@auth0/auth0-spa-js 2.2.0 → 2.4.0

package/dist/auth0-spa-js.development.js

@@ -540,7 +540,7 @@
         exports.default = SuperTokensLock;
     }));
     var Lock = unwrapExports(browserTabsLock);
-    var version = "2.2.0";
+    var version = "2.4.0";
     const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
     const DEFAULT_POPUP_CONFIG_OPTIONS = {
         timeoutInSeconds: DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
@@ -612,6 +612,13 @@
             Object.setPrototypeOf(this, MissingRefreshTokenError.prototype);
         }
     }
+    class UseDpopNonceError extends GenericError {
+        constructor(newDpopNonce) {
+            super("use_dpop_nonce", "Server rejected DPoP proof: wrong nonce");
+            this.newDpopNonce = newDpopNonce;
+            Object.setPrototypeOf(this, UseDpopNonceError.prototype);
+        }
+    }
     function valueOrEmptyString(value, exclude = []) {
         return value && !exclude.includes(value) ? value : "";
     }
@@ -760,6 +767,319 @@
         }
         return parseInt(value, 10) || undefined;
     };
+    const fromEntries = iterable => [ ...iterable ].reduce(((obj, [key, val]) => {
+        obj[key] = val;
+        return obj;
+    }), {});
+    const encoder = new TextEncoder;
+    const decoder = new TextDecoder;
+    function buf(input) {
+        if (typeof input === "string") {
+            return encoder.encode(input);
+        }
+        return decoder.decode(input);
+    }
+    function checkRsaKeyAlgorithm(algorithm) {
+        if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
+            throw new OperationProcessingError(`${algorithm.name} modulusLength must be at least 2048 bits`);
+        }
+    }
+    function subtleAlgorithm(key) {
+        switch (key.algorithm.name) {
+          case "ECDSA":
+            return {
+                name: key.algorithm.name,
+                hash: "SHA-256"
+            };
+
+          case "RSA-PSS":
+            checkRsaKeyAlgorithm(key.algorithm);
+            return {
+                name: key.algorithm.name,
+                saltLength: 256 >> 3
+            };
+
+          case "RSASSA-PKCS1-v1_5":
+            checkRsaKeyAlgorithm(key.algorithm);
+            return {
+                name: key.algorithm.name
+            };
+
+          case "Ed25519":
+            return {
+                name: key.algorithm.name
+            };
+        }
+        throw new UnsupportedOperationError;
+    }
+    async function jwt(header, claimsSet, key) {
+        if (key.usages.includes("sign") === false) {
+            throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+        }
+        const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
+        const signature = b64u(await crypto.subtle.sign(subtleAlgorithm(key), key, buf(input)));
+        return `${input}.${signature}`;
+    }
+    let encodeBase64Url;
+    if (Uint8Array.prototype.toBase64) {
+        encodeBase64Url = input => {
+            if (input instanceof ArrayBuffer) {
+                input = new Uint8Array(input);
+            }
+            return input.toBase64({
+                alphabet: "base64url",
+                omitPadding: true
+            });
+        };
+    } else {
+        const CHUNK_SIZE = 32768;
+        encodeBase64Url = input => {
+            if (input instanceof ArrayBuffer) {
+                input = new Uint8Array(input);
+            }
+            const arr = [];
+            for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {
+                arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+            }
+            return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+        };
+    }
+    function b64u(input) {
+        return encodeBase64Url(input);
+    }
+    class UnsupportedOperationError extends Error {
+        constructor(message) {
+            var _a;
+            super(message !== null && message !== void 0 ? message : "operation not supported");
+            this.name = this.constructor.name;
+            (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
+        }
+    }
+    class OperationProcessingError extends Error {
+        constructor(message) {
+            var _a;
+            super(message);
+            this.name = this.constructor.name;
+            (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
+        }
+    }
+    function psAlg(key) {
+        switch (key.algorithm.hash.name) {
+          case "SHA-256":
+            return "PS256";
+
+          default:
+            throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
+        }
+    }
+    function rsAlg(key) {
+        switch (key.algorithm.hash.name) {
+          case "SHA-256":
+            return "RS256";
+
+          default:
+            throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
+        }
+    }
+    function esAlg(key) {
+        switch (key.algorithm.namedCurve) {
+          case "P-256":
+            return "ES256";
+
+          default:
+            throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve");
+        }
+    }
+    function determineJWSAlgorithm(key) {
+        switch (key.algorithm.name) {
+          case "RSA-PSS":
+            return psAlg(key);
+
+          case "RSASSA-PKCS1-v1_5":
+            return rsAlg(key);
+
+          case "ECDSA":
+            return esAlg(key);
+
+          case "Ed25519":
+            return "Ed25519";
+
+          default:
+            throw new UnsupportedOperationError("unsupported CryptoKey algorithm name");
+        }
