@crossauth/frontend 0.0.2

package/dist/index.js

@@ -0,0 +1,3005 @@
+var __defProp = Object.defineProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var _accessToken, _refreshToken, _idTokenPayload, _accessTokenPayload, _refreshTokenPayload, _client_id, _client_secret;
+var fe = Object.defineProperty;
+var G = (e) => {
+  throw TypeError(e);
+};
+var pe = (e, t, r) => t in e ? fe(e, t, { enumerable: true, configurable: true, writable: true, value: r }) : e[t] = r;
+var a = (e, t, r) => pe(e, typeof t != "symbol" ? t + "" : t, r), Y = (e, t, r) => t.has(e) || G("Cannot " + r);
+var u = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), O = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), _ = (e, t, r, n) => (Y(e, t, "write to private field"), t.set(e, r), r);
+class k {
+}
+a(k, "active", "active"), /** Deactivated account.  User cannot log in */
+a(k, "disabled", "disabled"), /** Two factor authentication has been actived for this user
+* but has not yet been configured.  Once a user logs in,
+* they will be directed to a page to configure 2FA and will
+* not be able to do anything else (that requires login) until
+* they have done so.
+*/
+a(k, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
+* verified his or her email address.  Cannot log on until it has
+* been verified.
+*/
+a(k, "awaitingEmailVerification", "awaitingemailverification"), /**
+* If the state is set to this, the user may not access any
+* login-required functions unless he or she has changed their password.
+* 
+* Upon login, the user is redirected to the change password page.
+*/
+a(k, "passwordChangeNeeded", "passwordchangeneeded"), /**
+* If the state is set to this, the user may not access any
+* login-required functions unless he or she has reset their password.
+* 
+* Upon login, the user is redirected to the reset password page.
+*/
+a(k, "passwordResetNeeded", "passwordresetneeded"), /**
+* If the state is set to this, the user may not access any
+* login-required functions unless he or she has reset their second
+* factor configuration.
+* 
+* Upon login, the user is redirected to the 2FA configuration page.
+* 
+* If you create a user and 2FA is mandatory, you can set state to 
+* this value and the user will then be prompted to configure 2FA 
+* upon login.
+*/
+a(k, "factor2ResetNeeded", "factor2resetneeded"), /**
+* If the state is set to this, the user may not access any
+* login-required functions unless he or she has reset their password
+* and then resets factor2.
+* 
+* Upon login, the user is redirected to the reset password page.
+*/
+a(k, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
+class C {
+}
+a(C, "session", "s:"), /** Password Reset Token */
+a(C, "passwordResetToken", "p:"), /** Email verification token */
+a(C, "emailVerificationToken", "e:"), /** API key */
+a(C, "apiKey", "api:"), /** OAuth authorization code */
+a(C, "authorizationCode", "authz:"), /** OAuth access token */
+a(C, "accessToken", "access:"), /** OAuth refresh token */
+a(C, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+a(C, "mfaToken", "omfa:"), /** Device code device code */
+a(C, "deviceCode", "dc:"), /** Device code flow user code */
+a(C, "userCode", "uc:");
+var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
+class g extends Error {
+  /**
+   * Creates a new error to throw,
+   * 
+   * @param code describes the type of error
+   * @param message if provided, this error will display.  Otherwise a default one for the error code will be used.
+   */
+  constructor(r, n = void 0) {
+    let i, s = 500;
+    r == 0 ? (i = "User does not exist", s = 401) : r == 1 ? (i = "Password doesn't match", s = 401) : r == 3 ? (i = "Username or password incorrect", s = 401) : r == 4 ? (i = "Client id is invalid", s = 401) : r == 5 ? (i = "Client ID or name already exists", s = 500) : r == 6 ? (i = "Client secret is invalid", s = 401) : r == 7 ? (i = "Client id or secret is invalid", s = 401) : r == 8 ? (i = "Redirect Uri is not registered", s = 401) : r == 9 ? (i = "Invalid OAuth flow type", s = 500) : r == 2 ? (i = "No user exists with that email address", s = 401) : r == 10 ? (i = "Account is not active", s = 403) : r == 33 ? (i = "Username is not in an allowed format", s = 400) : r == 31 ? (i = "Email is not in an allowed format", s = 400) : r == 32 ? (i = "Phone number is not in an allowed format", s = 400) : r == 11 ? (i = "Email address has not been verified", s = 403) : r == 12 ? (i = "Two-factor setup is not complete", s = 403) : r == 13 ? (i = "Not authorized", s = 401) : r == 14 ? (i = "Client not authorized", s = 401) : r == 15 ? (i = "Invalid scope", s = 403) : r == 16 ? (i = "Insufficient scope", s = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", s = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", s = 401) : r == 18 ? (i = "You do not have permission to access this resource", s = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", s = 401) : r == 20 ? (i = "CSRF token is invalid", s = 401) : r == 21 ? (i = "Session cookie is invalid", s = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", s = 403) : r == 28 ? (i = "User must reset password", s = 403) : r == 29 ? (i = "User must reset 2FA", s = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", s = 401) : r == 35 ? (i = "Token is not valid", s = 401) : r == 36 ? (i = "MFA is required", s = 401) : r == 37 ? (i = "Password format was incorrect", s = 401) : r == 40 ? (i = "User already exists", s = 400) : r == 42 ? (i = "The request is invalid", s = 400) : r == 38 ? (i = "Session data has unexpected format", s = 500) : r == 39 ? (i = "Couldn't execute a fetch", s = 500) : r == 43 ? (i = "Waiting for authorization", s = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", s = 200) : r == 45 ? (i = "Token has expired", s = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", s = 500) : r == 47 ? (i = "This method has not been implemented", s = 500) : (i = "Unknown error", s = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
+    super(i);
+    a(this, "isCrossauthError", true);
+    a(this, "httpStatus");
+    a(this, "code");
+    a(this, "codeName");
+    a(this, "messages");
+    this.code = r, this.codeName = y[r], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
+  }
+  /**
+   * OAuth defines certain error types.  To convert the error in an OAuth
+   * response into a CrossauthError object, call this function.
+   * 
+   * @param error as returned by an OAuth call (converted to an {@link @crossauth/common!ErrorCode}).
+   * @param error_description as returned by an OAuth call (put in the `message`)
+   * @returns a `CrossauthError` instance.
+   */
+  static fromOAuthError(r, n) {
+    let i;
+    switch (r) {
+      case "invalid_request":
+        i = 42;
+        break;
+      case "unauthorized_client":
+        i = 14;
+        break;
+      case "access_denied":
+        i = 13;
+        break;
+      case "unsupported_response_type":
+        i = 42;
+        break;
+      case "invalid_scope":
+        i = 15;
+        break;
+      case "server_error":
+        i = 48;
+        break;
+      case "temporarily_unavailable":
+        i = 23;
+        break;
+      case "invalid_token":
+        i = 35;
+        break;
+      case "expired_token":
+        i = 45;
+        break;
+      case "insufficient_scope":
+        i = 35;
+        break;
+      case "mfa_required":
+        i = 36;
+        break;
+      case "authorization_pending":
+        i = 43;
+        break;
+      case "slow_down":
+        i = 44;
+        break;
+      default:
+        i = 48;
+    }
+    return new g(i, n);
+  }
+  get oauthErrorCode() {
+    switch (this.code) {
+      case 42:
+        return "invalid_request";
+      case 14:
+        return "unauthorized_client";
+      case 13:
+        return "access_denied";
+      case 15:
+        return "invalid_scope";
+      case 23:
+        return "temporarily_unavailable";
+      case 35:
+        return "invalid_token";
+      case 36:
+        return "mfa_required";
+      case 43:
+        return "authorization_pending";
+      case 44:
+        return "slow_down";
+      case 45:
+        return "expired_token";
+      case 22:
+        return "expired_token";
+      default:
+        return "server_error";
+    }
+  }
+  /**
+   * If the passed object is a `CrossauthError` instance, simply returns
+   * it.  
+   * If not and it is an object with `errorCode` in it, creates a 
+   * CrossauthError from that and `errorMessage`, if present.
+   * Otherwise creates a `CrossauthError` object with {@link @crossauth/common!ErrorCode}
+   * of `Unknown` from it, setting the `message` if possible.
+   * 
+   * @param e the error to convert.
+   * @returns  a `CrossauthError` instance.
