npm - @crossauth/common - Versions diffs - 0.0.1 - Mend

@crossauth/common 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/LICENSE +203 -0
package/dist/error.d.ts +168 -0
package/dist/error.d.ts.map +1 -0
package/dist/index.cjs +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.iife.js +1 -0
package/dist/index.js +1980 -0
package/dist/interfaces.d.ts +262 -0
package/dist/interfaces.d.ts.map +1 -0
package/dist/jwt.d.ts +25 -0
package/dist/jwt.d.ts.map +1 -0
package/dist/logger.d.ts +148 -0
package/dist/logger.d.ts.map +1 -0
package/dist/oauth/client.d.ts +475 -0
package/dist/oauth/client.d.ts.map +1 -0
package/dist/oauth/tokenconsumer.d.ts +115 -0
package/dist/oauth/tokenconsumer.d.ts.map +1 -0
package/dist/oauth/wellknown.d.ts +59 -0
package/dist/oauth/wellknown.d.ts.map +1 -0
package/package.json +32 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1980 @@
+var fe = Object.defineProperty;
+var G = (e) => {
+  throw TypeError(e);
+};
+var pe = (e, t, r) => t in e ? fe(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
+var a = (e, t, r) => pe(e, typeof t != "symbol" ? t + "" : t, r), Y = (e, t, r) => t.has(e) || G("Cannot " + r);
+var u = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), O = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), _ = (e, t, r, n) => (Y(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
+class k {
+}
+/** Ordinary, active user who can log in freely */
+a(k, "active", "active"), /** Deactivated account.  User cannot log in */
+a(k, "disabled", "disabled"), /** Two factor authentication has been actived for this user
+ * but has not yet been configured.  Once a user logs in,
+ * they will be directed to a page to configure 2FA and will
+ * not be able to do anything else (that requires login) until
+ * they have done so.
+ */
+a(k, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
+ * verified his or her email address.  Cannot log on until it has
+ * been verified.
+ */
+a(k, "awaitingEmailVerification", "awaitingemailverification"), /**
+ * If the state is set to this, the user may not access any
+ * login-required functions unless he or she has changed their password.
+ *
+ * Upon login, the user is redirected to the change password page.
+ */
+a(k, "passwordChangeNeeded", "passwordchangeneeded"), /**
+ * If the state is set to this, the user may not access any
+ * login-required functions unless he or she has reset their password.
+ *
+ * Upon login, the user is redirected to the reset password page.
+ */
+a(k, "passwordResetNeeded", "passwordresetneeded"), /**
+ * If the state is set to this, the user may not access any
+ * login-required functions unless he or she has reset their second
+ * factor configuration.
+ *
+ * Upon login, the user is redirected to the 2FA configuration page.
+ *
+ * If you create a user and 2FA is mandatory, you can set state to
+ * this value and the user will then be prompted to configure 2FA
+ * upon login.
+ */
+a(k, "factor2ResetNeeded", "factor2resetneeded"), /**
+ * If the state is set to this, the user may not access any
+ * login-required functions unless he or she has reset their password
+ * and then resets factor2.
+ *
+ * Upon login, the user is redirected to the reset password page.
+ */
+a(k, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
+class C {
+}
+/** Session ID */
+a(C, "session", "s:"), /** Password Reset Token */
+a(C, "passwordResetToken", "p:"), /** Email verification token */
+a(C, "emailVerificationToken", "e:"), /** API key */
+a(C, "apiKey", "api:"), /** OAuth authorization code */
+a(C, "authorizationCode", "authz:"), /** OAuth access token */
+a(C, "accessToken", "access:"), /** OAuth refresh token */
+a(C, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+a(C, "mfaToken", "omfa:"), /** Device code device code */
+a(C, "deviceCode", "dc:"), /** Device code flow user code */
+a(C, "userCode", "uc:");
+var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
+class g extends Error {
+  /**
+   * Creates a new error to throw,
+   *
+   * @param code describes the type of error
+   * @param message if provided, this error will display.  Otherwise a default one for the error code will be used.
+   */
+  constructor(r, n = void 0) {
+    let i, s = 500;
+    r == 0 ? (i = "User does not exist", s = 401) : r == 1 ? (i = "Password doesn't match", s = 401) : r == 3 ? (i = "Username or password incorrect", s = 401) : r == 4 ? (i = "Client id is invalid", s = 401) : r == 5 ? (i = "Client ID or name already exists", s = 500) : r == 6 ? (i = "Client secret is invalid", s = 401) : r == 7 ? (i = "Client id or secret is invalid", s = 401) : r == 8 ? (i = "Redirect Uri is not registered", s = 401) : r == 9 ? (i = "Invalid OAuth flow type", s = 500) : r == 2 ? (i = "No user exists with that email address", s = 401) : r == 10 ? (i = "Account is not active", s = 403) : r == 33 ? (i = "Username is not in an allowed format", s = 400) : r == 31 ? (i = "Email is not in an allowed format", s = 400) : r == 32 ? (i = "Phone number is not in an allowed format", s = 400) : r == 11 ? (i = "Email address has not been verified", s = 403) : r == 12 ? (i = "Two-factor setup is not complete", s = 403) : r == 13 ? (i = "Not authorized", s = 401) : r == 14 ? (i = "Client not authorized", s = 401) : r == 15 ? (i = "Invalid scope", s = 403) : r == 16 ? (i = "Insufficient scope", s = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", s = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", s = 401) : r == 18 ? (i = "You do not have permission to access this resource", s = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", s = 401) : r == 20 ? (i = "CSRF token is invalid", s = 401) : r == 21 ? (i = "Session cookie is invalid", s = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", s = 403) : r == 28 ? (i = "User must reset password", s = 403) : r == 29 ? (i = "User must reset 2FA", s = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", s = 401) : r == 35 ? (i = "Token is not valid", s = 401) : r == 36 ? (i = "MFA is required", s = 401) : r == 37 ? (i = "Password format was incorrect", s = 401) : r == 40 ? (i = "User already exists", s = 400) : r == 42 ? (i = "The request is invalid", s = 400) : r == 38 ? (i = "Session data has unexpected format", s = 500) : r == 39 ? (i = "Couldn't execute a fetch", s = 500) : r == 43 ? (i = "Waiting for authorization", s = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", s = 200) : r == 45 ? (i = "Token has expired", s = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", s = 500) : r == 47 ? (i = "This method has not been implemented", s = 500) : (i = "Unknown error", s = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
+    super(i);
+    /** `typeof` won't work on this class.  To determine if the
+     * object is a `CrossauthError`, check for presence of this member.
+     */
+    a(this, "isCrossauthError", !0);
+    /** The best HTTP status to report */
+    a(this, "httpStatus");
+    /** All Crossauth errors have an error code */
+    a(this, "code");
+    /** All Crossauth errors have an error code */
+    a(this, "codeName");
+    /** A vector of error messages.  If there was only one, it will still be in this array.
+     * The inherited property `message` is also always available.  If there were multiple messages,
+     * it will be a concatenation of them with `". "` in between.
+     */
+    a(this, "messages");
+    this.code = r, this.codeName = y[r], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
+  }
+  /**
+   * OAuth defines certain error types.  To convert the error in an OAuth
+   * response into a CrossauthError object, call this function.
+   *
+   * @param error as returned by an OAuth call (converted to an {@link @crossauth/common!ErrorCode}).
