@axa-fr/oidc-client 7.27.17 → 7.27.18

package/dist/index.js

@@ -327,53 +327,53 @@ var _ = {
 	}
 	let i = await e.crypto.subtle.digest(n, f(r));
 	return h(new Uint8Array(i));
-} }, x = (e) => async (t) => await y.generate(e)(t), S = (e) => (t) => async (n, r = "POST", i, a = {}) => {
+} }, x = (e) => async (t) => await y.generate(e)(t), ee = (e) => (t) => async (n, r = "POST", i, a = {}) => {
 	let o = {
-		jti: btoa(C()),
+		jti: btoa(S()),
 		htm: r,
 		htu: i,
 		iat: Math.round(Date.now() / 1e3),
 		...a
 	}, s = await b.thumbprint(e)(n, t.digestAlgorithm);
 	return await v.sign(e)(n, { kid: s }, o, t);
-}, C = () => {
+}, S = () => {
 	let e = "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx", t = "0123456789abcdef", n = 0, r = "";
 	for (let i = 0; i < 36; i++) e[i] !== "-" && e[i] !== "4" && (n = Math.random() * 16 | 0), e[i] === "x" ? r += t[n] : e[i] === "y" ? (n &= 3, n |= 8, r += t[n]) : r += e[i];
 	return r;
-}, w = () => {
+}, C = () => {
 	let e = typeof window < "u" && !!window.crypto;
 	return {
 		hasCrypto: e,
 		hasSubtleCrypto: e && !!window.crypto.subtle
 	};
-}, T = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", E = (e) => {
+}, w = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", T = (e) => {
 	let t = [];
 	for (let n = 0; n < e.byteLength; n += 1) {
 		let r = e[n] % 62;
-		t.push(T[r]);
+		t.push(w[r]);
 	}
 	return t.join("");
-}, D = (e) => {
-	let t = new Uint8Array(e), { hasCrypto: n } = w();
+}, E = (e) => {
+	let t = new Uint8Array(e), { hasCrypto: n } = C();
 	if (n) window.crypto.getRandomValues(t);
 	else for (let n = 0; n < e; n += 1) t[n] = Math.random() * 62 | 0;
-	return E(t);
+	return T(t);
 };
-function ee(e) {
+function te(e) {
 	let t = new ArrayBuffer(e.length), n = new Uint8Array(t);
 	for (let t = 0; t < e.length; t++) n[t] = e.charCodeAt(t);
 	return n;
 }
-function te(e) {
+function ne(e) {
 	return new Promise((t, n) => {
-		crypto.subtle.digest("SHA-256", ee(e)).then((e) => t(h(new Uint8Array(e))), (e) => n(e));
+		crypto.subtle.digest("SHA-256", te(e)).then((e) => t(h(new Uint8Array(e))), (e) => n(e));
 	});
 }
-var ne = (e) => {
+var re = (e) => {
 	if (e.length < 43 || e.length > 128) return Promise.reject(/* @__PURE__ */ Error("Invalid code length."));
-	let { hasSubtleCrypto: t } = w();
-	return t ? te(e) : Promise.reject(/* @__PURE__ */ Error("window.crypto.subtle is unavailable."));
-}, re = (e) => !!(e.os === "iOS" && e.osVersion.startsWith("12") || e.os === "Mac OS X" && e.osVersion.startsWith("10_15_6")), ie = (e) => {
+	let { hasSubtleCrypto: t } = C();
+	return t ? ne(e) : Promise.reject(/* @__PURE__ */ Error("window.crypto.subtle is unavailable."));
+}, ie = (e) => !!(e.os === "iOS" && e.osVersion.startsWith("12") || e.os === "Mac OS X" && e.osVersion.startsWith("10_15_6")), ae = (e) => {
 	let t = e.appVersion, n = e.userAgent, r = "-", i = [
 		{
 			s: "Windows 10",
@@ -509,7 +509,7 @@ var ne = (e) => {
 		osVersion: a
 	};
 };
-function ae() {
+function oe() {
 	let e = navigator.userAgent, t, n = e.match(/(opera|chrome|safari|firefox|msie|trident(?=\/))\/?\s*(\d+)/i) || [];
 	if (/trident/i.test(n[1])) return t = /\brv[ :]+(\d+)/g.exec(e) || [], {
 		name: "ie",
@@ -535,10 +535,10 @@ function ae() {
 		version: n[1]
 	};
 }
-var oe = () => {
-	let { name: e, version: t } = ae();
-	return e === "chrome" && parseInt(t) <= 70 || e === "opera" && (!t || parseInt(t.split(".")[0]) < 80) || e === "ie" ? !1 : !re(ie(navigator));
-}, se = async (t) => {
+var se = () => {
+	let { name: e, version: t } = oe();
+	return e === "chrome" && parseInt(t) <= 70 || e === "opera" && (!t || parseInt(t.split(".")[0]) < 80) || e === "ie" ? !1 : !ie(ae(navigator));
+}, ce = async (t) => {
 	let n;
 	if (t.tokens != null) return !1;
 	t.publishEvent(e.tryKeepExistingSessionAsync_begin, {});
@@ -581,7 +581,7 @@ var oe = () => {
 	} catch (r) {
 		return console.error(r), n && await n.clearAsync(), t.publishEvent(e.tryKeepExistingSessionAsync_error, "tokens inside ServiceWorker are invalid"), !1;
 	}
-}, O = class {
+}, D = class {
 	open(e) {
 		window.location.href = e;
 	}
@@ -598,30 +598,38 @@ var oe = () => {
 	getOrigin() {
 		return window.origin;
 	}
-}, k = {}, ce = (e, t = window.sessionStorage, n) => {
-	if (!k[e] && t) {
+}, O = {
+	STATE_MISSING: "STATE_MISSING",
+	STATE_MISMATCH: "STATE_MISMATCH",
+	NONCE_MISSING: "NONCE_MISSING"
+}, k = class e extends Error {
+	constructor(t, n) {
+		super(n), this.name = "OidcStateError", this.code = t, Object.setPrototypeOf(this, e.prototype);
+	}
+}, le = (e) => e instanceof k, A = {}, ue = (e, t = window.sessionStorage, n) => {
+	if (!A[e] && t) {
 		let n = t.getItem(e);
-		n && (k[e] = JSON.parse(n));
+		n && (A[e] = JSON.parse(n));
 	}
 	let r = 1e3 * n;
-	return k[e] && k[e].timestamp + r > Date.now() ? k[e].result : null;
-}, le = (e, t, n = window.sessionStorage) => {
+	return A[e] && A[e].timestamp + r > Date.now() ? A[e].result : null;
+}, de = (e, t, n = window.sessionStorage) => {
 	let r = Date.now();
-	k[e] = {
+	A[e] = {
 		result: t,
 		timestamp: r
 	}, n && n.setItem(e, JSON.stringify({
 		result: t,
 		timestamp: r
 	}));
-}, ue = 3600, de = (e) => async (t, n = ue, r = window.sessionStorage, i = 1e4) => {
-	let a = `${t}/.well-known/openid-configuration`, o = `oidc.server:${t}`, s = ce(o, r, n);
-	if (s) return new I(s);
-	let c = await A(e)(a, {}, i);
+}, fe = 3600, pe = (e) => async (t, n = fe, r = window.sessionStorage, i = 1e4) => {
+	let a = `${t}/.well-known/openid-configuration`, o = `oidc.server:${t}`, s = ue(o, r, n);
+	if (s) return new Me(s);
+	let c = await j(e)(a, {}, i);
 	if (c.status !== 200) return null;
 	let l = await c.json();
-	return le(o, l, r), new I(l);
-}, A = (e) => async (t, n = {}, r = 1e4, i = 0) => {
+	return de(o, l, r), new Me(l);
+}, j = (e) => async (t, n = {}, r = 1e4, i = 0) => {
 	let a;
 	try {
 		let i = new AbortController();
@@ -631,15 +639,15 @@ var oe = () => {
 		});
 	} catch (a) {
 		if (a.name === "AbortError" || a.message === "Network request failed") {
-			if (i <= 1) return await A(e)(t, n, r, i + 1);
+			if (i <= 1) return await j(e)(t, n, r, i + 1);
 			throw a;
 		} else throw console.error(a.message), a;
 	}
 	return a;
-}, fe = {
+}, me = {
 	refresh_token: "refresh_token",
 	access_token: "access_token"
-}, pe = (e) => async (t, n, r = fe.refresh_token, i, a = {}, o = 1e4) => {
+}, he = (e) => async (t, n, r = me.refresh_token, i, a = {}, o = 1e4) => {
 	let s = {
 		token: n,
 		token_type_hint: r,
@@ -652,19 +660,19 @@ var oe = () => {
 		c.push(`${t}=${n}`);
 	}
 	let l = c.join("&");
-	return (await A(e)(t, {
+	return (await j(e)(t, {
 		method: "POST",
