dt])&&void 0!==i?i:0,l[Ht]=null!==(s=null===(c=n)||void 0===c?void 0:c[Ht])&&void 0!==s?s:30,d=o||("string"==typeof l.client_secret&&l.client_secret.length?_r(l.client_secret):(e,t,n,o)=>{n.set("client_id",t.client_id)});let h=Object.freeze(l);const p=structuredClone(e);Or in e&&(p[bo]=t=>{let{claims:{tid:n}}=t;return e.issuer.replace("{tenantid}",n)});let f=Object.freeze(p);vr||(vr=new WeakMap),vr.set(this,{__proto__:null,as:f,c:h,auth:d,tlsOnly:!0,jwksCache:{}})}serverMetadata(){const e=structuredClone(gr(this).as);return function(e){Object.defineProperties(e,function(e){return{supportsPKCE:{__proto__:null,value(){var t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"S256";return!0===(null===(t=e.code_challenge_methods_supported)||void 0===t?void 0:t.includes(n))}}}}(e))}(e),e}clientMetadata(){return structuredClone(gr(this).c)}get timeout(){return gr(this).timeout}set timeout(e){gr(this).timeout=e}get[kr](){return gr(this).fetch}set[kr](e){gr(this).fetch=e}}function Kr(e){Object.defineProperties(e,function(e){let t;if(void 0!==e.expires_in){const n=new Date;n.setSeconds(n.getSeconds()+e.expires_in),t=n.getTime()}return{expiresIn:{__proto__:null,value(){if(t){const e=Date.now();return t>e?Math.floor((t-e)/1e3):0}}},claims:{__proto__:null,value(){try{return Dn(this)}catch(e){return}}}}}(e))}async function Ur(e,t,n){var o;let r=arguments.length>3&&void 0!==arguments[3]&&arguments[3];const i=null===(o=e.headers.get("retry-after"))||void 0===o?void 0:o.trim();if(void 0===i)return;let a;if(/^\d+$/.test(i))a=parseInt(i,10);else{const e=new Date(i);if(Number.isFinite(e.getTime())){const t=new Date,n=e.getTime()-t.getTime();n>0&&(a=Math.ceil(n/1e3))}}if(r&&!Number.isFinite(a))throw new Ft("invalid Retry-After header value",{cause:e});a>t&&await Dr(a-t,n)}function Dr(e,t){return new Promise((n,o)=>{const r=e=>{try{t.throwIfAborted()}catch(e){return void o(e)}if(e<=0)return void n();const i=Math.min(e,5);setTimeout(()=>r(e-i),1e3*i)};r(e)})}async function Hr(e,t){Vr(e);const{as:n,c:o,auth:r,fetch:i,tlsOnly:a,timeout:s}=gr(e);return async function(e,t,n,o,r){dn(e),hn(t);const i=gn(e,"backchannel_authentication_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[Ut])),a=new URLSearchParams(o);a.set("client_id",t.client_id);const s=Qt(null==r?void 0:r.headers);return s.set("accept","application/json"),On(e,t,n,i,a,s,r)}(n,o,r,t,{[Lt]:i,[Ut]:!a,headers:new Headers(yr),signal:Xr(s)}).then(e=>async function(e,t,n){if(dn(e),hn(t),!Ct(n,Response))throw Kt('"response" must be an instance of Response',Wt);await xn(n,200,"Backchannel Authentication Endpoint"),co(n);const o=await go(n);on(o.auth_req_id,'"response" body "auth_req_id" property',Qn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return nn(r,!0,'"response" body "expires_in" property',Qn,{body:o}),o.expires_in=r,void 0!==o.interval&&nn(o.interval,!1,'"response" body "interval" property',Qn,{body:o}),o}(n,o,e)).catch(Rr)}async function Lr(e,t,n,o){var r,i;Vr(e),n=new URLSearchParams(n);let a=null!==(r=t.interval)&&void 0!==r?r:5;const s=null!==(i=null==o?void 0:o.signal)&&void 0!==i?i:AbortSignal.timeout(1e3*t.expires_in);try{await Dr(a,s)}catch(e){Rr(e)}const{as:c,c:l,auth:d,fetch:h,tlsOnly:p,nonRepudiation:f,timeout:m,decrypt:y}=gr(e),w=(r,i)=>Lr(e,u(u({},t),{},{interval:r}),n,u(u({},o),{},{signal:s,flag:i})),g=await async function(e,t,n,o,r){dn(e),hn(t),on(o,'"authReqId"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("auth_req_id",o),Wn(e,t,n,"urn:openid:params:grant-type:ciba",i,r)}(c,l,d,t.auth_req_id,{[Lt]:h,[Ut]:!p,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(yr),signal:s.aborted?s:Xr(m)}).catch(Rr);var v;if(503===g.status&&g.headers.has("retry-after"))return await Ur(g,a,s,!0),await(null===(v=g.body)||void 0===v?void 0:v.cancel()),w(a);const b=async function(e,t,n,o){return Hn(e,t,n,void 0,null==o?void 0:o[Mt],null==o?void 0:o.recognizedTokenTypes)}(c,l,g,{[Mt]:y});let _;try{_=await b}catch(e){if(Gr(e,o))return w(a,Fr);if(e instanceof vn)switch(e.error){case"slow_down":a+=5;case"authorization_pending":return await Ur(e.response,a,s),w(a)}Rr(e)}return _.id_token&&await(null==f?void 0:f(g)),Kr(_),_}function jr(e){gr(e).tlsOnly=!1}async function Mr(e,t,n,o,r){if(Vr(e),!((null==r?void 0:r.flag)===Fr||t instanceof URL||function(e,t){try{return Object.getPrototypeOf(e)[Symbol.toStringTag]===t}catch(e){return!1}}(t,"Request")))throw Er('"currentUrl" must be an instance of URL, or Request',Tr);let i,a;const{as:s,c:c,auth:l,fetch:d,tlsOnly:h,jarm:p,hybrid:f,nonRepudiation:m,timeout:y,decrypt:w,implicit:g}=gr(e);if((null==r?void 0:r.flag)===Fr)i=r.authResponse,a=r.redirectUri;else{if(!(t instanceof URL)){const e=t;switch(t=new URL(t.url),e.method){case"GET":break;case"POST":const n=new URLSearchParams(await ho(e));if(f)t.hash=n.toString();else for(const[e,o]of n.entries())t.searchParams.append(e,o);break;default:throw Er("unexpected Request HTTP method",Sr)}}switch(a=function(e){return(e=new URL(e)).search="",e.hash="",e.href}(t),!0){case!!p:i=await p(t,null==n?void 0:n.expectedState);break;case!!f:i=await f(t,null==n?void 0:n.expectedNonce,null==n?void 0:n.expectedState,null==n?void 0:n.maxAge);break;case!!g:throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");default:try{i=wo(s,c,t.searchParams,null==n?void 0:n.expectedState)}catch(e){Rr(e)}}}const v=await async function(e,t,n,o,r,i,a){if(dn(e),hn(t),!Mn.has(o))throw Kt('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()',Ot);on(r,'"redirectUri"');const s=fo(o,"code");if(!s)throw Yt('no authorization code in "callbackParameters"',Qn);const c=new URLSearchParams(null==a?void 0:a.additionalParameters);return c.set("redirect_uri",r),c.set("code",s),i!==Nn&&(on(i,'"codeVerifier"'),c.set("code_verifier",i)),Wn(e,t,n,"authorization_code",c,a)}(s,c,l,i,a,(null==n?void 0:n.pkceCodeVerifier)||Nn,{additionalParameters:o,[Lt]:d,[Ut]:!h,DPoP:null==r?void 0:r.DPoP,headers:new Headers(yr),signal:Xr(y)}).catch(Rr);"string"!=typeof(null==n?void 0:n.expectedNonce)&&"number"!=typeof(null==n?void 0:n.maxAge)||(n.idTokenExpected=!0);const b=Xn(s,c,v,{expectedNonce:null==n?void 0:n.expectedNonce,maxAge:null==n?void 0:n.maxAge,requireIdToken:null==n?void 0:n.idTokenExpected,[Mt]:w});let _;try{_=await b}catch(t){if(Gr(t,r))return Mr(e,void 0,n,o,u(u({},r),{},{flag:Fr,authResponse:i,redirectUri:a}));Rr(t)}return _.id_token&&await(null==m?void 0:m(v)),Kr(_),_}async function Nr(e,t,n,o){Vr(e),n=new URLSearchParams(n);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,nonRepudiation:l,timeout:d,decrypt:h}=gr(e),p=await async function(e,t,n,o,r){dn(e),hn(t),on(o,'"refreshToken"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("refresh_token",o),Wn(e,t,n,"refresh_token",i,r)}(r,i,a,t,{[Lt]:s,[Ut]:!c,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(yr),signal:Xr(d)}).catch(Rr),f=async function(e,t,n,o){return Hn(e,t,n,void 0,null==o?void 0:o[Mt],null==o?void 0:o.recognizedTokenTypes)}(r,i,p,{[Mt]:h});let m;try{m=await f}catch(r){if(Gr(r,o))return Nr(e,t,n,u(u({},o),{},{flag:Fr}));Rr(r)}return m.id_token&&await(null==l?void 0:l(p)),Kr(m),m}async function zr(e,t,n){Vr(e),t=new URLSearchParams(t);const{as:o,c:r,auth:i,fetch:a,tlsOnly:s,timeout:c}=gr(e),l=await async function(e,t,n,o,r){return dn(e),hn(t),Wn(e,t,n,"client_credentials",new URLSearchParams(o),r)}(o,r,i,t,{[Lt]:a,[Ut]:!s,DPoP:null==n?void 0:n.DPoP,headers:new Headers(yr),signal:Xr(c)}).catch(Rr),d=async function(e,t,n,o){return Hn(e,t,n,void 0,null==o?void 0:o[Mt],null==o?void 0:o.recognizedTokenTypes)}(o,r,l);let h;try{h=await d}catch(o){if(Gr(o,n))return zr(e,t,u(u({},n),{},{flag:Fr}));Rr(o)}return Kr(h),h}function Jr(e,t){Vr(e);const{as:n,c:o,tlsOnly:r,hybrid:i,jarm:a,implicit:s}=gr(e),c=gn(n,"authorization_endpoint",!1,r);if((t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id),!t.has("request_uri")&&!t.has("request")){if(t.has("response_type")||t.set("response_type",i?"code id_token":s?"id_token":"code"),s&&!t.has("nonce"))throw Er("response_type=id_token clients must provide a nonce parameter in their authorization request parameters",Sr);a&&t.set("response_mode","jwt")}for(const[e,n]of t.entries())c.searchParams.append(e,n);return c}async function Zr(e,t,n){Vr(e);const o=Jr(e,t),{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:l}=gr(e),d=await async function(e,t,n,o,r){var i;dn(e),hn(t);const a=gn(e,"pushed_authorization_request_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[Ut])),s=new URLSearchParams(o);s.set("client_id",t.client_id);const c=Qt(null==r?void 0:r.headers);c.set("accept","application/json"),void 0!==(null==r?void 0:r.DPoP)&&(Rn(r.DPoP),await r.DPoP.addProof(a,c,"POST"));const u=await On(e,t,n,a,s,c,r);return null==r||null===(i=r.DPoP)||void 0===i||i.cacheNonce(u,a),u}(r,i,a,o.searchParams,{[Lt]:s,[Ut]:!c,DPoP:null==n?void 0:n.DPoP,headers:new Headers(yr),signal:Xr(l)}).catch(Rr),h=async function(e,t,n){if(dn(e),hn(t),!Ct(n,Response))throw Kt('"response" must be an instance of Response',Wt);await xn(n,201,"Pushed Authorization Request Endpoint"),co(n);const o=await go(n);on(o.request_uri,'"response" body "request_uri" property',Qn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return nn(r,!0,'"response" body "expires_in" property',Qn,{body:o}),o.expires_in=r,o}(r,i,d);let p;try{p=await h}catch(o){if(Gr(o,n))return Zr(e,t,u(u({},n),{},{flag:Fr}));Rr(o)}return Jr(e,{request_uri:p.request_uri})}function Vr(e){if(!(e instanceof Wr))throw Er('"config" must be an instance of Configuration',Tr);if(Object.getPrototypeOf(e)!==Wr.prototype)throw Er("subclassing Configuration is not allowed",Sr)}function Xr(e){return e?AbortSignal.timeout(1e3*e):void 0}function Gr(e,t){return!(null==t||!t.DPoP||t.flag===Fr)&&function(e){if(e instanceof _n){const{0:t,length:n}=e.cause;return 1===n&&"dpop"===t.scheme&&"use_dpop_nonce"===t.parameters.error}return e instanceof vn&&"use_dpop_nonce"===e.error}(e)}Object.freeze(Wr.prototype);const Fr=Symbol();async function Yr(e,t,n,o){Vr(e);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u,decrypt:l}=gr(e),d=await async function(e,t,n,o,r,i){return dn(e),hn(t),on(o,'"grantType"'),Wn(e,t,n,o,new URLSearchParams(r),i)}(r,i,a,t,new URLSearchParams(n),{[Lt]:s,[Ut]:!c,DPoP:null==o?void 0:o.DPoP,headers:new Headers(yr),signal:Xr(u)}).then(e=>{let n;return"urn:ietf:params:oauth:grant-type:token-exchange"===t&&(n={n_a:()=>{}}),async function(e,t,n,o){return Hn(e,t,n,void 0,null==o?void 0:o[Mt],null==o?void 0:o.recognizedTokenTypes)}(r,i,e,{[Mt]:l,recognizedTokenTypes:n})}).catch(Rr);return Kr(d),d}async function qr(e,t,n){if(!Fo(e))throw new Ho("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new Ho('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new Ho("JWS Protected Header incorrect type");if(void 0===e.payload)throw new Ho("JWS Payload missing");if("string"!=typeof e.signature)throw new Ho("JWS Signature missing or incorrect type");if(void 0!==e.header&&!Fo(e.header))throw new Ho("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{const t=Eo(e.protected);o=JSON.parse(ko.decode(t))}catch(e){throw new Ho("JWS Protected Header is invalid")}if(!function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.filter(Boolean);if(0===o.length||1===o.length)return!0;let r;for(const e of o){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return!1;r.add(e)}else r=new Set(t)}return!0}(o,e.header))throw new Ho("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r=u(u({},o),e.header),i=function(e,t,n,o,r){if(void 0!==r.crit&&void 0===(null==o?void 0:o.crit))throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||void 0===o.crit)return new Set;if(!Array.isArray(o.crit)||0===o.crit.length||o.crit.some(e=>"string"!=typeof e||0===e.length))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==n?new Map([...Object.entries(n),...t.entries()]):t;for(const t of o.crit){if(!i.has(t))throw new Do('Extension Header Parameter "'.concat(t,'" is not recognized'));if(void 0===r[t])throw new e('Extension Header Parameter "'.concat(t,'" is missing'));if(i.get(t)&&void 0===o[t])throw new e('Extension Header Parameter "'.concat(t,'" MUST be integrity protected'))}return new Set(o.crit)}(Ho,new Map([["b64",!0]]),null==n?void 0:n.crit,o,r);let a=!0;if(i.has("b64")&&(a=o.b64,"boolean"!=typeof a))throw new Ho('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:s}=r;if("string"!=typeof s||!s)throw new Ho('JWS "alg" (Algorithm) Header Parameter missing or invalid');const c=n&&function(e,t){if(void 0!==t&&(!Array.isArray(t)||t.some(e=>"string"!=typeof e)))throw new TypeError('"'.concat(e,'" option must be an array of strings'));if(t)return new Set(t)}("algorithms",n.algorithms);if(c&&!c.has(s))throw new Uo('"alg" (Algorithm) Header Parameter value not allowed');if(a){if("string"!=typeof e.payload)throw new Ho("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new Ho("JWS Payload must be a string or an Uint8Array instance");let l=!1;"function"==typeof t&&(t=await t(o,e),l=!0),pr(s,t,"verify");const d=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.reduce((e,t)=>{let{length:n}=t;return e+n},0),r=new Uint8Array(o);let i=0;for(const e of t)r.set(e,i),i+=e.length;return r}(void 0!==e.protected?So(e.protected):new Uint8Array,So("."),"string"==typeof e.payload?a?So(e.payload):_o.encode(e.payload):e.payload),h=Go(e.signature,"signature",Ho),p=await or(t,s);if(!await Bo(s,p,h,d))throw new Jo;let f;f=a?Go(e.payload,"payload",Ho):"string"==typeof e.payload?_o.encode(e.payload):e.payload;const m={payload:f};return void 0!==e.protected&&(m.protectedHeader=o),void 0!==e.header&&(m.unprotectedHeader=e.header),l?u(u({},m),{},{key:p}):m}const Br=86400,Qr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function $r(e){const t=Qr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");const n=parseFloat(t[2]);let o;switch(t[3].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(n);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(60*n);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(3600*n);break;case"day":case"days":case"d":o=Math.round(n*Br);break;case"week":case"weeks":case"w":o=Math.round(604800*n);break;default:o=Math.round(31557600*n)}return"-"===t[1]||"ago"===t[4]?-o:o}const ei=e=>e.includes("/")?e.toLowerCase():"application/".concat(e.toLowerCase());function ti(e,t){let n,o=arguments.length>2&&void 0!==arguments[2]?arguments[2]:{};try{n=JSON.parse(ko.decode(t))}catch(e){}if(!Fo(n))throw new Lo("JWT Claims Set must be a top-level JSON object");const{typ:r}=o;if(r&&("string"!=typeof e.typ||ei(e.typ)!==ei(r)))throw new Wo('unexpected "typ" JWT header value',n,"typ","check_failed");const{requiredClaims:i=[],issuer:a,subject:s,audience:c,maxTokenAge:u}=o,l=[...i];void 0!==u&&l.push("iat"),void 0!==c&&l.push("aud"),void 0!==s&&l.push("sub"),void 0!==a&&l.push("iss");for(const e of new Set(l.reverse()))if(!(e in n))throw new Wo('missing required "'.concat(e,'" claim'),n,e,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new Wo('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new Wo('unexpected "sub" claim value',n,"sub","check_failed");if(c&&(d=n.aud,h="string"==typeof c?[c]:c,!("string"==typeof d?h.includes(d):Array.isArray(d)&&h.some(Set.prototype.has.bind(new Set(d))))))throw new Wo('unexpected "aud" claim value',n,"aud","check_failed");var d,h;let p;switch(typeof o.clockTolerance){case"string":p=$r(o.clockTolerance);break;case"number":p=o.clockTolerance;break;case"undefined":p=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:f}=o,m=(y=f||new Date,Math.floor(y.getTime()/1e3));var y;if((void 0!==n.iat||u)&&"number"!=typeof n.iat)throw new Wo('"iat" claim must be a number',n,"iat","invalid");if(void 0!==n.nbf){if("number"!=typeof n.nbf)throw new Wo('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>m+p)throw new Wo('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(void 0!==n.exp){if("number"!=typeof n.exp)throw new Wo('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=m-p)throw new Ko('"exp" claim timestamp check failed',n,"exp","check_failed")}if(u){const e=m-n.iat;if(e-p>("number"==typeof u?u:$r(u)))throw new Ko('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(e<0-p)throw new Wo('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n}async function ni(e,t,n){var o;const r=await async function(e,t,n){if(e instanceof Uint8Array&&(e=ko.decode(e)),"string"!=typeof e)throw new Ho("Compact JWS must be a string or Uint8Array");const{0:o,1:r,2:i,length:a}=e.split(".");if(3!==a)throw new Ho("Invalid Compact JWS");const s=await qr({payload:r,protected:o,signature:i},t,n),c={payload:s.payload,protectedHeader:s.protectedHeader};return"function"==typeof t?u(u({},c),{},{key:s.key}):c}(e,t,n);if(null!==(o=r.protectedHeader.crit)&&void 0!==o&&o.includes("b64")&&!1===r.protectedHeader.b64)throw new Lo("JWTs MUST NOT use unencoded payload");const i={payload:ti(r.protectedHeader,r.payload,n),protectedHeader:r.protectedHeader};return"function"==typeof t?u(u({},i),{},{key:r.key}):i}function oi(e){return Fo(e)}var ri,ii,ai=new WeakMap,si=new WeakMap;class ci{constructor(e){if(i(this,ai,void 0),i(this,si,new WeakMap),!function(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(oi)}(e))throw new jo("JSON Web Key Set malformed");a(ai,this,structuredClone(e))}jwks(){return r(ai,this)}async getKey(e,t){const{alg:o,kid:i}=u(u({},e),null==t?void 0:t.header),a=function(e){switch("string"==typeof e&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";case"ML":return"AKP";default:throw new Do('Unsupported "alg" value for a JSON Web Key Set')}}(o),s=r(ai,this).keys.filter(e=>{let t=a===e.kty;if(t&&"string"==typeof i&&(t=i===e.kid),!t||"string"!=typeof e.alg&&"AKP"!==a||(t=o===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t)switch(o){case"ES256":t="P-256"===e.crv;break;case"ES384":t="P-384"===e.crv;break;case"ES512":t="P-521"===e.crv;break;case"Ed25519":case"EdDSA":t="Ed25519"===e.crv}return t}),{0:c,length:l}=s;if(0===l)throw new Mo;if(1!==l){const e=new No,t=r(si,this);throw e[Symbol.asyncIterator]=d(function*(){for(const e of s)try{yield yield n(ui(t,e,o))}catch(e){}}),e}return ui(r(si,this),c,o)}}async function ui(e,t,n){const o=e.get(t)||e.set(t,{}).get(t);if(void 0===o[n]){const e=await async function(e,t,n){var o;if(!Fo(e))throw new TypeError("JWK must be an object");let r;switch(null!=t||(t=e.alg),null!=r||(r=null!==(o=null==n?void 0:n.extractable)&&void 0!==o?o:e.ext),e.kty){case"oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return Eo(e.k);case"RSA":if("oth"in e&&void 0!==e.oth)throw new Do('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');return $o(u(u({},e),{},{alg:t,ext:r}));case"AKP":if("string"!=typeof e.alg||!e.alg)throw new TypeError('missing "alg" (Algorithm) Parameter value');if(void 0!==t&&t!==e.alg)throw new TypeError("JWK alg and alg option value mismatch");return $o(u(u({},e),{},{ext:r}));case"EC":case"OKP":return $o(u(u({},e),{},{alg:t,ext:r}));default:throw new Do('Unsupported "kty" (Key Type) Parameter value')}}(u(u({},t),{},{ext:!0}),n);if(e instanceof Uint8Array||"public"!==e.type)throw new jo("JSON Web Key Set members must be public keys");o[n]=e}return o[n]}function li(e){const t=new ci(e),n=async(e,n)=>t.getKey(e,n);return Object.defineProperties(n,{jwks:{value:()=>structuredClone(t.jwks()),enumerable:!1,configurable:!1,writable:!1}}),n}let di;if("undefined"==typeof navigator||null===(ri=navigator.userAgent)||void 0===ri||null===(ii=ri.startsWith)||void 0===ii||!ii.call(ri,"Mozilla/5.0 ")){const e="v6.2.2";di="".concat("jose","/").concat(e)}const hi=Symbol();const pi=Symbol();var fi=new WeakMap,mi=new WeakMap,yi=new WeakMap,wi=new WeakMap,gi=new WeakMap,vi=new WeakMap,bi=new WeakMap,_i=new WeakMap,ki=new WeakMap,Si=new WeakMap;class Ti{constructor(e,t){if(i(this,fi,void 0),i(this,mi,void 0),i(this,yi,void 0),i(this,wi,void 0),i(this,gi,void 0),i(this,vi,void 0),i(this,bi,void 0),i(this,_i,void 0),i(this,ki,void 0),i(this,Si,void 0),!(e instanceof URL))throw new TypeError("url must be an instance of URL");var n,o;a(fi,this,new URL(e.href)),a(mi,this,"number"==typeof(null==t?void 0:t.timeoutDuration)?null==t?void 0:t.timeoutDuration:5e3),a(yi,this,"number"==typeof(null==t?void 0:t.cooldownDuration)?null==t?void 0:t.cooldownDuration:3e4),a(wi,this,"number"==typeof(null==t?void 0:t.cacheMaxAge)?null==t?void 0:t.cacheMaxAge:6e5),a(bi,this,new Headers(null==t?void 0:t.headers)),di&&!r(bi,this).has("User-Agent")&&r(bi,this).set("User-Agent",di),r(bi,this).has("accept")||(r(bi,this).set("accept","application/json"),r(bi,this).append("accept","application/jwk-set+json")),a(_i,this,null==t?void 0:t[hi]),void 0!==(null==t?void 0:t[pi])&&(a(Si,this,null==t?void 0:t[pi]),n=null==t?void 0:t[pi],o=r(wi,this),"object"==typeof n&&null!==n&&"uat"in n&&"number"==typeof n.uat&&!(Date.now()-n.uat>=o)&&"jwks"in n&&Fo(n.jwks)&&Array.isArray(n.jwks.keys)&&Array.prototype.every.call(n.jwks.keys,Fo)&&(a(gi,this,r(Si,this).uat),a(ki,this,li(r(Si,this).jwks))))}pendingFetch(){return!!r(vi,this)}coolingDown(){return"number"==typeof r(gi,this)&&Date.now()<r(gi,this)+r(yi,this)}fresh(){return"number"==typeof r(gi,this)&&Date.now()<r(gi,this)+r(wi,this)}jwks(){var e;return null===(e=r(ki,this))||void 0===e?void 0:e.jwks()}async getKey(e,t){r(ki,this)&&this.fresh()||await this.reload();try{return await r(ki,this).call(this,e,t)}catch(n){if(n instanceof Mo&&!1===this.coolingDown())return await this.reload(),r(ki,this).call(this,e,t);throw n}}async reload(){r(vi,this)&&("undefined"!=typeof WebSocketPair||"undefined"!=typeof navigator&&"Cloudflare-Workers"===navigator.userAgent||"undefined"!=typeof EdgeRuntime&&"vercel"===EdgeRuntime)&&a(vi,this,void 0),r(vi,this)||a(vi,this,async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:fetch;const r=await o(e,{method:"GET",signal:n,redirect:"manual",headers:t}).catch(e=>{if("TimeoutError"===e.name)throw new zo;throw e});if(200!==r.status)throw new Oo("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await r.json()}catch(e){throw new Oo("Failed to parse the JSON Web Key Set HTTP response as JSON")}}(r(fi,this).href,r(bi,this),AbortSignal.timeout(r(mi,this)),r(_i,this)).then(e=>{a(ki,this,li(e)),r(Si,this)&&(r(Si,this).uat=Date.now(),r(Si,this).jwks=e),a(gi,this,Date.now()),a(vi,this,void 0)}).catch(e=>{throw a(vi,this,void 0),e})),await r(vi,this)}}const Ei=["mfaToken"],Pi=["mfaToken"];var Ai,Ii,xi,Ri,Ci,Oi,Wi,Ki,Ui,Di,Hi,Li,ji,Mi,Ni,zi,Ji=class extends Error{constructor(e,t){super(t),s(this,"code",void 0),this.name="NotSupportedError",this.code=e}},Zi=class extends Error{constructor(e,t,n){super(t),s(this,"cause",void 0),s(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},Vi=class extends Zi{constructor(e,t){super("token_by_code_error",e,t),this.name="TokenByCodeError"}},Xi=class extends Zi{constructor(e,t){super("token_by_client_credentials_error",e,t),this.name="TokenByClientCredentialsError"}},Gi=class extends Zi{constructor(e,t){super("token_by_refresh_token_error",e,t),this.name="TokenByRefreshTokenError"}},Fi=class extends Zi{constructor(e,t){super("token_by_password_error",e,t),this.name="TokenByPasswordError"}},Yi=class extends Zi{constructor(e,t){super("token_for_connection_error",e,t),this.name="TokenForConnectionErrorCode"}},qi=class extends Zi{constructor(e,t){super("token_exchange_error",e,t),this.name="TokenExchangeError"}},Bi=class extends Error{constructor(e){super(e),s(this,"code","verify_logout_token_error"),this.name="VerifyLogoutTokenError"}},Qi=class extends Zi{constructor(e){super("backchannel_authentication_error","There was an error when trying to use Client-Initiated Backchannel Authentication.",e),s(this,"code","backchannel_authentication_error"),this.name="BackchannelAuthenticationError"}},$i=class extends Zi{constructor(e){super("build_authorization_url_error","There was an error when trying to build the authorization URL.",e),this.name="BuildAuthorizationUrlError"}},ea=class extends Zi{constructor(e){super("build_link_user_url_error","There was an error when trying to build the Link User URL.",e),this.name="BuildLinkUserUrlError"}},ta=class extends Zi{constructor(e){super("build_unlink_user_url_error","There was an error when trying to build the Unlink User URL.",e),this.name="BuildUnlinkUserUrlError"}},na=class extends Error{constructor(){super("The client secret or client assertion signing key must be provided."),s(this,"code","missing_client_auth_error"),this.name="MissingClientAuthError"}};function oa(e){return Object.entries(e).filter(e=>{let[,t]=e;return void 0!==t}).reduce((e,t)=>u(u({},e),{},{[t[0]]:t[1]}),{})}var ra=class extends Error{constructor(e,t,n){super(t),s(this,"cause",void 0),s(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},ia=class extends ra{constructor(e,t){super("mfa_list_authenticators_error",e,t),this.name="MfaListAuthenticatorsError"}},aa=class extends ra{constructor(e,t){super("mfa_enrollment_error",e,t),this.name="MfaEnrollmentError"}},sa=class extends ra{constructor(e,t){super("mfa_delete_authenticator_error",e,t),this.name="MfaDeleteAuthenticatorError"}},ca=class extends ra{constructor(e,t){super("mfa_challenge_error",e,t),this.name="MfaChallengeError"}};function ua(e){return{id:e.id,authenticatorType:e.authenticator_type,active:e.active,name:e.name,oobChannels:e.oob_channels,type:e.type}}var la=(Ai=new WeakMap,Ii=new WeakMap,xi=new WeakMap,class{constructor(e){var t;i(this,Ai,void 0),i(this,Ii,void 0),i(this,xi,void 0),a(Ai,this,"https://".concat(e.domain)),a(Ii,this,e.clientId),a(xi,this,null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)})}async listAuthenticators(e){const t="".concat(r(Ai,this),"/mfa/authenticators"),{mfaToken:n}=e,o=await r(xi,this).call(this,t,{method:"GET",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!o.ok){const e=await o.json();throw new ia(e.error_description||"Failed to list authenticators",e)}return(await o.json()).map(ua)}async enrollAuthenticator(e){const t="".concat(r(Ai,this),"/mfa/associate"),{mfaToken:n}=e,o=l(e,Ei),i={authenticator_types:o.authenticatorTypes};"oobChannels"in o&&(i.oob_channels=o.oobChannels),"phoneNumber"in o&&o.phoneNumber&&(i.phone_number=o.phoneNumber),"email"in o&&o.email&&(i.email=o.email);const a=await r(xi,this).call(this,t,{method:"POST",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"},body:JSON.stringify(i)});if(!a.ok){const e=await a.json();throw new aa(e.error_description||"Failed to enroll authenticator",e)}return function(e){if("otp"===e.authenticator_type)return{authenticatorType:"otp",secret:e.secret,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes,id:e.id};if("oob"===e.authenticator_type)return{authenticatorType:"oob",oobChannel:e.oob_channel,oobCode:e.oob_code,bindingMethod:e.binding_method,id:e.id,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes};throw new Error("Unexpected authenticator type: ".concat(e.authenticator_type))}(await a.json())}async deleteAuthenticator(e){const{authenticatorId:t,mfaToken:n}=e,o="".concat(r(Ai,this),"/mfa/authenticators/").concat(encodeURIComponent(t)),i=await r(xi,this).call(this,o,{method:"DELETE",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!i.ok){const e=await i.json();throw new sa(e.error_description||"Failed to delete authenticator",e)}}async challengeAuthenticator(e){const t="".concat(r(Ai,this),"/mfa/challenge"),{mfaToken:n}=e,o=l(e,Pi),i={mfa_token:n,client_id:r(Ii,this),challenge_type:o.challengeType};o.authenticatorId&&(i.authenticator_id=o.authenticatorId);const a=await r(xi,this).call(this,t,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(i)});if(!a.ok){const e=await a.json();throw new ca(e.error_description||"Failed to challenge authenticator",e)}return function(e){const t={challengeType:e.challenge_type};return void 0!