npm - @axa-fr/oidc-client - Versions diffs - 7.27.0 → 7.27.2 - Mend

@axa-fr/oidc-client 7.27.0 → 7.27.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.umd.cjs CHANGED Viewed

@@ -1,2 +1,2 @@
-(function(C,D){typeof exports=="object"&&typeof module<"u"?D(exports):typeof define=="function"&&define.amd?define(["exports"],D):(C=typeof globalThis<"u"?globalThis:C||self,D(C["oidc-client"]={}))})(this,(function(C){"use strict";class D{open(n){window.location.href=n}reload(){window.location.reload()}getCurrentHref(){return window.location.href}getPath(){const n=window.location;return n.pathname+(n.search||"")+(n.hash||"")}getOrigin(){return window.origin}}const ke=2e3,V=console;class Ke{constructor(n,t,s,o=ke,i=!0){this._callback=n,this._client_id=t,this._url=s,this._interval=o||ke,this._stopOnError=i;const r=s.indexOf("/",s.indexOf("//")+2);this._frame_origin=s.substring(0,r),this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="absolute",this._frame.style.display="none",this._frame.width=0,this._frame.height=0,this._frame.src=s}load(){return new Promise(n=>{this._frame.onload=()=>{n()},window.document.body.appendChild(this._frame),this._boundMessageEvent=this._message.bind(this),window.addEventListener("message",this._boundMessageEvent,!1)})}_message(n){n.origin===this._frame_origin&&n.source===this._frame.contentWindow&&(n.data==="error"?(V.error("CheckSessionIFrame: error message from check session op iframe"),this._stopOnError&&this.stop()):n.data==="changed"?(V.debug(n),V.debug("CheckSessionIFrame: changed message from check session op iframe"),this.stop(),this._callback()):V.debug("CheckSessionIFrame: "+n.data+" message from check session op iframe"))}start(n){V.debug("CheckSessionIFrame.start :"+n),this.stop();const t=()=>{this._frame.contentWindow.postMessage(this._client_id+" "+n,this._frame_origin)};t(),this._timer=window.setInterval(t,this._interval)}stop(){this._timer&&(V.debug("CheckSessionIFrame.stop"),window.clearInterval(this._timer),this._timer=null)}}const k={service_worker_not_supported_by_browser:"service_worker_not_supported_by_browser",token_acquired:"token_acquired",logout_from_another_tab:"logout_from_another_tab",logout_from_same_tab:"logout_from_same_tab",token_renewed:"token_renewed",token_timer:"token_timer",loginAsync_begin:"loginAsync_begin",loginAsync_error:"loginAsync_error",loginCallbackAsync_begin:"loginCallbackAsync_begin",loginCallbackAsync_end:"loginCallbackAsync_end",loginCallbackAsync_error:"loginCallbackAsync_error",refreshTokensAsync_begin:"refreshTokensAsync_begin",refreshTokensAsync:"refreshTokensAsync",refreshTokensAsync_end:"refreshTokensAsync_end",refreshTokensAsync_error:"refreshTokensAsync_error",refreshTokensAsync_silent_error:"refreshTokensAsync_silent_error",tryKeepExistingSessionAsync_begin:"tryKeepExistingSessionAsync_begin",tryKeepExistingSessionAsync_end:"tryKeepExistingSessionAsync_end",tryKeepExistingSessionAsync_error:"tryKeepExistingSessionAsync_error",silentLoginAsync_begin:"silentLoginAsync_begin",silentLoginAsync:"silentLoginAsync",silentLoginAsync_end:"silentLoginAsync_end",silentLoginAsync_error:"silentLoginAsync_error",syncTokensAsync_begin:"syncTokensAsync_begin",syncTokensAsync_lock_not_available:"syncTokensAsync_lock_not_available",syncTokensAsync_end:"syncTokensAsync_end",syncTokensAsync_error:"syncTokensAsync_error",tokensInvalidAndWaitingActionsToRefresh:"tokensInvalidAndWaitingActionsToRefresh"},x=(e,n=sessionStorage,t)=>{const s=t??n,o=w=>(n[`oidc.${e}`]=JSON.stringify({tokens:null,status:w}),delete n[`oidc.${e}.userInfo`],t&&t!==n&&(delete s[`oidc.login.${e}`],delete s[`oidc.state.${e}`],delete s[`oidc.code_verifier.${e}`],delete s[`oidc.nonce.${e}`]),Promise.resolve()),i=async()=>{if(!n[`oidc.${e}`])return n[`oidc.${e}`]=JSON.stringify({tokens:null,status:null}),{tokens:null,status:null};const w=JSON.parse(n[`oidc.${e}`]);return Promise.resolve({tokens:w.tokens,status:w.status})},r=w=>{n[`oidc.${e}`]=JSON.stringify({tokens:w})},a=async w=>{n[`oidc.session_state.${e}`]=w},c=async()=>n[`oidc.session_state.${e}`],f=w=>{s[`oidc.nonce.${e}`]=w.nonce},u=w=>{n[`oidc.jwk.${e}`]=JSON.stringify(w)},l=()=>JSON.parse(n[`oidc.jwk.${e}`]),h=async()=>({nonce:s[`oidc.nonce.${e}`]}),_=async w=>{n[`oidc.dpop_nonce.${e}`]=w},m=()=>n[`oidc.dpop_nonce.${e}`],p=()=>n[`oidc.${e}`]?JSON.stringify({tokens:JSON.parse(n[`oidc.${e}`]).tokens}):null,g={};return{clearAsync:o,initAsync:i,setTokens:r,getTokens:p,setSessionStateAsync:a,getSessionStateAsync:c,setNonceAsync:f,getNonceAsync:h,setLoginParams:w=>{g[e]=w,s[`oidc.login.${e}`]=JSON.stringify(w)},getLoginParams:()=>{const w=s[`oidc.login.${e}`];return w?(g[e]||(g[e]=JSON.parse(w)),g[e]):(console.warn(`storage[oidc.login.${e}] is empty, you should have an bad OIDC or code configuration somewhere.`),null)},getStateAsync:async()=>s[`oidc.state.${e}`],setStateAsync:async w=>{s[`oidc.state.${e}`]=w},getCodeVerifierAsync:async()=>s[`oidc.code_verifier.${e}`],setCodeVerifierAsync:async w=>{s[`oidc.code_verifier.${e}`]=w},setDemonstratingProofOfPossessionNonce:_,getDemonstratingProofOfPossessionNonce:m,setDemonstratingProofOfPossessionJwkAsync:u,getDemonstratingProofOfPossessionJwkAsync:l}};var F=(e=>(e.AutomaticBeforeTokenExpiration="AutomaticBeforeTokensExpiration",e.AutomaticOnlyWhenFetchExecuted="AutomaticOnlyWhenFetchExecuted",e))(F||{});const Ue=e=>decodeURIComponent(Array.prototype.map.call(atob(e),n=>"%"+("00"+n.charCodeAt(0).toString(16)).slice(-2)).join("")),Ve=e=>JSON.parse(Ue(e.replaceAll(/-/g,"+").replaceAll(/_/g,"/"))),me=e=>{try{return e&&Fe(e,".")===2?Ve(e.split(".")[1]):null}catch(n){console.warn(n)}return null},Fe=(e,n)=>e.split(n).length-1,X={access_token_or_id_token_invalid:"access_token_or_id_token_invalid",access_token_invalid:"access_token_invalid",id_token_invalid:"id_token_invalid"};function Me(e,n,t){if(e.issuedAt){if(typeof e.issuedAt=="string")return parseInt(e.issuedAt,10)}else return n&&n.iat?n.iat:t&&t.iat?t.iat:new Date().getTime()/1e3;return e.issuedAt}const ie=(e,n=null,t)=>{if(!e)return null;let s;const o=typeof e.expiresIn=="string"?parseInt(e.expiresIn,10):e.expiresIn;e.accessTokenPayload!==void 0?s=e.accessTokenPayload:s=me(e.accessToken);let i;n!=null&&"idToken"in n&&!("idToken"in e)?i=n.idToken:i=e.idToken;const r=e.idTokenPayload?e.idTokenPayload:me(i),a=r&&r.exp?r.exp:Number.MAX_VALUE,c=s&&s.exp?s.exp:e.issuedAt+o;e.issuedAt=Me(e,s,r);let f;e.expiresAt?f=e.expiresAt:t===X.access_token_invalid?f=c:t===X.id_token_invalid?f=a:f=a<c?a:c;const u={...e,idTokenPayload:r,accessTokenPayload:s,expiresAt:f,idToken:i};if(n!=null&&"refreshToken"in n&&!("refreshToken"in e)){const l=n.refreshToken;return{...u,refreshToken:l}}return u},re=(e,n,t)=>{if(!e)return null;if(!e.issued_at){const o=new Date().getTime()/1e3;e.issued_at=o}const s={accessToken:e.access_token,expiresIn:e.expires_in,idToken:e.id_token,scope:e.scope,tokenType:e.token_type,issuedAt:e.issued_at};return"refresh_token"in e&&(s.refreshToken=e.refresh_token),e.accessTokenPayload!==void 0&&(s.accessTokenPayload=e.accessTokenPayload),e.idTokenPayload!==void 0&&(s.idTokenPayload=e.idTokenPayload),ie(s,n,t)},J=(e,n)=>{const t=new Date().getTime()/1e3,s=n-t;return Math.round(s-e)},Be=(e,n=0)=>e?J(n,e.expiresAt)>0:!1,we=async(e,n=200,t=50)=>{let s=t,o=await e.syncTokensInfoAsync();for(;[b.REQUIRE_SYNC_TOKENS,b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,b.TOKENS_INVALID].includes(o)&&s>0;){if(e.configuration.token_automatic_renew_mode==F.AutomaticOnlyWhenFetchExecuted){await e.renewTokensAsync({});break}else await Q({milliseconds:n});s=s-1,o=await e.syncTokensInfoAsync()}return{isTokensValid:Be(e.getTokens()),tokens:e.getTokens(),numberWaited:s-t}},pe=(e,n,t)=>{if(e.idTokenPayload){const s=e.idTokenPayload;if(t.issuer!==s.iss)return{isValid:!1,reason:`Issuer does not match (oidcServerConfiguration issuer) ${t.issuer} !== (idTokenPayload issuer) ${s.iss}`};const o=new Date().getTime()/1e3;if(s.exp&&s.exp<o)return{isValid:!1,reason:`Token expired (idTokenPayload exp) ${s.exp} < (currentTimeUnixSecond) ${o}`};const i=3600*24*7;if(s.iat&&s.iat+i<o)return{isValid:!1,reason:`Token is used from too long time (idTokenPayload iat + timeInSevenDays) ${s.iat+i} < (currentTimeUnixSecond) ${o}`};if(s.nonce&&s.nonce!==n)return{isValid:!1,reason:`Nonce does not match (idTokenPayload nonce) ${s.nonce} !== (nonce) ${n}`}}return{isValid:!0,reason:""}},$=(function(){const e=typeof window>"u"?global:window;return{setTimeout:setTimeout.bind(e),clearTimeout:clearTimeout.bind(e),setInterval:setInterval.bind(e),clearInterval:clearInterval.bind(e)}})(),ae="7.27.0";let Ae=null,z;const Q=({milliseconds:e})=>new Promise(n=>$.setTimeout(n,e)),Se=(e="/")=>{try{z=new AbortController,fetch(`${e}OidcKeepAliveServiceWorker.json?minSleepSeconds=150`,{signal:z.signal}).catch(s=>{console.log(s)}),Q({milliseconds:150*1e3}).then(()=>Se(e))}catch(n){console.log(n)}},Z=()=>{z&&z.abort()},Te=e=>{const n=`oidc.tabId.${e}`,t=sessionStorage.getItem(n);if(t)return t;const s=globalThis.crypto.randomUUID();return sessionStorage.setItem(n,s),s},Je=5e3,He=e=>navigator.serviceWorker.controller??e.active??e.waiting??e.installing??null,I=(e,n)=>t=>{const s=n?.timeoutMs??Je;return new Promise((o,i)=>{const r=He(e);if(!r){i(new Error("Service worker target not available (controller/active/waiting/installing missing)"));return}const a=new MessageChannel;let c=null;const f=()=>{try{c!=null&&($.clearTimeout(c),c=null),a.port1.onmessage=null,a.port1.close(),a.port2.close()}catch(u){console.error(u)}};c=$.setTimeout(()=>{f(),i(new Error(`Service worker did not respond within ${s}ms (type=${t?.type})`))},s),a.port1.onmessage=u=>{f(),u?.data?.error?i(u.data.error):o(u.data)};try{const u=t?.configurationName;r.postMessage({...t,tabId:Te(u??"default")},[a.port2])}catch(u){f(),i(u)}})},je=async e=>navigator.serviceWorker.controller?navigator.serviceWorker.controller:new Promise(n=>{let t=!1;const s=()=>{t||(t=!0,navigator.serviceWorker.removeEventListener("controllerchange",s),n(navigator.serviceWorker.controller??null))};navigator.serviceWorker.addEventListener("controllerchange",s),$.setTimeout(()=>{t||(t=!0,navigator.serviceWorker.removeEventListener("controllerchange",s),n(navigator.serviceWorker.controller??null))},e)}),W=async(e,n)=>{const t=e.service_worker_relative_url;if(typeof window>"u"||typeof navigator>"u"||!navigator.serviceWorker||!t||e.service_worker_activate()===!1)return null;const s=`${t}?v=${ae}`;let o=null;e.service_worker_register?o=await e.service_worker_register(t):o=await navigator.serviceWorker.register(s,{updateViaCache:"none"});const i=`oidc.sw.version_mismatch_reload.${n}`,r=async()=>{Z(),console.log("New SW waiting – SKIP_WAITING");try{await I(o,{timeoutMs:8e3})({type:"SKIP_WAITING",configurationName:n,data:null})}catch(d){console.warn("SKIP_WAITING failed",d)}},a=d=>{Z(),d.addEventListener("statechange",async()=>{d.state==="installed"&&navigator.serviceWorker.controller&&await r()})};o.addEventListener("updatefound",()=>{const d=o.installing;d&&a(d)}),o.installing?a(o.installing):o.waiting&&navigator.serviceWorker.controller&&r();try{await o.update()}catch(d){console.error(d)}const c=`oidc.sw.controllerchange.reloaded.${n}`;navigator.serviceWorker.addEventListener("controllerchange",()=>{try{if(sessionStorage.getItem(c)==="1")return;sessionStorage.setItem(c,"1")}catch{}console.log("SW controller changed – reloading page"),Z(),window.location.reload()});try{await navigator.serviceWorker.ready,navigator.serviceWorker.controller||(await I(o,{timeoutMs:8e3})({type:"claim",configurationName:n,data:null}),await je(2e3))}catch(d){return console.warn(`Failed init ServiceWorker ${d?.toString?.()??String(d)}`),null}const f=async d=>I(o)({type:"clear",data:{status:d},configurationName:n}),u=async(d,K,E)=>{const P=await I(o)({type:"init",data:{oidcServerConfiguration:d,where:K,oidcConfiguration:{token_renew_mode:E.token_renew_mode,service_worker_convert_all_requests_to_cors:E.service_worker_convert_all_requests_to_cors}},configurationName:n}),se=P.version;if(se!==ae){console.warn(`Service worker ${se} version mismatch with js client version ${ae}, unregistering and reloading`);const Y=parseInt(sessionStorage.getItem(i)??"0",10);if(Y<3)if(sessionStorage.setItem(i,String(Y+1)),o.waiting)await r();else{Z();try{await o.update()}catch(Re){console.error(Re)}const oe=await o.unregister();console.log(`Service worker unregistering ${oe}`),await Q({milliseconds:2e3}),window.location.reload()}else console.error(`Service worker version mismatch persists after ${Y} attempt(s). Continuing with mismatched version.`),sessionStorage.removeItem(i)}else sessionStorage.removeItem(i);return{tokens:re(P.tokens,null,E.token_renew_mode),status:P.status}},l=(d="/")=>{Ae==null&&(Ae="not_null",Se(d))},h=d=>I(o)({type:"setSessionState",data:{sessionState:d},configurationName:n}),_=async()=>(await I(o)({type:"getSessionState",data:null,configurationName:n})).sessionState,m=d=>(sessionStorage[`oidc.nonce.${n}`]=d.nonce,I(o)({type:"setNonce",data:{nonce:d},configurationName:n})),p=async(d=!0)=>{let E=(await I(o)({type:"getNonce",data:null,configurationName:n})).nonce;return E||(E=sessionStorage[`oidc.nonce.${n}`],console.warn("nonce not found in service worker, using sessionStorage"),d&&(await m(E),E=(await p(!1)).nonce)),{nonce:E}},g={},y=d=>{g[n]=d,localStorage[`oidc.login.${n}`]=JSON.stringify(d)},A=()=>{const d=localStorage[`oidc.login.${n}`];return g[n]||(g[n]=JSON.parse(d)),g[n]},S=async d=>{await I(o)({type:"setDemonstratingProofOfPossessionNonce",data:{demonstratingProofOfPossessionNonce:d},configurationName:n})},O=async()=>(await I(o)({type:"getDemonstratingProofOfPossessionNonce",data:null,configurationName:n})).demonstratingProofOfPossessionNonce,T=async d=>{const K=JSON.stringify(d);await I(o)({type:"setDemonstratingProofOfPossessionJwk",data:{demonstratingProofOfPossessionJwkJson:K},configurationName:n})},N=async()=>{const d=await I(o)({type:"getDemonstratingProofOfPossessionJwk",data:null,configurationName:n});return d.demonstratingProofOfPossessionJwkJson?JSON.parse(d.demonstratingProofOfPossessionJwkJson):null},w=async(d=!0)=>{let E=(await I(o)({type:"getState",data:null,configurationName:n})).state;return E||(E=sessionStorage[`oidc.state.${n}`],console.warn("state not found in service worker, using sessionStorage"),d&&(await q(E),E=await w(!1))),E},q=async d=>(sessionStorage[`oidc.state.${n}`]=d,I(o)({type:"setState",data:{state:d},configurationName:n})),R=async(d=!0)=>{let E=(await I(o)({type:"getCodeVerifier",data:null,configurationName:n})).codeVerifier;return E||(E=sessionStorage[`oidc.code_verifier.${n}`],console.warn("codeVerifier not found in service worker, using sessionStorage"),d&&(await v(E),E=await R(!1))),E},v=async d=>(sessionStorage[`oidc.code_verifier.${n}`]=d,I(o)({type:"setCodeVerifier",data:{codeVerifier:d},configurationName:n}));return{clearAsync:f,initAsync:u,startKeepAliveServiceWorker:()=>l(e.service_worker_keep_alive_path),setSessionStateAsync:h,getSessionStateAsync:_,setNonceAsync:m,getNonceAsync:p,setLoginParams:y,getLoginParams:A,getStateAsync:w,setStateAsync:q,getCodeVerifierAsync:R,setCodeVerifierAsync:v,setDemonstratingProofOfPossessionNonce:S,getDemonstratingProofOfPossessionNonce:O,setDemonstratingProofOfPossessionJwkAsync:T,getDemonstratingProofOfPossessionJwkAsync:N}},M={},Ge=(e,n=window.sessionStorage,t)=>{if(!M[e]&&n){const o=n.getItem(e);o&&(M[e]=JSON.parse(o))}const s=1e3*t;return M[e]&&M[e].timestamp+s>Date.now()?M[e].result:null},qe=(e,n,t=window.sessionStorage)=>{const s=Date.now();M[e]={result:n,timestamp:s},t&&t.setItem(e,JSON.stringify({result:n,timestamp:s}))};function ve(e){return new TextEncoder().encode(e)}function Ee(e){return btoa(e).