+   * @param error_description as returned by an OAuth call (put in the `message`)
+   * @returns a `CrossauthError` instance.
+   */
+  static fromOAuthError(r, n) {
+    let i;
+    switch (r) {
+      case "invalid_request":
+        i = 42;
+        break;
+      case "unauthorized_client":
+        i = 14;
+        break;
+      case "access_denied":
+        i = 13;
+        break;
+      case "unsupported_response_type":
+        i = 42;
+        break;
+      case "invalid_scope":
+        i = 15;
+        break;
+      case "server_error":
+        i = 48;
+        break;
+      case "temporarily_unavailable":
+        i = 23;
+        break;
+      case "invalid_token":
+        i = 35;
+        break;
+      case "expired_token":
+        i = 45;
+        break;
+      case "insufficient_scope":
+        i = 35;
+        break;
+      case "mfa_required":
+        i = 36;
+        break;
+      case "authorization_pending":
+        i = 43;
+        break;
+      case "slow_down":
+        i = 44;
+        break;
+      default:
+        i = 48;
+    }
+    return new g(i, n);
+  }
+  get oauthErrorCode() {
+    switch (this.code) {
+      case 42:
+        return "invalid_request";
+      case 14:
+        return "unauthorized_client";
+      case 13:
+        return "access_denied";
+      case 15:
+        return "invalid_scope";
+      case 23:
+        return "temporarily_unavailable";
+      case 35:
+        return "invalid_token";
+      case 36:
+        return "mfa_required";
+      case 43:
+        return "authorization_pending";
+      case 44:
+        return "slow_down";
+      case 45:
+        return "expired_token";
+      case 22:
+        return "expired_token";
+      default:
+        return "server_error";
+    }
+  }
+  /**
+   * If the passed object is a `CrossauthError` instance, simply returns
+   * it.
+   * If not and it is an object with `errorCode` in it, creates a
+   * CrossauthError from that and `errorMessage`, if present.
+   * Otherwise creates a `CrossauthError` object with {@link @crossauth/common!ErrorCode}
+   * of `Unknown` from it, setting the `message` if possible.
+   *
+   * @param e the error to convert.
+   * @returns  a `CrossauthError` instance.
+   */
+  static asCrossauthError(r, n) {
+    if (r instanceof Error)
+      return "isCrossauthError" in r ? r : new g(48, r.message);
+    if ("errorCode" in r) {
+      let s = 48;
+      try {
+        s = Number(r.errorCode) ?? 48;
+      } catch {
+      }
+      let o = n ?? y[s];
+      return "errorMessage" in r ? o = r.errorMessage : "message" in r && (o = r.message), new g(s, o);
+    }
+    let i = n ?? y[
+      48
+      /* UnknownError */
+    ];
+    return "message" in r && (i = r.message), new g(48, i);
+  }
+}
+function $e(e) {
+  return typeof e == "number" && (e = "" + e), e in B ? B[e] : B[500];
+}
+const B = {
+  200: "OK",
+  201: "Created",
+  202: "Accepted",
+  203: "Non-Authoritative Information",
+  204: "No Content",
+  205: "Reset Content",
+  206: "Partial Content",
+  300: "Multiple Choices",
+  301: "Moved Permanently",
+  302: "Found",
+  303: "See Other",
+  304: "Not Modified",
+  305: "Use Proxy",
+  306: "Unused",
+  307: "Temporary Redirect",
+  400: "Bad Request",
+  401: "Unauthorized",
+  402: "Payment Required",
+  403: "Forbidden",
+  404: "Not Found",
+  405: "Method Not Allowed",
+  406: "Not Acceptable",
+  407: "Proxy Authentication Required",
+  408: "Request Timeout",
+  409: "Conflict",
+  410: "Gone",
+  411: "Length Required",
+  412: "Precondition Required",
+  413: "Request Entry Too Large",
+  414: "Request-URI Too Long",
+  415: "Unsupported Media Type",
+  416: "Requested Range Not Satisfiable",
+  417: "Expectation Failed",
+  418: "I'm a teapot",
+  429: "Too Many Requests",
+  500: "Internal Server Error",
+  501: "Not Implemented",
+  502: "Bad Gateway",
+  503: "Service Unavailable",
+  504: "Gateway Timeout",
+  505: "HTTP Version Not Supported"
+}, m = class m {
+  /**
+   * Create a logger with the given level
+   * @param level the level to report to
+   */
+  constructor(t) {
+    /** the log level. This can be set dynamically */
+    a(this, "level");
+    if (t) this.level = t;
+    else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
+      const r = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
+      m.levelName.includes(r) ? this.level = m.levelName.indexOf(r) : this.level = m.Error;
+    } else
+      this.level = m.Error;
+  }
+  /**
+   * Return the singleton instance of the logger.
+   * @returns the logger
+   */
+  static get logger() {
+    return globalThis.crossauthLogger;
+  }
+  setLevel(t) {
+    this.level = t;
+  }
+  log(t, r) {
+    t <= this.level && (typeof r == "string" ? console.log("Crossauth " + m.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: m.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
+  }
+  /**
+   * Report an error
+   * @param output object to output
+   */
+  error(t) {
+    this.log(m.Error, t);
+  }
+  /**
+   * Report an warning
+   * @param output object to output
+   */
+  warn(t) {
+    this.log(m.Warn, t);
+  }
+  /**
+   * Report information
+   * @param output object to output
+   */
+  info(t) {
+    this.log(m.Info, t);
+  }
+  /**
+   * Print a debugging message
+   * @param output object to output
+   */
+  debug(t) {
+    this.log(m.Debug, t);
+  }
+  /**
+   * Override the default logger.
+   *
+   * The only requirement is that the logger has the functions `error()`, `warn()`, `info()` and `debug()`.
+   * These functions must accept either an object or a string.  If they can only accept a string,
+   * set `acceptsJson` to false.
+   *
+   * @param logger a new logger instance of any supported class
+   * @param acceptsJson set this to false if the logger can only take strings.