==e.oob_code&&(t.oobCode=e.oob_code),void 0!==e.binding_method&&(t.bindingMethod=e.binding_method),t}(await a.json())}});var da=class e{constructor(e,t,n,o,r,i,a){s(this,"accessToken",void 0),s(this,"idToken",void 0),s(this,"refreshToken",void 0),s(this,"expiresAt",void 0),s(this,"scope",void 0),s(this,"claims",void 0),s(this,"authorizationDetails",void 0),s(this,"tokenType",void 0),s(this,"issuedTokenType",void 0),this.accessToken=e,this.idToken=n,this.refreshToken=o,this.expiresAt=t,this.scope=r,this.claims=i,this.authorizationDetails=a}static fromTokenEndpointResponse(t){const n=t.id_token?t.claims():void 0,o=new e(t.access_token,Math.floor(Date.now()/1e3)+Number(t.expires_in),t.id_token,t.refresh_token,t.scope,n,t.authorization_details);return o.tokenType=t.token_type,o.issuedTokenType=t.issued_token_type,o}},ha=(Ri=new WeakMap,Ci=new WeakMap,Oi=new WeakMap,class{constructor(e,t){i(this,Ri,new Map),i(this,Ci,void 0),i(this,Oi,void 0),a(Oi,this,Math.max(1,Math.floor(e))),a(Ci,this,Math.max(0,Math.floor(t)))}get(e){const t=r(Ri,this).get(e);if(t){if(!(Date.now()>=t.expiresAt))return r(Ri,this).delete(e),r(Ri,this).set(e,t),t.value;r(Ri,this).delete(e)}}set(e,t){for(r(Ri,this).has(e)&&r(Ri,this).delete(e),r(Ri,this).set(e,{value:t,expiresAt:Date.now()+r(Ci,this)});r(Ri,this).size>r(Oi,this);){const e=r(Ri,this).keys().next().value;if(void 0===e)break;r(Ri,this).delete(e)}}}),pa=new Map;function fa(e){return{ttlMs:1e3*("number"==typeof(null==e?void 0:e.ttl)?e.ttl:600),maxEntries:"number"==typeof(null==e?void 0:e.maxEntries)&&e.maxEntries>0?e.maxEntries:100}}var ma=class{static createDiscoveryCache(e){const t=(n=e.maxEntries,o=e.ttlMs,"".concat(n,":").concat(o));var n,o;let r=(i=t,pa.get(i));var i;return r||(r=new ha(e.maxEntries,e.ttlMs),pa.set(t,r)),r}static createJwksCache(){return{}}},ya="openid profile email offline_access",wa=Object.freeze(new Set(["grant_type","client_id","client_secret","client_assertion","client_assertion_type","subject_token","subject_token_type","requested_token_type","actor_token","actor_token_type","audience","aud","resource","resources","resource_indicator","scope","connection","login_hint","organization","assertion"]));function ga(e){if(null==e)throw new qi("subject_token is required");if("string"!=typeof e)throw new qi("subject_token must be a string");if(0===e.trim().length)throw new qi("subject_token cannot be blank or whitespace");if(e!==e.trim())throw new qi("subject_token must not include leading or trailing whitespace");if(/^bearer\s+/i.test(e))throw new qi("subject_token must not include the 'Bearer ' prefix")}function va(e,t){if(t)for(const[n,o]of Object.entries(t))if(!wa.has(n))if(Array.isArray(o)){if(o.length>20)throw new qi("Parameter '".concat(n,"' exceeds maximum array size of ").concat(20));o.forEach(t=>{e.append(n,t)})}else e.append(n,o)}var ba="urn:ietf:params:oauth:token-type:access_token",_a=(Wi=new WeakMap,Ki=new WeakMap,Ui=new WeakMap,Di=new WeakMap,Hi=new WeakMap,Li=new WeakMap,ji=new WeakMap,Mi=new WeakMap,Ni=new WeakMap,zi=new WeakSet,class{constructor(e){var t,n,c,l;if(function(e,t){o(e,t),t.add(e)}(this,zi),i(this,Wi,void 0),i(this,Ki,void 0),i(this,Ui,void 0),i(this,Di,void 0),i(this,Hi,void 0),i(this,Li,void 0),i(this,ji,void 0),i(this,Mi,void 0),i(this,Ni,void 0),s(this,"mfa",void 0),a(Di,this,e),e.useMtls&&!e.customFetch)throw new Ji("mtls_without_custom_fetch_not_supported","Using mTLS without a custom fetch implementation is not supported");a(Hi,this,function(e,t){if(!1===t.enabled)return e;const n={name:t.name,version:t.version},o=btoa(JSON.stringify(n));return async(t,n)=>{const r=t instanceof Request?new Headers(t.headers):new Headers;return null!=n&&n.headers&&new Headers(n.headers).forEach((e,t)=>{r.set(t,e)}),r.set("Auth0-Client",o),e(t,u(u({},n),{},{headers:r}))}}(null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)},!1===(null==(n=e.telemetry)?void 0:n.enabled)?n:{enabled:!0,name:null!==(c=null==n?void 0:n.name)&&void 0!==c?c:"@auth0/auth0-auth-js",version:null!==(l=null==n?void 0:n.version)&&void 0!==l?l:"1.6.0"}));const d=fa(e.discoveryCache);a(ji,this,ma.createDiscoveryCache(d)),a(Mi,this,new Map),a(Ni,this,ma.createJwksCache()),this.mfa=new la({domain:r(Di,this).domain,clientId:r(Di,this).clientId,customFetch:r(Hi,this)})}async getServerMetadata(){const{serverMetadata:e}=await t(zi,this,Ta).call(this);return e}async buildAuthorizationUrl(e){const{serverMetadata:n}=await t(zi,this,Ta).call(this);if(null!=e&&e.pushedAuthorizationRequests&&!n.pushed_authorization_request_endpoint)throw new Ji("par_not_supported_error","The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");try{return await t(zi,this,Ia).call(this,e)}catch(e){throw new $i(e)}}async buildLinkUserUrl(e){try{const n=await t(zi,this,Ia).call(this,{authorizationParams:u(u({},e.authorizationParams),{},{requested_connection:e.connection,requested_connection_scope:e.connectionScope,scope:"openid link_account offline_access",id_token_hint:e.idToken})});return{linkUserUrl:n.authorizationUrl,codeVerifier:n.codeVerifier}}catch(e){throw new ea(e)}}async buildUnlinkUserUrl(e){try{const n=await t(zi,this,Ia).call(this,{authorizationParams:u(u({},e.authorizationParams),{},{requested_connection:e.connection,scope:"openid unlink_account",id_token_hint:e.idToken})});return{unlinkUserUrl:n.authorizationUrl,codeVerifier:n.codeVerifier}}catch(e){throw new ta(e)}}async backchannelAuthentication(e){const{configuration:n,serverMetadata:o}=await t(zi,this,Ta).call(this),i=oa(u(u({},r(Di,this).authorizationParams),null==e?void 0:e.authorizationParams)),a=new URLSearchParams(u(u({scope:ya},i),{},{client_id:r(Di,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:o.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&a.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&a.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Hr(n,a),t=await Lr(n,e);return da.fromTokenEndpointResponse(t)}catch(e){throw new Qi(e)}}async initiateBackchannelAuthentication(e){const{configuration:n,serverMetadata:o}=await t(zi,this,Ta).call(this),i=oa(u(u({},r(Di,this).authorizationParams),null==e?void 0:e.authorizationParams)),a=new URLSearchParams(u(u({scope:ya},i),{},{client_id:r(Di,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:o.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&a.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&a.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Hr(n,a);return{authReqId:e.auth_req_id,expiresIn:e.expires_in,interval:e.interval}}catch(e){throw new Qi(e)}}async backchannelAuthenticationGrant(e){let{authReqId:n}=e;const{configuration:o}=await t(zi,this,Ta).call(this),r=new URLSearchParams({auth_req_id:n});try{const e=await Yr(o,"urn:openid:params:grant-type:ciba",r);return da.fromTokenEndpointResponse(e)}catch(e){throw new Qi(e)}}async getTokenForConnection(e){var t;if(e.refreshToken&&e.accessToken)throw new Yi("Either a refresh or access token should be specified, but not both.");const n=null!==(t=e.accessToken)&&void 0!==t?t:e.refreshToken;if(!n)throw new Yi("Either a refresh or access token must be specified.");try{return await this.exchangeToken({connection:e.connection,subjectToken:n,subjectTokenType:e.accessToken?ba:"urn:ietf:params:oauth:token-type:refresh_token",loginHint:e.loginHint})}catch(e){if(e instanceof qi)throw new Yi(e.message,e.cause);throw e}}async exchangeToken(e){return"connection"in e?t(zi,this,Ea).call(this,e):t(zi,this,Pa).call(this,e)}async getTokenByCode(e,n){const{configuration:o}=await t(zi,this,Ta).call(this);try{const t=await Mr(o,e,{pkceCodeVerifier:n.codeVerifier});return da.fromTokenEndpointResponse(t)}catch(e){throw new Vi("There was an error while trying to request a token.",e)}}async getTokenByRefreshToken(e){const{configuration:n}=await t(zi,this,Ta).call(this),o=new URLSearchParams;e.audience&&o.append("audience",e.audience),e.scope&&o.append("scope",e.scope);try{const t=await Nr(n,e.refreshToken,o);return da.fromTokenEndpointResponse(t)}catch(e){throw new Gi("The access token has expired and there was an error while trying to refresh it.",e)}}async getTokenByPassword(e){const{configuration:n}=await t(zi,this,Ta).call(this),o=new URLSearchParams({username:e.username,password:e.password});e.audience&&o.append("audience",e.audience),e.scope&&o.append("scope",e.scope),e.realm&&o.append("realm",e.realm);let i=n;if(e.auth0ForwardedFor){const o=await t(zi,this,Aa).call(this);i=new Wr(n.serverMetadata(),r(Di,this).clientId,r(Di,this).clientSecret,o),i[kr]=(t,n)=>r(Hi,this).call(this,t,u(u({},n),{},{headers:u(u({},n.headers),{},{"auth0-forwarded-for":e.auth0ForwardedFor})}))}try{const e=await Yr(i,"password",o);return da.fromTokenEndpointResponse(e)}catch(e){throw new Fi("There was an error while trying to request a token.",e)}}async getTokenByClientCredentials(e){const{configuration:n}=await t(zi,this,Ta).call(this);try{const t=new URLSearchParams({audience:e.audience});e.organization&&t.append("organization",e.organization);const o=await zr(n,t);return da.fromTokenEndpointResponse(o)}catch(e){throw new Xi("There was an error while trying to request a token.",e)}}async buildLogoutUrl(e){const{configuration:n,serverMetadata:o}=await t(zi,this,Ta).call(this);if(!o.end_session_endpoint){const t=new URL("https://".concat(r(Di,this).domain,"/v2/logout"));return t.searchParams.set("returnTo",e.returnTo),t.searchParams.set("client_id",r(Di,this).clientId),t}return function(e,t){Vr(e);const{as:n,c:o,tlsOnly:r}=gr(e),i=gn(n,"end_session_endpoint",!1,r);(t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id);for(const[e,n]of t.entries())i.searchParams.append(e,n);return i}(n,{post_logout_redirect_uri:e.returnTo})}async verifyLogoutToken(e){const{serverMetadata:n}=await t(zi,this,Ta).call(this),o=fa(r(Di,this).discoveryCache),i=n.jwks_uri;r(Li,this)||a(Li,this,function(e,t){const n=new Ti(e,t),o=async(e,t)=>n.getKey(e,t);return Object.defineProperties(o,{coolingDown:{get:()=>n.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>n.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>n.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>n.pendingFetch(),enumerable:!0,configurable:!1},jwks:{value:()=>n.jwks(),enumerable:!0,configurable:!1,writable:!1}}),o}(new URL(i),{cacheMaxAge:o.ttlMs,[hi]:r(Hi,this),[pi]:r(Ni,this)}));const{payload:s}=await ni(e.logoutToken,r(Li,this),{issuer:n.issuer,audience:r(Di,this).clientId,algorithms:["RS256"],requiredClaims:["iat"]});if(!("sid"in s)&&!("sub"in s))throw new Bi('either "sid" or "sub" (or both) claims must be present');if("sid"in s&&"string"!=typeof s.sid)throw new Bi('"sid" claim must be a string');if("sub"in s&&"string"!=typeof s.sub)throw new Bi('"sub" claim must be a string');if("nonce"in s)throw new Bi('"nonce" claim is prohibited');if(!("events"in s))throw new Bi('"events" claim is missing');if("object"!=typeof s.events||null===s.events)throw new Bi('"events" claim must be an object');if(!("http://schemas.openid.net/event/backchannel-logout"in s.events))throw new Bi('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');if("object"!=typeof s.events["http://schemas.openid.net/event/backchannel-logout"])throw new Bi('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');return{sid:s.sid,sub:s.sub}}});function ka(){const e=r(Di,this).domain.toLowerCase();return"".concat(e,"|mtls:").concat(r(Di,this).useMtls?"1":"0")}async function Sa(e){const n=await t(zi,this,Aa).call(this),o=new Wr(e,r(Di,this).clientId,r(Di,this).clientSecret,n);return o[kr]=r(Hi,this),o}async function Ta(){if(r(Wi,this)&&r(Ki,this))return{configuration:r(Wi,this),serverMetadata:r(Ki,this)};const e=t(zi,this,ka).call(this),n=r(ji,this).get(e);if(n)return a(Ki,this,n.serverMetadata),a(Wi,this,await t(zi,this,Sa).call(this,n.serverMetadata)),{configuration:r(Wi,this),serverMetadata:r(Ki,this)};const o=r(Mi,this).get(e);if(o){const e=await o;return a(Ki,this,e.serverMetadata),a(Wi,this,await t(zi,this,Sa).call(this,e.serverMetadata)),{configuration:r(Wi,this),serverMetadata:r(Ki,this)}}const i=(async()=>{const n=await t(zi,this,Aa).call(this),o=await Cr(new URL("https://".concat(r(Di,this).domain)),r(Di,this).clientId,{use_mtls_endpoint_aliases:r(Di,this).useMtls},n,{[kr]:r(Hi,this)}),i=o.serverMetadata();return r(ji,this).set(e,{serverMetadata:i}),{configuration:o,serverMetadata:i}})(),s=i.then(e=>{let{serverMetadata:t}=e;return{serverMetadata:t}});s.catch(()=>{}),r(Mi,this).set(e,s);try{const{configuration:e,serverMetadata:t}=await i;a(Wi,this,e),a(Ki,this,t),r(Wi,this)[kr]=r(Hi,this)}finally{r(Mi,this).delete(e)}return{configuration:r(Wi,this),serverMetadata:r(Ki,this)}}async function Ea(e){var n,o;const{configuration:r}=await t(zi,this,Ta).call(this);if("audience"in e||"resource"in e)throw new qi("audience and resource parameters are not supported for Token Vault exchanges");ga(e.subjectToken);const i=new URLSearchParams({connection:e.connection,subject_token:e.subjectToken,subject_token_type:null!==(n=e.subjectTokenType)&&void 0!==n?n:ba,requested_token_type:null!==(o=e.requestedTokenType)&&void 0!==o?o:"http://auth0.com/oauth/token-type/federated-connection-access-token"});e.loginHint&&i.append("login_hint",e.loginHint),e.scope&&i.append("scope",e.scope),va(i,e.extra);try{const e=await Yr(r,"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",i);return da.fromTokenEndpointResponse(e)}catch(t){throw new qi("Failed to exchange token for connection '".concat(e.connection,"'."),t)}}async function Pa(e){const{configuration:n}=await t(zi,this,Ta).call(this);ga(e.subjectToken);const o=new URLSearchParams({subject_token_type:e.subjectTokenType,subject_token:e.subjectToken});e.audience&&o.append("audience",e.audience),e.scope&&o.append("scope",e.scope),e.requestedTokenType&&o.append("requested_token_type",e.requestedTokenType),e.organization&&o.append("organization",e.organization),va(o,e.extra);try{const e=await Yr(n,"urn:ietf:params:oauth:grant-type:token-exchange",o);return da.fromTokenEndpointResponse(e)}catch(t){throw new qi("Failed to exchange token of type '".concat(e.subjectTokenType,"'").concat(e.audience?" for audience '".concat(e.audience,"'"):"","."),t)}}async function Aa(){return r(Ui,this)||a(Ui,this,(async()=>{if(!r(Di,this).clientSecret&&!r(Di,this).clientAssertionSigningKey&&!r(Di,this).useMtls)throw new na;if(r(Di,this).useMtls)return(e,t,n,o)=>{n.set("client_id",t.client_id)};let e=r(Di,this).clientAssertionSigningKey;return!e||e instanceof CryptoKey||(e=await async function(e,t,n){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return lr(e,t,n)}(e,r(Di,this).clientAssertionSigningAlg||"RS256")),e?function(e,t){return fn(e,t)}(e):_r(r(Di,this).clientSecret)})().catch(e=>{throw a(Ui,this,void 0),e})),r(Ui,this)}async function Ia(e){const{configuration:n}=await t(zi,this,Ta).call(this),o=Ar(),i=await Pr(o),a=oa(u(u({},r(Di,this).authorizationParams),null==e?void 0:e.authorizationParams)),s=new URLSearchParams(u(u({scope:ya},a),{},{client_id:r(Di,this).clientId,code_challenge:i,code_challenge_method:"S256"}));return{authorizationUrl:null!=e&&e.pushedAuthorizationRequests?await Zr(n,s):await Jr(n,s),codeVerifier:o}}class xa extends g{constructor(e,t){super(e,t),Object.setPrototypeOf(this,xa.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new xa(t,n)}}class Ra extends xa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Ra.prototype)}}class Ca extends xa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Ca.prototype)}}class Oa extends xa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Oa.prototype)}}class Wa extends xa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Wa.prototype)}}class Ka extends xa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Ka.prototype)}}class Ua{constructor(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:6e5;s(this,"contexts",new Map),s(this,"ttlMs",void 0),this.ttlMs=e}set(e,t){this.cleanup(),this.contexts.set(e,u(u({},t),{},{createdAt:Date.now()}))}get(e){const t=this.contexts.get(e);if(t){if(!(Date.now()-t.createdAt>this.ttlMs))return t;this.contexts.delete(e)}}remove(e){this.contexts.delete(e)}cleanup(){const e=Date.now();for(const[t,n]of this.contexts)e-n.createdAt>this.ttlMs&&this.contexts.delete(t)}get size(){return this.contexts.size}}class Da{constructor(e,t){s(this,"authJsMfaClient",void 0),s(this,"auth0Client",void 0),s(this,"contextManager",void 0),this.authJsMfaClient=e,this.auth0Client=t,this.contextManager=new Ua}setMFAAuthDetails(e,t,n,o){this.contextManager.set(e,{scope:t,audience:n,mfaRequirements:o})}async getAuthenticators(e){var t;const n=this.contextManager.get(e);if(null==n||null===(t=n.mfaRequirements)||void 0===t||!t.challenge||0===n.mfaRequirements.challenge.length)throw new Ra("invalid_request","challengeType is required and must contain at least one challenge type, please check mfa_required error payload");const o=n.mfaRequirements.challenge.map(e=>e.type);try{return(await this.authJsMfaClient.listAuthenticators({mfaToken:e})).filter(e=>!!e.type&&o.includes(e.type))}catch(e){var r;if(e instanceof ia)throw new Ra(null===(r=e.cause)||void 0===r?void 0:r.error,e.message);throw e}}async enroll(e){const t=function(e){const t=Tt[e.factorType];return u(u(u({mfaToken:e.mfaToken,authenticatorTypes:t.authenticatorTypes},t.oobChannels&&{oobChannels:t.oobChannels}),"phoneNumber"in e&&{phoneNumber:e.phoneNumber}),"email"in e&&{email:e.email})}(e);try{return await this.authJsMfaClient.enrollAuthenticator(t)}catch(e){var n;if(e instanceof aa)throw new Ca(null===(n=e.cause)||void 0===n?void 0:n.error,e.message);throw e}}async challenge(e){try{const t={challengeType:e.challengeType,mfaToken:e.mfaToken};return e.authenticatorId&&(t.authenticatorId=e.authenticatorId),await this.authJsMfaClient.challengeAuthenticator(t)}catch(e){var t;if(e instanceof ca)throw new Oa(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async getEnrollmentFactors(e){const t=this.contextManager.get(e);if(!t||!t.mfaRequirements)throw new Ka("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");return t.mfaRequirements.enroll&&0!==t.mfaRequirements.enroll.length?t.mfaRequirements.enroll:[]}async verify(e){const t=this.contextManager.get(e.mfaToken);if(!t)throw new Wa("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");const n=function(e){return"otp"in e&&e.otp?Et:"oobCode"in e&&e.oobCode?Pt:"recoveryCode"in e&&e.recoveryCode?At:void 0}(e);if(!n)throw new Wa("invalid_request","Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");const o=t.scope,r=t.audience;try{const t=await this.auth0Client._requestTokenForMfa({grant_type:n,mfaToken:e.mfaToken,scope:o,audience:r,otp:e.otp,oob_code:e.oobCode,binding_code:e.bindingCode,recovery_code:e.recoveryCode});return this.contextManager.remove(e.mfaToken),t}catch(e){if(e instanceof E)this.setMFAAuthDetails(e.mfa_token,o,r,e.mfa_requirements);else if(e instanceof Wa)throw new Wa(e.error,e.error_description);throw e}}}const Ha=["openUrl","fragment","appState"],La=["url"],ja=["cacheMode"],Ma=["federated"],Na=["openUrl"],za=["id_token","decodedToken"],Ja=["mfaToken"];class Za{constructor(e){let t,n;if(s(this,"transactionManager",void 0),s(this,"cacheManager",void 0),s(this,"lockManager",void 0),s(this,"domainUrl",void 0),s(this,"tokenIssuer",void 0),s(this,"scope",void 0),s(this,"cookieStorage",void 0),s(this,"dpop",void 0),s(this,"sessionCheckExpiryDays",void 0),s(this,"orgHintCookieName",void 0),s(this,"isAuthenticatedCookieName",void 0),s(this,"nowProvider",void 0),s(this,"httpTimeoutMs",void 0),s(this,"options",void 0),s(this,"userCache",(new He).enclosedCache),s(this,"myAccountApi",void 0),s(this,"mfa",void 0),s(this,"worker",void 0),s(this,"authJsClient",void 0),s(this,"defaultOptions",{authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:!1,useFormData:!0}),this.options=u(u(u({},this.defaultOptions),e),{},{authorizationParams:u(u({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!C())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===C().subtle)throw new Error("\n      auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n    ")})(),this.lockManager=(oe||(oe=ne()),oe),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)n=e.cache;else{if(t=e.cacheLocation||f,!ft(t))throw new Error('Invalid cache location "'.concat(t,'"'));n=ft(t)()}var o;this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:1e4,this.cookieStorage=!1===e.legacySameSiteCookie?Be:$e,this.orgHintCookieName=(o=this.options.clientId,"auth0.".concat(o,".organization_hint")),this.isAuthenticatedCookieName=(e=>"auth0.".concat(e,".is.authenticated"))(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const r=e.useCookiesForTransactions?this.cookieStorage:et;var i;this.scope=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if("object"!=typeof e)return{[w]:Ce(t,e,...o)};let i={[w]:Ce(t,...o)};return Object.keys(e).forEach(n=>{const r=e[n];i[n]=Ce(t,r,...o)}),i}(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new je(r,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||y,this.cacheManager=new Le(n,n.allKeys?void 0:new lt(n,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new vt(this.options.clientId):void 0,this.domainUrl=(i=this.options.domain,/^https?:\/\//.test(i)?i:"https://".concat(i)),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:"https://".concat(e,"/"):"".concat(t,"/"))(this.options.issuer,this.domainUrl);const a="".concat(this.domainUrl,"/me/"),c=this.createFetcher(u(u({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{},{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:a},detailedResponse:!0})}));this.myAccountApi=new kt(c,a),this.authJsClient=new _a({domain:this.options.domain,clientId:this.options.clientId}),this.mfa=new Da(this.authJsClient.mfa,this),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&t===f&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new ct,this.worker.postMessage({type:"init",allowedBaseUrl:this.domainUrl}))}getConfiguration(){return Object.freeze({domain:this.options.domain,clientId:this.options.clientId})}_url(e){const t=this.options.auth0Client||m,n=U(t,!0),o=encodeURIComponent(btoa(JSON.stringify(n)));return"".concat(this.domainUrl).concat(e,"&auth0Client=").concat(o)}_authorizeUrl(e){return this._url("/authorize?".concat(D(e)))}async _verifyIdToken(e,t,n){const o=await this.nowProvider();return ze({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:n,leeway:this.options.leeway,max_age:(r=this.options.authorizationParams.max_age,"string"!=typeof r?r:parseInt(r,10)||void 0),now:o});var r}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain})}_extractSessionTransferToken(e){return new URLSearchParams(window.location.search).get(e)||void 0}_clearSessionTransferTokenFromUrl(e){try{const t=new URL(window.location.href);t.searchParams.has(e)&&(t.searchParams.delete(e),window.history.replaceState({},"",t.toString()))}catch(e){}}_applySessionTransferToken(e){const t=this.options.sessionTransferTokenQueryParamName;if(!t||e.session_transfer_token)return e;const n=this._extractSessionTransferToken(t);return n?(this._clearSessionTransferTokenFromUrl(t),u(u({},e),{},{session_transfer_token:n})):e}async _prepareAuthorizeUrl(e,t,n){var o;const r=W(O()),i=W(O()),a=O(),s=await H(a),c=j(s),l=await(null===(o=this.dpop)||void 0===o?void 0:o.calculateThumbprint()),d=((e,t,n,o,r,i,a,s,c)=>u(u(u({client_id:e.clientId},e.authorizationParams),n),{},{scope:Oe(t,n.scope,n.audience),response_type:"code",response_mode:s||"query",state:o,nonce:r,redirect_uri:a||e.authorizationParams.redirect_uri,code_challenge:i,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,r,i,c,e.redirect_uri||this.options.authorizationParams.redirect_uri||n,null==t?void 0:t.response_mode,l),h=this._authorizeUrl(d);return{nonce:i,code_verifier:a,scope:d.scope,audience:d.audience||w,redirect_uri:d.redirect_uri,state:r,url:h}}async loginWithPopup(e,t){var n;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,n=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup","left=".concat(t,",top=").concat(n,",width=").concat(400,",height=").concat(600,",resizable,scrollbars=yes,status=1"))})(""),!t.popup))throw new T;const o=this._applySessionTransferToken(e.authorizationParams||{}),r=await this._prepareAuthorizeUrl(o,{response_mode:"web_message"},window.location.origin);t.popup.location.href=r.url;const i=await((e,t)=>new Promise((n,o)=>{let r;const i=setInterval(()=>{e.popup&&e.popup.closed&&(clearInterval(i),clearTimeout(a),window.removeEventListener("message",r,!1),o(new S(e.popup)))},1e3),a=setTimeout(()=>{clearInterval(i),o(new k(e.popup)),window.removeEventListener("message",r,!1)},1e3*(e.timeoutInSeconds||60));r=function(s){if(s.origin===t&&s.data&&"authorization_response"===s.data.type){if(clearTimeout(a),clearInterval(i),window.removeEventListener("message",r,!1),!1!==e.closePopup&&e.popup.close(),s.data.response.error)return o(g.fromPayload(s.data.response));n(s.data.response)}},window.addEventListener("message",r)}))(u(u({},t),{},{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}),new URL(r.url).origin);if(r.state!==i.state)throw new g("state_mismatch","Invalid state");const a=(null===(n=e.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:r.audience,scope:r.scope,code_verifier:r.code_verifier,grant_type:"authorization_code",code:i.code,redirect_uri:r.redirect_uri},{nonceIn:r.nonce,organization:a})}async getUser(){var e;const t=await this._getIdTokenFromCache();return null==t||null===(e=t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null==t||null===(e=t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(){var e;const t=mt(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),{openUrl:n,fragment:o,appState:r}=t,i=l(t,Ha),a=(null===(e=i.authorizationParams)||void 0===e?void 0:e.organization)||this.options.authorizationParams.organization,s=this._applySessionTransferToken(i.authorizationParams||{}),c=await this._prepareAuthorizeUrl(s),{url:d}=c,h=l(c,La);this.transactionManager.create(u(u({},h),{},{appState:r,response_type:tt.Code},a&&{organization:a}));const p=o?"".concat(d,"#").concat(o):d;n?await n(p):window.location.assign(p)}async handleRedirectCallback(){const e=(arguments.length>0&&void 0!