 		headers: { "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8" },
 		body: l
 	}, o)).status === 200 ? { success: !0 } : { success: !1 };
-}, me = (e) => async (t, n, r, i, a = {}, o, s = 1e4) => {
+}, ge = (e) => async (t, n, r, i, a = {}, o, s = 1e4) => {
 	for (let [e, t] of Object.entries(r)) n[e] === void 0 && (n[e] = t);
 	let c = [];
 	for (let e in n) {
 		let t = encodeURIComponent(e), r = encodeURIComponent(n[e]);
 		c.push(`${t}=${r}`);
 	}
-	let l = c.join("&"), u = await A(e)(t, {
+	let l = c.join("&"), u = await j(e)(t, {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
@@ -678,27 +686,27 @@ var oe = () => {
 		demonstratingProofOfPossessionNonce: null
 	};
 	let d = await u.json(), f = null;
-	return u.headers.has(j) && (f = u.headers.get(j)), {
+	return u.headers.has(M) && (f = u.headers.get(M)), {
 		success: !0,
 		status: u.status,
 		data: G(d, i, o),
 		demonstratingProofOfPossessionNonce: f
 	};
-}, he = (e, t) => async (n, r) => {
+}, _e = (e, t) => async (n, r) => {
 	r = r ? { ...r } : {};
-	let i = D(128), a = await ne(i);
+	let i = E(128), a = await re(i);
 	await e.setCodeVerifierAsync(i), await e.setStateAsync(r.state), r.code_challenge = a, r.code_challenge_method = "S256";
 	let o = "";
 	if (r) for (let [e, t] of Object.entries(r)) o === "" ? o += "?" : o += "&", o += `${e}=${encodeURIComponent(t)}`;
 	t.open(`${n}${o}`);
-}, j = "DPoP-Nonce", ge = (e) => async (t, n, r, i, a = 1e4) => {
+}, M = "DPoP-Nonce", ve = (e) => async (t, n, r, i, a = 1e4) => {
 	n = n ? { ...n } : {}, n.code_verifier = await e.getCodeVerifierAsync();
 	let o = [];
 	for (let e in n) {
 		let t = encodeURIComponent(e), r = encodeURIComponent(n[e]);
 		o.push(`${t}=${r}`);
 	}
-	let s = o.join("&"), c = await A(fetch)(t, {
+	let s = o.join("&"), c = await j(fetch)(t, {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
@@ -711,7 +719,7 @@ var oe = () => {
 		status: c.status
 	};
 	let l = null;
-	c.headers.has(j) && (l = c.headers.get(j));
+	c.headers.has(M) && (l = c.headers.get(M));
 	let u = await c.json();
 	return {
 		success: !0,
@@ -721,7 +729,7 @@ var oe = () => {
 			demonstratingProofOfPossessionNonce: l
 		}
 	};
-}, _e = (e) => {
+}, ye = (e) => {
 	let t = e.match(/^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/);
 	if (!t) throw Error("Invalid URL");
 	let n = t[6], r = t[7];
@@ -739,23 +747,23 @@ var oe = () => {
 		search: n,
 		hash: r
 	};
-}, ve = (e) => {
-	let t = _e(e), { path: n } = t;
+}, be = (e) => {
+	let t = ye(e), { path: n } = t;
 	n.endsWith("/") && (n = n.slice(0, -1));
 	let { hash: r } = t;
 	return r === "#_=_" && (r = ""), r && (n += r), n;
-}, M = (e) => {
-	let { search: t } = _e(e);
-	return ye(t);
-}, ye = (e) => {
+}, N = (e) => {
+	let { search: t } = ye(e);
+	return xe(t);
+}, xe = (e) => {
 	let t = {}, n, r, i, a = e.split("&");
 	for (r = 0, i = a.length; r < i; r++) n = a[r].split("="), t[decodeURIComponent(n[0])] = decodeURIComponent(n[1]);
 	return t;
-}, be = (t, n, r, a, o) => (s = void 0, c = null, l = !1, u = void 0) => {
+}, Se = (t, n, r, a, o) => (s = void 0, c = null, l = !1, u = void 0) => {
 	let d = c;
 	return c = { ...c }, (async () => {
 		let f = s || o.getPath();
-		if ("state" in c || (c.state = D(16)), r(e.loginAsync_begin, {}), c) for (let e of Object.keys(c)) e.endsWith(":token_request") && delete c[e];
+		if ("state" in c || (c.state = E(16)), r(e.loginAsync_begin, {}), c) for (let e of Object.keys(c)) e.endsWith(":token_request") && delete c[e];
 		try {
 			let e = l ? n.silent_redirect_uri : n.redirect_uri;
 			u ||= n.scope;
@@ -763,7 +771,7 @@ var oe = () => {
 				...n.extras,
 				...c
 			} : c;
-			r.nonce ||= D(12);
+			r.nonce ||= E(12);
 			let s = { nonce: r.nonce }, p = await $(n, t), m = await a(n.authority, n.authority_configuration), h;
 			if (p) p.setLoginParams({
 				callbackPath: f,
@@ -785,15 +793,15 @@ var oe = () => {
 				response_type: "code",
 				...r
 			};
-			await he(h, o)(m.authorizationEndpoint, g);
+			await _e(h, o)(m.authorizationEndpoint, g);
 		} catch (t) {
 			throw r(e.loginAsync_error, t), t;
 		}
 	})();
-}, xe = (t) => async (n = !1) => {
+}, Ce = (t) => async (n = !1) => {
 	try {
 		t.publishEvent(e.loginCallbackAsync_begin, {});
-		let r = t.configuration, a = r.client_id, o = n ? r.silent_redirect_uri : r.redirect_uri, s = r.authority, c = r.token_request_timeout, l = await t.initAsync(s, r.authority_configuration), u = M(t.location.getCurrentHref()), d = u.session_state, f = await $(r, t.configurationName), p, m, h, g;
+		let r = t.configuration, a = r.client_id, o = n ? r.silent_redirect_uri : r.redirect_uri, s = r.authority, c = r.token_request_timeout, l = await t.initAsync(s, r.authority_configuration), u = N(t.location.getCurrentHref()), d = u.session_state, f = await $(r, t.configurationName), p, m, h, g;
 		if (f) await f.initAsync(l, "loginCallbackAsync", r), await f.setSessionStateAsync(d), m = await f.getNonceAsync(), h = f.getLoginParams(), g = await f.getStateAsync(), f.startKeepAliveServiceWorker(), p = f;
 		else {
 			let e = i(t.configurationName, r.storage ?? sessionStorage, r.login_state_storage ?? r.storage ?? sessionStorage);
@@ -801,7 +809,11 @@ var oe = () => {
 		}
 		if (u.error || u.error_description) throw Error(`Error from OIDC server: ${u.error} - ${u.error_description}`);
 		if (u.iss && u.iss !== l.issuer) throw console.error(), Error(`Issuer not valid (expected: ${l.issuer}, received: ${u.iss})`);
-		if (u.state && u.state !== g) throw Error(`State not valid (expected: ${g}, received: ${u.state})`);
+		if (u.state) {
+			if (!g) throw new k(O.STATE_MISSING, "OIDC state is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).");
+			if (u.state !== g) throw new k(O.STATE_MISMATCH, `OIDC state does not match the stored one (expected: ${g}, received: ${u.state}).`);
+		}
+		if (!m || !m.nonce) throw new k(O.NONCE_MISSING, "OIDC nonce is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).");
 		let _ = {
 			code: u.code,
 			grant_type: "authorization_code",
@@ -814,40 +826,40 @@ var oe = () => {
 		if (r.demonstrating_proof_of_possession) if (f) b.DPoP = `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${t.configurationName}`;
 		else {
 			let e = await x(window)(r.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm);
-			await i(t.configurationName, r.storage, r.login_state_storage ?? r.storage).setDemonstratingProofOfPossessionJwkAsync(e), b.DPoP = await S(window)(r.demonstrating_proof_of_possession_configuration)(e, "POST", y);
+			await i(t.configurationName, r.storage, r.login_state_storage ?? r.storage).setDemonstratingProofOfPossessionJwkAsync(e), b.DPoP = await ee(window)(r.demonstrating_proof_of_possession_configuration)(e, "POST", y);