+   */
+  static setLogger(t, r) {
+    globalThis.crossauthLogger = t, globalThis.crossauthLoggerAcceptsJson = r;
+  }
+};
+/** Don't log anything */
+a(m, "None", 0), /** Only log errors */
+a(m, "Error", 1), /** Log errors and warning */
+a(m, "Warn", 2), /** Log errors, warnings and info messages */
+a(m, "Info", 3), /** Log everything */
+a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
+let d = m;
+function h(e) {
+  let t;
+  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
+  try {
+    typeof e == "object" && "err" in e && typeof e.err == "object" && e.err && "message" in e.err && !("msg" in e) && (e.msg = e.err.message);
+  } catch {
+  }
+  try {
+    typeof e == "object" && "err" in e && typeof e.err == "object" && (e.err = { ...e.err, stack: t });
+  } catch {
+  }
+  try {
+    typeof e == "object" && "err" in e && !("msg" in e) && (e.msg = e.msg = "An unknown error occurred");
+  } catch {
+  }
+  try {
+    typeof e == "object" && "cerr" in e && "isCrossauthError" in e.cerr && e.cerr && (e.errorCode = e.cerr.code, e.errorCodeName = e.cerr.codeName, e.httpStatus = e.cerr.httpStatus, "msg" in e || (e.msg = e.cerr.message), delete e.cerr);
+  } catch {
+  }
+  return typeof e == "string" || globalThis.crossauthLoggerAcceptsJson ? e : JSON.stringify(e);
+}
+globalThis.crossauthLogger = new d(d.None);
+globalThis.crossauthLoggerAcceptsJson = !0;
+const te = {
+  issuer: "",
+  authorization_endpoint: "",
+  token_endpoint: "",
+  jwks_uri: "",
+  response_types_supported: [],
+  subject_types_supported: [],
+  response_modes_supported: ["query", "fragment"],
+  grant_types_supported: ["authorization_code", "implicit"],
+  id_token_signing_alg_values_supported: [],
+  claim_types_supported: ["normal"],
+  claims_parameter_supported: !1,
+  request_parameter_supported: !1,
+  request_uri_parameter_supported: !0,
+  require_request_uri_registration: !1
+}, F = crypto, re = (e) => e instanceof CryptoKey, H = new TextEncoder(), z = new TextDecoder();
+function ge(...e) {
+  const t = e.reduce((i, { length: s }) => i + s, 0), r = new Uint8Array(t);
+  let n = 0;
+  for (const i of e)
+    r.set(i, n), n += i.length;
+  return r;
+}
+const ye = (e) => {
+  const t = atob(e), r = new Uint8Array(t.length);
+  for (let n = 0; n < t.length; n++)
+    r[n] = t.charCodeAt(n);
+  return r;
+}, K = (e) => {
+  let t = e;
+  t instanceof Uint8Array && (t = z.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  try {
+    return ye(t);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+};
+class $ extends Error {
+  static get code() {
+    return "ERR_JOSE_GENERIC";
+  }
+  constructor(t) {
+    var r;
+    super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  }
+}
+class b extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
+  }
+  static get code() {
+    return "ERR_JOSE_NOT_SUPPORTED";
+  }
+}
+class v extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWS_INVALID";
+  }
+  static get code() {
+    return "ERR_JWS_INVALID";
+  }
+}
+class E extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWT_INVALID";
+  }
+  static get code() {
+    return "ERR_JWT_INVALID";
+  }
+}
+class me extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
+  }
+  static get code() {
+    return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  }
+}
+function A(e, t = "algorithm.name") {
+  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
+}
+function J(e, t) {
+  return e.name === t;
+}
+function L(e) {
+  return parseInt(e.name.slice(4), 10);
+}
+function we(e) {
+  switch (e) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function ve(e, t) {
+  if (t.length && !t.some((r) => e.usages.includes(r))) {
+    let r = "CryptoKey does not support this operation, its usages must include ";
+    if (t.length > 2) {
+      const n = t.pop();
+      r += `one of ${t.join(", ")}, or ${n}.`;
+    } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
+    throw new TypeError(r);
+  }
+}
+function Se(e, t, ...r) {
+  switch (t) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!J(e.algorithm, "HMAC"))
+        throw A("HMAC");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!J(e.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw A("RSASSA-PKCS1-v1_5");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!J(e.algorithm, "RSA-PSS"))
+        throw A("RSA-PSS");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "EdDSA": {
+      if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
+        throw A("Ed25519 or Ed448");
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!J(e.algorithm, "ECDSA"))
+        throw A("ECDSA");
+      const n = we(t);
+      if (e.algorithm.namedCurve !== n)
+        throw A(n, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  ve(e, r);
+}
+function ie(e, t, ...r) {
+  var n;
+  if (r.length > 2) {
+    const i = r.pop();
+    e += `one of type ${r.join(", ")}, or ${i}.`;
+  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
+  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+}
+const X = (e, ...t) => ie("Key must be ", e, ...t);
+function ne(e, t, ...r) {
+  return ie(`Key for the ${e} algorithm must be `, t, ...r);
+}
+const se = (e) => re(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], _e = (...e) => {
+  const t = e.filter(Boolean);
+  if (t.length === 0 || t.length === 1)
+    return !0;
+  let r;
+  for (const n of t) {
+    const i = Object.keys(n);
+    if (!r || r.size === 0) {
+      r = new Set(i);
+      continue;
+    }
+    for (const s of i) {
+      if (r.has(s))
+        return !1;
+      r.add(s);
+    }
+  }
+  return !0;
+};
+function Ce(e) {
+  return typeof e == "object" && e !== null;
+}
+function x(e) {
+  if (!Ce(e) || Object.prototype.toString.call(e) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(e) === null)
+    return !0;
+  let t = e;
+  for (; Object.getPrototypeOf(t) !== null; )
+    t = Object.getPrototypeOf(t);
+  return Object.getPrototypeOf(e) === t;
+}
+const be = (e, t) => {
+  if (e.startsWith("RS") || e.startsWith("PS")) {
+    const { modulusLength: r } = t.algorithm;
+    if (typeof r != "number" || r < 2048)
+      throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
+  }
+};
+function Ae(e) {
+  let t, r;
+  switch (e.kty) {
+    case "RSA": {
+      switch (e.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          t = { name: "RSA-PSS", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          t = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          t = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
+          }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (e.alg) {
+        case "ES256":
+          t = { name: "ECDSA", namedCurve: "P-256" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          t = { name: "ECDSA", namedCurve: "P-384" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          t = { name: "ECDSA", namedCurve: "P-521" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (e.alg) {
+        case "EdDSA":
+          t = { name: e.crv }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new b('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm: t, keyUsages: r };
+}
+const oe = async (e) => {
+  if (!e.alg)
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: t, keyUsages: r } = Ae(e), n = [
+    t,
+    e.ext ?? !1,
+    e.key_ops ?? r
+  ], i = { ...e };
+  return delete i.alg, delete i.use, F.subtle.importKey("jwk", i, ...n);
+}, ae = (e) => K(e);
+let V, j;
+const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", de = async (e, t, r, n) => {
+  let i = e.get(t);
+  if (i != null && i[n])
+    return i[n];
+  const s = await oe({ ...r, alg: n });
+  return i ? i[n] = s : e.set(t, { [n]: s }), s;
+}, Pe = (e, t) => {
+  if (ce(e)) {
+    let r = e.export({ format: "jwk" });
+    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ae(r.k) : (j || (j = /* @__PURE__ */ new WeakMap()), de(j, e, r, t));
+  }
+  return e;
+}, ke = (e, t) => {
+  if (ce(e)) {
+    let r = e.export({ format: "jwk" });
+    return r.k ? ae(r.k) : (V || (V = /* @__PURE__ */ new WeakMap()), de(V, e, r, t));
+  }
+  return e;
+}, Ie = { normalizePublicKey: Pe, normalizePrivateKey: ke }, I = (e, t, r = 0) => {
+  r === 0 && (t.unshift(t.length), t.unshift(6));
+  const n = e.indexOf(t[0], r);
+  if (n === -1)
+    return !1;
+  const i = e.subarray(n, n + t.length);
+  return i.length !== t.length ? !1 : i.every((s, o) => s === t[o]) || I(e, t, n + 1);
+}, Q = (e) => {
+  switch (!0) {
+    case I(e, [42, 134, 72, 206, 61, 3, 1, 7]):
+      return "P-256";
+    case I(e, [43, 129, 4, 0, 34]):
+      return "P-384";
+    case I(e, [43, 129, 4, 0, 35]):
+      return "P-521";
+    case I(e, [43, 101, 110]):
+      return "X25519";
+    case I(e, [43, 101, 111]):
+      return "X448";
+    case I(e, [43, 101, 112]):
+      return "Ed25519";
+    case I(e, [43, 101, 113]):