==arguments[0]?arguments[0]:window.location.href).split("?").slice(1);if(0===e.length)throw new Error("There are no query params available for parsing.");const t=this.transactionManager.get();if(!t)throw new g("missing_transaction","Invalid state");this.transactionManager.remove();const n=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return{state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(e.join(""));return t.response_type===tt.ConnectCode?this._handleConnectAccountRedirectCallback(n,t):this._handleLoginRedirectCallback(n,t)}async _handleLoginRedirectCallback(e,t){const{code:n,state:o,error:r,error_description:i}=e;if(r)throw new v(r,i||r,o,t.appState);if(!t.code_verifier||t.state&&t.state!==o)throw new g("state_mismatch","Invalid state");const a=t.organization,s=t.nonce,c=t.redirect_uri;return await this._requestToken(u({audience:t.audience,scope:t.scope,code_verifier:t.code_verifier,grant_type:"authorization_code",code:n},c?{redirect_uri:c}:{}),{nonceIn:s,organization:a}),{appState:t.appState,response_type:tt.Code}}async _handleConnectAccountRedirectCallback(e,t){const{connect_code:n,state:o,error:r,error_description:i}=e;if(r)throw new b(r,i||r,t.connection,o,t.appState);if(!n)throw new g("missing_connect_code","Missing connect code");if(!(t.code_verifier&&t.state&&t.auth_session&&t.redirect_uri&&t.state===o))throw new g("state_mismatch","Invalid state");return u(u({},await this.myAccountApi.completeAccount({auth_session:t.auth_session,connect_code:n,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier})),{},{appState:t.appState,response_type:tt.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get(ht))return;this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(ht)}try{await this.getTokenSilently(e)}catch(e){}}async getTokenSilently(){var e,t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};const o=u(u({cacheMode:"on"},n),{},{authorizationParams:u(u(u({},this.options.authorizationParams),n.authorizationParams),{},{scope:Oe(this.scope,null===(e=n.authorizationParams)||void 0===e?void 0:e.scope,(null===(t=n.authorizationParams)||void 0===t?void 0:t.audience)||this.options.authorizationParams.audience)})}),r=await((e,t)=>{let n=ut[t];return n||(n=e().finally(()=>{delete ut[t],n=null}),ut[t]=n),n})(()=>this._getTokenSilently(o),"".concat(this.options.clientId,"::").concat(o.authorizationParams.audience,"::").concat(o.authorizationParams.scope));return n.detailedResponse?r:null==r?void 0:r.access_token}async _getTokenSilently(e){const{cacheMode:t}=e,n=l(e,ja);if("off"!==t){const e=await this._getEntryFromCache({scope:n.authorizationParams.scope,audience:n.authorizationParams.audience||w,clientId:this.options.clientId,cacheMode:t});if(e)return e}if("cache-only"===t)return;const o=(r=this.options.clientId,i=n.authorizationParams.audience||"default","".concat("auth0.lock.getTokenSilently",".").concat(r,".").concat(i));var r,i;try{return await this.lockManager.runWithLock(o,5e3,async()=>{if("off"!==t){const e=await this._getEntryFromCache({scope:n.authorizationParams.scope,audience:n.authorizationParams.audience||w,clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(n):await this._getTokenFromIFrame(n),{id_token:o,token_type:r,access_token:i,oauthTokenScope:a,expires_in:s}=e;return u(u({id_token:o,token_type:r,access_token:i},a?{scope:a}:null),{},{expires_in:s})})}catch(e){if(this._isInteractiveError(e)&&"popup"===this.options.interactiveErrorHandler)return await this._handleInteractiveErrorWithPopup(n);throw e}}_isInteractiveError(e){return e instanceof E||e instanceof g&&this._isIframeMfaError(e)}_isIframeMfaError(e){return"login_required"===e.error&&"Multifactor authentication required"===e.error_description}async _handleInteractiveErrorWithPopup(e){try{await this.loginWithPopup({authorizationParams:e.authorizationParams});const t=await this._getEntryFromCache({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||w,clientId:this.options.clientId});if(!t)throw new g("interactive_handler_cache_miss","Token not found in cache after interactive authentication");return t}catch(e){throw e}}async getTokenWithPopup(){var e,t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{},o=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{};const r=u(u({},n),{},{authorizationParams:u(u(u({},this.options.authorizationParams),n.authorizationParams),{},{scope:Oe(this.scope,null===(e=n.authorizationParams)||void 0===e?void 0:e.scope,(null===(t=n.authorizationParams)||void 0===t?void 0:t.audience)||this.options.authorizationParams.audience)})});o=u(u({},p),o),await this.loginWithPopup(r,o);return(await this.cacheManager.get(new Ue({scope:r.authorizationParams.scope,audience:r.authorizationParams.audience||w,clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return!!await this.getUser()}_buildLogoutUrl(e){null!==e.clientId?e.clientId=e.clientId||this.options.clientId:delete e.clientId;const t=e.logoutParams||{},{federated:n}=t,o=l(t,Ma),r=n?"&federated":"";return this._url("/v2/logout?".concat(D(u({clientId:e.clientId},o))))+r}async logout(){var e;let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};const n=mt(t),{openUrl:o}=n,r=l(n,Na);null===t.clientId?await this.cacheManager.clear():await this.cacheManager.clear(t.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove(Ke),await(null===(e=this.dpop)||void 0===e?void 0:e.clear());const i=this._buildLogoutUrl(r);o?await o(i):!1!==o&&window.location.assign(i)}async _getTokenFromIFrame(e){const t=(n=this.options.clientId,"".concat("auth0.lock.getTokenFromIFrame",".").concat(n));var n;try{return await this.lockManager.runWithLock(t,5e3,async()=>{const t=u(u({},e.authorizationParams),{},{prompt:"none"}),n=this.cookieStorage.get(this.orgHintCookieName);n&&!t.organization&&(t.organization=n);const{url:o,state:r,nonce:i,code_verifier:a,redirect_uri:s,scope:c,audience:l}=await this._prepareAuthorizeUrl(t,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new g("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const d=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let h;try{h=new URL(this.domainUrl).origin}catch(e){h=this.domainUrl}const p=await function(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:60;return new Promise((o,r)=>{const i=window.document.createElement("iframe");i.setAttribute("width","0"),i.setAttribute("height","0"),i.style.display="none";const a=()=>{window.document.body.contains(i)&&(window.document.body.removeChild(i),window.removeEventListener("message",s,!1))};let s;const c=setTimeout(()=>{r(new _),a()},1e3*n);s=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const n=e.source;n&&n.close(),e.data.response.error?r(g.fromPayload(e.data.response)):o(e.data.response),clearTimeout(c),window.removeEventListener("message",s,!1),setTimeout(a,2e3)},window.addEventListener("message",s,!1),window.document.body.appendChild(i),i.setAttribute("src",e)})}(o,h,d);if(r!==p.state)throw new g("state_mismatch","Invalid state");const f=await this._requestToken(u(u({},e.authorizationParams),{},{code_verifier:a,code:p.code,grant_type:"authorization_code",redirect_uri:s,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:i,organization:t.organization});return u(u({},f),{},{scope:c,oauthTokenScope:f.scope,audience:l})})}catch(e){if("login_required"===e.error){e instanceof g&&this._isIframeMfaError(e)&&"popup"===this.options.interactiveErrorHandler||this.logout({openUrl:!1})}throw e}}async _getTokenUsingRefreshToken(e){const t=await this.cacheManager.get(new Ue({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||w,clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(t&&t.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new P(e.authorizationParams.audience||w,e.authorizationParams.scope)}const n=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,o="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,r=((e,t,n,o)=>{if(e&&n&&o){var r;if(t.audience!==n)return t.scope;const e=o.split(" "),i=(null===(r=t.scope)||void 0===r?void 0:r.split(" "))||[],a=i.every(t=>e.includes(t));return e.length>=i.length&&a?o:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==t?void 0:t.audience,null==t?void 0:t.scope);try{const i=await this._requestToken(u(u({},e.authorizationParams),{},{grant_type:"refresh_token",refresh_token:t&&t.refresh_token,redirect_uri:n},o&&{timeout:o}),{scopesToRequest:r});if(i.refresh_token&&null!=t&&t.refresh_token&&await this.cacheManager.updateEntry(t.refresh_token,i.refresh_token),this.options.useMrrt){if(s=null==t?void 0:t.audience,c=null==t?void 0:t.scope,l=e.authorizationParams.audience,d=e.authorizationParams.scope,s!==l||!yt(d,c)){if(!yt(r,i.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const t=((e,t)=>{const n=(null==e?void 0:e.split(" "))||[],o=(null==t?void 0:t.split(" "))||[];return n.filter(e=>-1==o.indexOf(e)).join(",")})(r,i.scope);throw new A(e.authorizationParams.audience||"default",t)}}}return u(u({},i),{},{scope:e.authorizationParams.scope,oauthTokenScope:i.scope,audience:e.authorizationParams.audience||w})}catch(t){if(t.message){if(t.message.includes("user is blocked"))throw await this.logout({openUrl:!1}),t;if((t.message.includes("Missing Refresh Token")||t.message.includes("invalid refresh token"))&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e)}var i,a;if(t instanceof E)this.mfa.setMFAAuthDetails(t.mfa_token,null===(i=e.authorizationParams)||void 0===i?void 0:i.scope,null===(a=e.authorizationParams)||void 0===a?void 0:a.audience,t.mfa_requirements);throw t}var s,c,l,d}async _saveEntryInCache(e){const{id_token:t,decodedToken:n}=e,o=l(e,za);this.userCache.set(Ke,{id_token:t,decodedToken:n}),await this.cacheManager.setIdToken(this.options.clientId,e.id_token,e.decodedToken),await this.cacheManager.set(o)}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||w,t=this.scope[e],n=await this.cacheManager.getIdToken(new Ue({clientId:this.options.clientId,audience:e,scope:t})),o=this.userCache.get(Ke);return n&&n.id_token===(null==o?void 0:o.id_token)?o:(this.userCache.set(Ke,n),n)}async _getEntryFromCache(e){let{scope:t,audience:n,clientId:o,cacheMode:r}=e;const i=await this.cacheManager.get(new Ue({scope:t,audience:n,clientId:o}),60,this.options.useMrrt,r);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:n,expires_in:o}=i,r=await this._getIdTokenFromCache();return r&&u(u({id_token:r.id_token,token_type:e||"Bearer",access_token:t},n?{scope:n}:null),{},{expires_in:o})}}async _requestToken(e,t){const{nonceIn:n,organization:o,scopesToRequest:r}=t||{},i=await Re(u(u({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{},{scope:r||e.scope}),this.worker),a=await this._verifyIdToken(i.id_token,n,o);if("authorization_code"===e.grant_type){var s;const e=await this._getIdTokenFromCache();null!=e&&null!==(s=e.decodedToken)&&void 0!==s&&null!==(s=s.claims)&&void 0!==s&&s.sub&&e.decodedToken.claims.sub!==a.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove(Ke))}return await this._saveEntryInCache(u(u(u({},i),{},{decodedToken:a,scope:e.scope,audience:e.audience||w},i.scope?{oauthTokenScope:i.scope}:null),{},{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(o||a.claims.org_id),u(u({},i),{},{decodedToken:a})}async loginWithCustomTokenExchange(e){return this._requestToken(u(u({},e),{},{grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:Oe(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization}))}async exchangeToken(e){return this.loginWithCustomTokenExchange(e)}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};return new _t(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null==e||null===(t=e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:!0})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(e){const{openUrl:t,appState:n,connection:o,scopes:r,authorization_params:i,redirectUri:a=this.options.authorizationParams.redirect_uri||window.location.origin}=e;if(!o)throw new Error("connection is required");const s=W(O()),c=O(),u=await H(c),l=j(u),{connect_uri:d,connect_params:h,auth_session:p}=await this.myAccountApi.connectAccount({connection:o,scopes:r,redirect_uri:a,state:s,code_challenge:l,code_challenge_method:"S256",authorization_params:i});this.transactionManager.create({state:s,code_verifier:c,auth_session:p,redirect_uri:a,appState:n,connection:o,response_type:tt.ConnectCode});const f=new URL(d);f.searchParams.set("ticket",h.ticket),t?await t(f.toString()):window.location.assign(f)}async _requestTokenForMfa(e,t){const{mfaToken:n}=e,o=l(e,Ja);return this._requestToken(u(u({},o),{},{mfa_token:n}),t)}}async function Va(e){const t=new Za(e);return await t.checkSession(),t}export{Za as Auth0Client,v as AuthenticationError,Ue as CacheKey,b as ConnectError,g as GenericError,He as InMemoryCache,De as LocalStorageCache,Da as MfaApiClient,Oa as MfaChallengeError,Ca as MfaEnrollmentError,Ka as MfaEnrollmentFactorsError,xa as MfaError,Ra as MfaListAuthenticatorsError,E as MfaRequiredError,Wa as MfaVerifyError,P as MissingRefreshTokenError,St as MyAccountApiError,S as PopupCancelledError,T as PopupOpenError,k as PopupTimeoutError,tt as ResponseType,_ as TimeoutError,I as UseDpopNonceError,nt as User,Va as createAuth0Client};
+function e(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]])}return n}"function"==typeof SuppressedError&&SuppressedError;const t={timeoutInSeconds:60},n=1e4,o="memory",r={name:"auth0-spa-js",version:"2.19.1"},i=()=>Date.now(),a="default";class s extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,s.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new s(t,n)}}class c extends s{constructor(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:null;super(e,t),this.state=n,this.appState=o,Object.setPrototypeOf(this,c.prototype)}}class u extends s{constructor(e,t,n,o){let r=arguments.length>4&&void 0!==arguments[4]?arguments[4]:null;super(e,t),this.connection=n,this.state=o,this.appState=r,Object.setPrototypeOf(this,u.prototype)}}class l extends s{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,l.prototype)}}class d extends l{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,d.prototype)}}class h extends s{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,h.prototype)}}class p extends s{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,p.prototype)}}class f extends s{constructor(e,t,n,o){super(e,t),this.mfa_token=n,this.mfa_requirements=o,Object.setPrototypeOf(this,f.prototype)}}class m extends s{constructor(e,t){super("missing_refresh_token","Missing Refresh Token (audience: '".concat(g(e,["default"]),"', scope: '").concat(g(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,m.prototype)}}class y extends s{constructor(e,t){super("missing_scopes","Missing requested scopes after refresh (audience: '".concat(g(e,["default"]),"', missing scope: '").concat(g(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,y.prototype)}}class w extends s{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,w.prototype)}}function g(e){return e&&!(arguments.length>1&&void 0!==arguments[1]?arguments[1]:[]).includes(e)?e:""}const v=()=>window.crypto,b=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";for(;t.length<43;){const n=v().getRandomValues(new Uint8Array(43-t.length));for(const o of n)t.length<43&&o<198&&(t+=e[o%66])}return t},_=e=>btoa(e),k=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],S=function(e){let t=arguments.length>1&&void 0!==arguments[1]&&arguments[1];return Object.keys(e).reduce((n,o)=>{if(t&&"env"===o)return n;const r=k.find(e=>e.key===o);return r&&r.type.includes(typeof e[o])&&(n[o]=e[o]),n},{})},T=t=>{var{clientId:n}=t,o=e(t,["clientId"]);return new URLSearchParams((e=>Object.keys(e).filter(t=>void 0!==e[t]).reduce((t,n)=>Object.assign(Object.assign({},t),{[n]:e[n]}),{}))(Object.assign({client_id:n},o))).toString()},E=async e=>{const t=v().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},P=e=>(e=>decodeURIComponent(atob(e).split("").map(e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2)).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),A=e=>{const t=new Uint8Array(e);return(e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,e=>t[e])})(window.btoa(String.fromCharCode(...Array.from(t))))};var R="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},x={},I={};Object.defineProperty(I,"__esModule",{value:!0});var O=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,n){var o=e.locked.get(t);void 0===o?void 0===n?e.locked.set(t,[]):e.locked.set(t,[n]):void 0!==n&&(o.unshift(n),e.locked.set(t,o))},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise(function(n,o){e.isLocked(t)?e.addToLocked(t,n):(e.addToLocked(t),n())})},this.unlock=function(t){var n=e.locked.get(t);if(void 0!==n&&0!==n.length){var o=n.pop();e.locked.set(t,n),void 0!==o&&setTimeout(o,0)}else e.locked.delete(t)}}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();I.default=function(){return O.getInstance()};var C=R&&R.__awaiter||function(e,t,n,o){return new(n||(n=Promise))(function(r,i){function a(e){try{c(o.next(e))}catch(e){i(e)}}function s(e){try{c(o.throw(e))}catch(e){i(e)}}function c(e){e.done?r(e.value):new n(function(t){t(e.value)}).then(a,s)}c((o=o.apply(e,t||[])).next())})},j=R&&R.__generator||function(e,t){var n,o,r,i,a={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function s(i){return function(s){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;a;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return a.label++,{value:i[1],done:!1};case 5:a.label++,o=i[1],i=[0];continue;case 7:i=a.ops.pop(),a.trys.pop();continue;default:if(!(r=a.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){a=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){a.label=i[1];break}if(6===i[0]&&a.label<r[1]){a.label=r[1],r=i;break}if(r&&a.label<r[2]){a.label=r[2],a.ops.push(i);break}r[2]&&a.ops.pop(),a.trys.pop();continue}i=t.call(e,a)}catch(e){i=[6,e],o=0}finally{n=r=0}if(5&i[0])throw i[1];return{value:i[0]?i[1]:void 0,done:!0}}([i,s])}}},W=R;Object.defineProperty(x,"__esModule",{value:!0});var K=I,U="browser-tabs-lock-key",D={key:function(e){return C(W,void 0,void 0,function(){return j(this,function(e){throw new Error("Unsupported")})})},getItem:function(e){return C(W,void 0,void 0,function(){return j(this,function(e){throw new Error("Unsupported")})})},clear:function(){return C(W,void 0,void 0,function(){return j(this,function(e){return[2,window.localStorage.clear()]})})},removeItem:function(e){return C(W,void 0,void 0,function(){return j(this,function(e){throw new Error("Unsupported")})})},setItem:function(e,t){return C(W,void 0,void 0,function(){return j(this,function(e){throw new Error("Unsupported")})})},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function N(e){return new Promise(function(t){return setTimeout(t,e)})}function L(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",n="",o=0;o<e;o++){n+=t[Math.floor(61*Math.random())]}return n}var z=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+L(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[])}return e.prototype.acquireLock=function(t,n){return void 0===n&&(n=5e3),C(this,void 0,void 0,function(){var o,r,i,a,s,c,u;return j(this,function(l){switch(l.label){case 0:o=Date.now()+L(4),r=Date.now()+n,i=U+"-"+t,a=void 0===this.storageHandler?D:this.storageHandler,l.label=1;case 1:return Date.now()<r?[4,N(30)]:[3,8];case 2:return l.sent(),null!==a.getItemSync(i)?[3,5]:(s=this.id+"-"+t+"-"+o,[4,N(Math.floor(25*Math.random()))]);case 3:return l.sent(),a.setItemSync(i,JSON.stringify({id:this.id,iat:o,timeoutKey:s,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,N(30)];case 4:return l.sent(),null!==(c=a.getItemSync(i))&&(u=JSON.parse(c)).id===this.id&&u.iat===o?(this.acquiredIatSet.add(o),this.refreshLockWhileAcquired(i,o),[2,!0]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?D:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:l.sent(),l.label=7;case 7:return o=Date.now()+L(4),[3,1];case 8:return[2,!1]}})})},e.prototype.refreshLockWhileAcquired=function(e,t){return C(this,void 0,void 0,function(){var n=this;return j(this,function(o){return setTimeout(function(){return C(n,void 0,void 0,function(){var n,o,r;return j(this,function(i){switch(i.label){case 0:return[4,K.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(n=void 0===this.storageHandler?D:this.storageHandler,null===(o=n.getItemSync(e))?(K.default().unlock(t),[2]):((r=JSON.parse(o)).timeRefreshed=Date.now(),n.setItemSync(e,JSON.stringify(r)),K.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(K.default().unlock(t),[2])}})})},1e3),[2]})})},e.prototype.waitForSomethingToChange=function(t){return C(this,void 0,void 0,function(){return j(this,function(n){switch(n.label){case 0:return[4,new Promise(function(n){var o=!1,r=Date.now(),i=!1;function a(){if(i||(window.removeEventListener("storage",a),e.removeFromWaiting(a),clearTimeout(s),i=!0),!o){o=!0;var t=50-(Date.now()-r);t>0?setTimeout(n,t):n(null)}}window.addEventListener("storage",a),e.addToWaiting(a);var s=setTimeout(a,Math.max(0,t-Date.now()))})];case 1:return n.sent(),[2]}})})},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t)},e.removeFromWaiting=function(t){void 0!==e.waiters&&(e.waiters=e.waiters.filter(function(e){return e!==t}))},e.notifyWaiters=function(){void 0!==e.waiters&&e.waiters.slice().forEach(function(e){return e()})},e.prototype.releaseLock=function(e){return C(this,void 0,void 0,function(){return j(this,function(t){switch(t.label){case 0:return[4,this.releaseLock__private__(e)];case 1:return[2,t.sent()]}})})},e.prototype.releaseLock__private__=function(t){return C(this,void 0,void 0,function(){var n,o,r,i;return j(this,function(a){switch(a.label){case 0:return n=void 0===this.storageHandler?D:this.storageHandler,o=U+"-"+t,null===(r=n.getItemSync(o))?[2]:(i=JSON.parse(r)).id!==this.id?[3,2]:[4,K.default().lock(i.iat)];case 1:a.sent(),this.acquiredIatSet.delete(i.iat),n.removeItemSync(o),K.default().unlock(i.iat),e.notifyWaiters(),a.label=2;case 2:return[2]}})})},e.lockCorrector=function(t){for(var n=Date.now()-5e3,o=t,r=[],i=0;;){var a=o.keySync(i);if(null===a)break;r.push(a),i++}for(var s=!1,c=0;c<r.length;c++){var u=r[c];if(u.includes(U)){var l=o.getItemSync(u);if(null!==l){var d=JSON.parse(l);(void 0===d.timeRefreshed&&d.timeAcquired<n||void 0!==d.timeRefreshed&&d.timeRefreshed<n)&&(o.removeItemSync(u),s=!0)}}}s&&e.notifyWaiters()},e.waiters=void 0,e}(),H=x.default=z;class J{async runWithLock(e,t,n){const o=new AbortController,r=setTimeout(()=>o.abort(),t);try{return await navigator.locks.request(e,{mode:"exclusive",signal:o.signal},async e=>{if(clearTimeout(r),!e)throw new Error("Lock not available");return await n()})}catch(e){if(clearTimeout(r),"AbortError"===(null==e?void 0:e.name))throw new l;throw e}}}class M{constructor(){this.activeLocks=new Set,this.lock=new H,this.pagehideHandler=()=>{this.activeLocks.forEach(e=>this.lock.releaseLock(e)),this.activeLocks.clear()}}async runWithLock(e,t,n){let o=!1;for(let n=0;n<10&&!o;n++)o=await this.lock.acquireLock(e,t);if(!o)throw new l;this.activeLocks.add(e),1===this.activeLocks.size&&"undefined"!=typeof window&&window.addEventListener("pagehide",this.pagehideHandler);try{return await n()}finally{this.activeLocks.delete(e),await this.lock.releaseLock(e),0===this.activeLocks.size&&"undefined"!=typeof window&&window.removeEventListener("pagehide",this.pagehideHandler)}}}function Z(){return"undefined"!=typeof navigator&&"function"==typeof(null===(e=navigator.locks)||void 0===e?void 0:e.request)?new J:new M;var e}let V=null;const F=new TextEncoder,X=new TextDecoder;function G(e){return"string"==typeof e?F.encode(e):X.decode(e)}function Y(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new ee(`${e.name} modulusLength must be at least 2048 bits`)}async function B(e,t,n){if(!1===n.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const o=`${Q(G(JSON.stringify(e)))}.${Q(G(JSON.stringify(t)))}`;return`${o}.${Q(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:"SHA-256"};case"RSA-PSS":return Y(e.algorithm),{name:e.algorithm.name,saltLength:32};case"RSASSA-PKCS1-v1_5":return Y(e.algorithm),{name:e.algorithm.name};case"Ed25519":return{name:e.algorithm.name}}throw new $}(n),n,G(o)))}`}let q;if(Uint8Array.prototype.toBase64)q=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;q=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function Q(e){return q(e)}class $ extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}class ee extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor)}}function te(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return"PS256";throw new $("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return"RS256";throw new $("unsupported RsaHashedKeyAlgorithm hash name")}(e);case"ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return"ES256";throw new $("unsupported EcKeyAlgorithm namedCurve")}(e);case"Ed25519":return"Ed25519";default:throw new $("unsupported CryptoKey algorithm name")}}function ne(e){return e instanceof CryptoKey}function oe(e){return ne(e)&&"public"===e.type}async function re(e,t,n,o,r,i){const a=null==e?void 0:e.privateKey,s=null==e?void 0:e.publicKey;if(!ne(c=a)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!oe(s))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(!0!==s.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof n)throw new TypeError('"htm" must be a string');if(void 0!==o&&"string"!=typeof o)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==r&&"string"!=typeof r)throw new TypeError('"accessToken" must be a string or undefined');if(void 0!==i&&("object"!=typeof i||null===i||Array.isArray(i)))throw new TypeError('"additional" must be an object');return B({alg:te(a),typ:"dpop+jwt",jwk:await ie(s)},Object.assign(Object.assign({},i),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:n,nonce:o,htu:t,ath:r?Q(await crypto.subtle.digest("SHA-256",G(r))):void 0}),a)}async function ie(e){const{kty:t,e:n,n:o,x:r,y:i,crv:a}=await crypto.subtle.exportKey("jwk",e);return{kty:t,crv:a,e:n,n:o,x:r,y:i}}const ae="dpop-nonce",se=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange","http://auth0.com/oauth/grant-type/mfa-oob","http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-recovery-code"];function ce(){return async function(e,t){var n;let o;if("string"!=typeof e||0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case"PS256":o={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"RS256":o={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case"ES256":o={name:"ECDSA",namedCurve:"P-256"};break;case"Ed25519":o={name:"Ed25519"};break;default:throw new $}return crypto.subtle.generateKey(o,null!==(n=null==t?void 0:t.extractable)&&void 0!==n&&n,["sign","verify"])}("ES256",{extractable:!1})}function ue(e){return async function(e){if(!oe(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(!0!