+    }
+    function isCryptoKey(key) {
+        return key instanceof CryptoKey;
+    }
+    function isPrivateKey(key) {
+        return isCryptoKey(key) && key.type === "private";
+    }
+    function isPublicKey(key) {
+        return isCryptoKey(key) && key.type === "public";
+    }
+    function epochTime() {
+        return Math.floor(Date.now() / 1e3);
+    }
+    async function generateProof$1(keypair, htu, htm, nonce, accessToken, additional) {
+        const privateKey = keypair === null || keypair === void 0 ? void 0 : keypair.privateKey;
+        const publicKey = keypair === null || keypair === void 0 ? void 0 : keypair.publicKey;
+        if (!isPrivateKey(privateKey)) {
+            throw new TypeError('"keypair.privateKey" must be a private CryptoKey');
+        }
+        if (!isPublicKey(publicKey)) {
+            throw new TypeError('"keypair.publicKey" must be a public CryptoKey');
+        }
+        if (publicKey.extractable !== true) {
+            throw new TypeError('"keypair.publicKey.extractable" must be true');
+        }
+        if (typeof htu !== "string") {
+            throw new TypeError('"htu" must be a string');
+        }
+        if (typeof htm !== "string") {
+            throw new TypeError('"htm" must be a string');
+        }
+        if (nonce !== undefined && typeof nonce !== "string") {
+            throw new TypeError('"nonce" must be a string or undefined');
+        }
+        if (accessToken !== undefined && typeof accessToken !== "string") {
+            throw new TypeError('"accessToken" must be a string or undefined');
+        }
+        if (additional !== undefined && (typeof additional !== "object" || additional === null || Array.isArray(additional))) {
+            throw new TypeError('"additional" must be an object');
+        }
+        return jwt({
+            alg: determineJWSAlgorithm(privateKey),
+            typ: "dpop+jwt",
+            jwk: await publicJwk(publicKey)
+        }, Object.assign(Object.assign({}, additional), {
+            iat: epochTime(),
+            jti: crypto.randomUUID(),
+            htm: htm,
+            nonce: nonce,
+            htu: htu,
+            ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
+        }), privateKey);
+    }
+    async function publicJwk(key) {
+        const {kty: kty, e: e, n: n, x: x, y: y, crv: crv} = await crypto.subtle.exportKey("jwk", key);
+        return {
+            kty: kty,
+            crv: crv,
+            e: e,
+            n: n,
+            x: x,
+            y: y
+        };
+    }
+    async function generateKeyPair$1(alg, options) {
+        var _a;
+        let algorithm;
+        if (typeof alg !== "string" || alg.length === 0) {
+            throw new TypeError('"alg" must be a non-empty string');
+        }
+        switch (alg) {
+          case "PS256":
+            algorithm = {
+                name: "RSA-PSS",
+                hash: "SHA-256",
+                modulusLength: 2048,
+                publicExponent: new Uint8Array([ 1, 0, 1 ])
+            };
+            break;
+
+          case "RS256":
+            algorithm = {
+                name: "RSASSA-PKCS1-v1_5",
+                hash: "SHA-256",
+                modulusLength: 2048,
+                publicExponent: new Uint8Array([ 1, 0, 1 ])
+            };
+            break;
+
+          case "ES256":
+            algorithm = {
+                name: "ECDSA",
+                namedCurve: "P-256"
+            };
+            break;
+
+          case "Ed25519":
+            algorithm = {
+                name: "Ed25519"
+            };
+            break;
+
+          default:
+            throw new UnsupportedOperationError;
+        }
+        return crypto.subtle.generateKey(algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, [ "sign", "verify" ]);
+    }
+    async function calculateThumbprint$1(publicKey) {
+        if (!isPublicKey(publicKey)) {
+            throw new TypeError('"publicKey" must be a public CryptoKey');
+        }
+        if (publicKey.extractable !== true) {
+            throw new TypeError('"publicKey.extractable" must be true');
+        }
+        const jwk = await publicJwk(publicKey);
+        let components;
+        switch (jwk.kty) {
+          case "EC":
+            components = {
+                crv: jwk.crv,
+                kty: jwk.kty,
+                x: jwk.x,
+                y: jwk.y
+            };
+            break;
+
+          case "OKP":
+            components = {
+                crv: jwk.crv,
+                kty: jwk.kty,
+                x: jwk.x
+            };
+            break;
+
+          case "RSA":
+            components = {
+                e: jwk.e,
+                kty: jwk.kty,
+                n: jwk.n
+            };
+            break;
+
+          default:
+            throw new UnsupportedOperationError("unsupported JWK kty");
+        }
+        return b64u(await crypto.subtle.digest({
+            name: "SHA-256"
+        }, buf(JSON.stringify(components))));
+    }
+    const DPOP_NONCE_HEADER = "dpop-nonce";
+    const KEY_PAIR_ALGORITHM = "ES256";
+    const SUPPORTED_GRANT_TYPES = [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange" ];
+    function generateKeyPair() {
+        return generateKeyPair$1(KEY_PAIR_ALGORITHM, {
+            extractable: false
+        });
+    }
+    function calculateThumbprint(keyPair) {
+        return calculateThumbprint$1(keyPair.publicKey);
+    }
+    function normalizeUrl(url) {
+        const parsedUrl = new URL(url);