+      return "Ed448";
+    default:
+      throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
+  }
+}, le = async (e, t, r, n, i) => {
+  let s, o;
+  const l = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), f = t === "spki";
+  switch (n) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      s = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      s = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      s = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
+      }, o = f ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+      break;
+    case "ES256":
+      s = { name: "ECDSA", namedCurve: "P-256" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ES384":
+      s = { name: "ECDSA", namedCurve: "P-384" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ES512":
+      s = { name: "ECDSA", namedCurve: "P-521" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      const p = Q(l);
+      s = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, o = f ? [] : ["deriveBits"];
+      break;
+    }
+    case "EdDSA":
+      s = { name: Q(l) }, o = f ? ["verify"] : ["sign"];
+      break;
+    default:
+      throw new b('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return F.subtle.importKey(t, l, s, !1, o);
+}, Te = (e, t, r) => le(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Re = (e, t, r) => le(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
+async function Ee(e, t, r) {
+  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
+    throw new TypeError('"spki" must be SPKI formatted string');
+  return Re(e, t);
+}
+async function Oe(e, t, r) {
+  if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
+    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+  return Te(e, t);
+}
+async function Z(e, t) {
+  if (!x(e))
+    throw new TypeError("JWK must be an object");
+  switch (t || (t = e.alg), e.kty) {
+    case "oct":
+      if (typeof e.k != "string" || !e.k)
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      return K(e.k);
+    case "RSA":
+      if (e.oth !== void 0)
+        throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+    case "EC":
+    case "OKP":
+      return oe({ ...e, alg: t });
+    default:
+      throw new b('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+const q = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ke = (e, t) => {
+  if (!(t instanceof Uint8Array)) {
+    if (!se(t))
+      throw new TypeError(ne(e, t, ...M, "Uint8Array"));
+    if (t.type !== "secret")
+      throw new TypeError(`${q(t)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, Ne = (e, t, r) => {
+  if (!se(t))
+    throw new TypeError(ne(e, t, ...M));
+  if (t.type === "secret")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (t.algorithm && r === "verify" && t.type === "private")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+  if (t.algorithm && r === "encrypt" && t.type === "private")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+}, Ue = (e, t, r) => {
+  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ke(e, t) : Ne(e, t, r);
+};
+function xe(e, t, r, n, i) {
+  if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
+    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!n || n.crit === void 0)
+    return /* @__PURE__ */ new Set();
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
+    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let s;
+  s = t;
+  for (const o of n.crit) {
+    if (!s.has(o))
+      throw new b(`Extension Header Parameter "${o}" is not recognized`);
+    if (i[o] === void 0)
+      throw new e(`Extension Header Parameter "${o}" is missing`);
+    if (s.get(o) && n[o] === void 0)
+      throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
+  }
+  return new Set(n.crit);
+}
+function ze(e, t) {
+  const r = `SHA-${e.slice(-3)}`;
+  switch (e) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash: r, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash: r, name: "RSA-PSS", saltLength: e.slice(-3) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
+    case "EdDSA":
+      return { name: t.name };
+    default:
+      throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function We(e, t, r) {
+  if (t = await Ie.normalizePublicKey(t, e), re(t))
+    return Se(t, e, r), t;
+  if (t instanceof Uint8Array) {
+    if (!e.startsWith("HS"))
+      throw new TypeError(X(t, ...M));
+    return F.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
+  }
+  throw new TypeError(X(t, ...M, "Uint8Array"));
+}
+const De = async (e, t, r, n) => {
+  const i = await We(e, t, "verify");
+  be(e, i);
+  const s = ze(e, i.algorithm);
+  try {
+    return await F.subtle.verify(s, i, r, n);
+  } catch {
+    return !1;
+  }
+};
+async function He(e, t, r) {
+  if (!x(e))
+    throw new v("Flattened JWS must be an object");
+  if (e.protected === void 0 && e.header === void 0)
+    throw new v('Flattened JWS must have either of the "protected" or "header" members');
+  if (e.protected !== void 0 && typeof e.protected != "string")
+    throw new v("JWS Protected Header incorrect type");
+  if (e.payload === void 0)
+    throw new v("JWS Payload missing");
+  if (typeof e.signature != "string")
+    throw new v("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !x(e.header))
+    throw new v("JWS Unprotected Header incorrect type");
+  let n = {};
+  if (e.protected)
+    try {
+      const ue = K(e.protected);
+      n = JSON.parse(z.decode(ue));
+    } catch {
+      throw new v("JWS Protected Header is invalid");
+    }
+  if (!_e(n, e.header))
+    throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const i = {
+    ...n,
+    ...e.header
+  }, s = xe(v, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
+  let o = !0;
+  if (s.has("b64") && (o = n.b64, typeof o != "boolean"))
+    throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: l } = i;
+  if (typeof l != "string" || !l)
+    throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  if (o) {
+    if (typeof e.payload != "string")
+      throw new v("JWS Payload must be a string");
+  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
+    throw new v("JWS Payload must be a string or an Uint8Array instance");
+  let f = !1;
+  typeof t == "function" && (t = await t(n, e), f = !0), Ue(l, t, "verify");
+  const p = ge(H.encode(e.protected ?? ""), H.encode("."), typeof e.payload == "string" ? H.encode(e.payload) : e.payload);
+  let P;
+  try {
+    P = K(e.signature);
+  } catch {
+    throw new v("Failed to base64url decode the signature");
+  }
+  if (!await De(l, t, P, p))
+    throw new me();
+  let W;
+  if (o)
+    try {
+      W = K(e.payload);
+    } catch {
+      throw new v("Failed to base64url decode the payload");
+    }
+  else typeof e.payload == "string" ? W = H.encode(e.payload) : W = e.payload;
+  const D = { payload: W };
+  return e.protected !== void 0 && (D.protectedHeader = n), e.header !== void 0 && (D.unprotectedHeader = e.header), f ? { ...D, key: t } : D;
+}
+async function Je(e, t, r) {
+  if (e instanceof Uint8Array && (e = z.decode(e)), typeof e != "string")
+    throw new v("Compact JWS must be a string or Uint8Array");
+  const { 0: n, 1: i, 2: s, length: o } = e.split(".");
+  if (o !== 3)
+    throw new v("Invalid Compact JWS");
+  const l = await He({ payload: i, protected: n, signature: s }, t, r), f = { payload: l.payload, protectedHeader: l.protectedHeader };
+  return typeof t == "function" ? { ...f, key: l.key } : f;
+}
+const he = K;
+function qe(e) {
+  let t;
+  if (typeof e == "string") {
+    const r = e.split(".");
+    (r.length === 3 || r.length === 5) && ([t] = r);
+  } else if (typeof e == "object" && e)
+    if ("protected" in e)
+      t = e.protected;
+    else
+      throw new TypeError("Token does not contain a Protected Header");
+  try {
+    if (typeof t != "string" || !t)
+      throw new Error();
+    const r = JSON.parse(z.decode(he(t)));
+    if (!x(r))
+      throw new Error();
+    return r;
+  } catch {
+    throw new TypeError("Invalid Token or Protected Header formatting");
+  }
+}
+function Me(e) {
+  if (typeof e != "string")
+    throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
+  const { 1: t, length: r } = e.split(".");
+  if (r === 5)
+    throw new E("Only JWTs using Compact JWS serialization can be decoded");
+  if (r !== 3)
+    throw new E("Invalid JWT");
+  if (!t)
+    throw new E("JWTs must contain a payload");
+  let n;
+  try {
+    n = he(t);
+  } catch {
+    throw new E("Failed to base64url decode the payload");
+  }
+  let i;
+  try {
+    i = JSON.parse(z.decode(n));
+  } catch {
+    throw new E("Failed to parse the decoded payload as JSON");
+  }
+  if (!x(i))
+    throw new E("Invalid JWT Claims Set");
+  return i;
+}
+const c = class c {
+  /**
+   * Returns a user-friendly name for the given flow strings.