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await ie(e);let n;switch(t.kty){case"EC":n={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":n={crv:t.crv,kty:t.kty,x:t.x};break;case"RSA":n={e:t.e,kty:t.kty,n:t.n};break;default:throw new $("unsupported JWK kty")}return Q(await crypto.subtle.digest({name:"SHA-256"},G(JSON.stringify(n))))}(e.publicKey)}function le(e){let{keyPair:t,url:n,method:o,nonce:r,accessToken:i}=e;const a=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(n);return re(t,a,o,r,i)}const de=(e,t)=>new Promise(function(n,o){const r=new MessageChannel;r.port1.onmessage=function(e){e.data.error?o(new Error(e.data.error)):n(e.data),r.port1.close()},t.postMessage(e,[r.port2])}),he=(e,t,n)=>{const o=new AbortController;let r;return t.signal=o.signal,Promise.race([fetch(e,t),new Promise((e,t)=>{r=setTimeout(()=>{o.abort(),t(new Error("Timeout when executing 'fetch'"))},n)})]).finally(()=>{clearTimeout(r)})},pe=async function(e,t,o,r,i,a){let s=arguments.length>6&&void 0!==arguments[6]?arguments[6]:n;return i?(async(e,t,n,o,r,i,a,s)=>de({type:"refresh",auth:{audience:t,scope:n},timeout:r,fetchUrl:e,fetchOptions:o,useFormData:a,useMrrt:s},i))(e,t,o,r,s,i,a,arguments.length>7?arguments[7]:void 0):(async(e,t,n)=>{const o=await he(e,t,n);return{ok:o.ok,json:await o.json(),headers:(r=o.headers,[...r].reduce((e,t)=>{let[n,o]=t;return e[n]=o,e},{}))};var r})(e,r,s)};async function fe(t,n,o,r,i,a,c,u,l,d){if(l){const e=await l.generateProof({url:t,method:i.method||"GET",nonce:await l.getNonce()});i.headers=Object.assign(Object.assign({},i.headers),{dpop:e})}let h,p=null;for(let e=0;e<3;e++)try{h=await pe(t,o,r,i,a,c,n,u),p=null;break}catch(e){p=e}if(p)throw p;const y=h.json,{error:g,error_description:v}=y,b=e(y,["error","error_description"]),{headers:_,ok:k}=h;let S;if(l&&(S=_[ae],S&&await l.setNonce(S)),!k){const e=v||"HTTP error. Unable to fetch ".concat(t);if("mfa_required"===g)throw new f(g,e,b.mfa_token,b.mfa_requirements);if("missing_refresh_token"===g)throw new m(o,r);if("use_dpop_nonce"===g){if(!l||!S||d)throw new w(S);return fe(t,n,o,r,i,a,c,u,l,!0)}throw new s(g||"request_error",e)}return b}async function me(t,n){var{baseUrl:o,timeout:i,audience:s,scope:c,auth0Client:u,useFormData:l,useMrrt:d,dpop:h}=t,p=e(t,["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"]);const f="urn:ietf:params:oauth:grant-type:token-exchange"===p.grant_type,m="refresh_token"===p.grant_type&&d,y=Object.assign(Object.assign(Object.assign(Object.assign({},p),f&&s&&{audience:s}),f&&c&&{scope:c}),m&&{audience:s,scope:c}),w=l?T(y):JSON.stringify(y),g=(v=p.grant_type,se.includes(v));var v;return await fe("".concat(o,"/oauth/token"),i,s||a,c,{method:"POST",body:w,headers:{"Content-Type":l?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(S(u||r)))}},n,l,d,g?h:void 0)}const ye=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return(o=t.filter(Boolean).join(" ").trim().split(/\s+/),Array.from(new Set(o))).join(" ");var o},we=(e,t,n)=>{let o;return n&&(o=e[n]),o||(o=e[a]),ye(o,t)},ge="@@auth0spajs@@",ve="@@user@@";class be{constructor(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:ge,n=arguments.length>2?arguments[2]:void 0;this.prefix=t,this.suffix=n,this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience}toKey(){return[this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,n,o,r]=e.split("::");return new be({clientId:n,scope:r,audience:o},t)}static fromCacheEntry(e){const{scope:t,audience:n,client_id:o}=e;return new be({scope:t,audience:n,clientId:o})}}class _e{set(e,t){localStorage.setItem(e,JSON.stringify(t))}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e)}allKeys(){return Object.keys(window.localStorage).filter(e=>e.startsWith(ge))}}class ke{constructor(){this.enclosedCache=function(){let e={};return{set(t,n){e[t]=n},get(t){const n=e[t];if(n)return n},remove(t){delete e[t]},allKeys:()=>Object.keys(e)}}()}}class Se{constructor(e,t,n){this.cache=e,this.keyManifest=t,this.nowProvider=n||i}async setIdToken(e,t,n){var o;const r=this.getIdTokenCacheKey(e);await this.cache.set(r,{id_token:t,decodedToken:n}),await(null===(o=this.keyManifest)||void 0===o?void 0:o.add(r))}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return{id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return{id_token:t.id_token,decodedToken:t.decodedToken}}async get(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:0,n=arguments.length>2&&void 0!==arguments[2]&&arguments[2],o=arguments.length>3?arguments[3]:void 0;var r;let i=await this.cache.get(e.toKey()),a=e;if(!i){const t=await this.getCacheKeys();if(!t)return;const r=this.matchExistingCacheKey(e,t);if(r&&(i=await this.cache.get(r),a=be.fromKey(r)),!i&&n&&"cache-only"!==o)return this.getEntryWithRefreshToken(e,t)}if(!i)return;const s=await this.nowProvider(),c=Math.floor(s/1e3);return i.expiresAt-t<c?i.body.refresh_token?this.modifiedCachedEntry(i,a):(await this.cache.remove(a.toKey()),void await(null===(r=this.keyManifest)||void 0===r?void 0:r.remove(a.toKey()))):i.body}async modifiedCachedEntry(e,t){const n={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},o={body:n,expiresAt:e.expiresAt};return await this.cache.set(t.toKey(),o),{refresh_token:n.refresh_token,audience:n.audience,scope:n.scope}}async set(e){var t;const n=new be({clientId:e.client_id,scope:e.scope,audience:e.audience}),o=await this.wrapCacheEntry(e);await this.cache.set(n.toKey(),o),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(n.toKey()))}async remove(e,t,n){const o=new be({clientId:e,scope:n,audience:t});await this.cache.remove(o.toKey())}async stripRefreshToken(e){var t;const n=await this.getCacheKeys();if(n)for(const o of n){const n=await this.cache.get(o);(null===(t=null==n?void 0:n.body)||void 0===t?void 0:t.refresh_token)===e&&(delete n.body.refresh_token,await this.cache.set(o,n))}}async clear(e){var t;const n=await this.getCacheKeys();n&&(await n.filter(t=>!e||t.includes(e)).reduce(async(e,t)=>{await e,await this.cache.remove(t)},Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()))}async wrapCacheEntry(e){const t=await this.nowProvider();return{body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new be({clientId:e},ge,ve).toKey()}matchExistingCacheKey(e,t){return t.filter(t=>{var n;const o=be.fromKey(t),r=new Set(o.scope&&o.scope.split(" ")),i=(null===(n=e.scope)||void 0===n?void 0:n.split(" "))||[],a=o.scope&&i.reduce((e,t)=>e&&r.has(t),!0);return o.prefix===ge&&o.clientId===e.clientId&&o.audience===e.audience&&a})[0]}async getEntryWithRefreshToken(e,t){var n;for(const o of t){const t=be.fromKey(o);if(t.prefix===ge&&t.clientId===e.clientId){const e=await this.cache.get(o);if(null===(n=null==e?void 0:e.body)||void 0===n?void 0:n.refresh_token)return{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}}}async getRefreshTokensByAudience(e,t){var n;const o=await this.getCacheKeys();if(!o)return[];const r=new Set;for(const i of o){const o=be.fromKey(i);if(o.prefix===ge&&o.clientId===t&&o.audience===e){const e=await this.cache.get(i);(null===(n=null==e?void 0:e.body)||void 0===n?void 0:n.refresh_token)&&r.add(e.body.refresh_token)}}return Array.from(r)}async updateEntry(e,t){var n;const o=await this.getCacheKeys();if(o)for(const r of o){const o=await this.cache.get(r);(null===(n=null==o?void 0:o.body)||void 0===n?void 0:n.refresh_token)===e&&(o.body.refresh_token=t,await this.cache.set(r,o))}}}class Te{constructor(e,t,n){this.storage=e,this.clientId=t,this.cookieDomain=n,this.storageKey="".concat("a0.spajs.txs",".").concat(this.clientId)}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain})}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain})}}const Ee=e=>"number"==typeof e,Pe=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],Ae=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[n,o,r]=t;if(3!==t.length||!n||!o||!r)throw new Error("ID token could not be decoded");const i=JSON.parse(P(o)),a={__raw:e},s={};return Object.keys(i).forEach(e=>{a[e]=i[e],Pe.includes(e)||(s[e]=i[e])}),{encoded:{header:n,payload:o,signature:r},header:JSON.parse(P(n)),claims:a,user:s}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(e.iss,'", found "').concat(t.claims.iss,'"'));if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error('Signature algorithm of "'.concat(t.header.alg,'" is not supported. Expected the ID token to be signed with "RS256".'));if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but was not one of "').concat(t.claims.aud.join(", "),'"'));if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(e.aud,'", found "').concat(t.claims.azp,'"'))}}else if(t.claims.aud!==e.aud)throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but found "').concat(t.claims.aud,'"'));if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(e.nonce,'", found "').concat(t.claims.nonce,'"'))}if(e.max_age&&!Ee(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!Ee(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!Ee(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const n=e.leeway||60,o=new Date(e.now||Date.now()),r=new Date(0);if(r.setUTCSeconds(t.claims.exp+n),o>r)throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o,") is after expiration time (").concat(r,")"));if(null!=t.claims.nbf&&Ee(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-n),o<e)throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o,") is before ").concat(e))}if(null!=t.claims.auth_time&&Ee(t.claims.auth_time)){const r=new Date(0);if(r.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+n),o>r)throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o,") is after last auth at ").concat(r))}if(e.organization){const n=e.organization.trim();if(n.startsWith("org_")){const e=n;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_id,'"'))}else{const e=n.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_name,'"'))}}return t};var Re=R&&R.__assign||function(){return Re=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},Re.apply(this,arguments)};function xe(e,t){if(!t)return"";var n="; "+e;return!0===t?n:n+"="+t}function Ie(e,t,n){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t}return xe("Expires",e.expires?e.expires.toUTCString():"")+xe("Domain",e.domain)+xe("Path",e.path)+xe("Secure",e.secure)+xe("SameSite",e.sameSite)}(n)}function Oe(){return function(e){for(var t={},n=e?e.split("; "):[],o=/(%[\dA-F]{2})+/gi,r=0;r<n.length;r++){var i=n[r].split("="),a=i.slice(1).join("=");'"'===a.charAt(0)&&(a=a.slice(1,-1));try{t[i[0].replace(o,decodeURIComponent)]=a.replace(o,decodeURIComponent)}catch(e){}}return t}(document.cookie)}var Ce=function(e){return Oe()[e]};function je(e,t,n){document.cookie=Ie(e,t,Re({path:"/"},n))}var We=je;var Ke=function(e,t){je(e,"",Re(Re({},t),{expires:-1}))};const Ue={get(e){const t=Ce(e);if(void 0!==t)return JSON.parse(t)},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0,sameSite:"none"}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),We(e,JSON.stringify(t),o)},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),Ke(e,n)}},De="_legacy_",Ne={get(e){const t=Ue.get(e);return t||Ue.get("".concat(De).concat(e))},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:!0}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),We("".concat(De).concat(e),JSON.stringify(t),o),Ue.save(e,t,n)},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),Ke(e,n),Ue.remove(e,t),Ue.remove("".concat(De).concat(e),t)}},Le={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t))},remove(e){sessionStorage.removeItem(e)}};var ze;!function(e){e.Code="code",e.ConnectCode="connect_code"}(ze||(ze={}));class He{}function Je(e,t,n){var o=void 0===t?null:t,r=function(e,t){var n=atob(e);if(t){for(var o=new Uint8Array(n.length),r=0,i=n.length;r<i;++r)o[r]=n.charCodeAt(r);return String.fromCharCode.apply(null,new Uint16Array(o.buffer))}return n}(e,void 0!==n&&n),i=r.indexOf("\n",10)+1,a=r.substring(i)+(o?"//# sourceMappingURL="+o:""),s=new Blob([a],{type:"application/javascript"});return URL.createObjectURL(s)}var Me,Ze,Ve,Fe,Xe=(Me="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOm99PXQ7cmV0dXJuIG5ldyBlKHIsbyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUsbyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKG8pLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1vLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtyZXR1cm4gZSYmIShhcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W10pLmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IG89ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIG8gaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxvKSYmdC5pbmRleE9mKG8pPDAmJihyW29dPWVbb10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgcz0wO2ZvcihvPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7czxvLmxlbmd0aDtzKyspdC5pbmRleE9mKG9bc10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLG9bc10pJiYocltvW3NdXT1lW29bc11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIodD0+dm9pZCAwIT09ZVt0XSkucmVkdWNlKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkse30pKShPYmplY3QuYXNzaWduKHtjbGllbnRfaWQ6dH0scikpKS50b1N0cmluZygpfTtsZXQgcz17fSxuPW51bGw7Y29uc3QgaT0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCksYT0oZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpLGM9ZT0+e09iamVjdC5lbnRyaWVzKHMpLmZvckVhY2godD0+e2xldFtyLG9dPXQ7bz09PWUmJmRlbGV0ZSBzW3JdfSl9LGw9ZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKGUsdCk9PntyW3RdPWV9KSxyfSxmPWFzeW5jIGU9PntsZXQgcixuLHtkYXRhOnt0aW1lb3V0OmMsYXV0aDpmLGZldGNoVXJsOnUsZmV0Y2hPcHRpb25zOmgsdXNlRm9ybURhdGE6ZCx1c2VNcnJ0OnB9LHBvcnRzOltnXX09ZSx5PXt9O2NvbnN0e2F1ZGllbmNlOmIsc2NvcGU6T309Znx8e307dHJ5e2NvbnN0IGU9ZD9sKGguYm9keSk6SlNPTi5wYXJzZShoLmJvZHkpO2lmKCFlLnJlZnJlc2hfdG9rZW4mJiJyZWZyZXNoX3Rva2VuIj09PWUuZ3JhbnRfdHlwZSl7aWYobj0oKGUsdCk9PnNbaShlLHQpXSkoYixPKSwhbiYmcCl7Y29uc3QgZT1zLmxhdGVzdF9yZWZyZXNoX3Rva2VuLHQ9KChlLHQpPT4hIU9iamVjdC5rZXlzKHMpLmZpbmQocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBvPWEodCxyKSxzPXIuc3BsaXQoInwiKVsxXS5zcGxpdCgiICIpLG49ZS5zcGxpdCgiICIpLmV2ZXJ5KGU9PnMuaW5jbHVkZXMoZSkpO3JldHVybiBvJiZufX0pKShPLGIpO2UmJiF0JiYobj1lKX1pZighbil0aHJvdyBuZXcgdChiLE8pO2guYm9keT1kP28oT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LGUpLHtyZWZyZXNoX3Rva2VuOm59KSk6SlNPTi5zdHJpbmdpZnkoT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LGUpLHtyZWZyZXNoX3Rva2VuOm59KSl9bGV0IGYsdzsiZnVuY3Rpb24iPT10eXBlb2YgQWJvcnRDb250cm9sbGVyJiYoZj1uZXcgQWJvcnRDb250cm9sbGVyLGguc2lnbmFsPWYuc2lnbmFsKTt0cnl7dz1hd2FpdCBQcm9taXNlLnJhY2UoWyhtPWMsbmV3IFByb21pc2UoZT0+c2V0VGltZW91dChlLG0pKSksZmV0Y2godSxPYmplY3QuYXNzaWduKHt9LGgpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIGcucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCF3KXJldHVybiBmJiZmLmFib3J0KCksdm9pZCBnLnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189dy5oZWFkZXJzLHk9Wy4uLl9dLnJlZHVjZSgoZSx0KT0+e2xldFtyLG9dPXQ7cmV0dXJuIGVbcl09byxlfSx7fSkscj1hd2FpdCB3Lmpzb24oKSxyLnJlZnJlc2hfdG9rZW4/KHAmJihzLmxhdGVzdF9yZWZyZXNoX3Rva2VuPXIucmVmcmVzaF90b2tlbixrPW4saj1yLnJlZnJlc2hfdG9rZW4sT2JqZWN0LmVudHJpZXMocykuZm9yRWFjaChlPT57bGV0W3Qscl09ZTtyPT09ayYmKHNbdF09ail9KSksKChlLHQscik9PntzW2kodCxyKV09ZX0pKHIucmVmcmVzaF90b2tlbixiLE8pLGRlbGV0ZSByLnJlZnJlc2hfdG9rZW4pOigoZSx0KT0+e2RlbGV0ZSBzW2koZSx0KV19KShiLE8pLGcucG9zdE1lc3NhZ2Uoe29rOncub2ssanNvbjpyLGhlYWRlcnM6eX0pfWNhdGNoKGUpe2cucG9zdE1lc3NhZ2Uoe29rOiExLGpzb246e2Vycm9yOmUuZXJyb3IsZXJyb3JfZGVzY3JpcHRpb246ZS5tZXNzYWdlfSxoZWFkZXJzOnl9KX12YXIgayxqLF8sbX0sdT1hc3luYyBlPT57bGV0e2RhdGE6e3RpbWVvdXQ6dCxhdXRoOnIsZmV0Y2hVcmw6bixmZXRjaE9wdGlvbnM6aSx1c2VGb3JtRGF0YTpmfSxwb3J0czpbdV19PWU7Y29uc3R7YXVkaWVuY2U6aH09cnx8e307dHJ5e2NvbnN0IGU9KGU9Pntjb25zdCB0PW5ldyBTZXQ7cmV0dXJuIE9iamVjdC5lbnRyaWVzKHMpLmZvckVhY2gocj0+e2xldFtvLHNdPXI7YShlLG8pJiZ0LmFkZChzKX0pLEFycmF5LmZyb20odCl9KShoKTtpZigwPT09ZS5sZW5ndGgpcmV0dXJuIHZvaWQgdS5wb3N0TWVzc2FnZSh7b2s6ITB9KTtjb25zdCByPWY/bChpLmJvZHkpOkpTT04ucGFyc2UoaS5ib2R5KTtmb3IoY29uc3QgcyBvZiBlKXtjb25zdCBlPWY/byhPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30scikse3Rva2VuOnN9KSk6SlNPTi5zdHJpbmdpZnkoT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LHIpLHt0b2tlbjpzfSkpO2xldCBhLGwsaCxkOyJmdW5jdGlvbiI9PXR5cGVvZiBBYm9ydENvbnRyb2xsZXImJihhPW5ldyBBYm9ydENvbnRyb2xsZXIsbD1hLnNpZ25hbCk7dHJ5e2Q9YXdhaXQgUHJvbWlzZS5yYWNlKFtuZXcgUHJvbWlzZShlPT57aD1zZXRUaW1lb3V0KGUsdCl9KSxmZXRjaChuLE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxpKSx7Ym9keTplLHNpZ25hbDpsfSkpXSkuZmluYWxseSgoKT0+Y2xlYXJUaW1lb3V0KGgpKX1jYXRjaChlKXtyZXR1cm4gdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjplLm1lc3NhZ2V9KX1pZighZClyZXR1cm4gYSYmYS5hYm9ydCgpLHZvaWQgdS5wb3N0TWVzc2FnZSh7ZXJyb3I6IlRpbWVvdXQgd2hlbiBleGVjdXRpbmcgJ2ZldGNoJyJ9KTtpZighZC5vayl7bGV0IGU7dHJ5e2NvbnN0e2Vycm9yX2Rlc2NyaXB0aW9uOnR9PUpTT04ucGFyc2UoYXdhaXQgZC50ZXh0KCkpO2U9dH1jYXRjaChlKXt9cmV0dXJuIHZvaWQgdS5wb3N0TWVzc2FnZSh7ZXJyb3I6ZXx8IkhUVFAgZXJyb3IgIi5jb25jYXQoZC5zdGF0dXMpfSl9YyhzKX11LnBvc3RNZXNzYWdlKHtvazohMH0pfWNhdGNoKGUpe3UucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZXx8IlVua25vd24gZXJyb3IgZHVyaW5nIHRva2VuIHJldm9jYXRpb24ifSl9fSxoPShlLHQpPT57aWYoIW4pcmV0dXJuITE7dHJ5e2NvbnN0IHI9bmV3IFVSTChuKS5vcmlnaW4sbz1uZXcgVVJMKGUuZmV0Y2hVcmwpO3JldHVybiBvLm9yaWdpbj09PXImJm8ucGF0aG5hbWU9PT10fWNhdGNoKGUpe3JldHVybiExfX07YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsZT0+e2NvbnN0e2RhdGE6dCxwb3J0czpyfT1lLFtvXT1yO2lmKCJ0eXBlImluIHQmJiJpbml0Ij09PXQudHlwZSl7aWYobnVsbD09PW4pdHJ5e25ldyBVUkwodC5hbGxvd2VkQmFzZVVybCksbj10LmFsbG93ZWRCYXNlVXJsfWNhdGNoKGUpe3JldHVybn19ZWxzZXtpZigidHlwZSJpbiB0JiYicmV2b2tlIj09PXQudHlwZSlyZXR1cm4gaCh0LCIvb2F1dGgvcmV2b2tlIik/dm9pZCB1KGUpOnZvaWQobnVsbD09b3x8by5wb3N0TWVzc2FnZSh7b2s6ITEsanNvbjp7ZXJyb3I6ImludmFsaWRfZmV0Y2hfdXJsIixlcnJvcl9kZXNjcmlwdGlvbjoiVW5hdXRob3JpemVkIGZldGNoIFVSTCJ9LGhlYWRlcnM6e319KSk7ImZldGNoVXJsImluIHQmJmgodCwiL29hdXRoL3Rva2VuIik/ZihlKTpudWxsPT1vfHxvLnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjoiaW52YWxpZF9mZXRjaF91cmwiLGVycm9yX2Rlc2NyaXB0aW9uOiJVbmF1dGhvcml6ZWQgZmV0Y2ggVVJMIn0saGVhZGVyczp7fX0pfX0pfSgpOwoK",Ze=null,Ve=!1,function(e){return Fe=Fe||Je(Me,Ze,Ve),new Worker(Fe,e)});const Ge={};class Ye{constructor(e,t){this.cache=e,this.clientId=t,this.manifestKey=this.createManifestKeyFrom(this.clientId)}async add(e){var t;const n=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);n.add(e),await this.cache.set(this.manifestKey,{keys:[...n]})}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const n=new Set(t.keys);return n.delete(e),n.size>0?await this.cache.set(this.manifestKey,{keys:[...n]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return"".concat(ge,"::").concat(e)}}const Be="auth0.is.authenticated",qe={memory:()=>(new ke).enclosedCache,localstorage:()=>new _e},Qe=e=>qe[e],$e=t=>{const{openUrl:n,onRedirect:o}=t,r=e(t,["openUrl","onRedirect"]);return Object.assign(Object.assign({},r),{openUrl:!1===n||n?n:o})},et=(e,t)=>{const n=(null==t?void 0:t.split(" "))||[];return((null==e?void 0:e.split(" "))||[]).every(e=>n.includes(e))},tt={NONCE:"nonce",KEYPAIR:"keypair"};class nt{constructor(e){this.clientId=e}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise((t,n)=>{e.onupgradeneeded=()=>Object.values(tt).forEach(t=>e.result.createObjectStore(t)),e.onerror=()=>n(e.error),e.onsuccess=()=>t(e.result)})}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,n){const o=n((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise((e,t)=>{o.onsuccess=()=>e(o.result),o.onerror=()=>t(o.error)})}buildKey(e){const t=e?"_".concat(e):"auth0";return"".concat(this.clientId,"::").concat(t)}setNonce(e,t){return this.save(tt.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(tt.KEYPAIR,this.buildKey(),e)}async save(e,t,n){await this.executeDbRequest(e,"readwrite",e=>e.put(n,t))}findNonce(e){return this.find(tt.NONCE,this.buildKey(e))}findKeyPair(){return this.find(tt.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",e=>e.get(t))}async deleteBy(e,t){const n=await this.executeDbRequest(e,"readonly",e=>e.getAllKeys());null==n||n.filter(t).map(t=>this.executeDbRequest(e,"readwrite",e=>e.delete(t)))}deleteByClientId(e,t){return this.deleteBy(e,e=>"string"==typeof e&&e.startsWith("".concat(t,"::")))}clearNonces(){return this.deleteByClientId(tt.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(tt.KEYPAIR,this.clientId)}}class ot{constructor(e){this.storage=new nt(e)}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await ce(),await this.storage.setKeyPair(e)),e}async generateProof(e){const t=await this.getOrGenerateKeyPair();return le(Object.assign({keyPair:t},e))}async calculateThumbprint(){return ue(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()])}}var rt;!function(e){e.Bearer="Bearer",e.DPoP="DPoP"}(rt||(rt={}));class it{constructor(e,t){this.hooks=t,this.config=Object.assign(Object.assign({},e),{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))})}isAbsoluteUrl(e){return/^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return"".concat(e.replace(/\/?\/$/,""),"/").concat(t.replace(/^\/+/,""))}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return"string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const n=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),o=e instanceof Request?new Request(n,e):n;return new Request(o,t)}setAuthorizationHeader(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:rt.Bearer;e.headers.set("authorization","".concat(n," ").concat(t))}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const n=await this.hooks.getDpopNonce(),o=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:n,url:e.url});e.headers.set("dpop",o)}async prepareRequest(e,t){const n=await this.getAccessToken(t);let o,r;"string"==typeof n?(o=this.config.dpopNonceId?rt.DPoP:rt.Bearer,r=n):(o=n.token_type,r=n.access_token),this.setAuthorizationHeader(e,r,o),o===rt.DPoP&&await this.setDpopProofHeader(e,r)}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return!1;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const n=this.getHeader(e.headers,ae);if(n&&await this.hooks.setDpopNonce(n),!this.hasUseDpopNonceError(e))return e;if(!n||!t.onUseDpopNonceError)throw new w(n);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,n,o){const r=this.buildBaseRequest(e,t);await this.prepareRequest(r,o);const i=await this.config.fetch(r);return this.handleResponse(i,n)}fetchWithAuth(e,t,n){const o={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,Object.assign(Object.assign({},o),{onUseDpopNonceError:void 0}),n)};return this.internalFetchWithAuth(e,t,o,n)}}class at{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/connect"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/complete"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t)}catch(n){throw new st({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(n)})}if(e.ok)return t;throw new st(t)}}class st extends Error{constructor(e){let{type:t,status:n,title:o,detail:r,validation_errors:i}=e;super(r),this.name="MyAccountApiError",this.type=t,this.status=n,this.title=o,this.detail=r,this.validation_errors=i,Object.setPrototypeOf(this,st.prototype)}}const ct={otp:{authenticatorTypes:["otp"]},sms:{authenticatorTypes:["oob"],oobChannels:["sms"]},email:{authenticatorTypes:["oob"],oobChannels:["email"]},push:{authenticatorTypes:["oob"],oobChannels:["auth0"]},voice:{authenticatorTypes:["oob"],oobChannels:["voice"]}},ut="http://auth0.com/oauth/grant-type/mfa-otp",lt="http://auth0.com/oauth/grant-type/mfa-oob",dt="http://auth0.com/oauth/grant-type/mfa-recovery-code";function ht(e,t){this.v=e,this.k=t}function pt(e,t,n){if("function"==typeof e?e===t:e.has(t))return arguments.length<3?t:n;throw new TypeError("Private element is not present on this object")}function ft(e){return new ht(e,0)}function mt(e,t){if(t.has(e))throw new TypeError("Cannot initialize the same private elements twice on an object")}function yt(e,t){return e.get(pt(e,t))}function wt(e,t,n){mt(e,t),t.set(e,n)}function gt(e,t,n){return e.set(pt(e,t),n),n}function vt(e,t,n){return(t=function(e){var t=function(e,t){if("object"!=typeof e||!e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var o=n.call(e,t||"default");if("object"!=typeof o)return o;throw new TypeError("@@toPrimitive must return a primitive value.")}return("string"===t?String:Number)(e)}(e,"string");return"symbol"==typeof t?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function bt(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter(function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable})),n.push.apply(n,o)}return n}function _t(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?bt(Object(n),!0).forEach(function(t){vt(e,t,n[t])}):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):bt(Object(n)).forEach(function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))})}return e}function kt(e,t){if(null==e)return{};var n,o,r=function(e,t){if(null==e)return{};var n={};for(var o in e)if({}.hasOwnProperty.call(e,o)){if(-1!==t.indexOf(o))continue;n[o]=e[o]}return n}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(o=0;o<i.length;o++)n=i[o],-1===t.indexOf(n)&&{}.propertyIsEnumerable.call(e,n)&&(r[n]=e[n])}return r}function St(e){return function(){return new Tt(e.apply(this,arguments))}}function Tt(e){var t,n;function o(t,n){try{var i=e[t](n),a=i.value,s=a instanceof ht;Promise.resolve(s?a.v:a).then(function(n){if(s){var c="return"===t&&a.k?t:"next";if(!a.k||n.done)return o(c,n);n=e[c](n).value}r(!!i.done,n)},function(e){o("throw",e)})}catch(e){r(2,e)}}function r(e,r){2===e?t.reject(r):t.resolve({value:r,done:e}),(t=t.next)?o(t.key,t.arg):n=null}this._invoke=function(e,r){return new Promise(function(i,a){var s={key:e,arg:r,resolve:i,reject:a,next:null};n?n=n.next=s:(t=n=s,o(e,r))})},"function"!=typeof e.return&&(this.return=void 0)}var Et,Pt;let At;if(Tt.prototype["function"==typeof Symbol&&Symbol.asyncIterator||"@@asyncIterator"]=function(){return this},Tt.prototype.next=function(e){return this._invoke("next",e)},Tt.prototype.throw=function(e){return this._invoke("throw",e)},Tt.prototype.return=function(e){return this._invoke("return",e)},"undefined"==typeof navigator||null===(Et=navigator.userAgent)||void 0===Et||null===(Pt=Et.startsWith)||void 0===Pt||!Pt.call(Et,"Mozilla/5.0 ")){const e="v3.8.5";At="".concat("oauth4webapi","/").concat(e)}function Rt(e,t){if(null==e)return!1;try{return e instanceof t||Object.getPrototypeOf(e)[Symbol.toStringTag]===t.prototype[Symbol.toStringTag]}catch(e){return!1}}const xt="ERR_INVALID_ARG_VALUE",It="ERR_INVALID_ARG_TYPE";function Ot(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}const Ct=Symbol(),jt=Symbol(),Wt=Symbol(),Kt=Symbol(),Ut=Symbol(),Dt=Symbol(),Nt=new TextEncoder,Lt=new TextDecoder;function zt(e){return"string"==typeof e?Nt.encode(e):Lt.decode(e)}let Ht,Jt;if(Uint8Array.prototype.toBase64)Ht=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:!0}));else{const e=32768;Ht=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}}function Mt(e){return"string"==typeof e?Jt(e):Ht(e)}Jt=Uint8Array.fromBase64?e=>{try{return Uint8Array.fromBase64(e,{alphabet:"base64url"})}catch(e){throw Ot("The input to be decoded is not correctly encoded.",xt,e)}}:e=>{try{const t=atob(e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"")),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}catch(e){throw Ot("The input to be decoded is not correctly encoded.",xt,e)}};class Zt extends Error{constructor(e,t){var n;super(e,t),vt(this,"code",void 0),this.name=this.constructor.name,this.code=Fn,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class Vt extends Error{constructor(e,t){var n;super(e,t),vt(this,"code",void 0),this.name=this.constructor.name,null!