@axa-fr/oidc-client 7.27.16 → 7.27.18

package/dist/index.js

@@ -327,53 +327,53 @@ var _ = {
 	}
 	let i = await e.crypto.subtle.digest(n, f(r));
 	return h(new Uint8Array(i));
-} }, x = (e) => async (t) => await y.generate(e)(t), S = (e) => (t) => async (n, r = "POST", i, a = {}) => {
+} }, x = (e) => async (t) => await y.generate(e)(t), ee = (e) => (t) => async (n, r = "POST", i, a = {}) => {
 	let o = {
-		jti: btoa(C()),
+		jti: btoa(S()),
 		htm: r,
 		htu: i,
 		iat: Math.round(Date.now() / 1e3),
 		...a
 	}, s = await b.thumbprint(e)(n, t.digestAlgorithm);
 	return await v.sign(e)(n, { kid: s }, o, t);
-}, C = () => {
+}, S = () => {
 	let e = "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx", t = "0123456789abcdef", n = 0, r = "";
 	for (let i = 0; i < 36; i++) e[i] !== "-" && e[i] !== "4" && (n = Math.random() * 16 | 0), e[i] === "x" ? r += t[n] : e[i] === "y" ? (n &= 3, n |= 8, r += t[n]) : r += e[i];
 	return r;
-}, w = () => {
+}, C = () => {
 	let e = typeof window < "u" && !!window.crypto;
 	return {
 		hasCrypto: e,
 		hasSubtleCrypto: e && !!window.crypto.subtle
 	};
-}, T = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", E = (e) => {
+}, w = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", T = (e) => {
 	let t = [];
 	for (let n = 0; n < e.byteLength; n += 1) {
 		let r = e[n] % 62;
-		t.push(T[r]);
+		t.push(w[r]);
 	}
 	return t.join("");
-}, D = (e) => {
-	let t = new Uint8Array(e), { hasCrypto: n } = w();
+}, E = (e) => {
+	let t = new Uint8Array(e), { hasCrypto: n } = C();
 	if (n) window.crypto.getRandomValues(t);
 	else for (let n = 0; n < e; n += 1) t[n] = Math.random() * 62 | 0;
-	return E(t);
+	return T(t);
 };
-function ee(e) {
+function te(e) {
 	let t = new ArrayBuffer(e.length), n = new Uint8Array(t);
 	for (let t = 0; t < e.length; t++) n[t] = e.charCodeAt(t);
 	return n;
 }
-function te(e) {
+function ne(e) {
 	return new Promise((t, n) => {
-		crypto.subtle.digest("SHA-256", ee(e)).then((e) => t(h(new Uint8Array(e))), (e) => n(e));
+		crypto.subtle.digest("SHA-256", te(e)).then((e) => t(h(new Uint8Array(e))), (e) => n(e));
 	});
 }
-var ne = (e) => {
+var re = (e) => {
 	if (e.length < 43 || e.length > 128) return Promise.reject(/* @__PURE__ */ Error("Invalid code length."));
-	let { hasSubtleCrypto: t } = w();
-	return t ? te(e) : Promise.reject(/* @__PURE__ */ Error("window.crypto.subtle is unavailable."));
-}, re = (e) => !!(e.os === "iOS" && e.osVersion.startsWith("12") || e.os === "Mac OS X" && e.osVersion.startsWith("10_15_6")), ie = (e) => {
+	let { hasSubtleCrypto: t } = C();
+	return t ? ne(e) : Promise.reject(/* @__PURE__ */ Error("window.crypto.subtle is unavailable."));
+}, ie = (e) => !!(e.os === "iOS" && e.osVersion.startsWith("12") || e.os === "Mac OS X" && e.osVersion.startsWith("10_15_6")), ae = (e) => {
 	let t = e.appVersion, n = e.userAgent, r = "-", i = [
 		{
 			s: "Windows 10",
@@ -509,7 +509,7 @@ var ne = (e) => {
 		osVersion: a
 	};
 };
-function ae() {
+function oe() {
 	let e = navigator.userAgent, t, n = e.match(/(opera|chrome|safari|firefox|msie|trident(?=\/))\/?\s*(\d+)/i) || [];
 	if (/trident/i.test(n[1])) return t = /\brv[ :]+(\d+)/g.exec(e) || [], {
 		name: "ie",
@@ -535,10 +535,10 @@ function ae() {
 		version: n[1]
 	};
 }
-var oe = () => {
-	let { name: e, version: t } = ae();
-	return e === "chrome" && parseInt(t) <= 70 || e === "opera" && (!t || parseInt(t.split(".")[0]) < 80) || e === "ie" ? !1 : !re(ie(navigator));
-}, se = async (t) => {
+var se = () => {
+	let { name: e, version: t } = oe();
+	return e === "chrome" && parseInt(t) <= 70 || e === "opera" && (!t || parseInt(t.split(".")[0]) < 80) || e === "ie" ? !1 : !ie(ae(navigator));
+}, ce = async (t) => {
 	let n;
 	if (t.tokens != null) return !1;
 	t.publishEvent(e.tryKeepExistingSessionAsync_begin, {});
@@ -581,7 +581,7 @@ var oe = () => {
 	} catch (r) {
 		return console.error(r), n && await n.clearAsync(), t.publishEvent(e.tryKeepExistingSessionAsync_error, "tokens inside ServiceWorker are invalid"), !1;
 	}
-}, O = class {
+}, D = class {
 	open(e) {
 		window.location.href = e;
 	}
@@ -598,30 +598,38 @@ var oe = () => {
 	getOrigin() {
 		return window.origin;
 	}
-}, k = {}, ce = (e, t = window.sessionStorage, n) => {
-	if (!k[e] && t) {
+}, O = {
+	STATE_MISSING: "STATE_MISSING",
+	STATE_MISMATCH: "STATE_MISMATCH",
+	NONCE_MISSING: "NONCE_MISSING"
+}, k = class e extends Error {
+	constructor(t, n) {
+		super(n), this.name = "OidcStateError", this.code = t, Object.setPrototypeOf(this, e.prototype);
+	}
+}, le = (e) => e instanceof k, A = {}, ue = (e, t = window.sessionStorage, n) => {
+	if (!A[e] && t) {
 		let n = t.getItem(e);
-		n && (k[e] = JSON.parse(n));
+		n && (A[e] = JSON.parse(n));
 	}
 	let r = 1e3 * n;
-	return k[e] && k[e].timestamp + r > Date.now() ? k[e].result : null;
-}, le = (e, t, n = window.sessionStorage) => {
+	return A[e] && A[e].timestamp + r > Date.now() ? A[e].result : null;
+}, de = (e, t, n = window.sessionStorage) => {
 	let r = Date.now();
-	k[e] = {
+	A[e] = {
 		result: t,
 		timestamp: r
 	}, n && n.setItem(e, JSON.stringify({
 		result: t,
 		timestamp: r
 	}));
-}, ue = 3600, de = (e) => async (t, n = ue, r = window.sessionStorage, i = 1e4) => {
-	let a = `${t}/.well-known/openid-configuration`, o = `oidc.server:${t}`, s = ce(o, r, n);
-	if (s) return new I(s);
-	let c = await A(e)(a, {}, i);
+}, fe = 3600, pe = (e) => async (t, n = fe, r = window.sessionStorage, i = 1e4) => {
+	let a = `${t}/.well-known/openid-configuration`, o = `oidc.server:${t}`, s = ue(o, r, n);
+	if (s) return new Me(s);
+	let c = await j(e)(a, {}, i);
 	if (c.status !== 200) return null;
 	let l = await c.json();
-	return le(o, l, r), new I(l);
-}, A = (e) => async (t, n = {}, r = 1e4, i = 0) => {
+	return de(o, l, r), new Me(l);
+}, j = (e) => async (t, n = {}, r = 1e4, i = 0) => {
 	let a;
 	try {
 		let i = new AbortController();
@@ -631,15 +639,15 @@ var oe = () => {
 		});
 	} catch (a) {
 		if (a.name === "AbortError" || a.message === "Network request failed") {
-			if (i <= 1) return await A(e)(t, n, r, i + 1);
+			if (i <= 1) return await j(e)(t, n, r, i + 1);
 			throw a;
 		} else throw console.error(a.message), a;
 	}
 	return a;
-}, j = {
+}, me = {
 	refresh_token: "refresh_token",
 	access_token: "access_token"
-}, fe = (e) => async (t, n, r = j.refresh_token, i, a = {}, o = 1e4) => {
+}, he = (e) => async (t, n, r = me.refresh_token, i, a = {}, o = 1e4) => {
 	let s = {
 		token: n,
 		token_type_hint: r,
@@ -652,19 +660,19 @@ var oe = () => {
 		c.push(`${t}=${n}`);
 	}
 	let l = c.join("&");
-	return (await A(e)(t, {
+	return (await j(e)(t, {
 		method: "POST",