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+/g,"")}function Ye(e){return encodeURIComponent(e).replace(/%([0-9A-F]{2})/g,function(t,s){return String.fromCharCode(parseInt(s,16))})}const ce=e=>{let n="";return e.forEach(function(t){n+=String.fromCharCode(t)}),Ee(n)};function Oe(e){return Ee(Ye(e))}const Xe={importKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256",hash:{name:"ES256"}},signAlgorithm:{name:"ECDSA",hash:{name:"SHA-256"}},generateKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256"},digestAlgorithm:{name:"SHA-256"},jwtHeaderAlgorithm:"ES256"},ze={sign:e=>async(n,t,s,o,i="dpop+jwt")=>{switch(n=Object.assign({},n),t.typ=i,t.alg=o.jwtHeaderAlgorithm,t.alg){case"ES256":t.jwk={kty:n.kty,crv:n.crv,x:n.x,y:n.y};break;case"RS256":t.jwk={kty:n.kty,n:n.n,e:n.e,kid:t.kid};break;default:throw new Error("Unknown or not implemented JWS algorithm")}const r={protected:Oe(JSON.stringify(t)),payload:Oe(JSON.stringify(s))},a=o.importKeyAlgorithm,c=!0,f=["sign"],u=await e.crypto.subtle.importKey("jwk",n,a,c,f),l=ve(`${r.protected}.${r.payload}`),h=o.signAlgorithm,_=await e.crypto.subtle.sign(h,u,l);return r.signature=ce(new Uint8Array(_)),`${r.protected}.${r.payload}.${r.signature}`}},Qe={generate:e=>async n=>{const t=n,s=!0,o=["sign","verify"],i=await e.crypto.subtle.generateKey(t,s,o);return await e.crypto.subtle.exportKey("jwk",i.privateKey)},neuter:e=>{const n=Object.assign({},e);return delete n.d,n.key_ops=["verify"],n}},Ze={thumbprint:e=>async(n,t)=>{let s;switch(n.kty){case"EC":s='{"crv":"CRV","kty":"EC","x":"X","y":"Y"}'.replace("CRV",n.crv).replace("X",n.x).replace("Y",n.y);break;case"RSA":s='{"e":"E","kty":"RSA","n":"N"}'.replace("E",n.e).replace("N",n.n);break;default:throw new Error("Unknown or not implemented JWK type")}const o=await e.crypto.subtle.digest(t,ve(s));return ce(new Uint8Array(o))}},en=e=>async n=>await Qe.generate(e)(n),be=e=>n=>async(t,s="POST",o,i={})=>{const r={jti:btoa(nn()),htm:s,htu:o,iat:Math.round(Date.now()/1e3),...i},a=await Ze.thumbprint(e)(t,n.digestAlgorithm);return await ze.sign(e)(t,{kid:a},r,n)},nn=()=>{const e="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx",n="0123456789abcdef";let t=0,s="";for(let o=0;o<36;o++)e[o]!=="-"&&e[o]!=="4"&&(t=Math.random()*16|0),e[o]==="x"?s+=n[t]:e[o]==="y"?(t&=3,t|=8,s+=n[t]):s+=e[o];return s},Pe=()=>{const e=typeof window<"u"&&!!window.crypto,n=e&&!!window.crypto.subtle;return{hasCrypto:e,hasSubtleCrypto:n}},le="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",tn=e=>{const n=[];for(let t=0;t<e.byteLength;t+=1){const s=e[t]%le.length;n.push(le[s])}return n.join("")},ue=e=>{const n=new Uint8Array(e),{hasCrypto:t}=Pe();if(t)window.crypto.getRandomValues(n);else for(let s=0;s<e;s+=1)n[s]=Math.random()*le.length|0;return tn(n)};function sn(e){const n=new ArrayBuffer(e.length),t=new Uint8Array(n);for(let s=0;s<e.length;s++)t[s]=e.charCodeAt(s);return t}function Ie(e){return new Promise((n,t)=>{crypto.subtle.digest("SHA-256",sn(e)).then(s=>n(ce(new Uint8Array(s))),s=>t(s))})}const on=e=>{if(e.length<43||e.length>128)return Promise.reject(new Error("Invalid code length."));const{hasSubtleCrypto:n}=Pe();return n?Ie(e):Promise.reject(new Error("window.crypto.subtle is unavailable."))},rn=3600,an=e=>async(n,t=rn,s=window.sessionStorage,o=1e4)=>{const i=`${n}/.well-known/openid-configuration`,r=`oidc.server:${n}`,a=Ge(r,s,t);if(a)return new he(a);const c=await H(e)(i,{},o);if(c.status!==200)return null;const f=await c.json();return qe(r,f,s),new he(f)},H=e=>async(n,t={},s=1e4,o=0)=>{let i;try{const r=new AbortController;setTimeout(()=>r.abort(),s),i=await e(n,{...t,signal:r.signal})}catch(r){if(r.name==="AbortError"||r.message==="Network request failed"){if(o<=1)return await H(e)(n,t,s,o+1);throw r}else throw console.error(r.message),r}return i},_e={refresh_token:"refresh_token",access_token:"access_token"},Ne=e=>async(n,t,s=_e.refresh_token,o,i={},r=1e4)=>{const a={token:t,token_type_hint:s,client_id:o};for(const[l,h]of Object.entries(i))a[l]===void 0&&(a[l]=h);const c=[];for(const l in a){const h=encodeURIComponent(l),_=encodeURIComponent(a[l]);c.push(`${h}=${_}`)}const f=c.join("&");return(await H(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"},body:f},r)).status!==200?{success:!1}:{success:!0}},cn=e=>async(n,t,s,o,i={},r,a=1e4)=>{for(const[_,m]of Object.entries(s))t[_]===void 0&&(t[_]=m);const c=[];for(const _ in t){const m=encodeURIComponent(_),p=encodeURIComponent(t[_]);c.push(`${m}=${p}`)}const f=c.join("&"),u=await H(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...i},body:f},a);if(u.status!==200)return{success:!1,status:u.status,demonstratingProofOfPossessionNonce:null};const l=await u.json();let h=null;return u.headers.has(ee)&&(h=u.headers.get(ee)),{success:!0,status:u.status,data:re(l,o,r),demonstratingProofOfPossessionNonce:h}},ln=(e,n)=>async(t,s)=>{s=s?{...s}:{};const o=ue(128),i=await on(o);await e.setCodeVerifierAsync(o),await e.setStateAsync(s.state),s.code_challenge=i,s.code_challenge_method="S256";let r="";if(s)for(const[a,c]of Object.entries(s))r===""?r+="?":r+="&",r+=`${a}=${encodeURIComponent(c)}`;n.open(`${t}${r}`)},ee="DPoP-Nonce",un=e=>async(n,t,s,o,i=1e4)=>{t=t?{...t}:{},t.code_verifier=await e.getCodeVerifierAsync();const r=[];for(const l in t){const h=encodeURIComponent(l),_=encodeURIComponent(t[l]);r.push(`${h}=${_}`)}const a=r.join("&"),c=await H(fetch)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...s},body:a},i);if(await Promise.all([e.setCodeVerifierAsync(null),e.setStateAsync(null)]),c.status!==200)return{success:!1,status:c.status};let f=null;c.headers.has(ee)&&(f=c.headers.get(ee));const u=await c.json();return{success:!0,data:{state:t.state,tokens:re(u,null,o),demonstratingProofOfPossessionNonce:f}}};async function Ce(e,n,t,s=null){const o=c=>{e.tokens=c},{tokens:i,status:r}=await ne(e)(o,0,0,n,t,s);return await W(e.configuration,e.configurationName)||x(e.configurationName,e.configuration.storage,e.configuration.login_state_storage??e.configuration.storage).setTokens(e.tokens),e.tokens?i:(await e.destroyAsync(r),null)}async function xe(e,n=!1,t=null,s=null){const o=e.configuration,i=`${o.client_id}_${e.configurationName}_${o.authority}`;let r;const a=await W(e.configuration,e.configurationName);if(o?.storage===window?.sessionStorage&&!a||!navigator.locks)r=await Ce(e,n,t,s);else{let c="retry";for(;c==="retry";)c=await navigator.locks.request(i,{ifAvailable:!0},async f=>f?await Ce(e,n,t,s):(e.publishEvent(L.eventNames.syncTokensAsync_lock_not_available,{lock:"lock not available"}),"retry"));r=c}return r?(e.timeoutId&&(e.timeoutId=j(e,e.tokens.expiresAt,t,s)),e.tokens):null}const j=(e,n,t=null,s=null)=>{const o=e.configuration.refresh_time_before_tokens_expiration_in_second;return e.timeoutId&&$.clearTimeout(e.timeoutId),$.setTimeout(async()=>{const r={timeLeft:J(o,n)};e.publishEvent(L.eventNames.token_timer,r),await xe(e,!1,t,s)},1e3)},b={FORCE_REFRESH:"FORCE_REFRESH",SESSION_LOST:"SESSION_LOST",NOT_CONNECTED:"NOT_CONNECTED",TOKENS_VALID:"TOKENS_VALID",TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID",TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID",LOGOUT_FROM_ANOTHER_TAB:"LOGOUT_FROM_ANOTHER_TAB",REQUIRE_SYNC_TOKENS:"REQUIRE_SYNC_TOKENS",TOKENS_INVALID:"TOKENS_INVALID"},fe=e=>async(n,t,s,o=!1)=>{const i={nonce:null};if(!s)return{tokens:null,status:b.NOT_CONNECTED,nonce:i};let r=i;const a=await e.initAsync(n.authority,n.authority_configuration),c=await W(n,t);if(c){const{status:l,tokens:h}=await c.initAsync(a,"syncTokensAsync",n);if(l==="LOGGED_OUT")return{tokens:null,status:b.LOGOUT_FROM_ANOTHER_TAB,nonce:i};if(l==="SESSIONS_LOST")return{tokens:null,status:b.SESSION_LOST,nonce:i};if(!l||!h)return{tokens:null,status:b.REQUIRE_SYNC_TOKENS,nonce:i};if(h.issuedAt!==s.issuedAt){const m=J(n.refresh_time_before_tokens_expiration_in_second,h.expiresAt)>0?b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,p=await c.getNonceAsync();return{tokens:h,status:m,nonce:p}}r=await c.getNonceAsync()}else{const l=x(t,n.storage??sessionStorage,n.login_state_storage??n.storage??sessionStorage),h=await l.initAsync();let{tokens:_}=h;const{status:m}=h;if(_&&(_=ie(_,e.tokens,n.token_renew_mode)),_){if(m==="SESSIONS_LOST")return{tokens:null,status:b.SESSION_LOST,nonce:i};if(_.issuedAt!==s.issuedAt){const g=J(n.refresh_time_before_tokens_expiration_in_second,_.expiresAt)>0?b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,y=await l.getNonceAsync();return{tokens:_,status:g,nonce:y}}}else return{tokens:null,status:b.LOGOUT_FROM_ANOTHER_TAB,nonce:i};r=await l.getNonceAsync()}const u=J(n.refresh_time_before_tokens_expiration_in_second,s.expiresAt)>0?"TOKENS_VALID":"TOKENS_INVALID";return o?{tokens:s,status:"FORCE_REFRESH",nonce:r}:{tokens:s,status:u,nonce:r}},ne=e=>async(n,t=0,s=0,o=!1,i=null,r=null)=>{if(!navigator.onLine&&document.hidden)return{tokens:e.tokens,status:"GIVE_UP"};let a=6;const c=o?2:5,f=5;for(;!navigator.onLine&&a>0;)await Q({milliseconds:1e3}),a--,e.publishEvent(k.refreshTokensAsync,{message:`wait because navigator is offline try ${a}`});const u=document.hidden,l=u?t:t+1,h=u?s+1:s;if(t>=c||s>=f)return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token"}),{tokens:null,status:"SESSION_LOST"};i||(i={});const _=e.configuration,m=(g,y=null,A=null)=>de(e.configurationName,e.configuration,e.publishEvent.bind(e))(g,y,A),p=async()=>{try{let g;const y=await W(_,e.configurationName);y?g=y.getLoginParams():g=x(e.configurationName,_.storage,_.login_state_storage??_.storage).getLoginParams();const A={};if(g&&g.extras)for(const[O,T]of Object.entries(g.extras))T!=null&&(A[O]=T);if(i)for(const[O,T]of Object.entries(i))T!=null&&(A[O]=T);A.prompt="none",r&&(A.scope=r);const S=await m(A);return S?S.error?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent"}),{tokens:null,status:"SESSION_LOST"}):(n(S.tokens),e.publishEvent(L.eventNames.token_renewed,{}),{tokens:S.tokens,status:"LOGGED"}):(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent not active"}),{tokens:null,status:"SESSION_LOST"})}catch(g){return console.error(g),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exceptionSilent",exception:g.message}),await ne(e)(n,l,h,o,i,r)}};try{const{status:g,tokens:y,nonce:A}=await fe(e)(_,e.configurationName,e.tokens,o);switch(g){case b.SESSION_LOST:return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token session lost"}),{tokens:null,status:"SESSION_LOST"};case b.NOT_CONNECTED:return n(null),{tokens:null,status:null};case b.TOKENS_VALID:return n(y),{tokens:y,status:"LOGGED_IN"};case b.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:return n(y),e.publishEvent(L.eventNames.token_renewed,{reason:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID"}),{tokens:y,status:"LOGGED_IN"};case b.LOGOUT_FROM_ANOTHER_TAB:return n(null),e.publishEvent(k.logout_from_another_tab,{status:"session syncTokensAsync"}),{tokens:null,status:"LOGGED_OUT"};case b.REQUIRE_SYNC_TOKENS:return _.token_automatic_renew_mode==F.AutomaticOnlyWhenFetchExecuted&&!o?(e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"}):(e.publishEvent(k.refreshTokensAsync_begin,{tryNumber:t}),await p());default:{if(_.token_automatic_renew_mode==F.AutomaticOnlyWhenFetchExecuted&&b.FORCE_REFRESH!==g)return e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"};if(e.publishEvent(k.refreshTokensAsync_begin,{refreshToken:y.refreshToken,status:g,tryNumber:t,backgroundTry:s}),!y.refreshToken)return await p();const S=_.client_id,O=_.redirect_uri,T=_.authority,w={..._.token_request_extras?_.token_request_extras:{}};for(const[R,v]of Object.entries(i))R.endsWith(":token_request")&&(w[R.replace(":token_request","")]=v);return await(async()=>{const R={client_id:S,redirect_uri:O,grant_type:"refresh_token",refresh_token:y.refreshToken},v=await e.initAsync(T,_.authority_configuration),d=document.hidden?1e4:3e4*10,K=v.tokenEndpoint,E={};_.demonstrating_proof_of_possession&&(E.DPoP=await e.generateDemonstrationOfProofOfPossessionAsync(y.accessToken,K,"POST"));const P=await cn(e.getFetch())(K,R,w,y,E,_.token_renew_mode,d);if(P.success){const{isValid:se,reason:Y}=pe(P.data,A.nonce,v);if(!se)return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`refresh token return not valid tokens, reason: ${Y}`}),{tokens:null,status:"SESSION_LOST"};if(n(P.data),P.demonstratingProofOfPossessionNonce){const oe=await W(_,e.configurationName);oe?await oe.setDemonstratingProofOfPossessionNonce(P.demonstratingProofOfPossessionNonce):await x(e.configurationName,_.storage,_.login_state_storage??_.storage).setDemonstratingProofOfPossessionNonce(P.demonstratingProofOfPossessionNonce)}return e.publishEvent(k.refreshTokensAsync_end,{success:P.success}),e.publishEvent(L.eventNames.token_renewed,{reason:"REFRESH_TOKEN"}),{tokens:P.data,status:"LOGGED_IN"}}else return e.publishEvent(k.refreshTokensAsync_silent_error,{message:"bad request",tokenResponse:P}),P.status>=400&&P.status<500?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`session lost: ${P.status}`}),{tokens:null,status:"SESSION_LOST"}):await ne(e)(n,l,h,o,i,r)})()}}}catch(g){return console.error(g),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exception",exception:g.message}),new Promise((y,A)=>{setTimeout(()=>{ne(e)(n,l,h,o,i,r).then(y).catch(A)},1e3)})}},de=(e,n,t)=>(s=null,o=null,i=null)=>{if(!n.silent_redirect_uri||!n.silent_login_uri)return Promise.resolve(null);try{t(k.silentLoginAsync_begin,{});let r="";if(o&&(s==null&&(s={}),s.state=o),i!=null&&(s==null&&(s={}),s.scope=i),s!=null)for(const[l,h]of Object.entries(s))h!=null&&(r===""?r=`?${encodeURIComponent(l)}=${encodeURIComponent(h)}`:r+=`&${encodeURIComponent(l)}=${encodeURIComponent(h)}`);const a=n.silent_login_uri+r,c=a.indexOf("/",a.indexOf("//")+2),f=a.substring(0,c),u=document.createElement("iframe");return u.width="0px",u.height="0px",u.id=`${e}_oidc_iframe`,u.setAttribute("src",a),u.style.display="none",document.body.appendChild(u),new Promise((l,h)=>{let _=!1;const m=()=>{window.removeEventListener("message",p),u.remove(),_=!0},p=g=>{if(g.origin===f&&g.source===u.contentWindow){const y=`${e}_oidc_tokens:`,A=`${e}_oidc_error:`,S=`${e}_oidc_exception:`,O=g.data;if(O&&typeof O=="string"&&!_){if(O.startsWith(y)){const T=JSON.parse(g.data.replace(y,""));t(k.silentLoginAsync_end,{}),l(T),m()}else if(O.startsWith(A)){const T=JSON.parse(g.data.replace(A,""));t(k.silentLoginAsync_error,T),l({error:"oidc_"+T.error,tokens:null,sessionState:null}),m()}else if(O.startsWith(S)){const T=JSON.parse(g.data.replace(S,""));t(k.silentLoginAsync_error,T),h(new Error(T.error)),m()}}}};try{window.addEventListener("message",p);const g=n.silent_login_timeout;setTimeout(()=>{_||(m(),t(k.silentLoginAsync_error,{reason:"timeout"}),h(new Error("timeout")))},g)}catch(g){m(),t(k.silentLoginAsync_error,g),h(g)}})}catch(r){throw t(k.silentLoginAsync_error,r),r}},_n=(e,n,t,s,o)=>(i=null,r=void 0)=>{i={...i};const a=(f,u,l)=>de(n,t,s.bind(o))(f,u,l);return(async()=>{o.timeoutId&&$.clearTimeout(o.timeoutId);let f;i&&"state"in i&&(f=i.state,delete i.state);try{const u=t.extras?{...t.extras,...i}:i,l=await a({...u,prompt:"none"},f,r);if(l)return o.tokens=l.tokens,s(k.token_acquired,{}),o.timeoutId=j(o,o.tokens.expiresAt,i,r),{}}catch(u){return u}})()},fn=(e,n,t)=>(s,o,i,r=!1)=>{const a=(c,f=void 0,u=void 0)=>de(e.configurationName,t,e.publishEvent.bind(e))(c,f,u);return new Promise((c,f)=>{if(t.silent_login_uri&&t.silent_redirect_uri&&t.monitor_session&&s&&i&&!r){const u=()=>{e.checkSessionIFrame.stop();const l=e.tokens;if(l===null)return;const h=l.idToken,_=l.idTokenPayload;return a({prompt:"none",id_token_hint:h,scope:t.scope||"openid"}).then(m=>{if(m.error)throw new Error(m.error);const p=m.tokens.idTokenPayload;if(_.sub===p.sub){const g=m.sessionState;e.checkSessionIFrame.start(m.sessionState),_.sid===p.sid?console.debug("SessionMonitor._callback: Same sub still logged in at OP, restarting check session iframe; session_state:",g):console.debug("SessionMonitor._callback: Same sub still logged in at OP, session state has changed, restarting check session iframe; session_state:",g)}else console.debug("SessionMonitor._callback: Different subject signed into OP:",p.sub)}).catch(async m=>{console.warn("SessionMonitor._callback: Silent login failed, logging out other tabs:",m);for(const[,p]of Object.entries(n))await p.logoutOtherTabAsync(t.client_id,_.sub)})};e.checkSessionIFrame=new Ke(u,o,s),e.checkSessionIFrame.load().then(()=>{e.checkSessionIFrame.start(i),c(e.checkSessionIFrame)}).catch(l=>{f(l)})}else c(null)})},dn=e=>!!