=t&&t.code&&(this.code=null==t?void 0:t.code),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function Ft(e,t,n){return new Vt(e,{code:t,cause:n})}function Xt(e,t){if(function(e,t){if(!(e instanceof CryptoKey))throw Ot("".concat(t," must be a CryptoKey"),It)}(e,t),"private"!==e.type)throw Ot("".concat(t," must be a private CryptoKey"),xt)}function Gt(e){return null!==e&&"object"==typeof e&&!Array.isArray(e)}function Yt(e){Rt(e,Headers)&&(e=Object.fromEntries(e.entries()));const t=new Headers(null!=e?e:{});if(At&&!t.has("user-agent")&&t.set("user-agent",At),t.has("authorization"))throw Ot('"options.headers" must not include the "authorization" header name',xt);return t}function Bt(e,t){if(void 0!==t){if("function"==typeof t&&(t=t(e.href)),!(t instanceof AbortSignal))throw Ot('"options.signal" must return or be an instance of AbortSignal',It);return t}}function qt(e){return e.includes("//")?e.replace("//","/"):e}async function Qt(e,t){return async function(e,t,n,o){if(!(e instanceof URL))throw Ot('"'.concat(t,'" must be an instance of URL'),It);pn(e,!0!==(null==o?void 0:o[Ct]));const r=n(new URL(e.href)),i=Yt(null==o?void 0:o.headers);return i.set("accept","application/json"),((null==o?void 0:o[Kt])||fetch)(r.href,{body:void 0,headers:Object.fromEntries(i.entries()),method:"GET",redirect:"manual",signal:Bt(r,null==o?void 0:o.signal)})}(e,"issuerIdentifier",e=>{switch(null==t?void 0:t.algorithm){case void 0:case"oidc":!function(e,t){e.pathname=qt("".concat(e.pathname,"/").concat(t))}(e,".well-known/openid-configuration");break;case"oauth2":!function(e,t){let n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];"/"===e.pathname?e.pathname=t:e.pathname=qt("".concat(t,"/").concat(n?e.pathname:e.pathname.replace(/(\/)$/,"")))}(e,".well-known/oauth-authorization-server");break;default:throw Ot('"options.algorithm" must be "oidc" (default), or "oauth2"',xt)}return e},t)}function $t(e,t,n,o,r){try{if("number"!=typeof e||!Number.isFinite(e))throw Ot("".concat(n," must be a number"),It,r);if(e>0)return;if(t){if(0!==e)throw Ot("".concat(n," must be a non-negative number"),xt,r);return}throw Ot("".concat(n," must be a positive number"),xt,r)}catch(e){if(o)throw Ft(e.message,o,r);throw e}}function en(e,t,n,o){try{if("string"!=typeof e)throw Ot("".concat(t," must be a string"),It,o);if(0===e.length)throw Ot("".concat(t," must not be empty"),xt,o)}catch(e){if(n)throw Ft(e.message,n,o);throw e}}function tn(e){!function(e,t){if(Rn(e)!==t)throw function(e){let t='"response" content-type must be ';for(var n=arguments.length,o=new Array(n>1?n-1:0),r=1;r<n;r++)o[r-1]=arguments[r];if(o.length>2){const e=o.pop();t+="".concat(o.join(", "),", or ").concat(e)}else 2===o.length?t+="".concat(o[0]," or ").concat(o[1]):t+=o[0];return Ft(t,Bn,e)}(e,t)}(e,"application/json")}function nn(){return Mt(crypto.getRandomValues(new Uint8Array(32)))}function on(e){switch(e.algorithm.name){case"RSA-PSS":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"PS256";case"SHA-384":return"PS384";case"SHA-512":return"PS512";default:throw new Zt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"RSASSA-PKCS1-v1_5":return function(e){switch(e.algorithm.hash.name){case"SHA-256":return"RS256";case"SHA-384":return"RS384";case"SHA-512":return"RS512";default:throw new Zt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case"ECDSA":return function(e){switch(e.algorithm.namedCurve){case"P-256":return"ES256";case"P-384":return"ES384";case"P-521":return"ES512";default:throw new Zt("unsupported EcKeyAlgorithm namedCurve",{cause:e})}}(e);case"Ed25519":case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return e.algorithm.name;case"EdDSA":return"Ed25519";default:throw new Zt("unsupported CryptoKey algorithm name",{cause:e})}}function rn(e){const t=null==e?void 0:e[jt];return"number"==typeof t&&Number.isFinite(t)?t:0}function an(e){const t=null==e?void 0:e[Wt];return"number"==typeof t&&Number.isFinite(t)&&-1!==Math.sign(t)?t:30}function sn(){return Math.floor(Date.now()/1e3)}function cn(e){if("object"!=typeof e||null===e)throw Ot('"as" must be an object',It);en(e.issuer,'"as.issuer"')}function un(e){if("object"!=typeof e||null===e)throw Ot('"client" must be an object',It);en(e.client_id,'"client.client_id"')}function ln(e){return en(e,'"clientSecret"'),(t,n,o,r)=>{o.set("client_id",n.client_id),o.set("client_secret",e)}}function dn(e,t){const{key:n,kid:o}=(r=e)instanceof CryptoKey?{key:r}:(null==r?void 0:r.key)instanceof CryptoKey?(void 0!==r.kid&&en(r.kid,'"kid"'),{key:r.key,kid:r.kid}):{};var r;return Xt(n,'"clientPrivateKey.key"'),async(e,r,i,a)=>{var s;const c={alg:on(n),kid:o},u=function(e,t){const n=sn()+rn(t);return{jti:nn(),aud:e.issuer,exp:n+60,iat:n,nbf:n,iss:t.client_id,sub:t.client_id}}(e,r);null==t||null===(s=t[Ut])||void 0===s||s.call(t,c,u),i.set("client_id",r.client_id),i.set("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),i.set("client_assertion",await async function(e,t,n){if(!n.usages.includes("sign"))throw Ot('CryptoKey instances used for signing assertions must include "sign" in their "usages"',xt);const o="".concat(Mt(zt(JSON.stringify(e))),".").concat(Mt(zt(JSON.stringify(t)))),r=Mt(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case"ECDSA":return{name:e.algorithm.name,hash:so(e)};case"RSA-PSS":switch(ao(e),e.algorithm.hash.name){case"SHA-256":case"SHA-384":case"SHA-512":return{name:e.algorithm.name,saltLength:parseInt(e.algorithm.hash.name.slice(-3),10)>>3};default:throw new Zt("unsupported RSA-PSS hash name",{cause:e})}case"RSASSA-PKCS1-v1_5":return ao(e),e.algorithm.name;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":case"Ed25519":return e.algorithm.name}throw new Zt("unsupported CryptoKey algorithm name",{cause:e})}(n),n,zt(o)));return"".concat(o,".").concat(r)}(c,u,n))}}const hn=URL.parse?(e,t)=>URL.parse(e,t):(e,t)=>{try{return new URL(e,t)}catch(e){return null}};function pn(e,t){if(t&&"https:"!==e.protocol)throw Ft("only requests to HTTPS are allowed",Qn,e);if("https:"!==e.protocol&&"http:"!==e.protocol)throw Ft("only HTTP and HTTPS requests are allowed",$n,e)}function fn(e,t,n,o){let r;if("string"!=typeof e||!(r=hn(e)))throw Ft("authorization server metadata does not contain a valid ".concat(n?'"as.mtls_endpoint_aliases.'.concat(t,'"'):'"as.'.concat(t,'"')),void 0===e?oo:ro,{attribute:n?"mtls_endpoint_aliases.".concat(t):t});return pn(r,o),r}function mn(e,t,n,o){return n&&e.mtls_endpoint_aliases&&t in e.mtls_endpoint_aliases?fn(e.mtls_endpoint_aliases[t],t,n,o):fn(e[t],t,n,o)}class yn extends Error{constructor(e,t){var n;super(e,t),vt(this,"cause",void 0),vt(this,"code",void 0),vt(this,"error",void 0),vt(this,"status",void 0),vt(this,"error_description",void 0),vt(this,"response",void 0),this.name=this.constructor.name,this.code=Vn,this.cause=t.cause,this.error=t.cause.error,this.status=t.response.status,this.error_description=t.cause.error_description,Object.defineProperty(this,"response",{enumerable:!1,value:t.response}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}class wn extends Error{constructor(e,t){var n,o;super(e,t),vt(this,"cause",void 0),vt(this,"code",void 0),vt(this,"error",void 0),vt(this,"error_description",void 0),this.name=this.constructor.name,this.code=Xn,this.cause=t.cause,this.error=t.cause.get("error"),this.error_description=null!==(n=t.cause.get("error_description"))&&void 0!==n?n:void 0,null===(o=Error.captureStackTrace)||void 0===o||o.call(Error,this,this.constructor)}}class gn extends Error{constructor(e,t){var n;super(e,t),vt(this,"cause",void 0),vt(this,"code",void 0),vt(this,"response",void 0),vt(this,"status",void 0),this.name=this.constructor.name,this.code=Zn,this.cause=t.cause,this.status=t.response.status,this.response=t.response,Object.defineProperty(this,"response",{enumerable:!1}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}const vn="[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+",bn="("+vn+')\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"',_n="("+vn+")\\s*=\\s*("+vn+")",kn=new RegExp("^[,\\s]*("+vn+")"),Sn=new RegExp("^[,\\s]*"+bn+"[,\\s]*(.*)"),Tn=new RegExp("^[,\\s]*"+_n+"[,\\s]*(.*)"),En=new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");async function Pn(e,t,n){if(e.status!==t){let t;var o;if(function(e){let t;if(t=function(e){if(!Rt(e,Response))throw Ot('"response" must be an instance of Response',It);const t=e.headers.get("www-authenticate");if(null===t)return;const n=[];let o=t;for(;o;){var r;let e=o.match(kn);const t=null===(r=e)||void 0===r?void 0:r[1].toLowerCase();if(!t)return;const i=o.substring(e[0].length);if(i&&!i.match(/^[\s,]/))return;const a=i.match(/^\s+(.*)$/),s=!!a;o=a?a[1]:void 0;const c={};let u;if(s)for(;o;){let t,n;if(e=o.match(Sn)){if([,t,n,o]=e,n.includes("\\"))try{n=JSON.parse('"'.concat(n,'"'))}catch(e){}c[t.toLowerCase()]=n}else{if(!(e=o.match(Tn))){if(e=o.match(En)){if(Object.keys(c).length)break;[,u,o]=e;break}return}[,t,n,o]=e,c[t.toLowerCase()]=n}}else o=i||void 0;const l={scheme:t,parameters:c};u&&(l.token68=u),n.push(l)}return n.length?n:void 0}(e))throw new gn("server responded with a challenge in the WWW-Authenticate HTTP Header",{cause:t,response:e})}(e),t=await async function(e){if(e.status>399&&e.status<500){io(e),tn(e);try{const t=await e.clone().json();if(Gt(t)&&"string"==typeof t.error&&t.error.length)return t}catch(e){}}}(e))throw await(null===(o=e.body)||void 0===o?void 0:o.cancel()),new yn("server responded with an error in the response body",{cause:t,response:e});throw Ft('"response" is not a conform '.concat(n," response (unexpected HTTP status code)"),qn,e)}}function An(e){if(!Dn.has(e))throw Ot('"options.DPoP" is not a valid DPoPHandle',xt)}function Rn(e){var t;return null===(t=e.headers.get("content-type"))||void 0===t?void 0:t.split(";")[0]}async function xn(e,t,n,o,r,i,a){return await n(e,t,r,i),i.set("content-type","application/x-www-form-urlencoded;charset=UTF-8"),((null==a?void 0:a[Kt])||fetch)(o.href,{body:r,headers:Object.fromEntries(i.entries()),method:"POST",redirect:"manual",signal:Bt(o,null==a?void 0:a.signal)})}async function In(e,t,n,o,r,i){var a;const s=mn(e,"token_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==i?void 0:i[Ct]));r.set("grant_type",o);const c=Yt(null==i?void 0:i.headers);c.set("accept","application/json"),void 0!==(null==i?void 0:i.DPoP)&&(An(i.DPoP),await i.DPoP.addProof(s,c,"POST"));const u=await xn(e,t,n,s,r,c,i);return null==i||null===(a=i.DPoP)||void 0===a||a.cacheNonce(u,s),u}const On=new WeakMap,Cn=new WeakMap;function jn(e){if(!e.id_token)return;const t=On.get(e);if(!t)throw Ot('"ref" was already garbage collected or did not resolve from the proper sources',xt);return t}async function Wn(e,t,n,o,r,i){if(cn(e),un(t),!Rt(n,Response))throw Ot('"response" must be an instance of Response',It);await Pn(n,200,"Token Endpoint"),io(n);const a=await mo(n);if(en(a.access_token,'"response" body "access_token" property',Yn,{body:a}),en(a.token_type,'"response" body "token_type" property',Yn,{body:a}),a.token_type=a.token_type.toLowerCase(),void 0!==a.expires_in){let e="number"!=typeof a.expires_in?parseFloat(a.expires_in):a.expires_in;$t(e,!0,'"response" body "expires_in" property',Yn,{body:a}),a.expires_in=e}if(void 0!==a.refresh_token&&en(a.refresh_token,'"response" body "refresh_token" property',Yn,{body:a}),void 0!==a.scope&&"string"!=typeof a.scope)throw Ft('"response" body "scope" property must be a string',Yn,{body:a});if(void 0!==a.id_token){en(a.id_token,'"response" body "id_token" property',Yn,{body:a});const i=["aud","exp","iat","iss","sub"];!0===t.require_auth_time&&i.push("auth_time"),void 0!==t.default_max_age&&($t(t.default_max_age,!0,'"client.default_max_age"'),i.push("auth_time")),null!=o&&o.length&&i.push(...o);const{claims:s,jwt:c}=await async function(e,t,n,o,r){let i,a,{0:s,1:c,length:u}=e.split(".");if(5===u){if(void 0===r)throw new Zt("JWE decryption is not configured",{cause:e});e=await r(e),({0:s,1:c,length:u}=e.split("."))}if(3!==u)throw Ft("Invalid JWT",Yn,e);try{i=JSON.parse(zt(Mt(s)))}catch(e){throw Ft("failed to parse JWT Header body as base64url encoded JSON",Gn,e)}if(!Gt(i))throw Ft("JWT Header must be a top level object",Yn,e);if(t(i),void 0!==i.crit)throw new Zt('no JWT "crit" header parameter extensions are supported',{cause:{header:i}});try{a=JSON.parse(zt(Mt(c)))}catch(e){throw Ft("failed to parse JWT Payload body as base64url encoded JSON",Gn,e)}if(!Gt(a))throw Ft("JWT Payload must be a top level object",Yn,e);const l=sn()+n;if(void 0!==a.exp){if("number"!=typeof a.exp)throw Ft('unexpected JWT "exp" (expiration time) claim type',Yn,{claims:a});if(a.exp<=l-o)throw Ft('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp',eo,{claims:a,now:l,tolerance:o,claim:"exp"})}if(void 0!==a.iat&&"number"!=typeof a.iat)throw Ft('unexpected JWT "iat" (issued at) claim type',Yn,{claims:a});if(void 0!==a.iss&&"string"!=typeof a.iss)throw Ft('unexpected JWT "iss" (issuer) claim type',Yn,{claims:a});if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw Ft('unexpected JWT "nbf" (not before) claim type',Yn,{claims:a});if(a.nbf>l+o)throw Ft('unexpected JWT "nbf" (not before) claim value',eo,{claims:a,now:l,tolerance:o,claim:"nbf"})}if(void 0!==a.aud&&"string"!=typeof a.aud&&!Array.isArray(a.aud))throw Ft('unexpected JWT "aud" (audience) claim type',Yn,{claims:a});return{header:i,claims:a,jwt:e}}(a.id_token,uo.bind(void 0,t.id_token_signed_response_alg,e.id_token_signing_alg_values_supported,"RS256"),rn(t),an(t),r).then(zn.bind(void 0,i)).then(Un.bind(void 0,e)).then(Kn.bind(void 0,t.client_id));if(Array.isArray(s.aud)&&1!==s.aud.length){if(void 0===s.azp)throw Ft('ID Token "aud" (audience) claim includes additional untrusted audiences',to,{claims:s,claim:"aud"});if(s.azp!==t.client_id)throw Ft('unexpected ID Token "azp" (authorized party) claim value',to,{expected:t.client_id,claims:s,claim:"azp"})}void 0!==s.auth_time&&$t(s.auth_time,!0,'ID Token "auth_time" (authentication time)',Yn,{claims:s}),Cn.set(n,c),On.set(a,s)}if(void 0!==(null==i?void 0:i[a.token_type]))i[a.token_type](n,a);else if("dpop"!==a.token_type&&"bearer"!==a.token_type)throw new Zt("unsupported `token_type` value",{cause:{body:a}});return a}function Kn(e,t){if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e))throw Ft('unexpected JWT "aud" (audience) claim value',to,{expected:e,claims:t.claims,claim:"aud"})}else if(t.claims.aud!==e)throw Ft('unexpected JWT "aud" (audience) claim value',to,{expected:e,claims:t.claims,claim:"aud"});return t}function Un(e,t){var n,o;const r=null!==(n=null===(o=e[wo])||void 0===o?void 0:o.call(e,t))&&void 0!==n?n:e.issuer;if(t.claims.iss!==r)throw Ft('unexpected JWT "iss" (issuer) claim value',to,{expected:r,claims:t.claims,claim:"iss"});return t}const Dn=new WeakSet;const Nn=Symbol();const Ln={aud:"audience",c_hash:"code hash",client_id:"client id",exp:"expiration time",iat:"issued at",iss:"issuer",jti:"jwt id",nonce:"nonce",s_hash:"state hash",sub:"subject",ath:"access token hash",htm:"http method",htu:"http uri",cnf:"confirmation",auth_time:"authentication time"};function zn(e,t){for(const n of e)if(void 0===t.claims[n])throw Ft('JWT "'.concat(n,'" (').concat(Ln[n],") claim missing"),Yn,{claims:t.claims});return t}const Hn=Symbol(),Jn=Symbol();async function Mn(e,t,n,o){return"string"==typeof(null==o?void 0:o.expectedNonce)||"number"==typeof(null==o?void 0:o.maxAge)||null!=o&&o.requireIdToken?async function(e,t,n,o,r,i,a){const s=[];switch(o){case void 0:o=Hn;break;case Hn:break;default:en(o,'"expectedNonce" argument'),s.push("nonce")}switch(null!=r||(r=t.default_max_age),r){case void 0:r=Jn;break;case Jn:break;default:$t(r,!0,'"maxAge" argument'),s.push("auth_time")}const c=await Wn(e,t,n,s,i,a);en(c.id_token,'"response" body "id_token" property',Yn,{body:c});const u=jn(c);if(r!==Jn){const e=sn()+rn(t),n=an(t);if(u.auth_time+r<e-n)throw Ft("too much time has elapsed since the last End-User authentication",eo,{claims:u,now:e,tolerance:n,claim:"auth_time"})}if(o===Hn){if(void 0!==u.nonce)throw Ft('unexpected ID Token "nonce" claim value',to,{expected:void 0,claims:u,claim:"nonce"})}else if(u.nonce!==o)throw Ft('unexpected ID Token "nonce" claim value',to,{expected:o,claims:u,claim:"nonce"});return c}(e,t,n,o.expectedNonce,o.maxAge,o[Dt],o.recognizedTokenTypes):async function(e,t,n,o,r){const i=await Wn(e,t,n,void 0,o,r),a=jn(i);if(a){if(void 0!==t.default_max_age){$t(t.default_max_age,!0,'"client.default_max_age"');const e=sn()+rn(t),n=an(t);if(a.auth_time+t.default_max_age<e-n)throw Ft("too much time has elapsed since the last End-User authentication",eo,{claims:a,now:e,tolerance:n,claim:"auth_time"})}if(void 0!==a.nonce)throw Ft('unexpected ID Token "nonce" claim value',to,{expected:void 0,claims:a,claim:"nonce"})}return i}(e,t,n,null==o?void 0:o[Dt],null==o?void 0:o.recognizedTokenTypes)}const Zn="OAUTH_WWW_AUTHENTICATE_CHALLENGE",Vn="OAUTH_RESPONSE_BODY_ERROR",Fn="OAUTH_UNSUPPORTED_OPERATION",Xn="OAUTH_AUTHORIZATION_RESPONSE_ERROR",Gn="OAUTH_PARSE_ERROR",Yn="OAUTH_INVALID_RESPONSE",Bn="OAUTH_RESPONSE_IS_NOT_JSON",qn="OAUTH_RESPONSE_IS_NOT_CONFORM",Qn="OAUTH_HTTP_REQUEST_FORBIDDEN",$n="OAUTH_REQUEST_PROTOCOL_FORBIDDEN",eo="OAUTH_JWT_TIMESTAMP_CHECK_FAILED",to="OAUTH_JWT_CLAIM_COMPARISON_FAILED",no="OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED",oo="OAUTH_MISSING_SERVER_METADATA",ro="OAUTH_INVALID_SERVER_METADATA";function io(e){if(e.bodyUsed)throw Ot('"response" body has been used already',xt)}function ao(e){const{algorithm:t}=e;if("number"!=typeof t.modulusLength||t.modulusLength<2048)throw new Zt("unsupported ".concat(t.name," modulusLength"),{cause:e})}function so(e){const{algorithm:t}=e;switch(t.namedCurve){case"P-256":return"SHA-256";case"P-384":return"SHA-384";case"P-521":return"SHA-512";default:throw new Zt("unsupported ECDSA namedCurve",{cause:e})}}async function co(e){if("POST"!==e.method)throw Ot("form_post responses are expected to use the POST method",xt,{cause:e});if("application/x-www-form-urlencoded"!==Rn(e))throw Ot("form_post responses are expected to use the application/x-www-form-urlencoded content-type",xt,{cause:e});return async function(e){if(e.bodyUsed)throw Ot("form_post Request instances must contain a readable body",xt,{cause:e});return e.text()}(e)}function uo(e,t,n,o){if(void 0===e)if(Array.isArray(t)){if(!t.includes(o.alg))throw Ft('unexpected JWT "alg" header parameter',Yn,{header:o,expected:t,reason:"authorization server metadata"})}else{if(void 0===n)throw Ft('missing client or server configuration to verify used JWT "alg" header parameter',void 0,{client:e,issuer:t,fallback:n});if("string"==typeof n?o.alg!==n:"function"==typeof n?!n(o.alg):!n.includes(o.alg))throw Ft('unexpected JWT "alg" header parameter',Yn,{header:o,expected:n,reason:"default value"})}else if("string"==typeof e?o.alg!==e:!e.includes(o.alg))throw Ft('unexpected JWT "alg" header parameter',Yn,{header:o,expected:e,reason:"client configuration"})}function lo(e,t){const{0:n,length:o}=e.getAll(t);if(o>1)throw Ft('"'.concat(t,'" parameter must be provided only once'),Yn);return n}const ho=Symbol(),po=Symbol();function fo(e,t,n,o){if(cn(e),un(t),n instanceof URL&&(n=n.searchParams),!(n instanceof URLSearchParams))throw Ot('"parameters" must be an instance of URLSearchParams, or URL',It);if(lo(n,"response"))throw Ft('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()',Yn,{parameters:n});const r=lo(n,"iss"),i=lo(n,"state");if(!r&&e.authorization_response_iss_parameter_supported)throw Ft('response parameter "iss" (issuer) missing',Yn,{parameters:n});if(r&&r!==e.issuer)throw Ft('unexpected "iss" (issuer) response parameter value',Yn,{expected:e.issuer,parameters:n});switch(o){case void 0:case po:if(void 0!==i)throw Ft('unexpected "state" response parameter encountered',Yn,{expected:void 0,parameters:n});break;case ho:break;default:if(en(o,'"expectedState" argument'),i!==o)throw Ft(void 0===i?'response parameter "state" missing':'unexpected "state" response parameter value',Yn,{expected:o,parameters:n})}if(lo(n,"error"))throw new wn("authorization response from the server is an error",{cause:n});const a=lo(n,"id_token"),s=lo(n,"token");if(void 0!==a||void 0!==s)throw new Zt("implicit and hybrid flows are not supported");return c=new URLSearchParams(n),Dn.add(c),c;var c}async function mo(e){let t,n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:tn;try{t=await e.json()}catch(t){throw n(e),Ft('failed to parse "response" body as JSON',Gn,t)}if(!Gt(t))throw Ft('"response" body must be a top level object',Yn,{body:t});return t}const yo=Symbol(),wo=Symbol(),go=new TextEncoder,vo=new TextDecoder;function bo(e){const t=new Uint8Array(e.length);for(let n=0;n<e.length;n++){const o=e.charCodeAt(n);if(o>127)throw new TypeError("non-ASCII string encountered in encode()");t[n]=o}return t}function _o(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);const t=atob(e),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}function ko(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64("string"==typeof e?e:vo.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=vo.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return _o(t)}catch(e){throw new TypeError("The input to be decoded is not correctly encoded.")}}const So=function(e){return new TypeError("CryptoKey does not support this operation, its ".concat(arguments.length>1&&void 0!==arguments[1]?arguments[1]:"algorithm.name"," must be ").concat(e))},To=(e,t)=>e.name===t;function Eo(e,t){var n;if((n=e.hash,parseInt(n.name.slice(4),10))!==t)throw So("SHA-".concat(t),"algorithm.hash")}function Po(e,t,n){switch(t){case"HS256":case"HS384":case"HS512":if(!To(e.algorithm,"HMAC"))throw So("HMAC");Eo(e.algorithm,parseInt(t.slice(2),10));break;case"RS256":case"RS384":case"RS512":if(!To(e.algorithm,"RSASSA-PKCS1-v1_5"))throw So("RSASSA-PKCS1-v1_5");Eo(e.algorithm,parseInt(t.slice(2),10));break;case"PS256":case"PS384":case"PS512":if(!To(e.algorithm,"RSA-PSS"))throw So("RSA-PSS");Eo(e.algorithm,parseInt(t.slice(2),10));break;case"Ed25519":case"EdDSA":if(!To(e.algorithm,"Ed25519"))throw So("Ed25519");break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":if(!To(e.algorithm,t))throw So(t);break;case"ES256":case"ES384":case"ES512":{if(!To(e.algorithm,"ECDSA"))throw So("ECDSA");const n=function(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==n)throw So(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}!function(e,t){if(t&&!e.usages.includes(t))throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t,"."))}(e,n)}function Ao(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if((o=o.filter(Boolean)).length>2){const t=o.pop();e+="one of type ".concat(o.join(", "),", or ").concat(t,".")}else 2===o.length?e+="one of type ".concat(o[0]," or ").concat(o[1],"."):e+="of type ".concat(o[0],".");if(null==t)e+=" Received ".concat(t);else if("function"==typeof t&&t.name)e+=" Received function ".concat(t.name);else if("object"==typeof t&&null!=t){var i;null!==(i=t.constructor)&&void 0!==i&&i.name&&(e+=" Received an instance of ".concat(t.constructor.name))}return e}const Ro=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];return Ao("Key for the ".concat(e," algorithm must be "),t,...o)};class xo extends Error{constructor(e,t){var n;super(e,t),vt(this,"code","ERR_JOSE_GENERIC"),this.name=this.constructor.name,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}vt(xo,"code","ERR_JOSE_GENERIC");class Io extends xo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),vt(this,"code","ERR_JWT_CLAIM_VALIDATION_FAILED"),vt(this,"claim",void 0),vt(this,"reason",void 0),vt(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}vt(Io,"code","ERR_JWT_CLAIM_VALIDATION_FAILED");class Oo extends xo{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),vt(this,"code","ERR_JWT_EXPIRED"),vt(this,"claim",void 0),vt(this,"reason",void 0),vt(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t}}vt(Oo,"code","ERR_JWT_EXPIRED");class Co extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JOSE_ALG_NOT_ALLOWED")}}vt(Co,"code","ERR_JOSE_ALG_NOT_ALLOWED");class jo extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JOSE_NOT_SUPPORTED")}}vt(jo,"code","ERR_JOSE_NOT_SUPPORTED");vt(class extends xo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"decryption operation failed",arguments.length>1?arguments[1]:void 0),vt(this,"code","ERR_JWE_DECRYPTION_FAILED")}},"code","ERR_JWE_DECRYPTION_FAILED");vt(class extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JWE_INVALID")}},"code","ERR_JWE_INVALID");class Wo extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JWS_INVALID")}}vt(Wo,"code","ERR_JWS_INVALID");class Ko extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JWT_INVALID")}}vt(Ko,"code","ERR_JWT_INVALID");vt(class extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JWK_INVALID")}},"code","ERR_JWK_INVALID");class Uo extends xo{constructor(){super(...arguments),vt(this,"code","ERR_JWKS_INVALID")}}vt(Uo,"code","ERR_JWKS_INVALID");class Do extends xo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"no applicable key found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),vt(this,"code","ERR_JWKS_NO_MATCHING_KEY")}}vt(Do,"code","ERR_JWKS_NO_MATCHING_KEY");class No extends xo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"multiple matching keys found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),vt(this,Symbol.asyncIterator,void 0),vt(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS")}}vt(No,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");class Lo extends xo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"request timed out",arguments.length>1?arguments[1]:void 0),vt(this,"code","ERR_JWKS_TIMEOUT")}}vt(Lo,"code","ERR_JWKS_TIMEOUT");class zo extends xo{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"signature verification failed",arguments.length>1?arguments[1]:void 0),vt(this,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED")}}vt(zo,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");const Ho=e=>{if("CryptoKey"===(null==e?void 0:e[Symbol.toStringTag]))return!0;try{return e instanceof CryptoKey}catch(e){return!1}},Jo=e=>"KeyObject"===(null==e?void 0:e[Symbol.toStringTag]),Mo=e=>Ho(e)||Jo(e);function Zo(e,t,n){try{return ko(e)}catch(e){throw new n("Failed to base64url decode the ".concat(t))}}function Vo(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return!1;var t;if(null===Object.getPrototypeOf(e))return!0;let n=e;for(;null!==Object.getPrototypeOf(n);)n=Object.getPrototypeOf(n);return Object.getPrototypeOf(e)===n}const Fo=e=>Vo(e)&&"string"==typeof e.kty;async function Xo(e,t,n){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(function(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),o=1;o<t;o++)n[o-1]=arguments[o];return Ao("Key must be ",e,...n)}(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:"SHA-".concat(e.slice(-3)),name:"HMAC"},!1,[n])}return Po(t,e,n),t}async function Go(e,t,n,o){const r=await Xo(e,t,"verify");!function(e,t){if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:n}=t.algorithm;if("number"!