@civic/auth 0.0.1-beta.3 → 0.0.1-beta.31

package/src/types.ts

@@ -0,0 +1,227 @@
+import type { TokenResponseBody } from "oslo/oauth2";
+import type { JWT } from "oslo/jwt";
+
+type UnknownObject = Record<string, unknown>;
+type EmptyObject = Record<string, never>;
+
+// Display modes for the auth flow
+type DisplayMode = "iframe" | "redirect" | "new_tab" | "custom_tab";
+
+// Combined Auth and Session Service
+interface AuthSessionService {
+  // TODO DK NOTES: Should be in BrowserAuthSessionService, not relevant on backend
+  loadAuthorizationUrl(
+    authorizationURL: string,
+    displayMode: DisplayMode,
+  ): void;
+  // TODO DK NOTES: overrideDisplayMode parameter not appropriate here - also - do we need both this and the above in the interface?
+  getAuthorizationUrl(
+    scopes: string[],
+    overrideDisplayMode: DisplayMode,
+    nonce?: string,
+  ): Promise<string>;
+  // TODO DK NOTES: display mode should be in browser version only. Also, do we need this and the above two in the top-level interface?
+  signIn(
+    displayMode: DisplayMode,
+    scopes: string[],
+    nonce?: string,
+  ): Promise<void>;
+  // TODO DK NOTES: Input should be an auth code - do not assume it comes via an url
+  tokenExchange(responseUrl: string): Promise<SessionData>;
+  // TODO DK NOTES: Should be async for flexibility
+  getSessionData(): SessionData;
+  // TODO DK NOTES: Should be async for flexibility
+  updateSessionData(data: SessionData): void;
+  getUserInfoService(): Promise<UserInfoService>;
+}
+
+// Token Service
+interface TokenService {
+  exchangeCodeForTokens(authCode: string): Promise<Tokens>;
+  validateIdToken(idToken: string, nonce: string): boolean;
+  refreshAccessToken(refreshToken: string): Promise<Tokens>;
+}
+
+// User Info Service
+interface UserInfoService {
+  getUserInfo<T extends UnknownObject>(
+    accessToken: string,
+    idToken: string | null,
+  ): Promise<User<T> | null>;
+}
+
+// Resource Service
+interface ResourceService {
+  getProtectedResource(accessToken: string): Promise<unknown>;
+}
+
+// Auth Request (for internal use in AuthSessionService)
+type AuthRequest = {
+  clientId: string;
+  redirectUri: string;
+  state: string;
+  nonce: string;
+  scope: string;
+};
+
+type Endpoints = {
+  jwks: string;
+  auth: string;
+  token: string;
+  userinfo: string;
+  challenge?: string;
+};
+
+type Config = {
+  oauthServer: string;
+  endpoints?: Endpoints;
+};
+
+type SessionData = {
+  authenticated: boolean; // TODO can this be inferred from the presence of the tokens?
+  state?: string;
+  accessToken?: string;
+  refreshToken?: string;
+  idToken?: string;
+  timestamp?: number;
+  expiresIn?: number;
+  codeVerifier?: string;
+  displayMode?: DisplayMode;
+  openerUrl?: string;
+};
+
+type OIDCTokenResponseBody = TokenResponseBody & { id_token: string };
+
+type ParsedTokens = {
+  id_token: JWTPayload;
+  access_token: JWTPayload;
+  refresh_token?: string;
+};
+
+// The format we expose to the frontend via hooks
+type ForwardedTokens = Record<
+  string,
+  {
+    idToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+  }
+>;
+
+// The format in the JWT payload
+type ForwardedTokensJWT = Record<
+  string,
+  {
+    id_token?: string;
+    access_token?: string;
+    refresh_token?: string;
+    scope?: string;
+  }
+>;
+
+type JWTPayload = JWT["payload"] & {
+  iss: string;
+  aud: string;
+  sub: string;
+  iat: number;
+  exp: number;
+};
+
+type IdTokenPayload = JWTPayload & {