 		}
-		let C = await ge(p)(y, {
+		let S = await ve(p)(y, {
 			..._,
 			...v
 		}, b, t.configuration.token_renew_mode, c);
-		if (!C.success) throw Error("Token request failed");
-		let w, T = C.data.tokens, E = C.data.demonstratingProofOfPossessionNonce;
-		if (C.data.state !== v.state) throw Error("state is not valid");
-		let { isValid: D, reason: ee } = He(T, m.nonce, l);
-		if (!D) throw Error(`Tokens are not OpenID valid, reason: ${ee}`);
+		if (!S.success) throw Error("Token request failed");
+		let C, w = S.data.tokens, T = S.data.demonstratingProofOfPossessionNonce;
+		if (S.data.state !== v.state) throw Error("state is not valid");
+		let { isValid: E, reason: te } = Ge(w, m.nonce, l);
+		if (!E) throw Error(`Tokens are not OpenID valid, reason: ${te}`);
 		if (f) {
-			if (T.refreshToken && !T.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Refresh token should be hidden by service worker");
-			if (E && T?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Demonstration of proof of possession require Access token not hidden by service worker");
+			if (w.refreshToken && !w.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Refresh token should be hidden by service worker");
+			if (T && w?.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) throw Error("Demonstration of proof of possession require Access token not hidden by service worker");
 		}
-		if (f) await f.initAsync(l, "syncTokensAsync", r), w = f.getLoginParams(), E && await f.setDemonstratingProofOfPossessionNonce(E);
+		if (f) await f.initAsync(l, "syncTokensAsync", r), C = f.getLoginParams(), T && await f.setDemonstratingProofOfPossessionNonce(T);
 		else {
 			let e = i(t.configurationName, r.storage, r.login_state_storage ?? r.storage);
-			w = e.getLoginParams(), E && await e.setDemonstratingProofOfPossessionNonce(E);
+			C = e.getLoginParams(), T && await e.setDemonstratingProofOfPossessionNonce(T);
 		}
 		return await t.startCheckSessionAsync(l.checkSessionIframe, a, d, n), t.publishEvent(e.loginCallbackAsync_end, {}), {
-			tokens: T,
+			tokens: w,
 			state: "request.state",
-			callbackPath: w.callbackPath,
+			callbackPath: C.callbackPath,
 			scope: u.scope,
-			extras: w.extras
+			extras: C.extras
 		};
 	} catch (n) {
 		throw console.error(n), t.publishEvent(e.loginCallbackAsync_error, n), n;
 	}
-}, Se = {
+}, we = {
 	access_token: "access_token",
 	refresh_token: "refresh_token"
-}, N = (e, t) => {
+}, P = (e, t) => {
 	let n = {};
 	if (e) {
 		for (let [r, i] of Object.entries(e)) if (r.endsWith(t)) {
@@ -857,27 +869,27 @@ var oe = () => {
 		return n;
 	}
 	return n;
-}, Ce = (e) => {
+}, Te = (e) => {
 	let t = {};
 	if (e) {
 		for (let [n, r] of Object.entries(e)) n.includes(":") || (t[n] = r);
 		return t;
 	}
 	return t;
-}, we = (e) => async (t) => {
+}, Ee = (e) => async (t) => {
 	c.clearTimeout(e.timeoutId), e.timeoutId = null, e.checkSessionIFrame && e.checkSessionIFrame.stop();
 	let n = await $(e.configuration, e.configurationName);
 	n ? await n.clearAsync(t) : await i(e.configurationName, e.configuration.storage, e.configuration.login_state_storage ?? e.configuration.storage).clearAsync(t), e.tokens = null, e.userInfo = null;
-}, P = (t, n) => async () => {
+}, F = (t, n) => async () => {
 	let r = t.tokens?.idTokenPayload?.sub ?? null;
 	await t.destroyAsync("LOGGED_OUT");
 	for (let [, i] of Object.entries(n)) i === t ? t.publishEvent(e.logout_from_same_tab, {}) : await t.logoutSameTabAsync(t.configuration.client_id, r);
-}, Te = (e, t, n, r) => {
+}, De = (e, t, n, r) => {
 	"id_token_hint" in t || (t.id_token_hint = n), !("post_logout_redirect_uri" in t) && r !== null && (t.post_logout_redirect_uri = r);
 	let i = "";
 	for (let [e, n] of Object.entries(t)) n != null && (i === "" ? i += "?" : i += "&", i += `${e}=${encodeURIComponent(n)}`);
 	return `${e}${i}`;
-}, Ee = (e, t, n, r, i) => async (a = void 0, o = null) => {
+}, Oe = (e, t, n, r, i) => async (a = void 0, o = null) => {
 	let s = e.configuration, c = await e.initAsync(s.authority, s.authority_configuration);
 	a && typeof a != "string" && (a = void 0, r.warn("callbackPathOrUrl path is not a string"));
 	let l = a ?? i.getPath(), u = !1;
@@ -889,13 +901,13 @@ var oe = () => {
 			let t = c.revocationEndpoint;
 			if (t) {
 				let r = [], i = e.tokens ? e.tokens.accessToken : null;
-				if (i && s.logout_tokens_to_invalidate.includes(Se.access_token)) {
-					let e = N(o, ":revoke_access_token"), a = pe(n)(t, i, fe.access_token, s.client_id, e);
+				if (i && s.logout_tokens_to_invalidate.includes(we.access_token)) {
+					let e = P(o, ":revoke_access_token"), a = he(n)(t, i, me.access_token, s.client_id, e);
 					r.push(a);
 				}
 				let a = e.tokens ? e.tokens.refreshToken : null;
-				if (a && s.logout_tokens_to_invalidate.includes(Se.refresh_token)) {
-					let e = N(o, ":revoke_refresh_token"), i = pe(n)(t, a, fe.refresh_token, s.client_id, e);
+				if (a && s.logout_tokens_to_invalidate.includes(we.refresh_token)) {
+					let e = P(o, ":revoke_refresh_token"), i = he(n)(t, a, me.refresh_token, s.client_id, e);
 					r.push(i);
 				}
 				r.length > 0 && await Promise.all(r);
@@ -903,26 +915,26 @@ var oe = () => {
 		} catch (e) {
 			r.warn("logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error"), r.warn(e);
 		}
-		let a = N(o, ":oidc");
+		let a = P(o, ":oidc");
 		if (a && a.no_reload === "true") {
-			await P(e, t)(), e.isLoggingOut = !1;
+			await F(e, t)(), e.isLoggingOut = !1;
 			return;
 		}
-		let l = Ce(o);
+		let l = Te(o);
 		if (c.endSessionEndpoint) {
-			let e = Te(c.endSessionEndpoint, l, f, d);
+			let e = De(c.endSessionEndpoint, l, f, d);
 			i.open(e);
 		} else i.reload();
-		await P(e, t)();
+		await F(e, t)();
 	} catch (t) {
 		throw e.isLoggingOut = !1, t;
 	}
-}, F = /* @__PURE__ */ function(e) {
+}, I = /* @__PURE__ */ function(e) {
 	return e.AutomaticBeforeTokenExpiration = "AutomaticBeforeTokensExpiration", e.AutomaticOnlyWhenFetchExecuted = "AutomaticOnlyWhenFetchExecuted", e;
-}({}), De = (e, t, n = !1) => async (...r) => {
+}({}), ke = (e, t, n = !1) => async (...r) => {
 	let [i, a, ...o] = r, s = a ? { ...a } : { method: "GET" }, c = new Headers();
 	s.headers && (c = s.headers instanceof Headers ? s.headers : new Headers(s.headers));
-	let l = (await Ve({
+	let l = (await We({
 		getTokens: () => t.tokens,
 		configuration: {
 			token_automatic_renew_mode: t.configuration.token_automatic_renew_mode,
@@ -945,32 +957,32 @@ var oe = () => {
 		...s,
 		headers: c
 	}, ...o);
-}, Oe = (e) => async (t = !1, n = !1) => {
+}, Ae = (e) => async (t = !1, n = !1) => {
 	if (e.userInfo != null && !t) return e.userInfo;