+   */
+  static asCrossauthError(r, n) {
+    if (r instanceof Error)
+      return "isCrossauthError" in r ? r : new g(48, r.message);
+    if ("errorCode" in r) {
+      let s = 48;
+      try {
+        s = Number(r.errorCode) ?? 48;
+      } catch {
+      }
+      let o = n ?? y[s];
+      return "errorMessage" in r ? o = r.errorMessage : "message" in r && (o = r.message), new g(s, o);
+    }
+    let i = n ?? y[
+      48
+      /* UnknownError */
+    ];
+    return "message" in r && (i = r.message), new g(48, i);
+  }
+}
+const m = class m2 {
+  /**
+   * Create a logger with the given level
+   * @param level the level to report to
+   */
+  constructor(t) {
+    a(this, "level");
+    if (t) this.level = t;
+    else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
+      const r = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
+      m2.levelName.includes(r) ? this.level = m2.levelName.indexOf(r) : this.level = m2.Error;
+    } else
+      this.level = m2.Error;
+  }
+  /**
+   * Return the singleton instance of the logger.
+   * @returns the logger
+   */
+  static get logger() {
+    return globalThis.crossauthLogger;
+  }
+  setLevel(t) {
+    this.level = t;
+  }
+  log(t, r) {
+    t <= this.level && (typeof r == "string" ? console.log("Crossauth " + m2.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: m2.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
+  }
+  /**
+   * Report an error
+   * @param output object to output
+   */
+  error(t) {
+    this.log(m2.Error, t);
+  }
+  /**
+   * Report an warning
+   * @param output object to output
+   */
+  warn(t) {
+    this.log(m2.Warn, t);
+  }
+  /**
+   * Report information
+   * @param output object to output
+   */
+  info(t) {
+    this.log(m2.Info, t);
+  }
+  /**
+   * Print a debugging message
+   * @param output object to output
+   */
+  debug(t) {
+    this.log(m2.Debug, t);
+  }
+  /** 
+   * Override the default logger.
+   * 
+   * The only requirement is that the logger has the functions `error()`, `warn()`, `info()` and `debug()`.
+   * These functions must accept either an object or a string.  If they can only accept a string,
+   * set `acceptsJson` to false.  
+   * 
+   * @param logger a new logger instance of any supported class
+   * @param acceptsJson set this to false if the logger can only take strings.
+   */
+  static setLogger(t, r) {
+    globalThis.crossauthLogger = t, globalThis.crossauthLoggerAcceptsJson = r;
+  }
+};
+a(m, "None", 0), /** Only log errors */
+a(m, "Error", 1), /** Log errors and warning */
+a(m, "Warn", 2), /** Log errors, warnings and info messages */
+a(m, "Info", 3), /** Log everything */
+a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
+let d = m;
+function h(e) {
+  let t;
+  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
+  try {
+    typeof e == "object" && "err" in e && typeof e.err == "object" && e.err && "message" in e.err && !("msg" in e) && (e.msg = e.err.message);
+  } catch {
+  }
+  try {
+    typeof e == "object" && "err" in e && typeof e.err == "object" && (e.err = { ...e.err, stack: t });
+  } catch {
+  }
+  try {
+    typeof e == "object" && "err" in e && !("msg" in e) && (e.msg = e.msg = "An unknown error occurred");
+  } catch {
+  }
+  try {
+    typeof e == "object" && "cerr" in e && "isCrossauthError" in e.cerr && e.cerr && (e.errorCode = e.cerr.code, e.errorCodeName = e.cerr.codeName, e.httpStatus = e.cerr.httpStatus, "msg" in e || (e.msg = e.cerr.message), delete e.cerr);
+  } catch {
+  }
+  return typeof e == "string" || globalThis.crossauthLoggerAcceptsJson ? e : JSON.stringify(e);
+}
+globalThis.crossauthLogger = new d(d.None);
+globalThis.crossauthLoggerAcceptsJson = true;
+const te = {
+  issuer: "",
+  authorization_endpoint: "",
+  token_endpoint: "",
+  jwks_uri: "",
+  response_types_supported: [],
+  subject_types_supported: [],
+  response_modes_supported: ["query", "fragment"],
+  grant_types_supported: ["authorization_code", "implicit"],
+  id_token_signing_alg_values_supported: [],
+  claim_types_supported: ["normal"],
+  claims_parameter_supported: false,
+  request_parameter_supported: false,
+  request_uri_parameter_supported: true,
+  require_request_uri_registration: false
+}, F = crypto, re = (e) => e instanceof CryptoKey, H = new TextEncoder(), z = new TextDecoder();
+function ge(...e) {
+  const t = e.reduce((i, { length: s }) => i + s, 0), r = new Uint8Array(t);
+  let n = 0;
+  for (const i of e)
+    r.set(i, n), n += i.length;
+  return r;
+}
+const ye = (e) => {
+  const t = atob(e), r = new Uint8Array(t.length);
+  for (let n = 0; n < t.length; n++)
+    r[n] = t.charCodeAt(n);
+  return r;
+}, K = (e) => {
+  let t = e;
+  t instanceof Uint8Array && (t = z.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  try {
+    return ye(t);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+};
+class $ extends Error {
+  static get code() {
+    return "ERR_JOSE_GENERIC";
+  }
+  constructor(t) {
+    var r;
+    super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  }
+}
+class b extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
+  }
+  static get code() {
+    return "ERR_JOSE_NOT_SUPPORTED";
+  }
+}
+class v extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWS_INVALID";
+  }
+  static get code() {
+    return "ERR_JWS_INVALID";
+  }
+}
+class E extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWT_INVALID";
+  }
+  static get code() {
+    return "ERR_JWT_INVALID";
+  }
+}
+class me extends $ {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
+  }
+  static get code() {
+    return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  }
+}
+function A(e, t = "algorithm.name") {
+  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
+}
+function J(e, t) {
+  return e.name === t;
+}
+function L(e) {
+  return parseInt(e.name.slice(4), 10);
+}
+function we(e) {
+  switch (e) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function ve(e, t) {
+  if (t.length && !t.some((r) => e.usages.includes(r))) {
+    let r = "CryptoKey does not support this operation, its usages must include ";
+    if (t.length > 2) {
+      const n = t.pop();
+      r += `one of ${t.join(", ")}, or ${n}.`;
+    } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
+    throw new TypeError(r);
+  }
+}
+function Se(e, t, ...r) {
+  switch (t) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!J(e.algorithm, "HMAC"))
+        throw A("HMAC");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!J(e.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw A("RSASSA-PKCS1-v1_5");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!J(e.algorithm, "RSA-PSS"))
+        throw A("RSA-PSS");
+      const n = parseInt(t.slice(2), 10);
+      if (L(e.algorithm.hash) !== n)
+        throw A(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "EdDSA": {
+      if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
+        throw A("Ed25519 or Ed448");
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!J(e.algorithm, "ECDSA"))
+        throw A("ECDSA");
+      const n = we(t);
+      if (e.algorithm.namedCurve !== n)
+        throw A(n, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  ve(e, r);
+}
+function ie(e, t, ...r) {
+  var n;
+  if (r.length > 2) {
+    const i = r.pop();
+    e += `one of type ${r.join(", ")}, or ${i}.`;
+  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
+  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+}
+const X = (e, ...t) => ie("Key must be ", e, ...t);
+function ne(e, t, ...r) {
+  return ie(`Key for the ${e} algorithm must be `, t, ...r);
+}
+const se = (e) => re(e) ? true : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], _e = (...e) => {
+  const t = e.filter(Boolean);
+  if (t.length === 0 || t.length === 1)
+    return true;
+  let r;
+  for (const n of t) {
+    const i = Object.keys(n);
+    if (!r || r.size === 0) {
+      r = new Set(i);
+      continue;
+    }
+    for (const s of i) {
+      if (r.has(s))
+        return false;
+      r.add(s);
+    }
+  }
+  return true;
+};
+function Ce(e) {
+  return typeof e == "object" && e !== null;
+}
+function x(e) {
+  if (!Ce(e) || Object.prototype.toString.call(e) !== "[object Object]")
+    return false;
+  if (Object.getPrototypeOf(e) === null)
+    return true;
+  let t = e;
+  for (; Object.getPrototypeOf(t) !== null; )
+    t = Object.getPrototypeOf(t);
+  return Object.getPrototypeOf(e) === t;
+}
+const be = (e, t) => {
+  if (e.startsWith("RS") || e.startsWith("PS")) {
+    const { modulusLength: r } = t.algorithm;
+    if (typeof r != "number" || r < 2048)
+      throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
+  }
+};
+function Ae(e) {
+  let t, r;
+  switch (e.kty) {
+    case "RSA": {
+      switch (e.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          t = { name: "RSA-PSS", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          t = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          t = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
+          }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (e.alg) {
+        case "ES256":
+          t = { name: "ECDSA", namedCurve: "P-256" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          t = { name: "ECDSA", namedCurve: "P-384" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          t = { name: "ECDSA", namedCurve: "P-521" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (e.alg) {
+        case "EdDSA":
+          t = { name: e.crv }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new b('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm: t, keyUsages: r };
+}
+const oe = async (e) => {
+  if (!e.alg)
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: t, keyUsages: r } = Ae(e), n = [
+    t,
+    e.ext ?? false,
+    e.key_ops ?? r
+  ], i = { ...e };
+  return delete i.alg, delete i.use, F.subtle.importKey("jwk", i, ...n);
+}, ae = (e) => K(e);
+let V, j;
+const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", de = async (e, t, r, n) => {
+  let i = e.get(t);
+  if (i != null && i[n])
+    return i[n];
+  const s = await oe({ ...r, alg: n });
+  return i ? i[n] = s : e.set(t, { [n]: s }), s;