 		headers: { "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8" },
 		body: l
 	}, o)).status === 200 ? { success: !0 } : { success: !1 };
-}, pe = (e) => async (t, n, r, i, a = {}, o, s = 1e4) => {
+}, ge = (e) => async (t, n, r, i, a = {}, o, s = 1e4) => {
 	for (let [e, t] of Object.entries(r)) n[e] === void 0 && (n[e] = t);
 	let c = [];
 	for (let e in n) {
 		let t = encodeURIComponent(e), r = encodeURIComponent(n[e]);
 		c.push(`${t}=${r}`);
 	}
-	let l = c.join("&"), u = await A(e)(t, {
+	let l = c.join("&"), u = await j(e)(t, {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
@@ -684,21 +692,21 @@ var oe = () => {
 		data: G(d, i, o),
 		demonstratingProofOfPossessionNonce: f
 	};
-}, me = (e, t) => async (n, r) => {
+}, _e = (e, t) => async (n, r) => {
 	r = r ? { ...r } : {};
-	let i = D(128), a = await ne(i);
+	let i = E(128), a = await re(i);
 	await e.setCodeVerifierAsync(i), await e.setStateAsync(r.state), r.code_challenge = a, r.code_challenge_method = "S256";
 	let o = "";
 	if (r) for (let [e, t] of Object.entries(r)) o === "" ? o += "?" : o += "&", o += `${e}=${encodeURIComponent(t)}`;
 	t.open(`${n}${o}`);
-}, M = "DPoP-Nonce", he = (e) => async (t, n, r, i, a = 1e4) => {
+}, M = "DPoP-Nonce", ve = (e) => async (t, n, r, i, a = 1e4) => {
 	n = n ? { ...n } : {}, n.code_verifier = await e.getCodeVerifierAsync();
 	let o = [];
 	for (let e in n) {
 		let t = encodeURIComponent(e), r = encodeURIComponent(n[e]);
 		o.push(`${t}=${r}`);
 	}
-	let s = o.join("&"), c = await A(fetch)(t, {
+	let s = o.join("&"), c = await j(fetch)(t, {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
@@ -721,7 +729,7 @@ var oe = () => {
 			demonstratingProofOfPossessionNonce: l
 		}
 	};
-}, ge = (e) => {
+}, ye = (e) => {
 	let t = e.match(/^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/);
 	if (!t) throw Error("Invalid URL");
 	let n = t[6], r = t[7];
@@ -739,23 +747,23 @@ var oe = () => {
 		search: n,
 		hash: r
 	};
-}, _e = (e) => {
-	let t = ge(e), { path: n } = t;
+}, be = (e) => {
+	let t = ye(e), { path: n } = t;
 	n.endsWith("/") && (n = n.slice(0, -1));
 	let { hash: r } = t;
 	return r === "#_=_" && (r = ""), r && (n += r), n;
 }, N = (e) => {
-	let { search: t } = ge(e);
-	return ve(t);
-}, ve = (e) => {
+	let { search: t } = ye(e);
+	return xe(t);
+}, xe = (e) => {
 	let t = {}, n, r, i, a = e.split("&");
 	for (r = 0, i = a.length; r < i; r++) n = a[r].split("="), t[decodeURIComponent(n[0])] = decodeURIComponent(n[1]);
 	return t;
-}, ye = (t, n, r, a, o) => (s = void 0, c = null, l = !1, u = void 0) => {
+}, Se = (t, n, r, a, o) => (s = void 0, c = null, l = !1, u = void 0) => {
 	let d = c;
 	return c = { ...c }, (async () => {
 		let f = s || o.getPath();
-		if ("state" in c || (c.state = D(16)), r(e.loginAsync_begin, {}), c) for (let e of Object.keys(c)) e.endsWith(":token_request") && delete c[e];
+		if ("state" in c || (c.state = E(16)), r(e.loginAsync_begin, {}), c) for (let e of Object.keys(c)) e.endsWith(":token_request") && delete c[e];
 		try {
 			let e = l ? n.silent_redirect_uri : n.redirect_uri;
 			u ||= n.scope;
@@ -763,7 +771,7 @@ var oe = () => {
 				...n.extras,
 				...c
 			} : c;
-			r.nonce ||= D(12);
+			r.nonce ||= E(12);
 			let s = { nonce: r.nonce }, p = await $(n, t), m = await a(n.authority, n.authority_configuration), h;
 			if (p) p.setLoginParams({
 				callbackPath: f,
@@ -785,12 +793,12 @@ var oe = () => {
 				response_type: "code",
 				...r
 			};
-			await me(h, o)(m.authorizationEndpoint, g);
+			await _e(h, o)(m.authorizationEndpoint, g);
 		} catch (t) {
 			throw r(e.loginAsync_error, t), t;
 		}
 	})();
-}, be = (t) => async (n = !1) => {
+}, Ce = (t) => async (n = !1) => {
 	try {
 		t.publishEvent(e.loginCallbackAsync_begin, {});
 		let r = t.configuration, a = r.client_id, o = n ? r.silent_redirect_uri : r.redirect_uri, s = r.authority, c = r.token_request_timeout, l = await t.initAsync(s, r.authority_configuration), u = N(t.location.getCurrentHref()), d = u.session_state, f = await $(r, t.configurationName), p, m, h, g;
@@ -801,7 +809,11 @@ var oe = () => {
 		}
 		if (u.error || u.error_description) throw Error(`Error from OIDC server: ${u.error} - ${u.error_description}`);
 		if (u.iss && u.iss !== l.issuer) throw console.error(), Error(`Issuer not valid (expected: ${l.issuer}, received: ${u.iss})`);
-		if (u.state && u.state !== g) throw Error(`State not valid (expected: ${g}, received: ${u.state})`);
+		if (u.state) {
+			if (!g) throw new k(O.STATE_MISSING, "OIDC state is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).");
+			if (u.state !== g) throw new k(O.STATE_MISMATCH, `OIDC state does not match the stored one (expected: ${g}, received: ${u.state}).`);
+		}
+		if (!m || !m.nonce) throw new k(O.NONCE_MISSING, "OIDC nonce is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).");
 		let _ = {
 			code: u.code,
 			grant_type: "authorization_code",
@@ -814,37 +826,37 @@ var oe = () => {
 		if (r.demonstrating_proof_of_possession) if (f) b.DPoP = `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${t.configurationName}`;
 		else {
 			let e = await x(window)(r.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm);
-			await i(t.configurationName, r.storage, r.login_state_storage ?? r.storage).setDemonstratingProofOfPossessionJwkAsync(e), b.DPoP = await S(window)(r.demonstrating_proof_of_possession_configuration)(e, "POST", y);
+			await i(t.configurationName, r.storage, r.login_state_storage ?? r.storage).setDemonstratingProofOfPossessionJwkAsync(e), b.DPoP = await ee(window)(r.demonstrating_proof_of_possession_configuration)(e, "POST", y);
 		}
-		let C = await he(p)(y, {
+		let S = await ve(p)(y, {
 			..._,
 			...v
 		}, b, t.configuration.token_renew_mode, c);
-		if (!C.success) throw Error("Token request failed");
-		let w, T = C.data.tokens, E = C.data.demonstratingProofOfPossessionNonce;
-		if (C.data.state !== v.state) throw Error("state is not valid");
-		let { isValid: D, reason: ee } = Be(T, m.nonce, l);
-		if (!D) throw Error(`Tokens are not OpenID valid, reason: ${ee}`);
+		if (!S.success) throw Error("Token request failed");
+		let C, w = S.data.tokens, T = S.data.demonstratingProofOfPossessionNonce;
+		if (S.data.state !== v.state) throw Error("state is not valid");
+		let { isValid: E, reason: te } = Ge(w, m.nonce, l);
+		if (!E) throw Error(`Tokens are not OpenID valid, reason: ${te}`);
 		if (f) {
-			if (T.refreshToken && !T.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Refresh token should be hidden by service worker");
-			if (E && T?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Demonstration of proof of possession require Access token not hidden by service worker");