=typeof n||n<2048)throw new TypeError("".concat(e," requires key modulusLength to be 2048 bits or larger"))}}(e,r);const i=function(e,t){const n="SHA-".concat(e.slice(-3));switch(e){case"HS256":case"HS384":case"HS512":return{hash:n,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:n,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:n,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:n,name:"ECDSA",namedCurve:t.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:e};default:throw new jo("alg ".concat(e," is not supported either by JOSE or your javascript runtime"))}}(e,r.algorithm);try{return await crypto.subtle.verify(i,r,n,o)}catch(e){return!1}}const Yo='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';async function Bo(e){var t,n;if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:o,keyUsages:r}=function(e){let t,n;switch(e.kty){case"AKP":switch(e.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":t={name:e.alg},n=e.priv?["sign"]:["verify"];break;default:throw new jo(Yo)}break;case"RSA":switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(e.alg.slice(-3),10)||1)},n=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new jo(Yo)}break;case"EC":switch(e.alg){case"ES256":case"ES384":case"ES512":t={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[e.alg]},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new jo(Yo)}break;case"OKP":switch(e.alg){case"Ed25519":case"EdDSA":t={name:"Ed25519"},n=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new jo(Yo)}break;default:throw new jo('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:n}}(e),i=_t({},e);return"AKP"!==i.kty&&delete i.alg,delete i.use,crypto.subtle.importKey("jwk",i,o,null!==(t=e.ext)&&void 0!==t?t:!e.d&&!e.priv,null!==(n=e.key_ops)&&void 0!==n?n:r)}const qo="given KeyObject instance cannot be used for this algorithm";let Qo;const $o=async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]&&arguments[3];Qo||(Qo=new WeakMap);let r=Qo.get(e);if(null!=r&&r[n])return r[n];const i=await Bo(_t(_t({},t),{},{alg:n}));return o&&Object.freeze(e),r?r[n]=i:Qo.set(e,{[n]:i}),i};async function er(e,t){if(e instanceof Uint8Array)return e;if(Ho(e))return e;if(Jo(e)){if("secret"===e.type)return e.export();if("toCryptoKey"in e&&"function"==typeof e.toCryptoKey)try{return((e,t)=>{Qo||(Qo=new WeakMap);let n=Qo.get(e);if(null!=n&&n[t])return n[t];const o="public"===e.type,r=!!o;let i;if("x25519"===e.asymmetricKeyType){switch(t){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(qo)}i=e.toCryptoKey(e.asymmetricKeyType,r,o?[]:["deriveBits"])}if("ed25519"===e.asymmetricKeyType){if("EdDSA"!==t&&"Ed25519"!==t)throw new TypeError(qo);i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}switch(e.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError(qo);i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"])}if("rsa"===e.asymmetricKeyType){let n;switch(t){case"RSA-OAEP":n="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":n="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":n="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":n="SHA-512";break;default:throw new TypeError(qo)}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:n},r,o?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:n},r,[o?"verify":"sign"])}if("ec"===e.asymmetricKeyType){var a;const n=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(null===(a=e.asymmetricKeyDetails)||void 0===a?void 0:a.namedCurve);if(!n)throw new TypeError(qo);const s={ES256:"P-256",ES384:"P-384",ES512:"P-521"};s[t]&&n===s[t]&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:n},r,o?[]:["deriveBits"]))}if(!i)throw new TypeError(qo);return n?n[t]=i:Qo.set(e,{[t]:i}),i})(e,t)}catch(e){if(e instanceof TypeError)throw e}let n=e.export({format:"jwk"});return $o(e,n,t)}if(Fo(e))return e.k?ko(e.k):$o(e,e,t,!0);throw new Error("unreachable")}const tr=(e,t)=>{if(e.byteLength!==t.length)return!1;for(let n=0;n<e.byteLength;n++)if(e[n]!==t[n])return!1;return!0},nr=e=>{const t=e.data[e.pos++];if(128&t){const n=127&t;let o=0;for(let t=0;t<n;t++)o=o<<8|e.data[e.pos++];return o}return t},or=(e,t,n)=>{if(e.data[e.pos++]!==t)throw new Error(n)},rr=(e,t)=>{const n=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,n};const ir=e=>{const t=(e=>{or(e,6,"Expected algorithm OID");const t=nr(e);return rr(e,t)})(e);if(tr(t,[43,101,110]))return"X25519";if(!tr(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");or(e,6,"Expected curve OID");const n=nr(e),o=rr(e,n);for(const{name:e,oid:t}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(tr(o,t))return e;throw new Error("Unsupported named curve")},ar=async(e,t,n,o)=>{var r;let i,a;const s="spki"===e,c=()=>s?["verify"]:["sign"];switch(n){case"PS256":case"PS384":case"PS512":i={name:"RSA-PSS",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RS256":case"RS384":case"RS512":i={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(n.slice(-3))},a=c();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":i={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(n.slice(-3),10)||1)},a=s?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":case"ES384":case"ES512":i={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[n]},a=c();break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":try{const e=o.getNamedCurve(t);i="X25519"===e?{name:"X25519"}:{name:"ECDH",namedCurve:e}}catch(e){throw new jo("Invalid or unsupported key format")}a=s?[]:["deriveBits"];break;case"Ed25519":case"EdDSA":i={name:"Ed25519"},a=c();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":i={name:n},a=c();break;default:throw new jo('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,i,null!==(r=null==o?void 0:o.extractable)&&void 0!==r?r:!!s,a)},sr=(e,t,n)=>{var o;const r=((e,t)=>_o(e.replace(t,"")))(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);let i=n;return null!=t&&null!==(o=t.startsWith)&&void 0!==o&&o.call(t,"ECDH-ES")&&(i||(i={}),i.getNamedCurve=e=>{const t={data:e,pos:0};return function(e){or(e,48,"Invalid PKCS#8 structure"),nr(e),or(e,2,"Expected version field");const t=nr(e);e.pos+=t,or(e,48,"Expected algorithm identifier");const n=nr(e);e.pos}(t),ir(t)}),ar("pkcs8",r,t,i)};const cr=e=>null==e?void 0:e[Symbol.toStringTag],ur=(e,t,n)=>{if(void 0!==t.use){let e;switch(n){case"sign":case"verify":e="sig";break;case"encrypt":case"decrypt":e="enc"}if(t.use!==e)throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e,'" when present'))}if(void 0!==t.alg&&t.alg!==e)throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e,'" when present'));if(Array.isArray(t.key_ops)){var o,r;let i;switch(!0){case"sign"===n||"verify"===n:case"dir"===e:case e.includes("CBC-HS"):i=n;break;case e.startsWith("PBES2"):i="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(e):i=!e.includes("GCM")&&e.endsWith("KW")?"encrypt"===n?"wrapKey":"unwrapKey":n;break;case"encrypt"===n&&e.startsWith("RSA"):i="wrapKey";break;case"decrypt"===n:i=e.startsWith("RSA")?"unwrapKey":"deriveBits"}if(i&&!1===(null===(o=t.key_ops)||void 0===o||null===(r=o.includes)||void 0===r?void 0:r.call(o,i)))throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i,'" when present'))}return!0};function lr(e,t,n){switch(e.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":((e,t,n)=>{if(!(t instanceof Uint8Array)){if(Fo(t)){if((e=>"oct"===e.kty&&"string"==typeof e.k)(t)&&ur(e,t,n))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!Mo(t))throw new TypeError(Ro(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if("secret"!==t.type)throw new TypeError("".concat(cr(t),' instances for symmetric algorithms must be of type "secret"'))}})(e,t,n);break;default:((e,t,n)=>{if(Fo(t))switch(n){case"decrypt":case"sign":if((e=>"oct"!==e.kty&&("AKP"===e.kty&&"string"==typeof e.priv||"string"==typeof e.d))(t)&&ur(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if((e=>"oct"!==e.kty&&void 0===e.d&&void 0===e.priv)(t)&&ur(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!Mo(t))throw new TypeError(Ro(e,t,"CryptoKey","KeyObject","JSON Web Key"));if("secret"===t.type)throw new TypeError("".concat(cr(t),' instances for asymmetric algorithms must not be of type "secret"'));if("public"===t.type)switch(n){case"sign":throw new TypeError("".concat(cr(t),' instances for asymmetric algorithm signing must be of type "private"'));case"decrypt":throw new TypeError("".concat(cr(t),' instances for asymmetric algorithm decryption must be of type "private"'))}if("private"===t.type)switch(n){case"verify":throw new TypeError("".concat(cr(t),' instances for asymmetric algorithm verifying must be of type "public"'));case"encrypt":throw new TypeError("".concat(cr(t),' instances for asymmetric algorithm encryption must be of type "public"'))}})(e,t,n)}}var dr,hr;let pr,fr;if("undefined"==typeof navigator||null===(dr=navigator.userAgent)||void 0===dr||null===(hr=dr.startsWith)||void 0===hr||!hr.call(dr,"Mozilla/5.0 ")){const e="v6.8.2";fr="".concat("openid-client","/").concat(e),pr={"user-agent":fr}}const mr=e=>yr.get(e);let yr,wr;function gr(e){return void 0!==e?ln(e):(wr||(wr=new WeakMap),(e,t,n,o)=>{let r;return(r=wr.get(t))||(!function(e,t){if("string"!=typeof e)throw kr("".concat(t," must be a string"),_r);if(0===e.length)throw kr("".concat(t," must not be empty"),br)}(t.client_secret,'"metadata.client_secret"'),r=ln(t.client_secret),wr.set(t,r)),r(e,t,n,o)})}const vr=Kt,br="ERR_INVALID_ARG_VALUE",_r="ERR_INVALID_ARG_TYPE";function kr(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}function Sr(e){return async function(e){return en(e,"codeVerifier"),Mt(await crypto.subtle.digest("SHA-256",zt(e)))}(e)}function Tr(){return nn()}class Er extends Error{constructor(e,t){var n;super(e,t),vt(this,"code",void 0),this.name=this.constructor.name,this.code=null==t?void 0:t.code,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor)}}function Pr(e,t,n){return new Er(e,{cause:t,code:n})}function Ar(e){if(e instanceof TypeError||e instanceof Er||e instanceof yn||e instanceof wn||e instanceof gn)throw e;if(e instanceof Vt)switch(e.code){case Qn:throw Pr("only requests to HTTPS are allowed",e,e.code);case $n:throw Pr("only requests to HTTP or HTTPS are allowed",e,e.code);case qn:throw Pr("unexpected HTTP response status code",e.cause,e.code);case Bn:throw Pr("unexpected response content-type",e.cause,e.code);case Gn:throw Pr("parsing error occured",e,e.code);case Yn:throw Pr("invalid response encountered",e,e.code);case to:throw Pr("unexpected JWT claim value encountered",e,e.code);case no:throw Pr("unexpected JSON attribute value encountered",e,e.code);case eo:throw Pr("JWT timestamp claim value failed validation",e,e.code);default:throw Pr(e.message,e,e.code)}if(e instanceof Zt)throw Pr("unsupported operation",e,e.code);if(e instanceof DOMException)switch(e.name){case"OperationError":throw Pr("runtime operation error",e,Fn);case"NotSupportedError":throw Pr("runtime unsupported operation",e,Fn);case"TimeoutError":throw Pr("operation timed out",e,"OAUTH_TIMEOUT");case"AbortError":throw Pr("operation aborted",e,"OAUTH_ABORT")}throw new Er("something went wrong",{cause:e})}async function Rr(e,t,n,o,r){const i=await async function(e,t){var n,o;if(!(e instanceof URL))throw kr('"server" must be an instance of URL',_r);const r=!e.href.includes("/.well-known/"),i=null!==(n=null==t?void 0:t.timeout)&&void 0!==n?n:30,a=AbortSignal.timeout(1e3*i),s=await(r?Qt(e,{algorithm:null==t?void 0:t.algorithm,[Kt]:null==t?void 0:t[vr],[Ct]:null==t||null===(o=t.execute)||void 0===o?void 0:o.includes(Ur),signal:a,headers:new Headers(pr)}):((null==t?void 0:t[vr])||fetch)((pn(e,null==t||null===(c=t.execute)||void 0===c||!c.includes(Ur)),e.href),{headers:Object.fromEntries(new Headers(_t({accept:"application/json"},pr)).entries()),body:void 0,method:"GET",redirect:"manual",signal:a})).then(e=>async function(e,t){const n=e;if(!(n instanceof URL)&&n!==yo)throw Ot('"expectedIssuerIdentifier" must be an instance of URL',It);if(!Rt(t,Response))throw Ot('"response" must be an instance of Response',It);if(200!==t.status)throw Ft('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)',qn,t);io(t);const o=await mo(t);if(en(o.issuer,'"response" body "issuer" property',Yn,{body:o}),n!==yo&&new URL(o.issuer).href!==n.href)throw Ft('"response" body "issuer" property does not match the expected value',no,{expected:n.href,body:o,attribute:"issuer"});return o}(yo,e)).catch(Ar);var c;r&&new URL(s.issuer).href!==e.href&&(function(e,t,n){return!("https://login.microsoftonline.com"!==e.origin||null!=n&&n.algorithm&&"oidc"!==n.algorithm||(t[xr]=!0,0))}(e,s,t)||function(e,t){return!(!e.hostname.endsWith(".b2clogin.com")||null!=t&&t.algorithm&&"oidc"!==t.algorithm)}(e,t)||(()=>{throw new Er("discovered metadata issuer does not match the expected issuer",{code:no,cause:{expected:e.href,body:s,attribute:"issuer"}})})());return s}(e,r),a=new Ir(i,t,n,o);let s=mr(a);if(null!=r&&r[vr]&&(s.fetch=r[vr]),null!=r&&r.timeout&&(s.timeout=r.timeout),null!=r&&r.execute)for(const e of r.execute)e(a);return a}new TextDecoder;const xr=Symbol();class Ir{constructor(e,t,n,o){var r,i,a,s,c;if("string"!=typeof t||!t.length)throw kr('"clientId" must be a non-empty string',_r);if("string"==typeof n&&(n={client_secret:n}),void 0!==(null===(r=n)||void 0===r?void 0:r.client_id)&&t!==n.client_id)throw kr('"clientId" and "metadata.client_id" must be the same',br);const u=_t(_t({},structuredClone(n)),{},{client_id:t});let l;u[jt]=null!==(i=null===(a=n)||void 0===a?void 0:a[jt])&&void 0!==i?i:0,u[Wt]=null!==(s=null===(c=n)||void 0===c?void 0:c[Wt])&&void 0!==s?s:30,l=o||("string"==typeof u.client_secret&&u.client_secret.length?gr(u.client_secret):(e,t,n,o)=>{n.set("client_id",t.client_id)});let d=Object.freeze(u);const h=structuredClone(e);xr in e&&(h[wo]=t=>{let{claims:{tid:n}}=t;return e.issuer.replace("{tenantid}",n)});let p=Object.freeze(h);yr||(yr=new WeakMap),yr.set(this,{__proto__:null,as:p,c:d,auth:l,tlsOnly:!0,jwksCache:{}})}serverMetadata(){const e=structuredClone(mr(this).as);return function(e){Object.defineProperties(e,function(e){return{supportsPKCE:{__proto__:null,value(){var t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"S256";return!0===(null===(t=e.code_challenge_methods_supported)||void 0===t?void 0:t.includes(n))}}}}(e))}(e),e}clientMetadata(){return structuredClone(mr(this).c)}get timeout(){return mr(this).timeout}set timeout(e){mr(this).timeout=e}get[vr](){return mr(this).fetch}set[vr](e){mr(this).fetch=e}}function Or(e){Object.defineProperties(e,function(e){let t;if(void 0!==e.expires_in){const n=new Date;n.setSeconds(n.getSeconds()+e.expires_in),t=n.getTime()}return{expiresIn:{__proto__:null,value(){if(t){const e=Date.now();return t>e?Math.floor((t-e)/1e3):0}}},claims:{__proto__:null,value(){try{return jn(this)}catch(e){return}}}}}(e))}async function Cr(e,t,n){var o;let r=arguments.length>3&&void 0!==arguments[3]&&arguments[3];const i=null===(o=e.headers.get("retry-after"))||void 0===o?void 0:o.trim();if(void 0===i)return;let a;if(/^\d+$/.test(i))a=parseInt(i,10);else{const e=new Date(i);if(Number.isFinite(e.getTime())){const t=new Date,n=e.getTime()-t.getTime();n>0&&(a=Math.ceil(n/1e3))}}if(r&&!Number.isFinite(a))throw new Vt("invalid Retry-After header value",{cause:e});a>t&&await jr(a-t,n)}function jr(e,t){return new Promise((n,o)=>{const r=e=>{try{t.throwIfAborted()}catch(e){return void o(e)}if(e<=0)return void n();const i=Math.min(e,5);setTimeout(()=>r(e-i),1e3*i)};r(e)})}async function Wr(e,t){Jr(e);const{as:n,c:o,auth:r,fetch:i,tlsOnly:a,timeout:s}=mr(e);return async function(e,t,n,o,r){cn(e),un(t);const i=mn(e,"backchannel_authentication_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[Ct])),a=new URLSearchParams(o);a.set("client_id",t.client_id);const s=Yt(null==r?void 0:r.headers);return s.set("accept","application/json"),xn(e,t,n,i,a,s,r)}(n,o,r,t,{[Kt]:i,[Ct]:!a,headers:new Headers(pr),signal:Mr(s)}).then(e=>async function(e,t,n){if(cn(e),un(t),!Rt(n,Response))throw Ot('"response" must be an instance of Response',It);await Pn(n,200,"Backchannel Authentication Endpoint"),io(n);const o=await mo(n);en(o.auth_req_id,'"response" body "auth_req_id" property',Yn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return $t(r,!0,'"response" body "expires_in" property',Yn,{body:o}),o.expires_in=r,void 0!==o.interval&&$t(o.interval,!1,'"response" body "interval" property',Yn,{body:o}),o}(n,o,e)).catch(Ar)}async function Kr(e,t,n,o){var r,i;Jr(e),n=new URLSearchParams(n);let a=null!==(r=t.interval)&&void 0!==r?r:5;const s=null!==(i=null==o?void 0:o.signal)&&void 0!==i?i:AbortSignal.timeout(1e3*t.expires_in);try{await jr(a,s)}catch(e){Ar(e)}const{as:c,c:u,auth:l,fetch:d,tlsOnly:h,nonRepudiation:p,timeout:f,decrypt:m}=mr(e),y=(r,i)=>Kr(e,_t(_t({},t),{},{interval:r}),n,_t(_t({},o),{},{signal:s,flag:i})),w=await async function(e,t,n,o,r){cn(e),un(t),en(o,'"authReqId"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("auth_req_id",o),In(e,t,n,"urn:openid:params:grant-type:ciba",i,r)}(c,u,l,t.auth_req_id,{[Kt]:d,[Ct]:!h,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(pr),signal:s.aborted?s:Mr(f)}).catch(Ar);var g;if(503===w.status&&w.headers.has("retry-after"))return await Cr(w,a,s,!0),await(null===(g=w.body)||void 0===g?void 0:g.cancel()),y(a);const v=async function(e,t,n,o){return Wn(e,t,n,void 0,null==o?void 0:o[Dt],null==o?void 0:o.recognizedTokenTypes)}(c,u,w,{[Dt]:m});let b;try{b=await v}catch(e){if(Zr(e,o))return y(a,Vr);if(e instanceof yn)switch(e.error){case"slow_down":a+=5;case"authorization_pending":return await Cr(e.response,a,s),y(a)}Ar(e)}return b.id_token&&await(null==p?void 0:p(w)),Or(b),b}function Ur(e){mr(e).tlsOnly=!1}async function Dr(e,t,n,o,r){if(Jr(e),!((null==r?void 0:r.flag)===Vr||t instanceof URL||function(e,t){try{return Object.getPrototypeOf(e)[Symbol.toStringTag]===t}catch(e){return!1}}(t,"Request")))throw kr('"currentUrl" must be an instance of URL, or Request',_r);let i,a;const{as:s,c:c,auth:u,fetch:l,tlsOnly:d,jarm:h,hybrid:p,nonRepudiation:f,timeout:m,decrypt:y,implicit:w}=mr(e);if((null==r?void 0:r.flag)===Vr)i=r.authResponse,a=r.redirectUri;else{if(!(t instanceof URL)){const e=t;switch(t=new URL(t.url),e.method){case"GET":break;case"POST":const n=new URLSearchParams(await co(e));if(p)t.hash=n.toString();else for(const[e,o]of n.entries())t.searchParams.append(e,o);break;default:throw kr("unexpected Request HTTP method",br)}}switch(a=function(e){return(e=new URL(e)).search="",e.hash="",e.href}(t),!0){case!!h:i=await h(t,null==n?void 0:n.expectedState);break;case!!p:i=await p(t,null==n?void 0:n.expectedNonce,null==n?void 0:n.expectedState,null==n?void 0:n.maxAge);break;case!!w:throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");default:try{i=fo(s,c,t.searchParams,null==n?void 0:n.expectedState)}catch(e){Ar(e)}}}const g=await async function(e,t,n,o,r,i,a){if(cn(e),un(t),!Dn.has(o))throw Ot('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()',xt);en(r,'"redirectUri"');const s=lo(o,"code");if(!s)throw Ft('no authorization code in "callbackParameters"',Yn);const c=new URLSearchParams(null==a?void 0:a.additionalParameters);return c.set("redirect_uri",r),c.set("code",s),i!==Nn&&(en(i,'"codeVerifier"'),c.set("code_verifier",i)),In(e,t,n,"authorization_code",c,a)}(s,c,u,i,a,(null==n?void 0:n.pkceCodeVerifier)||Nn,{additionalParameters:o,[Kt]:l,[Ct]:!d,DPoP:null==r?void 0:r.DPoP,headers:new Headers(pr),signal:Mr(m)}).catch(Ar);"string"!=typeof(null==n?void 0:n.expectedNonce)&&"number"!=typeof(null==n?void 0:n.maxAge)||(n.idTokenExpected=!0);const v=Mn(s,c,g,{expectedNonce:null==n?void 0:n.expectedNonce,maxAge:null==n?void 0:n.maxAge,requireIdToken:null==n?void 0:n.idTokenExpected,[Dt]:y});let b;try{b=await v}catch(t){if(Zr(t,r))return Dr(e,void 0,n,o,_t(_t({},r),{},{flag:Vr,authResponse:i,redirectUri:a}));Ar(t)}return b.id_token&&await(null==f?void 0:f(g)),Or(b),b}async function Nr(e,t,n,o){Jr(e),n=new URLSearchParams(n);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,nonRepudiation:u,timeout:l,decrypt:d}=mr(e),h=await async function(e,t,n,o,r){cn(e),un(t),en(o,'"refreshToken"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("refresh_token",o),In(e,t,n,"refresh_token",i,r)}(r,i,a,t,{[Kt]:s,[Ct]:!c,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(pr),signal:Mr(l)}).catch(Ar),p=async function(e,t,n,o){return Wn(e,t,n,void 0,null==o?void 0:o[Dt],null==o?void 0:o.recognizedTokenTypes)}(r,i,h,{[Dt]:d});let f;try{f=await p}catch(r){if(Zr(r,o))return Nr(e,t,n,_t(_t({},o),{},{flag:Vr}));Ar(r)}return f.id_token&&await(null==u?void 0:u(h)),Or(f),f}async function Lr(e,t,n){Jr(e),t=new URLSearchParams(t);const{as:o,c:r,auth:i,fetch:a,tlsOnly:s,timeout:c}=mr(e),u=await async function(e,t,n,o,r){return cn(e),un(t),In(e,t,n,"client_credentials",new URLSearchParams(o),r)}(o,r,i,t,{[Kt]:a,[Ct]:!s,DPoP:null==n?void 0:n.DPoP,headers:new Headers(pr),signal:Mr(c)}).catch(Ar),l=async function(e,t,n,o){return Wn(e,t,n,void 0,null==o?void 0:o[Dt],null==o?void 0:o.recognizedTokenTypes)}(o,r,u);let d;try{d=await l}catch(o){if(Zr(o,n))return Lr(e,t,_t(_t({},n),{},{flag:Vr}));Ar(o)}return Or(d),d}function zr(e,t){Jr(e);const{as:n,c:o,tlsOnly:r,hybrid:i,jarm:a,implicit:s}=mr(e),c=mn(n,"authorization_endpoint",!1,r);if((t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id),!t.has("request_uri")&&!t.has("request")){if(t.has("response_type")||t.set("response_type",i?"code id_token":s?"id_token":"code"),s&&!t.has("nonce"))throw kr("response_type=id_token clients must provide a nonce parameter in their authorization request parameters",br);a&&t.set("response_mode","jwt")}for(const[e,n]of t.entries())c.searchParams.append(e,n);return c}async function Hr(e,t,n){Jr(e);const o=zr(e,t),{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u}=mr(e),l=await async function(e,t,n,o,r){var i;cn(e),un(t);const a=mn(e,"pushed_authorization_request_endpoint",t.use_mtls_endpoint_aliases,!0!==(null==r?void 0:r[Ct])),s=new URLSearchParams(o);s.set("client_id",t.client_id);const c=Yt(null==r?void 0:r.headers);c.set("accept","application/json"),void 0!==(null==r?void 0:r.DPoP)&&(An(r.DPoP),await r.DPoP.addProof(a,c,"POST"));const u=await xn(e,t,n,a,s,c,r);return null==r||null===(i=r.DPoP)||void 0===i||i.cacheNonce(u,a),u}(r,i,a,o.searchParams,{[Kt]:s,[Ct]:!c,DPoP:null==n?void 0:n.DPoP,headers:new Headers(pr),signal:Mr(u)}).catch(Ar),d=async function(e,t,n){if(cn(e),un(t),!Rt(n,Response))throw Ot('"response" must be an instance of Response',It);await Pn(n,201,"Pushed Authorization Request Endpoint"),io(n);const o=await mo(n);en(o.request_uri,'"response" body "request_uri" property',Yn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return $t(r,!0,'"response" body "expires_in" property',Yn,{body:o}),o.expires_in=r,o}(r,i,l);let h;try{h=await d}catch(o){if(Zr(o,n))return Hr(e,t,_t(_t({},n),{},{flag:Vr}));Ar(o)}return zr(e,{request_uri:h.request_uri})}function Jr(e){if(!(e instanceof Ir))throw kr('"config" must be an instance of Configuration',_r);if(Object.getPrototypeOf(e)!==Ir.prototype)throw kr("subclassing Configuration is not allowed",br)}function Mr(e){return e?AbortSignal.timeout(1e3*e):void 0}function Zr(e,t){return!(null==t||!t.DPoP||t.flag===Vr)&&function(e){if(e instanceof gn){const{0:t,length:n}=e.cause;return 1===n&&"dpop"===t.scheme&&"use_dpop_nonce"===t.parameters.error}return e instanceof yn&&"use_dpop_nonce"===e.error}(e)}Object.freeze(Ir.prototype);const Vr=Symbol();async function Fr(e,t,n,o){Jr(e);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u,decrypt:l}=mr(e),d=await async function(e,t,n,o,r,i){return cn(e),un(t),en(o,'"grantType"'),In(e,t,n,o,new URLSearchParams(r),i)}(r,i,a,t,new URLSearchParams(n),{[Kt]:s,[Ct]:!c,DPoP:null==o?void 0:o.DPoP,headers:new Headers(pr),signal:Mr(u)}).then(e=>{let n;return"urn:ietf:params:oauth:grant-type:token-exchange"===t&&(n={n_a:()=>{}}),async function(e,t,n,o){return Wn(e,t,n,void 0,null==o?void 0:o[Dt],null==o?void 0:o.recognizedTokenTypes)}(r,i,e,{[Dt]:l,recognizedTokenTypes:n})}).catch(Ar);return Or(d),d}async function Xr(e,t,n){if(!Vo(e))throw new Wo("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new Wo('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new Wo("JWS Protected Header incorrect type");if(void 0===e.payload)throw new Wo("JWS Payload missing");if("string"!=typeof e.signature)throw new Wo("JWS Signature missing or incorrect type");if(void 0!==e.header&&!Vo(e.header))throw new Wo("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{const t=ko(e.protected);o=JSON.parse(vo.decode(t))}catch(e){throw new Wo("JWS Protected Header is invalid")}if(!function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.filter(Boolean);if(0===o.length||1===o.length)return!0;let r;for(const e of o){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return!1;r.add(e)}else r=new Set(t)}return!0}(o,e.header))throw new Wo("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r=_t(_t({},o),e.header),i=function(e,t,n,o,r){if(void 0!==r.crit&&void 0===(null==o?void 0:o.crit))throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||void 0===o.crit)return new Set;if(!Array.isArray(o.crit)||0===o.crit.length||o.crit.some(e=>"string"!=typeof e||0===e.length))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==n?new Map([...Object.entries(n),...t.entries()]):t;for(const t of o.crit){if(!i.has(t))throw new jo('Extension Header Parameter "'.concat(t,'" is not recognized'));if(void 0===r[t])throw new e('Extension Header Parameter "'.concat(t,'" is missing'));if(i.get(t)&&void 0===o[t])throw new e('Extension Header Parameter "'.concat(t,'" MUST be integrity protected'))}return new Set(o.crit)}(Wo,new Map([["b64",!0]]),null==n?void 0:n.crit,o,r);let a=!0;if(i.has("b64")&&(a=o.b64,"boolean"!=typeof a))throw new Wo('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:s}=r;if("string"!=typeof s||!s)throw new Wo('JWS "alg" (Algorithm) Header Parameter missing or invalid');const c=n&&function(e,t){if(void 0!==t&&(!Array.isArray(t)||t.some(e=>"string"!=typeof e)))throw new TypeError('"'.concat(e,'" option must be an array of strings'));if(t)return new Set(t)}("algorithms",n.algorithms);if(c&&!c.has(s))throw new Co('"alg" (Algorithm) Header Parameter value not allowed');if(a){if("string"!=typeof e.payload)throw new Wo("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new Wo("JWS Payload must be a string or an Uint8Array instance");let u=!1;"function"==typeof t&&(t=await t(o,e),u=!0),lr(s,t,"verify");const l=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.reduce((e,t)=>{let{length:n}=t;return e+n},0),r=new Uint8Array(o);let i=0;for(const e of t)r.set(e,i),i+=e.length;return r}(void 0!==e.protected?bo(e.protected):new Uint8Array,bo("."),"string"==typeof e.payload?a?bo(e.payload):go.encode(e.payload):e.payload),d=Zo(e.signature,"signature",Wo),h=await er(t,s);if(!await Go(s,h,d,l))throw new zo;let p;p=a?Zo(e.payload,"payload",Wo):"string"==typeof e.payload?go.encode(e.payload):e.payload;const f={payload:p};return void 0!==e.protected&&(f.protectedHeader=o),void 0!