+}, Pe = (e, t) => {
+  if (ce(e)) {
+    let r = e.export({ format: "jwk" });
+    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ae(r.k) : (j || (j = /* @__PURE__ */ new WeakMap()), de(j, e, r, t));
+  }
+  return e;
+}, ke = (e, t) => {
+  if (ce(e)) {
+    let r = e.export({ format: "jwk" });
+    return r.k ? ae(r.k) : (V || (V = /* @__PURE__ */ new WeakMap()), de(V, e, r, t));
+  }
+  return e;
+}, Ie = { normalizePublicKey: Pe, normalizePrivateKey: ke }, I = (e, t, r = 0) => {
+  r === 0 && (t.unshift(t.length), t.unshift(6));
+  const n = e.indexOf(t[0], r);
+  if (n === -1)
+    return false;
+  const i = e.subarray(n, n + t.length);
+  return i.length !== t.length ? false : i.every((s, o) => s === t[o]) || I(e, t, n + 1);
+}, Q = (e) => {
+  switch (true) {
+    case I(e, [42, 134, 72, 206, 61, 3, 1, 7]):
+      return "P-256";
+    case I(e, [43, 129, 4, 0, 34]):
+      return "P-384";
+    case I(e, [43, 129, 4, 0, 35]):
+      return "P-521";
+    case I(e, [43, 101, 110]):
+      return "X25519";
+    case I(e, [43, 101, 111]):
+      return "X448";
+    case I(e, [43, 101, 112]):
+      return "Ed25519";
+    case I(e, [43, 101, 113]):
+      return "Ed448";
+    default:
+      throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
+  }
+}, le = async (e, t, r, n, i) => {
+  let s, o;
+  const l = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), f = t === "spki";
+  switch (n) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      s = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      s = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      s = {
+        name: "RSA-OAEP",
+        hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
+      }, o = f ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+      break;
+    case "ES256":
+      s = { name: "ECDSA", namedCurve: "P-256" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ES384":
+      s = { name: "ECDSA", namedCurve: "P-384" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ES512":
+      s = { name: "ECDSA", namedCurve: "P-521" }, o = f ? ["verify"] : ["sign"];
+      break;
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW": {
+      const p = Q(l);
+      s = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, o = f ? [] : ["deriveBits"];
+      break;
+    }
+    case "EdDSA":
+      s = { name: Q(l) }, o = f ? ["verify"] : ["sign"];
+      break;
+    default:
+      throw new b('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return F.subtle.importKey(t, l, s, false, o);
+}, Te = (e, t, r) => le(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Re = (e, t, r) => le(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
+async function Ee(e, t, r) {
+  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
+    throw new TypeError('"spki" must be SPKI formatted string');
+  return Re(e, t);
+}
+async function Oe(e, t, r) {
+  if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
+    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+  return Te(e, t);
+}
+async function Z(e, t) {
+  if (!x(e))
+    throw new TypeError("JWK must be an object");
+  switch (t || (t = e.alg), e.kty) {
+    case "oct":
+      if (typeof e.k != "string" || !e.k)
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      return K(e.k);
+    case "RSA":
+      if (e.oth !== void 0)
+        throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+    case "EC":
+    case "OKP":
+      return oe({ ...e, alg: t });
+    default:
+      throw new b('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+const q = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ke = (e, t) => {
+  if (!(t instanceof Uint8Array)) {
+    if (!se(t))
+      throw new TypeError(ne(e, t, ...M, "Uint8Array"));
+    if (t.type !== "secret")
+      throw new TypeError(`${q(t)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, Ne = (e, t, r) => {
+  if (!se(t))
+    throw new TypeError(ne(e, t, ...M));
+  if (t.type === "secret")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (t.algorithm && r === "verify" && t.type === "private")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+  if (t.algorithm && r === "encrypt" && t.type === "private")
+    throw new TypeError(`${q(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+}, Ue = (e, t, r) => {
+  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ke(e, t) : Ne(e, t, r);
+};
+function xe(e, t, r, n, i) {
+  if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
+    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!n || n.crit === void 0)
+    return /* @__PURE__ */ new Set();
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
+    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let s;
+  s = t;
+  for (const o of n.crit) {
+    if (!s.has(o))
+      throw new b(`Extension Header Parameter "${o}" is not recognized`);
+    if (i[o] === void 0)
+      throw new e(`Extension Header Parameter "${o}" is missing`);
+    if (s.get(o) && n[o] === void 0)
+      throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
+  }
+  return new Set(n.crit);
+}
+function ze(e, t) {
+  const r = `SHA-${e.slice(-3)}`;
+  switch (e) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash: r, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash: r, name: "RSA-PSS", saltLength: e.slice(-3) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
+    case "EdDSA":
+      return { name: t.name };
+    default:
+      throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function We(e, t, r) {
+  if (t = await Ie.normalizePublicKey(t, e), re(t))
+    return Se(t, e, r), t;
+  if (t instanceof Uint8Array) {
+    if (!e.startsWith("HS"))
+      throw new TypeError(X(t, ...M));
+    return F.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, false, [r]);
+  }
+  throw new TypeError(X(t, ...M, "Uint8Array"));
+}
+const De = async (e, t, r, n) => {
+  const i = await We(e, t, "verify");
+  be(e, i);
+  const s = ze(e, i.algorithm);
+  try {
+    return await F.subtle.verify(s, i, r, n);
+  } catch {
+    return false;
+  }
+};
+async function He(e, t, r) {
+  if (!x(e))
+    throw new v("Flattened JWS must be an object");
+  if (e.protected === void 0 && e.header === void 0)
+    throw new v('Flattened JWS must have either of the "protected" or "header" members');
+  if (e.protected !== void 0 && typeof e.protected != "string")
+    throw new v("JWS Protected Header incorrect type");
+  if (e.payload === void 0)
+    throw new v("JWS Payload missing");
+  if (typeof e.signature != "string")
+    throw new v("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !x(e.header))
+    throw new v("JWS Unprotected Header incorrect type");
+  let n = {};
+  if (e.protected)
+    try {
+      const ue = K(e.protected);
+      n = JSON.parse(z.decode(ue));
+    } catch {
+      throw new v("JWS Protected Header is invalid");
+    }
+  if (!_e(n, e.header))
+    throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const i = {
+    ...n,
+    ...e.header
+  }, s = xe(v, /* @__PURE__ */ new Map([["b64", true]]), void 0, n, i);
+  let o = true;
+  if (s.has("b64") && (o = n.b64, typeof o != "boolean"))
+    throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: l } = i;
+  if (typeof l != "string" || !l)
+    throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  if (o) {
+    if (typeof e.payload != "string")
+      throw new v("JWS Payload must be a string");
+  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
+    throw new v("JWS Payload must be a string or an Uint8Array instance");
+  let f = false;
+  typeof t == "function" && (t = await t(n, e), f = true), Ue(l, t, "verify");
+  const p = ge(H.encode(e.protected ?? ""), H.encode("."), typeof e.payload == "string" ? H.encode(e.payload) : e.payload);
+  let P;
+  try {
+    P = K(e.signature);
+  } catch {
+    throw new v("Failed to base64url decode the signature");
+  }
+  if (!await De(l, t, P, p))
+    throw new me();
+  let W;
+  if (o)
+    try {
+      W = K(e.payload);
+    } catch {
+      throw new v("Failed to base64url decode the payload");
+    }
+  else typeof e.payload == "string" ? W = H.encode(e.payload) : W = e.payload;
+  const D = { payload: W };
+  return e.protected !== void 0 && (D.protectedHeader = n), e.header !== void 0 && (D.unprotectedHeader = e.header), f ? { ...D, key: t } : D;
+}
+async function Je(e, t, r) {
+  if (e instanceof Uint8Array && (e = z.decode(e)), typeof e != "string")
+    throw new v("Compact JWS must be a string or Uint8Array");
+  const { 0: n, 1: i, 2: s, length: o } = e.split(".");
+  if (o !== 3)
+    throw new v("Invalid Compact JWS");
+  const l = await He({ payload: i, protected: n, signature: s }, t), f = { payload: l.payload, protectedHeader: l.protectedHeader };
+  return typeof t == "function" ? { ...f, key: l.key } : f;
+}
+const he = K;
+function qe(e) {
+  let t;
+  if (typeof e == "string") {
+    const r = e.split(".");
+    (r.length === 3 || r.length === 5) && ([t] = r);
+  } else if (typeof e == "object" && e)
+    if ("protected" in e)
+      t = e.protected;
+    else
+      throw new TypeError("Token does not contain a Protected Header");
+  try {
+    if (typeof t != "string" || !t)
+      throw new Error();
+    const r = JSON.parse(z.decode(he(t)));
+    if (!x(r))
+      throw new Error();
+    return r;
+  } catch {
+    throw new TypeError("Invalid Token or Protected Header formatting");
+  }
+}
+function Me(e) {
+  if (typeof e != "string")
+    throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
+  const { 1: t, length: r } = e.split(".");
+  if (r === 5)
+    throw new E("Only JWTs using Compact JWS serialization can be decoded");
+  if (r !== 3)
+    throw new E("Invalid JWT");
+  if (!t)
+    throw new E("JWTs must contain a payload");
+  let n;
+  try {
+    n = he(t);
+  } catch {
+    throw new E("Failed to base64url decode the payload");
+  }
+  let i;
+  try {
+    i = JSON.parse(z.decode(n));
+  } catch {
+    throw new E("Failed to parse the decoded payload as JSON");
+  }
+  if (!x(i))
+    throw new E("Invalid JWT Claims Set");
+  return i;
+}
+const c = class c2 {
+  /**
+   * Returns a user-friendly name for the given flow strings.