+			if (w.refreshToken && !w.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Refresh token should be hidden by service worker");
+			if (T && w?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Demonstration of proof of possession require Access token not hidden by service worker");
 		}
-		if (f) await f.initAsync(l, "syncTokensAsync", r), w = f.getLoginParams(), E && await f.setDemonstratingProofOfPossessionNonce(E);
+		if (f) await f.initAsync(l, "syncTokensAsync", r), C = f.getLoginParams(), T && await f.setDemonstratingProofOfPossessionNonce(T);
 		else {
 			let e = i(t.configurationName, r.storage, r.login_state_storage ?? r.storage);
-			w = e.getLoginParams(), E && await e.setDemonstratingProofOfPossessionNonce(E);
+			C = e.getLoginParams(), T && await e.setDemonstratingProofOfPossessionNonce(T);
 		}
 		return await t.startCheckSessionAsync(l.checkSessionIframe, a, d, n), t.publishEvent(e.loginCallbackAsync_end, {}), {
-			tokens: T,
+			tokens: w,
 			state: "request.state",
-			callbackPath: w.callbackPath,
+			callbackPath: C.callbackPath,
 			scope: u.scope,
-			extras: w.extras
+			extras: C.extras
 		};
 	} catch (n) {
 		throw console.error(n), t.publishEvent(e.loginCallbackAsync_error, n), n;
 	}
-}, xe = {
+}, we = {
 	access_token: "access_token",
 	refresh_token: "refresh_token"
 }, P = (e, t) => {
@@ -857,59 +869,72 @@ var oe = () => {
 		return n;
 	}
 	return n;
-}, Se = (e) => {
+}, Te = (e) => {
 	let t = {};
 	if (e) {
 		for (let [n, r] of Object.entries(e)) n.includes(":") || (t[n] = r);
 		return t;
 	}
 	return t;
-}, Ce = (e) => async (t) => {
+}, Ee = (e) => async (t) => {
 	c.clearTimeout(e.timeoutId), e.timeoutId = null, e.checkSessionIFrame && e.checkSessionIFrame.stop();
 	let n = await $(e.configuration, e.configurationName);
 	n ? await n.clearAsync(t) : await i(e.configurationName, e.configuration.storage, e.configuration.login_state_storage ?? e.configuration.storage).clearAsync(t), e.tokens = null, e.userInfo = null;
-}, we = (t, n, r, i, a) => async (o = void 0, s = null) => {
-	let c = t.configuration, l = await t.initAsync(c.authority, c.authority_configuration);
-	o && typeof o != "string" && (o = void 0, i.warn("callbackPathOrUrl path is not a string"));
-	let u = o ?? a.getPath(), d = !1;
-	o && (d = o.includes("https://") || o.includes("http://"));
-	let f = d ? o : a.getOrigin() + u, p = t.tokens ? t.tokens.idToken : "";
+}, F = (t, n) => async () => {
+	let r = t.tokens?.idTokenPayload?.sub ?? null;
+	await t.destroyAsync("LOGGED_OUT");
+	for (let [, i] of Object.entries(n)) i === t ? t.publishEvent(e.logout_from_same_tab, {}) : await t.logoutSameTabAsync(t.configuration.client_id, r);
+}, De = (e, t, n, r) => {
+	"id_token_hint" in t || (t.id_token_hint = n), !("post_logout_redirect_uri" in t) && r !== null && (t.post_logout_redirect_uri = r);
+	let i = "";
+	for (let [e, n] of Object.entries(t)) n != null && (i === "" ? i += "?" : i += "&", i += `${e}=${encodeURIComponent(n)}`);
+	return `${e}${i}`;
+}, Oe = (e, t, n, r, i) => async (a = void 0, o = null) => {
+	let s = e.configuration, c = await e.initAsync(s.authority, s.authority_configuration);
+	a && typeof a != "string" && (a = void 0, r.warn("callbackPathOrUrl path is not a string"));
+	let l = a ?? i.getPath(), u = !1;
+	a && (u = a.includes("https://") || a.includes("http://"));
+	let d = a === null ? null : u ? a : i.getOrigin() + l, f = e.tokens ? e.tokens.idToken : "";
+	e.isLoggingOut = !0;
 	try {
-		let e = l.revocationEndpoint;
-		if (e) {
-			let n = [], i = t.tokens ? t.tokens.accessToken : null;
-			if (i && c.logout_tokens_to_invalidate.includes(xe.access_token)) {
-				let t = P(s, ":revoke_access_token"), a = fe(r)(e, i, j.access_token, c.client_id, t);
-				n.push(a);
-			}
-			let a = t.tokens ? t.tokens.refreshToken : null;
-			if (a && c.logout_tokens_to_invalidate.includes(xe.refresh_token)) {
-				let t = P(s, ":revoke_refresh_token"), i = fe(r)(e, a, j.refresh_token, c.client_id, t);
-				n.push(i);
+		try {
+			let t = c.revocationEndpoint;
+			if (t) {
+				let r = [], i = e.tokens ? e.tokens.accessToken : null;
+				if (i && s.logout_tokens_to_invalidate.includes(we.access_token)) {
+					let e = P(o, ":revoke_access_token"), a = he(n)(t, i, me.access_token, s.client_id, e);
+					r.push(a);
+				}
+				let a = e.tokens ? e.tokens.refreshToken : null;
+				if (a && s.logout_tokens_to_invalidate.includes(we.refresh_token)) {
+					let e = P(o, ":revoke_refresh_token"), i = he(n)(t, a, me.refresh_token, s.client_id, e);
+					r.push(i);
+				}
+				r.length > 0 && await Promise.all(r);
 			}
-			n.length > 0 && await Promise.all(n);
+		} catch (e) {
+			r.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"), r.warn(e);
 		}
-	} catch (e) {
-		i.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"), i.warn(e);
+		let a = P(o, ":oidc");
+		if (a && a.no_reload === "true") {
+			await F(e, t)(), e.isLoggingOut = !1;
+			return;
+		}
+		let l = Te(o);
+		if (c.endSessionEndpoint) {
+			let e = De(c.endSessionEndpoint, l, f, d);
+			i.open(e);
+		} else i.reload();
+		await F(e, t)();
+	} catch (t) {
+		throw e.isLoggingOut = !1, t;
 	}
-	let m = t.tokens?.idTokenPayload?.sub ?? null;
-	await t.destroyAsync("LOGGED_OUT");
-	for (let [, r] of Object.entries(n)) r === t ? t.publishEvent(e.logout_from_same_tab, {}) : await t.logoutSameTabAsync(t.configuration.client_id, m);
-	let h = P(s, ":oidc");
-	if (h && h.no_reload === "true") return;
-	let g = Se(s);
-	if (l.endSessionEndpoint) {
-		"id_token_hint" in g || (g.id_token_hint = p), !("post_logout_redirect_uri" in g) && o !== null && (g.post_logout_redirect_uri = f);
-		let e = "";
-		for (let [t, n] of Object.entries(g)) n != null && (e === "" ? e += "?" : e += "&", e += `${t}=${encodeURIComponent(n)}`);
-		a.open(`${l.endSessionEndpoint}${e}`);
-	} else a.reload();
-}, F = /* @__PURE__ */ function(e) {
+}, I = /* @__PURE__ */ function(e) {
 	return e.AutomaticBeforeTokenExpiration = "AutomaticBeforeTokensExpiration", e.AutomaticOnlyWhenFetchExecuted = "AutomaticOnlyWhenFetchExecuted", e;
-}({}), Te = (e, t, n = !1) => async (...r) => {
+}({}), ke = (e, t, n = !1) => async (...r) => {
 	let [i, a, ...o] = r, s = a ? { ...a } : { method: "GET" }, c = new Headers();
 	s.headers && (c = s.headers instanceof Headers ? s.headers : new Headers(s.headers));
-	let l = (await ze({
+	let l = (await We({
 		getTokens: () => t.tokens,
 		configuration: {
 			token_automatic_renew_mode: t.configuration.token_automatic_renew_mode,
@@ -932,32 +957,32 @@ var oe = () => {
 		...s,
 		headers: c
 	}, ...o);