+  forwardedTokens?: ForwardedTokensJWT;
+  email?: string;
+  name?: string;
+  picture?: string;
+  nonce: string;
+  at_hash: string;
+};
+
+type IdToken = Omit<JWT, "payload"> & {
+  payload: IdTokenPayload;
+};
+
+type Tokens = {
+  idToken: string;
+  accessToken: string;
+  refreshToken: string;
+  forwardedTokens: ForwardedTokens;
+};
+
+// Base user interface
+type BaseUser = {
+  id: string;
+  email?: string;
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+  picture?: string;
+  updated_at?: Date;
+};
+
+type User<T extends UnknownObject = EmptyObject> = BaseUser &
+  Partial<Tokens> &
+  T;
+
+type OpenIdConfiguration = {
+  authorization_endpoint: string;
+  claims_parameter_supported: boolean;
+  claims_supported: string[];
+  code_challenge_methods_supported: string[];
+  end_session_endpoint: string;
+  grant_types_supported: string[];
+  issuer: string;
+  jwks_uri: string;
+  authorization_response_iss_parameter_supported: boolean;
+  response_modes_supported: string[];
+  response_types_supported: string[];
+  scopes_supported: string[];
+  subject_types_supported: string[];
+  token_endpoint_auth_methods_supported: string[];
+  token_endpoint_auth_signing_alg_values_supported: string[];
+  token_endpoint: string;
+  id_token_signing_alg_values_supported: string[];
+  pushed_authorization_request_endpoint: string;
+  request_parameter_supported: boolean;
+  request_uri_parameter_supported: boolean;
+  userinfo_endpoint: string;
+  claim_types_supported: string[];
+};
+
+type LoginPostMessage = {
+  source: string;
+  type: string;
+  clientId: string;
+  data: {
+    url: string;
+  };
+};
+export type {
+  LoginPostMessage,
+  AuthSessionService,
+  TokenService,
+  UserInfoService,
+  ResourceService,
+  AuthRequest,
+  Tokens,
+  Endpoints,
+  Config,
+  SessionData,
+  OIDCTokenResponseBody,
+  ParsedTokens,
+  BaseUser,
+  User,
+  DisplayMode,
+  UnknownObject,
+  EmptyObject,
+  ForwardedTokens,
+  ForwardedTokensJWT,
+  JWTPayload,
+  IdTokenPayload,
+  IdToken,
+  OpenIdConfiguration,
+};
+
+export interface AuthStorage {
+  get(key: string): Promise<string | null>;
+  set(key: string, value: string): Promise<void>;
+}

package/src/utils.ts

@@ -0,0 +1,58 @@
+/**
+ * Checks if a popup window is blocked by the browser.
+ *
+ * This function attempts to open a small popup window and then checks if it was successfully created.
+ * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.
+ *
+ * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.
+ */
+const isPopupBlocked = (): boolean => {
+  // First we try to open a small popup window. It either returns a window object or null.
+  const popup = window.open("", "", "width=1,height=1");
+
+  // If window.open() returns null, popup is definitely blocked
+  if (!popup) {
+    return true;
+  }
+
+  try {
+    // Try to access a property of the popup to check if it's usable
+    if (typeof popup.closed === "undefined") {
+      throw new Error("Popup is blocked");
+    }
+  } catch {
+    // Accessing the popup's properties throws an error if the popup is blocked
+    return true;
+  }
+
+  // Close the popup immediately if it was opened
+  popup.close();
+  return false;
+};
+
+// This type narrows T as far as it can by:
+// - removing all keys where the value is `undefined`
+// - making keys that are not undefined required
+// So, for example: given { a: string | undefined, b: string | undefined },
+// if you pass in { a: "foo" }, it returns an object of type: { a: string }