 	let r = !t && e.configuration.storage?.getItem(`oidc.${e.configurationName}.userInfo`);
 	if (r) return e.userInfo = JSON.parse(r), e.userInfo;
 	let i = e.configuration, a = (await e.initAsync(i.authority, i.authority_configuration)).userInfoEndpoint, o = await (async () => {
-		let t = await De(fetch, e, n)(a);
+		let t = await ke(fetch, e, n)(a);
 		return t.status === 200 ? t.json() : null;
 	})();
 	return e.userInfo = o, o && e.configuration.storage?.setItem(`oidc.${e.configurationName}.userInfo`, JSON.stringify(o)), o;
-}, ke = () => fetch, I = class {
+}, je = () => fetch, Me = class {
 	constructor(e) {
 		this.authorizationEndpoint = e.authorization_endpoint, this.tokenEndpoint = e.token_endpoint, this.revocationEndpoint = e.revocation_endpoint, this.userInfoEndpoint = e.userinfo_endpoint, this.checkSessionIframe = e.check_session_iframe, this.issuer = e.issuer, this.endSessionEndpoint = e.end_session_endpoint;
 	}
-}, L = {}, Ae = (e, t = new O()) => (n, r = "default") => (L[r] || (L[r] = new R(n, r, e, t)), L[r]), je = async (e) => {
+}, L = {}, Ne = (e, t = new D()) => (n, r = "default") => (L[r] || (L[r] = new R(n, r, e, t)), L[r]), Pe = async (e) => {
 	let { parsedTokens: t, callbackPath: n, extras: r, scope: i } = await e.loginCallbackAsync();
 	return e.timeoutId = z(e, t.expiresAt, r, i), { callbackPath: n };
-}, Me = (e) => Math.floor(Math.random() * e), R = class t {
-	constructor(e, t = "default", n, r = new O()) {
+}, Fe = (e) => Math.floor(Math.random() * e), R = class t {
+	constructor(e, t = "default", n, r = new D()) {
 		this.isLoggingOut = !1, this.initPromise = null, this.tryKeepExistingSessionPromise = null, this.loginPromise = null, this.loginCallbackPromise = null, this.loginCallbackWithAutoTokensRenewPromise = null, this.userInfoPromise = null, this.renewTokensPromise = null, this.clearSessionPromise = null, this.logoutPromise = null;
 		let i = e.silent_login_uri;
 		e.silent_redirect_uri && !e.silent_login_uri && (i = `${e.silent_redirect_uri.replace("-callback", "").replace("callback", "")}-login`);
 		let a = e.refresh_time_before_tokens_expiration_in_second ?? 120;
-		a > 60 && (a -= Math.floor(Math.random() * 40)), this.location = r ?? new O(), this.configuration = {
+		a > 60 && (a -= Math.floor(Math.random() * 40)), this.location = r ?? new D(), this.configuration = {
 			...e,
 			silent_login_uri: i,
-			token_automatic_renew_mode: e.token_automatic_renew_mode ?? F.AutomaticBeforeTokenExpiration,
+			token_automatic_renew_mode: e.token_automatic_renew_mode ?? I.AutomaticBeforeTokenExpiration,
 			monitor_session: e.monitor_session ?? !1,
 			refresh_time_before_tokens_expiration_in_second: a,
 			silent_login_timeout: e.silent_login_timeout ?? 12e3,
@@ -978,13 +990,13 @@ var oe = () => {
 			demonstrating_proof_of_possession: e.demonstrating_proof_of_possession ?? !1,
 			authority_timeout_wellknowurl_in_millisecond: e.authority_timeout_wellknowurl_in_millisecond ?? 1e4,
 			logout_tokens_to_invalidate: e.logout_tokens_to_invalidate ?? ["access_token", "refresh_token"],
-			service_worker_activate: e.service_worker_activate ?? oe,
+			service_worker_activate: e.service_worker_activate ?? se,
 			demonstrating_proof_of_possession_configuration: e.demonstrating_proof_of_possession_configuration ?? _,
 			preload_user_info: e.preload_user_info ?? !1
-		}, this.getFetch = n ?? ke, this.configurationName = t, this.tokens = null, this.userInfo = null, this.events = [], this.timeoutId = null, this.loginCallbackWithAutoTokensRenewAsync.bind(this), this.initAsync.bind(this), this.loginCallbackAsync.bind(this), this.subscribeEvents.bind(this), this.removeEventSubscription.bind(this), this.publishEvent.bind(this), this.destroyAsync.bind(this), this.logoutAsync.bind(this), this.renewTokensAsync.bind(this), this.initAsync(this.configuration.authority, this.configuration.authority_configuration);
+		}, this.getFetch = n ?? je, this.configurationName = t, this.tokens = null, this.userInfo = null, this.events = [], this.timeoutId = null, this.loginCallbackWithAutoTokensRenewAsync.bind(this), this.initAsync.bind(this), this.loginCallbackAsync.bind(this), this.subscribeEvents.bind(this), this.removeEventSubscription.bind(this), this.publishEvent.bind(this), this.destroyAsync.bind(this), this.logoutAsync.bind(this), this.renewTokensAsync.bind(this), this.initAsync(this.configuration.authority, this.configuration.authority_configuration);
 	}
 	subscribeEvents(e) {
-		let t = Me(9999999999999).toString();
+		let t = Fe(9999999999999).toString();
 		return this.events.push({
 			id: t,
 			func: e
@@ -1000,7 +1012,7 @@ var oe = () => {
 		});
 	}
 	static {
-		this.getOrCreate = (e, t) => (n, r = "default") => Ae(e, t)(n, r);
+		this.getOrCreate = (e, t) => (n, r = "default") => Ne(e, t)(n, r);
 	}
 	static get(e = "default") {
 		return Object.prototype.hasOwnProperty.call(L, e) ? L[e] : null;
@@ -1016,7 +1028,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	}
 	_silentLoginCallbackFromIFrame() {
 		if (this.configuration.silent_redirect_uri && this.configuration.silent_login_uri) {
-			let e = this.location, t = M(e.getCurrentHref());
+			let e = this.location, t = N(e.getCurrentHref());
 			window.parent.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify({
 				tokens: this.tokens,
 				sessionState: t.session_state
@@ -1025,7 +1037,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	}
 	_silentLoginErrorCallbackFromIFrame(e = null) {
 		if (this.configuration.silent_redirect_uri && this.configuration.silent_login_uri) {
-			let t = this.location, n = M(t.getCurrentHref());
+			let t = this.location, n = N(t.getCurrentHref());
 			n.error ? window.parent.postMessage(`${this.configurationName}_oidc_error:${JSON.stringify({ error: n.error })}`, t.getOrigin()) : window.parent.postMessage(`${this.configurationName}_oidc_exception:${JSON.stringify({ error: e == null ? "" : e.toString() })}`, t.getOrigin());
 		}
 	}
@@ -1039,7 +1051,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	async initAsync(e, t) {
 		if (this.initPromise !== null) return this.initPromise;
 		let n = async () => {
-			if (t != null) return new I({
+			if (t != null) return new Me({
 				authorization_endpoint: t.authorization_endpoint,
 				end_session_endpoint: t.end_session_endpoint,
 				revocation_endpoint: t.revocation_endpoint,
@@ -1049,14 +1061,14 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 				issuer: t.issuer
 			});
 			let n = await $(this.configuration, this.configurationName) ? this.configuration.storage || window.sessionStorage : this.configuration.storage;