-}, Ee = (e) => async (t = !1, n = !1) => {
+}, Ae = (e) => async (t = !1, n = !1) => {
 	if (e.userInfo != null && !t) return e.userInfo;
 	let r = !t && e.configuration.storage?.getItem(`oidc.${e.configurationName}.userInfo`);
 	if (r) return e.userInfo = JSON.parse(r), e.userInfo;
 	let i = e.configuration, a = (await e.initAsync(i.authority, i.authority_configuration)).userInfoEndpoint, o = await (async () => {
-		let t = await Te(fetch, e, n)(a);
+		let t = await ke(fetch, e, n)(a);
 		return t.status === 200 ? t.json() : null;
 	})();
 	return e.userInfo = o, o && e.configuration.storage?.setItem(`oidc.${e.configurationName}.userInfo`, JSON.stringify(o)), o;
-}, De = () => fetch, I = class {
+}, je = () => fetch, Me = class {
 	constructor(e) {
 		this.authorizationEndpoint = e.authorization_endpoint, this.tokenEndpoint = e.token_endpoint, this.revocationEndpoint = e.revocation_endpoint, this.userInfoEndpoint = e.userinfo_endpoint, this.checkSessionIframe = e.check_session_iframe, this.issuer = e.issuer, this.endSessionEndpoint = e.end_session_endpoint;
 	}
-}, L = {}, Oe = (e, t = new O()) => (n, r = "default") => (L[r] || (L[r] = new R(n, r, e, t)), L[r]), ke = async (e) => {
+}, L = {}, Ne = (e, t = new D()) => (n, r = "default") => (L[r] || (L[r] = new R(n, r, e, t)), L[r]), Pe = async (e) => {
 	let { parsedTokens: t, callbackPath: n, extras: r, scope: i } = await e.loginCallbackAsync();
 	return e.timeoutId = z(e, t.expiresAt, r, i), { callbackPath: n };
-}, Ae = (e) => Math.floor(Math.random() * e), R = class t {
-	constructor(e, t = "default", n, r = new O()) {
-		this.initPromise = null, this.tryKeepExistingSessionPromise = null, this.loginPromise = null, this.loginCallbackPromise = null, this.loginCallbackWithAutoTokensRenewPromise = null, this.userInfoPromise = null, this.renewTokensPromise = null, this.logoutPromise = null;
+}, Fe = (e) => Math.floor(Math.random() * e), R = class t {
+	constructor(e, t = "default", n, r = new D()) {
+		this.isLoggingOut = !1, this.initPromise = null, this.tryKeepExistingSessionPromise = null, this.loginPromise = null, this.loginCallbackPromise = null, this.loginCallbackWithAutoTokensRenewPromise = null, this.userInfoPromise = null, this.renewTokensPromise = null, this.clearSessionPromise = null, this.logoutPromise = null;
 		let i = e.silent_login_uri;
 		e.silent_redirect_uri && !e.silent_login_uri && (i = `${e.silent_redirect_uri.replace("-callback", "").replace("callback", "")}-login`);
 		let a = e.refresh_time_before_tokens_expiration_in_second ?? 120;
-		a > 60 && (a -= Math.floor(Math.random() * 40)), this.location = r ?? new O(), this.configuration = {
+		a > 60 && (a -= Math.floor(Math.random() * 40)), this.location = r ?? new D(), this.configuration = {
 			...e,
 			silent_login_uri: i,
-			token_automatic_renew_mode: e.token_automatic_renew_mode ?? F.AutomaticBeforeTokenExpiration,
+			token_automatic_renew_mode: e.token_automatic_renew_mode ?? I.AutomaticBeforeTokenExpiration,
 			monitor_session: e.monitor_session ?? !1,
 			refresh_time_before_tokens_expiration_in_second: a,
 			silent_login_timeout: e.silent_login_timeout ?? 12e3,
@@ -965,13 +990,13 @@ var oe = () => {
 			demonstrating_proof_of_possession: e.demonstrating_proof_of_possession ?? !1,
 			authority_timeout_wellknowurl_in_millisecond: e.authority_timeout_wellknowurl_in_millisecond ?? 1e4,
 			logout_tokens_to_invalidate: e.logout_tokens_to_invalidate ?? ["access_token", "refresh_token"],
-			service_worker_activate: e.service_worker_activate ?? oe,
+			service_worker_activate: e.service_worker_activate ?? se,
 			demonstrating_proof_of_possession_configuration: e.demonstrating_proof_of_possession_configuration ?? _,
 			preload_user_info: e.preload_user_info ?? !1
-		}, this.getFetch = n ?? De, this.configurationName = t, this.tokens = null, this.userInfo = null, this.events = [], this.timeoutId = null, this.loginCallbackWithAutoTokensRenewAsync.bind(this), this.initAsync.bind(this), this.loginCallbackAsync.bind(this), this.subscribeEvents.bind(this), this.removeEventSubscription.bind(this), this.publishEvent.bind(this), this.destroyAsync.bind(this), this.logoutAsync.bind(this), this.renewTokensAsync.bind(this), this.initAsync(this.configuration.authority, this.configuration.authority_configuration);
+		}, this.getFetch = n ?? je, this.configurationName = t, this.tokens = null, this.userInfo = null, this.events = [], this.timeoutId = null, this.loginCallbackWithAutoTokensRenewAsync.bind(this), this.initAsync.bind(this), this.loginCallbackAsync.bind(this), this.subscribeEvents.bind(this), this.removeEventSubscription.bind(this), this.publishEvent.bind(this), this.destroyAsync.bind(this), this.logoutAsync.bind(this), this.renewTokensAsync.bind(this), this.initAsync(this.configuration.authority, this.configuration.authority_configuration);
 	}
 	subscribeEvents(e) {
-		let t = Ae(9999999999999).toString();
+		let t = Fe(9999999999999).toString();
 		return this.events.push({
 			id: t,
 			func: e
@@ -987,7 +1012,7 @@ var oe = () => {
 		});
 	}
 	static {
-		this.getOrCreate = (e, t) => (n, r = "default") => Oe(e, t)(n, r);
+		this.getOrCreate = (e, t) => (n, r = "default") => Ne(e, t)(n, r);
 	}
 	static get(e = "default") {
 		return Object.prototype.hasOwnProperty.call(L, e) ? L[e] : null;
@@ -1026,7 +1051,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	async initAsync(e, t) {
 		if (this.initPromise !== null) return this.initPromise;
 		let n = async () => {
-			if (t != null) return new I({
+			if (t != null) return new Me({
 				authorization_endpoint: t.authorization_endpoint,
 				end_session_endpoint: t.end_session_endpoint,
 				revocation_endpoint: t.revocation_endpoint,
@@ -1036,14 +1061,14 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 				issuer: t.issuer
 			});
 			let n = await $(this.configuration, this.configurationName) ? this.configuration.storage || window.sessionStorage : this.configuration.storage;
-			return await de(this.getFetch())(e, this.configuration.authority_time_cache_wellknowurl_in_second ?? 3600, n, this.configuration.authority_timeout_wellknowurl_in_millisecond);
+			return await pe(this.getFetch())(e, this.configuration.authority_time_cache_wellknowurl_in_second ?? 3600, n, this.configuration.authority_timeout_wellknowurl_in_millisecond);
 		};
 		return this.initPromise = n(), this.initPromise.finally(() => {
 			this.initPromise = null;
 		});
 	}
 	async tryKeepExistingSessionAsync() {
-		return this.tryKeepExistingSessionPromise === null ? (this.tryKeepExistingSessionPromise = se(this), this.tryKeepExistingSessionPromise.finally(() => {