+   * 
+   * The value returned is the one in `flowName`.
+   * @param flows the flows to return the names of
+   * @returns an array of strings
+   */
+  static flowNames(t) {
+    let r = {};
+    return t.forEach((n) => {
+      n in c2.flowName && (r[n] = c2.flowName[n]);
+    }), r;
+  }
+  /**
+   * Returns true if the given string is a valid flow name.
+   * @param flow the flow to check
+   * @returns true or false.
+   */
+  static isValidFlow(t) {
+    return c2.allFlows().includes(t);
+  }
+  /**
+   * Returns true only if all given strings are valid flows
+   * @param flows the flows to check
+   * @returns true or false.
+   */
+  static areAllValidFlows(t) {
+    let r = true;
+    return t.forEach((n) => {
+      c2.isValidFlow(n) || (r = false);
+    }), r;
+  }
+  static allFlows() {
+    return [
+      c2.AuthorizationCode,
+      c2.AuthorizationCodeWithPKCE,
+      c2.ClientCredentials,
+      c2.RefreshToken,
+      c2.DeviceCode,
+      c2.Password,
+      c2.PasswordMfa,
+      c2.OidcAuthorizationCode
+    ];
+  }
+  /**
+   * Returns the OAuth grant types that are valid for a given flow, or 
+   * `undefined` if it is not a valid flow.
+   * @param oauthFlow the flow to get the grant type for.
+   * @returns a {@link GrantType} value
+   */
+  static grantType(t) {
+    switch (t) {
+      case c2.AuthorizationCode:
+      case c2.AuthorizationCodeWithPKCE:
+      case c2.OidcAuthorizationCode:
+        return ["authorization_code"];
+      case c2.ClientCredentials:
+        return ["client_credentials"];
+      case c2.RefreshToken:
+        return ["refresh_token"];
+      case c2.Password:
+        return ["password"];
+      case c2.PasswordMfa:
+        return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
+      case c2.DeviceCode:
+        return ["urn:ietf:params:oauth:grant-type:device_code"];
+    }
+  }
+};
+a(c, "All", "all"), /** OAuth authorization code flow (without PKCE) */
+a(c, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
+a(c, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
+a(c, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
+a(c, "RefreshToken", "refreshToken"), /** OAuth device code flow */
+a(c, "DeviceCode", "deviceCode"), /** OAuth password flow */
+a(c, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
+a(c, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
+* PKCE.
+*/
+a(c, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
+* 
+* For example, if you pass "authorizationCode" 
+* (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
+*/
+a(c, "flowName", {
+  [c.AuthorizationCode]: "Authorization Code",
+  [c.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
+  [c.ClientCredentials]: "Client Credentials",
+  [c.RefreshToken]: "Refresh Token",
+  [c.DeviceCode]: "Device Code",
+  [c.Password]: "Password",
+  [c.PasswordMfa]: "Password MFA",
+  [c.OidcAuthorizationCode]: "OIDC Authorization Code"
+});
+var w, S, N, T, R;
+class Be {
+  /**
+   * Constructor.
+   * 
+   * @param options options:
+   *      - `authServerBaseUrl` the base URI for OAuth calls.  This is
+   *        the value in the isser field of a JWT.  The client will
+   *        reject any JWTs that are not from this issuer.
+   *      - `client_id` the client ID for this client.
+   *      - `redriectUri` when making OAuth calls, this value is put
+   *        in the redirect_uri field.
+   *      - `number` of characters (before base64-url-encoding) for generating
+   *        state values in OAuth calls.
+   *      - `verifierLength` of characters (before base64-url-encoding) for
+   *        generating PKCE values in OAuth calls.
+   *      - `tokenConsumer` to keep this class independent of frontend 
+   *        and backend specific funtionality (eg classes not available
+   *        in browsers), the token consumer, which determines if a token
+   *        is valid or not, is abstracted out.
+   *      - authServerCredentials credentials flag for fetch calls to the
+   *        authorization server
+   *      - authServerMode mode flag for fetch calls to the 
+   *        authorization server
+   *      - authServerHeaders headers flag for calls to the
+   *        authorization server
+   *      - `receiveTokensFn` if defined, this will be called when tokens
+   *        are received
+   */
+  constructor({
+    authServerBaseUrl: t,
+    client_id: r,
+    client_secret: n,
+    redirect_uri: i,
+    codeChallengeMethod: s,
+    stateLength: o,
+    verifierLength: l,
+    tokenConsumer: f,
+    authServerCredentials: p,
+    authServerMode: P,
+    authServerHeaders: U
+  }) {
+    a(this, "authServerBaseUrl", "");
+    O(this, w);
+    O(this, S);
+    O(this, N);
+    a(this, "codeChallengeMethod", "S256");
+    O(this, T);
+    a(this, "verifierLength", 32);
+    a(this, "redirect_uri");
+    O(this, R, "");
+    a(this, "stateLength", 32);
+    a(this, "authzCode", "");
+    a(this, "oidcConfig");
+    a(this, "tokenConsumer");
+    a(this, "authServerHeaders", {});
+    a(this, "authServerMode");
+    a(this, "authServerCredentials");
+    this.tokenConsumer = f, this.authServerBaseUrl = t, l && (this.verifierLength = l), o && (this.stateLength = o), r && _(this, w, r), n && _(this, S, n), i && (this.redirect_uri = i), s && (this.codeChallengeMethod = s), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), P && (this.authServerMode = P), U && (this.authServerHeaders = U);
+  }
+  set client_id(t) {
+    _(this, w, t);
+  }
+  set client_secret(t) {
+    _(this, S, t);
+  }
+  set codeVerifier(t) {
+    _(this, T, t);
+  }
+  set codeChallenge(t) {
+    _(this, N, t);
+  }
+  set state(t) {
+    _(this, R, t);
+  }
+  /**
+   * Loads OpenID Connect configuration so that the client can determine
+   * the URLs it can call and the features the authorization server provides.
+   * 
+   * @param oidcConfig if defined, loadsa the config from this object.
+   *        Otherwise, performs a fetch by appending
+   *        `/.well-known/openid-configuration` to the 
+   *        `authServerBaseUrl`.