+   *
+   * The value returned is the one in `flowName`.
+   * @param flows the flows to return the names of
+   * @returns an array of strings
+   */
+  static flowNames(t) {
+    let r = {};
+    return t.forEach((n) => {
+      n in c.flowName && (r[n] = c.flowName[n]);
+    }), r;
+  }
+  /**
+   * Returns true if the given string is a valid flow name.
+   * @param flow the flow to check
+   * @returns true or false.
+   */
+  static isValidFlow(t) {
+    return c.allFlows().includes(t);
+  }
+  /**
+   * Returns true only if all given strings are valid flows
+   * @param flows the flows to check
+   * @returns true or false.
+   */
+  static areAllValidFlows(t) {
+    let r = !0;
+    return t.forEach((n) => {
+      c.isValidFlow(n) || (r = !1);
+    }), r;
+  }
+  static allFlows() {
+    return [
+      c.AuthorizationCode,
+      c.AuthorizationCodeWithPKCE,
+      c.ClientCredentials,
+      c.RefreshToken,
+      c.DeviceCode,
+      c.Password,
+      c.PasswordMfa,
+      c.OidcAuthorizationCode
+    ];
+  }
+  /**
+   * Returns the OAuth grant types that are valid for a given flow, or
+   * `undefined` if it is not a valid flow.
+   * @param oauthFlow the flow to get the grant type for.
+   * @returns a {@link GrantType} value
+   */
+  static grantType(t) {
+    switch (t) {
+      case c.AuthorizationCode:
+      case c.AuthorizationCodeWithPKCE:
+      case c.OidcAuthorizationCode:
+        return ["authorization_code"];
+      case c.ClientCredentials:
+        return ["client_credentials"];
+      case c.RefreshToken:
+        return ["refresh_token"];
+      case c.Password:
+        return ["password"];
+      case c.PasswordMfa:
+        return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
+      case c.DeviceCode:
+        return ["urn:ietf:params:oauth:grant-type:device_code"];
+    }
+  }
+};
+/** All flows are allowed */
+a(c, "All", "all"), /** OAuth authorization code flow (without PKCE) */
+a(c, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
+a(c, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
+a(c, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
+a(c, "RefreshToken", "refreshToken"), /** OAuth device code flow */
+a(c, "DeviceCode", "deviceCode"), /** OAuth password flow */
+a(c, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
+a(c, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
+ * PKCE.
+ */
+a(c, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
+ *
+ * For example, if you pass "authorizationCode"
+ * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
+ */
+a(c, "flowName", {
+  [c.AuthorizationCode]: "Authorization Code",
+  [c.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
+  [c.ClientCredentials]: "Client Credentials",
+  [c.RefreshToken]: "Refresh Token",
+  [c.DeviceCode]: "Device Code",
+  [c.Password]: "Password",
+  [c.PasswordMfa]: "Password MFA",
+  [c.OidcAuthorizationCode]: "OIDC Authorization Code"
+});
+let ee = c;
+var w, S, N, T, R;
+class Be {
+  /**
+   * Constructor.
+   *
+   * @param options options:
+   *      - `authServerBaseUrl` the base URI for OAuth calls.  This is
+   *        the value in the isser field of a JWT.  The client will
+   *        reject any JWTs that are not from this issuer.
+   *      - `client_id` the client ID for this client.
+   *      - `redriectUri` when making OAuth calls, this value is put
+   *        in the redirect_uri field.
+   *      - `number` of characters (before base64-url-encoding) for generating
+   *        state values in OAuth calls.
+   *      - `verifierLength` of characters (before base64-url-encoding) for
+   *        generating PKCE values in OAuth calls.
+   *      - `tokenConsumer` to keep this class independent of frontend
+   *        and backend specific funtionality (eg classes not available
+   *        in browsers), the token consumer, which determines if a token
+   *        is valid or not, is abstracted out.
+   *      - authServerCredentials credentials flag for fetch calls to the
+   *        authorization server
+   *      - authServerMode mode flag for fetch calls to the
+   *        authorization server
+   *      - authServerHeaders headers flag for calls to the
+   *        authorization server
+   *      - `receiveTokensFn` if defined, this will be called when tokens
+   *        are received
+   */
+  constructor({
+    authServerBaseUrl: t,
+    client_id: r,
+    client_secret: n,
+    redirect_uri: i,
+    codeChallengeMethod: s,
+    stateLength: o,
+    verifierLength: l,
+    tokenConsumer: f,
+    authServerCredentials: p,
+    authServerMode: P,
+    authServerHeaders: U
+  }) {
+    a(this, "authServerBaseUrl", "");
+    O(this, w);
+    O(this, S);
+    O(this, N);
+    a(this, "codeChallengeMethod", "S256");
+    O(this, T);
+    a(this, "verifierLength", 32);
+    a(this, "redirect_uri");
+    O(this, R, "");
+    a(this, "stateLength", 32);
+    a(this, "authzCode", "");
+    a(this, "oidcConfig");
+    a(this, "tokenConsumer");
+    a(this, "authServerHeaders", {});
+    a(this, "authServerMode");
+    a(this, "authServerCredentials");
+    this.tokenConsumer = f, this.authServerBaseUrl = t, l && (this.verifierLength = l), o && (this.stateLength = o), r && _(this, w, r), n && _(this, S, n), i && (this.redirect_uri = i), s && (this.codeChallengeMethod = s), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), P && (this.authServerMode = P), U && (this.authServerHeaders = U);
+  }
+  set client_id(t) {
+    _(this, w, t);
+  }
+  set client_secret(t) {
+    _(this, S, t);
+  }
+  set codeVerifier(t) {
+    _(this, T, t);
+  }
+  set codeChallenge(t) {
+    _(this, N, t);
+  }
+  set state(t) {
+    _(this, R, t);
+  }
+  /**
+   * Loads OpenID Connect configuration so that the client can determine
+   * the URLs it can call and the features the authorization server provides.
+   *
+   * @param oidcConfig if defined, loadsa the config from this object.
+   *        Otherwise, performs a fetch by appending
+   *        `/.well-known/openid-configuration` to the
+   *        `authServerBaseUrl`.
+   * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
+   *   - `Connection` if data from the URL could not be fetched or parsed.
+   */
+  async loadConfig(t) {
+    if (t) {
+      d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
+      return;
+    }
+    let r;
+    try {
+      const n = new URL(
+        this.authServerBaseUrl + "/.well-known/openid-configuration"
+      );
+      d.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
+      let i = { headers: this.authServerHeaders };
+      this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
+    } catch (n) {
+      d.logger.error(h({ err: n }));
+    }
+    if (!r || !r.ok)
+      throw new g(
+        y.Connection,
+        "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
+      );
+    this.oidcConfig = { ...te };
+    try {
+      const n = await r.json();
+      for (const [i, s] of Object.entries(n))
+        this.oidcConfig[i] = s;
+    } catch {
+      throw new g(
+        y.Connection,
+        "Unrecognized response from OIDC configuration endpoint"
+      );
+    }
+  }
+  getOidcConfig() {
+    return this.oidcConfig;
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Authorization Code Flow
+  /**
+   * Starts the authorizatuin code flow, optionally with PKCE.