+        parsedUrl.search = "";
+        parsedUrl.hash = "";
+        return parsedUrl.href;
+    }
+    function generateProof({keyPair: keyPair, url: url, method: method, nonce: nonce, accessToken: accessToken}) {
+        const normalizedUrl = normalizeUrl(url);
+        return generateProof$1(keyPair, normalizedUrl, method, nonce, accessToken);
+    }
+    function isGrantTypeSupported(grantType) {
+        return SUPPORTED_GRANT_TYPES.includes(grantType);
+    }
     const sendMessage = (message, to) => new Promise((function(resolve, reject) {
         const messageChannel = new MessageChannel;
         messageChannel.port1.onmessage = function(event) {
@@ -777,7 +1097,8 @@
         const response = await fetch(fetchUrl, fetchOptions);
         return {
             ok: response.ok,
-            json: await response.json()
+            json: await response.json(),
+            headers: fromEntries(response.headers)
         };
     };
     const fetchWithoutWorker = async (fetchUrl, fetchOptions, timeout) => {
@@ -810,7 +1131,17 @@
             return fetchWithoutWorker(fetchUrl, fetchOptions, timeout);
         }
     };
-    async function getJSON(url, timeout, audience, scope, options, worker, useFormData) {
+    async function getJSON(url, timeout, audience, scope, options, worker, useFormData, dpop, isDpopRetry) {
+        if (dpop) {
+            const dpopProof = await dpop.generateProof({
+                url: url,
+                method: options.method || "GET",
+                nonce: await dpop.getNonce()
+            });
+            options.headers = Object.assign(Object.assign({}, options.headers), {
+                dpop: dpopProof
+            });
+        }
         let fetchError = null;
         let response;
         for (let i = 0; i < DEFAULT_SILENT_TOKEN_RETRY_COUNT; i++) {
@@ -825,7 +1156,14 @@
         if (fetchError) {
             throw fetchError;
         }
-        const _a = response.json, {error: error, error_description: error_description} = _a, data = __rest(_a, [ "error", "error_description" ]), {ok: ok} = response;
+        const _a = response.json, {error: error, error_description: error_description} = _a, data = __rest(_a, [ "error", "error_description" ]), {headers: headers, ok: ok} = response;
+        let newDpopNonce;
+        if (dpop) {
+            newDpopNonce = headers[DPOP_NONCE_HEADER];
+            if (newDpopNonce) {
+                await dpop.setNonce(newDpopNonce);
+            }
+        }
         if (!ok) {
             const errorMessage = error_description || `HTTP error. Unable to fetch ${url}`;
             if (error === "mfa_required") {
@@ -834,13 +1172,26 @@
             if (error === "missing_refresh_token") {
                 throw new MissingRefreshTokenError(audience, scope);
             }
+            if (error === "use_dpop_nonce") {
+                if (!dpop || !newDpopNonce || isDpopRetry) {
+                    throw new UseDpopNonceError(newDpopNonce);
+                }
+                return getJSON(url, timeout, audience, scope, options, worker, useFormData, dpop, true);
+            }
             throw new GenericError(error || "request_error", errorMessage);
         }
         return data;
     }
     async function oauthToken(_a, worker) {
-        var {baseUrl: baseUrl, timeout: timeout, audience: audience, scope: scope, auth0Client: auth0Client, useFormData: useFormData} = _a, options = __rest(_a, [ "baseUrl", "timeout", "audience", "scope", "auth0Client", "useFormData" ]);
-        const body = useFormData ? createQueryParams(options) : JSON.stringify(options);
+        var {baseUrl: baseUrl, timeout: timeout, audience: audience, scope: scope, auth0Client: auth0Client, useFormData: useFormData, dpop: dpop} = _a, options = __rest(_a, [ "baseUrl", "timeout", "audience", "scope", "auth0Client", "useFormData", "dpop" ]);
+        const isTokenExchange = options.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange";
+        const allParams = Object.assign(Object.assign(Object.assign({}, options), isTokenExchange && audience && {
+            audience: audience
+        }), isTokenExchange && scope && {
+            scope: scope
+        });
+        const body = useFormData ? createQueryParams(allParams) : JSON.stringify(allParams);
+        const isDpopSupported = isGrantTypeSupported(options.grant_type);
         return await getJSON(`${baseUrl}/oauth/token`, timeout, audience || "default", scope, {
             method: "POST",
             body: body,
@@ -848,7 +1199,7 @@
                 "Content-Type": useFormData ? "application/x-www-form-urlencoded" : "application/json",
                 "Auth0-Client": btoa(JSON.stringify(auth0Client || DEFAULT_AUTH0_CLIENT))
             }
-        }, worker, useFormData);
+        }, worker, useFormData, isDpopSupported ? dpop : undefined);
     }
     const dedupe = arr => Array.from(new Set(arr));
     const getUniqueScopes = (...scopes) => dedupe(scopes.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ");
@@ -1390,7 +1741,7 @@
             return new Worker(url, options);
         };
     }