-			return await de(this.getFetch())(e, this.configuration.authority_time_cache_wellknowurl_in_second ?? 3600, n, this.configuration.authority_timeout_wellknowurl_in_millisecond);
+			return await pe(this.getFetch())(e, this.configuration.authority_time_cache_wellknowurl_in_second ?? 3600, n, this.configuration.authority_timeout_wellknowurl_in_millisecond);
 		};
 		return this.initPromise = n(), this.initPromise.finally(() => {
 			this.initPromise = null;
 		});
 	}
 	async tryKeepExistingSessionAsync() {
-		return this.tryKeepExistingSessionPromise === null ? (this.tryKeepExistingSessionPromise = se(this), this.tryKeepExistingSessionPromise.finally(() => {
+		return this.tryKeepExistingSessionPromise === null ? (this.tryKeepExistingSessionPromise = ce(this), this.tryKeepExistingSessionPromise.finally(() => {
 			this.tryKeepExistingSessionPromise = null;
 		})) : this.tryKeepExistingSessionPromise;
 	}
@@ -1064,14 +1076,14 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 		await d(this, L, this.configuration)(e, t, n, r);
 	}
 	async loginAsync(e = void 0, t = null, n = !1, r = void 0, i = !1) {
-		return this.logoutPromise && await this.logoutPromise, this.loginPromise === null ? (i ? this.loginPromise = u(window, this.configurationName, this.configuration, this.publishEvent.bind(this), this)(t, r) : this.loginPromise = be(this.configurationName, this.configuration, this.publishEvent.bind(this), this.initAsync.bind(this), this.location)(e, t, n, r), this.loginPromise.finally(() => {
+		return this.logoutPromise && await this.logoutPromise, this.loginPromise === null ? (i ? this.loginPromise = u(window, this.configurationName, this.configuration, this.publishEvent.bind(this), this)(t, r) : this.loginPromise = Se(this.configurationName, this.configuration, this.publishEvent.bind(this), this.initAsync.bind(this), this.location)(e, t, n, r), this.loginPromise.finally(() => {
 			this.loginPromise = null;
 		})) : this.loginPromise;
 	}
 	async loginCallbackAsync(e = !1) {
 		if (this.loginCallbackPromise !== null) return this.loginCallbackPromise;
 		let n = async () => {
-			let n = await xe(this)(e), r = n.tokens;
+			let n = await Ce(this)(e), r = n.tokens;
 			return this.tokens = r, await $(this.configuration, this.configurationName) || i(this.configurationName, this.configuration.storage, this.configuration.login_state_storage ?? this.configuration.storage).setTokens(r), this.publishEvent(t.eventNames.token_acquired, r), this.configuration.preload_user_info && await this.userInfoAsync(), {
 				parsedTokens: r,
 				state: n.state,
@@ -1086,34 +1098,34 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 	}
 	async generateDemonstrationOfProofOfPossessionAsync(e, t, n, r = {}) {
 		let a = this.configuration, o = {
-			ath: await te(e),
+			ath: await ne(e),
 			...r
 		};
-		if (await $(a, this.configurationName)) return `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${Ke(this.configurationName)}`;
+		if (await $(a, this.configurationName)) return `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${Ye(this.configurationName)}`;
 		let s = i(this.configurationName, a.storage, a.login_state_storage ?? a.storage), c = await s.getDemonstratingProofOfPossessionJwkAsync(), l = s.getDemonstratingProofOfPossessionNonce();
-		return l && (o.nonce = l), await S(window)(a.demonstrating_proof_of_possession_configuration)(c, n, t, o);
+		return l && (o.nonce = l), await ee(window)(a.demonstrating_proof_of_possession_configuration)(c, n, t, o);
 	}
 	loginCallbackWithAutoTokensRenewAsync() {
-		return this.loginCallbackWithAutoTokensRenewPromise === null ? (this.loginCallbackWithAutoTokensRenewPromise = je(this), this.loginCallbackWithAutoTokensRenewPromise.finally(() => {
+		return this.loginCallbackWithAutoTokensRenewPromise === null ? (this.loginCallbackWithAutoTokensRenewPromise = Pe(this), this.loginCallbackWithAutoTokensRenewPromise.finally(() => {
 			this.loginCallbackWithAutoTokensRenewPromise = null;
 		})) : this.loginCallbackWithAutoTokensRenewPromise;
 	}
 	userInfoAsync(e = !1, t = !1) {
-		return this.userInfoPromise === null ? (this.userInfoPromise = Oe(this)(e, t), this.userInfoPromise.finally(() => {
+		return this.userInfoPromise === null ? (this.userInfoPromise = Ae(this)(e, t), this.userInfoPromise.finally(() => {
 			this.userInfoPromise = null;
 		})) : this.userInfoPromise;
 	}
 	async renewTokensAsync(e = null, t = null) {
 		if (this.renewTokensPromise !== null) return this.renewTokensPromise;
-		if (this.timeoutId) return c.clearTimeout(this.timeoutId), this.renewTokensPromise = Pe(this, !0, e, t), this.renewTokensPromise.finally(() => {
+		if (this.timeoutId) return c.clearTimeout(this.timeoutId), this.renewTokensPromise = Le(this, !0, e, t), this.renewTokensPromise.finally(() => {
 			this.renewTokensPromise = null;
 		});
 	}
 	async destroyAsync(e) {
-		return await we(this)(e);
+		return await Ee(this)(e);
 	}
 	async clearSessionAsync() {
-		return this.clearSessionPromise ? this.clearSessionPromise : (this.clearSessionPromise = P(this, L)(), this.clearSessionPromise.finally(() => {
+		return this.clearSessionPromise ? this.clearSessionPromise : (this.clearSessionPromise = F(this, L)(), this.clearSessionPromise.finally(() => {
 			this.clearSessionPromise = null;
 		}));
 	}
@@ -1130,25 +1142,25 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 		}));
 	}
 	async logoutAsync(e = void 0, t = null) {
-		return this.logoutPromise ? this.logoutPromise : (this.logoutPromise = Ee(this, L, this.getFetch(), console, this.location)(e, t), this.logoutPromise.finally(() => {
+		return this.logoutPromise ? this.logoutPromise : (this.logoutPromise = Oe(this, L, this.getFetch(), console, this.location)(e, t), this.logoutPromise.finally(() => {
 			this.logoutPromise = null;
 		}));
 	}
 };
 //#endregion
 //#region src/renewTokens.ts
-async function Ne(e, t, n, r = null) {
+async function Ie(e, t, n, r = null) {
 	let { tokens: a, status: o } = await H(e)((t) => {
 		e.tokens = t;
 	}, 0, 0, t, n, r);
 	return await $(e.configuration, e.configurationName) || i(e.configurationName, e.configuration.storage, e.configuration.login_state_storage ?? e.configuration.storage).setTokens(e.tokens), e.tokens ? a : (await e.destroyAsync(o), null);
 }
-async function Pe(e, t = !1, n = null, r = null) {
+async function Le(e, t = !1, n = null, r = null) {
 	let i = e.configuration, a = `${i.client_id}_${e.configurationName}_${i.authority}`, o, s = await $(e.configuration, e.configurationName);
-	if (i?.storage === window?.sessionStorage && !s || !navigator.locks) o = await Ne(e, t, n, r);
+	if (i?.storage === window?.sessionStorage && !s || !navigator.locks) o = await Ie(e, t, n, r);
 	else {
 		let i = "retry";