+   *
+   * Doesn't actually call the endpoint but rather returns its URL
+   *
+   * @param scope optionally specify the scopes to ask the user to
+   *        authorize (space separated, non URL-encoded)
+   * @param pkce if true, initiate the Authorization Code Flow with PKCE,
+   *        otherwiswe without PKCE.
+   * @returns an object with
+   *          - `url` - the full `authorize` URL to fetch, if there was no
+   *            error, undefined otherwise
+   *          - `error` OAuth error if there was an error, undefined
+   *            otherwise.  See OAuth specification for authorize endpoint
+   *          - `error_description` friendly error message or undefined
+   *            if no error
+   */
+  async startAuthorizationCodeFlow(t, r = !1) {
+    var s, o, l;
+    if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.response_types_supported.includes("code")) || !((o = this.oidcConfig) != null && o.response_modes_supported.includes("query")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support authorization code flow"
+      };
+    if (!((l = this.oidcConfig) != null && l.authorization_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get authorize endpoint"
+      };
+    if (_(this, R, this.randomValue(this.stateLength)), !u(this, w)) return {
+      error: "invalid_request",
+      error_description: "Cannot make authorization code flow without client id"
+    };
+    if (!this.redirect_uri) return {
+      error: "invalid_request",
+      error_description: "Cannot make authorization code flow without Redirect Uri"
+    };
+    let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(u(this, w)) + "&state=" + encodeURIComponent(u(this, R)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    return t && (i += "&scope=" + encodeURIComponent(t)), r && (_(this, T, this.randomValue(this.verifierLength)), _(this, N, this.codeChallengeMethod == "plain" ? u(this, T) : await this.sha256(u(this, T))), i += "&code_challenge=" + u(this, N)), { url: i };
+  }
+  /**
+   * This implements the functionality behind the redirect URI
+   *
+   * Does not throw exceptions.
+   *
+   * If an error wasn't reported,  a POST request to the `token` endpoint with
+   * the authorization code to get an access token, etc.  If there was
+   * an error, this is just passed through without calling and further
+   * endpoints.
+   *
+   * @param code the authorization code
+   * @param state the random state variable
+   * @param error if defined, it will be returned as an error.  This is
+   *              for cascading errors from previous requests.
+   * @param errorDescription if error is defined, this text is returned
+   *        as the `error_description`  It is set to `Unknown error`
+   *        otherwise
+   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+   *          request, or `error` and `error_description`.
+   */
+  async redirectEndpoint(t, r, n, i) {
+    var p, P;
+    if (this.oidcConfig || await this.loadConfig(), n || !t)
+      return n || (n = "server_error"), i || (i = "Unknown error"), { error: n, error_description: i };
+    if (u(this, R) && r != u(this, R))
+      return { error: "access_denied", error_description: "State is not valid" };
+    if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support authorization code grant"
+      };
+    if (!((P = this.oidcConfig) != null && P.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const s = this.oidcConfig.token_endpoint;
+    let o, l;
+    o = "authorization_code", l = u(this, S);
+    let f = {
+      grant_type: o,
+      client_id: u(this, w),
+      code: this.authzCode
+    };
+    l && (f.client_secret = l), f.code_verifier = u(this, T);
+    try {
+      return this.post(s, f, this.authServerHeaders);
+    } catch (U) {
+      return d.logger.error(h({ err: U })), {
+        error: "server_error",
+        error_description: "Unable to get access token from server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Client Credentials Flow
+  /**
+   * Performs the client credentials flow.
+   *
+   * Does not throw exceptions.
+   *
+   * Makes a POST request to the `token` endpoint with the
+   * authorization code to get an access token, etc.
+   *
+   * @param scope the scopes to authorize for the client (optional)
+   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+   *          request, or `error` and `error_description`.
+   */
+  async clientCredentialsFlow(t) {
+    var i, s;
+    if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support client credentials grant"
+      };
+    if (!((s = this.oidcConfig) != null && s.token_endpoint))
+      return { error: "server_error", error_description: "Cannot get token endpoint" };
+    if (!u(this, w)) return {
+      error: "invalid_request",
+      error_description: "Cannot make client credentials flow without client id"
+    };
+    const r = this.oidcConfig.token_endpoint;
+    let n = {
+      grant_type: "client_credentials",
+      client_id: u(this, w),
+      client_secret: u(this, S)
+    };
+    t && (n.scope = t);
+    try {
+      return await this.post(r, n, this.authServerHeaders);
+    } catch (o) {
+      return d.logger.error(h({ err: o })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Password and Password MFA Flows
+  /** Initiates the Password Flow.
+   *
+   * Does not throw exceptions.
+   *
+   * @param username the username
+   * @param password the user's password
+   * @param scope the scopes to authorize (optional)
+   * @returns An {@link OAuthTokenResponse} which may contain data or
+   * the OAuth error fields.  If 2FA is enabled for this user on the
+   * authorization server, the Password MFA flow is followed.  See
+   * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
+   *
+   */
+  async passwordFlow(t, r, n) {
+    var o, l;
+    if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("password")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const i = this.oidcConfig.token_endpoint;
+    let s = {
+      grant_type: "password",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      username: t,
+      password: r
+    };
+    n && (s.scope = n);
+    try {
+      return await this.post(i, s, this.authServerHeaders);
+    } catch (f) {
+      return d.logger.error(h({ err: f })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /** Request valid authenticators using the Password MFA flow,
+   * after the Password flow has been initiated.
+   *
+   * Does not throw exceptions.
+   *
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @returns Either
+   *   - authenticators an array of {@link MfaAuthenticatorResponse} objects,
+   *     as per Auth0's Password MFA documentation
+   *   - an `error` and `error_description`, also as per Auth0's Password MFA
+   *     documentation
+   */
+  async mfaAuthenticators(t) {
+    var s, o, l;
+    if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
+    if (!Array.isArray(n))
+      return {
+        error: "server_error",
+        error_description: "Expected array of authenticators in mfa/authenticators response"
+      };
+    let i = [];
+    for (let f = 0; f < n.length; ++f) {
+      const p = n[f];
+      if (!p.id || !p.authenticator_type || !p.active)
+        return {
+          error: "server_error",
+          error_description: "Invalid mfa/authenticators response"
+        };
+      i.push({
+        id: p.id,
+        authenticator_type: p.authenticator_type,
+        active: p.active,
+        name: p.name,
+        oob_channel: p.oob_channel
+      });
+    }
+    return { authenticators: i };
+  }
+  /**
+   * This is part of the Auth0 Password MFA flow.  Once the client has
+   * received a list of valid authenticators, if it wishes to initiate
+   * OTP, call this function
+   *
+   * Does not throw exceptions.
+   *
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param authenticatorId the authenticator ID, as returned in the response
+   * from the `mfaAuthenticators` request.
+   */
+  async mfaOtpRequest(t, r) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      authenticator_id: r
+    }, this.authServerHeaders);
+    return i.challenge_type != "otp" ? {
+      error: i.error ?? "server_error",
+      error_description: i.error_description ?? "Invalid OTP challenge response"
+    } : i;
+  }
+  /**
+   * Completes the Password MFA OTP flow.