-    var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0pIHsKICAgICAgICAgICAgcmV0dXJuIG5ldyBHZW5lcmljRXJyb3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICB9CiAgICB9CiAgICBjbGFzcyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IgZXh0ZW5kcyBHZW5lcmljRXJyb3IgewogICAgICAgIGNvbnN0cnVjdG9yKGF1ZGllbmNlLCBzY29wZSkgewogICAgICAgICAgICBzdXBlcigibWlzc2luZ19yZWZyZXNoX3Rva2VuIiwgYE1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICcke3ZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSl9Jywgc2NvcGU6ICcke3ZhbHVlT3JFbXB0eVN0cmluZyhzY29wZSl9JylgKTsKICAgICAgICAgICAgdGhpcy5hdWRpZW5jZSA9IGF1ZGllbmNlOwogICAgICAgICAgICB0aGlzLnNjb3BlID0gc2NvcGU7CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICB9CiAgICBmdW5jdGlvbiB2YWx1ZU9yRW1wdHlTdHJpbmcodmFsdWUsIGV4Y2x1ZGUgPSBbXSkgewogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoKGsgPT4gdHlwZW9mIHBhcmFtc1trXSAhPT0gInVuZGVmaW5lZCIpKS5yZWR1Y2UoKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSksIHt9KTsKICAgIGNvbnN0IGNyZWF0ZVF1ZXJ5UGFyYW1zID0gX2EgPT4gewogICAgICAgIHZhciB7Y2xpZW50SWQ6IGNsaWVudF9pZH0gPSBfYSwgcGFyYW1zID0gX19yZXN0KF9hLCBbICJjbGllbnRJZCIgXSk7CiAgICAgICAgcmV0dXJuIG5ldyBVUkxTZWFyY2hQYXJhbXMoc3RyaXBVbmRlZmluZWQoT2JqZWN0LmFzc2lnbih7CiAgICAgICAgICAgIGNsaWVudF9pZDogY2xpZW50X2lkCiAgICAgICAgfSwgcGFyYW1zKSkpLnRvU3RyaW5nKCk7CiAgICB9OwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gYCR7YXVkaWVuY2V9fCR7c2NvcGV9YDsKICAgIGNvbnN0IGdldFJlZnJlc2hUb2tlbiA9IChhdWRpZW5jZSwgc2NvcGUpID0+IHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCBzZXRSZWZyZXNoVG9rZW4gPSAocmVmcmVzaFRva2VuLCBhdWRpZW5jZSwgc2NvcGUpID0+IHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV0gPSByZWZyZXNoVG9rZW47CiAgICBjb25zdCBkZWxldGVSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiBkZWxldGUgcmVmcmVzaFRva2Vuc1tjYWNoZUtleShhdWRpZW5jZSwgc2NvcGUpXTsKICAgIGNvbnN0IHdhaXQgPSB0aW1lID0+IG5ldyBQcm9taXNlKChyZXNvbHZlID0+IHNldFRpbWVvdXQocmVzb2x2ZSwgdGltZSkpKTsKICAgIGNvbnN0IGZvcm1EYXRhVG9PYmplY3QgPSBmb3JtRGF0YSA9PiB7CiAgICAgICAgY29uc3QgcXVlcnlQYXJhbXMgPSBuZXcgVVJMU2VhcmNoUGFyYW1zKGZvcm1EYXRhKTsKICAgICAgICBjb25zdCBwYXJzZWRRdWVyeSA9IHt9OwogICAgICAgIHF1ZXJ5UGFyYW1zLmZvckVhY2goKCh2YWwsIGtleSkgPT4gewogICAgICAgICAgICBwYXJzZWRRdWVyeVtrZXldID0gdmFsOwogICAgICAgIH0pKTsKICAgICAgICByZXR1cm4gcGFyc2VkUXVlcnk7CiAgICB9OwogICAgY29uc3QgbWVzc2FnZUhhbmRsZXIgPSBhc3luYyAoe2RhdGE6IHt0aW1lb3V0OiB0aW1lb3V0LCBhdXRoOiBhdXRoLCBmZXRjaFVybDogZmV0Y2hVcmwsIGZldGNoT3B0aW9uczogZmV0Y2hPcHRpb25zLCB1c2VGb3JtRGF0YTogdXNlRm9ybURhdGF9LCBwb3J0czogW3BvcnRdfSkgPT4gewogICAgICAgIGxldCBqc29uOwogICAgICAgIGNvbnN0IHthdWRpZW5jZTogYXVkaWVuY2UsIHNjb3BlOiBzY29wZX0gPSBhdXRoIHx8IHt9OwogICAgICAgIHRyeSB7CiAgICAgICAgICAgIGNvbnN0IGJvZHkgPSB1c2VGb3JtRGF0YSA/IGZvcm1EYXRhVG9PYmplY3QoZmV0Y2hPcHRpb25zLmJvZHkpIDogSlNPTi5wYXJzZShmZXRjaE9wdGlvbnMuYm9keSk7CiAgICAgICAgICAgIGlmICghYm9keS5yZWZyZXNoX3Rva2VuICYmIGJvZHkuZ3JhbnRfdHlwZSA9PT0gInJlZnJlc2hfdG9rZW4iKSB7CiAgICAgICAgICAgICAgICBjb25zdCByZWZyZXNoVG9rZW4gPSBnZXRSZWZyZXNoVG9rZW4oYXVkaWVuY2UsIHNjb3BlKTsKICAgICAgICAgICAgICAgIGlmICghcmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvcihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgZmV0Y2hPcHRpb25zLmJvZHkgPSB1c2VGb3JtRGF0YSA/IGNyZWF0ZVF1ZXJ5UGFyYW1zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKSA6IEpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKTsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgYWJvcnRDb250cm9sbGVyOwogICAgICAgICAgICBpZiAodHlwZW9mIEFib3J0Q29udHJvbGxlciA9PT0gImZ1bmN0aW9uIikgewogICAgICAgICAgICAgICAgYWJvcnRDb250cm9sbGVyID0gbmV3IEFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5zaWduYWwgPSBhYm9ydENvbnRyb2xsZXIuc2lnbmFsOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGxldCByZXNwb25zZTsKICAgICAgICAgICAgdHJ5IHsKICAgICAgICAgICAgICAgIHJlc3BvbnNlID0gYXdhaXQgUHJvbWlzZS5yYWNlKFsgd2FpdCh0aW1lb3V0KSwgZmV0Y2goZmV0Y2hVcmwsIE9iamVjdC5hc3NpZ24oe30sIGZldGNoT3B0aW9ucykpIF0pOwogICAgICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGlmICghcmVzcG9uc2UpIHsKICAgICAgICAgICAgICAgIGlmIChhYm9ydENvbnRyb2xsZXIpIGFib3J0Q29udHJvbGxlci5hYm9ydCgpOwogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6ICJUaW1lb3V0IHdoZW4gZXhlY3V0aW5nICdmZXRjaCciCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBqc29uID0gYXdhaXQgcmVzcG9uc2UuanNvbigpOwogICAgICAgICAgICBpZiAoanNvbi5yZWZyZXNoX3Rva2VuKSB7CiAgICAgICAgICAgICAgICBzZXRSZWZyZXNoVG9rZW4oanNvbi5yZWZyZXNoX3Rva2VuLCBhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgZGVsZXRlIGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgIGRlbGV0ZVJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICB9CiAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgb2s6IHJlc3BvbnNlLm9rLAogICAgICAgICAgICAgICAganNvbjoganNvbgogICAgICAgICAgICB9KTsKICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICBwb3J0LnBvc3RNZXNzYWdlKHsKICAgICAgICAgICAgICAgIG9rOiBmYWxzZSwKICAgICAgICAgICAgICAgIGpzb246IHsKICAgICAgICAgICAgICAgICAgICBlcnJvcjogZXJyb3IuZXJyb3IsCiAgICAgICAgICAgICAgICAgICAgZXJyb3JfZGVzY3JpcHRpb246IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfSk7CiAgICAgICAgfQogICAgfTsKICAgIHsKICAgICAgICBhZGRFdmVudExpc3RlbmVyKCJtZXNzYWdlIiwgbWVzc2FnZUhhbmRsZXIpOwogICAgfQp9KSgpOwoK", null, false);
+    var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0pIHsKICAgICAgICAgICAgcmV0dXJuIG5ldyBHZW5lcmljRXJyb3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICB9CiAgICB9CiAgICBjbGFzcyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IgZXh0ZW5kcyBHZW5lcmljRXJyb3IgewogICAgICAgIGNvbnN0cnVjdG9yKGF1ZGllbmNlLCBzY29wZSkgewogICAgICAgICAgICBzdXBlcigibWlzc2luZ19yZWZyZXNoX3Rva2VuIiwgYE1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICcke3ZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSl9Jywgc2NvcGU6ICcke3ZhbHVlT3JFbXB0eVN0cmluZyhzY29wZSl9JylgKTsKICAgICAgICAgICAgdGhpcy5hdWRpZW5jZSA9IGF1ZGllbmNlOwogICAgICAgICAgICB0aGlzLnNjb3BlID0gc2NvcGU7CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICB9CiAgICBmdW5jdGlvbiB2YWx1ZU9yRW1wdHlTdHJpbmcodmFsdWUsIGV4Y2x1ZGUgPSBbXSkgewogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoKGsgPT4gdHlwZW9mIHBhcmFtc1trXSAhPT0gInVuZGVmaW5lZCIpKS5yZWR1Y2UoKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSksIHt9KTsKICAgIGNvbnN0IGNyZWF0ZVF1ZXJ5UGFyYW1zID0gX2EgPT4gewogICAgICAgIHZhciB7Y2xpZW50SWQ6IGNsaWVudF9pZH0gPSBfYSwgcGFyYW1zID0gX19yZXN0KF9hLCBbICJjbGllbnRJZCIgXSk7CiAgICAgICAgcmV0dXJuIG5ldyBVUkxTZWFyY2hQYXJhbXMoc3RyaXBVbmRlZmluZWQoT2JqZWN0LmFzc2lnbih7CiAgICAgICAgICAgIGNsaWVudF9pZDogY2xpZW50X2lkCiAgICAgICAgfSwgcGFyYW1zKSkpLnRvU3RyaW5nKCk7CiAgICB9OwogICAgY29uc3QgZnJvbUVudHJpZXMgPSBpdGVyYWJsZSA9PiBbIC4uLml0ZXJhYmxlIF0ucmVkdWNlKCgob2JqLCBba2V5LCB2YWxdKSA9PiB7CiAgICAgICAgb2JqW2tleV0gPSB2YWw7CiAgICAgICAgcmV0dXJuIG9iajsKICAgIH0pLCB7fSk7CiAgICBsZXQgcmVmcmVzaFRva2VucyA9IHt9OwogICAgY29uc3QgY2FjaGVLZXkgPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiBgJHthdWRpZW5jZX18JHtzY29wZX1gOwogICAgY29uc3QgZ2V0UmVmcmVzaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gcmVmcmVzaFRva2Vuc1tjYWNoZUtleShhdWRpZW5jZSwgc2NvcGUpXTsKICAgIGNvbnN0IHNldFJlZnJlc2hUb2tlbiA9IChyZWZyZXNoVG9rZW4sIGF1ZGllbmNlLCBzY29wZSkgPT4gcmVmcmVzaFRva2Vuc1tjYWNoZUtleShhdWRpZW5jZSwgc2NvcGUpXSA9IHJlZnJlc2hUb2tlbjsKICAgIGNvbnN0IGRlbGV0ZVJlZnJlc2hUb2tlbiA9IChhdWRpZW5jZSwgc2NvcGUpID0+IGRlbGV0ZSByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgd2FpdCA9IHRpbWUgPT4gbmV3IFByb21pc2UoKHJlc29sdmUgPT4gc2V0VGltZW91dChyZXNvbHZlLCB0aW1lKSkpOwogICAgY29uc3QgZm9ybURhdGFUb09iamVjdCA9IGZvcm1EYXRhID0+IHsKICAgICAgICBjb25zdCBxdWVyeVBhcmFtcyA9IG5ldyBVUkxTZWFyY2hQYXJhbXMoZm9ybURhdGEpOwogICAgICAgIGNvbnN0IHBhcnNlZFF1ZXJ5ID0ge307CiAgICAgICAgcXVlcnlQYXJhbXMuZm9yRWFjaCgoKHZhbCwga2V5KSA9PiB7CiAgICAgICAgICAgIHBhcnNlZFF1ZXJ5W2tleV0gPSB2YWw7CiAgICAgICAgfSkpOwogICAgICAgIHJldHVybiBwYXJzZWRRdWVyeTsKICAgIH07CiAgICBjb25zdCBtZXNzYWdlSGFuZGxlciA9IGFzeW5jICh7ZGF0YToge3RpbWVvdXQ6IHRpbWVvdXQsIGF1dGg6IGF1dGgsIGZldGNoVXJsOiBmZXRjaFVybCwgZmV0Y2hPcHRpb25zOiBmZXRjaE9wdGlvbnMsIHVzZUZvcm1EYXRhOiB1c2VGb3JtRGF0YX0sIHBvcnRzOiBbcG9ydF19KSA9PiB7CiAgICAgICAgbGV0IGhlYWRlcnMgPSB7fTsKICAgICAgICBsZXQganNvbjsKICAgICAgICBjb25zdCB7YXVkaWVuY2U6IGF1ZGllbmNlLCBzY29wZTogc2NvcGV9ID0gYXV0aCB8fCB7fTsKICAgICAgICB0cnkgewogICAgICAgICAgICBjb25zdCBib2R5ID0gdXNlRm9ybURhdGEgPyBmb3JtRGF0YVRvT2JqZWN0KGZldGNoT3B0aW9ucy5ib2R5KSA6IEpTT04ucGFyc2UoZmV0Y2hPcHRpb25zLmJvZHkpOwogICAgICAgICAgICBpZiAoIWJvZHkucmVmcmVzaF90b2tlbiAmJiBib2R5LmdyYW50X3R5cGUgPT09ICJyZWZyZXNoX3Rva2VuIikgewogICAgICAgICAgICAgICAgY29uc3QgcmVmcmVzaFRva2VuID0gZ2V0UmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgICAgIHRocm93IG5ldyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IoYXVkaWVuY2UsIHNjb3BlKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5ib2R5ID0gdXNlRm9ybURhdGEgPyBjcmVhdGVRdWVyeVBhcmFtcyhPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSkgOiBKU09OLnN0cmluZ2lmeShPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgbGV0IGFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgaWYgKHR5cGVvZiBBYm9ydENvbnRyb2xsZXIgPT09ICJmdW5jdGlvbiIpIHsKICAgICAgICAgICAgICAgIGFib3J0Q29udHJvbGxlciA9IG5ldyBBYm9ydENvbnRyb2xsZXI7CiAgICAgICAgICAgICAgICBmZXRjaE9wdGlvbnMuc2lnbmFsID0gYWJvcnRDb250cm9sbGVyLnNpZ25hbDsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgcmVzcG9uc2U7CiAgICAgICAgICAgIHRyeSB7CiAgICAgICAgICAgICAgICByZXNwb25zZSA9IGF3YWl0IFByb21pc2UucmFjZShbIHdhaXQodGltZW91dCksIGZldGNoKGZldGNoVXJsLCBPYmplY3QuYXNzaWduKHt9LCBmZXRjaE9wdGlvbnMpKSBdKTsKICAgICAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBpZiAoIXJlc3BvbnNlKSB7CiAgICAgICAgICAgICAgICBpZiAoYWJvcnRDb250cm9sbGVyKSBhYm9ydENvbnRyb2xsZXIuYWJvcnQoKTsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiAiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIgogICAgICAgICAgICAgICAgfSk7CiAgICAgICAgICAgICAgICByZXR1cm47CiAgICAgICAgICAgIH0KICAgICAgICAgICAgaGVhZGVycyA9IGZyb21FbnRyaWVzKHJlc3BvbnNlLmhlYWRlcnMpOwogICAgICAgICAgICBqc29uID0gYXdhaXQgcmVzcG9uc2UuanNvbigpOwogICAgICAgICAgICBpZiAoanNvbi5yZWZyZXNoX3Rva2VuKSB7CiAgICAgICAgICAgICAgICBzZXRSZWZyZXNoVG9rZW4oanNvbi5yZWZyZXNoX3Rva2VuLCBhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgZGVsZXRlIGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgIGRlbGV0ZVJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICB9CiAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgb2s6IHJlc3BvbnNlLm9rLAogICAgICAgICAgICAgICAganNvbjoganNvbiwKICAgICAgICAgICAgICAgIGhlYWRlcnM6IGhlYWRlcnMKICAgICAgICAgICAgfSk7CiAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogZmFsc2UsCiAgICAgICAgICAgICAgICBqc29uOiB7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLmVycm9yLAogICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9CiAgICB9OwogICAgewogICAgICAgIGFkZEV2ZW50TGlzdGVuZXIoIm1lc3NhZ2UiLCBtZXNzYWdlSGFuZGxlcik7CiAgICB9Cn0pKCk7Cgo=", null, false);
     const singlePromiseMap = {};
     const singlePromise = (cb, key) => {
         let promise = singlePromiseMap[key];
@@ -1457,7 +1808,7 @@
         localstorage: () => new LocalStorageCache
     };
     const cacheFactory = location => cacheLocationBuilders[location];
-    const getAuthorizeParams = (clientOptions, scope, authorizationParams, state, nonce, code_challenge, redirect_uri, response_mode) => Object.assign(Object.assign(Object.assign({
+    const getAuthorizeParams = (clientOptions, scope, authorizationParams, state, nonce, code_challenge, redirect_uri, response_mode, thumbprint) => Object.assign(Object.assign(Object.assign({
         client_id: clientOptions.clientId
     }, clientOptions.authorizationParams), authorizationParams), {
         scope: getUniqueScopes(scope, authorizationParams.scope),
@@ -1467,7 +1818,8 @@
         nonce: nonce,
         redirect_uri: redirect_uri || clientOptions.authorizationParams.redirect_uri,
         code_challenge: code_challenge,