+		return this.tryKeepExistingSessionPromise === null ? (this.tryKeepExistingSessionPromise = ce(this), this.tryKeepExistingSessionPromise.finally(() => {
 			this.tryKeepExistingSessionPromise = null;
 		})) : this.tryKeepExistingSessionPromise;
 	}
@@ -1051,14 +1076,14 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 		await d(this, L, this.configuration)(e, t, n, r);
 	}
 	async loginAsync(e = void 0, t = null, n = !1, r = void 0, i = !1) {
-		return this.logoutPromise && await this.logoutPromise, this.loginPromise === null ? (i ? this.loginPromise = u(window, this.configurationName, this.configuration, this.publishEvent.bind(this), this)(t, r) : this.loginPromise = ye(this.configurationName, this.configuration, this.publishEvent.bind(this), this.initAsync.bind(this), this.location)(e, t, n, r), this.loginPromise.finally(() => {
+		return this.logoutPromise && await this.logoutPromise, this.loginPromise === null ? (i ? this.loginPromise = u(window, this.configurationName, this.configuration, this.publishEvent.bind(this), this)(t, r) : this.loginPromise = Se(this.configurationName, this.configuration, this.publishEvent.bind(this), this.initAsync.bind(this), this.location)(e, t, n, r), this.loginPromise.finally(() => {
 			this.loginPromise = null;
 		})) : this.loginPromise;
 	}
 	async loginCallbackAsync(e = !1) {
 		if (this.loginCallbackPromise !== null) return this.loginCallbackPromise;
 		let n = async () => {
-			let n = await be(this)(e), r = n.tokens;
+			let n = await Ce(this)(e), r = n.tokens;
 			return this.tokens = r, await $(this.configuration, this.configurationName) || i(this.configurationName, this.configuration.storage, this.configuration.login_state_storage ?? this.configuration.storage).setTokens(r), this.publishEvent(t.eventNames.token_acquired, r), this.configuration.preload_user_info && await this.userInfoAsync(), {
 				parsedTokens: r,
 				state: n.state,
@@ -1073,31 +1098,36 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	}
 	async generateDemonstrationOfProofOfPossessionAsync(e, t, n, r = {}) {
 		let a = this.configuration, o = {
-			ath: await te(e),
+			ath: await ne(e),
 			...r
 		};
-		if (await $(a, this.configurationName)) return `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${We(this.configurationName)}`;
+		if (await $(a, this.configurationName)) return `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${Ye(this.configurationName)}`;
 		let s = i(this.configurationName, a.storage, a.login_state_storage ?? a.storage), c = await s.getDemonstratingProofOfPossessionJwkAsync(), l = s.getDemonstratingProofOfPossessionNonce();
-		return l && (o.nonce = l), await S(window)(a.demonstrating_proof_of_possession_configuration)(c, n, t, o);
+		return l && (o.nonce = l), await ee(window)(a.demonstrating_proof_of_possession_configuration)(c, n, t, o);
 	}
 	loginCallbackWithAutoTokensRenewAsync() {
-		return this.loginCallbackWithAutoTokensRenewPromise === null ? (this.loginCallbackWithAutoTokensRenewPromise = ke(this), this.loginCallbackWithAutoTokensRenewPromise.finally(() => {
+		return this.loginCallbackWithAutoTokensRenewPromise === null ? (this.loginCallbackWithAutoTokensRenewPromise = Pe(this), this.loginCallbackWithAutoTokensRenewPromise.finally(() => {
 			this.loginCallbackWithAutoTokensRenewPromise = null;
 		})) : this.loginCallbackWithAutoTokensRenewPromise;
 	}
 	userInfoAsync(e = !1, t = !1) {
-		return this.userInfoPromise === null ? (this.userInfoPromise = Ee(this)(e, t), this.userInfoPromise.finally(() => {
+		return this.userInfoPromise === null ? (this.userInfoPromise = Ae(this)(e, t), this.userInfoPromise.finally(() => {
 			this.userInfoPromise = null;
 		})) : this.userInfoPromise;
 	}
 	async renewTokensAsync(e = null, t = null) {
 		if (this.renewTokensPromise !== null) return this.renewTokensPromise;
-		if (this.timeoutId) return c.clearTimeout(this.timeoutId), this.renewTokensPromise = Me(this, !0, e, t), this.renewTokensPromise.finally(() => {
+		if (this.timeoutId) return c.clearTimeout(this.timeoutId), this.renewTokensPromise = Le(this, !0, e, t), this.renewTokensPromise.finally(() => {
 			this.renewTokensPromise = null;
 		});
 	}
 	async destroyAsync(e) {
-		return await Ce(this)(e);
+		return await Ee(this)(e);
+	}
+	async clearSessionAsync() {
+		return this.clearSessionPromise ? this.clearSessionPromise : (this.clearSessionPromise = F(this, L)(), this.clearSessionPromise.finally(() => {
+			this.clearSessionPromise = null;
+		}));
 	}
 	async logoutSameTabAsync(t, n) {
 		this.configuration.monitor_session && this.configuration.client_id === t && n && this.tokens && this.tokens.idTokenPayload && this.tokens.idTokenPayload.sub === n && (await this.destroyAsync("LOGGED_OUT"), this.publishEvent(e.logout_from_same_tab, {
@@ -1112,25 +1142,25 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 		}));
 	}
 	async logoutAsync(e = void 0, t = null) {
-		return this.logoutPromise ? this.logoutPromise : (this.logoutPromise = we(this, L, this.getFetch(), console, this.location)(e, t), this.logoutPromise.finally(() => {
+		return this.logoutPromise ? this.logoutPromise : (this.logoutPromise = Oe(this, L, this.getFetch(), console, this.location)(e, t), this.logoutPromise.finally(() => {
 			this.logoutPromise = null;
 		}));
 	}
 };
 //#endregion
 //#region src/renewTokens.ts
-async function je(e, t, n, r = null) {
+async function Ie(e, t, n, r = null) {
 	let { tokens: a, status: o } = await H(e)((t) => {
 		e.tokens = t;
 	}, 0, 0, t, n, r);
 	return await $(e.configuration, e.configurationName) || i(e.configurationName, e.configuration.storage, e.configuration.login_state_storage ?? e.configuration.storage).setTokens(e.tokens), e.tokens ? a : (await e.destroyAsync(o), null);
 }
-async function Me(e, t = !1, n = null, r = null) {
+async function Le(e, t = !1, n = null, r = null) {
 	let i = e.configuration, a = `${i.client_id}_${e.configurationName}_${i.authority}`, o, s = await $(e.configuration, e.configurationName);
-	if (i?.storage === window?.sessionStorage && !s || !navigator.locks) o = await je(e, t, n, r);
+	if (i?.storage === window?.sessionStorage && !s || !navigator.locks) o = await Ie(e, t, n, r);
 	else {
 		let i = "retry";
-		for (; i === "retry";) i = await navigator.locks.request(a, { ifAvailable: !0 }, async (i) => i ? await je(e, t, n, r) : (e.publishEvent(R.eventNames.syncTokensAsync_lock_not_available, { lock: "lock not available" }), "retry"));
+		for (; i === "retry";) i = await navigator.locks.request(a, { ifAvailable: !0 }, async (i) => i ? await Ie(e, t, n, r) : (e.publishEvent(R.eventNames.syncTokensAsync_lock_not_available, { lock: "lock not available" }), "retry"));