+type WithoutUndefined<T> = {
+  [K in keyof T as undefined extends T[K] ? never : K]: T[K];
+};
+export const withoutUndefined = <T extends { [K in keyof T]: unknown }>(
+  obj: T,
+): WithoutUndefined<T> => {
+  const result = {} as WithoutUndefined<T>;
+
+  for (const key in obj) {
+    if (obj[key] !== undefined) {
+      // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>
+      // We use type assertion here
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (result as any)[key] = obj[key];
+    }
+  }
+
+  return result;
+};
+
+export { isPopupBlocked };

package/test/integration/sdk.test.tsx

@@ -0,0 +1,266 @@
+import React from "react";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { OAuth2Client } from "oslo/oauth2";
+import { useAuth, useUser } from "@/reactjs/hooks/index.js";
+import { CivicAuthProvider } from "@/reactjs/providers/index.js";
+import {
+  render,
+  screen,
+  act,
+  fireEvent,
+  waitFor,
+} from "@testing-library/react";
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
+import "@testing-library/jest-dom";
+import * as jose from "jose";
+import tokensFixture from "../support/tokens.json";
+import * as oauthLib from "@/lib/oauth.js";
+import type { JWTVerifyResult, ResolvedKey } from "jose";
+
+const validTokens = { ...tokensFixture.local.validTokens };
+// Mock Component to test OAuth flow with useAuth
+const MockOAuthComponent = () => {
+  const { signIn, isAuthenticated } = useAuth();
+  const { user } = useUser();
+
+  const handleLogin = async () => {
+    try {
+      await signIn("redirect");
+      alert("Login Redirect Initiated");
+    } catch {
+      alert("Login Failed");
+    }
+  };
+
+  return (
+    <div>
+      <button onClick={handleLogin}>Login</button>
+      {user && (
+        <p data-testid="user-email">
+          User:
+          {user.email}
+        </p>
+      )}
+      {isAuthenticated && (
+        <p data-testid="session">Session authenticated:true</p>
+      )}
+    </div>
+  );
+};
+
+describe("OAuth login", () => {
+  const clientId = "test-client-id";
+  let mockOAuth2Client: OAuth2Client;
+  let originalWindowLocation: Location;
+  afterEach(vi.clearAllMocks);
+
+  vi.spyOn(oauthLib, "getOauthEndpoints").mockResolvedValue({
+    auth: "http://localhost:3001/oauth/auth",
+    token: "http://localhost:3001/oauth/token",
+    jwks: "http://localhost:3001/oauth/jwks",
+    userinfo: "http://localhost:3001/oauth/userinfo",
+  });
+  vi.mock("oslo/oauth2", () => ({
+    OAuth2Client: vi.fn(),
+    generateCodeVerifier: vi.fn(() => "mock-code-verifier"),
+    generateState: vi.fn(() => "mock-state"),
+  }));
+
+  vi.mock("jose", () => ({
+    jwtVerify: vi.fn(),
+    createRemoteJWKSet: vi.fn(),
+  }));
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.resetModules();
+
+    // Setup mock implementations
+    mockOAuth2Client = {
+      createAuthorizationURL: vi.fn(),
+      validateAuthorizationCode: vi.fn(),
+      refreshAccessToken: vi.fn(),
+      clientId: "test-client-id",
+    } as unknown as OAuth2Client;
+    vi.mocked(OAuth2Client).mockImplementation(() => mockOAuth2Client);
+
+    // Setup jose mocks
+    const mockJWKS = {
+      getKey: vi.fn().mockResolvedValue({ alg: "RS256" }),
+    };
+    vi.mocked(jose.createRemoteJWKSet).mockReturnValue(mockJWKS as any);
+    vi.mocked(jose.jwtVerify).mockResolvedValue({
+      payload: { sub: "user123", name: "Test User", email: "test@example.com" },