==e.header&&(f.unprotectedHeader=e.header),u?_t(_t({},f),{},{key:h}):f}const Gr=86400,Yr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function Br(e){const t=Yr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");const n=parseFloat(t[2]);let o;switch(t[3].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(n);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(60*n);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(3600*n);break;case"day":case"days":case"d":o=Math.round(n*Gr);break;case"week":case"weeks":case"w":o=Math.round(604800*n);break;default:o=Math.round(31557600*n)}return"-"===t[1]||"ago"===t[4]?-o:o}const qr=e=>e.includes("/")?e.toLowerCase():"application/".concat(e.toLowerCase());function Qr(e,t){let n,o=arguments.length>2&&void 0!==arguments[2]?arguments[2]:{};try{n=JSON.parse(vo.decode(t))}catch(e){}if(!Vo(n))throw new Ko("JWT Claims Set must be a top-level JSON object");const{typ:r}=o;if(r&&("string"!=typeof e.typ||qr(e.typ)!==qr(r)))throw new Io('unexpected "typ" JWT header value',n,"typ","check_failed");const{requiredClaims:i=[],issuer:a,subject:s,audience:c,maxTokenAge:u}=o,l=[...i];void 0!==u&&l.push("iat"),void 0!==c&&l.push("aud"),void 0!==s&&l.push("sub"),void 0!==a&&l.push("iss");for(const e of new Set(l.reverse()))if(!(e in n))throw new Io('missing required "'.concat(e,'" claim'),n,e,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new Io('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new Io('unexpected "sub" claim value',n,"sub","check_failed");if(c&&(d=n.aud,h="string"==typeof c?[c]:c,!("string"==typeof d?h.includes(d):Array.isArray(d)&&h.some(Set.prototype.has.bind(new Set(d))))))throw new Io('unexpected "aud" claim value',n,"aud","check_failed");var d,h;let p;switch(typeof o.clockTolerance){case"string":p=Br(o.clockTolerance);break;case"number":p=o.clockTolerance;break;case"undefined":p=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:f}=o,m=(y=f||new Date,Math.floor(y.getTime()/1e3));var y;if((void 0!==n.iat||u)&&"number"!=typeof n.iat)throw new Io('"iat" claim must be a number',n,"iat","invalid");if(void 0!==n.nbf){if("number"!=typeof n.nbf)throw new Io('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>m+p)throw new Io('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(void 0!==n.exp){if("number"!=typeof n.exp)throw new Io('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=m-p)throw new Oo('"exp" claim timestamp check failed',n,"exp","check_failed")}if(u){const e=m-n.iat;if(e-p>("number"==typeof u?u:Br(u)))throw new Oo('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(e<0-p)throw new Io('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n}async function $r(e,t,n){var o;const r=await async function(e,t,n){if(e instanceof Uint8Array&&(e=vo.decode(e)),"string"!=typeof e)throw new Wo("Compact JWS must be a string or Uint8Array");const{0:o,1:r,2:i,length:a}=e.split(".");if(3!==a)throw new Wo("Invalid Compact JWS");const s=await Xr({payload:r,protected:o,signature:i},t,n),c={payload:s.payload,protectedHeader:s.protectedHeader};return"function"==typeof t?_t(_t({},c),{},{key:s.key}):c}(e,t,n);if(null!==(o=r.protectedHeader.crit)&&void 0!==o&&o.includes("b64")&&!1===r.protectedHeader.b64)throw new Ko("JWTs MUST NOT use unencoded payload");const i={payload:Qr(r.protectedHeader,r.payload,n),protectedHeader:r.protectedHeader};return"function"==typeof t?_t(_t({},i),{},{key:r.key}):i}function ei(e){return Vo(e)}var ti,ni,oi=new WeakMap,ri=new WeakMap;class ii{constructor(e){if(wt(this,oi,void 0),wt(this,ri,new WeakMap),!function(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(ei)}(e))throw new Uo("JSON Web Key Set malformed");gt(oi,this,structuredClone(e))}jwks(){return yt(oi,this)}async getKey(e,t){const{alg:n,kid:o}=_t(_t({},e),null==t?void 0:t.header),r=function(e){switch("string"==typeof e&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";case"ML":return"AKP";default:throw new jo('Unsupported "alg" value for a JSON Web Key Set')}}(n),i=yt(oi,this).keys.filter(e=>{let t=r===e.kty;if(t&&"string"==typeof o&&(t=o===e.kid),!t||"string"!=typeof e.alg&&"AKP"!==r||(t=n===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t)switch(n){case"ES256":t="P-256"===e.crv;break;case"ES384":t="P-384"===e.crv;break;case"ES512":t="P-521"===e.crv;break;case"Ed25519":case"EdDSA":t="Ed25519"===e.crv}return t}),{0:a,length:s}=i;if(0===s)throw new Do;if(1!==s){const e=new No,t=yt(ri,this);throw e[Symbol.asyncIterator]=St(function*(){for(const e of i)try{yield yield ft(ai(t,e,n))}catch(e){}}),e}return ai(yt(ri,this),a,n)}}async function ai(e,t,n){const o=e.get(t)||e.set(t,{}).get(t);if(void 0===o[n]){const e=await async function(e,t,n){var o;if(!Vo(e))throw new TypeError("JWK must be an object");let r;switch(null!=t||(t=e.alg),null!=r||(r=null!==(o=null==n?void 0:n.extractable)&&void 0!==o?o:e.ext),e.kty){case"oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return ko(e.k);case"RSA":if("oth"in e&&void 0!==e.oth)throw new jo('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');return Bo(_t(_t({},e),{},{alg:t,ext:r}));case"AKP":if("string"!=typeof e.alg||!e.alg)throw new TypeError('missing "alg" (Algorithm) Parameter value');if(void 0!==t&&t!==e.alg)throw new TypeError("JWK alg and alg option value mismatch");return Bo(_t(_t({},e),{},{ext:r}));case"EC":case"OKP":return Bo(_t(_t({},e),{},{alg:t,ext:r}));default:throw new jo('Unsupported "kty" (Key Type) Parameter value')}}(_t(_t({},t),{},{ext:!0}),n);if(e instanceof Uint8Array||"public"!==e.type)throw new Uo("JSON Web Key Set members must be public keys");o[n]=e}return o[n]}function si(e){const t=new ii(e),n=async(e,n)=>t.getKey(e,n);return Object.defineProperties(n,{jwks:{value:()=>structuredClone(t.jwks()),enumerable:!1,configurable:!1,writable:!1}}),n}let ci;if("undefined"==typeof navigator||null===(ti=navigator.userAgent)||void 0===ti||null===(ni=ti.startsWith)||void 0===ni||!ni.call(ti,"Mozilla/5.0 ")){const e="v6.2.2";ci="".concat("jose","/").concat(e)}const ui=Symbol();const li=Symbol();var di=new WeakMap,hi=new WeakMap,pi=new WeakMap,fi=new WeakMap,mi=new WeakMap,yi=new WeakMap,wi=new WeakMap,gi=new WeakMap,vi=new WeakMap,bi=new WeakMap;class _i{constructor(e,t){if(wt(this,di,void 0),wt(this,hi,void 0),wt(this,pi,void 0),wt(this,fi,void 0),wt(this,mi,void 0),wt(this,yi,void 0),wt(this,wi,void 0),wt(this,gi,void 0),wt(this,vi,void 0),wt(this,bi,void 0),!(e instanceof URL))throw new TypeError("url must be an instance of URL");var n,o;gt(di,this,new URL(e.href)),gt(hi,this,"number"==typeof(null==t?void 0:t.timeoutDuration)?null==t?void 0:t.timeoutDuration:5e3),gt(pi,this,"number"==typeof(null==t?void 0:t.cooldownDuration)?null==t?void 0:t.cooldownDuration:3e4),gt(fi,this,"number"==typeof(null==t?void 0:t.cacheMaxAge)?null==t?void 0:t.cacheMaxAge:6e5),gt(wi,this,new Headers(null==t?void 0:t.headers)),ci&&!yt(wi,this).has("User-Agent")&&yt(wi,this).set("User-Agent",ci),yt(wi,this).has("accept")||(yt(wi,this).set("accept","application/json"),yt(wi,this).append("accept","application/jwk-set+json")),gt(gi,this,null==t?void 0:t[ui]),void 0!==(null==t?void 0:t[li])&&(gt(bi,this,null==t?void 0:t[li]),n=null==t?void 0:t[li],o=yt(fi,this),"object"==typeof n&&null!==n&&"uat"in n&&"number"==typeof n.uat&&!(Date.now()-n.uat>=o)&&"jwks"in n&&Vo(n.jwks)&&Array.isArray(n.jwks.keys)&&Array.prototype.every.call(n.jwks.keys,Vo)&&(gt(mi,this,yt(bi,this).uat),gt(vi,this,si(yt(bi,this).jwks))))}pendingFetch(){return!!yt(yi,this)}coolingDown(){return"number"==typeof yt(mi,this)&&Date.now()<yt(mi,this)+yt(pi,this)}fresh(){return"number"==typeof yt(mi,this)&&Date.now()<yt(mi,this)+yt(fi,this)}jwks(){var e;return null===(e=yt(vi,this))||void 0===e?void 0:e.jwks()}async getKey(e,t){yt(vi,this)&&this.fresh()||await this.reload();try{return await yt(vi,this).call(this,e,t)}catch(n){if(n instanceof Do&&!1===this.coolingDown())return await this.reload(),yt(vi,this).call(this,e,t);throw n}}async reload(){yt(yi,this)&&("undefined"!=typeof WebSocketPair||"undefined"!=typeof navigator&&"Cloudflare-Workers"===navigator.userAgent||"undefined"!=typeof EdgeRuntime&&"vercel"===EdgeRuntime)&&gt(yi,this,void 0),yt(yi,this)||gt(yi,this,async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:fetch;const r=await o(e,{method:"GET",signal:n,redirect:"manual",headers:t}).catch(e=>{if("TimeoutError"===e.name)throw new Lo;throw e});if(200!==r.status)throw new xo("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await r.json()}catch(e){throw new xo("Failed to parse the JSON Web Key Set HTTP response as JSON")}}(yt(di,this).href,yt(wi,this),AbortSignal.timeout(yt(hi,this)),yt(gi,this)).then(e=>{gt(vi,this,si(e)),yt(bi,this)&&(yt(bi,this).uat=Date.now(),yt(bi,this).jwks=e),gt(mi,this,Date.now()),gt(yi,this,void 0)}).catch(e=>{throw gt(yi,this,void 0),e})),await yt(yi,this)}}const ki=["mfaToken"],Si=["mfaToken"];var Ti,Ei,Pi,Ai,Ri,xi,Ii,Oi,Ci,ji,Wi,Ki,Ui,Di,Ni,Li,zi=class extends Error{constructor(e,t){super(t),vt(this,"code",void 0),this.name="NotSupportedError",this.code=e}},Hi=class extends Error{constructor(e,t,n){super(t),vt(this,"cause",void 0),vt(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},Ji=class extends Hi{constructor(e,t){super("token_by_code_error",e,t),this.name="TokenByCodeError"}},Mi=class extends Hi{constructor(e,t){super("token_by_client_credentials_error",e,t),this.name="TokenByClientCredentialsError"}},Zi=class extends Hi{constructor(e,t){super("token_by_refresh_token_error",e,t),this.name="TokenByRefreshTokenError"}},Vi=class extends Hi{constructor(e,t){super("token_by_password_error",e,t),this.name="TokenByPasswordError"}},Fi=class extends Hi{constructor(e,t){super("token_for_connection_error",e,t),this.name="TokenForConnectionErrorCode"}},Xi=class extends Hi{constructor(e,t){super("token_exchange_error",e,t),this.name="TokenExchangeError"}},Gi=class extends Error{constructor(e){super(e),vt(this,"code","verify_logout_token_error"),this.name="VerifyLogoutTokenError"}},Yi=class extends Hi{constructor(e){super("backchannel_authentication_error","There was an error when trying to use Client-Initiated Backchannel Authentication.",e),vt(this,"code","backchannel_authentication_error"),this.name="BackchannelAuthenticationError"}},Bi=class extends Hi{constructor(e){super("build_authorization_url_error","There was an error when trying to build the authorization URL.",e),this.name="BuildAuthorizationUrlError"}},qi=class extends Hi{constructor(e){super("build_link_user_url_error","There was an error when trying to build the Link User URL.",e),this.name="BuildLinkUserUrlError"}},Qi=class extends Hi{constructor(e){super("build_unlink_user_url_error","There was an error when trying to build the Unlink User URL.",e),this.name="BuildUnlinkUserUrlError"}},$i=class extends Error{constructor(){super("The client secret or client assertion signing key must be provided."),vt(this,"code","missing_client_auth_error"),this.name="MissingClientAuthError"}};function ea(e){return Object.entries(e).filter(e=>{let[,t]=e;return void 0!==t}).reduce((e,t)=>_t(_t({},e),{},{[t[0]]:t[1]}),{})}var ta=class extends Error{constructor(e,t,n){super(t),vt(this,"cause",void 0),vt(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message}}},na=class extends ta{constructor(e,t){super("mfa_list_authenticators_error",e,t),this.name="MfaListAuthenticatorsError"}},oa=class extends ta{constructor(e,t){super("mfa_enrollment_error",e,t),this.name="MfaEnrollmentError"}},ra=class extends ta{constructor(e,t){super("mfa_delete_authenticator_error",e,t),this.name="MfaDeleteAuthenticatorError"}},ia=class extends ta{constructor(e,t){super("mfa_challenge_error",e,t),this.name="MfaChallengeError"}};function aa(e){return{id:e.id,authenticatorType:e.authenticator_type,active:e.active,name:e.name,oobChannels:e.oob_channels,type:e.type}}var sa=(Ti=new WeakMap,Ei=new WeakMap,Pi=new WeakMap,class{constructor(e){var t;wt(this,Ti,void 0),wt(this,Ei,void 0),wt(this,Pi,void 0),gt(Ti,this,"https://".concat(e.domain)),gt(Ei,this,e.clientId),gt(Pi,this,null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)})}async listAuthenticators(e){const t="".concat(yt(Ti,this),"/mfa/authenticators"),{mfaToken:n}=e,o=await yt(Pi,this).call(this,t,{method:"GET",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!o.ok){const e=await o.json();throw new na(e.error_description||"Failed to list authenticators",e)}return(await o.json()).map(aa)}async enrollAuthenticator(e){const t="".concat(yt(Ti,this),"/mfa/associate"),{mfaToken:n}=e,o=kt(e,ki),r={authenticator_types:o.authenticatorTypes};"oobChannels"in o&&(r.oob_channels=o.oobChannels),"phoneNumber"in o&&o.phoneNumber&&(r.phone_number=o.phoneNumber),"email"in o&&o.email&&(r.email=o.email);const i=await yt(Pi,this).call(this,t,{method:"POST",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new oa(e.error_description||"Failed to enroll authenticator",e)}return function(e){if("otp"===e.authenticator_type)return{authenticatorType:"otp",secret:e.secret,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes,id:e.id};if("oob"===e.authenticator_type)return{authenticatorType:"oob",oobChannel:e.oob_channel,oobCode:e.oob_code,bindingMethod:e.binding_method,id:e.id,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes};throw new Error("Unexpected authenticator type: ".concat(e.authenticator_type))}(await i.json())}async deleteAuthenticator(e){const{authenticatorId:t,mfaToken:n}=e,o="".concat(yt(Ti,this),"/mfa/authenticators/").concat(encodeURIComponent(t)),r=await yt(Pi,this).call(this,o,{method:"DELETE",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!r.ok){const e=await r.json();throw new ra(e.error_description||"Failed to delete authenticator",e)}}async challengeAuthenticator(e){const t="".concat(yt(Ti,this),"/mfa/challenge"),{mfaToken:n}=e,o=kt(e,Si),r={mfa_token:n,client_id:yt(Ei,this),challenge_type:o.challengeType};o.authenticatorId&&(r.authenticator_id=o.authenticatorId);const i=await yt(Pi,this).call(this,t,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new ia(e.error_description||"Failed to challenge authenticator",e)}return function(e){const t={challengeType:e.challenge_type};return void 0!==e.oob_code&&(t.oobCode=e.oob_code),void 0!==e.binding_method&&(t.bindingMethod=e.binding_method),t}(await i.json())}});var ca=class e{constructor(e,t,n,o,r,i,a){vt(this,"accessToken",void 0),vt(this,"idToken",void 0),vt(this,"refreshToken",void 0),vt(this,"expiresAt",void 0),vt(this,"scope",void 0),vt(this,"claims",void 0),vt(this,"authorizationDetails",void 0),vt(this,"tokenType",void 0),vt(this,"issuedTokenType",void 0),this.accessToken=e,this.idToken=n,this.refreshToken=o,this.expiresAt=t,this.scope=r,this.claims=i,this.authorizationDetails=a}static fromTokenEndpointResponse(t){const n=t.id_token?t.claims():void 0,o=new e(t.access_token,Math.floor(Date.now()/1e3)+Number(t.expires_in),t.id_token,t.refresh_token,t.scope,n,t.authorization_details);return o.tokenType=t.token_type,o.issuedTokenType=t.issued_token_type,o}},ua=(Ai=new WeakMap,Ri=new WeakMap,xi=new WeakMap,class{constructor(e,t){wt(this,Ai,new Map),wt(this,Ri,void 0),wt(this,xi,void 0),gt(xi,this,Math.max(1,Math.floor(e))),gt(Ri,this,Math.max(0,Math.floor(t)))}get(e){const t=yt(Ai,this).get(e);if(t){if(!(Date.now()>=t.expiresAt))return yt(Ai,this).delete(e),yt(Ai,this).set(e,t),t.value;yt(Ai,this).delete(e)}}set(e,t){for(yt(Ai,this).has(e)&&yt(Ai,this).delete(e),yt(Ai,this).set(e,{value:t,expiresAt:Date.now()+yt(Ri,this)});yt(Ai,this).size>yt(xi,this);){const e=yt(Ai,this).keys().next().value;if(void 0===e)break;yt(Ai,this).delete(e)}}}),la=new Map;function da(e){return{ttlMs:1e3*("number"==typeof(null==e?void 0:e.ttl)?e.ttl:600),maxEntries:"number"==typeof(null==e?void 0:e.maxEntries)&&e.maxEntries>0?e.maxEntries:100}}var ha=class{static createDiscoveryCache(e){const t=(n=e.maxEntries,o=e.ttlMs,"".concat(n,":").concat(o));var n,o;let r=(i=t,la.get(i));var i;return r||(r=new ua(e.maxEntries,e.ttlMs),la.set(t,r)),r}static createJwksCache(){return{}}},pa="openid profile email offline_access",fa=Object.freeze(new Set(["grant_type","client_id","client_secret","client_assertion","client_assertion_type","subject_token","subject_token_type","requested_token_type","actor_token","actor_token_type","audience","aud","resource","resources","resource_indicator","scope","connection","login_hint","organization","assertion"]));function ma(e){if(null==e)throw new Xi("subject_token is required");if("string"!=typeof e)throw new Xi("subject_token must be a string");if(0===e.trim().length)throw new Xi("subject_token cannot be blank or whitespace");if(e!==e.trim())throw new Xi("subject_token must not include leading or trailing whitespace");if(/^bearer\s+/i.test(e))throw new Xi("subject_token must not include the 'Bearer ' prefix")}function ya(e,t){if(t)for(const[n,o]of Object.entries(t))if(!fa.has(n))if(Array.isArray(o)){if(o.length>20)throw new Xi("Parameter '".concat(n,"' exceeds maximum array size of ").concat(20));o.forEach(t=>{e.append(n,t)})}else e.append(n,o)}var wa="urn:ietf:params:oauth:token-type:access_token",ga=(Ii=new WeakMap,Oi=new WeakMap,Ci=new WeakMap,ji=new WeakMap,Wi=new WeakMap,Ki=new WeakMap,Ui=new WeakMap,Di=new WeakMap,Ni=new WeakMap,Li=new WeakSet,class{constructor(e){var t,n,o,r;if(function(e,t){mt(e,t),t.add(e)}(this,Li),wt(this,Ii,void 0),wt(this,Oi,void 0),wt(this,Ci,void 0),wt(this,ji,void 0),wt(this,Wi,void 0),wt(this,Ki,void 0),wt(this,Ui,void 0),wt(this,Di,void 0),wt(this,Ni,void 0),vt(this,"mfa",void 0),gt(ji,this,e),e.useMtls&&!e.customFetch)throw new zi("mtls_without_custom_fetch_not_supported","Using mTLS without a custom fetch implementation is not supported");gt(Wi,this,function(e,t){if(!1===t.enabled)return e;const n={name:t.name,version:t.version},o=btoa(JSON.stringify(n));return async(t,n)=>{const r=t instanceof Request?new Headers(t.headers):new Headers;return null!=n&&n.headers&&new Headers(n.headers).forEach((e,t)=>{r.set(t,e)}),r.set("Auth0-Client",o),e(t,_t(_t({},n),{},{headers:r}))}}(null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)},!1===(null==(n=e.telemetry)?void 0:n.enabled)?n:{enabled:!0,name:null!==(o=null==n?void 0:n.name)&&void 0!==o?o:"@auth0/auth0-auth-js",version:null!==(r=null==n?void 0:n.version)&&void 0!==r?r:"1.6.0"}));const i=da(e.discoveryCache);gt(Ui,this,ha.createDiscoveryCache(i)),gt(Di,this,new Map),gt(Ni,this,ha.createJwksCache()),this.mfa=new sa({domain:yt(ji,this).domain,clientId:yt(ji,this).clientId,customFetch:yt(Wi,this)})}async getServerMetadata(){const{serverMetadata:e}=await pt(Li,this,_a).call(this);return e}async buildAuthorizationUrl(e){const{serverMetadata:t}=await pt(Li,this,_a).call(this);if(null!=e&&e.pushedAuthorizationRequests&&!t.pushed_authorization_request_endpoint)throw new zi("par_not_supported_error","The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");try{return await pt(Li,this,Ea).call(this,e)}catch(e){throw new Bi(e)}}async buildLinkUserUrl(e){try{const t=await pt(Li,this,Ea).call(this,{authorizationParams:_t(_t({},e.authorizationParams),{},{requested_connection:e.connection,requested_connection_scope:e.connectionScope,scope:"openid link_account offline_access",id_token_hint:e.idToken})});return{linkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new qi(e)}}async buildUnlinkUserUrl(e){try{const t=await pt(Li,this,Ea).call(this,{authorizationParams:_t(_t({},e.authorizationParams),{},{requested_connection:e.connection,scope:"openid unlink_account",id_token_hint:e.idToken})});return{unlinkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Qi(e)}}async backchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await pt(Li,this,_a).call(this),o=ea(_t(_t({},yt(ji,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(_t(_t({scope:pa},o),{},{client_id:yt(ji,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Wr(t,r),n=await Kr(t,e);return ca.fromTokenEndpointResponse(n)}catch(e){throw new Yi(e)}}async initiateBackchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await pt(Li,this,_a).call(this),o=ea(_t(_t({},yt(ji,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(_t(_t({scope:pa},o),{},{client_id:yt(ji,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await Wr(t,r);return{authReqId:e.auth_req_id,expiresIn:e.expires_in,interval:e.interval}}catch(e){throw new Yi(e)}}async backchannelAuthenticationGrant(e){let{authReqId:t}=e;const{configuration:n}=await pt(Li,this,_a).call(this),o=new URLSearchParams({auth_req_id:t});try{const e=await Fr(n,"urn:openid:params:grant-type:ciba",o);return ca.fromTokenEndpointResponse(e)}catch(e){throw new Yi(e)}}async getTokenForConnection(e){var t;if(e.refreshToken&&e.accessToken)throw new Fi("Either a refresh or access token should be specified, but not both.");const n=null!==(t=e.accessToken)&&void 0!==t?t:e.refreshToken;if(!n)throw new Fi("Either a refresh or access token must be specified.");try{return await this.exchangeToken({connection:e.connection,subjectToken:n,subjectTokenType:e.accessToken?wa:"urn:ietf:params:oauth:token-type:refresh_token",loginHint:e.loginHint})}catch(e){if(e instanceof Xi)throw new Fi(e.message,e.cause);throw e}}async exchangeToken(e){return"connection"in e?pt(Li,this,ka).call(this,e):pt(Li,this,Sa).call(this,e)}async getTokenByCode(e,t){const{configuration:n}=await pt(Li,this,_a).call(this);try{const o=await Dr(n,e,{pkceCodeVerifier:t.codeVerifier});return ca.fromTokenEndpointResponse(o)}catch(e){throw new Ji("There was an error while trying to request a token.",e)}}async getTokenByRefreshToken(e){const{configuration:t}=await pt(Li,this,_a).call(this),n=new URLSearchParams;e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope);try{const o=await Nr(t,e.refreshToken,n);return ca.fromTokenEndpointResponse(o)}catch(e){throw new Zi("The access token has expired and there was an error while trying to refresh it.",e)}}async getTokenByPassword(e){const{configuration:t}=await pt(Li,this,_a).call(this),n=new URLSearchParams({username:e.username,password:e.password});e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope),e.realm&&n.append("realm",e.realm);let o=t;if(e.auth0ForwardedFor){const n=await pt(Li,this,Ta).call(this);o=new Ir(t.serverMetadata(),yt(ji,this).clientId,yt(ji,this).clientSecret,n),o[vr]=(t,n)=>yt(Wi,this).call(this,t,_t(_t({},n),{},{headers:_t(_t({},n.headers),{},{"auth0-forwarded-for":e.auth0ForwardedFor})}))}try{const e=await Fr(o,"password",n);return ca.fromTokenEndpointResponse(e)}catch(e){throw new Vi("There was an error while trying to request a token.",e)}}async getTokenByClientCredentials(e){const{configuration:t}=await pt(Li,this,_a).call(this);try{const n=new URLSearchParams({audience:e.audience});e.organization&&n.append("organization",e.organization);const o=await Lr(t,n);return ca.fromTokenEndpointResponse(o)}catch(e){throw new Mi("There was an error while trying to request a token.",e)}}async buildLogoutUrl(e){const{configuration:t,serverMetadata:n}=await pt(Li,this,_a).call(this);if(!n.end_session_endpoint){const t=new URL("https://".concat(yt(ji,this).domain,"/v2/logout"));return t.searchParams.set("returnTo",e.returnTo),t.searchParams.set("client_id",yt(ji,this).clientId),t}return function(e,t){Jr(e);const{as:n,c:o,tlsOnly:r}=mr(e),i=mn(n,"end_session_endpoint",!1,r);(t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id);for(const[e,n]of t.entries())i.searchParams.append(e,n);return i}(t,{post_logout_redirect_uri:e.returnTo})}async verifyLogoutToken(e){const{serverMetadata:t}=await pt(Li,this,_a).call(this),n=da(yt(ji,this).discoveryCache),o=t.jwks_uri;yt(Ki,this)||gt(Ki,this,function(e,t){const n=new _i(e,t),o=async(e,t)=>n.getKey(e,t);return Object.defineProperties(o,{coolingDown:{get:()=>n.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>n.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>n.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>n.pendingFetch(),enumerable:!0,configurable:!1},jwks:{value:()=>n.jwks(),enumerable:!0,configurable:!1,writable:!1}}),o}(new URL(o),{cacheMaxAge:n.ttlMs,[ui]:yt(Wi,this),[li]:yt(Ni,this)}));const{payload:r}=await $r(e.logoutToken,yt(Ki,this),{issuer:t.issuer,audience:yt(ji,this).clientId,algorithms:["RS256"],requiredClaims:["iat"]});if(!("sid"in r)&&!("sub"in r))throw new Gi('either "sid" or "sub" (or both) claims must be present');if("sid"in r&&"string"!=typeof r.sid)throw new Gi('"sid" claim must be a string');if("sub"in r&&"string"!=typeof r.sub)throw new Gi('"sub" claim must be a string');if("nonce"in r)throw new Gi('"nonce" claim is prohibited');if(!("events"in r))throw new Gi('"events" claim is missing');if("object"!=typeof r.events||null===r.events)throw new Gi('"events" claim must be an object');if(!("http://schemas.openid.net/event/backchannel-logout"in r.events))throw new Gi('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');if("object"!=typeof r.events["http://schemas.openid.net/event/backchannel-logout"])throw new Gi('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');return{sid:r.sid,sub:r.sub}}});function va(){const e=yt(ji,this).domain.toLowerCase();return"".concat(e,"|mtls:").concat(yt(ji,this).useMtls?"1":"0")}async function ba(e){const t=await pt(Li,this,Ta).call(this),n=new Ir(e,yt(ji,this).clientId,yt(ji,this).clientSecret,t);return n[vr]=yt(Wi,this),n}async function _a(){if(yt(Ii,this)&&yt(Oi,this))return{configuration:yt(Ii,this),serverMetadata:yt(Oi,this)};const e=pt(Li,this,va).call(this),t=yt(Ui,this).get(e);if(t)return gt(Oi,this,t.serverMetadata),gt(Ii,this,await pt(Li,this,ba).call(this,t.serverMetadata)),{configuration:yt(Ii,this),serverMetadata:yt(Oi,this)};const n=yt(Di,this).get(e);if(n){const e=await n;return gt(Oi,this,e.serverMetadata),gt(Ii,this,await pt(Li,this,ba).call(this,e.serverMetadata)),{configuration:yt(Ii,this),serverMetadata:yt(Oi,this)}}const o=(async()=>{const t=await pt(Li,this,Ta).call(this),n=await Rr(new URL("https://".concat(yt(ji,this).domain)),yt(ji,this).clientId,{use_mtls_endpoint_aliases:yt(ji,this).useMtls},t,{[vr]:yt(Wi,this)}),o=n.serverMetadata();return yt(Ui,this).set(e,{serverMetadata:o}),{configuration:n,serverMetadata:o}})(),r=o.then(e=>{let{serverMetadata:t}=e;return{serverMetadata:t}});r.catch(()=>{}),yt(Di,this).set(e,r);try{const{configuration:e,serverMetadata:t}=await o;gt(Ii,this,e),gt(Oi,this,t),yt(Ii,this)[vr]=yt(Wi,this)}finally{yt(Di,this).delete(e)}return{configuration:yt(Ii,this),serverMetadata:yt(Oi,this)}}async function ka(e){var t,n;const{configuration:o}=await pt(Li,this,_a).call(this);if("audience"in e||"resource"in e)throw new Xi("audience and resource parameters are not supported for Token Vault exchanges");ma(e.subjectToken);const r=new URLSearchParams({connection:e.connection,subject_token:e.subjectToken,subject_token_type:null!==(t=e.subjectTokenType)&&void 0!==t?t:wa,requested_token_type:null!==(n=e.requestedTokenType)&&void 0!