 		o = i;
 	}
 	return o ? (e.timeoutId &&= z(e, e.tokens.expiresAt, n, r), e.tokens) : null;
@@ -1139,7 +1169,7 @@ var z = (e, t, n = null, r = null) => {
 	let i = e.configuration.refresh_time_before_tokens_expiration_in_second;
 	return e.timeoutId && c.clearTimeout(e.timeoutId), c.setTimeout(async () => {
 		let a = { timeLeft: K(i, t) };
-		e.publishEvent(R.eventNames.token_timer, a), await Me(e, !1, n, r);
+		e.publishEvent(R.eventNames.token_timer, a), await Le(e, !1, n, r);
 	}, 1e3);
 }, B = {
 	FORCE_REFRESH: "FORCE_REFRESH",
@@ -1276,12 +1306,12 @@ var z = (e, t, n = null, r = null) => {
 				tokens: null,
 				status: "LOGGED_OUT"
 			};
-			case B.REQUIRE_SYNC_TOKENS: return h.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted && !o ? (t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
+			case B.REQUIRE_SYNC_TOKENS: return h.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted && !o ? (t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
 				tokens: t.tokens,
 				status: "GIVE_UP"
 			}) : (t.publishEvent(e.refreshTokensAsync_begin, { tryNumber: r }), await _());
 			default: {
-				if (h.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted && B.FORCE_REFRESH !== l) return t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
+				if (h.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted && B.FORCE_REFRESH !== l) return t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
 					tokens: t.tokens,
 					status: "GIVE_UP"
 				};
@@ -1301,9 +1331,13 @@ var z = (e, t, n = null, r = null) => {
 						refresh_token: u.refreshToken
 					}, a = await t.initAsync(v, h.authority_configuration), l = document.hidden ? 1e4 : 3e4 * 10, _ = a.tokenEndpoint, b = {};
 					h.demonstrating_proof_of_possession && (b.DPoP = await t.generateDemonstrationOfProofOfPossessionAsync(u.accessToken, _, "POST"));
-					let x = await pe(t.getFetch())(_, r, y, u, b, h.token_renew_mode, l);
+					let x = await ge(t.getFetch())(_, r, y, u, b, h.token_renew_mode, l);
 					if (x.success) {
-						let { isValid: r, reason: o } = Be(x.data, d.nonce, a);
+						if (!d || !d.nonce) return n(null), t.publishEvent(e.refreshTokensAsync_error, { message: "refresh token: nonce missing from storage" }), {
+							tokens: null,
+							status: "SESSION_LOST"
+						};
+						let { isValid: r, reason: o } = Ge(x.data, d.nonce, a);
 						if (!r) return n(null), t.publishEvent(e.refreshTokensAsync_error, { message: `refresh token return not valid tokens, reason: ${o}` }), {
 							tokens: null,
 							status: "SESSION_LOST"
@@ -1336,29 +1370,29 @@ var z = (e, t, n = null, r = null) => {
 			}, 1e3);
 		});
 	}
-}, Ne = (e) => decodeURIComponent(Array.prototype.map.call(atob(e), (e) => "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2)).join("")), Pe = (e) => JSON.parse(Ne(e.replaceAll(/-/g, "+").replaceAll(/_/g, "/"))), Fe = (e) => {
+}, Re = (e) => decodeURIComponent(Array.prototype.map.call(atob(e), (e) => "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2)).join("")), ze = (e) => JSON.parse(Re(e.replaceAll(/-/g, "+").replaceAll(/_/g, "/"))), Be = (e) => {
 	try {
-		return e && Ie(e, ".") === 2 ? Pe(e.split(".")[1]) : null;
+		return e && Ve(e, ".") === 2 ? ze(e.split(".")[1]) : null;
 	} catch (e) {
 		console.warn(e);
 	}
 	return null;
-}, Ie = (e, t) => e.split(t).length - 1, U = {
+}, Ve = (e, t) => e.split(t).length - 1, U = {
 	access_token_or_id_token_invalid: "access_token_or_id_token_invalid",
 	access_token_invalid: "access_token_invalid",
 	id_token_invalid: "id_token_invalid"
 };
-function Le(e, t, n) {
+function He(e, t, n) {
 	return e.issuedAt ? typeof e.issuedAt == "string" ? parseInt(e.issuedAt, 10) : e.issuedAt : t && t.iat ? t.iat : n && n.iat ? n.iat : (/* @__PURE__ */ new Date()).getTime() / 1e3;
 }
 var W = (e, t = null, n) => {
 	if (!e) return null;
 	let r, i = typeof e.expiresIn == "string" ? parseInt(e.expiresIn, 10) : e.expiresIn;
-	r = e.accessTokenPayload === void 0 ? Fe(e.accessToken) : e.accessTokenPayload;
+	r = e.accessTokenPayload === void 0 ? Be(e.accessToken) : e.accessTokenPayload;
 	let a;
 	a = t != null && "idToken" in t && !("idToken" in e) ? t.idToken : e.idToken;
-	let o = e.idTokenPayload ? e.idTokenPayload : Fe(a), s = o && o.exp ? o.exp : Number.MAX_VALUE, c = r && r.exp ? r.exp : e.issuedAt + i;
-	e.issuedAt = Le(e, r, o);
+	let o = e.idTokenPayload ? e.idTokenPayload : Be(a), s = o && o.exp ? o.exp : Number.MAX_VALUE, c = r && r.exp ? r.exp : e.issuedAt + i;
+	e.issuedAt = He(e, r, o);
 	let l;
 	l = e.expiresAt ? e.expiresAt : n === U.access_token_invalid ? c : n === U.id_token_invalid || s < c ? s : c;
 	let u = {
@@ -1391,25 +1425,25 @@ var W = (e, t = null, n) => {
 }, K = (e, t) => {
 	let n = t - (/* @__PURE__ */ new Date()).getTime() / 1e3;
 	return Math.round(n - e);
-}, Re = (e, t = 0) => e ? K(t, e.expiresAt) > 0 : !1, ze = async (e, t = 200, n = 50) => {
+}, Ue = (e, t = 0) => e ? K(t, e.expiresAt) > 0 : !1, We = async (e, t = 200, n = 50) => {
 	let r = n, i = await e.syncTokensInfoAsync();
 	for (; [
 		B.REQUIRE_SYNC_TOKENS,
 		B.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,
 		B.TOKENS_INVALID
 	].includes(i) && r > 0;) {
-		if (e.configuration.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted) {
+		if (e.configuration.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted) {
 			await e.renewTokensAsync({});
 			break;
 		} else await J({ milliseconds: t });
 		--r, i = await e.syncTokensInfoAsync();
 	}
 	return {
-		isTokensValid: Re(e.getTokens()),
+		isTokensValid: Ue(e.getTokens()),
 		tokens: e.getTokens(),
 		numberWaited: r - n
 	};
-}, Be = (e, t, n) => {
+}, Ge = (e, t, n) => {
 	if (e.idTokenPayload) {
 		let r = e.idTokenPayload;
 		if (n.issuer !== r.iss) return {
@@ -1435,25 +1469,25 @@ var W = (e, t = null, n) => {
 		isValid: !0,
 		reason: ""
 	};
-}, Ve = "7.27.16", He = null, q, J = ({ milliseconds: e }) => new Promise((t) => c.setTimeout(t, e)), Ue = (e = "/") => {
+}, Ke = "7.27.18", qe = null, q, J = ({ milliseconds: e }) => new Promise((t) => c.setTimeout(t, e)), Je = (e = "/") => {
 	try {
 		q = new AbortController(), fetch(`${e}OidcKeepAliveServiceWorker.json?minSleepSeconds=150`, { signal: q.signal }).catch((e) => {
 			console.log(e);
-		}), J({ milliseconds: 150 * 1e3 }).then(() => Ue(e));
+		}), J({ milliseconds: 150 * 1e3 }).then(() => Je(e));
 	} catch (e) {
 		console.log(e);
 	}
 }, Y = () => {
 	q && q.abort();
-}, We = (e) => {
+}, Ye = (e) => {
 	let t = `oidc.tabId.${e}`, n = sessionStorage.getItem(t);
 	if (n) return n;
 	let r = globalThis.crypto.randomUUID();
 	return sessionStorage.setItem(t, r), r;
-}, Ge = (e) => navigator.serviceWorker.controller ?? e.active ?? e.waiting ?? e.installing ?? null, X = (e, t) => (n) => {
+}, Xe = (e) => navigator.serviceWorker.controller ?? e.active ?? e.waiting ?? e.installing ?? null, X = (e, t) => (n) => {
 	let r = t?.timeoutMs ?? 5e3;
 	return new Promise((t, i) => {
-		let a = Ge(e);
+		let a = Xe(e);
 		if (!a) {
 			i(/* @__PURE__ */ Error("Service worker target not available (controller/active/waiting/installing missing)"));
 			return;
@@ -1474,39 +1508,39 @@ var W = (e, t = null, n) => {
 			let e = n?.configurationName;
 			a.postMessage({
 				...n,
-				tabId: We(e ?? "default")
+				tabId: Ye(e ?? "default")
 			}, [o.port2]);
 		} catch (e) {
 			l(), i(e);
 		}
 	});
-}, Ke = async (e) => navigator.serviceWorker.controller ? navigator.serviceWorker.controller : new Promise((t) => {
+}, Ze = async (e) => navigator.serviceWorker.controller ? navigator.serviceWorker.controller : new Promise((t) => {
 	let n = !1, r = () => {
 		n || (n = !0, navigator.serviceWorker.removeEventListener("controllerchange", r), t(navigator.serviceWorker.controller ?? null));
 	};
 	navigator.serviceWorker.addEventListener("controllerchange", r), c.setTimeout(() => {
 		n || (n = !0, navigator.serviceWorker.removeEventListener("controllerchange", r), t(navigator.serviceWorker.controller ?? null));
 	}, e);
-}), qe = !1, Z = !1, Q = /* @__PURE__ */ new Map(), Je = "oidc.sw.controllerchange_reload_count", Ye = 3, Xe = () => {
+}), Qe = !1, Z = !1, Q = /* @__PURE__ */ new Map(), $e = "oidc.sw.controllerchange_reload_count", et = 3, tt = () => {
 	try {
-		return parseInt(sessionStorage.getItem(Je) ?? "0", 10);
+		return parseInt(sessionStorage.getItem($e) ?? "0", 10);
 	} catch {
 		return 0;
 	}
-}, Ze = () => {
-	let e = Xe() + 1;
+}, nt = () => {
+	let e = tt() + 1;
 	try {
-		sessionStorage.setItem(Je, String(e));
+		sessionStorage.setItem($e, String(e));
 	} catch {}
 	return e;
-}, Qe = () => {
+}, rt = () => {
 	try {
-		sessionStorage.removeItem(Je);
+		sessionStorage.removeItem($e);
 	} catch {}
 }, $ = async (e, t) => {
 	let n = e.service_worker_relative_url;
 	if (typeof window > "u" || typeof navigator > "u" || !navigator.serviceWorker || !n || e.service_worker_activate() === !1) return null;
-	let r = `${n}?v=${Ve}`, i = null;
+	let r = `${n}?v=${Ke}`, i = null;
 	e.service_worker_register ? (Q.has(n) || Q.set(n, e.service_worker_register(n)), i = await Q.get(n)) : (Q.has(r) || Q.set(r, navigator.serviceWorker.register(r, { updateViaCache: "none" })), i = await Q.get(r));
 	let a = `oidc.sw.version_mismatch_reload.${t}`, o = async (e) => {
 		Y(), console.log("New SW waiting – SKIP_WAITING");
@@ -1529,7 +1563,7 @@ var W = (e, t = null, n) => {
 						type: "SKIP_WAITING",
 						configurationName: t,
 						data: null,
-						tabId: We(t ?? "default")
+						tabId: Ye(t ?? "default")
 					}, [i.port2]);
 				} catch (e) {
 					o(), r(e);
@@ -1544,7 +1578,7 @@ var W = (e, t = null, n) => {
 	}, l = (e) => {
 		Y(), e.addEventListener("statechange", async () => {
 			if (e.state === "installed" && navigator.serviceWorker.controller) {
-				if (Xe() >= Ye) {
+				if (tt() >= et) {
 					console.warn("SW trackInstallingWorker: skipping SKIP_WAITING because the reload budget is exhausted");
 					return;
 				}
@@ -1555,7 +1589,7 @@ var W = (e, t = null, n) => {
 	i.addEventListener("updatefound", () => {
 		let e = i.installing;
 		e && l(e);
-	}), i.installing ? l(i.installing) : i.waiting && navigator.serviceWorker.controller && (Xe() < Ye ? s() : console.warn("SW: a waiting worker exists but reload budget is exhausted – skipping activation")), i.update().catch((e) => {
+	}), i.installing ? l(i.installing) : i.waiting && navigator.serviceWorker.controller && (tt() < et ? s() : console.warn("SW: a waiting worker exists but reload budget is exhausted – skipping activation")), i.update().catch((e) => {
 		console.error(e);
 	});
 	try {
@@ -1563,14 +1597,14 @@ var W = (e, t = null, n) => {
 			type: "claim",
 			configurationName: t,
 			data: null
-		}), await Ke(2e3));
+		}), await Ze(2e3));
 	} catch (e) {
 		return console.warn(`Failed init ServiceWorker ${e?.toString?.() ?? String(e)}`), null;
 	}
-	qe || (qe = !0, navigator.serviceWorker.addEventListener("controllerchange", () => {
+	Qe || (Qe = !0, navigator.serviceWorker.addEventListener("controllerchange", () => {
 		if (Z) return;
-		let e = Ze();
-		if (e > Ye) {
+		let e = nt();
+		if (e > et) {
 			console.warn(`SW controllerchange: reload budget exhausted (${e - 1} reloads). Skipping reload to avoid infinite loop.`);
 			return;
 		}
@@ -1593,8 +1627,8 @@ var W = (e, t = null, n) => {
 			},
 			configurationName: t
 		}), c = o.version;
-		if (c !== "7.27.16") {
-			console.warn(`Service worker ${c} version mismatch with js client version ${Ve}, unregistering and reloading`);
+		if (c !== "7.27.18") {
+			console.warn(`Service worker ${c} version mismatch with js client version ${Ke}, unregistering and reloading`);
 			let e = parseInt(sessionStorage.getItem(a) ?? "0", 10);
 			if (e < 3) {
 				if (sessionStorage.setItem(a, String(e + 1)), i.waiting) return await s(), await J({ milliseconds: 500 }), Z || (Z = !0, window.location.reload()), new Promise(() => {});
@@ -1609,13 +1643,13 @@ var W = (e, t = null, n) => {
 					return console.log(`Service worker unregistering ${e}`), await J({ milliseconds: 500 }), Z || (Z = !0, window.location.reload()), new Promise(() => {});
 				}
 			} else console.error(`Service worker version mismatch persists after ${e} attempt(s). Continuing with mismatched version.`);
-		} else sessionStorage.removeItem(a), Qe();
+		} else sessionStorage.removeItem(a), rt();
 		return {
 			tokens: G(o.tokens, null, r.token_renew_mode),
 			status: o.status
 		};
 	}, f = (e = "/") => {
-		He ?? (He = "not_null", Ue(e));
+		qe ?? (qe = "not_null", Je(e));
 	}, p = (e) => X(i)({
 		type: "setSessionState",
 		data: { sessionState: e },
@@ -1661,39 +1695,39 @@ var W = (e, t = null, n) => {
 		type: "getDemonstratingProofOfPossessionNonce",
 		data: null,
 		configurationName: t
-	})).demonstratingProofOfPossessionNonce, S = async (e) => {
+	})).demonstratingProofOfPossessionNonce, ee = async (e) => {
 		let n = JSON.stringify(e);
 		await X(i)({
 			type: "setDemonstratingProofOfPossessionJwk",
 			data: { demonstratingProofOfPossessionJwkJson: n },
 			configurationName: t
 		});
-	}, C = async () => {
+	}, S = async () => {
 		let e = await X(i)({
 			type: "getDemonstratingProofOfPossessionJwk",
 			data: null,
 			configurationName: t
 		});
 		return e.demonstratingProofOfPossessionJwkJson ? JSON.parse(e.demonstratingProofOfPossessionJwkJson) : null;