+      protectedHeader: { alg: "RS256" },
+    } as unknown as JWTVerifyResult<unknown> & ResolvedKey);
+
+    originalWindowLocation = window.location;
+    window.location = { href: "" } as Location;
+    global.alert = vi.fn();
+    // Mock window.open to prevent errors.
+    vi.spyOn(window, "open").mockReturnValue(null);
+  });
+
+  afterEach(() => {
+    window.location = originalWindowLocation;
+  });
+
+  it("should set the correct auth url for login with redirect", async () => {
+    const windowAssign = vi.fn();
+    const redirectUri = "http://localhost:3001/callback";
+
+    vi.mocked(mockOAuth2Client.createAuthorizationURL).mockResolvedValue(
+      new URL(
+        "http://localhost:3001/oauth/auth?response_type=code&client_id=" +
+          clientId +
+          "&redirect_uri=" +
+          encodeURIComponent(redirectUri) +
+          "&scope=openid%20profile%20email&state=mock-state&code_challenge=mock-code-challenge&code_challenge_method=S256",
+      ),
+    );
+
+    window.location = {
+      ...originalWindowLocation,
+      assign: windowAssign,
+      replace: vi.fn(),
+      reload: vi.fn(),
+    };
+
+    const queryClient = new QueryClient();
+    render(
+      <QueryClientProvider client={queryClient}>
+        <CivicAuthProvider
+          clientId={clientId}
+          redirectUrl={redirectUri}
+          config={{
+            oauthServer: "http://localhost:3001",
+          }}
+        >
+          <MockOAuthComponent />
+        </CivicAuthProvider>
+      </QueryClientProvider>,
+    );
+
+    // Trigger the login button click, which initiates the OAuth flow
+    await act(async () => {
+      fireEvent.click(screen.getByText("Login"));
+    });
+
+    // Confirm that the sdk set the window.location.href to the auth url
+    const url = new URL(window.location.href);
+    expect(url.origin + url.pathname).toEqual(
+      "http://localhost:3001/oauth/auth",
+    );
+    expect(url.searchParams.get("response_type")).toEqual("code");
+    expect(url.searchParams.get("client_id")).toEqual(clientId);
+    expect(url.searchParams.get("redirect_uri")).toEqual(redirectUri);
+    expect(url.searchParams.get("scope")).toEqual("openid profile email");
+    expect(url.searchParams.get("state")).toBeTruthy(); // Ensure state is present
+    expect(url.searchParams.get("code_challenge")).toBeTruthy(); // Ensure code_challenge is present
+    expect(url.searchParams.get("code_challenge_method")).toEqual("S256");
+    expect(screen.queryByTestId("session")).not.toBeInTheDocument();
+  });
+
+  it("should initiate code exchange, validate tokens, and derive user from ID token", async () => {
+    const queryClient = new QueryClient();
+    const redirectUri = "http://localhost:3001/callback";
+
+    // Mock ID token with user information
+    const mockIdToken = validTokens.idToken;
+    const mockAccessToken = validTokens.accessToken;
+
+    // Mock oslo token exchange
+    const mockTokens = {
+      access_token: mockAccessToken,
+      id_token: mockIdToken,
+      refresh_token: "mock-refresh-token",
+      expires_in: 3600,
+    };
+    vi.mocked(mockOAuth2Client.validateAuthorizationCode).mockResolvedValue(
+      mockTokens,
+    );
+
+    // Prime storage and simulate redirect
+    await act(async () => {
+      localStorage.setItem(
+        "civic-auth:test-client-id",
+        JSON.stringify({
+          authenticated: false,
+          state: "mock-state",
+          codeVerifier: "mock-code-verifier",