-        code_challenge_method: "S256"
+        code_challenge_method: "S256",
+        dpop_jkt: thumbprint
     });
     const patchOpenUrlWithOnRedirect = options => {
         const {openUrl: openUrl, onRedirect: onRedirect} = options, originalOptions = __rest(options, [ "openUrl", "onRedirect" ]);
@@ -1476,6 +1828,208 @@
         });
         return result;
     };
+    const VERSION = 1;
+    const NAME = "auth0-spa-js";
+    const TABLES = {
+        NONCE: "nonce",
+        KEYPAIR: "keypair"
+    };
+    const AUTH0_NONCE_ID = "auth0";
+    class DpopStorage {
+        constructor(clientId) {
+            this.clientId = clientId;
+        }
+        getVersion() {
+            return VERSION;
+        }
+        createDbHandle() {
+            const req = window.indexedDB.open(NAME, this.getVersion());
+            return new Promise(((resolve, reject) => {
+                req.onupgradeneeded = () => Object.values(TABLES).forEach((t => req.result.createObjectStore(t)));
+                req.onerror = () => reject(req.error);
+                req.onsuccess = () => resolve(req.result);
+            }));
+        }
+        async getDbHandle() {
+            if (!this.dbHandle) {
+                this.dbHandle = await this.createDbHandle();
+            }
+            return this.dbHandle;
+        }
+        async executeDbRequest(table, mode, requestFactory) {
+            const db = await this.getDbHandle();
+            const txn = db.transaction(table, mode);
+            const store = txn.objectStore(table);
+            const request = requestFactory(store);
+            return new Promise(((resolve, reject) => {
+                request.onsuccess = () => resolve(request.result);
+                request.onerror = () => reject(request.error);
+            }));
+        }
+        buildKey(id) {
+            const finalId = id ? `_${id}` : AUTH0_NONCE_ID;
+            return `${this.clientId}::${finalId}`;
+        }
+        setNonce(nonce, id) {
+            return this.save(TABLES.NONCE, this.buildKey(id), nonce);
+        }
+        setKeyPair(keyPair) {
+            return this.save(TABLES.KEYPAIR, this.buildKey(), keyPair);
+        }
+        async save(table, key, obj) {
+            return void await this.executeDbRequest(table, "readwrite", (table => table.put(obj, key)));
+        }
+        findNonce(id) {
+            return this.find(TABLES.NONCE, this.buildKey(id));
+        }
+        findKeyPair() {
+            return this.find(TABLES.KEYPAIR, this.buildKey());
+        }
+        find(table, key) {
+            return this.executeDbRequest(table, "readonly", (table => table.get(key)));
+        }
+        async deleteBy(table, predicate) {
+            const allKeys = await this.executeDbRequest(table, "readonly", (table => table.getAllKeys()));
+            allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map((k => this.executeDbRequest(table, "readwrite", (table => table.delete(k)))));
+        }
+        deleteByClientId(table, clientId) {
+            return this.deleteBy(table, (k => typeof k === "string" && k.startsWith(`${clientId}::`)));
+        }
+        clearNonces() {
+            return this.deleteByClientId(TABLES.NONCE, this.clientId);
+        }
+        clearKeyPairs() {
+            return this.deleteByClientId(TABLES.KEYPAIR, this.clientId);
+        }
+    }
+    class Dpop {
+        constructor(clientId) {
+            this.storage = new DpopStorage(clientId);
+        }
+        getNonce(id) {
+            return this.storage.findNonce(id);
+        }
+        setNonce(nonce, id) {
+            return this.storage.setNonce(nonce, id);
+        }
+        async getOrGenerateKeyPair() {
+            let keyPair = await this.storage.findKeyPair();
+            if (!keyPair) {
+                keyPair = await generateKeyPair();
+                await this.storage.setKeyPair(keyPair);
+            }
+            return keyPair;
+        }
+        async generateProof(params) {
+            const keyPair = await this.getOrGenerateKeyPair();
+            return generateProof(Object.assign({
+                keyPair: keyPair
+            }, params));
+        }
+        async calculateThumbprint() {
+            const keyPair = await this.getOrGenerateKeyPair();
+            return calculateThumbprint(keyPair);
+        }
+        async clear() {
+            await Promise.all([ this.storage.clearNonces(), this.storage.clearKeyPairs() ]);
+        }
+    }
+    class Fetcher {
+        constructor(config, hooks) {
+            this.hooks = hooks;
+            this.config = Object.assign(Object.assign({}, config), {
+                fetch: config.fetch || (typeof window === "undefined" ? fetch : window.fetch.bind(window))
+            });
+        }
+        isAbsoluteUrl(url) {
+            return /^(https?:)?\/\//i.test(url);
+        }
+        buildUrl(baseUrl, url) {
+            if (url) {
+                if (this.isAbsoluteUrl(url)) {
+                    return url;
+                }
+                if (baseUrl) {
+                    return `${baseUrl.replace(/\/?\/$/, "")}/${url.replace(/^\/+/, "")}`;
+                }
+            }
+            throw new TypeError("`url` must be absolute or `baseUrl` non-empty.");
+        }
+        getAccessToken() {
+            return this.config.getAccessToken ? this.config.getAccessToken() : this.hooks.getAccessToken();
+        }
+        buildBaseRequest(info, init) {
+            const request = new Request(info, init);
+            if (!this.config.baseUrl) {