-		for (; i === "retry";) i = await navigator.locks.request(a, { ifAvailable: !0 }, async (i) => i ? await Ne(e, t, n, r) : (e.publishEvent(R.eventNames.syncTokensAsync_lock_not_available, { lock: "lock not available" }), "retry"));
+		for (; i === "retry";) i = await navigator.locks.request(a, { ifAvailable: !0 }, async (i) => i ? await Ie(e, t, n, r) : (e.publishEvent(R.eventNames.syncTokensAsync_lock_not_available, { lock: "lock not available" }), "retry"));
 		o = i;
 	}
 	return o ? (e.timeoutId &&= z(e, e.tokens.expiresAt, n, r), e.tokens) : null;
@@ -1157,7 +1169,7 @@ var z = (e, t, n = null, r = null) => {
 	let i = e.configuration.refresh_time_before_tokens_expiration_in_second;
 	return e.timeoutId && c.clearTimeout(e.timeoutId), c.setTimeout(async () => {
 		let a = { timeLeft: K(i, t) };
-		e.publishEvent(R.eventNames.token_timer, a), await Pe(e, !1, n, r);
+		e.publishEvent(R.eventNames.token_timer, a), await Le(e, !1, n, r);
 	}, 1e3);
 }, B = {
 	FORCE_REFRESH: "FORCE_REFRESH",
@@ -1294,12 +1306,12 @@ var z = (e, t, n = null, r = null) => {
 				tokens: null,
 				status: "LOGGED_OUT"
 			};
-			case B.REQUIRE_SYNC_TOKENS: return h.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted && !o ? (t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
+			case B.REQUIRE_SYNC_TOKENS: return h.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted && !o ? (t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
 				tokens: t.tokens,
 				status: "GIVE_UP"
 			}) : (t.publishEvent(e.refreshTokensAsync_begin, { tryNumber: r }), await _());
 			default: {
-				if (h.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted && B.FORCE_REFRESH !== l) return t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
+				if (h.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted && B.FORCE_REFRESH !== l) return t.publishEvent(e.tokensInvalidAndWaitingActionsToRefresh, {}), {
 					tokens: t.tokens,
 					status: "GIVE_UP"
 				};
@@ -1319,9 +1331,13 @@ var z = (e, t, n = null, r = null) => {
 						refresh_token: u.refreshToken
 					}, a = await t.initAsync(v, h.authority_configuration), l = document.hidden ? 1e4 : 3e4 * 10, _ = a.tokenEndpoint, b = {};
 					h.demonstrating_proof_of_possession && (b.DPoP = await t.generateDemonstrationOfProofOfPossessionAsync(u.accessToken, _, "POST"));
-					let x = await me(t.getFetch())(_, r, y, u, b, h.token_renew_mode, l);
+					let x = await ge(t.getFetch())(_, r, y, u, b, h.token_renew_mode, l);
 					if (x.success) {
-						let { isValid: r, reason: o } = He(x.data, d.nonce, a);
+						if (!d || !d.nonce) return n(null), t.publishEvent(e.refreshTokensAsync_error, { message: "refresh token: nonce missing from storage" }), {
+							tokens: null,
+							status: "SESSION_LOST"
+						};
+						let { isValid: r, reason: o } = Ge(x.data, d.nonce, a);
 						if (!r) return n(null), t.publishEvent(e.refreshTokensAsync_error, { message: `refresh token return not valid tokens, reason: ${o}` }), {
 							tokens: null,
 							status: "SESSION_LOST"
@@ -1354,29 +1370,29 @@ var z = (e, t, n = null, r = null) => {
 			}, 1e3);
 		});
 	}
-}, Fe = (e) => decodeURIComponent(Array.prototype.map.call(atob(e), (e) => "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2)).join("")), Ie = (e) => JSON.parse(Fe(e.replaceAll(/-/g, "+").replaceAll(/_/g, "/"))), Le = (e) => {
+}, Re = (e) => decodeURIComponent(Array.prototype.map.call(atob(e), (e) => "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2)).join("")), ze = (e) => JSON.parse(Re(e.replaceAll(/-/g, "+").replaceAll(/_/g, "/"))), Be = (e) => {
 	try {
-		return e && Re(e, ".") === 2 ? Ie(e.split(".")[1]) : null;
+		return e && Ve(e, ".") === 2 ? ze(e.split(".")[1]) : null;
 	} catch (e) {
 		console.warn(e);
 	}
 	return null;
-}, Re = (e, t) => e.split(t).length - 1, U = {
+}, Ve = (e, t) => e.split(t).length - 1, U = {
 	access_token_or_id_token_invalid: "access_token_or_id_token_invalid",
 	access_token_invalid: "access_token_invalid",
 	id_token_invalid: "id_token_invalid"
 };
-function ze(e, t, n) {
+function He(e, t, n) {
 	return e.issuedAt ? typeof e.issuedAt == "string" ? parseInt(e.issuedAt, 10) : e.issuedAt : t && t.iat ? t.iat : n && n.iat ? n.iat : (/* @__PURE__ */ new Date()).getTime() / 1e3;
 }
 var W = (e, t = null, n) => {
 	if (!e) return null;
 	let r, i = typeof e.expiresIn == "string" ? parseInt(e.expiresIn, 10) : e.expiresIn;
-	r = e.accessTokenPayload === void 0 ? Le(e.accessToken) : e.accessTokenPayload;
+	r = e.accessTokenPayload === void 0 ? Be(e.accessToken) : e.accessTokenPayload;
 	let a;
 	a = t != null && "idToken" in t && !("idToken" in e) ? t.idToken : e.idToken;
-	let o = e.idTokenPayload ? e.idTokenPayload : Le(a), s = o && o.exp ? o.exp : Number.MAX_VALUE, c = r && r.exp ? r.exp : e.issuedAt + i;
-	e.issuedAt = ze(e, r, o);
+	let o = e.idTokenPayload ? e.idTokenPayload : Be(a), s = o && o.exp ? o.exp : Number.MAX_VALUE, c = r && r.exp ? r.exp : e.issuedAt + i;
+	e.issuedAt = He(e, r, o);
 	let l;
 	l = e.expiresAt ? e.expiresAt : n === U.access_token_invalid ? c : n === U.id_token_invalid || s < c ? s : c;
 	let u = {
@@ -1409,25 +1425,25 @@ var W = (e, t = null, n) => {
 }, K = (e, t) => {
 	let n = t - (/* @__PURE__ */ new Date()).getTime() / 1e3;
 	return Math.round(n - e);
-}, Be = (e, t = 0) => e ? K(t, e.expiresAt) > 0 : !1, Ve = async (e, t = 200, n = 50) => {
+}, Ue = (e, t = 0) => e ? K(t, e.expiresAt) > 0 : !1, We = async (e, t = 200, n = 50) => {
 	let r = n, i = await e.syncTokensInfoAsync();
 	for (; [
 		B.REQUIRE_SYNC_TOKENS,
 		B.TOKEN_UPDATED_BY_ANOTHER_TAB_TOKENS_INVALID,
 		B.TOKENS_INVALID
 	].includes(i) && r > 0;) {
-		if (e.configuration.token_automatic_renew_mode == F.AutomaticOnlyWhenFetchExecuted) {
+		if (e.configuration.token_automatic_renew_mode == I.AutomaticOnlyWhenFetchExecuted) {
 			await e.renewTokensAsync({});
 			break;
 		} else await J({ milliseconds: t });
 		--r, i = await e.syncTokensInfoAsync();
 	}
 	return {
-		isTokensValid: Be(e.getTokens()),
+		isTokensValid: Ue(e.getTokens()),
 		tokens: e.getTokens(),
 		numberWaited: r - n
 	};
-}, He = (e, t, n) => {
+}, Ge = (e, t, n) => {
 	if (e.idTokenPayload) {
 		let r = e.idTokenPayload;
 		if (n.issuer !== r.iss) return {
@@ -1453,25 +1469,25 @@ var W = (e, t = null, n) => {
 		isValid: !0,
 		reason: ""
 	};
-}, Ue = "7.27.17", We = null, q, J = ({ milliseconds: e }) => new Promise((t) => c.setTimeout(t, e)), Ge = (e = "/") => {
+}, Ke = "7.27.18", qe = null, q, J = ({ milliseconds: e }) => new Promise((t) => c.setTimeout(t, e)), Je = (e = "/") => {
 	try {
 		q = new AbortController(), fetch(`${e}OidcKeepAliveServiceWorker.json?minSleepSeconds=150`, { signal: q.signal }).catch((e) => {