+          displayMode: "redirect",
+        }),
+      );
+      window.location.pathname = "test-pathName";
+
+      // Configure window.location to simulate redirect
+      Object.defineProperty(window, "location", {
+        value: {
+          ...window.location,
+          origin: "http://mock-origin",
+        },
+        writable: true,
+      });
+      window.location.href = `${redirectUri}?code=test-code&state=mock-state`;
+
+      // Render the AuthProvider with the mock OAuth component
+      render(
+        <QueryClientProvider client={queryClient}>
+          <CivicAuthProvider
+            clientId={clientId}
+            redirectUrl={redirectUri}
+            config={{
+              oauthServer: "http://localhost:3001",
+            }}
+          >
+            <MockOAuthComponent />
+          </CivicAuthProvider>
+        </QueryClientProvider>,
+      );
+    });
+
+    expect(mockOAuth2Client.validateAuthorizationCode).toHaveBeenCalledWith(
+      "test-code",
+      {
+        codeVerifier: "mock-code-verifier",
+      },
+    );
+
+    // Check that jose.jwtVerify was called for id_token validation
+    await waitFor(() => {
+      expect(jose.jwtVerify).toHaveBeenCalledWith(
+        mockIdToken,
+        expect.any(Object),
+        {
+          issuer: ["http://localhost:3001", "http://localhost:3001/"],
+          audience: clientId,
+        },
+      );
+    });
+
+    // Check that jose.jwtVerify was called for access_token validation
+    await waitFor(() => {
+      expect(jose.jwtVerify).toHaveBeenCalledWith(
+        mockAccessToken,
+        expect.any(Object),
+        {
+          issuer: ["http://localhost:3001", "http://localhost:3001/"],
+        },
+      );
+    });
+
+    // Check that the authenticated flag is set in the session
+    await waitFor(() => {
+      expect(screen.queryByTestId("session")).toHaveTextContent(
+        "Session authenticated:true",
+      );
+    });
+
+    // Check that the user info derived from the ID token is displayed
+    await waitFor(() => {
+      expect(screen.queryByTestId("user-email")).toHaveTextContent(
+        "User:ghost@civic.com",
+      );
+    });
+  });
+});

package/test/support/fixtures.ts

@@ -0,0 +1,56 @@
+const oauthWellKnownResponse = {
+  authorization_endpoint: "https://auth-dev.civic.com/oauth/auth",
+  claims_parameter_supported: false,
+  claims_supported: [
+    "sub",
+    "forwardedTokens",
+    "email",
+    "name",
+    "family_name",
+    "picture",
+    "login_method",
+    "sid",
+    "auth_time",
+    "iss",
+  ],
+  code_challenge_methods_supported: ["S256"],
+  end_session_endpoint: "https://auth-dev.civic.com/oauth/session/end",
+  grant_types_supported: ["implicit", "authorization_code", "refresh_token"],
+  issuer: "https://auth-dev.civic.com/oauth/",
+  jwks_uri: "https://auth-dev.civic.com/oauth/jwks",
+  authorization_response_iss_parameter_supported: true,
+  response_modes_supported: ["form_post", "fragment", "query"],
+  response_types_supported: ["code id_token", "code", "id_token", "none"],
+  scopes_supported: [
+    "openid",
+    "offline_access",
+    "forwardedTokens",
+    "email",
+    "profile",
+  ],
+  subject_types_supported: ["public"],
+  token_endpoint_auth_methods_supported: [
+    "client_secret_basic",
+    "client_secret_jwt",
+    "client_secret_post",
+    "private_key_jwt",
+    "none",
+  ],
+  token_endpoint_auth_signing_alg_values_supported: [
+    "HS256",
+    "RS256",