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param otp the OTP entered by the user
+   * @returns an object with some of the following fields, depending on
+   *          authorization server configuration and whether there were
+   *          errors:
+   *   - `access_token` an OAuth access token
+   *   - `refresh_token` an OAuth access token
+   *   - `id_token` an OpenID Connect ID token
+   *   - `expires_in` number of seconds when the access token expires
+   *   - `scope` the scopes the user authorized
+   *   - `token_type` the OAuth token type
+   *   - `error` as per Auth0 Password MFA documentation
+   *   - `error_description` friendly error message
+   */
+  async mfaOtpComplete(t, r, n) {
+    var o, l;
+    if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const i = this.oidcConfig.token_endpoint, s = await this.post(i, {
+      grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      otp: r,
+      scope: n
+    }, this.authServerHeaders);
+    return {
+      id_token: s.id_token,
+      access_token: s.access_token,
+      refresh_token: s.refresh_token,
+      expires_in: Number(s.expires_in),
+      scope: s.scope,
+      token_type: s.token_type,
+      error: s.error,
+      error_description: s.error_description
+    };
+  }
+  /**
+   * This is part of the Auth0 Password MFA flow.  Once the client has
+   * received a list of valid authenticators, if it wishes to initiate
+   * OOB (out of band) login, call this function
+   *
+   * Does not throw exceptions.
+   *
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param authenticatorId the authenticator ID, as returned in the response
+   * from the `mfaAuthenticators` request.
+   * @returns an object with one or more of the following defined:
+   *   - `challenge_type` as per the Auth0 MFA documentation
+   *   - `oob_code` as per the Auth0 MFA documentation
+   *   - `binding_method` as per the Auth0 MFA documentation
+   *   - `error` as per Auth0 Password MFA documentation
+   *   - `error_description` friendly error message
+   */
+  async mfaOobRequest(t, r) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "oob",
+      mfa_token: t,
+      authenticator_id: r
+    }, this.authServerHeaders);
+    return i.challenge_type != "oob" || !i.oob_code || !i.binding_method ? { error: i.error ?? "server_error", error_description: i.error_description ?? "Invalid OOB challenge response" } : {
+      challenge_type: i.challenge_type,
+      oob_code: i.oob_code,
+      binding_method: i.binding_method,
+      error: i.error,
+      error_description: i.error_description
+    };
+  }
+  /**
+   * Completes the Password MFA OTP flow.
+   *
+   * Does not throw exceptions.
+   *
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param oobCode the code entered by the user
+   * @returns an {@link OAuthTokenResponse} object, which may contain
+   *          an error instead of the response fields.
+   */
+  async mfaOobComplete(t, r, n, i) {
+    var l, f;
+    if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((l = this.oidcConfig) != null && l.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((f = this.oidcConfig) != null && f.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const s = this.oidcConfig.token_endpoint, o = await this.post(s, {
+      grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      oob_code: r,
+      binding_code: n,
+      scope: i
+    }, this.authServerHeaders);
+    return o.error ? {
+      error: o.error,
+      error_description: o.error_description
+    } : {
+      id_token: o.id_token,
+      access_token: o.access_token,
+      refresh_token: o.refresh_token,
+      expires_in: "expires_in" in o ? Number(o.expires_in) : void 0,
+      scope: o.scope,
+      token_type: o.token_type
+    };
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Refresh Token Flow
+  async refreshTokenFlow(t) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("refresh_token")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support refresh_token grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const r = this.oidcConfig.token_endpoint;
+    let n;
+    n = u(this, S);
+    let i = {
+      grant_type: "refresh_token",
+      refresh_token: t,
+      client_id: u(this, w)
+    };
+    n && (i.client_secret = n);
+    try {
+      return await this.post(r, i, this.authServerHeaders);
+    } catch (l) {
+      return d.logger.error(h({ err: l })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Device Code Flow
+  /**
+   * Starts the Device Code Flow on the primary device (the one wanting an access token)
+   * @param url The URl for the device_authorization endpoint, as it is not defined in the OIDC configuration
+   * @param scope optional scope to request authorization for
+   * @returns See {@link OAuthDeviceAuthorizationResponse}
+   */
+  async startDeviceCodeFlow(t, r) {
+    var i;
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support device code grant"
+      };
+    let n = {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      client_id: u(this, w),
+      client_secret: u(this, S)
+    };
+    r && (n.scope = r);
+    try {
+      return await this.post(t, n, this.authServerHeaders);
+    } catch (s) {
+      return d.logger.error(h({ err: s })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /**
+   * Polls the device endpoint to check if the device code flow has been
+   * authorized by the user.
+   *
+   * @param deviceCode the device code to poll
+   * @returns See {@link OAuthDeviceResponse}
+   */
+  async pollDeviceCodeFlow(t) {
+    var n, i, s;
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support device code grant"
+      };
+    if (!((i = this.oidcConfig) != null && i.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    let r = {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      device_code: t
+    };
+    try {
+      const o = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, r, this.authServerHeaders);
+      return o.error, o;
+    } catch (o) {
+      return d.logger.error(h({ err: o })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /**
+   * Makes a POST request to the given URL using `fetch()`.
+   *
+   * @param url the URL to fetch
+   * @param params the body parameters, which are passed as JSON.
+   * @returns the parsed JSON response as an object.
+   * @throws any exception raised by `fetch()`
+   */
+  async post(t, r, n = {}) {
+    d.logger.debug(h({
+      msg: "Fetch POST",
+      url: t,
+      params: Object.keys(r)
+    }));
+    let i = {};
+    return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(t, {
+      method: "POST",
+      ...i,
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json",
+        ...n
+      },
+      body: JSON.stringify(r)
+    })).json();
+  }
+  /**
+   * Makes a GET request to the given URL using `fetch()`.
+   *
+   * @param url the URL to fetch
+   * @param headers any headers to add to the request
+   * @returns the parsed JSON response as an object.
+   * @throws any exception raised by `fetch()`
+   */
+  async get(t, r = {}) {
+    d.logger.debug(h({ msg: "Fetch GET", url: t }));
+    let n = {};
+    return this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), await (await fetch(t, {
+      method: "GET",
+      ...n,
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json",
+        ...r
+      }
+    })).json();
+  }
+  /**
+   * Validates an OpenID ID token, returning undefined if it is invalid.
+   *
+   * Does not raise exceptions.
+   *
+   * @param token the token to validate.  To be valid, the signature must
+   *        be valid and the `type` claim in the payload must be set to `id`.
+   * @returns the parsed payload or undefined if the token is invalid.
+   */
+  async validateIdToken(t) {
+    try {
+      return await this.tokenConsumer.tokenAuthorized(t, "id");
+    } catch {
+      return;
+    }
+  }
+  /**
+   * Validatesd a token using the token consumer.
+   *
+   * @param idToken the token to validate
+   * @returns the parsed JSON of the payload, or undefinedf if it is not
+   * valid.
+   */
+  async idTokenAuthorized(t) {
+    try {
+      return await this.tokenConsumer.tokenAuthorized(t, "id");
+    } catch (r) {
+      d.logger.warn(h({ err: r }));
+      return;
+    }
+  }
+  getTokenPayload(t) {
+    return Me(t);
+  }
+}
+w = new WeakMap(), S = new WeakMap(), N = new WeakMap(), T = new WeakMap(), R = new WeakMap();
+class Le {
+  /**
+   * Constrctor
+   *
+   * @param audience : this is the value expected in the `aud` field
+   *        of the JWT.  The token is rejected if it doesn't match.