+                return request;
+            }
+            return new Request(this.buildUrl(this.config.baseUrl, request.url), request);
+        }
+        async setAuthorizationHeader(request, accessToken) {
+            request.headers.set("authorization", `${this.config.dpopNonceId ? "DPoP" : "Bearer"} ${accessToken}`);
+        }
+        async setDpopProofHeader(request, accessToken) {
+            if (!this.config.dpopNonceId) {
+                return;
+            }
+            const dpopNonce = await this.hooks.getDpopNonce();
+            const dpopProof = await this.hooks.generateDpopProof({
+                accessToken: accessToken,
+                method: request.method,
+                nonce: dpopNonce,
+                url: request.url
+            });
+            request.headers.set("dpop", dpopProof);
+        }
+        async prepareRequest(request) {
+            const accessToken = await this.getAccessToken();
+            this.setAuthorizationHeader(request, accessToken);
+            await this.setDpopProofHeader(request, accessToken);
+        }
+        getHeader(headers, name) {
+            if (Array.isArray(headers)) {
+                return new Headers(headers).get(name) || "";
+            }
+            if (typeof headers.get === "function") {
+                return headers.get(name) || "";
+            }
+            return headers[name] || "";
+        }
+        hasUseDpopNonceError(response) {
+            if (response.status !== 401) {
+                return false;
+            }
+            const wwwAuthHeader = this.getHeader(response.headers, "www-authenticate");
+            return wwwAuthHeader.includes("use_dpop_nonce");
+        }
+        async handleResponse(response, callbacks) {
+            const newDpopNonce = this.getHeader(response.headers, DPOP_NONCE_HEADER);
+            if (newDpopNonce) {
+                await this.hooks.setDpopNonce(newDpopNonce);
+            }
+            if (!this.hasUseDpopNonceError(response)) {
+                return response;
+            }
+            if (!newDpopNonce || !callbacks.onUseDpopNonceError) {
+                throw new UseDpopNonceError(newDpopNonce);
+            }
+            return callbacks.onUseDpopNonceError();
+        }
+        async internalFetchWithAuth(info, init, callbacks) {
+            const request = this.buildBaseRequest(info, init);
+            await this.prepareRequest(request);
+            const response = await this.config.fetch(request);
+            return this.handleResponse(response, callbacks);
+        }
+        fetchWithAuth(info, init) {
+            const callbacks = {
+                onUseDpopNonceError: () => this.internalFetchWithAuth(info, init, Object.assign(Object.assign({}, callbacks), {
+                    onUseDpopNonceError: undefined
+                }))
+            };
+            return this.internalFetchWithAuth(info, init, callbacks);
+        }
+    }
     const lock = new Lock;
     class Auth0Client {
         constructor(options) {
@@ -1519,6 +2073,7 @@
             this.transactionManager = new TransactionManager(transactionStorage, this.options.clientId, this.options.cookieDomain);
             this.nowProvider = this.options.nowProvider || DEFAULT_NOW_PROVIDER;
             this.cacheManager = new CacheManager(cache, !cache.allKeys ? new CacheKeyManifest(cache, this.options.clientId) : undefined, this.nowProvider);
+            this.dpop = this.options.useDpop ? new Dpop(this.options.clientId) : undefined;
             this.domainUrl = getDomain(this.options.domain);
             this.tokenIssuer = getTokenIssuer(this.options.issuer, this.domainUrl);
             if (typeof window !== "undefined" && window.Worker && this.options.useRefreshTokens && cacheLocation === CACHE_LOCATION_MEMORY) {
@@ -1562,12 +2117,14 @@
             }
         }
         async _prepareAuthorizeUrl(authorizationParams, authorizeOptions, fallbackRedirectUri) {
+            var _a;
             const state = encode(createRandomString());
             const nonce = encode(createRandomString());
             const code_verifier = createRandomString();
             const code_challengeBuffer = await sha256(code_verifier);
             const code_challenge = bufferToBase64UrlEncoded(code_challengeBuffer);
-            const params = getAuthorizeParams(this.options, this.scope, authorizationParams, state, nonce, code_challenge, authorizationParams.redirect_uri || this.options.authorizationParams.redirect_uri || fallbackRedirectUri, authorizeOptions === null || authorizeOptions === void 0 ? void 0 : authorizeOptions.response_mode);
+            const thumbprint = await ((_a = this.dpop) === null || _a === void 0 ? void 0 : _a.calculateThumbprint());
+            const params = getAuthorizeParams(this.options, this.scope, authorizationParams, state, nonce, code_challenge, authorizationParams.redirect_uri || this.options.authorizationParams.redirect_uri || fallbackRedirectUri, authorizeOptions === null || authorizeOptions === void 0 ? void 0 : authorizeOptions.response_mode, thumbprint);
             const url = this._authorizeUrl(params);
             return {
                 nonce: nonce,
@@ -1732,9 +2289,10 @@
                         }
                     }
                     const authResult = this.options.useRefreshTokens ? await this._getTokenUsingRefreshToken(getTokenOptions) : await this._getTokenFromIFrame(getTokenOptions);
-                    const {id_token: id_token, access_token: access_token, oauthTokenScope: oauthTokenScope, expires_in: expires_in} = authResult;