+    "PS256",
+    "ES256",
+    "EdDSA",
+  ],
+  token_endpoint: "https://auth-dev.civic.com/oauth/token",
+  id_token_signing_alg_values_supported: ["PS256", "RS256"],
+  pushed_authorization_request_endpoint:
+    "https://auth-dev.civic.com/oauth/request",
+  request_parameter_supported: false,
+  request_uri_parameter_supported: false,
+  userinfo_endpoint: "https://auth-dev.civic.com/oauth/me",
+  claim_types_supported: ["normal"],
+};
+
+export { oauthWellKnownResponse };

package/test/support/tokens.json

@@ -0,0 +1,26 @@
+{
+    "local": {
+        "validTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImNpdmljLWF1dGgtdG9rZW4tc2lnbmVyLWtleSJ9.eyJzdWIiOiIzMzZmNDQ1Zi1hZjcxLTQxYzYtODNlZC00NjJhY2ZiNTU1YjYiLCJlbWFpbCI6Imdob3N0QGNpdmljLmNvbSIsImZvcndhcmRlZFRva2VucyI6eyJkdW1teSI6eyJhY2Nlc3NfdG9rZW4iOiIiLCJleHBpcmVzX2luIjozNjAwLCJpZF90b2tlbiI6ImV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SW10bGVYTjBiM0psTFVOSVFVNUhSUzFOUlNKOS5leUp6ZFdJaU9pSjBaWE4wSWl3aVlYUmZhR0Z6YUNJNklrcEdVbkZRZUhsZmJGYzFVaTFIV0dabE9Ia3lja0VpTENKaGRXUWlPaUp0ZVMxamJHbGxiblFpTENKbGVIQWlPakUzTWprd05qZ3hOVFVzSW1saGRDSTZNVGN5T1RBMk5EVTFOU3dpYVhOeklqb2lhSFIwY0RvdkwyeHZZMkZzYUc5emREbzVNRGt3SW4wLm11TGg2T2s0YVIyb0V3RC1yUFZXck5RY24xMFZqSjVmN0hUUHVNSk50NFBFVUEyVkttZnRKdHdEOXB5WVVNUngybkhHaWRIMVIyemhwbUpWclVUaDl4SDVpNkQxckx5VHA2UXFTbm9RQ1lYTFA3bzdJRWdLcTkta1R0TUhWS2t1LU1qX2FvNk05TUFaN3llYnpCR3dJcHVYcFRZY3JwMC1EQVZLSW94LVV1b0lfSkljbURWSExtbjJfUEhMZ0Z1Y3ctMTlVZFgyYUlTM19kSDRqQ01CLXp4Y0xGTmV6SlVfV1BRVTNYUEhyQk83M3lMWTU2NmEyb1RVczV3Tkh4bWJKOXdBWXJSRHJSQVBrcml2R2s1WEhNSG5RX21OUlUxNGhSc2N3Y25vOC1NZnNlZlRHc1JsbDdSRXpiaUFWUzZjY2hHV0ItVXJJWk92R0p6UjFlZGRjQSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIn19LCJub25jZSI6IjEyMzQ1Njc4OTAiLCJhdF9oYXNoIjoiVFZjelNRMERIeElHY2t1VzducDYydyIsImF1ZCI6ImRlbW8tY2xpZW50LTEiLCJleHAiOjE3MjkwNjgxNTYsImlhdCI6MTcyOTA2NDU1NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAxIn0.NNvOtkls3wjivcCWYanqWr8_cHzf7by2_6mSF_qeNqJ8zt7ZPmKh2R6WbnrlYVsym0sMYueR9m_bDGsNZNrwXGPABz4ff7TV5LH8LO1W_fdPemMBlIDdRwc0DZx7BUIKqwvciQ1lHx-2xv-6gH7TZVX7Dwvv-zArLpLkmzrec4EV0Wyn-WYAZFqMMpPvEUCCxkp_AWMh9P8ax3ExSHPAMu5_skJo1nJTK5lri3DNU31IuXvLz2JFYusDViFDwu5wx_TSC1S-hsRQd_aK_wGGifqfuwuGRX43ZEDqRcB5lgBAfc8v1kxYu5HhF07C63zMLZjJg66pGBHwNWp5r-Q4K-2xBXDU6TP-4YYikvwqIOjlRiz_RP_kEBrioqNRvwk8SU2laJ7g7st_4q86RiXPS4uN31o5eDSCiM5dd0OdC2IUZorC5pMym-IzuHEJhWr68psczj3dUKxbLbuoH-827CQt-8Vv8znfS7ck8I0YDXjVSKhBYXoCnzXpwJ-c9OcPIbquTQrqeogGqTlA6Nt-23rC7Ave8xOcRQZrJ1Ec5c5eD_4MoSYw3q90b6AT6U3tY3ewYQMdg4Ro9x-hFu7uCuurDZgnyugpM7dBATaFfR3ar9nRtdMyPrU2LhEeZS2iwSvP7wuWJpIkjxFy3znFrsFBTa_WbD0BJSOfl1j5G94",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImNpdmljLWF1dGgtdG9rZW4tc2lnbmVyLWtleSJ9.eyJqdGkiOiJjS2xCVW1jZW0tVjE3RzM4N1AyTUIiLCJzdWIiOiIzMzZmNDQ1Zi1hZjcxLTQxYzYtODNlZC00NjJhY2ZiNTU1YjYiLCJpYXQiOjE3MjkwNjQ1NTYsImV4cCI6MTcyOTA2ODE1NiwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMSIsImF1ZCI6ImNpdmljIn0.gsX--7GtdF1JYQi5Spt6GfcvZ_8EZxkpO8GljfoXJw-cRYhP98-w9IADZBn87ekH914pnUTxp1x_oLhTWGBrR_yMsHRYim_gkVv8t-dnOEAR4IzDByG7kd58TM_blbY-yma0Cb-O3XRGgrdkvw2PjMeHfTSl3tlYx0c47PS8WegOkYkQcfyPUUNEsUFA8e5qzmkMCdwFWHaox-fQaaNpFrO0wCRWOvYr3vFnrLU87Ds7AOaurZUYaFgxqcMsg3zhZXB2pslqS2p9pmQO3Yi0m8-ntX5P18TWX6oOdBbOLqJX3R5s2GAAm9tYJOeBz-JpTucmn4OaL3OyJvIZqM-7EAVtHdnVYUjzGarNu4_b-rcj66mkSNBbquqjAmRBQ5nnRMkmWZxkf6BKgOwmuONLaU4soZEc_AUNtcKIRzbYmBvrgBlPZr5lvkSKIynKlDCbhsB7O_yBRijVesQrau5ReUcXdbJMRj1U5goBnWXV8y8xZFVKwJvx5WdQVUz2tjmtTO8xMK0ORcWdJShIzlhvQrUsjuiFKWytlbRckIdrllsNLfTFbIvQLa9Pmi-FgrJtm-wD3RoHlNgtjGiHjN-YfWCauTcSn9Xd8TbjIc8D43LuRR2Oh3c78GrEVerbnmTjXh6UFZ6ZXkrkarVst8KQMtPiUo9_DdtJP6ghXLXdo6A"