-	}, w = async (e = !0) => {
+	}, C = async (e = !0) => {
 		let n = (await X(i)({
 			type: "getState",
 			data: null,
 			configurationName: t
 		})).state;
-		return n || (n = sessionStorage[`oidc.state.${t}`], console.warn("state not found in service worker, using sessionStorage"), e && (await T(n), n = await w(!1))), n;
-	}, T = async (e) => (sessionStorage[`oidc.state.${t}`] = e, X(i)({
+		return n || (n = sessionStorage[`oidc.state.${t}`], console.warn("state not found in service worker, using sessionStorage"), e && (await w(n), n = await C(!1))), n;
+	}, w = async (e) => (sessionStorage[`oidc.state.${t}`] = e, X(i)({
 		type: "setState",
 		data: { state: e },
 		configurationName: t
-	})), E = async (e = !0) => {
+	})), T = async (e = !0) => {
 		let n = (await X(i)({
 			type: "getCodeVerifier",
 			data: null,
 			configurationName: t
 		})).codeVerifier;
-		return n || (n = sessionStorage[`oidc.code_verifier.${t}`], console.warn("codeVerifier not found in service worker, using sessionStorage"), e && (await D(n), n = await E(!1))), n;
-	}, D = async (e) => (sessionStorage[`oidc.code_verifier.${t}`] = e, X(i)({
+		return n || (n = sessionStorage[`oidc.code_verifier.${t}`], console.warn("codeVerifier not found in service worker, using sessionStorage"), e && (await E(n), n = await T(!1))), n;
+	}, E = async (e) => (sessionStorage[`oidc.code_verifier.${t}`] = e, X(i)({
 		type: "setCodeVerifier",
 		data: { codeVerifier: e },
 		configurationName: t
@@ -1708,24 +1742,24 @@ var W = (e, t = null, n) => {
 		getNonceAsync: g,
 		setLoginParams: v,
 		getLoginParams: y,
-		getStateAsync: w,
-		setStateAsync: T,
-		getCodeVerifierAsync: E,
-		setCodeVerifierAsync: D,
+		getStateAsync: C,
+		setStateAsync: w,
+		getCodeVerifierAsync: T,
+		setCodeVerifierAsync: E,
 		setDemonstratingProofOfPossessionNonce: b,
 		getDemonstratingProofOfPossessionNonce: x,
-		setDemonstratingProofOfPossessionJwkAsync: S,
-		getDemonstratingProofOfPossessionJwkAsync: C,
+		setDemonstratingProofOfPossessionJwkAsync: ee,
+		getDemonstratingProofOfPossessionJwkAsync: S,
 		signalAsync: (e, n) => X(i, n)({
 			...e,
 			configurationName: e.configurationName ?? t
 		})
 	};
-}, $e = async (e, t, n, r) => {
+}, it = async (e, t, n, r) => {
 	let i = await $(e, t);
 	if (!i) throw Error(`signalServiceWorkerAsync: no service worker registered for configuration "${t}"`);
 	return i.signalAsync(n, r);
-}, et = class e {
+}, at = class e {
 	constructor(e) {
 		this._oidc = e;
 	}
@@ -1739,7 +1773,7 @@ var W = (e, t = null, n) => {
 		this._oidc.publishEvent(e, t);
 	}
 	static {
-		this.getOrCreate = (t, n = new O()) => (r, i = "default") => new e(R.getOrCreate(t, n)(r, i));
+		this.getOrCreate = (t, n = new D()) => (r, i = "default") => new e(R.getOrCreate(t, n)(r, i));
 	}
 	static get(t = "default") {
 		let n = R.get(t);
@@ -1760,6 +1794,12 @@ var W = (e, t = null, n) => {
 	logoutAsync(e = void 0, t = null) {
 		return this._oidc.logoutAsync(e, t);
 	}
+	clearSessionAsync() {
+		return this._oidc.clearSessionAsync();
+	}
+	get isLoggingOut() {
+		return this._oidc.isLoggingOut === !0;
+	}
 	silentLoginCallbackAsync() {
 		return this._oidc.silentLoginCallbackAsync();
 	}
@@ -1780,7 +1820,7 @@ var W = (e, t = null, n) => {
 	}
 	async getValidTokenAsync(e = 200, t = 50) {
 		let n = this._oidc;
-		return ze({
+		return We({
 			getTokens: () => n.tokens,
 			configuration: {
 				token_automatic_renew_mode: n.configuration.token_automatic_renew_mode,
@@ -1794,7 +1834,7 @@ var W = (e, t = null, n) => {
 		}, e, t);
 	}
 	fetchWithTokens(e, t = !1) {
-		return Te(e, this._oidc, t);
+		return ke(e, this._oidc, t);
 	}
 	async userInfoAsync(e = !1, t = !1) {
 		return this._oidc.userInfoAsync(e, t);
@@ -1803,9 +1843,9 @@ var W = (e, t = null, n) => {
 		return this._oidc.userInfo;
 	}
 	async signalServiceWorker(e, t) {
-		return $e(this._oidc.configuration, this._oidc.configurationName, e, t);
+		return it(this._oidc.configuration, this._oidc.configurationName, e, t);
 	}
-}, tt = "1.0.0", nt = {
+}, ot = "1.0.0", st = {
 	SKIP_WAITING: "SKIP_WAITING",
 	CLAIM: "claim",
 	CLEAR: "clear",
@@ -1822,18 +1862,18 @@ var W = (e, t = null, n) => {
 	GET_DPOP_NONCE: "getDemonstratingProofOfPossessionNonce",
 	SET_DPOP_JWK: "setDemonstratingProofOfPossessionJwk",
 	GET_DPOP_JWK: "getDemonstratingProofOfPossessionJwk"
-}, rt = {
+}, ct = {
 	ACCESS_TOKEN: "ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER",
 	REFRESH_TOKEN: "REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER",
 	NONCE_TOKEN: "NONCE_SECURED_BY_OIDC_SERVICE_WORKER",
 	CODE_VERIFIER: "CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER"
-}, it = "DPOP_SECURED_BY_OIDC_SERVICE_WORKER", at = {
+}, lt = "DPOP_SECURED_BY_OIDC_SERVICE_WORKER", ut = {
 	TAB_ID: "oidc.tabId.",
 	STATE: "oidc.state.",
 	NONCE: "oidc.nonce.",
 	CODE_VERIFIER: "oidc.code_verifier.",
 	LOGIN_PARAMS: "oidc.login.",
 	SW_VERSION_MISMATCH_RELOAD: "oidc.sw.version_mismatch_reload."
-}, ot = "oidc.sw.controllerchange_reload_count", st = (e, t) => `${e}${t}`, ct = (e, t, n = "default") => `${e}_${t}#tabId=${n}`, lt = (e, t = "default") => `${it}_${e}#tabId=${t}`, ut = (e) => typeof e == "string" ? Object.values(nt).includes(e) : !1;
+}, dt = "oidc.sw.controllerchange_reload_count", ft = (e, t) => `${e}${t}`, pt = (e, t, n = "default") => `${e}_${t}#tabId=${n}`, mt = (e, t = "default") => `${lt}_${e}#tabId=${t}`, ht = (e) => typeof e == "string" ? Object.values(st).includes(e) : !1;
 //#endregion
-export { it as DPOP_TOKEN_PLACEHOLDER_PREFIX, et as OidcClient, O as OidcLocation, tt as PROTOCOL_VERSION, at as STORAGE_KEY_PREFIX, ot as SW_CONTROLLER_CHANGE_RELOAD_COUNT_KEY, nt as ServiceWorkerMessageType, rt as TOKEN_PLACEHOLDERS, F as TokenAutomaticRenewMode, U as TokenRenewMode, lt as buildDpopSecuredPlaceholder, ct as buildSecuredTokenPlaceholder, st as buildStorageKey, De as getFetchDefault, N as getParseQueryStringFromLocation, _e as getPath, ut as isServiceWorkerMessageType, $e as signalServiceWorkerAsync };
+export { lt as DPOP_TOKEN_PLACEHOLDER_PREFIX, at as OidcClient, D as OidcLocation, k as OidcStateError, O as OidcStateErrorCode, ot as PROTOCOL_VERSION, ut as STORAGE_KEY_PREFIX, dt as SW_CONTROLLER_CHANGE_RELOAD_COUNT_KEY, st as ServiceWorkerMessageType, ct as TOKEN_PLACEHOLDERS, I as TokenAutomaticRenewMode, U as TokenRenewMode, mt as buildDpopSecuredPlaceholder, pt as buildSecuredTokenPlaceholder, ft as buildStorageKey, je as getFetchDefault, N as getParseQueryStringFromLocation, be as getPath, le as isOidcStateError, ht as isServiceWorkerMessageType, it as signalServiceWorkerAsync };