+   * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
+   *   - `Connection` if data from the URL could not be fetched or parsed.
+   */
+  async loadConfig(t) {
+    if (t) {
+      d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
+      return;
+    }
+    let r;
+    try {
+      const n = new URL(
+        this.authServerBaseUrl + "/.well-known/openid-configuration"
+      );
+      d.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
+      let i = { headers: this.authServerHeaders };
+      this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
+    } catch (n) {
+      d.logger.error(h({ err: n }));
+    }
+    if (!r || !r.ok)
+      throw new g(
+        y.Connection,
+        "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
+      );
+    this.oidcConfig = { ...te };
+    try {
+      const n = await r.json();
+      for (const [i, s] of Object.entries(n))
+        this.oidcConfig[i] = s;
+    } catch {
+      throw new g(
+        y.Connection,
+        "Unrecognized response from OIDC configuration endpoint"
+      );
+    }
+  }
+  getOidcConfig() {
+    return this.oidcConfig;
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Authorization Code Flow
+  /**
+   * Starts the authorizatuin code flow, optionally with PKCE.
+   * 
+   * Doesn't actually call the endpoint but rather returns its URL
+   * 
+   * @param scope optionally specify the scopes to ask the user to
+   *        authorize (space separated, non URL-encoded)
+   * @param pkce if true, initiate the Authorization Code Flow with PKCE,
+   *        otherwiswe without PKCE.
+   * @returns an object with
+   *          - `url` - the full `authorize` URL to fetch, if there was no
+   *            error, undefined otherwise
+   *          - `error` OAuth error if there was an error, undefined
+   *            otherwise.  See OAuth specification for authorize endpoint
+   *          - `error_description` friendly error message or undefined
+   *            if no error
+   */
+  async startAuthorizationCodeFlow(t, r = false) {
+    var s, o, l;
+    if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.response_types_supported.includes("code")) || !((o = this.oidcConfig) != null && o.response_modes_supported.includes("query")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support authorization code flow"
+      };
+    if (!((l = this.oidcConfig) != null && l.authorization_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get authorize endpoint"
+      };
+    if (_(this, R, this.randomValue(this.stateLength)), !u(this, w)) return {
+      error: "invalid_request",
+      error_description: "Cannot make authorization code flow without client id"
+    };
+    if (!this.redirect_uri) return {
+      error: "invalid_request",
+      error_description: "Cannot make authorization code flow without Redirect Uri"
+    };
+    let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(u(this, w)) + "&state=" + encodeURIComponent(u(this, R)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    return t && (i += "&scope=" + encodeURIComponent(t)), r && (_(this, T, this.randomValue(this.verifierLength)), _(this, N, this.codeChallengeMethod == "plain" ? u(this, T) : await this.sha256(u(this, T))), i += "&code_challenge=" + u(this, N)), { url: i };
+  }
+  /**
+   * This implements the functionality behind the redirect URI
+   * 
+   * Does not throw exceptions.
+   *
+   * If an error wasn't reported,  a POST request to the `token` endpoint with 
+   * the authorization code to get an access token, etc.  If there was 
+   * an error, this is just passed through without calling and further
+   * endpoints.
+   * 
+   * @param code the authorization code
+   * @param state the random state variable
+   * @param error if defined, it will be returned as an error.  This is
+   *              for cascading errors from previous requests.
+   * @param errorDescription if error is defined, this text is returned
+   *        as the `error_description`  It is set to `Unknown error` 
+   *        otherwise
+   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+   *          request, or `error` and `error_description`.
+   */
+  async redirectEndpoint(t, r, n, i) {
+    var p, P;
+    if (this.oidcConfig || await this.loadConfig(), n || !t)
+      return n || (n = "server_error"), i || (i = "Unknown error"), { error: n, error_description: i };
+    if (u(this, R) && r != u(this, R))
+      return { error: "access_denied", error_description: "State is not valid" };
+    if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support authorization code grant"
+      };
+    if (!((P = this.oidcConfig) != null && P.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const s = this.oidcConfig.token_endpoint;
+    let o, l;
+    o = "authorization_code", l = u(this, S);
+    let f = {
+      grant_type: o,
+      client_id: u(this, w),
+      code: this.authzCode
+    };
+    l && (f.client_secret = l), f.code_verifier = u(this, T);
+    try {
+      return this.post(s, f, this.authServerHeaders);
+    } catch (U) {
+      return d.logger.error(h({ err: U })), {
+        error: "server_error",
+        error_description: "Unable to get access token from server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Client Credentials Flow
+  /**
+   * Performs the client credentials flow.
+   * 
+   * Does not throw exceptions.
+   * 
+   * Makes a POST request to the `token` endpoint with the
+   * authorization code to get an access token, etc.
+   * 
+   * @param scope the scopes to authorize for the client (optional)
+   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+   *          request, or `error` and `error_description`.
+   */
+  async clientCredentialsFlow(t) {
+    var i, s;
+    if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support client credentials grant"
+      };
+    if (!((s = this.oidcConfig) != null && s.token_endpoint))
+      return { error: "server_error", error_description: "Cannot get token endpoint" };
+    if (!u(this, w)) return {
+      error: "invalid_request",
+      error_description: "Cannot make client credentials flow without client id"
+    };
+    const r = this.oidcConfig.token_endpoint;
+    let n = {
+      grant_type: "client_credentials",
+      client_id: u(this, w),
+      client_secret: u(this, S)
+    };
+    t && (n.scope = t);
+    try {
+      return await this.post(r, n, this.authServerHeaders);
+    } catch (o) {
+      return d.logger.error(h({ err: o })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Password and Password MFA Flows
+  /** Initiates the Password Flow.
+   * 
+   * Does not throw exceptions.
+   * 
+   * @param username the username
+   * @param password the user's password
+   * @param scope the scopes to authorize (optional)
+   * @returns An {@link OAuthTokenResponse} which may contain data or
+   * the OAuth error fields.  If 2FA is enabled for this user on the
+   * authorization server, the Password MFA flow is followed.  See
+   * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
+   * 
+   */
+  async passwordFlow(t, r, n) {
+    var o, l;
+    if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("password")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const i = this.oidcConfig.token_endpoint;
+    let s = {
+      grant_type: "password",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      username: t,
+      password: r
+    };
+    n && (s.scope = n);
+    try {
+      return await this.post(i, s, this.authServerHeaders);
+    } catch (f) {
+      return d.logger.error(h({ err: f })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /** Request valid authenticators using the Password MFA flow, 
+   * after the Password flow has been initiated.
+   * 
+   * Does not throw exceptions.
+   * 
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @returns Either
+   *   - authenticators an array of {@link MfaAuthenticatorResponse} objects,
+   *     as per Auth0's Password MFA documentation
+   *   - an `error` and `error_description`, also as per Auth0's Password MFA 
+   *     documentation
+   */
+  async mfaAuthenticators(t) {
+    var s, o, l;
+    if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
+    if (!Array.isArray(n))
+      return {
+        error: "server_error",
+        error_description: "Expected array of authenticators in mfa/authenticators response"
+      };
+    let i = [];
+    for (let f = 0; f < n.length; ++f) {
+      const p = n[f];
+      if (!p.id || !p.authenticator_type || !p.active)
+        return {
+          error: "server_error",
+          error_description: "Invalid mfa/authenticators response"
+        };
+      i.push({
+        id: p.id,
+        authenticator_type: p.authenticator_type,
+        active: p.active,
+        name: p.name,
+        oob_channel: p.oob_channel
+      });
+    }
+    return { authenticators: i };
+  }
+  /** 
+   * This is part of the Auth0 Password MFA flow.  Once the client has
+   * received a list of valid authenticators, if it wishes to initiate
+   * OTP, call this function
+   * 
+   * Does not throw exceptions.
+   * 
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param authenticatorId the authenticator ID, as returned in the response
+   * from the `mfaAuthenticators` request.
+   */
+  async mfaOtpRequest(t, r) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      authenticator_id: r
+    }, this.authServerHeaders);
+    return i.challenge_type != "otp" ? {
+      error: i.error ?? "server_error",
+      error_description: i.error_description ?? "Invalid OTP challenge response"
+    } : i;
+  }
+  /**
+   * Completes the Password MFA OTP flow.