(e.os==="iOS"&&e.osVersion.startsWith("12")||e.os==="Mac OS X"&&e.osVersion.startsWith("10_15_6")),gn=e=>{const n=e.appVersion,t=e.userAgent,s="-";let o=s;const i=[{s:"Windows 10",r:/(Windows 10.0|Windows NT 10.0)/},{s:"Windows 8.1",r:/(Windows 8.1|Windows NT 6.3)/},{s:"Windows 8",r:/(Windows 8|Windows NT 6.2)/},{s:"Windows 7",r:/(Windows 7|Windows NT 6.1)/},{s:"Windows Vista",r:/Windows NT 6.0/},{s:"Windows Server 2003",r:/Windows NT 5.2/},{s:"Windows XP",r:/(Windows NT 5.1|Windows XP)/},{s:"Windows 2000",r:/(Windows NT 5.0|Windows 2000)/},{s:"Windows ME",r:/(Win 9x 4.90|Windows ME)/},{s:"Windows 98",r:/(Windows 98|Win98)/},{s:"Windows 95",r:/(Windows 95|Win95|Windows_95)/},{s:"Windows NT 4.0",r:/(Windows NT 4.0|WinNT4.0|WinNT|Windows NT)/},{s:"Windows CE",r:/Windows CE/},{s:"Windows 3.11",r:/Win16/},{s:"Android",r:/Android/},{s:"Open BSD",r:/OpenBSD/},{s:"Sun OS",r:/SunOS/},{s:"Chrome OS",r:/CrOS/},{s:"Linux",r:/(Linux|X11(?!.*CrOS))/},{s:"iOS",r:/(iPhone|iPad|iPod)/},{s:"Mac OS X",r:/Mac OS X/},{s:"Mac OS",r:/(Mac OS|MacPPC|MacIntel|Mac_PowerPC|Macintosh)/},{s:"QNX",r:/QNX/},{s:"UNIX",r:/UNIX/},{s:"BeOS",r:/BeOS/},{s:"OS/2",r:/OS\/2/},{s:"Search Bot",r:/(nuhk|Googlebot|Yammybot|Openbot|Slurp|MSNBot|Ask Jeeves\/Teoma|ia_archiver)/}];for(const a in i){const c=i[a];if(c.r.test(t)){o=c.s;break}}let r=s;switch(/Windows/.test(o)&&(r=/Windows (.*)/.exec(o)[1],o="Windows"),o){case"Mac OS":case"Mac OS X":case"Android":r=/(?:Android|Mac OS|Mac OS X|MacPPC|MacIntel|Mac_PowerPC|Macintosh) ([._\d]+)/.exec(t)[1];break;case"iOS":{const a=/OS (\d+)_(\d+)_?(\d+)?/.exec(n);a!=null&&a.length>2&&(r=a[1]+"."+a[2]+"."+(parseInt(a[3])|0));break}}return{os:o,osVersion:r}};function hn(){const e=navigator.userAgent;let n,t=e.match(/(opera|chrome|safari|firefox|msie|trident(?=\/))\/?\s*(\d+)/i)||[];if(/trident/i.test(t[1]))return n=/\brv[ :]+(\d+)/g.exec(e)||[],{name:"ie",version:n[1]||""};if(t[1]==="Chrome"&&(n=e.match(/\bOPR|Edge\/(\d+)/),n!=null)){let s=n[1];if(!s){const o=e.split(n[0]+"/");o.length>1&&(s=o[1])}return{name:"opera",version:s}}return t=t[2]?[t[1],t[2]]:[navigator.appName,navigator.appVersion,"-?"],(n=e.match(/version\/(\d+)/i))!=null&&t.splice(1,1,n[1]),{name:t[0].toLowerCase(),version:t[1]}}const yn=()=>{const{name:e,version:n}=hn();if(e==="chrome"&&parseInt(n)<=70||e==="opera"&&(!n||parseInt(n.split(".")[0])<80)||e==="ie")return!1;const t=gn(navigator);return!dn(t)},kn=async e=>{let n;if(e.tokens!=null)return!1;e.publishEvent(k.tryKeepExistingSessionAsync_begin,{});try{const t=e.configuration,s=await e.initAsync(t.authority,t.authority_configuration);if(n=await W(t,e.configurationName),n){const{tokens:o}=await n.initAsync(s,"tryKeepExistingSessionAsync",t);if(o){n.startKeepAliveServiceWorker(),e.tokens=o;const i=n.getLoginParams(e.configurationName);e.timeoutId=j(e,e.tokens.expiresAt,i.extras,i.scope);const r=await n.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,r),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside ServiceWorker are valid"}),!0}e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:"no exiting session found"})}else{t.service_worker_relative_url&&e.publishEvent(k.service_worker_not_supported_by_browser,{message:"service worker is not supported by this browser"});const o=x(e.configurationName,t.storage??sessionStorage,t.login_state_storage??t.storage??sessionStorage),{tokens:i}=await o.initAsync();if(i){e.tokens=ie(i,null,t.token_renew_mode);const r=o.getLoginParams();e.timeoutId=j(e,e.tokens.expiresAt,r.extras,r.scope);const a=await o.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,a),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside storage are valid"}),!0}}return e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:n?"service worker sessions not retrieved":"session storage sessions not retrieved"}),!1}catch(t){return console.error(t),n&&await n.clearAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_error,"tokens inside ServiceWorker are invalid"),!1}},We=e=>{const n=e.match(/^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/);if(!n)throw new Error("Invalid URL");let t=n[6],s=n[7];if(s){const o=s.split("?");o.length===2&&(s=o[0],t=o[1])}return t.startsWith("?")&&(t=t.slice(1)),n&&{href:e,protocol:n[1],host:n[2],hostname:n[3],port:n[4],path:n[5],search:t,hash:s}},mn=e=>{const n=We(e);let{path:t}=n;t.endsWith("/")&&(t=t.slice(0,-1));let{hash:s}=n;return s==="#_=_"&&(s=""),s&&(t+=s),t},te=e=>{const n=We(e),{search:t}=n;return wn(t)},wn=e=>{const n={};let t,s,o;const i=e.split("&");for(s=0,o=i.length;s<o;s++)t=i[s].split("="),n[decodeURIComponent(t[0])]=decodeURIComponent(t[1]);return n},pn=(e,n,t,s,o)=>(i=void 0,r=null,a=!1,c=void 0)=>{const f=r;return r={...r},(async()=>{const l=i||o.getPath();if("state"in r||(r.state=ue(16)),t(k.loginAsync_begin,{}),r)for(const h of Object.keys(r))h.endsWith(":token_request")&&delete r[h];try{const h=a?n.silent_redirect_uri:n.redirect_uri;c||(c=n.scope);const _=n.extras?{...n.extras,...r}:r;_.nonce||(_.nonce=ue(12));const m={nonce:_.nonce},p=await W(n,e),g=await s(n.authority,n.authority_configuration);let y;if(p)p.setLoginParams({callbackPath:l,extras:f,scope:c}),await p.initAsync(g,"loginAsync",n),await p.setNonceAsync(m),p.startKeepAliveServiceWorker(),y=p;else{const S=x(e,n.storage??sessionStorage,n.login_state_storage??n.storage??sessionStorage);S.setLoginParams({callbackPath:l,extras:f,scope:c}),await S.setNonceAsync(m),y=S}const A={client_id:n.client_id,redirect_uri:h,scope:c,response_type:"code",..._};await ln(y,o)(g.authorizationEndpoint,A)}catch(h){throw t(k.loginAsync_error,h),h}})()},An=e=>async(n=!1)=>{try{e.publishEvent(k.loginCallbackAsync_begin,{});const t=e.configuration,s=t.client_id,o=n?t.silent_redirect_uri:t.redirect_uri,i=t.authority,r=t.token_request_timeout,a=await e.initAsync(i,t.authority_configuration),c=e.location.getCurrentHref(),f=te(c),u=f.session_state,l=await W(t,e.configurationName);let h,_,m,p;if(l)await l.initAsync(a,"loginCallbackAsync",t),await l.setSessionStateAsync(u),_=await l.getNonceAsync(),m=l.getLoginParams(),p=await l.getStateAsync(),l.startKeepAliveServiceWorker(),h=l;else{const v=x(e.configurationName,t.storage??sessionStorage,t.login_state_storage??t.storage??sessionStorage);await v.setSessionStateAsync(u),_=await v.getNonceAsync(),m=v.getLoginParams(),p=await v.getStateAsync(),h=v}if(f.error||f.error_description)throw new Error(`Error from OIDC server: ${f.error} - ${f.error_description}`);if(f.iss&&f.iss!==a.issuer)throw console.error(),new Error(`Issuer not valid (expected: ${a.issuer}, received: ${f.iss})`);if(f.state&&f.state!==p)throw new Error(`State not valid (expected: ${p}, received: ${f.state})`);const g={code:f.code,grant_type:"authorization_code",client_id:t.client_id,redirect_uri:o},y={};if(t.token_request_extras)for(const[v,d]of Object.entries(t.token_request_extras))y[v]=d;if(m?.extras)for(const[v,d]of Object.entries(m.extras))v.endsWith(":token_request")&&(y[v.replace(":token_request","")]=d);const A=a.tokenEndpoint,S={};if(t.demonstrating_proof_of_possession)if(l)S.DPoP=`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${e.configurationName}`;else{const v=await en(window)(t.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm);await x(e.configurationName,t.storage,t.login_state_storage??t.storage).setDemonstratingProofOfPossessionJwkAsync(v),S.DPoP=await be(window)(t.demonstrating_proof_of_possession_configuration)(v,"POST",A)}const O=await un(h)(A,{...g,...y},S,e.configuration.token_renew_mode,r);if(!O.success)throw new Error("Token request failed");let T;const N=O.data.tokens,w=O.data.demonstratingProofOfPossessionNonce;if(O.data.state!==y.state)throw new Error("state is not valid");const{isValid:q,reason:R}=pe(N,_.nonce,a);if(!q)throw new Error(`Tokens are not OpenID valid, reason: ${R}`);if(l){if(N.refreshToken&&!N.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER"))throw new Error("Refresh token should be hidden by service worker");if(w&&N?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER"))throw new Error("Demonstration of proof of possession require Access token not hidden by service worker")}if(l)await l.initAsync(a,"syncTokensAsync",t),T=l.getLoginParams(),w&&await l.setDemonstratingProofOfPossessionNonce(w);else{const v=x(e.configurationName,t.storage,t.login_state_storage??t.storage);T=v.getLoginParams(),w&&await v.setDemonstratingProofOfPossessionNonce(w)}return await e.startCheckSessionAsync(a.checkSessionIframe,s,u,n),e.publishEvent(k.loginCallbackAsync_end,{}),{tokens:N,state:"request.state",callbackPath:T.callbackPath,scope:f.scope,extras:T.extras}}catch(t){throw console.error(t),e.publishEvent(k.loginCallbackAsync_error,t),t}},Le={access_token:"access_token",refresh_token:"refresh_token"},ge=(e,n)=>{const t={};if(e){for(const[s,o]of Object.entries(e))if(s.endsWith(n)){const i=s.replace(n,"");t[i]=o}return t}return t},Sn=e=>{const n={};if(e){for(const[t,s]of Object.entries(e))t.includes(":")||(n[t]=s);return n}return n},Tn=e=>async n=>{$.clearTimeout(e.timeoutId),e.timeoutId=null,e.checkSessionIFrame&&e.checkSessionIFrame.stop();const t=await W(e.configuration,e.configurationName);t?await t.clearAsync(n):await x(e.configurationName,e.configuration.storage,e.configuration.login_state_storage??e.configuration.storage).clearAsync(n),e.tokens=null,e.userInfo=null},vn=(e,n,t,s,o)=>async(i=void 0,r=null)=>{const a=e.configuration,c=await e.initAsync(a.authority,a.authority_configuration);i&&typeof i!="string"&&(i=void 0,s.warn("callbackPathOrUrl path is not a string"));const f=i??o.getPath();let u=!1;i&&(u=i.includes("https://")||i.includes("http://"));const l=u?i:o.getOrigin()+f,h=e.tokens?e.tokens.idToken:"";try{const y=c.revocationEndpoint;if(y){const A=[],S=e.tokens?e.tokens.accessToken:null;if(S&&a.logout_tokens_to_invalidate.includes(Le.access_token)){const T=ge(r,":revoke_access_token"),N=Ne(t)(y,S,_e.access_token,a.client_id,T);A.push(N)}const O=e.tokens?e.tokens.refreshToken:null;if(O&&a.logout_tokens_to_invalidate.includes(Le.refresh_token)){const T=ge(r,":revoke_refresh_token"),N=Ne(t)(y,O,_e.refresh_token,a.client_id,T);A.push(N)}A.length>0&&await Promise.all(A)}}catch(y){s.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"),s.warn(y)}const _=e.tokens?.idTokenPayload?.sub??null;await e.destroyAsync("LOGGED_OUT");for(const[,y]of Object.entries(n))y!==e?await e.logoutSameTabAsync(e.configuration.client_id,_):e.publishEvent(k.logout_from_same_tab,{});const m=ge(r,":oidc");if(m&&m.no_reload==="true")return;const g=Sn(r);if(c.endSessionEndpoint){"id_token_hint"in g||(g.id_token_hint=h),!("post_logout_redirect_uri"in g)&&i!==null&&(g.post_logout_redirect_uri=l);let y="";for(const[A,S]of Object.entries(g))S!=null&&(y===""?y+="?":y+="&",y+=`${A}=${encodeURIComponent(S)}`);o.open(`${c.endSessionEndpoint}${y}`)}else o.reload()},De=(e,n,t=!1)=>async(...s)=>{const[o,i,...r]=s,a=i?{...i}:{method:"GET"};let c=new Headers;a.headers&&(c=a.headers instanceof Headers?a.headers:new Headers(a.headers));const f={getTokens:()=>n.tokens,configuration:{token_automatic_renew_mode:n.configuration.token_automatic_renew_mode,refresh_time_before_tokens_expiration_in_second:n.configuration.refresh_time_before_tokens_expiration_in_second},syncTokensInfoAsync:async()=>{const{status:_}=await fe(n)(n.configuration,n.configurationName,n.tokens,!1);return _},renewTokensAsync:n.renewTokensAsync.bind(n)},l=(await we(f))?.tokens?.accessToken;if(c.has("Accept")||c.set("Accept","application/json"),l){if(n.configuration.demonstrating_proof_of_possession&&t){const _=await n.generateDemonstrationOfProofOfPossessionAsync(l,o.toString(),a.method);c.set("Authorization",`DPoP ${l}`),c.set("DPoP",_)}else c.set("Authorization",`Bearer ${l}`);a.credentials||(a.credentials="same-origin")}const h={...a,headers:c};return await e(o,h,...r)},En=e=>async(n=!1,t=!1)=>{if(e.userInfo!=null&&!n)return e.userInfo;const s=!n&&e.configuration.storage?.getItem(`oidc.${e.configurationName}.userInfo`);if(s)return e.userInfo=JSON.parse(s),e.userInfo;const o=e.configuration,r=(await e.initAsync(o.authority,o.authority_configuration)).userInfoEndpoint,c=await(async()=>{const u=await De(fetch,e,t)(r);return u.status!==200?null:u.json()})();return e.userInfo=c,c&&e.configuration.storage?.setItem(`oidc.${e.configurationName}.userInfo`,JSON.stringify(c)),c},$e=()=>fetch;class he{constructor(n){this.authorizationEndpoint=n.authorization_endpoint,this.tokenEndpoint=n.token_endpoint,this.revocationEndpoint=n.revocation_endpoint,this.userInfoEndpoint=n.userinfo_endpoint,this.checkSessionIframe=n.check_session_iframe,this.issuer=n.issuer,this.endSessionEndpoint=n.end_session_endpoint}}const U={},On=(e,n=new D)=>(t,s="default")=>(U[s]||(U[s]=new L(t,s,e,n)),U[s]),bn=async e=>{const{parsedTokens:n,callbackPath:t,extras:s,scope:o}=await e.loginCallbackAsync();return e.timeoutId=j(e,n.expiresAt,s,o),{callbackPath:t}},Pn=e=>Math.floor(Math.random()*e),G=class G{constructor(n,t="default",s,o=new D){this.initPromise=null,this.tryKeepExistingSessionPromise=null,this.loginPromise=null,this.loginCallbackPromise=null,this.loginCallbackWithAutoTokensRenewPromise=null,this.userInfoPromise=null,this.renewTokensPromise=null,this.logoutPromise=null;let i=n.silent_login_uri;n.silent_redirect_uri&&!n.silent_login_uri&&(i=`${n.silent_redirect_uri.replace("-callback","").replace("callback","")}-login`);let r=n.refresh_time_before_tokens_expiration_in_second??120;r>60&&(r=r-Math.floor(Math.random()*40)),this.location=o??new D,this.configuration={...n,silent_login_uri:i,token_automatic_renew_mode:n.token_automatic_renew_mode??F.AutomaticBeforeTokenExpiration,monitor_session:n.monitor_session??!1,refresh_time_before_tokens_expiration_in_second:r,silent_login_timeout:n.silent_login_timeout??12e3,token_renew_mode:n.token_renew_mode??X.access_token_or_id_token_invalid,demonstrating_proof_of_possession:n.demonstrating_proof_of_possession??!1,authority_timeout_wellknowurl_in_millisecond:n.authority_timeout_wellknowurl_in_millisecond??1e4,logout_tokens_to_invalidate:n.logout_tokens_to_invalidate??["access_token","refresh_token"],service_worker_activate:n.service_worker_activate??yn,demonstrating_proof_of_possession_configuration:n.demonstrating_proof_of_possession_configuration??Xe,preload_user_info:n.preload_user_info??!1},this.getFetch=s??$e,this.configurationName=t,this.tokens=null,this.userInfo=null,this.events=[],this.timeoutId=null,this.loginCallbackWithAutoTokensRenewAsync.bind(this),this.initAsync.bind(this),this.loginCallbackAsync.bind(this),this.subscribeEvents.bind(this),this.removeEventSubscription.bind(this),this.publishEvent.bind(this),this.destroyAsync.bind(this),this.logoutAsync.bind(this),this.renewTokensAsync.bind(this),this.initAsync(this.configuration.authority,this.configuration.authority_configuration)}subscribeEvents(n){const t=Pn(9999999999999).toString();return this.events.push({id:t,func:n}),t}removeEventSubscription(n){const t=this.events.filter(s=>s.id!==n);this.events=t}publishEvent(n,t){this.events.forEach(s=>{s.func(n,t)})}static get(n="default"){const t=typeof process>"u";if(!Object.prototype.hasOwnProperty.call(U,n)&&t)throw Error(`OIDC library does seem initialized.