 			console.log(e);
-		}), J({ milliseconds: 150 * 1e3 }).then(() => Ge(e));
+		}), J({ milliseconds: 150 * 1e3 }).then(() => Je(e));
 	} catch (e) {
 		console.log(e);
 	}
 }, Y = () => {
 	q && q.abort();
-}, Ke = (e) => {
+}, Ye = (e) => {
 	let t = `oidc.tabId.${e}`, n = sessionStorage.getItem(t);
 	if (n) return n;
 	let r = globalThis.crypto.randomUUID();
 	return sessionStorage.setItem(t, r), r;
-}, qe = (e) => navigator.serviceWorker.controller ?? e.active ?? e.waiting ?? e.installing ?? null, X = (e, t) => (n) => {
+}, Xe = (e) => navigator.serviceWorker.controller ?? e.active ?? e.waiting ?? e.installing ?? null, X = (e, t) => (n) => {
 	let r = t?.timeoutMs ?? 5e3;
 	return new Promise((t, i) => {
-		let a = qe(e);
+		let a = Xe(e);
 		if (!a) {
 			i(/* @__PURE__ */ Error("Service worker target not available (controller/active/waiting/installing missing)"));
 			return;
@@ -1492,39 +1508,39 @@ var W = (e, t = null, n) => {
 			let e = n?.configurationName;
 			a.postMessage({
 				...n,
-				tabId: Ke(e ?? "default")
+				tabId: Ye(e ?? "default")
 			}, [o.port2]);
 		} catch (e) {
 			l(), i(e);
 		}
 	});
-}, Je = async (e) => navigator.serviceWorker.controller ? navigator.serviceWorker.controller : new Promise((t) => {
+}, Ze = async (e) => navigator.serviceWorker.controller ? navigator.serviceWorker.controller : new Promise((t) => {
 	let n = !1, r = () => {
 		n || (n = !0, navigator.serviceWorker.removeEventListener("controllerchange", r), t(navigator.serviceWorker.controller ?? null));
 	};
 	navigator.serviceWorker.addEventListener("controllerchange", r), c.setTimeout(() => {
 		n || (n = !0, navigator.serviceWorker.removeEventListener("controllerchange", r), t(navigator.serviceWorker.controller ?? null));
 	}, e);
-}), Ye = !1, Z = !1, Q = /* @__PURE__ */ new Map(), Xe = "oidc.sw.controllerchange_reload_count", Ze = 3, Qe = () => {
+}), Qe = !1, Z = !1, Q = /* @__PURE__ */ new Map(), $e = "oidc.sw.controllerchange_reload_count", et = 3, tt = () => {
 	try {
-		return parseInt(sessionStorage.getItem(Xe) ?? "0", 10);
+		return parseInt(sessionStorage.getItem($e) ?? "0", 10);
 	} catch {
 		return 0;
 	}
-}, $e = () => {
-	let e = Qe() + 1;
+}, nt = () => {
+	let e = tt() + 1;
 	try {
-		sessionStorage.setItem(Xe, String(e));
+		sessionStorage.setItem($e, String(e));
 	} catch {}
 	return e;
-}, et = () => {
+}, rt = () => {
 	try {
-		sessionStorage.removeItem(Xe);
+		sessionStorage.removeItem($e);
 	} catch {}
 }, $ = async (e, t) => {
 	let n = e.service_worker_relative_url;
 	if (typeof window > "u" || typeof navigator > "u" || !navigator.serviceWorker || !n || e.service_worker_activate() === !1) return null;
-	let r = `${n}?v=${Ue}`, i = null;
+	let r = `${n}?v=${Ke}`, i = null;
 	e.service_worker_register ? (Q.has(n) || Q.set(n, e.service_worker_register(n)), i = await Q.get(n)) : (Q.has(r) || Q.set(r, navigator.serviceWorker.register(r, { updateViaCache: "none" })), i = await Q.get(r));
 	let a = `oidc.sw.version_mismatch_reload.${t}`, o = async (e) => {
 		Y(), console.log("New SW waiting – SKIP_WAITING");
@@ -1547,7 +1563,7 @@ var W = (e, t = null, n) => {
 						type: "SKIP_WAITING",
 						configurationName: t,
 						data: null,
-						tabId: Ke(t ?? "default")
+						tabId: Ye(t ?? "default")
 					}, [i.port2]);
 				} catch (e) {
 					o(), r(e);
@@ -1562,7 +1578,7 @@ var W = (e, t = null, n) => {
 	}, l = (e) => {
 		Y(), e.addEventListener("statechange", async () => {
 			if (e.state === "installed" && navigator.serviceWorker.controller) {
-				if (Qe() >= Ze) {
+				if (tt() >= et) {
 					console.warn("SW trackInstallingWorker: skipping SKIP_WAITING because the reload budget is exhausted");
 					return;
 				}
@@ -1573,7 +1589,7 @@ var W = (e, t = null, n) => {
 	i.addEventListener("updatefound", () => {
 		let e = i.installing;
 		e && l(e);
-	}), i.installing ? l(i.installing) : i.waiting && navigator.serviceWorker.controller && (Qe() < Ze ? s() : console.warn("SW: a waiting worker exists but reload budget is exhausted – skipping activation")), i.update().catch((e) => {
+	}), i.installing ? l(i.installing) : i.waiting && navigator.serviceWorker.controller && (tt() < et ? s() : console.warn("SW: a waiting worker exists but reload budget is exhausted – skipping activation")), i.update().catch((e) => {
 		console.error(e);
 	});
 	try {
@@ -1581,14 +1597,14 @@ var W = (e, t = null, n) => {
 			type: "claim",
 			configurationName: t,
 			data: null
-		}), await Je(2e3));
+		}), await Ze(2e3));
 	} catch (e) {
 		return console.warn(`Failed init ServiceWorker ${e?.toString?.() ?? String(e)}`), null;
 	}
-	Ye || (Ye = !0, navigator.serviceWorker.addEventListener("controllerchange", () => {
+	Qe || (Qe = !0, navigator.serviceWorker.addEventListener("controllerchange", () => {
 		if (Z) return;
-		let e = $e();
-		if (e > Ze) {
+		let e = nt();
+		if (e > et) {
 			console.warn(`SW controllerchange: reload budget exhausted (${e - 1} reloads). Skipping reload to avoid infinite loop.`);
 			return;
 		}
@@ -1611,8 +1627,8 @@ var W = (e, t = null, n) => {
 			},
 			configurationName: t
 		}), c = o.version;
-		if (c !== "7.27.17") {
-			console.warn(`Service worker ${c} version mismatch with js client version ${Ue}, unregistering and reloading`);
+		if (c !== "7.27.18") {
+			console.warn(`Service worker ${c} version mismatch with js client version ${Ke}, unregistering and reloading`);
 			let e = parseInt(sessionStorage.getItem(a) ?? "0", 10);
 			if (e < 3) {
 				if (sessionStorage.setItem(a, String(e + 1)), i.waiting) return await s(), await J({ milliseconds: 500 }), Z || (Z = !0, window.location.reload()), new Promise(() => {});
@@ -1627,13 +1643,13 @@ var W = (e, t = null, n) => {
 					return console.log(`Service worker unregistering ${e}`), await J({ milliseconds: 500 }), Z || (Z = !0, window.location.reload()), new Promise(() => {});
 				}
 			} else console.error(`Service worker version mismatch persists after ${e} attempt(s). Continuing with mismatched version.`);
-		} else sessionStorage.removeItem(a), et();
+		} else sessionStorage.removeItem(a), rt();
 		return {
 			tokens: G(o.tokens, null, r.token_renew_mode),
 			status: o.status
 		};
 	}, f = (e = "/") => {
-		We ?? (We = "not_null", Ge(e));
+		qe ?? (qe = "not_null", Je(e));
 	}, p = (e) => X(i)({
 		type: "setSessionState",
 		data: { sessionState: e },
@@ -1679,39 +1695,39 @@ var W = (e, t = null, n) => {
 		type: "getDemonstratingProofOfPossessionNonce",
 		data: null,
 		configurationName: t
-	})).demonstratingProofOfPossessionNonce, S = async (e) => {
+	})).demonstratingProofOfPossessionNonce, ee = async (e) => {
 		let n = JSON.stringify(e);