+        },
+        "expiredTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjoxNjk3OTU5OTI1LCJpYXQiOjE2NjY0MjM5MjUsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyJ9.MO0IdxEyNiOq4E5QdtpfSbnXQKiN8euC2ac0E0VWggUP4o5yoz29gqAzETP_omvOBfOn4hJjXTDPGqKXKg-Lz-oLdzF71aztskCerwDuB5PdqyCGMS9Qa2j40FTJ7RkuBG9PISUpGWYfZ28q7u94h8GyWtqRtPAF2aPD1rvckk-WTXLeMqEWtfEy0yCJ4MvEwp6MUgeb7EwRKUZ_cuVCE5Xm8rNebO9b2I3Jqdg8cNNyAxEYkWERBcfFtOfaQYD_8DNJvpNpJvZXAowaab7dzNgGBAxhTQ7s4S9h-Ly2nQIAIpbff_A4baI6rOqWfFxdzrxcFt34x0S_90Z3MXNziAb-ocG0WkPewRm0hvrF4E-zFTM4guTvtol0cKw9qWLb_JE-Idm9Zq-abkOS6FvM2E0j1iqKjT1GqM_EhOdIMzOidqxlls5v2UaaJ34PvR_1yTopm6Lguhr6uX3CW_F4A5tGAxsReeUDdGQAhkPYqZp8zjPUxjCA3cJEnMSGWHgqiBJ5lCLeH-SaccT828pSqYL8FrN0Qts3ILaElVVECHiWhN90lGaBSPw8pn19odH70wH651C2eonWKAKQMpNheGmyjrGE8n0jPwz-p-8ISp5H793wlWiTH2ay33METj0Vbgg-G1p1xcWD5WR4X-uyH1f-iNupvVNYn8mf0iPxM-I",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJleHAiOjE2OTc5NTk5MjUsImlhdCI6MTY2NjQyMzkyNSwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyIsImF1ZCI6ImNpdmljIn0.HxnjNL8P7K0WHoCQXpvbxtu_yTrcdudj4GI4fjQZEoVXJ14IkssKUa3aJGWZ2vJkxqIogoLmywYFBjvLZqcc1vo3Q-aLlVEb7EkjsQU4Qo8BMsJ0ZS2_4cDewt9WBUrMA-fDy3UwgoxHlM5OCjQ5lKAPLLm2FJDJ-djFOf_z0le9FOZ4MqkU7u_lc57e0jdCwSZmIRIU5DPX90jh-p2r8OxBwRorjAwuiiu59wTtYyEpfdicSwb7mM7hM6nFp-zl14ogWGCiW20_Lx0sz-1EfzUgw-rH2xW5R_QDUQtHJ15Pq0mtck77i608y2IElnQgwYlmSmn7gpSUoNB7Bh7cBckRfV1YHh8CoReQOKjtfCbhZYVdFDuuUaIEYmI_E9W-C4BKWJkdtX3kCy576jCx15-N7VBzVYIpkOVHHeZdRkMLVJCts2W84it0lCXgMg7KfOcuv8Lzqj_IrSBmP6jgKiOhWJ0eWQLrKGBKOS5IxhK6kyQjZSKy8Yj-N_iBt1PP4e-EWBL2jlQ81ycm4_qgUmiADryUVRchUUAyT-y5TD_LTb2gu-7h_ElKFJ_9scWjxn-SguJi2ObYaFqTes9cNtMFLP3mi9wHhlCngb5_Bw1goV0XHR1H-PSX-XOQ0MzTK7KA8uT1PHbRCsHEFkjMaZgWEwfxTqXVt2LzT6PH_Qs"
+        }
+    },
+    "dev": {
+        "validTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjozMjUyODU5NDc1NCwiaWF0IjoxNzI5MDY2NTY4LCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8ifQ.vRQtCQqzV_m62rClHrOtiV7C2zBDOp6h51IgPvlX4-z9x5BDmgckZpNfxPo-Skl7Un5HwTmnqfEyrdsIUScI86Nf_jVt6oEwM1YE2PwygHPW6oE4-Nlipcpll7zNaQQTBVpfuz1bEC7xRqM3quH-RT_hEB4em8YrN0uIBtPrBJ3JpzSnjrLkdziLiSQbejYMLM69WCRCc0pT1V8oBRWxq3fd6s71ajZ8X-KIf5p5Nc24FzidK6X3Yb7pD9sq8BlqbGIDpdXJXNCPJz8kpN9AiggAJUpYeNV2zi0rm5O5-C8UHwOVkAd7SCc_rBxoUxJ9K8B_RX3mo0wKzjY_BVLrvba4R9Nbl5JYkaWPnvKaZDEebjdb3eHdljeomEtP1uYNOqTGqY0Pj8312WNjC6-HtDQFevzmZKYqLtExGuGMuj81V9QUO_SAWzPKZ_wgscJzdR_lFgCqL2uOE0CL6LcnXefyqiMMtsIh2BuBKBJHzCmBf26ezaOuR_hRH4wbJ2rawiqSInhwedeHC1MoVsEWcjealUJspWCfbTqGF-ewTmRAvXffkNjOiQNtclt63ap9gbE89tsNlG_TFICbHFAbn4rNTq6e1gpgke1Ouf9ex1UXrZb9HdfeN5o9-7IsPlEWblkxDKxqcj6YAukETfW7wYzt4tV_sxqO_uxiHhczRU8",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJpYXQiOjE3MjkwNjY1NjgsImV4cCI6MzI1Mjg1OTQ3NTQsImNsaWVudF9pZCI6ImRlbW8tY2xpZW50LTEiLCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8iLCJhdWQiOiJjaXZpYyJ9.CzQ_WXqFobV_fafE3K2dIUttvcFDxOGMT_GnUmdyg5HLB1MRCQYZItwZof_h-LdQp8suo4XyneclOJnQhCzlmDjOcEZOns_joh91t-zDX1jXIQNqC_evpzvfr5Rubz26gsKljk642ru0gkaH8cLHPJx3jgvtBrQzbLbzKJZRIhWqthrqdcKHKeUxN6g-LAFqQG7d-tP6cL_X1Q29IBpJ49SkpYFEDslLwQ_LU5zal_k-2tEyU6DfoFWB9hbNfBQy16SJzgDBDnZ3DadDSRjpXBwRa7m9ALa3A_qVln3K4wuTR46LFDqMKNAqf_sfy5tIJ6Zja5ehwxqmMwXtHomZY9OtfHDE511AZ6wGSagEpexe3eV-2TVwTvJBZnqfeLnnzlF9Z6qqq65lJ5XhO34Ylxnt-kqLqPOPwp-rYCJna-tUsEKAokkqKnHf2FycMQAaBx0grk5yyD2Y4CttlCfbdehoFSyWtTFvkjkk7MebLXqvMbqxXSmKaBn7Of0W6E9Qs6nJ5gWMaVuD9gc2H-BvQAQBUSYpl0TB_yPJKbiRb03HvvgZUdgB9XI9e5YFSMA0K_0SPtx4AgSLH2Coz-NxwLUtP22PUTNmm-04r8Sj0SVWw9w9mW4YXU3U4BGI_0fmIW3BMGgDk_9ghsumaNYKSe1P4qFLqh2jqEov0MagLck"