-Please checkout that you are using OIDC hook inside a <OidcProvider configurationName="${n}"></OidcProvider> component.`);return U[n]}_silentLoginCallbackFromIFrame(){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const n=this.location,t=te(n.getCurrentHref());window.parent.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify({tokens:this.tokens,sessionState:t.session_state})}`,n.getOrigin())}}_silentLoginErrorCallbackFromIFrame(n=null){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const t=this.location,s=te(t.getCurrentHref());s.error?window.parent.postMessage(`${this.configurationName}_oidc_error:${JSON.stringify({error:s.error})}`,t.getOrigin()):window.parent.postMessage(`${this.configurationName}_oidc_exception:${JSON.stringify({error:n==null?"":n.toString()})}`,t.getOrigin())}}async silentLoginCallbackAsync(){try{await this.loginCallbackAsync(!0),this._silentLoginCallbackFromIFrame()}catch(n){console.error(n),this._silentLoginErrorCallbackFromIFrame(n)}}async initAsync(n,t){if(this.initPromise!==null)return this.initPromise;const s=async()=>{if(t!=null)return new he({authorization_endpoint:t.authorization_endpoint,end_session_endpoint:t.end_session_endpoint,revocation_endpoint:t.revocation_endpoint,token_endpoint:t.token_endpoint,userinfo_endpoint:t.userinfo_endpoint,check_session_iframe:t.check_session_iframe,issuer:t.issuer});const i=await W(this.configuration,this.configurationName)?this.configuration.storage||window.sessionStorage:this.configuration.storage;return await an(this.getFetch())(n,this.configuration.authority_time_cache_wellknowurl_in_second??3600,i,this.configuration.authority_timeout_wellknowurl_in_millisecond)};return this.initPromise=s(),this.initPromise.finally(()=>{this.initPromise=null})}async tryKeepExistingSessionAsync(){return this.tryKeepExistingSessionPromise!==null?this.tryKeepExistingSessionPromise:(this.tryKeepExistingSessionPromise=kn(this),this.tryKeepExistingSessionPromise.finally(()=>{this.tryKeepExistingSessionPromise=null}))}async startCheckSessionAsync(n,t,s,o=!1){await fn(this,U,this.configuration)(n,t,s,o)}async loginAsync(n=void 0,t=null,s=!1,o=void 0,i=!1){return this.logoutPromise&&await this.logoutPromise,this.loginPromise!==null?this.loginPromise:(i?this.loginPromise=_n(window,this.configurationName,this.configuration,this.publishEvent.bind(this),this)(t,o):this.loginPromise=pn(this.configurationName,this.configuration,this.publishEvent.bind(this),this.initAsync.bind(this),this.location)(n,t,s,o),this.loginPromise.finally(()=>{this.loginPromise=null}))}async loginCallbackAsync(n=!1){if(this.loginCallbackPromise!==null)return this.loginCallbackPromise;const t=async()=>{const s=await An(this)(n),o=s.tokens;return this.tokens=o,await W(this.configuration,this.configurationName)||x(this.configurationName,this.configuration.storage,this.configuration.login_state_storage??this.configuration.storage).setTokens(o),this.publishEvent(G.eventNames.token_acquired,o),this.configuration.preload_user_info&&await this.userInfoAsync(),{parsedTokens:o,state:s.state,callbackPath:s.callbackPath,scope:s.scope,extras:s.extras}};return this.loginCallbackPromise=t(),this.loginCallbackPromise.finally(()=>{this.loginCallbackPromise=null})}async generateDemonstrationOfProofOfPossessionAsync(n,t,s,o={}){const i=this.configuration,r={ath:await Ie(n),...o};if(await W(i,this.configurationName))return`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${Te(this.configurationName)}`;const c=x(this.configurationName,i.storage,i.login_state_storage??i.storage),f=await c.getDemonstratingProofOfPossessionJwkAsync(),u=c.getDemonstratingProofOfPossessionNonce();return u&&(r.nonce=u),await be(window)(i.demonstrating_proof_of_possession_configuration)(f,s,t,r)}loginCallbackWithAutoTokensRenewAsync(){return this.loginCallbackWithAutoTokensRenewPromise!==null?this.loginCallbackWithAutoTokensRenewPromise:(this.loginCallbackWithAutoTokensRenewPromise=bn(this),this.loginCallbackWithAutoTokensRenewPromise.finally(()=>{this.loginCallbackWithAutoTokensRenewPromise=null}))}userInfoAsync(n=!1,t=!1){return this.userInfoPromise!==null?this.userInfoPromise:(this.userInfoPromise=En(this)(n,t),this.userInfoPromise.finally(()=>{this.userInfoPromise=null}))}async renewTokensAsync(n=null,t=null){if(this.renewTokensPromise!==null)return this.renewTokensPromise;if(this.timeoutId)return $.clearTimeout(this.timeoutId),this.renewTokensPromise=xe(this,!0,n,t),this.renewTokensPromise.finally(()=>{this.renewTokensPromise=null})}async destroyAsync(n){return await Tn(this)(n)}async logoutSameTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_same_tab,{mmessage:"SessionMonitor",sub:t}))}async logoutOtherTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_another_tab,{message:"SessionMonitor",sub:t}))}async logoutAsync(n=void 0,t=null){return this.logoutPromise?this.logoutPromise:(this.logoutPromise=vn(this,U,this.getFetch(),console,this.location)(n,t),this.logoutPromise.finally(()=>{this.logoutPromise=null}))}};G.getOrCreate=(n,t)=>(s,o="default")=>On(n,t)(s,o),G.eventNames=k;let L=G;const B=class B{constructor(n){this._oidc=n}subscribeEvents(n){return this._oidc.subscribeEvents(n)}removeEventSubscription(n){this._oidc.removeEventSubscription(n)}publishEvent(n,t){this._oidc.publishEvent(n,t)}static get(n="default"){return new B(L.get(n))}tryKeepExistingSessionAsync(){return this._oidc.tryKeepExistingSessionAsync()}loginAsync(n=void 0,t=null,s=!1,o=void 0,i=!1){return this._oidc.loginAsync(n,t,s,o,i)}logoutAsync(n=void 0,t=null){return this._oidc.logoutAsync(n,t)}silentLoginCallbackAsync(){return this._oidc.silentLoginCallbackAsync()}renewTokensAsync(n=null,t=null){return this._oidc.renewTokensAsync(n,t)}loginCallbackAsync(){return this._oidc.loginCallbackWithAutoTokensRenewAsync()}get tokens(){return this._oidc.tokens}get configuration(){return this._oidc.configuration}async generateDemonstrationOfProofOfPossessionAsync(n,t,s,o={}){return this._oidc.generateDemonstrationOfProofOfPossessionAsync(n,t,s,o)}async getValidTokenAsync(n=200,t=50){const s=this._oidc,o={getTokens:()=>s.tokens,configuration:{token_automatic_renew_mode:s.configuration.token_automatic_renew_mode,refresh_time_before_tokens_expiration_in_second:s.configuration.refresh_time_before_tokens_expiration_in_second},syncTokensInfoAsync:async()=>{const{status:i}=await fe(s)(s.configuration,s.configurationName,s.tokens,!1);return i},renewTokensAsync:s.renewTokensAsync.bind(s)};return we(o,n,t)}fetchWithTokens(n,t=!1){return De(n,this._oidc,t)}async userInfoAsync(n=!1,t=!1){return this._oidc.userInfoAsync(n,t)}userInfo(){return this._oidc.userInfo}};B.getOrCreate=(n,t=new D)=>(s,o="default")=>new B(L.getOrCreate(n,t)(s,o)),B.eventNames=L.eventNames;let ye=B;C.OidcClient=ye,C.OidcLocation=D,C.TokenAutomaticRenewMode=F,C.TokenRenewMode=X,C.getFetchDefault=$e,C.getParseQueryStringFromLocation=te,C.getPath=mn,Object.defineProperty(C,Symbol.toStringTag,{value:"Module"})}));
+(function(x,K){typeof exports=="object"&&typeof module<"u"?K(exports):typeof define=="function"&&define.amd?define(["exports"],K):(x=typeof globalThis<"u"?globalThis:x||self,K(x["oidc-client"]={}))})(this,(function(x){"use strict";class K{open(n){window.location.href=n}reload(){window.location.reload()}getCurrentHref(){return window.location.href}getPath(){const n=window.location;return n.pathname+(n.search||"")+(n.hash||"")}getOrigin(){return window.origin}}const Se=2e3,B=console;class Be{constructor(n,t,s,o=Se,i=!0){this._callback=n,this._client_id=t,this._url=s,this._interval=o||Se,this._stopOnError=i;const r=s.indexOf("/",s.indexOf("//")+2);this._frame_origin=s.substring(0,r),this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="absolute",this._frame.style.display="none",this._frame.width=0,this._frame.height=0,this._frame.src=s}load(){return new Promise(n=>{this._frame.onload=()=>{n()},window.document.body.appendChild(this._frame),this._boundMessageEvent=this._message.bind(this),window.addEventListener("message",this._boundMessageEvent,!1)})}_message(n){n.origin===this._frame_origin&&n.source===this._frame.contentWindow&&(n.data==="error"?(B.error("CheckSessionIFrame: error message from check session op iframe"),this._stopOnError&&this.stop()):n.data==="changed"?(B.debug(n),B.debug("CheckSessionIFrame: changed message from check session op iframe"),this.stop(),this._callback()):B.debug("CheckSessionIFrame: "+n.data+" message from check session op iframe"))}start(n){B.debug("CheckSessionIFrame.start :"+n),this.stop();const t=()=>{this._frame.contentWindow.postMessage(this._client_id+" "+n,this._frame_origin)};t(),this._timer=window.setInterval(t,this._interval)}stop(){this._timer&&(B.debug("CheckSessionIFrame.stop"),window.clearInterval(this._timer),this._timer=null)}}const k={service_worker_not_supported_by_browser:"service_worker_not_supported_by_browser",token_acquired:"token_acquired",logout_from_another_tab:"logout_from_another_tab",logout_from_same_tab:"logout_from_same_tab",token_renewed:"token_renewed",token_timer:"token_timer",loginAsync_begin:"loginAsync_begin",loginAsync_error:"loginAsync_error",loginCallbackAsync_begin:"loginCallbackAsync_begin",loginCallbackAsync_end:"loginCallbackAsync_end",loginCallbackAsync_error:"loginCallbackAsync_error",refreshTokensAsync_begin:"refreshTokensAsync_begin",refreshTokensAsync:"refreshTokensAsync",refreshTokensAsync_end:"refreshTokensAsync_end",refreshTokensAsync_error:"refreshTokensAsync_error",refreshTokensAsync_silent_error:"refreshTokensAsync_silent_error",tryKeepExistingSessionAsync_begin:"tryKeepExistingSessionAsync_begin",tryKeepExistingSessionAsync_end:"tryKeepExistingSessionAsync_end",tryKeepExistingSessionAsync_error:"tryKeepExistingSessionAsync_error",silentLoginAsync_begin:"silentLoginAsync_begin",silentLoginAsync:"silentLoginAsync",silentLoginAsync_end:"silentLoginAsync_end",silentLoginAsync_error:"silentLoginAsync_error",syncTokensAsync_begin:"syncTokensAsync_begin",syncTokensAsync_lock_not_available:"syncTokensAsync_lock_not_available",syncTokensAsync_end:"syncTokensAsync_end",syncTokensAsync_error:"syncTokensAsync_error",tokensInvalidAndWaitingActionsToRefresh:"tokensInvalidAndWaitingActionsToRefresh"},W=(e,n=sessionStorage,t)=>{const s=t??n,o=w=>(n[`oidc.${e}`]=JSON.stringify({tokens:null,status:w}),delete n[`oidc.${e}.userInfo`],t&&t!==n&&(delete s[`oidc.login.${e}`],delete s[`oidc.state.${e}`],delete s[`oidc.code_verifier.${e}`],delete s[`oidc.nonce.${e}`]),Promise.resolve()),i=async()=>{if(!n[`oidc.${e}`])return n[`oidc.${e}`]=JSON.stringify({tokens:null,status:null}),{tokens:null,status:null};const w=JSON.parse(n[`oidc.${e}`]);return Promise.resolve({tokens:w.tokens,status:w.status})},r=w=>{n[`oidc.${e}`]=JSON.stringify({tokens:w})},a=async w=>{n[`oidc.session_state.${e}`]=w},c=async()=>n[`oidc.session_state.${e}`],f=w=>{s[`oidc.nonce.${e}`]=w.nonce},u=w=>{n[`oidc.jwk.${e}`]=JSON.stringify(w)},l=()=>JSON.parse(n[`oidc.jwk.${e}`]),h=async()=>({nonce:s[`oidc.nonce.${e}`]}),_=async w=>{n[`oidc.dpop_nonce.${e}`]=w},m=()=>n[`oidc.dpop_nonce.${e}`],p=()=>n[`oidc.${e}`]?JSON.stringify({tokens:JSON.parse(n[`oidc.${e}`]).tokens}):null,g={};return{clearAsync:o,initAsync:i,setTokens:r,getTokens:p,setSessionStateAsync:a,getSessionStateAsync:c,setNonceAsync:f,getNonceAsync:h,setLoginParams:w=>{g[e]=w,s[`oidc.login.${e}`]=JSON.stringify(w)},getLoginParams:()=>{const w=s[`oidc.login.${e}`];return w?(g[e]||(g[e]=JSON.parse(w)),g[e]):(console.warn(`storage[oidc.login.${e}] is empty, you should have an bad OIDC or code configuration somewhere.`),null)},getStateAsync:async()=>s[`oidc.state.${e}`],setStateAsync:async w=>{s[`oidc.state.${e}`]=w},getCodeVerifierAsync:async()=>s[`oidc.code_verifier.${e}`],setCodeVerifierAsync:async w=>{s[`oidc.code_verifier.${e}`]=w},setDemonstratingProofOfPossessionNonce:_,getDemonstratingProofOfPossessionNonce:m,setDemonstratingProofOfPossessionJwkAsync:u,getDemonstratingProofOfPossessionJwkAsync:l}};var J=(e=>(e.AutomaticBeforeTokenExpiration="AutomaticBeforeTokensExpiration",e.AutomaticOnlyWhenFetchExecuted="AutomaticOnlyWhenFetchExecuted",e))(J||{});const Je=e=>decodeURIComponent(Array.prototype.map.call(atob(e),n=>"%"+("00"+n.charCodeAt(0).toString(16)).slice(-2)).join("")),He=e=>JSON.parse(Je(e.replaceAll(/-/g,"+").replaceAll(/_/g,"/"))),Te=e=>{try{return e&&Ge(e,".")===2?He(e.split(".")[1]):null}catch(n){console.warn(n)}return null},Ge=(e,n)=>e.split(n).length-1,ee={access_token_or_id_token_invalid:"access_token_or_id_token_invalid",access_token_invalid:"access_token_invalid",id_token_invalid:"id_token_invalid"};function je(e,n,t){if(e.issuedAt){if(typeof e.issuedAt=="string")return parseInt(e.issuedAt,10)}else return n&&n.iat?n.iat:t&&t.iat?t.iat:new Date().getTime()/1e3;return e.issuedAt}const re=(e,n=null,t)=>{if(!e)return null;let s;const o=typeof e.expiresIn=="string"?parseInt(e.expiresIn,10):e.expiresIn;e.accessTokenPayload!==void 0?s=e.accessTokenPayload:s=Te(e.accessToken);let i;n!=null&&"idToken"in n&&!("idToken"in e)?i=n.idToken:i=e.idToken;const r=e.idTokenPayload?e.idTokenPayload:Te(i),a=r&&r.exp?r.exp:Number.MAX_VALUE,c=s&&s.exp?s.exp:e.issuedAt+o;e.issuedAt=je(e,s,r);let f;e.expiresAt?f=e.expiresAt:t===ee.access_token_invalid?f=c:t===ee.id_token_invalid?f=a:f=a<c?a:c;const u={...e,idTokenPayload:r,accessTokenPayload:s,expiresAt:f,idToken:i};if(n!=null&&"refreshToken"in n&&!("refreshToken"in e)){const l=n.refreshToken;return{...u,refreshToken:l}}return u},ae=(e,n,t)=>{if(!e)return null;if(!e.issued_at){const o=new Date().getTime()/1e3;e.issued_at=o}const s={accessToken:e.access_token,expiresIn:e.expires_in,idToken:e.id_token,scope:e.scope,tokenType:e.token_type,issuedAt:e.issued_at};return"refresh_token"in e&&(s.refreshToken=e.refresh_token),e.accessTokenPayload!==void 0&&(s.accessTokenPayload=e.accessTokenPayload),e.idTokenPayload!