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param otp the OTP entered by the user
+   * @returns an object with some of the following fields, depending on
+   *          authorization server configuration and whether there were
+   *          errors:
+   *   - `access_token` an OAuth access token
+   *   - `refresh_token` an OAuth access token
+   *   - `id_token` an OpenID Connect ID token
+   *   - `expires_in` number of seconds when the access token expires
+   *   - `scope` the scopes the user authorized
+   *   - `token_type` the OAuth token type
+   *   - `error` as per Auth0 Password MFA documentation
+   *   - `error_description` friendly error message
+   */
+  async mfaOtpComplete(t, r, n) {
+    var o, l;
+    if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((l = this.oidcConfig) != null && l.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const i = this.oidcConfig.token_endpoint, s = await this.post(i, {
+      grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      otp: r,
+      scope: n
+    }, this.authServerHeaders);
+    return {
+      id_token: s.id_token,
+      access_token: s.access_token,
+      refresh_token: s.refresh_token,
+      expires_in: Number(s.expires_in),
+      scope: s.scope,
+      token_type: s.token_type,
+      error: s.error,
+      error_description: s.error_description
+    };
+  }
+  /** 
+   * This is part of the Auth0 Password MFA flow.  Once the client has
+   * received a list of valid authenticators, if it wishes to initiate
+   * OOB (out of band) login, call this function
+   * 
+   * Does not throw exceptions.
+   * 
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param authenticatorId the authenticator ID, as returned in the response
+   * from the `mfaAuthenticators` request.
+   * @returns an object with one or more of the following defined:
+   *   - `challenge_type` as per the Auth0 MFA documentation
+   *   - `oob_code` as per the Auth0 MFA documentation
+   *   - `binding_method` as per the Auth0 MFA documentation
+   *   - `error` as per Auth0 Password MFA documentation
+   *   - `error_description` friendly error message
+   */
+  async mfaOobRequest(t, r) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "oob",
+      mfa_token: t,
+      authenticator_id: r
+    }, this.authServerHeaders);
+    return i.challenge_type != "oob" || !i.oob_code || !i.binding_method ? { error: i.error ?? "server_error", error_description: i.error_description ?? "Invalid OOB challenge response" } : {
+      challenge_type: i.challenge_type,
+      oob_code: i.oob_code,
+      binding_method: i.binding_method,
+      error: i.error,
+      error_description: i.error_description
+    };
+  }
+  /**
+   * Completes the Password MFA OTP flow.
+   * 
+   * Does not throw exceptions.
+   * 
+   * @param mfaToken the MFA token that was returned by the authorization
+   *        server in the response from the Password Flow.
+   * @param oobCode the code entered by the user
+   * @returns an {@link OAuthTokenResponse} object, which may contain
+   *          an error instead of the response fields.
+   */
+  async mfaOobComplete(t, r, n, i) {
+    var l, f;
+    if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((l = this.oidcConfig) != null && l.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support password_mfa grant"
+      };
+    if (!((f = this.oidcConfig) != null && f.issuer))
+      return { error: "server_error", error_description: "Cannot get issuer" };
+    const s = this.oidcConfig.token_endpoint, o = await this.post(s, {
+      grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      challenge_type: "otp",
+      mfa_token: t,
+      oob_code: r,
+      binding_code: n,
+      scope: i
+    }, this.authServerHeaders);
+    return o.error ? {
+      error: o.error,
+      error_description: o.error_description
+    } : {
+      id_token: o.id_token,
+      access_token: o.access_token,
+      refresh_token: o.refresh_token,
+      expires_in: "expires_in" in o ? Number(o.expires_in) : void 0,
+      scope: o.scope,
+      token_type: o.token_type
+    };
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Refresh Token Flow
+  async refreshTokenFlow(t) {
+    var s, o;
+    if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("refresh_token")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support refresh_token grant"
+      };
+    if (!((o = this.oidcConfig) != null && o.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const r = this.oidcConfig.token_endpoint;
+    let n;
+    n = u(this, S);
+    let i = {
+      grant_type: "refresh_token",
+      refresh_token: t,
+      client_id: u(this, w)
+    };
+    n && (i.client_secret = n);
+    try {
+      return await this.post(r, i, this.authServerHeaders);
+    } catch (l) {
+      return d.logger.error(h({ err: l })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  //////////////////////////////////////////////////////////////////////
+  // Device Code Flow
+  /**
+   * Starts the Device Code Flow on the primary device (the one wanting an access token)
+   * @param url The URl for the device_authorization endpoint, as it is not defined in the OIDC configuration
+   * @param scope optional scope to request authorization for
+   * @returns See {@link OAuthDeviceAuthorizationResponse}
+   */
+  async startDeviceCodeFlow(t, r) {
+    var i;
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support device code grant"
+      };
+    let n = {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      client_id: u(this, w),
+      client_secret: u(this, S)
+    };
+    r && (n.scope = r);
+    try {
+      return await this.post(t, n, this.authServerHeaders);
+    } catch (s) {
+      return d.logger.error(h({ err: s })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /**
+   * Polls the device endpoint to check if the device code flow has been
+   * authorized by the user.
+   * 
+   * @param deviceCode the device code to poll
+   * @returns See {@link OAuthDeviceResponse}
+   */
+  async pollDeviceCodeFlow(t) {
+    var n, i, s;
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+      return {
+        error: "invalid_request",
+        error_description: "Server does not support device code grant"
+      };
+    if (!((i = this.oidcConfig) != null && i.token_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    let r = {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      client_id: u(this, w),
+      client_secret: u(this, S),
+      device_code: t
+    };
+    try {
+      const o = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, r, this.authServerHeaders);
+      return o.error, o;
+    } catch (o) {
+      return d.logger.error(h({ err: o })), {
+        error: "server_error",
+        error_description: "Error connecting to authorization server"
+      };
+    }
+  }
+  /**
+   * Makes a POST request to the given URL using `fetch()`.
+   * 
+   * @param url the URL to fetch
+   * @param params the body parameters, which are passed as JSON.
+   * @returns the parsed JSON response as an object.
+   * @throws any exception raised by `fetch()`
+   */
+  async post(t, r, n = {}) {
+    d.logger.debug(h({
+      msg: "Fetch POST",
+      url: t,
+      params: Object.keys(r)
+    }));
+    let i = {};
+    return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(t, {
+      method: "POST",
+      ...i,
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json",
+        ...n
+      },
+      body: JSON.stringify(r)
+    })).json();
+  }
+  /**
+   * Makes a GET request to the given URL using `fetch()`.
+   * 
+   * @param url the URL to fetch
+   * @param headers any headers to add to the request
+   * @returns the parsed JSON response as an object.
+   * @throws any exception raised by `fetch()`
+   */
+  async get(t, r = {}) {
+    d.logger.debug(h({ msg: "Fetch GET", url: t }));
+    let n = {};
+    return this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), await (await fetch(t, {
+      method: "GET",
+      ...n,
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json",
+        ...r
+      }
+    })).json();
+  }
+  /**
+   * Validates an OpenID ID token, returning undefined if it is invalid.
+   * 
+   * Does not raise exceptions.
+   * 
+   * @param token the token to validate.  To be valid, the signature must
+   *        be valid and the `type` claim in the payload must be set to `id`.
+   * @returns the parsed payload or undefined if the token is invalid.
+   */
+  async validateIdToken(t) {
+    try {
+      return await this.tokenConsumer.tokenAuthorized(t, "id");
+    } catch {
+      return;
+    }
+  }
+  /**
+   * Validatesd a token using the token consumer.
+   * 
+   * @param idToken the token to validate
+   * @returns the parsed JSON of the payload, or undefinedf if it is not
+   * valid.
+   */
+  async idTokenAuthorized(t) {
+    try {
+      return await this.tokenConsumer.tokenAuthorized(t, "id");
+    } catch (r) {
+      d.logger.warn(h({ err: r }));
+      return;
+    }
+  }
+  getTokenPayload(t) {
+    return Me(t);
+  }
+}
+w = /* @__PURE__ */ new WeakMap(), S = /* @__PURE__ */ new WeakMap(), N = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), R = /* @__PURE__ */ new WeakMap();
+class Le {
+  /**
+   * Constrctor
+   * 
+   * @param audience : this is the value expected in the `aud` field
+   *        of the JWT.  The token is rejected if it doesn't match.
+   * @param options See {@link OAuthTokenConsumerBaseOptions}.