+   * @param options See {@link OAuthTokenConsumerBaseOptions}.
+   */
+  constructor(t, r = {}) {
+    a(this, "audience");
+    a(this, "jwtKeyType");
+    a(this, "jwtSecretKey");
+    a(this, "jwtPublicKey");
+    a(this, "clockTolerance", 10);
+    a(this, "authServerBaseUrl", "");
+    /**
+     * The OpenID Connect configuration for the authorization server,
+     * either passed to the constructor or fetched from the authorization
+     * server.
+     */
+    a(this, "oidcConfig");
+    /**
+     * The RSA public keys or symmetric keys for the authorization server,
+     * either passed to the constructor or fetched from the authorization
+     * server.
+     */
+    a(this, "keys", {});
+    if (this.audience = t, r.authServerBaseUrl && (this.authServerBaseUrl = r.authServerBaseUrl), r.jwtKeyType && (this.jwtKeyType = r.jwtKeyType), r.jwtSecretKey && (this.jwtSecretKey = r.jwtSecretKey), r.jwtPublicKey && (this.jwtPublicKey = r.jwtPublicKey), r.clockTolerance && (this.clockTolerance = r.clockTolerance), r.oidcConfig && (this.oidcConfig = r.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
+      throw new g(
+        y.Configuration,
+        "If specifying jwtPublic key, must also specify jwtKeyType"
+      );
+  }
+  /**
+   * This loads keys either from the ones passed in the constructor
+   * or by fetching from the authorization server.
+   *
+   * Note that even if you pass the keys to the constructor, you must
+   * still call this function.  This is because key loading is
+   * asynchronous, and constructors may not be async.
+   */
+  async loadKeys() {
+    try {
+      if (this.jwtSecretKey) {
+        if (!this.jwtKeyType)
+          throw new g(
+            y.Configuration,
+            "Must specify jwtKeyType if setting jwtSecretKey"
+          );
+        this.keys._default = await Oe(this.jwtSecretKey, this.jwtKeyType);
+      } else if (this.jwtPublicKey) {
+        if (!this.jwtKeyType)
+          throw new g(
+            y.Configuration,
+            "Must specify jwtKeyType if setting jwtPublicKey"
+          );
+        const t = await Ee(this.jwtPublicKey, this.jwtKeyType);
+        this.keys._default = t;
+      } else {
+        if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
+          throw new g(
+            y.Connection,
+            "Load OIDC config before Jwks"
+          );
+        await this.loadJwks();
+      }
+    } catch (t) {
+      throw d.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
+    }
+  }
+  /**
+   * Loads OpenID Connect configuration, or fetches it from the
+   * authorization server (using the well-known enpoint appended
+   * to `authServerBaseUrl` )
+   * @param oidcConfig the configuration, or undefined to load it from
+   *        the authorization server
+   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+   *   - `Connection` if the fetch to the authorization server failed.
+   */
+  async loadConfig(t) {
+    if (t) {
+      this.oidcConfig = t;
+      return;
+    }
+    if (!this.authServerBaseUrl)
+      throw new g(y.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
+    let r;
+    try {
+      r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
+    } catch (n) {
+      d.logger.error(h({ err: n }));
+    }
+    if (!r || !r.ok)
+      throw new g(y.Connection, "Couldn't get OIDC configuration");
+    this.oidcConfig = { ...te };
+    try {
+      const n = await r.json();
+      for (const [i, s] of Object.entries(n))
+        this.oidcConfig[i] = s;
+    } catch {
+      throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
+    }
+  }
+  /**
+   * Loads the JWT signature validation keys, or fetches them from the
+   * authorization server (using the URL in the OIDC configuration).
+   * @param jwks the keys to load, or undefined to fetch them from
+   *        the authorization server.
+   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+   *   - `Connection` if the fetch to the authorization server failed,
+   *     the OIDC configuration wasn't set or the keys could not be parsed.
+   */
+  async loadJwks(t) {
+    if (t) {
+      this.keys = {};
+      for (let r = 0; r < t.keys.length; ++r) {
+        const n = t.keys[r];
+        this.keys[n.kid ?? "_default"] = await Z(t.keys[r]);
+      }
+    } else {
+      if (!this.oidcConfig)
+        throw new g(y.Connection, "Load OIDC config before Jwks");
+      let r;
+      try {
+        r = await fetch(new URL(this.oidcConfig.jwks_uri));
+      } catch (n) {
+        d.logger.error(h({ err: n }));
+      }
+      if (!r || !r.ok)
+        throw new g(y.Connection, "Couldn't get OIDC configuration");
+      this.keys = {};
+      try {
+        const n = await r.json();
+        if (!("keys" in n) || !Array.isArray(n.keys))
+          throw new g(y.Connection, "Couldn't fetch keys");
+        for (let i = 0; i < n.keys.length; ++i)
+          try {
+            let s = "_default";
+            "kid" in n.keys[i] && typeof n.keys[i] == "string" && (s = String(n.keys[i]));
+            const o = await Z(n.keys[i]);
+            this.keys[s] = o;
+          } catch (s) {
+            throw d.logger.error(h({ err: s })), new g(y.Connection, "Couldn't load keys");
+          }
+      } catch (n) {
+        throw d.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
+      }
+    }
+  }
+  /**
+   * Returns JWT payload if the token is valid, undefined otherwise.
+   *
+   * Doesn't throw exceptions.
+   *
+   * @param token the token to validate
+   * @param tokenType either `access`, `refresh` or `id`.  If the
+   *        `type` field in the JWT payload doesn't match this, validation
+   *        fails.
+   * @returns the JWT payload if the token is valid, `undefined` otherwise.
+   */
+  async tokenAuthorized(t, r) {
+    (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
+    const n = await this.validateToken(t);
+    if (n) {
+      if (n.type != r && d.logger.error(h({ msg: r + " expected but got " + n.type })), n.iss != this.authServerBaseUrl) {
+        d.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+        return;
+      }
+      if (n.aud && (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience)) {
+        d.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+        return;
+      }
+      return n;
+    }
+  }
+  async validateToken(t) {
+    (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
+    let r;
+    try {
+      r = qe(t).kid;
+    } catch {
+      d.logger.warn(h({ msg: "Invalid access token format" }));
+      return;
+    }
+    let n;
+    "_default" in this.keys && (n = this.keys._default);
+    for (let i in this.keys)
+      if (r == i) {
+        n = this.keys[i];
+        break;
+      }
+    if (!n) {
+      d.logger.warn(h({ msg: "No matching keys found for access token" }));
+      return;
+    }
+    try {
+      const { payload: i } = await Je(t, n), s = JSON.parse(new TextDecoder().decode(i));
+      if (s.exp * 1e3 < Date.now() + this.clockTolerance) {
+        d.logger.warn(h({ msg: "Access token has expired" }));
+        return;
+      }
+      return s;
+    } catch {
+      d.logger.warn(h({ msg: "Access token did not validate" }));
+      return;
+    }
+  }
+}
+export {
+  g as CrossauthError,
+  d as CrossauthLogger,
+  te as DEFAULT_OIDCCONFIG,
+  y as ErrorCode,
+  C as KeyPrefix,
+  Be as OAuthClientBase,
+  ee as OAuthFlows,
+  Le as OAuthTokenConsumerBase,
+  k as UserState,
+  $e as httpStatus,
+  h as j
+};