==void 0&&(s.idTokenPayload=e.idTokenPayload),re(s,n,t)},q=(e,n)=>{const t=new Date().getTime()/1e3,s=n-t;return Math.round(s-e)},qe=(e,n=0)=>e?q(n,e.expiresAt)>0:!1,ve=async(e,n=200,t=50)=>{let s=t,o=await e.syncTokensInfoAsync();for(;[P.REQUIRE_SYNC_TOKENS,P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,P.TOKENS_INVALID].includes(o)&&s>0;){if(e.configuration.token_automatic_renew_mode==J.AutomaticOnlyWhenFetchExecuted){await e.renewTokensAsync({});break}else await Y({milliseconds:n});s=s-1,o=await e.syncTokensInfoAsync()}return{isTokensValid:qe(e.getTokens()),tokens:e.getTokens(),numberWaited:s-t}},Ee=(e,n,t)=>{if(e.idTokenPayload){const s=e.idTokenPayload;if(t.issuer!==s.iss)return{isValid:!1,reason:`Issuer does not match (oidcServerConfiguration issuer) ${t.issuer} !== (idTokenPayload issuer) ${s.iss}`};const o=new Date().getTime()/1e3;if(s.exp&&s.exp<o)return{isValid:!1,reason:`Token expired (idTokenPayload exp) ${s.exp} < (currentTimeUnixSecond) ${o}`};const i=3600*24*7;if(s.iat&&s.iat+i<o)return{isValid:!1,reason:`Token is used from too long time (idTokenPayload iat + timeInSevenDays) ${s.iat+i} < (currentTimeUnixSecond) ${o}`};if(s.nonce&&s.nonce!==n)return{isValid:!1,reason:`Nonce does not match (idTokenPayload nonce) ${s.nonce} !== (nonce) ${n}`}}return{isValid:!0,reason:""}},D=(function(){const e=typeof window>"u"?global:window;return{setTimeout:setTimeout.bind(e),clearTimeout:clearTimeout.bind(e),setInterval:setInterval.bind(e),clearInterval:clearInterval.bind(e)}})(),ce="7.27.2";let Oe=null,ne;const Y=({milliseconds:e})=>new Promise(n=>D.setTimeout(n,e)),be=(e="/")=>{try{ne=new AbortController,fetch(`${e}OidcKeepAliveServiceWorker.json?minSleepSeconds=150`,{signal:ne.signal}).catch(s=>{console.log(s)}),Y({milliseconds:150*1e3}).then(()=>be(e))}catch(n){console.log(n)}},te=()=>{ne&&ne.abort()},le=e=>{const n=`oidc.tabId.${e}`,t=sessionStorage.getItem(n);if(t)return t;const s=globalThis.crypto.randomUUID();return sessionStorage.setItem(n,s),s},Ye=5e3,Xe=e=>navigator.serviceWorker.controller??e.active??e.waiting??e.installing??null,I=(e,n)=>t=>{const s=n?.timeoutMs??Ye;return new Promise((o,i)=>{const r=Xe(e);if(!r){i(new Error("Service worker target not available (controller/active/waiting/installing missing)"));return}const a=new MessageChannel;let c=null;const f=()=>{try{c!=null&&(D.clearTimeout(c),c=null),a.port1.onmessage=null,a.port1.close(),a.port2.close()}catch(u){console.error(u)}};c=D.setTimeout(()=>{f(),i(new Error(`Service worker did not respond within ${s}ms (type=${t?.type})`))},s),a.port1.onmessage=u=>{f(),u?.data?.error?i(u.data.error):o(u.data)};try{const u=t?.configurationName;r.postMessage({...t,tabId:le(u??"default")},[a.port2])}catch(u){f(),i(u)}})},ze=async e=>navigator.serviceWorker.controller?navigator.serviceWorker.controller:new Promise(n=>{let t=!1;const s=()=>{t||(t=!0,navigator.serviceWorker.removeEventListener("controllerchange",s),n(navigator.serviceWorker.controller??null))};navigator.serviceWorker.addEventListener("controllerchange",s),D.setTimeout(()=>{t||(t=!0,navigator.serviceWorker.removeEventListener("controllerchange",s),n(navigator.serviceWorker.controller??null))},e)});let Pe=!1,H=!1;const ue="oidc.sw.controllerchange_reload_count",_e=3,fe=()=>{try{return parseInt(sessionStorage.getItem(ue)??"0",10)}catch{return 0}},Qe=()=>{const e=fe()+1;try{sessionStorage.setItem(ue,String(e))}catch{}return e},Ze=()=>{try{sessionStorage.removeItem(ue)}catch{}},L=async(e,n)=>{const t=e.service_worker_relative_url;if(typeof window>"u"||typeof navigator>"u"||!navigator.serviceWorker||!t||e.service_worker_activate()===!1)return null;const s=`${t}?v=${ce}`;let o=null;e.service_worker_register?o=await e.service_worker_register(t):o=await navigator.serviceWorker.register(s,{updateViaCache:"none"});const i=`oidc.sw.version_mismatch_reload.${n}`,r=async d=>{te(),console.log("New SW waiting – SKIP_WAITING");try{await new Promise((N,S)=>{const b=new MessageChannel;let V=null;const F=()=>{try{V!=null&&(D.clearTimeout(V),V=null),b.port1.onmessage=null,b.port1.close(),b.port2.close()}catch($){console.error($)}};V=D.setTimeout(()=>{F(),S(new Error("SKIP_WAITING did not respond within 8000ms"))},8e3),b.port1.onmessage=$=>{F(),$?.data?.error?S($.data.error):N()};try{d.postMessage({type:"SKIP_WAITING",configurationName:n,data:null,tabId:le(n??"default")},[b.port2])}catch($){F(),S($)}})}catch(N){console.warn("SKIP_WAITING failed",N)}},a=async()=>{const d=o.waiting;d?await r(d):console.warn("sendSkipWaiting called but no waiting service worker found")},c=d=>{te(),d.addEventListener("statechange",async()=>{if(d.state==="installed"&&navigator.serviceWorker.controller){if(fe()>=_e){console.warn("SW trackInstallingWorker: skipping SKIP_WAITING because the reload budget is exhausted");return}await r(d)}})};o.addEventListener("updatefound",()=>{const d=o.installing;d&&c(d)}),o.installing?c(o.installing):o.waiting&&navigator.serviceWorker.controller&&(fe()<_e?a():console.warn("SW: a waiting worker exists but reload budget is exhausted – skipping activation")),o.update().catch(d=>{console.error(d)});try{await navigator.serviceWorker.ready,navigator.serviceWorker.controller||(await I(o,{timeoutMs:8e3})({type:"claim",configurationName:n,data:null}),await ze(2e3))}catch(d){return console.warn(`Failed init ServiceWorker ${d?.toString?.()??String(d)}`),null}Pe||(Pe=!0,navigator.serviceWorker.addEventListener("controllerchange",()=>{if(H)return;const d=Qe();if(d>_e){console.warn(`SW controllerchange: reload budget exhausted (${d-1} reloads). Skipping reload to avoid infinite loop.`);return}H=!0,console.log("SW controller changed – reloading page"),te(),window.location.reload()}));const f=async d=>I(o)({type:"clear",data:{status:d},configurationName:n}),u=async(d,N,S)=>{const b=await I(o)({type:"init",data:{oidcServerConfiguration:d,where:N,oidcConfiguration:{token_renew_mode:S.token_renew_mode,service_worker_convert_all_requests_to_cors:S.service_worker_convert_all_requests_to_cors}},configurationName:n}),V=b.version;if(V!==ce){console.warn(`Service worker ${V} version mismatch with js client version ${ce}, unregistering and reloading`);const F=parseInt(sessionStorage.getItem(i)??"0",10);if(F<3){if(sessionStorage.setItem(i,String(F+1)),o.waiting)return await a(),await Y({milliseconds:500}),H||(H=!0,window.location.reload()),new Promise(()=>{});{te();try{await o.update()}catch(Me){console.error(Me)}const $=await o.unregister();return console.log(`Service worker unregistering ${$}`),await Y({milliseconds:500}),H||(H=!0,window.location.reload()),new Promise(()=>{})}}else console.error(`Service worker version mismatch persists after ${F} attempt(s). Continuing with mismatched version.`)}else sessionStorage.removeItem(i),Ze();return{tokens:ae(b.tokens,null,S.token_renew_mode),status:b.status}},l=(d="/")=>{Oe==null&&(Oe="not_null",be(d))},h=d=>I(o)({type:"setSessionState",data:{sessionState:d},configurationName:n}),_=async()=>(await I(o)({type:"getSessionState",data:null,configurationName:n})).sessionState,m=d=>(sessionStorage[`oidc.nonce.${n}`]=d.nonce,I(o)({type:"setNonce",data:{nonce:d},configurationName:n})),p=async(d=!0)=>{let S=(await I(o)({type:"getNonce",data:null,configurationName:n})).nonce;return S||(S=sessionStorage[`oidc.nonce.${n}`],console.warn("nonce not found in service worker, using sessionStorage"),d&&(await m(S),S=(await p(!1)).nonce)),{nonce:S}},g={},y=d=>{g[n]=d,localStorage[`oidc.login.${n}`]=JSON.stringify(d)},A=()=>{const d=localStorage[`oidc.login.${n}`];return g[n]||(g[n]=JSON.parse(d)),g[n]},T=async d=>{await I(o)({type:"setDemonstratingProofOfPossessionNonce",data:{demonstratingProofOfPossessionNonce:d},configurationName:n})},O=async()=>(await I(o)({type:"getDemonstratingProofOfPossessionNonce",data:null,configurationName:n})).demonstratingProofOfPossessionNonce,v=async d=>{const N=JSON.stringify(d);await I(o)({type:"setDemonstratingProofOfPossessionJwk",data:{demonstratingProofOfPossessionJwkJson:N},configurationName:n})},C=async()=>{const d=await I(o)({type:"getDemonstratingProofOfPossessionJwk",data:null,configurationName:n});return d.demonstratingProofOfPossessionJwkJson?JSON.parse(d.demonstratingProofOfPossessionJwkJson):null},w=async(d=!0)=>{let S=(await I(o)({type:"getState",data:null,configurationName:n})).state;return S||(S=sessionStorage[`oidc.state.${n}`],console.warn("state not found in service worker, using sessionStorage"),d&&(await Z(S),S=await w(!1))),S},Z=async d=>(sessionStorage[`oidc.state.${n}`]=d,I(o)({type:"setState",data:{state:d},configurationName:n})),U=async(d=!0)=>{let S=(await I(o)({type:"getCodeVerifier",data:null,configurationName:n})).codeVerifier;return S||(S=sessionStorage[`oidc.code_verifier.${n}`],console.warn("codeVerifier not found in service worker, using sessionStorage"),d&&(await E(S),S=await U(!1))),S},E=async d=>(sessionStorage[`oidc.code_verifier.${n}`]=d,I(o)({type:"setCodeVerifier",data:{codeVerifier:d},configurationName:n}));return{clearAsync:f,initAsync:u,startKeepAliveServiceWorker:()=>l(e.service_worker_keep_alive_path),setSessionStateAsync:h,getSessionStateAsync:_,setNonceAsync:m,getNonceAsync:p,setLoginParams:y,getLoginParams:A,getStateAsync:w,setStateAsync:Z,getCodeVerifierAsync:U,setCodeVerifierAsync:E,setDemonstratingProofOfPossessionNonce:T,getDemonstratingProofOfPossessionNonce:O,setDemonstratingProofOfPossessionJwkAsync:v,getDemonstratingProofOfPossessionJwkAsync:C}},G={},en=(e,n=window.sessionStorage,t)=>{if(!G[e]&&n){const o=n.getItem(e);o&&(G[e]=JSON.parse(o))}const s=1e3*t;return G[e]&&G[e].timestamp+s>Date.now()?G[e].result:null},nn=(e,n,t=window.sessionStorage)=>{const s=Date.now();G[e]={result:n,timestamp:s},t&&t.setItem(e,JSON.stringify({result:n,timestamp:s}))};function Ie(e){return new TextEncoder().encode(e)}function Ce(e){return btoa(e).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+/g,"")}function tn(e){return encodeURIComponent(e).replace(/%([0-9A-F]{2})/g,function(t,s){return String.fromCharCode(parseInt(s,16))})}const de=e=>{let n="";return e.forEach(function(t){n+=String.fromCharCode(t)}),Ce(n)};function Ne(e){return Ce(tn(e))}const sn={importKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256",hash:{name:"ES256"}},signAlgorithm:{name:"ECDSA",hash:{name:"SHA-256"}},generateKeyAlgorithm:{name:"ECDSA",namedCurve:"P-256"},digestAlgorithm:{name:"SHA-256"},jwtHeaderAlgorithm:"ES256"},on={sign:e=>async(n,t,s,o,i="dpop+jwt")=>{switch(n=Object.assign({},n),t.typ=i,t.alg=o.jwtHeaderAlgorithm,t.alg){case"ES256":t.jwk={kty:n.kty,crv:n.crv,x:n.x,y:n.y};break;case"RS256":t.jwk={kty:n.kty,n:n.n,e:n.e,kid:t.kid};break;default:throw new Error("Unknown or not implemented JWS algorithm")}const r={protected:Ne(JSON.stringify(t)),payload:Ne(JSON.stringify(s))},a=o.importKeyAlgorithm,c=!0,f=["sign"],u=await e.crypto.subtle.importKey("jwk",n,a,c,f),l=Ie(`${r.protected}.${r.payload}`),h=o.signAlgorithm,_=await e.crypto.subtle.sign(h,u,l);return r.signature=de(new Uint8Array(_)),`${r.protected}.${r.payload}.${r.signature}`}},rn={generate:e=>async n=>{const t=n,s=!0,o=["sign","verify"],i=await e.crypto.subtle.generateKey(t,s,o);return await e.crypto.subtle.exportKey("jwk",i.privateKey)},neuter:e=>{const n=Object.assign({},e);return delete n.d,n.key_ops=["verify"],n}},an={thumbprint:e=>async(n,t)=>{let s;switch(n.kty){case"EC":s='{"crv":"CRV","kty":"EC","x":"X","y":"Y"}'.replace("CRV",n.crv).replace("X",n.x).replace("Y",n.y);break;case"RSA":s='{"e":"E","kty":"RSA","n":"N"}'.replace("E",n.e).replace("N",n.n);break;default:throw new Error("Unknown or not implemented JWK type")}const o=await e.crypto.subtle.digest(t,Ie(s));return de(new Uint8Array(o))}},cn=e=>async n=>await rn.generate(e)(n),xe=e=>n=>async(t,s="POST",o,i={})=>{const r={jti:btoa(ln()),htm:s,htu:o,iat:Math.round(Date.now()/1e3),...i},a=await an.thumbprint(e)(t,n.digestAlgorithm);return await on.sign(e)(t,{kid:a},r,n)},ln=()=>{const e="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx",n="0123456789abcdef";let t=0,s="";for(let o=0;o<36;o++)e[o]!=="-"&&e[o]!=="4"&&(t=Math.random()*16|0),e[o]==="x"?s+=n[t]:e[o]==="y"?(t&=3,t|=8,s+=n[t]):s+=e[o];return s},We=()=>{const e=typeof window<"u"&&!!window.crypto,n=e&&!!window.crypto.subtle;return{hasCrypto:e,hasSubtleCrypto:n}},ge="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",un=e=>{const n=[];for(let t=0;t<e.byteLength;t+=1){const s=e[t]%ge.length;n.push(ge[s])}return n.join("")},he=e=>{const n=new Uint8Array(e),{hasCrypto:t}=We();if(t)window.crypto.getRandomValues(n);else for(let s=0;s<e;s+=1)n[s]=Math.random()*ge.length|0;return un(n)};function _n(e){const n=new ArrayBuffer(e.length),t=new Uint8Array(n);for(let s=0;s<e.length;s++)t[s]=e.charCodeAt(s);return t}function Le(e){return new Promise((n,t)=>{crypto.subtle.digest("SHA-256",_n(e)).then(s=>n(de(new Uint8Array(s))),s=>t(s))})}const fn=e=>{if(e.length<43||e.length>128)return Promise.reject(new Error("Invalid code length."));const{hasSubtleCrypto:n}=We();return n?Le(e):Promise.reject(new Error("window.crypto.subtle is unavailable."))},dn=3600,gn=e=>async(n,t=dn,s=window.sessionStorage,o=1e4)=>{const i=`${n}/.well-known/openid-configuration`,r=`oidc.server:${n}`,a=en(r,s,t);if(a)return new pe(a);const c=await X(e)(i,{},o);if(c.status!==200)return null;const f=await c.json();return nn(r,f,s),new pe(f)},X=e=>async(n,t={},s=1e4,o=0)=>{let i;try{const r=new AbortController;setTimeout(()=>r.abort(),s),i=await e(n,{...t,signal:r.signal})}catch(r){if(r.name==="AbortError"||r.message==="Network request failed"){if(o<=1)return await X(e)(n,t,s,o+1);throw r}else throw console.error(r.message),r}return i},ye={refresh_token:"refresh_token",access_token:"access_token"},De=e=>async(n,t,s=ye.refresh_token,o,i={},r=1e4)=>{const a={token:t,token_type_hint:s,client_id:o};for(const[l,h]of Object.entries(i))a[l]===void 0&&(a[l]=h);const c=[];for(const l in a){const h=encodeURIComponent(l),_=encodeURIComponent(a[l]);c.push(`${h}=${_}`)}const f=c.join("&");return(await X(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"},body:f},r)).status!