==n?n:"http://auth0.com/oauth/token-type/federated-connection-access-token"});e.loginHint&&r.append("login_hint",e.loginHint),e.scope&&r.append("scope",e.scope),ya(r,e.extra);try{const e=await Fr(o,"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",r);return ca.fromTokenEndpointResponse(e)}catch(t){throw new Xi("Failed to exchange token for connection '".concat(e.connection,"'."),t)}}async function Sa(e){const{configuration:t}=await pt(Li,this,_a).call(this);ma(e.subjectToken);const n=new URLSearchParams({subject_token_type:e.subjectTokenType,subject_token:e.subjectToken});e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope),e.requestedTokenType&&n.append("requested_token_type",e.requestedTokenType),e.organization&&n.append("organization",e.organization),ya(n,e.extra);try{const e=await Fr(t,"urn:ietf:params:oauth:grant-type:token-exchange",n);return ca.fromTokenEndpointResponse(e)}catch(t){throw new Xi("Failed to exchange token of type '".concat(e.subjectTokenType,"'").concat(e.audience?" for audience '".concat(e.audience,"'"):"","."),t)}}async function Ta(){return yt(Ci,this)||gt(Ci,this,(async()=>{if(!yt(ji,this).clientSecret&&!yt(ji,this).clientAssertionSigningKey&&!yt(ji,this).useMtls)throw new $i;if(yt(ji,this).useMtls)return(e,t,n,o)=>{n.set("client_id",t.client_id)};let e=yt(ji,this).clientAssertionSigningKey;return!e||e instanceof CryptoKey||(e=await async function(e,t,n){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return sr(e,t,n)}(e,yt(ji,this).clientAssertionSigningAlg||"RS256")),e?function(e,t){return dn(e,t)}(e):gr(yt(ji,this).clientSecret)})().catch(e=>{throw gt(Ci,this,void 0),e})),yt(Ci,this)}async function Ea(e){const{configuration:t}=await pt(Li,this,_a).call(this),n=Tr(),o=await Sr(n),r=ea(_t(_t({},yt(ji,this).authorizationParams),null==e?void 0:e.authorizationParams)),i=new URLSearchParams(_t(_t({scope:pa},r),{},{client_id:yt(ji,this).clientId,code_challenge:o,code_challenge_method:"S256"}));return{authorizationUrl:null!=e&&e.pushedAuthorizationRequests?await Hr(t,i):await zr(t,i),codeVerifier:n}}class Pa extends s{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Pa.prototype)}static fromPayload(e){let{error:t,error_description:n}=e;return new Pa(t,n)}}class Aa extends Pa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Aa.prototype)}}class Ra extends Pa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Ra.prototype)}}class xa extends Pa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,xa.prototype)}}class Ia extends Pa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Ia.prototype)}}class Oa extends Pa{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Oa.prototype)}}class Ca{constructor(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:6e5;this.contexts=new Map,this.ttlMs=e}set(e,t){this.cleanup(),this.contexts.set(e,Object.assign(Object.assign({},t),{createdAt:Date.now()}))}get(e){const t=this.contexts.get(e);if(t){if(!(Date.now()-t.createdAt>this.ttlMs))return t;this.contexts.delete(e)}}remove(e){this.contexts.delete(e)}cleanup(){const e=Date.now();for(const[t,n]of this.contexts)e-n.createdAt>this.ttlMs&&this.contexts.delete(t)}get size(){return this.contexts.size}}class ja{constructor(e,t){this.authJsMfaClient=e,this.auth0Client=t,this.contextManager=new Ca}setMFAAuthDetails(e,t,n,o){this.contextManager.set(e,{scope:t,audience:n,mfaRequirements:o})}async getAuthenticators(e){var t,n;const o=this.contextManager.get(e);if(!(null===(t=null==o?void 0:o.mfaRequirements)||void 0===t?void 0:t.challenge)||0===o.mfaRequirements.challenge.length)throw new Aa("invalid_request","challengeType is required and must contain at least one challenge type, please check mfa_required error payload");const r=o.mfaRequirements.challenge.map(e=>e.type);try{return(await this.authJsMfaClient.listAuthenticators({mfaToken:e})).filter(e=>!!e.type&&r.includes(e.type))}catch(e){if(e instanceof na)throw new Aa(null===(n=e.cause)||void 0===n?void 0:n.error,e.message);throw e}}async enroll(e){var t;const n=function(e){const t=ct[e.factorType];return Object.assign(Object.assign(Object.assign({mfaToken:e.mfaToken,authenticatorTypes:t.authenticatorTypes},t.oobChannels&&{oobChannels:t.oobChannels}),"phoneNumber"in e&&{phoneNumber:e.phoneNumber}),"email"in e&&{email:e.email})}(e);try{return await this.authJsMfaClient.enrollAuthenticator(n)}catch(e){if(e instanceof oa)throw new Ra(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async challenge(e){var t;try{const t={challengeType:e.challengeType,mfaToken:e.mfaToken};return e.authenticatorId&&(t.authenticatorId=e.authenticatorId),await this.authJsMfaClient.challengeAuthenticator(t)}catch(e){if(e instanceof ia)throw new xa(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async getEnrollmentFactors(e){const t=this.contextManager.get(e);if(!t||!t.mfaRequirements)throw new Oa("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");return t.mfaRequirements.enroll&&0!==t.mfaRequirements.enroll.length?t.mfaRequirements.enroll:[]}async verify(e){const t=this.contextManager.get(e.mfaToken);if(!t)throw new Ia("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");const n=function(e){return"otp"in e&&e.otp?ut:"oobCode"in e&&e.oobCode?lt:"recoveryCode"in e&&e.recoveryCode?dt:void 0}(e);if(!n)throw new Ia("invalid_request","Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");const o=t.scope,r=t.audience;try{const t=await this.auth0Client._requestTokenForMfa({grant_type:n,mfaToken:e.mfaToken,scope:o,audience:r,otp:e.otp,oob_code:e.oobCode,binding_code:e.bindingCode,recovery_code:e.recoveryCode});return this.contextManager.remove(e.mfaToken),t}catch(e){if(e instanceof f)this.setMFAAuthDetails(e.mfa_token,o,r,e.mfa_requirements);else if(e instanceof Ia)throw new Ia(e.error,e.error_description);throw e}}}class Wa{constructor(e){let t,r;if(this.userCache=(new ke).enclosedCache,this.defaultOptions={authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:!1,useFormData:!0},this.options=Object.assign(Object.assign(Object.assign({},this.defaultOptions),e),{authorizationParams:Object.assign(Object.assign({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!v())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===v().subtle)throw new Error("\n      auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n    ")})(),this.lockManager=(V||(V=Z()),V),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)r=e.cache;else{if(t=e.cacheLocation||o,!Qe(t))throw new Error('Invalid cache location "'.concat(t,'"'));r=Qe(t)()}var s;this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:n,this.cookieStorage=!1===e.legacySameSiteCookie?Ue:Ne,this.orgHintCookieName=(s=this.options.clientId,"auth0.".concat(s,".organization_hint")),this.isAuthenticatedCookieName=(e=>"auth0.".concat(e,".is.authenticated"))(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const c=e.useCookiesForTransactions?this.cookieStorage:Le;var u;this.scope=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if("object"!=typeof e)return{[a]:ye(t,e,...o)};let i={[a]:ye(t,...o)};return Object.keys(e).forEach(n=>{const r=e[n];i[n]=ye(t,r,...o)}),i}(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new Te(c,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||i,this.cacheManager=new Se(r,r.allKeys?void 0:new Ye(r,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new ot(this.options.clientId):void 0,this.domainUrl=(u=this.options.domain,/^https?:\/\//.test(u)?u:"https://".concat(u)),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:"https://".concat(e,"/"):"".concat(t,"/"))(this.options.issuer,this.domainUrl);const l="".concat(this.domainUrl,"/me/"),d=this.createFetcher(Object.assign(Object.assign({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:l},detailedResponse:!0})}));this.myAccountApi=new at(d,l),this.authJsClient=new ga({domain:this.options.domain,clientId:this.options.clientId}),this.mfa=new ja(this.authJsClient.mfa,this),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&t===o&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new Xe,this.worker.postMessage({type:"init",allowedBaseUrl:this.domainUrl}))}getConfiguration(){return Object.freeze({domain:this.options.domain,clientId:this.options.clientId})}_url(e){const t=this.options.auth0Client||r,n=S(t,!0),o=encodeURIComponent(btoa(JSON.stringify(n)));return"".concat(this.domainUrl).concat(e,"&auth0Client=").concat(o)}_authorizeUrl(e){return this._url("/authorize?".concat(T(e)))}async _verifyIdToken(e,t,n){const o=await this.nowProvider();return Ae({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:n,leeway:this.options.leeway,max_age:(r=this.options.authorizationParams.max_age,"string"!=typeof r?r:parseInt(r,10)||void 0),now:o});var r}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain})}_extractSessionTransferToken(e){return new URLSearchParams(window.location.search).get(e)||void 0}_clearSessionTransferTokenFromUrl(e){try{const t=new URL(window.location.href);t.searchParams.has(e)&&(t.searchParams.delete(e),window.history.replaceState({},"",t.toString()))}catch(e){}}_applySessionTransferToken(e){const t=this.options.sessionTransferTokenQueryParamName;if(!t||e.session_transfer_token)return e;const n=this._extractSessionTransferToken(t);return n?(this._clearSessionTransferTokenFromUrl(t),Object.assign(Object.assign({},e),{session_transfer_token:n})):e}async _prepareAuthorizeUrl(e,t,n){var o;const r=_(b()),i=_(b()),s=b(),c=await E(s),u=A(c),l=await(null===(o=this.dpop)||void 0===o?void 0:o.calculateThumbprint()),d=((e,t,n,o,r,i,a,s,c)=>Object.assign(Object.assign(Object.assign({client_id:e.clientId},e.authorizationParams),n),{scope:we(t,n.scope,n.audience),response_type:"code",response_mode:s||"query",state:o,nonce:r,redirect_uri:a||e.authorizationParams.redirect_uri,code_challenge:i,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,r,i,u,e.redirect_uri||this.options.authorizationParams.redirect_uri||n,null==t?void 0:t.response_mode,l),h=this._authorizeUrl(d);return{nonce:i,code_verifier:s,scope:d.scope,audience:d.audience||a,redirect_uri:d.redirect_uri,state:r,url:h}}async loginWithPopup(e,t){var n;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,n=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup","left=".concat(t,",top=").concat(n,",width=").concat(400,",height=").concat(600,",resizable,scrollbars=yes,status=1"))})(""),!t.popup))throw new p;const o=this._applySessionTransferToken(e.authorizationParams||{}),r=await this._prepareAuthorizeUrl(o,{response_mode:"web_message"},window.location.origin);t.popup.location.href=r.url;const i=await((e,t)=>new Promise((n,o)=>{let r;const i=setInterval(()=>{e.popup&&e.popup.closed&&(clearInterval(i),clearTimeout(a),window.removeEventListener("message",r,!1),o(new h(e.popup)))},1e3),a=setTimeout(()=>{clearInterval(i),o(new d(e.popup)),window.removeEventListener("message",r,!1)},1e3*(e.timeoutInSeconds||60));r=function(c){if(c.origin===t&&c.data&&"authorization_response"===c.data.type){if(clearTimeout(a),clearInterval(i),window.removeEventListener("message",r,!1),!1!==e.closePopup&&e.popup.close(),c.data.response.error)return o(s.fromPayload(c.data.response));n(c.data.response)}},window.addEventListener("message",r)}))(Object.assign(Object.assign({},t),{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}),new URL(r.url).origin);if(r.state!==i.state)throw new s("state_mismatch","Invalid state");const a=(null===(n=e.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:r.audience,scope:r.scope,code_verifier:r.code_verifier,grant_type:"authorization_code",code:i.code,redirect_uri:r.redirect_uri},{nonceIn:r.nonce,organization:a})}async getUser(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(){var t;const n=$e(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),{openUrl:o,fragment:r,appState:i}=n,a=e(n,["openUrl","fragment","appState"]),s=(null===(t=a.authorizationParams)||void 0===t?void 0:t.organization)||this.options.authorizationParams.organization,c=this._applySessionTransferToken(a.authorizationParams||{}),u=await this._prepareAuthorizeUrl(c),{url:l}=u,d=e(u,["url"]);this.transactionManager.create(Object.assign(Object.assign(Object.assign({},d),{appState:i,response_type:ze.Code}),s&&{organization:s}));const h=r?"".concat(l,"#").concat(r):l;o?await o(h):window.location.assign(h)}async handleRedirectCallback(){const e=(arguments.length>0&&void 0!==arguments[0]?arguments[0]:window.location.href).split("?").slice(1);if(0===e.length)throw new Error("There are no query params available for parsing.");const t=this.transactionManager.get();if(!t)throw new s("missing_transaction","Invalid state");this.transactionManager.remove();const n=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return{state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(e.join(""));return t.response_type===ze.ConnectCode?this._handleConnectAccountRedirectCallback(n,t):this._handleLoginRedirectCallback(n,t)}async _handleLoginRedirectCallback(e,t){const{code:n,state:o,error:r,error_description:i}=e;if(r)throw new c(r,i||r,o,t.appState);if(!t.code_verifier||t.state&&t.state!==o)throw new s("state_mismatch","Invalid state");const a=t.organization,u=t.nonce,l=t.redirect_uri;return await this._requestToken(Object.assign({audience:t.audience,scope:t.scope,code_verifier:t.code_verifier,grant_type:"authorization_code",code:n},l?{redirect_uri:l}:{}),{nonceIn:u,organization:a}),{appState:t.appState,response_type:ze.Code}}async _handleConnectAccountRedirectCallback(e,t){const{connect_code:n,state:o,error:r,error_description:i}=e;if(r)throw new u(r,i||r,t.connection,o,t.appState);if(!n)throw new s("missing_connect_code","Missing connect code");if(!(t.code_verifier&&t.state&&t.auth_session&&t.redirect_uri&&t.state===o))throw new s("state_mismatch","Invalid state");const a=await this.myAccountApi.completeAccount({auth_session:t.auth_session,connect_code:n,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier});return Object.assign(Object.assign({},a),{appState:t.appState,response_type:ze.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get(Be))return;this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(Be)}try{await this.getTokenSilently(e)}catch(e){}}async getTokenSilently(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var t,n;const o=Object.assign(Object.assign({cacheMode:"on"},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:we(this.scope,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,(null===(n=e.authorizationParams)||void 0===n?void 0:n.audience)||this.options.authorizationParams.audience)})}),r=await((e,t)=>{let n=Ge[t];return n||(n=e().finally(()=>{delete Ge[t],n=null}),Ge[t]=n),n})(()=>this._getTokenSilently(o),"".concat(this.options.clientId,"::").concat(o.authorizationParams.audience,"::").concat(o.authorizationParams.scope));return e.detailedResponse?r:null==r?void 0:r.access_token}async _getTokenSilently(t){const{cacheMode:n}=t,o=e(t,["cacheMode"]);if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||a,clientId:this.options.clientId,cacheMode:n});if(e)return e}if("cache-only"===n)return;const r=(i=this.options.clientId,s=o.authorizationParams.audience||"default","".concat("auth0.lock.getTokenSilently",".").concat(i,".").concat(s));var i,s;try{return await this.lockManager.runWithLock(r,5e3,async()=>{if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||a,clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(o):await this._getTokenFromIFrame(o),{id_token:t,token_type:r,access_token:i,oauthTokenScope:s,expires_in:c}=e;return Object.assign(Object.assign({id_token:t,token_type:r,access_token:i},s?{scope:s}:null),{expires_in:c})})}catch(e){if(this._isInteractiveError(e)&&"popup"===this.options.interactiveErrorHandler)return await this._handleInteractiveErrorWithPopup(o);throw e}}_isInteractiveError(e){return e instanceof f||e instanceof s&&this._isIframeMfaError(e)}_isIframeMfaError(e){return"login_required"===e.error&&"Multifactor authentication required"===e.error_description}async _handleInteractiveErrorWithPopup(e){try{await this.loginWithPopup({authorizationParams:e.authorizationParams});const t=await this._getEntryFromCache({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||a,clientId:this.options.clientId});if(!t)throw new s("interactive_handler_cache_miss","Token not found in cache after interactive authentication");return t}catch(e){throw e}}async getTokenWithPopup(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{},n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{};var o,r;const i=Object.assign(Object.assign({},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:we(this.scope,null===(o=e.authorizationParams)||void 0===o?void 0:o.scope,(null===(r=e.authorizationParams)||void 0===r?void 0:r.audience)||this.options.authorizationParams.audience)})});n=Object.assign(Object.assign({},t),n),await this.loginWithPopup(i,n);return(await this.cacheManager.get(new be({scope:i.authorizationParams.scope,audience:i.authorizationParams.audience||a,clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return!!await this.getUser()}_buildLogoutUrl(t){null!==t.clientId?t.clientId=t.clientId||this.options.clientId:delete t.clientId;const n=t.logoutParams||{},{federated:o}=n,r=e(n,["federated"]),i=o?"&federated":"";return this._url("/v2/logout?".concat(T(Object.assign({clientId:t.clientId},r))))+i}async revokeRefreshToken(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!this.options.useRefreshTokens)return;const t=e.audience||this.options.authorizationParams.audience||a,o=await this.cacheManager.getRefreshTokensByAudience(t,this.options.clientId);await async function(e,t){let{baseUrl:o,timeout:i,auth0Client:c,useFormData:u,refreshTokens:l,audience:d,client_id:h,onRefreshTokenRevoked:p}=e;const f=i||n,m="refresh_token",y="".concat(o,"/oauth/revoke"),w={"Content-Type":u?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(S(c||r)))};if(t){const e={client_id:h,token_type_hint:m},n=u?T(e):JSON.stringify(e);try{return await de({type:"revoke",timeout:f,fetchUrl:y,fetchOptions:{method:"POST",body:n,headers:w},useFormData:u,auth:{audience:null!=d?d:a}},t)}catch(e){throw new s("revoke_error",e.message)}}for(const e of l){const t={client_id:h,token_type_hint:m,token:e},n=u?T(t):JSON.stringify(t),o=await he(y,{method:"POST",body:n,headers:w},f);if(!o.ok){let e,t;try{({error:e,error_description:t}=JSON.parse(await o.text()))}catch(e){}throw new s(e||"revoke_error",t||"HTTP error ".concat(o.status))}await(null==p?void 0:p(e))}}({baseUrl:this.domainUrl,timeout:this.httpTimeoutMs,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,client_id:this.options.clientId,refreshTokens:o,audience:t,onRefreshTokenRevoked:e=>this.cacheManager.stripRefreshToken(e)},this.worker)}async logout(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var n;const o=$e(t),{openUrl:r}=o,i=e(o,["openUrl"]);null===t.clientId?await this.cacheManager.clear():await this.cacheManager.clear(t.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove(ve),await(null===(n=this.dpop)||void 0===n?void 0:n.clear());const a=this._buildLogoutUrl(i);r?await r(a):!1!==r&&window.location.assign(a)}async _getTokenFromIFrame(e){const t=(n=this.options.clientId,"".concat("auth0.lock.getTokenFromIFrame",".").concat(n));var n;try{return await this.lockManager.runWithLock(t,5e3,async()=>{const t=Object.assign(Object.assign({},e.authorizationParams),{prompt:"none"}),n=this.cookieStorage.get(this.orgHintCookieName);n&&!t.organization&&(t.organization=n);const{url:o,state:r,nonce:i,code_verifier:a,redirect_uri:c,scope:u,audience:d}=await this._prepareAuthorizeUrl(t,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new s("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const h=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let p;try{p=new URL(this.domainUrl).origin}catch(e){p=this.domainUrl}const f=await function(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:60;return new Promise((o,r)=>{const i=window.document.createElement("iframe");i.setAttribute("width","0"),i.setAttribute("height","0"),i.style.display="none";const a=()=>{window.document.body.contains(i)&&(window.document.body.removeChild(i),window.removeEventListener("message",c,!1))};let c;const u=setTimeout(()=>{r(new l),a()},1e3*n);c=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const n=e.source;n&&n.close(),e.data.response.error?r(s.fromPayload(e.data.response)):o(e.data.response),clearTimeout(u),window.removeEventListener("message",c,!1),setTimeout(a,2e3)},window.addEventListener("message",c,!1),window.document.body.appendChild(i),i.setAttribute("src",e)})}(o,p,h);if(r!==f.state)throw new s("state_mismatch","Invalid state");const m=await this._requestToken(Object.assign(Object.assign({},e.authorizationParams),{code_verifier:a,code:f.code,grant_type:"authorization_code",redirect_uri:c,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:i,organization:t.organization});return Object.assign(Object.assign({},m),{scope:u,oauthTokenScope:m.scope,audience:d})})}catch(e){if("login_required"===e.error){e instanceof s&&this._isIframeMfaError(e)&&"popup"===this.options.interactiveErrorHandler||this.logout({openUrl:!1})}throw e}}async _getTokenUsingRefreshToken(e){var t,n;const o=await this.cacheManager.get(new be({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||a,clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(o&&o.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new m(e.authorizationParams.audience||a,e.authorizationParams.scope)}const r=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,i="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,s=((e,t,n,o)=>{var r;if(e&&n&&o){if(t.audience!==n)return t.scope;const e=o.split(" "),i=(null===(r=t.scope)||void 0===r?void 0:r.split(" "))||[],a=i.every(t=>e.includes(t));return e.length>=i.length&&a?o:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==o?void 0:o.audience,null==o?void 0:o.scope);try{const t=await this._requestToken(Object.assign(Object.assign(Object.assign({},e.authorizationParams),{grant_type:"refresh_token",refresh_token:o&&o.refresh_token,redirect_uri:r}),i&&{timeout:i}),{scopesToRequest:s});if(t.refresh_token&&(null==o?void 0:o.refresh_token)&&await this.cacheManager.updateEntry(o.refresh_token,t.refresh_token),this.options.useMrrt){if(c=null==o?void 0:o.audience,u=null==o?void 0:o.scope,l=e.authorizationParams.audience,d=e.authorizationParams.scope,c!==l||!et(d,u)){if(!et(s,t.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const n=((e,t)=>{const n=(null==e?void 0:e.split(" "))||[],o=(null==t?void 0:t.split(" "))||[];return n.filter(e=>-1==o.indexOf(e)).join(",")})(s,t.scope);throw new y(e.authorizationParams.audience||"default",n)}}}return Object.assign(Object.assign({},t),{scope:e.authorizationParams.scope,oauthTokenScope:t.scope,audience:e.authorizationParams.audience||a})}catch(o){if(o.message){if(o.message.includes("user is blocked"))throw await this.logout({openUrl:!1}),o;if((o.message.includes("Missing Refresh Token")||o.message.includes("invalid refresh token"))&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e)}throw o instanceof f&&this.mfa.setMFAAuthDetails(o.mfa_token,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,null===(n=e.authorizationParams)||void 0===n?void 0:n.audience,o.mfa_requirements),o}var c,u,l,d}async _saveEntryInCache(t){const{id_token:n,decodedToken:o}=t,r=e(t,["id_token","decodedToken"]);this.userCache.set(ve,{id_token:n,decodedToken:o}),await this.cacheManager.setIdToken(this.options.clientId,t.id_token,t.decodedToken),await this.cacheManager.set(r)}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||a,t=this.scope[e],n=await this.cacheManager.getIdToken(new be({clientId:this.options.clientId,audience:e,scope:t})),o=this.userCache.get(ve);return n&&n.id_token===(null==o?void 0:o.id_token)?o:(this.userCache.set(ve,n),n)}async _getEntryFromCache(e){let{scope:t,audience:n,clientId:o,cacheMode:r}=e;const i=await this.cacheManager.get(new be({scope:t,audience:n,clientId:o}),60,this.options.useMrrt,r);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:n,expires_in:o}=i,r=await this._getIdTokenFromCache();return r&&Object.assign(Object.assign({id_token:r.id_token,token_type:e||"Bearer",access_token:t},n?{scope:n}:null),{expires_in:o})}}async _requestToken(e,t){var n,o;const{nonceIn:r,organization:i,scopesToRequest:s}=t||{},c=await me(Object.assign(Object.assign({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{scope:s||e.scope}),this.worker),u=await this._verifyIdToken(c.id_token,r,i);if("authorization_code"===e.grant_type){const e=await this._getIdTokenFromCache();(null===(o=null===(n=null==e?void 0:e.decodedToken)||void 0===n?void 0:n.claims)||void 0===o?void 0:o.sub)&&e.decodedToken.claims.sub!==u.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove(ve))}return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({},c),{decodedToken:u,scope:e.scope,audience:e.audience||a}),c.scope?{oauthTokenScope:c.scope}:null),{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,!0,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(i||u.claims.org_id),Object.assign(Object.assign({},c),{decodedToken:u})}async loginWithCustomTokenExchange(e){return this._requestToken(Object.assign(Object.assign({},e),{grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:we(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization}))}async exchangeToken(e){return this.loginWithCustomTokenExchange(e)}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};return new it(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null===(t=null==e?void 0:e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:!0})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(e){const{openUrl:t,appState:n,connection:o,scopes:r,authorization_params:i,redirectUri:a=this.options.authorizationParams.redirect_uri||window.location.origin}=e;if(!o)throw new Error("connection is required");const s=_(b()),c=b(),u=await E(c),l=A(u),{connect_uri:d,connect_params:h,auth_session:p}=await this.myAccountApi.connectAccount({connection:o,scopes:r,redirect_uri:a,state:s,code_challenge:l,code_challenge_method:"S256",authorization_params:i});this.transactionManager.create({state:s,code_verifier:c,auth_session:p,redirect_uri:a,appState:n,connection:o,response_type:ze.ConnectCode});const f=new URL(d);f.searchParams.set("ticket",h.ticket),t?await t(f.toString()):window.location.assign(f)}async _requestTokenForMfa(t,n){const{mfaToken:o}=t,r=e(t,["mfaToken"]);return this._requestToken(Object.assign(Object.assign({},r),{mfa_token:o}),n)}}async function Ka(e){const t=new Wa(e);return await t.checkSession(),t}export{Wa as Auth0Client,c as AuthenticationError,be as CacheKey,u as ConnectError,s as GenericError,ke as InMemoryCache,_e as LocalStorageCache,ja as MfaApiClient,xa as MfaChallengeError,Ra as MfaEnrollmentError,Oa as MfaEnrollmentFactorsError,Pa as MfaError,Aa as MfaListAuthenticatorsError,f as MfaRequiredError,Ia as MfaVerifyError,m as MissingRefreshTokenError,st as MyAccountApiError,h as PopupCancelledError,p as PopupOpenError,d as PopupTimeoutError,ze as ResponseType,l as TimeoutError,w as UseDpopNonceError,He as User,Ka as createAuth0Client};
 //# sourceMappingURL=auth0-spa-js.production.esm.js.map