+   */
+  constructor(t, r = {}) {
+    a(this, "audience");
+    a(this, "jwtKeyType");
+    a(this, "jwtSecretKey");
+    a(this, "jwtPublicKey");
+    a(this, "clockTolerance", 10);
+    a(this, "authServerBaseUrl", "");
+    a(this, "oidcConfig");
+    a(this, "keys", {});
+    if (this.audience = t, r.authServerBaseUrl && (this.authServerBaseUrl = r.authServerBaseUrl), r.jwtKeyType && (this.jwtKeyType = r.jwtKeyType), r.jwtSecretKey && (this.jwtSecretKey = r.jwtSecretKey), r.jwtPublicKey && (this.jwtPublicKey = r.jwtPublicKey), r.clockTolerance && (this.clockTolerance = r.clockTolerance), r.oidcConfig && (this.oidcConfig = r.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
+      throw new g(
+        y.Configuration,
+        "If specifying jwtPublic key, must also specify jwtKeyType"
+      );
+  }
+  /**
+   * This loads keys either from the ones passed in the constructor
+   * or by fetching from the authorization server.
+   * 
+   * Note that even if you pass the keys to the constructor, you must
+   * still call this function.  This is because key loading is
+   * asynchronous, and constructors may not be async.
+   */
+  async loadKeys() {
+    try {
+      if (this.jwtSecretKey) {
+        if (!this.jwtKeyType)
+          throw new g(
+            y.Configuration,
+            "Must specify jwtKeyType if setting jwtSecretKey"
+          );
+        this.keys._default = await Oe(this.jwtSecretKey, this.jwtKeyType);
+      } else if (this.jwtPublicKey) {
+        if (!this.jwtKeyType)
+          throw new g(
+            y.Configuration,
+            "Must specify jwtKeyType if setting jwtPublicKey"
+          );
+        const t = await Ee(this.jwtPublicKey, this.jwtKeyType);
+        this.keys._default = t;
+      } else {
+        if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
+          throw new g(
+            y.Connection,
+            "Load OIDC config before Jwks"
+          );
+        await this.loadJwks();
+      }
+    } catch (t) {
+      throw d.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
+    }
+  }
+  /**
+   * Loads OpenID Connect configuration, or fetches it from the 
+   * authorization server (using the well-known enpoint appended
+   * to `authServerBaseUrl` )
+   * @param oidcConfig the configuration, or undefined to load it from
+   *        the authorization server
+   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+   *   - `Connection` if the fetch to the authorization server failed.
+   */
+  async loadConfig(t) {
+    if (t) {
+      this.oidcConfig = t;
+      return;
+    }
+    if (!this.authServerBaseUrl)
+      throw new g(y.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
+    let r;
+    try {
+      r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
+    } catch (n) {
+      d.logger.error(h({ err: n }));
+    }
+    if (!r || !r.ok)
+      throw new g(y.Connection, "Couldn't get OIDC configuration");
+    this.oidcConfig = { ...te };
+    try {
+      const n = await r.json();
+      for (const [i, s] of Object.entries(n))
+        this.oidcConfig[i] = s;
+    } catch {
+      throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
+    }
+  }
+  /**
+   * Loads the JWT signature validation keys, or fetches them from the 
+   * authorization server (using the URL in the OIDC configuration).
+   * @param jwks the keys to load, or undefined to fetch them from
+   *        the authorization server.
+   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+   *   - `Connection` if the fetch to the authorization server failed,
+   *     the OIDC configuration wasn't set or the keys could not be parsed.
+   */
+  async loadJwks(t) {
+    if (t) {
+      this.keys = {};
+      for (let r = 0; r < t.keys.length; ++r) {
+        const n = t.keys[r];
+        this.keys[n.kid ?? "_default"] = await Z(t.keys[r]);
+      }
+    } else {
+      if (!this.oidcConfig)
+        throw new g(y.Connection, "Load OIDC config before Jwks");
+      let r;
+      try {
+        r = await fetch(new URL(this.oidcConfig.jwks_uri));
+      } catch (n) {
+        d.logger.error(h({ err: n }));
+      }
+      if (!r || !r.ok)
+        throw new g(y.Connection, "Couldn't get OIDC configuration");
+      this.keys = {};
+      try {
+        const n = await r.json();
+        if (!("keys" in n) || !Array.isArray(n.keys))
+          throw new g(y.Connection, "Couldn't fetch keys");
+        for (let i = 0; i < n.keys.length; ++i)
+          try {
+            let s = "_default";
+            "kid" in n.keys[i] && typeof n.keys[i] == "string" && (s = String(n.keys[i]));
+            const o = await Z(n.keys[i]);
+            this.keys[s] = o;
+          } catch (s) {
+            throw d.logger.error(h({ err: s })), new g(y.Connection, "Couldn't load keys");
+          }
+      } catch (n) {
+        throw d.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
+      }
+    }
+  }
+  /**
+   * Returns JWT payload if the token is valid, undefined otherwise.
+   * 
+   * Doesn't throw exceptions.
+   * 
+   * @param token the token to validate
+   * @param tokenType either `access`, `refresh` or `id`.  If the
+   *        `type` field in the JWT payload doesn't match this, validation
+   *        fails.
+   * @returns the JWT payload if the token is valid, `undefined` otherwise.
+   */
+  async tokenAuthorized(t, r) {
+    (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
+    const n = await this.validateToken(t);
+    if (n) {
+      if (n.type != r && d.logger.error(h({ msg: r + " expected but got " + n.type })), n.iss != this.authServerBaseUrl) {
+        d.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+        return;
+      }
+      if (n.aud && (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience)) {
+        d.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+        return;
+      }
+      return n;
+    }
+  }
+  async validateToken(t) {
+    (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
+    let r;
+    try {
+      r = qe(t).kid;
+    } catch {
+      d.logger.warn(h({ msg: "Invalid access token format" }));
+      return;
+    }
+    let n;
+    "_default" in this.keys && (n = this.keys._default);
+    for (let i in this.keys)
+      if (r == i) {
+        n = this.keys[i];
+        break;
+      }
+    if (!n) {
+      d.logger.warn(h({ msg: "No matching keys found for access token" }));
+      return;
+    }
+    try {
+      const { payload: i } = await Je(t, n), s = JSON.parse(new TextDecoder().decode(i));
+      if (s.exp * 1e3 < Date.now() + this.clockTolerance) {
+        d.logger.warn(h({ msg: "Access token has expired" }));
+        return;
+      }
+      return s;
+    } catch {
+      d.logger.warn(h({ msg: "Access token did not validate" }));
+      return;
+    }
+  }
+}
+const TOLERANCE_SECONDS = 30;
+const AUTOREFRESH_RETRIES = 2;
+const AUTOREFRESH_RETRY_INTERVAL_SECS = 30;
+class OAuthAutoRefresher {
+  /**
+   * Constructor
+   * 
+   * @param options
+   *   - `autoRefreshUrl` the URL to call to perform the refresh  Default is `/autorefresh`
+   *   - `csrfHeader` the header to put CSRF tokens into 
+   *        (default `X-CROSSAUTH-CSRF`))
+   *   - `mode` overrides the default `mode` in fetch calls
+   *   - `credentials` - overrides the default `credentials` for fetch calls
+   *   - `headers` - adds headers to fetfh calls
+   *   - `tokenProvider` - class for fetching tokens and adding them to requests
+   */
+  constructor(options) {
+    __publicField(this, "autoRefreshUrl", "/autorefresh");
+    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
+    __publicField(this, "headers", {});
+    __publicField(this, "autoRefreshActive", false);
+    __publicField(this, "mode", "cors");
+    __publicField(this, "credentials", "same-origin");
+    __publicField(this, "tokenProvider");
+    this.tokenProvider = options.tokenProvider;
+    this.autoRefreshUrl = options.autoRefreshUrl;
+    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
+    if (options.headers) this.headers = options.headers;
+    if (options.mode) this.mode = options.mode;
+    if (options.credentials) this.credentials = options.credentials;
+  }
+  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
+    if (!this.autoRefreshActive) {
+      this.autoRefreshActive = true;
+      d.logger.debug(h({ msg: "Starting auto refresh" }));
+      await this.scheduleAutoRefresh(tokensToFetch, errorFn);
+    }
+  }
+  stopAutoRefresh() {
+    this.autoRefreshActive = false;
+    d.logger.debug(h({ msg: "Stopping auto refresh" }));
+  }
+  async scheduleAutoRefresh(tokensToFetch, errorFn) {
+    const csrfTokenPromise = this.tokenProvider.getCsrfToken();
+    const csrfToken = csrfTokenPromise ? await csrfTokenPromise : void 0;
+    const expiries = await this.tokenProvider.getTokenExpiries([...tokensToFetch, "refresh"], csrfToken);
+    if (expiries.refresh == void 0) {