==200?{success:!1}:{success:!0}},hn=e=>async(n,t,s,o,i={},r,a=1e4)=>{for(const[_,m]of Object.entries(s))t[_]===void 0&&(t[_]=m);const c=[];for(const _ in t){const m=encodeURIComponent(_),p=encodeURIComponent(t[_]);c.push(`${m}=${p}`)}const f=c.join("&"),u=await X(e)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...i},body:f},a);if(u.status!==200)return{success:!1,status:u.status,demonstratingProofOfPossessionNonce:null};const l=await u.json();let h=null;return u.headers.has(se)&&(h=u.headers.get(se)),{success:!0,status:u.status,data:ae(l,o,r),demonstratingProofOfPossessionNonce:h}},yn=(e,n)=>async(t,s)=>{s=s?{...s}:{};const o=he(128),i=await fn(o);await e.setCodeVerifierAsync(o),await e.setStateAsync(s.state),s.code_challenge=i,s.code_challenge_method="S256";let r="";if(s)for(const[a,c]of Object.entries(s))r===""?r+="?":r+="&",r+=`${a}=${encodeURIComponent(c)}`;n.open(`${t}${r}`)},se="DPoP-Nonce",kn=e=>async(n,t,s,o,i=1e4)=>{t=t?{...t}:{},t.code_verifier=await e.getCodeVerifierAsync();const r=[];for(const l in t){const h=encodeURIComponent(l),_=encodeURIComponent(t[l]);r.push(`${h}=${_}`)}const a=r.join("&"),c=await X(fetch)(n,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",...s},body:a},i);if(await Promise.all([e.setCodeVerifierAsync(null),e.setStateAsync(null)]),c.status!==200)return{success:!1,status:c.status};let f=null;c.headers.has(se)&&(f=c.headers.get(se));const u=await c.json();return{success:!0,data:{state:t.state,tokens:ae(u,null,o),demonstratingProofOfPossessionNonce:f}}};async function Re(e,n,t,s=null){const o=c=>{e.tokens=c},{tokens:i,status:r}=await oe(e)(o,0,0,n,t,s);return await L(e.configuration,e.configurationName)||W(e.configurationName,e.configuration.storage,e.configuration.login_state_storage??e.configuration.storage).setTokens(e.tokens),e.tokens?i:(await e.destroyAsync(r),null)}async function $e(e,n=!1,t=null,s=null){const o=e.configuration,i=`${o.client_id}_${e.configurationName}_${o.authority}`;let r;const a=await L(e.configuration,e.configurationName);if(o?.storage===window?.sessionStorage&&!a||!navigator.locks)r=await Re(e,n,t,s);else{let c="retry";for(;c==="retry";)c=await navigator.locks.request(i,{ifAvailable:!0},async f=>f?await Re(e,n,t,s):(e.publishEvent(R.eventNames.syncTokensAsync_lock_not_available,{lock:"lock not available"}),"retry"));r=c}return r?(e.timeoutId&&(e.timeoutId=z(e,e.tokens.expiresAt,t,s)),e.tokens):null}const z=(e,n,t=null,s=null)=>{const o=e.configuration.refresh_time_before_tokens_expiration_in_second;return e.timeoutId&&D.clearTimeout(e.timeoutId),D.setTimeout(async()=>{const r={timeLeft:q(o,n)};e.publishEvent(R.eventNames.token_timer,r),await $e(e,!1,t,s)},1e3)},P={FORCE_REFRESH:"FORCE_REFRESH",SESSION_LOST:"SESSION_LOST",NOT_CONNECTED:"NOT_CONNECTED",TOKENS_VALID:"TOKENS_VALID",TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID",TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID",LOGOUT_FROM_ANOTHER_TAB:"LOGOUT_FROM_ANOTHER_TAB",REQUIRE_SYNC_TOKENS:"REQUIRE_SYNC_TOKENS",TOKENS_INVALID:"TOKENS_INVALID"},ke=e=>async(n,t,s,o=!1)=>{const i={nonce:null};if(!s)return{tokens:null,status:P.NOT_CONNECTED,nonce:i};let r=i;const a=await e.initAsync(n.authority,n.authority_configuration),c=await L(n,t);if(c){const{status:l,tokens:h}=await c.initAsync(a,"syncTokensAsync",n);if(l==="LOGGED_OUT")return{tokens:null,status:P.LOGOUT_FROM_ANOTHER_TAB,nonce:i};if(l==="SESSIONS_LOST")return{tokens:null,status:P.SESSION_LOST,nonce:i};if(!l||!h)return{tokens:null,status:P.REQUIRE_SYNC_TOKENS,nonce:i};if(h.issuedAt!==s.issuedAt){const m=q(n.refresh_time_before_tokens_expiration_in_second,h.expiresAt)>0?P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,p=await c.getNonceAsync();return{tokens:h,status:m,nonce:p}}r=await c.getNonceAsync()}else{const l=W(t,n.storage??sessionStorage,n.login_state_storage??n.storage??sessionStorage),h=await l.initAsync();let{tokens:_}=h;const{status:m}=h;if(_&&(_=re(_,e.tokens,n.token_renew_mode)),_){if(m==="SESSIONS_LOST")return{tokens:null,status:P.SESSION_LOST,nonce:i};if(_.issuedAt!==s.issuedAt){const g=q(n.refresh_time_before_tokens_expiration_in_second,_.expiresAt)>0?P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,y=await l.getNonceAsync();return{tokens:_,status:g,nonce:y}}}else return{tokens:null,status:P.LOGOUT_FROM_ANOTHER_TAB,nonce:i};r=await l.getNonceAsync()}const u=q(n.refresh_time_before_tokens_expiration_in_second,s.expiresAt)>0?"TOKENS_VALID":"TOKENS_INVALID";return o?{tokens:s,status:"FORCE_REFRESH",nonce:r}:{tokens:s,status:u,nonce:r}},oe=e=>async(n,t=0,s=0,o=!1,i=null,r=null)=>{if(!navigator.onLine&&document.hidden)return{tokens:e.tokens,status:"GIVE_UP"};let a=6;const c=o?2:5,f=5;for(;!navigator.onLine&&a>0;)await Y({milliseconds:1e3}),a--,e.publishEvent(k.refreshTokensAsync,{message:`wait because navigator is offline try ${a}`});const u=document.hidden,l=u?t:t+1,h=u?s+1:s;if(t>=c||s>=f)return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token"}),{tokens:null,status:"SESSION_LOST"};i||(i={});const _=e.configuration,m=(g,y=null,A=null)=>me(e.configurationName,e.configuration,e.publishEvent.bind(e))(g,y,A),p=async()=>{try{let g;const y=await L(_,e.configurationName);y?g=y.getLoginParams():g=W(e.configurationName,_.storage,_.login_state_storage??_.storage).getLoginParams();const A={};if(g&&g.extras)for(const[O,v]of Object.entries(g.extras))v!=null&&(A[O]=v);if(i)for(const[O,v]of Object.entries(i))v!=null&&(A[O]=v);A.prompt="none",r&&(A.scope=r);const T=await m(A);return T?T.error?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent"}),{tokens:null,status:"SESSION_LOST"}):(n(T.tokens),e.publishEvent(R.eventNames.token_renewed,{}),{tokens:T.tokens,status:"LOGGED"}):(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token silent not active"}),{tokens:null,status:"SESSION_LOST"})}catch(g){return console.error(g),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exceptionSilent",exception:g.message}),await oe(e)(n,l,h,o,i,r)}};try{const{status:g,tokens:y,nonce:A}=await ke(e)(_,e.configurationName,e.tokens,o);switch(g){case P.SESSION_LOST:return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:"refresh token session lost"}),{tokens:null,status:"SESSION_LOST"};case P.NOT_CONNECTED:return n(null),{tokens:null,status:null};case P.TOKENS_VALID:return n(y),{tokens:y,status:"LOGGED_IN"};case P.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID:return n(y),e.publishEvent(R.eventNames.token_renewed,{reason:"TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_VALID"}),{tokens:y,status:"LOGGED_IN"};case P.LOGOUT_FROM_ANOTHER_TAB:return n(null),e.publishEvent(k.logout_from_another_tab,{status:"session syncTokensAsync"}),{tokens:null,status:"LOGGED_OUT"};case P.REQUIRE_SYNC_TOKENS:return _.token_automatic_renew_mode==J.AutomaticOnlyWhenFetchExecuted&&!o?(e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"}):(e.publishEvent(k.refreshTokensAsync_begin,{tryNumber:t}),await p());default:{if(_.token_automatic_renew_mode==J.AutomaticOnlyWhenFetchExecuted&&P.FORCE_REFRESH!==g)return e.publishEvent(k.tokensInvalidAndWaitingActionsToRefresh,{}),{tokens:e.tokens,status:"GIVE_UP"};if(e.publishEvent(k.refreshTokensAsync_begin,{refreshToken:y.refreshToken,status:g,tryNumber:t,backgroundTry:s}),!y.refreshToken)return await p();const T=_.client_id,O=_.redirect_uri,v=_.authority,w={..._.token_request_extras?_.token_request_extras:{}};for(const[U,E]of Object.entries(i))U.endsWith(":token_request")&&(w[U.replace(":token_request","")]=E);return await(async()=>{const U={client_id:T,redirect_uri:O,grant_type:"refresh_token",refresh_token:y.refreshToken},E=await e.initAsync(v,_.authority_configuration),d=document.hidden?1e4:3e4*10,N=E.tokenEndpoint,S={};_.demonstrating_proof_of_possession&&(S.DPoP=await e.generateDemonstrationOfProofOfPossessionAsync(y.accessToken,N,"POST"));const b=await hn(e.getFetch())(N,U,w,y,S,_.token_renew_mode,d);if(b.success){const{isValid:V,reason:F}=Ee(b.data,A.nonce,E);if(!V)return n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`refresh token return not valid tokens, reason: ${F}`}),{tokens:null,status:"SESSION_LOST"};if(n(b.data),b.demonstratingProofOfPossessionNonce){const $=await L(_,e.configurationName);$?await $.setDemonstratingProofOfPossessionNonce(b.demonstratingProofOfPossessionNonce):await W(e.configurationName,_.storage,_.login_state_storage??_.storage).setDemonstratingProofOfPossessionNonce(b.demonstratingProofOfPossessionNonce)}return e.publishEvent(k.refreshTokensAsync_end,{success:b.success}),e.publishEvent(R.eventNames.token_renewed,{reason:"REFRESH_TOKEN"}),{tokens:b.data,status:"LOGGED_IN"}}else return e.publishEvent(k.refreshTokensAsync_silent_error,{message:"bad request",tokenResponse:b}),b.status>=400&&b.status<500?(n(null),e.publishEvent(k.refreshTokensAsync_error,{message:`session lost: ${b.status}`}),{tokens:null,status:"SESSION_LOST"}):await oe(e)(n,l,h,o,i,r)})()}}}catch(g){return console.error(g),e.publishEvent(k.refreshTokensAsync_silent_error,{message:"exception",exception:g.message}),new Promise((y,A)=>{setTimeout(()=>{oe(e)(n,l,h,o,i,r).then(y).catch(A)},1e3)})}},me=(e,n,t)=>(s=null,o=null,i=null)=>{if(!n.silent_redirect_uri||!n.silent_login_uri)return Promise.resolve(null);try{t(k.silentLoginAsync_begin,{});let r="";if(o&&(s==null&&(s={}),s.state=o),i!=null&&(s==null&&(s={}),s.scope=i),s!=null)for(const[l,h]of Object.entries(s))h!=null&&(r===""?r=`?${encodeURIComponent(l)}=${encodeURIComponent(h)}`:r+=`&${encodeURIComponent(l)}=${encodeURIComponent(h)}`);const a=n.silent_login_uri+r,c=a.indexOf("/",a.indexOf("//")+2),f=a.substring(0,c),u=document.createElement("iframe");return u.width="0px",u.height="0px",u.id=`${e}_oidc_iframe`,u.setAttribute("src",a),u.style.display="none",document.body.appendChild(u),new Promise((l,h)=>{let _=!1;const m=()=>{window.removeEventListener("message",p),u.remove(),_=!0},p=g=>{if(g.origin===f&&g.source===u.contentWindow){const y=`${e}_oidc_tokens:`,A=`${e}_oidc_error:`,T=`${e}_oidc_exception:`,O=g.data;if(O&&typeof O=="string"&&!_){if(O.startsWith(y)){const v=JSON.parse(g.data.replace(y,""));t(k.silentLoginAsync_end,{}),l(v),m()}else if(O.startsWith(A)){const v=JSON.parse(g.data.replace(A,""));t(k.silentLoginAsync_error,v),l({error:"oidc_"+v.error,tokens:null,sessionState:null}),m()}else if(O.startsWith(T)){const v=JSON.parse(g.data.replace(T,""));t(k.silentLoginAsync_error,v),h(new Error(v.error)),m()}}}};try{window.addEventListener("message",p);const g=n.silent_login_timeout;setTimeout(()=>{_||(m(),t(k.silentLoginAsync_error,{reason:"timeout"}),h(new Error("timeout")))},g)}catch(g){m(),t(k.silentLoginAsync_error,g),h(g)}})}catch(r){throw t(k.silentLoginAsync_error,r),r}},mn=(e,n,t,s,o)=>(i=null,r=void 0)=>{i={...i};const a=(f,u,l)=>me(n,t,s.bind(o))(f,u,l);return(async()=>{o.timeoutId&&D.clearTimeout(o.timeoutId);let f;i&&"state"in i&&(f=i.state,delete i.state);try{const u=t.extras?{...t.extras,...i}:i,l=await a({...u,prompt:"none"},f,r);if(l)return o.tokens=l.tokens,s(k.token_acquired,{}),o.timeoutId=z(o,o.tokens.expiresAt,i,r),{}}catch(u){return u}})()},wn=(e,n,t)=>(s,o,i,r=!1)=>{const a=(c,f=void 0,u=void 0)=>me(e.configurationName,t,e.publishEvent.bind(e))(c,f,u);return new Promise((c,f)=>{if(t.silent_login_uri&&t.silent_redirect_uri&&t.monitor_session&&s&&i&&!r){const u=()=>{e.checkSessionIFrame.stop();const l=e.tokens;if(l===null)return;const h=l.idToken,_=l.idTokenPayload;return a({prompt:"none",id_token_hint:h,scope:t.scope||"openid"}).then(m=>{if(m.error)throw new Error(m.error);const p=m.tokens.idTokenPayload;if(_.sub===p.sub){const g=m.sessionState;e.checkSessionIFrame.start(m.sessionState),_.sid===p.sid?console.debug("SessionMonitor._callback: Same sub still logged in at OP, restarting check session iframe; session_state:",g):console.debug("SessionMonitor._callback: Same sub still logged in at OP, session state has changed, restarting check session iframe; session_state:",g)}else console.debug("SessionMonitor._callback: Different subject signed into OP:",p.sub)}).catch(async m=>{console.warn("SessionMonitor._callback: Silent login failed, logging out other tabs:",m);for(const[,p]of Object.entries(n))await p.logoutOtherTabAsync(t.client_id,_.sub)})};e.checkSessionIFrame=new Be(u,o,s),e.checkSessionIFrame.load().then(()=>{e.checkSessionIFrame.start(i),c(e.checkSessionIFrame)}).catch(l=>{f(l)})}else c(null)})},pn=e=>!!(e.os==="iOS"&&e.osVersion.startsWith("12")||e.os==="Mac OS X"&&e.osVersion.startsWith("10_15_6")),An=e=>{const n=e.appVersion,t=e.userAgent,s="-";let o=s;const i=[{s:"Windows 10",r:/(Windows 10.0|Windows NT 10.0)/},{s:"Windows 8.1",r:/(Windows 8.1|Windows NT 6.3)/},{s:"Windows 8",r:/(Windows 8|Windows NT 6.2)/},{s:"Windows 7",r:/(Windows 7|Windows NT 6.1)/},{s:"Windows Vista",r:/Windows NT 6.0/},{s:"Windows Server 2003",r:/Windows NT 5.2/},{s:"Windows XP",r:/(Windows NT 5.1|Windows XP)/},{s:"Windows 2000",r:/(Windows NT 5.0|Windows 2000)/},{s:"Windows ME",r:/(Win 9x 4.90|Windows ME)/},{s:"Windows 98",r:/(Windows 98|Win98)/},{s:"Windows 95",r:/(Windows 95|Win95|Windows_95)/},{s:"Windows NT 4.0",r:/(Windows NT 4.0|WinNT4.0|WinNT|Windows NT)/},{s:"Windows CE",r:/Windows CE/},{s:"Windows 3.11",r:/Win16/},{s:"Android",r:/Android/},{s:"Open BSD",r:/OpenBSD/},{s:"Sun OS",r:/SunOS/},{s:"Chrome OS",r:/CrOS/},{s:"Linux",r:/(Linux|X11(?!.*CrOS))/},{s:"iOS",r:/(iPhone|iPad|iPod)/},{s:"Mac OS X",r:/Mac OS X/},{s:"Mac OS",r:/(Mac OS|MacPPC|MacIntel|Mac_PowerPC|Macintosh)/},{s:"QNX",r:/QNX/},{s:"UNIX",r:/UNIX/},{s:"BeOS",r:/BeOS/},{s:"OS/2",r:/OS\/2/},{s:"Search Bot",r:/(nuhk|Googlebot|Yammybot|Openbot|Slurp|MSNBot|Ask Jeeves\/Teoma|ia_archiver)/}];for(const a in i){const c=i[a];if(c.r.test(t)){o=c.s;break}}let r=s;switch(/Windows/.test(o)&&(r=/Windows (.