+                    const {id_token: id_token, token_type: token_type, access_token: access_token, oauthTokenScope: oauthTokenScope, expires_in: expires_in} = authResult;
                     return Object.assign(Object.assign({
                         id_token: id_token,
+                        token_type: token_type,
                         access_token: access_token
                     }, oauthTokenScope ? {
                         scope: oauthTokenScope
@@ -1783,7 +2341,8 @@
             return url + federatedQuery;
         }
         async logout(options = {}) {
-            const _a = patchOpenUrlWithOnRedirect(options), {openUrl: openUrl} = _a, logoutOptions = __rest(_a, [ "openUrl" ]);
+            var _a;
+            const _b = patchOpenUrlWithOnRedirect(options), {openUrl: openUrl} = _b, logoutOptions = __rest(_b, [ "openUrl" ]);
             if (options.clientId === null) {
                 await this.cacheManager.clear();
             } else {
@@ -1796,6 +2355,7 @@
                 cookieDomain: this.options.cookieDomain
             });
             this.userCache.remove(CACHE_KEY_ID_TOKEN_SUFFIX);
+            await ((_a = this.dpop) === null || _a === void 0 ? void 0 : _a.clear());
             const url = this._buildLogoutUrl(logoutOptions);
             if (openUrl) {
                 await openUrl(url);
@@ -1819,7 +2379,13 @@
                     throw new GenericError("login_required", "The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");
                 }
                 const authorizeTimeout = options.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
-                const codeResult = await runIframe(url, this.domainUrl, authorizeTimeout);
+                let eventOrigin;
+                try {
+                    eventOrigin = new URL(this.domainUrl).origin;
+                } catch (_a) {
+                    eventOrigin = this.domainUrl;
+                }
+                const codeResult = await runIframe(url, eventOrigin, authorizeTimeout);
                 if (stateIn !== codeResult.state) {
                     throw new GenericError("state_mismatch", "Invalid state");
                 }
@@ -1911,10 +2477,11 @@
                 clientId: clientId
             }), 60);
             if (entry && entry.access_token) {
-                const {access_token: access_token, oauthTokenScope: oauthTokenScope, expires_in: expires_in} = entry;
+                const {token_type: token_type, access_token: access_token, oauthTokenScope: oauthTokenScope, expires_in: expires_in} = entry;
                 const cache = await this._getIdTokenFromCache();
                 return cache && Object.assign(Object.assign({
                     id_token: cache.id_token,
+                    token_type: token_type ? token_type : "Bearer",
                     access_token: access_token
                 }, oauthTokenScope ? {
                     scope: oauthTokenScope
@@ -1930,7 +2497,8 @@
                 client_id: this.options.clientId,
                 auth0Client: this.options.auth0Client,
                 useFormData: this.options.useFormData,
-                timeout: this.httpTimeoutMs
+                timeout: this.httpTimeoutMs,
+                dpop: this.dpop
             }, options), this.worker);
             const decodedToken = await this._verifyIdToken(authResult.id_token, nonceIn, organization);
             await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({}, authResult), {
@@ -1957,7 +2525,36 @@
                 subject_token: options.subject_token,
                 subject_token_type: options.subject_token_type,
                 scope: getUniqueScopes(options.scope, this.scope),
-                audience: this.options.authorizationParams.audience
+                audience: options.audience || this.options.authorizationParams.audience
+            });
+        }
+        _assertDpop(dpop) {
+            if (!dpop) {
+                throw new Error("`useDpop` option must be enabled before using DPoP.");
+            }
+        }
+        getDpopNonce(id) {
+            this._assertDpop(this.dpop);
+            return this.dpop.getNonce(id);
+        }
+        setDpopNonce(nonce, id) {
+            this._assertDpop(this.dpop);
+            return this.dpop.setNonce(nonce, id);
+        }
+        generateDpopProof(params) {
+            this._assertDpop(this.dpop);
+            return this.dpop.generateProof(params);
+        }
+        createFetcher(config = {}) {
+            if (this.options.useDpop && !config.dpopNonceId) {
+                throw new TypeError("When `useDpop` is enabled, `dpopNonceId` must be set when calling `createFetcher()`.");
+            }
+            return new Fetcher(config, {
+                isDpopEnabled: () => !!this.options.useDpop,
+                getAccessToken: () => this.getTokenSilently(),
+                getDpopNonce: () => this.getDpopNonce(config.dpopNonceId),
+                setDpopNonce: nonce => this.setDpopNonce(nonce),
+                generateDpopProof: params => this.generateDpopProof(params)
             });
         }
     }
@@ -1978,6 +2575,7 @@
     exports.PopupCancelledError = PopupCancelledError;
     exports.PopupTimeoutError = PopupTimeoutError;
     exports.TimeoutError = TimeoutError;
+    exports.UseDpopNonceError = UseDpopNonceError;
     exports.User = User;
     exports.createAuth0Client = createAuth0Client;
     Object.defineProperty(exports, "__esModule", {