 		await X(i)({
 			type: "setDemonstratingProofOfPossessionJwk",
 			data: { demonstratingProofOfPossessionJwkJson: n },
 			configurationName: t
 		});
-	}, C = async () => {
+	}, S = async () => {
 		let e = await X(i)({
 			type: "getDemonstratingProofOfPossessionJwk",
 			data: null,
 			configurationName: t
 		});
 		return e.demonstratingProofOfPossessionJwkJson ? JSON.parse(e.demonstratingProofOfPossessionJwkJson) : null;
-	}, w = async (e = !0) => {
+	}, C = async (e = !0) => {
 		let n = (await X(i)({
 			type: "getState",
 			data: null,
 			configurationName: t
 		})).state;
-		return n || (n = sessionStorage[`oidc.state.${t}`], console.warn("state not found in service worker, using sessionStorage"), e && (await T(n), n = await w(!1))), n;
-	}, T = async (e) => (sessionStorage[`oidc.state.${t}`] = e, X(i)({
+		return n || (n = sessionStorage[`oidc.state.${t}`], console.warn("state not found in service worker, using sessionStorage"), e && (await w(n), n = await C(!1))), n;
+	}, w = async (e) => (sessionStorage[`oidc.state.${t}`] = e, X(i)({
 		type: "setState",
 		data: { state: e },
 		configurationName: t
-	})), E = async (e = !0) => {
+	})), T = async (e = !0) => {
 		let n = (await X(i)({
 			type: "getCodeVerifier",
 			data: null,
 			configurationName: t
 		})).codeVerifier;
-		return n || (n = sessionStorage[`oidc.code_verifier.${t}`], console.warn("codeVerifier not found in service worker, using sessionStorage"), e && (await D(n), n = await E(!1))), n;
-	}, D = async (e) => (sessionStorage[`oidc.code_verifier.${t}`] = e, X(i)({
+		return n || (n = sessionStorage[`oidc.code_verifier.${t}`], console.warn("codeVerifier not found in service worker, using sessionStorage"), e && (await E(n), n = await T(!1))), n;
+	}, E = async (e) => (sessionStorage[`oidc.code_verifier.${t}`] = e, X(i)({
 		type: "setCodeVerifier",
 		data: { codeVerifier: e },
 		configurationName: t
@@ -1726,24 +1742,24 @@ var W = (e, t = null, n) => {
 		getNonceAsync: g,
 		setLoginParams: v,
 		getLoginParams: y,
-		getStateAsync: w,
-		setStateAsync: T,
-		getCodeVerifierAsync: E,
-		setCodeVerifierAsync: D,
+		getStateAsync: C,
+		setStateAsync: w,
+		getCodeVerifierAsync: T,
+		setCodeVerifierAsync: E,
 		setDemonstratingProofOfPossessionNonce: b,
 		getDemonstratingProofOfPossessionNonce: x,
-		setDemonstratingProofOfPossessionJwkAsync: S,
-		getDemonstratingProofOfPossessionJwkAsync: C,
+		setDemonstratingProofOfPossessionJwkAsync: ee,
+		getDemonstratingProofOfPossessionJwkAsync: S,
 		signalAsync: (e, n) => X(i, n)({
 			...e,
 			configurationName: e.configurationName ?? t
 		})
 	};
-}, tt = async (e, t, n, r) => {
+}, it = async (e, t, n, r) => {
 	let i = await $(e, t);
 	if (!i) throw Error(`signalServiceWorkerAsync: no service worker registered for configuration "${t}"`);
 	return i.signalAsync(n, r);
-}, nt = class e {
+}, at = class e {
 	constructor(e) {
 		this._oidc = e;
 	}
@@ -1757,7 +1773,7 @@ var W = (e, t = null, n) => {
 		this._oidc.publishEvent(e, t);
 	}
 	static {
-		this.getOrCreate = (t, n = new O()) => (r, i = "default") => new e(R.getOrCreate(t, n)(r, i));
+		this.getOrCreate = (t, n = new D()) => (r, i = "default") => new e(R.getOrCreate(t, n)(r, i));
 	}
 	static get(t = "default") {
 		let n = R.get(t);
@@ -1804,7 +1820,7 @@ var W = (e, t = null, n) => {
 	}
 	async getValidTokenAsync(e = 200, t = 50) {
 		let n = this._oidc;
-		return Ve({
+		return We({
 			getTokens: () => n.tokens,
 			configuration: {
 				token_automatic_renew_mode: n.configuration.token_automatic_renew_mode,
@@ -1818,7 +1834,7 @@ var W = (e, t = null, n) => {
 		}, e, t);
 	}
 	fetchWithTokens(e, t = !1) {
-		return De(e, this._oidc, t);
+		return ke(e, this._oidc, t);
 	}
 	async userInfoAsync(e = !1, t = !1) {
 		return this._oidc.userInfoAsync(e, t);
@@ -1827,9 +1843,9 @@ var W = (e, t = null, n) => {
 		return this._oidc.userInfo;
 	}
 	async signalServiceWorker(e, t) {
-		return tt(this._oidc.configuration, this._oidc.configurationName, e, t);
+		return it(this._oidc.configuration, this._oidc.configurationName, e, t);
 	}
-}, rt = "1.0.0", it = {
+}, ot = "1.0.0", st = {
 	SKIP_WAITING: "SKIP_WAITING",
 	CLAIM: "claim",
 	CLEAR: "clear",
@@ -1846,18 +1862,18 @@ var W = (e, t = null, n) => {
 	GET_DPOP_NONCE: "getDemonstratingProofOfPossessionNonce",
 	SET_DPOP_JWK: "setDemonstratingProofOfPossessionJwk",
 	GET_DPOP_JWK: "getDemonstratingProofOfPossessionJwk"
-}, at = {
+}, ct = {
 	ACCESS_TOKEN: "ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER",
 	REFRESH_TOKEN: "REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER",
 	NONCE_TOKEN: "NONCE_SECURED_BY_OIDC_SERVICE_WORKER",
 	CODE_VERIFIER: "CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER"
-}, ot = "DPOP_SECURED_BY_OIDC_SERVICE_WORKER", st = {
+}, lt = "DPOP_SECURED_BY_OIDC_SERVICE_WORKER", ut = {
 	TAB_ID: "oidc.tabId.",
 	STATE: "oidc.state.",
 	NONCE: "oidc.nonce.",
 	CODE_VERIFIER: "oidc.code_verifier.",
 	LOGIN_PARAMS: "oidc.login.",
 	SW_VERSION_MISMATCH_RELOAD: "oidc.sw.version_mismatch_reload."
-}, ct = "oidc.sw.controllerchange_reload_count", lt = (e, t) => `${e}${t}`, ut = (e, t, n = "default") => `${e}_${t}#tabId=${n}`, dt = (e, t = "default") => `${ot}_${e}#tabId=${t}`, ft = (e) => typeof e == "string" ? Object.values(it).includes(e) : !1;
+}, dt = "oidc.sw.controllerchange_reload_count", ft = (e, t) => `${e}${t}`, pt = (e, t, n = "default") => `${e}_${t}#tabId=${n}`, mt = (e, t = "default") => `${lt}_${e}#tabId=${t}`, ht = (e) => typeof e == "string" ? Object.values(st).includes(e) : !1;
 //#endregion
-export { ot as DPOP_TOKEN_PLACEHOLDER_PREFIX, nt as OidcClient, O as OidcLocation, rt as PROTOCOL_VERSION, st as STORAGE_KEY_PREFIX, ct as SW_CONTROLLER_CHANGE_RELOAD_COUNT_KEY, it as ServiceWorkerMessageType, at as TOKEN_PLACEHOLDERS, F as TokenAutomaticRenewMode, U as TokenRenewMode, dt as buildDpopSecuredPlaceholder, ut as buildSecuredTokenPlaceholder, lt as buildStorageKey, ke as getFetchDefault, M as getParseQueryStringFromLocation, ve as getPath, ft as isServiceWorkerMessageType, tt as signalServiceWorkerAsync };
+export { lt as DPOP_TOKEN_PLACEHOLDER_PREFIX, at as OidcClient, D as OidcLocation, k as OidcStateError, O as OidcStateErrorCode, ot as PROTOCOL_VERSION, ut as STORAGE_KEY_PREFIX, dt as SW_CONTROLLER_CHANGE_RELOAD_COUNT_KEY, st as ServiceWorkerMessageType, ct as TOKEN_PLACEHOLDERS, I as TokenAutomaticRenewMode, U as TokenRenewMode, mt as buildDpopSecuredPlaceholder, pt as buildSecuredTokenPlaceholder, ft as buildStorageKey, je as getFetchDefault, N as getParseQueryStringFromLocation, be as getPath, le as isOidcStateError, ht as isServiceWorkerMessageType, it as signalServiceWorkerAsync };