*)/.exec(o)[1],o="Windows"),o){case"Mac OS":case"Mac OS X":case"Android":r=/(?:Android|Mac OS|Mac OS X|MacPPC|MacIntel|Mac_PowerPC|Macintosh) ([._\d]+)/.exec(t)[1];break;case"iOS":{const a=/OS (\d+)_(\d+)_?(\d+)?/.exec(n);a!=null&&a.length>2&&(r=a[1]+"."+a[2]+"."+(parseInt(a[3])|0));break}}return{os:o,osVersion:r}};function Sn(){const e=navigator.userAgent;let n,t=e.match(/(opera|chrome|safari|firefox|msie|trident(?=\/))\/?\s*(\d+)/i)||[];if(/trident/i.test(t[1]))return n=/\brv[ :]+(\d+)/g.exec(e)||[],{name:"ie",version:n[1]||""};if(t[1]==="Chrome"&&(n=e.match(/\bOPR|Edge\/(\d+)/),n!=null)){let s=n[1];if(!s){const o=e.split(n[0]+"/");o.length>1&&(s=o[1])}return{name:"opera",version:s}}return t=t[2]?[t[1],t[2]]:[navigator.appName,navigator.appVersion,"-?"],(n=e.match(/version\/(\d+)/i))!=null&&t.splice(1,1,n[1]),{name:t[0].toLowerCase(),version:t[1]}}const Tn=()=>{const{name:e,version:n}=Sn();if(e==="chrome"&&parseInt(n)<=70||e==="opera"&&(!n||parseInt(n.split(".")[0])<80)||e==="ie")return!1;const t=An(navigator);return!pn(t)},vn=async e=>{let n;if(e.tokens!=null)return!1;e.publishEvent(k.tryKeepExistingSessionAsync_begin,{});try{const t=e.configuration,s=await e.initAsync(t.authority,t.authority_configuration);if(n=await L(t,e.configurationName),n){const{tokens:o}=await n.initAsync(s,"tryKeepExistingSessionAsync",t);if(o){n.startKeepAliveServiceWorker(),e.tokens=o;const i=n.getLoginParams(e.configurationName);e.timeoutId=z(e,e.tokens.expiresAt,i.extras,i.scope);const r=await n.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,r),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside ServiceWorker are valid"}),!0}e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:"no exiting session found"})}else{t.service_worker_relative_url&&e.publishEvent(k.service_worker_not_supported_by_browser,{message:"service worker is not supported by this browser"});const o=W(e.configurationName,t.storage??sessionStorage,t.login_state_storage??t.storage??sessionStorage),{tokens:i}=await o.initAsync();if(i){e.tokens=re(i,null,t.token_renew_mode);const r=o.getLoginParams();e.timeoutId=z(e,e.tokens.expiresAt,r.extras,r.scope);const a=await o.getSessionStateAsync();return await e.startCheckSessionAsync(s.checkSessionIframe,t.client_id,a),t.preload_user_info&&await e.userInfoAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!0,message:"tokens inside storage are valid"}),!0}}return e.publishEvent(k.tryKeepExistingSessionAsync_end,{success:!1,message:n?"service worker sessions not retrieved":"session storage sessions not retrieved"}),!1}catch(t){return console.error(t),n&&await n.clearAsync(),e.publishEvent(k.tryKeepExistingSessionAsync_error,"tokens inside ServiceWorker are invalid"),!1}},Ke=e=>{const n=e.match(/^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/);if(!n)throw new Error("Invalid URL");let t=n[6],s=n[7];if(s){const o=s.split("?");o.length===2&&(s=o[0],t=o[1])}return t.startsWith("?")&&(t=t.slice(1)),n&&{href:e,protocol:n[1],host:n[2],hostname:n[3],port:n[4],path:n[5],search:t,hash:s}},En=e=>{const n=Ke(e);let{path:t}=n;t.endsWith("/")&&(t=t.slice(0,-1));let{hash:s}=n;return s==="#_=_"&&(s=""),s&&(t+=s),t},ie=e=>{const n=Ke(e),{search:t}=n;return On(t)},On=e=>{const n={};let t,s,o;const i=e.split("&");for(s=0,o=i.length;s<o;s++)t=i[s].split("="),n[decodeURIComponent(t[0])]=decodeURIComponent(t[1]);return n},bn=(e,n,t,s,o)=>(i=void 0,r=null,a=!1,c=void 0)=>{const f=r;return r={...r},(async()=>{const l=i||o.getPath();if("state"in r||(r.state=he(16)),t(k.loginAsync_begin,{}),r)for(const h of Object.keys(r))h.endsWith(":token_request")&&delete r[h];try{const h=a?n.silent_redirect_uri:n.redirect_uri;c||(c=n.scope);const _=n.extras?{...n.extras,...r}:r;_.nonce||(_.nonce=he(12));const m={nonce:_.nonce},p=await L(n,e),g=await s(n.authority,n.authority_configuration);let y;if(p)p.setLoginParams({callbackPath:l,extras:f,scope:c}),await p.initAsync(g,"loginAsync",n),await p.setNonceAsync(m),p.startKeepAliveServiceWorker(),y=p;else{const T=W(e,n.storage??sessionStorage,n.login_state_storage??n.storage??sessionStorage);T.setLoginParams({callbackPath:l,extras:f,scope:c}),await T.setNonceAsync(m),y=T}const A={client_id:n.client_id,redirect_uri:h,scope:c,response_type:"code",..._};await yn(y,o)(g.authorizationEndpoint,A)}catch(h){throw t(k.loginAsync_error,h),h}})()},Pn=e=>async(n=!1)=>{try{e.publishEvent(k.loginCallbackAsync_begin,{});const t=e.configuration,s=t.client_id,o=n?t.silent_redirect_uri:t.redirect_uri,i=t.authority,r=t.token_request_timeout,a=await e.initAsync(i,t.authority_configuration),c=e.location.getCurrentHref(),f=ie(c),u=f.session_state,l=await L(t,e.configurationName);let h,_,m,p;if(l)await l.initAsync(a,"loginCallbackAsync",t),await l.setSessionStateAsync(u),_=await l.getNonceAsync(),m=l.getLoginParams(),p=await l.getStateAsync(),l.startKeepAliveServiceWorker(),h=l;else{const E=W(e.configurationName,t.storage??sessionStorage,t.login_state_storage??t.storage??sessionStorage);await E.setSessionStateAsync(u),_=await E.getNonceAsync(),m=E.getLoginParams(),p=await E.getStateAsync(),h=E}if(f.error||f.error_description)throw new Error(`Error from OIDC server: ${f.error} - ${f.error_description}`);if(f.iss&&f.iss!==a.issuer)throw console.error(),new Error(`Issuer not valid (expected: ${a.issuer}, received: ${f.iss})`);if(f.state&&f.state!==p)throw new Error(`State not valid (expected: ${p}, received: ${f.state})`);const g={code:f.code,grant_type:"authorization_code",client_id:t.client_id,redirect_uri:o},y={};if(t.token_request_extras)for(const[E,d]of Object.entries(t.token_request_extras))y[E]=d;if(m?.extras)for(const[E,d]of Object.entries(m.extras))E.endsWith(":token_request")&&(y[E.replace(":token_request","")]=d);const A=a.tokenEndpoint,T={};if(t.demonstrating_proof_of_possession)if(l)T.DPoP=`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${e.configurationName}`;else{const E=await cn(window)(t.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm);await W(e.configurationName,t.storage,t.login_state_storage??t.storage).setDemonstratingProofOfPossessionJwkAsync(E),T.DPoP=await xe(window)(t.demonstrating_proof_of_possession_configuration)(E,"POST",A)}const O=await kn(h)(A,{...g,...y},T,e.configuration.token_renew_mode,r);if(!O.success)throw new Error("Token request failed");let v;const C=O.data.tokens,w=O.data.demonstratingProofOfPossessionNonce;if(O.data.state!==y.state)throw new Error("state is not valid");const{isValid:Z,reason:U}=Ee(C,_.nonce,a);if(!Z)throw new Error(`Tokens are not OpenID valid, reason: ${U}`);if(l){if(C.refreshToken&&!C.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER"))throw new Error("Refresh token should be hidden by service worker");if(w&&C?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER"))throw new Error("Demonstration of proof of possession require Access token not hidden by service worker")}if(l)await l.initAsync(a,"syncTokensAsync",t),v=l.getLoginParams(),w&&await l.setDemonstratingProofOfPossessionNonce(w);else{const E=W(e.configurationName,t.storage,t.login_state_storage??t.storage);v=E.getLoginParams(),w&&await E.setDemonstratingProofOfPossessionNonce(w)}return await e.startCheckSessionAsync(a.checkSessionIframe,s,u,n),e.publishEvent(k.loginCallbackAsync_end,{}),{tokens:C,state:"request.state",callbackPath:v.callbackPath,scope:f.scope,extras:v.extras}}catch(t){throw console.error(t),e.publishEvent(k.loginCallbackAsync_error,t),t}},Ue={access_token:"access_token",refresh_token:"refresh_token"},we=(e,n)=>{const t={};if(e){for(const[s,o]of Object.entries(e))if(s.endsWith(n)){const i=s.replace(n,"");t[i]=o}return t}return t},In=e=>{const n={};if(e){for(const[t,s]of Object.entries(e))t.includes(":")||(n[t]=s);return n}return n},Cn=e=>async n=>{D.clearTimeout(e.timeoutId),e.timeoutId=null,e.checkSessionIFrame&&e.checkSessionIFrame.stop();const t=await L(e.configuration,e.configurationName);t?await t.clearAsync(n):await W(e.configurationName,e.configuration.storage,e.configuration.login_state_storage??e.configuration.storage).clearAsync(n),e.tokens=null,e.userInfo=null},Nn=(e,n,t,s,o)=>async(i=void 0,r=null)=>{const a=e.configuration,c=await e.initAsync(a.authority,a.authority_configuration);i&&typeof i!="string"&&(i=void 0,s.warn("callbackPathOrUrl path is not a string"));const f=i??o.getPath();let u=!1;i&&(u=i.includes("https://")||i.includes("http://"));const l=u?i:o.getOrigin()+f,h=e.tokens?e.tokens.idToken:"";try{const y=c.revocationEndpoint;if(y){const A=[],T=e.tokens?e.tokens.accessToken:null;if(T&&a.logout_tokens_to_invalidate.includes(Ue.access_token)){const v=we(r,":revoke_access_token"),C=De(t)(y,T,ye.access_token,a.client_id,v);A.push(C)}const O=e.tokens?e.tokens.refreshToken:null;if(O&&a.logout_tokens_to_invalidate.includes(Ue.refresh_token)){const v=we(r,":revoke_refresh_token"),C=De(t)(y,O,ye.refresh_token,a.client_id,v);A.push(C)}A.length>0&&await Promise.all(A)}}catch(y){s.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"),s.warn(y)}const _=e.tokens?.idTokenPayload?.sub??null;await e.destroyAsync("LOGGED_OUT");for(const[,y]of Object.entries(n))y!==e?await e.logoutSameTabAsync(e.configuration.client_id,_):e.publishEvent(k.logout_from_same_tab,{});const m=we(r,":oidc");if(m&&m.no_reload==="true")return;const g=In(r);if(c.endSessionEndpoint){"id_token_hint"in g||(g.id_token_hint=h),!("post_logout_redirect_uri"in g)&&i!==null&&(g.post_logout_redirect_uri=l);let y="";for(const[A,T]of Object.entries(g))T!=null&&(y===""?y+="?":y+="&",y+=`${A}=${encodeURIComponent(T)}`);o.open(`${c.endSessionEndpoint}${y}`)}else o.reload()},Ve=(e,n,t=!1)=>async(...s)=>{const[o,i,...r]=s,a=i?{...i}:{method:"GET"};let c=new Headers;a.headers&&(c=a.headers instanceof Headers?a.headers:new Headers(a.headers));const f={getTokens:()=>n.tokens,configuration:{token_automatic_renew_mode:n.configuration.token_automatic_renew_mode,refresh_time_before_tokens_expiration_in_second:n.configuration.refresh_time_before_tokens_expiration_in_second},syncTokensInfoAsync:async()=>{const{status:_}=await ke(n)(n.configuration,n.configurationName,n.tokens,!1);return _},renewTokensAsync:n.renewTokensAsync.bind(n)},l=(await ve(f))?.tokens?.accessToken;if(c.has("Accept")||c.set("Accept","application/json"),l){if(n.configuration.demonstrating_proof_of_possession&&t){const _=await n.generateDemonstrationOfProofOfPossessionAsync(l,o.toString(),a.method);c.set("Authorization",`DPoP ${l}`),c.set("DPoP",_)}else c.set("Authorization",`Bearer ${l}`);a.credentials||(a.credentials="same-origin")}const h={...a,headers:c};return await e(o,h,...r)},xn=e=>async(n=!1,t=!1)=>{if(e.userInfo!=null&&!n)return e.userInfo;const s=!n&&e.configuration.storage?.getItem(`oidc.${e.configurationName}.userInfo`);if(s)return e.userInfo=JSON.parse(s),e.userInfo;const o=e.configuration,r=(await e.initAsync(o.authority,o.authority_configuration)).userInfoEndpoint,c=await(async()=>{const u=await Ve(fetch,e,t)(r);return u.status!==200?null:u.json()})();return e.userInfo=c,c&&e.configuration.storage?.setItem(`oidc.${e.configurationName}.userInfo`,JSON.stringify(c)),c},Fe=()=>fetch;class pe{constructor(n){this.authorizationEndpoint=n.authorization_endpoint,this.tokenEndpoint=n.token_endpoint,this.revocationEndpoint=n.revocation_endpoint,this.userInfoEndpoint=n.userinfo_endpoint,this.checkSessionIframe=n.check_session_iframe,this.issuer=n.issuer,this.endSessionEndpoint=n.end_session_endpoint}}const M={},Wn=(e,n=new K)=>(t,s="default")=>(M[s]||(M[s]=new R(t,s,e,n)),M[s]),Ln=async e=>{const{parsedTokens:n,callbackPath:t,extras:s,scope:o}=await e.loginCallbackAsync();return e.timeoutId=z(e,n.expiresAt,s,o),{callbackPath:t}},Dn=e=>Math.floor(Math.random()*e),Q=class Q{constructor(n,t="default",s,o=new K){this.initPromise=null,this.tryKeepExistingSessionPromise=null,this.loginPromise=null,this.loginCallbackPromise=null,this.loginCallbackWithAutoTokensRenewPromise=null,this.userInfoPromise=null,this.renewTokensPromise=null,this.logoutPromise=null;let i=n.silent_login_uri;n.silent_redirect_uri&&!n.silent_login_uri&&(i=`${n.silent_redirect_uri.replace("-callback","").replace("callback","")}-login`);let r=n.refresh_time_before_tokens_expiration_in_second??120;r>60&&(r=r-Math.floor(Math.random()*40)),this.location=o??new K,this.configuration={...n,silent_login_uri:i,token_automatic_renew_mode:n.token_automatic_renew_mode??J.AutomaticBeforeTokenExpiration,monitor_session:n.monitor_session??!1,refresh_time_before_tokens_expiration_in_second:r,silent_login_timeout:n.silent_login_timeout??12e3,token_renew_mode:n.token_renew_mode??ee.access_token_or_id_token_invalid,demonstrating_proof_of_possession:n.demonstrating_proof_of_possession??!1,authority_timeout_wellknowurl_in_millisecond:n.authority_timeout_wellknowurl_in_millisecond??1e4,logout_tokens_to_invalidate:n.logout_tokens_to_invalidate??["access_token","refresh_token"],service_worker_activate:n.service_worker_activate??Tn,demonstrating_proof_of_possession_configuration:n.demonstrating_proof_of_possession_configuration??sn,preload_user_info:n.preload_user_info??!1},this.getFetch=s??Fe,this.configurationName=t,this.tokens=null,this.userInfo=null,this.events=[],this.timeoutId=null,this.loginCallbackWithAutoTokensRenewAsync.bind(this),this.initAsync.bind(this),this.loginCallbackAsync.bind(this),this.subscribeEvents.bind(this),this.removeEventSubscription.bind(this),this.publishEvent.bind(this),this.destroyAsync.bind(this),this.logoutAsync.bind(this),this.renewTokensAsync.bind(this),this.initAsync(this.configuration.authority,this.configuration.authority_configuration)}subscribeEvents(n){const t=Dn(9999999999999).toString();return this.events.push({id:t,func:n}),t}removeEventSubscription(n){const t=this.events.filter(s=>s.id!==n);this.events=t}publishEvent(n,t){this.events.forEach(s=>{s.func(n,t)})}static get(n="default"){const t=typeof process>"u";if(!Object.prototype.hasOwnProperty.call(M,n)&&t)throw Error(`OIDC library does seem initialized.