+        },
+        "differentSignerTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjozMjUyODU5NDc1NCwiaWF0IjoxNzI5MDY2NTY4LCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8ifQ.hEPfoJRHEttdCUttpFI1e5fVrPIboOsAqwNsnXR0ANpl9qJjbYgkwPhpTaoujCI2LoNmTNqTxdFuq19g03-EMIJCvfv2hi4NOSXCzk94EFumDLaKQNvSnyXBb3LolD45-OqRBUycvQcWgynRSCS_GaGncJ_qPfFarThwYuzRKF7XvBlQf7FbdnVAWwpuP9AU6dJDLZNJChm3wRrubsbMLzhtWbFhTAlrp7ACLoCkx6c3_IZs35Wcn-5DfdBRGYicrJvaqQ4xBTTLR0lE23VsLMPDAqgdcCOIduCobq6FuY8hAGkJwOZ-cW81KYrCGQn_47GDfaP_BsAUM4YblcCuAQ",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJpYXQiOjE3MjkwNjY1NjgsImV4cCI6MzI1Mjg1OTQ3NTQsImNsaWVudF9pZCI6ImRlbW8tY2xpZW50LTEiLCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmNpdmljLmNvbS9vYXV0aC8iLCJhdWQiOiJjaXZpYyJ9.VXHpr2yV7fk7ggPurT5zSlfcTrC6VfMGqt5KUi9bw3raetbwC7zdPNtNdcwLEGL1O-JvQB2JH6aDc24bLv6h2yyxNZufoq9LHQKZpJYEe6nEaeTIZkWG0TeKa1Kpj4Gq2C7ooNMPKdjb8hYu_4PN8uaB7z1jM55CLPr-SvSiOqpyZDDc92zShlYTGcUVKFUIM4mQ-vZv8064ck4L1ca0H3LvMegdiUg0WUcDttzcfRpqv9jw1g-CNGx4I-0Bqlb_EqGuY345-0_iH3AsMvFuhQn1SltYYrLLWm9drMpQh3YGtFGqu21Oz-geRrpfAmxRBF7fcgDC-0kwroP2ARymDw"
+        },
+        "expiredTokens": {
+            "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJlbWFpbCI6ImVkMjEyNTczLTgxMGEtNDliZS1iNzdiLTg2OWMyOWM2ZWRkZEBleGFtcGxlLmV4YW1wbGUiLCJmb3J3YXJkZWRUb2tlbnMiOnsiZHVtbXkiOnsiYWNjZXNzX3Rva2VuIjoidGVzdC1mb3J3YXJkZWQtYWNjZXNzLXRva2VuIiwiaWRfdG9rZW4iOiJ0ZXN0LWZvcndhcmRlZC1pZC10b2tlbiJ9fSwibm9uY2UiOiIxMjM0NTY3ODkwIiwiYXRfaGFzaCI6Ikh3T3JXdldWRV9UR3h3c2ZCN0NyRlEiLCJhdWQiOiJkZW1vLWNsaWVudC0xIiwiZXhwIjoxNjk3OTU5OTI1LCJpYXQiOjE2NjY0MjM5MjUsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyJ9.MO0IdxEyNiOq4E5QdtpfSbnXQKiN8euC2ac0E0VWggUP4o5yoz29gqAzETP_omvOBfOn4hJjXTDPGqKXKg-Lz-oLdzF71aztskCerwDuB5PdqyCGMS9Qa2j40FTJ7RkuBG9PISUpGWYfZ28q7u94h8GyWtqRtPAF2aPD1rvckk-WTXLeMqEWtfEy0yCJ4MvEwp6MUgeb7EwRKUZ_cuVCE5Xm8rNebO9b2I3Jqdg8cNNyAxEYkWERBcfFtOfaQYD_8DNJvpNpJvZXAowaab7dzNgGBAxhTQ7s4S9h-Ly2nQIAIpbff_A4baI6rOqWfFxdzrxcFt34x0S_90Z3MXNziAb-ocG0WkPewRm0hvrF4E-zFTM4guTvtol0cKw9qWLb_JE-Idm9Zq-abkOS6FvM2E0j1iqKjT1GqM_EhOdIMzOidqxlls5v2UaaJ34PvR_1yTopm6Lguhr6uX3CW_F4A5tGAxsReeUDdGQAhkPYqZp8zjPUxjCA3cJEnMSGWHgqiBJ5lCLeH-SaccT828pSqYL8FrN0Qts3ILaElVVECHiWhN90lGaBSPw8pn19odH70wH651C2eonWKAKQMpNheGmyjrGE8n0jPwz-p-8ISp5H793wlWiTH2ay33METj0Vbgg-G1p1xcWD5WR4X-uyH1f-iNupvVNYn8mf0iPxM-I",
+            "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJ0Wk9RdjQ0Unh2MzJ4dTJReElzTnEiLCJzdWIiOiIzZmJlM2QwMy0yZDM4LTRjZjgtYjAzNy1kZDVjMjdkOWFmODAiLCJleHAiOjE2OTc5NTk5MjUsImlhdCI6MTY2NjQyMzkyNSwiY2xpZW50X2lkIjoiZGVtby1jbGllbnQtMSIsImlzcyI6Imh0dHBzOi8vYXV0aC1kZXYuY2l2aWMuY29tL29hdXRoLyIsImF1ZCI6ImNpdmljIn0.HxnjNL8P7K0WHoCQXpvbxtu_yTrcdudj4GI4fjQZEoVXJ14IkssKUa3aJGWZ2vJkxqIogoLmywYFBjvLZqcc1vo3Q-aLlVEb7EkjsQU4Qo8BMsJ0ZS2_4cDewt9WBUrMA-fDy3UwgoxHlM5OCjQ5lKAPLLm2FJDJ-djFOf_z0le9FOZ4MqkU7u_lc57e0jdCwSZmIRIU5DPX90jh-p2r8OxBwRorjAwuiiu59wTtYyEpfdicSwb7mM7hM6nFp-zl14ogWGCiW20_Lx0sz-1EfzUgw-rH2xW5R_QDUQtHJ15Pq0mtck77i608y2IElnQgwYlmSmn7gpSUoNB7Bh7cBckRfV1YHh8CoReQOKjtfCbhZYVdFDuuUaIEYmI_E9W-C4BKWJkdtX3kCy576jCx15-N7VBzVYIpkOVHHeZdRkMLVJCts2W84it0lCXgMg7KfOcuv8Lzqj_IrSBmP6jgKiOhWJ0eWQLrKGBKOS5IxhK6kyQjZSKy8Yj-N_iBt1PP4e-EWBL2jlQ81ycm4_qgUmiADryUVRchUUAyT-y5TD_LTb2gu-7h_ElKFJ_9scWjxn-SguJi2ObYaFqTes9cNtMFLP3mi9wHhlCngb5_Bw1goV0XHR1H-PSX-XOQ0MzTK7KA8uT1PHbRCsHEFkjMaZgWEwfxTqXVt2LzT6PH_Qs"
+        }
+    }
+}