+Please checkout that you are using OIDC hook inside a <OidcProvider configurationName="${n}"></OidcProvider> component.`);return M[n]}_silentLoginCallbackFromIFrame(){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const n=this.location,t=ie(n.getCurrentHref());window.parent.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify({tokens:this.tokens,sessionState:t.session_state})}`,n.getOrigin())}}_silentLoginErrorCallbackFromIFrame(n=null){if(this.configuration.silent_redirect_uri&&this.configuration.silent_login_uri){const t=this.location,s=ie(t.getCurrentHref());s.error?window.parent.postMessage(`${this.configurationName}_oidc_error:${JSON.stringify({error:s.error})}`,t.getOrigin()):window.parent.postMessage(`${this.configurationName}_oidc_exception:${JSON.stringify({error:n==null?"":n.toString()})}`,t.getOrigin())}}async silentLoginCallbackAsync(){try{await this.loginCallbackAsync(!0),this._silentLoginCallbackFromIFrame()}catch(n){console.error(n),this._silentLoginErrorCallbackFromIFrame(n)}}async initAsync(n,t){if(this.initPromise!==null)return this.initPromise;const s=async()=>{if(t!=null)return new pe({authorization_endpoint:t.authorization_endpoint,end_session_endpoint:t.end_session_endpoint,revocation_endpoint:t.revocation_endpoint,token_endpoint:t.token_endpoint,userinfo_endpoint:t.userinfo_endpoint,check_session_iframe:t.check_session_iframe,issuer:t.issuer});const i=await L(this.configuration,this.configurationName)?this.configuration.storage||window.sessionStorage:this.configuration.storage;return await gn(this.getFetch())(n,this.configuration.authority_time_cache_wellknowurl_in_second??3600,i,this.configuration.authority_timeout_wellknowurl_in_millisecond)};return this.initPromise=s(),this.initPromise.finally(()=>{this.initPromise=null})}async tryKeepExistingSessionAsync(){return this.tryKeepExistingSessionPromise!==null?this.tryKeepExistingSessionPromise:(this.tryKeepExistingSessionPromise=vn(this),this.tryKeepExistingSessionPromise.finally(()=>{this.tryKeepExistingSessionPromise=null}))}async startCheckSessionAsync(n,t,s,o=!1){await wn(this,M,this.configuration)(n,t,s,o)}async loginAsync(n=void 0,t=null,s=!1,o=void 0,i=!1){return this.logoutPromise&&await this.logoutPromise,this.loginPromise!==null?this.loginPromise:(i?this.loginPromise=mn(window,this.configurationName,this.configuration,this.publishEvent.bind(this),this)(t,o):this.loginPromise=bn(this.configurationName,this.configuration,this.publishEvent.bind(this),this.initAsync.bind(this),this.location)(n,t,s,o),this.loginPromise.finally(()=>{this.loginPromise=null}))}async loginCallbackAsync(n=!1){if(this.loginCallbackPromise!==null)return this.loginCallbackPromise;const t=async()=>{const s=await Pn(this)(n),o=s.tokens;return this.tokens=o,await L(this.configuration,this.configurationName)||W(this.configurationName,this.configuration.storage,this.configuration.login_state_storage??this.configuration.storage).setTokens(o),this.publishEvent(Q.eventNames.token_acquired,o),this.configuration.preload_user_info&&await this.userInfoAsync(),{parsedTokens:o,state:s.state,callbackPath:s.callbackPath,scope:s.scope,extras:s.extras}};return this.loginCallbackPromise=t(),this.loginCallbackPromise.finally(()=>{this.loginCallbackPromise=null})}async generateDemonstrationOfProofOfPossessionAsync(n,t,s,o={}){const i=this.configuration,r={ath:await Le(n),...o};if(await L(i,this.configurationName))return`DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${le(this.configurationName)}`;const c=W(this.configurationName,i.storage,i.login_state_storage??i.storage),f=await c.getDemonstratingProofOfPossessionJwkAsync(),u=c.getDemonstratingProofOfPossessionNonce();return u&&(r.nonce=u),await xe(window)(i.demonstrating_proof_of_possession_configuration)(f,s,t,r)}loginCallbackWithAutoTokensRenewAsync(){return this.loginCallbackWithAutoTokensRenewPromise!==null?this.loginCallbackWithAutoTokensRenewPromise:(this.loginCallbackWithAutoTokensRenewPromise=Ln(this),this.loginCallbackWithAutoTokensRenewPromise.finally(()=>{this.loginCallbackWithAutoTokensRenewPromise=null}))}userInfoAsync(n=!1,t=!1){return this.userInfoPromise!==null?this.userInfoPromise:(this.userInfoPromise=xn(this)(n,t),this.userInfoPromise.finally(()=>{this.userInfoPromise=null}))}async renewTokensAsync(n=null,t=null){if(this.renewTokensPromise!==null)return this.renewTokensPromise;if(this.timeoutId)return D.clearTimeout(this.timeoutId),this.renewTokensPromise=$e(this,!0,n,t),this.renewTokensPromise.finally(()=>{this.renewTokensPromise=null})}async destroyAsync(n){return await Cn(this)(n)}async logoutSameTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_same_tab,{mmessage:"SessionMonitor",sub:t}))}async logoutOtherTabAsync(n,t){this.configuration.monitor_session&&this.configuration.client_id===n&&t&&this.tokens&&this.tokens.idTokenPayload&&this.tokens.idTokenPayload.sub===t&&(await this.destroyAsync("LOGGED_OUT"),this.publishEvent(k.logout_from_another_tab,{message:"SessionMonitor",sub:t}))}async logoutAsync(n=void 0,t=null){return this.logoutPromise?this.logoutPromise:(this.logoutPromise=Nn(this,M,this.getFetch(),console,this.location)(n,t),this.logoutPromise.finally(()=>{this.logoutPromise=null}))}};Q.getOrCreate=(n,t)=>(s,o="default")=>Wn(n,t)(s,o),Q.eventNames=k;let R=Q;const j=class j{constructor(n){this._oidc=n}subscribeEvents(n){return this._oidc.subscribeEvents(n)}removeEventSubscription(n){this._oidc.removeEventSubscription(n)}publishEvent(n,t){this._oidc.publishEvent(n,t)}static get(n="default"){return new j(R.get(n))}tryKeepExistingSessionAsync(){return this._oidc.tryKeepExistingSessionAsync()}loginAsync(n=void 0,t=null,s=!1,o=void 0,i=!1){return this._oidc.loginAsync(n,t,s,o,i)}logoutAsync(n=void 0,t=null){return this._oidc.logoutAsync(n,t)}silentLoginCallbackAsync(){return this._oidc.silentLoginCallbackAsync()}renewTokensAsync(n=null,t=null){return this._oidc.renewTokensAsync(n,t)}loginCallbackAsync(){return this._oidc.loginCallbackWithAutoTokensRenewAsync()}get tokens(){return this._oidc.tokens}get configuration(){return this._oidc.configuration}async generateDemonstrationOfProofOfPossessionAsync(n,t,s,o={}){return this._oidc.generateDemonstrationOfProofOfPossessionAsync(n,t,s,o)}async getValidTokenAsync(n=200,t=50){const s=this._oidc,o={getTokens:()=>s.tokens,configuration:{token_automatic_renew_mode:s.configuration.token_automatic_renew_mode,refresh_time_before_tokens_expiration_in_second:s.configuration.refresh_time_before_tokens_expiration_in_second},syncTokensInfoAsync:async()=>{const{status:i}=await ke(s)(s.configuration,s.configurationName,s.tokens,!1);return i},renewTokensAsync:s.renewTokensAsync.bind(s)};return ve(o,n,t)}fetchWithTokens(n,t=!1){return Ve(n,this._oidc,t)}async userInfoAsync(n=!1,t=!1){return this._oidc.userInfoAsync(n,t)}userInfo(){return this._oidc.userInfo}};j.getOrCreate=(n,t=new K)=>(s,o="default")=>new j(R.getOrCreate(n,t)(s,o)),j.eventNames=R.eventNames;let Ae=j;x.OidcClient=Ae,x.OidcLocation=K,x.TokenAutomaticRenewMode=J,x.TokenRenewMode=ee,x.getFetchDefault=Fe,x.getParseQueryStringFromLocation=ie,x.getPath=En,Object.defineProperty(x,Symbol.toStringTag,{value:"Module"})}));

package/dist/initWorker.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"initWorker.d.ts","sourceRoot":"","sources":["../src/initWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAM/C,eAAO,MAAM,UAAU,GAAI,kBAAkB;IAAE,YAAY,EAAE,GAAG,CAAA;CAAE,qBAEjE,CAAC;AA4BF,eAAO,MAAM,yCAAyC,GACnD,UAAU,cAAc,MAAY,cAAc,GAAG,EAAE,eAAe,MAAM,IAAI,kBAOhF,CAAC;AAEJ,eAAO,MAAM,QAAQ,GAAI,mBAAmB,MAAM,WAQjD,CAAC;~~AAgGF~~,eAAO,MAAM,eAAe,GAC1B,eAAe,iBAAiB,EAChC,mBAAmB,MAAM;;~~6EAsHJ~~,iBAAiB;;;;;~~yCAmEM~~,MAAM;;;+BA2BX,OAAO;;;;;+BA8EP,OAAO;2BAoBV,MAAM;sCASI,OAAO;yCAoBH,MAAM;kFA1FjB,MAAM;;mFAmBR,UAAU;;EAoGhD,CAAC"}
1	+ {"version":3,"file":"initWorker.d.ts","sourceRoot":"","sources":["../src/initWorker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAM/C,eAAO,MAAM,UAAU,GAAI,kBAAkB;IAAE,YAAY,EAAE,GAAG,CAAA;CAAE,qBAEjE,CAAC;AA4BF,eAAO,MAAM,yCAAyC,GACnD,UAAU,cAAc,MAAY,cAAc,GAAG,EAAE,eAAe,MAAM,IAAI,kBAOhF,CAAC;AAEJ,eAAO,MAAM,QAAQ,GAAI,mBAAmB,MAAM,WAQjD,CAAC;AAwIF,eAAO,MAAM,eAAe,GAC1B,eAAe,iBAAiB,EAChC,mBAAmB,MAAM;;6EAsMJ,iBAAiB;;;;;yCAkFM,MAAM;;;+BA2BX,OAAO;;;;;+BA8EP,OAAO;2BAoBV,MAAM;sCASI,OAAO;yCAoBH,MAAM;kFA1FjB,MAAM;;mFAmBR,UAAU;;EAoGhD,CAAC"}

package/dist/version.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-declare const _default: "7.27.0";
+declare const _default: "7.27.2";
 export default _default;
 //# sourceMappingURL=version.d.ts.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@axa-fr/oidc-client",
-  "version": "7.27.0",
+  "version": "7.27.2",
   "private": false,
   "type": "module",
   "main": "./dist/index.umd.cjs",
@@ -20,7 +20,7 @@
     "url": "https://github.com/AxaFrance/oidc-client.git"
   },
   "dependencies": {
-    "@axa-fr/oidc-client-service-worker": "7.27.0"
+    "@axa-fr/oidc-client-service-worker": "7.27.2"
   },
   "devDependencies": {
     "@testing-library/dom": "10.4.1",

package/src/initWorker.ts CHANGED Viewed

@@ -151,6 +151,46 @@ const waitForControllerAsync = async (timeoutMs: number) => {
   });
 };
+// Module-level guards to prevent:
+// - registering multiple controllerchange listeners (one per initWorkerAsync call)
+// - reloading more than once per page lifetime
+let controllerChangeListenerRegistered = false;
+let controllerChangeReloading = false;
+// Session-level guard to prevent infinite reload loops caused by SW update cycles.
+// The controllerchange listener triggers a page reload, but after reload the module-level
+// guards above are reset. If the SW still hasn't been updated correctly (e.g. stale cache,
+// Firefox issues), the cycle would repeat forever. This key tracks reloads across page loads
+// via sessionStorage so we can break the loop.
+const SW_RELOAD_SESSION_KEY = 'oidc.sw.controllerchange_reload_count';
+const SW_RELOAD_MAX = 3;
+const getControllerChangeReloadCount = (): number => {
+  try {
+    return parseInt(sessionStorage.getItem(SW_RELOAD_SESSION_KEY) ?? '0', 10);
+  } catch {
+    return 0;
+  }
+};
+const incrementControllerChangeReloadCount = (): number => {
+  const count = getControllerChangeReloadCount() + 1;
+  try {
+    sessionStorage.setItem(SW_RELOAD_SESSION_KEY, String(count));
+  } catch {
+    // ignore
+  }
+  return count;
+};
+const clearControllerChangeReloadCount = () => {
+  try {
+    sessionStorage.removeItem(SW_RELOAD_SESSION_KEY);
+  } catch {
+    // ignore
+  }
+};
 export const initWorkerAsync = async (
   configuration: OidcConfiguration,
   configurationName: string,
@@ -183,25 +223,82 @@ export const initWorkerAsync = async (
   const versionMismatchKey = `oidc.sw.version_mismatch_reload.${configurationName}`;
-  const sendSkipWaiting = async () => {
+  const sendSkipWaitingToWorker = async (targetSw: ServiceWorker) => {
     stopKeepAlive();
     console.log('New SW waiting – SKIP_WAITING');
     try {
-      await sendMessageAsync(registration, { timeoutMs: 8000 })({
-        type: 'SKIP_WAITING',
-        configurationName,
-        data: null,
+      await new Promise<void>((resolve, reject) => {
+        const messageChannel = new MessageChannel();
+        let timeoutId: any = null;
+        const cleanup = () => {
+          try {
+            if (timeoutId != null) {
+              timer.clearTimeout(timeoutId);
+              timeoutId = null;
+            }
+            messageChannel.port1.onmessage = null;
+            messageChannel.port1.close();
+            messageChannel.port2.close();
+          } catch (ex) {
+            console.error(ex);
+          }
+        };
+        timeoutId = timer.setTimeout(() => {
+          cleanup();
+          reject(new Error('SKIP_WAITING did not respond within 8000ms'));
+        }, 8000);
+        messageChannel.port1.onmessage = event => {
+          cleanup();
+          if (event?.data?.error) reject(event.data.error);
+          else resolve();
+        };
+        try {
+          targetSw.postMessage(
+            {
+              type: 'SKIP_WAITING',
+              configurationName,
+              data: null,
+              tabId: getTabId(configurationName ?? 'default'),
+            },
+            [messageChannel.port2],
+          );
+        } catch (err) {
+          cleanup();
+          reject(err);
+        }
       });
     } catch (e) {
       console.warn('SKIP_WAITING failed', e);
     }
   };
+  const sendSkipWaiting = async () => {
+    const waitingSw = registration.waiting;
+    if (waitingSw) {
+      await sendSkipWaitingToWorker(waitingSw);
+    } else {
+      console.warn('sendSkipWaiting called but no waiting service worker found');
+    }
+  };
   const trackInstallingWorker = (newSW: ServiceWorker) => {
     stopKeepAlive();
     newSW.addEventListener('statechange', async () => {
       if (newSW.state === 'installed' && navigator.serviceWorker.controller) {
-        await sendSkipWaiting();
+        // Guard against infinite SKIP_WAITING → controllerchange → reload loops.
+        // If we've already exhausted the reload budget, don't force activation – let the
+        // browser handle it naturally on the next navigation instead.
+        if (getControllerChangeReloadCount() >= SW_RELOAD_MAX) {
+          console.warn(
+            'SW trackInstallingWorker: skipping SKIP_WAITING because the reload budget is exhausted',
+          );
+          return;
+        }
+        await sendSkipWaitingToWorker(newSW);
       }
     });
   };
@@ -219,33 +316,25 @@ export const initWorkerAsync = async (
   if (registration.installing) {
     trackInstallingWorker(registration.installing);
   } else if (registration.waiting && navigator.serviceWorker.controller) {
-    // A new SW is already waiting – activate it straight away
-    sendSkipWaiting();
+    // A new SW is already waiting – activate it straight away (unless reload budget exhausted)
+    if (getControllerChangeReloadCount() < SW_RELOAD_MAX) {
+      sendSkipWaiting();
+    } else {
+      console.warn(
+        'SW: a waiting worker exists but reload budget is exhausted – skipping activation',
+      );
+    }
   }
-  // (Optional but useful on Safari) ask for update early
-  try {
-    await registration.update();
-  } catch (ex) {
+  // (Optional but useful on Safari) ask for update early – non-blocking to avoid slowing init
+  registration.update().catch(ex => {
     console.error(ex);
-  }
-  // 2) Quand le SW actif change, on reload (once per session)
-  const reloadKey = `oidc.sw.controllerchange.reloaded.${configurationName}`;
-  navigator.serviceWorker.addEventListener('controllerchange', () => {
-    try {
-      if (sessionStorage.getItem(reloadKey) === '1') return;
-      sessionStorage.setItem(reloadKey, '1');
-    } catch {
-      // ignore
-    }
-    console.log('SW controller changed – reloading page');
-    stopKeepAlive();
-    window.location.reload();
   });
-  // 3) Claim + init classique (Safari-safe)
+  // 2) Claim + init classique (Safari-safe)
+  // IMPORTANT: claim() is done BEFORE registering the controllerchange listener,
+  // because claim() can trigger a controllerchange event on first visit and we don't
+  // want that initial claim to cause a reload loop.
   try {
     await navigator.serviceWorker.ready;
@@ -264,6 +353,37 @@ export const initWorkerAsync = async (
     return null;
   }
+  // 3) Register the controllerchange listener AFTER claim, and only once per page lifetime.
+  // This prevents:
+  // - claim() from triggering a reload on first visit
+  // - multiple listeners being stacked (initWorkerAsync is called many times)
+  // - more than one reload per page lifetime (guard via controllerChangeReloading)
+  // - infinite loops across page reloads (guard via sessionStorage counter)
+  if (!controllerChangeListenerRegistered) {
+    controllerChangeListenerRegistered = true;
+    navigator.serviceWorker.addEventListener('controllerchange', () => {
+      if (controllerChangeReloading) {
+        return;
+      }
+      // Session-level guard: prevent infinite reload loops when the SW never converges
+      // to the expected version (e.g. stale cache, Firefox issues, Electron quirks).
+      const reloadCount = incrementControllerChangeReloadCount();
+      if (reloadCount > SW_RELOAD_MAX) {
+        console.warn(
+          `SW controllerchange: reload budget exhausted (${reloadCount - 1} reloads). ` +
+            'Skipping reload to avoid infinite loop.',
+        );
+        return;
+      }
+      controllerChangeReloading = true;
+      console.log('SW controller changed – reloading page');
+      stopKeepAlive();
+      window.location.reload();
+    });
+  }
   const clearAsync = async status => {
     return sendMessageAsync(registration)({ type: 'clear', data: { status }, configurationName });
   };
@@ -297,9 +417,18 @@ export const initWorkerAsync = async (
       const reloadCount = parseInt(sessionStorage.getItem(versionMismatchKey) ?? '0', 10);
       if (reloadCount < 3) {
         sessionStorage.setItem(versionMismatchKey, String(reloadCount + 1));
-        // If a new SW is already waiting, skip it into activation so controllerchange triggers reload
         if (registration.waiting) {
+          // A new SW is already waiting – activate it; controllerchange will trigger reload
           await sendSkipWaiting();
+          // If controllerchange did not reload yet, wait a moment then force reload
+          await sleepAsync({ milliseconds: 500 });
+          if (!controllerChangeReloading) {
+            controllerChangeReloading = true;
+            window.location.reload();
+          }
+          // Return a never-resolving promise to avoid returning stale tokens
+          return new Promise<never>(() => {});
         } else {
           // No waiting SW – force a fresh update and reload
           stopKeepAlive();
@@ -310,18 +439,24 @@ export const initWorkerAsync = async (
           }
           const isSuccess = await registration.unregister();
           console.log(`Service worker unregistering ${isSuccess}`);
-          await sleepAsync({ milliseconds: 2000 });
-          window.location.reload();
+          await sleepAsync({ milliseconds: 500 });
+          if (!controllerChangeReloading) {
+            controllerChangeReloading = true;
+            window.location.reload();
+          }
+          return new Promise<never>(() => {});
         }
       } else {
+        // Max retries reached – do NOT clear the key so future initAsync calls
+        // won't restart the cycle of 3 reloads
         console.error(
           `Service worker version mismatch persists after ${reloadCount} attempt(s). Continuing with mismatched version.`,
         );
-        sessionStorage.removeItem(versionMismatchKey);
       }
     } else {
-      // Version matches – clear any leftover mismatch counter
+      // Version matches – clear any leftover mismatch counter and reload counter
       sessionStorage.removeItem(versionMismatchKey);
+      clearControllerChangeReloadCount();
     }
     // @ts-ignore

package/src/version.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export default '7.27.0';
1	+ export default '7.27.2';