+      d.logger.debug(h({ msg: `No refresh token found` }));
+      return;
+    }
+    const now = Date.now();
+    let tokenExpiry = expiries.id;
+    if (!tokenExpiry || expiries.access && expiries.access < tokenExpiry) tokenExpiry = expiries.access;
+    if (!tokenExpiry) {
+      d.logger.debug(h({ msg: `No tokens expire` }));
+      return;
+    }
+    const renewTime = tokenExpiry * 1e3 - now - TOLERANCE_SECONDS;
+    if (renewTime < 0) {
+      d.logger.debug(h({ msg: `Expiry time has passed` }));
+      return;
+    }
+    if (expiries.refresh && expiries.refresh - TOLERANCE_SECONDS < renewTime) {
+      d.logger.debug(h({ msg: `Refresh token has expired` }));
+      return;
+    }
+    let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+    d.logger.debug(h({ msg: `Waiting ${renewTime} before refreshing tokens` }));
+    await wait(renewTime);
+    await this.autoRefresh(tokensToFetch, csrfToken, errorFn);
+  }
+  async autoRefresh(tokensToFetch, csrfToken, errorFn) {
+    if (this.autoRefreshActive) {
+      let reply = void 0;
+      let success = false;
+      let tries = 0;
+      while (!success && tries <= AUTOREFRESH_RETRIES) {
+        try {
+          let headers = { ...this.headers };
+          if (csrfToken) {
+            headers[this.csrfHeader] = csrfToken;
+          }
+          d.logger.debug(h({ msg: `Initiating auto refresh` }));
+          const resp = await this.tokenProvider.jsonFetchWithToken(
+            this.autoRefreshUrl,
+            {
+              method: "POST",
+              headers: {
+                "Accept": "application/json",
+                "Content-Type": "application/json",
+                ...headers
+              },
+              mode: this.mode,
+              credentials: this.credentials,
+              body: {
+                csrfToken
+              }
+            },
+            "refresh"
+          );
+          if (!resp.ok) {
+            d.logger.error(h({ msg: "Failed auto refreshing tokens", status: resp.status }));
+          }
+          reply = await resp.json();
+          if (reply == null ? void 0 : reply.ok) {
+            await this.scheduleAutoRefresh(tokensToFetch, errorFn);
+            success = true;
+            try {
+              await this.tokenProvider.receiveTokens(reply);
+            } catch (e) {
+              const cerr = g.asCrossauthError(e);
+              if (errorFn) {
+                errorFn("Couldn't receive tokens", cerr);
+              } else {
+                d.logger.debug(h({ err: e }));
+                d.logger.error(h({ msg: "Error receiving tokens", cerr }));
+              }
+            }
+          } else {
+            if (tries < AUTOREFRESH_RETRIES) {
+              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRY_INTERVAL_SECS} seconds` }));
+              let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+              await wait(AUTOREFRESH_RETRY_INTERVAL_SECS * 1e3);
+            } else {
+              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
+              if (errorFn) {
+                errorFn("Failed auto refreshing tokens");
+              }
+            }
+            tries++;
+          }
+        } catch (e) {
+          const ce2 = g.asCrossauthError(e);
+          d.logger.debug(h({ err: ce2 }));
+          if (tries < AUTOREFRESH_RETRIES) {
+            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRIES} seconds` }));
+            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+            await wait(AUTOREFRESH_RETRY_INTERVAL_SECS);
+          } else {
+            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
+            if (errorFn) {
+              errorFn(ce2.message, ce2);
+            }
+          }
+          tries++;
+        }
+      }
+    }
+  }
+}
+class OAuthDeviceCodePoller {
+  /**
+   * Constructor
+   * 
+   * @param options
+   *   - `deviceCodePollUrl` the URL to call to poll for authorization.  Default `/devicecodepoll`
+   *   - `mode` overrides the default `mode` in fetch calls
+   *   - `credentials` - overrides the default `credentials` for fetch calls
+   *   - `headers` - adds headers to fetfh calls
+   */
+  constructor(options) {
+    __publicField(this, "deviceCodePollUrl", "/devicecodepoll");
+    __publicField(this, "headers", {});
+    __publicField(this, "pollingActive", false);
+    __publicField(this, "mode", "cors");
+    __publicField(this, "credentials", "same-origin");
+    __publicField(this, "respectRedirect", true);
+    __publicField(this, "oauthClient");
+    this.oauthClient = options.oauthClient;
+    if (options.deviceCodePollUrl != void 0) this.deviceCodePollUrl = options.deviceCodePollUrl;
+    if (options.headers) this.headers = options.headers;
+    if (options.mode) this.mode = options.mode;
+    if (options.credentials) this.credentials = options.credentials;
+  }
+  async startPolling(deviceCode, pollResultFn, interval = 5) {
+    if (!this.pollingActive) {
+      this.pollingActive = true;
+      d.logger.debug(h({ msg: "Starting auto refresh" }));
+      await this.poll(deviceCode, interval, pollResultFn);
+    }
+  }
+  stopPolling() {
+    this.pollingActive = false;
+    d.logger.debug(h({ msg: "Stopping auto refresh" }));
+  }
+  async poll(deviceCode, interval, pollResultFn) {
+    var _a;
+    if (!deviceCode) {
+      d.logger.debug(h({ msg: "device code poll: no device code provided" }));
+      pollResultFn("error", "Error waiting for authorization");
+    } else {
+      try {
+        d.logger.debug(h({ msg: "device code poll: poll" }));
+        if (!this.deviceCodePollUrl && this.oauthClient) {
+          if (!this.oauthClient.getOidcConfig()) await this.oauthClient.loadConfig();
+          if (!((_a = this.oauthClient.getOidcConfig()) == null ? void 0 : _a.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))) {
+            return {
+              error: "invalid_request",
+              error_description: "Server does not support password_mfa grant"
+            };
+          }
+          let config = this.oauthClient.getOidcConfig();
+          if (!(config == null ? void 0 : config.token_endpoint)) return {
+            error: "server_error",
+            error_description: "Couldn't get OIDC configuration"
+          };
+          this.deviceCodePollUrl = config.token_endpoint;
+        }
+        if (!this.deviceCodePollUrl) {
+          return {
+            error: "server_error",
+            error_description: "Must either provide deviceCodePollUrl or an oauthClient to fetch it from"
+          };
+        }
+        const resp = await fetch(this.deviceCodePollUrl, {
+          method: "POST",
+          body: JSON.stringify({ device_code: deviceCode }),
+          headers: { "content-type": "application/json" }
+        });
+        if (resp.redirected) {
+          this.pollingActive = false;
+          if (resp.redirected) {
+            pollResultFn("completeAndRedirect", void 0, resp.url);
+          }
+        } else if (!resp.ok) {
+          this.pollingActive = false;
+          pollResultFn("error", "Received an error from the authorization server");
+        } else {
+          const body = await resp.json();
+          d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(body) }));
+          if (body.error == "expired_token") {
+            this.pollingActive = false;
+            pollResultFn("expired_token", "Timeout waiting for authorization");
+          } else if (body.error == "authorization_pending" || body.error == "slow_down") {
+            if (body.error == "slow_down") interval += 5;
+            let waitseconds = body.interval ?? interval;
+            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+            d.logger.debug(h({ msg: "device code poll: waiting " + String(waitseconds) + " seconds" }));
+            await wait(waitseconds * 1e3);
+            if (this.pollingActive) this.poll(deviceCode, interval, pollResultFn);
+          } else if (body.error) {
+            this.pollingActive = false;
+            pollResultFn("error", body.error_description ?? body.error);
+          } else {
+            this.pollingActive = false;
+            pollResultFn("complete");
+          }
+        }
+      } catch (e) {
+        this.pollingActive = false;
+        const ce2 = g.asCrossauthError(e);
+        d.logger.debug(h({ err: ce2 }));
+        d.logger.error(h({ msg: "Polling failed", cerr: ce2 }));
+        pollResultFn("error", ce2.message);
+      }
+    }
+  }
+}
+class OAuthBffClient {
+  /**
+   * Constructor
+   * 
+   * @param options
+   *   - `bffPrefix` the base url for BFF calls to the OAuth client
+   *        (eg `bff`, which is the default)
+   *   - `csrfHeader` the header to put CSRF tokens into 
+   *        (default `X-CROSSAUTH-CSRF`))
+   *   - `getCsrfTokenUrl` URL to use to fetch CSRF tokens.  Default is
+   *        `/api/getcsrftoken`
+   *   - `autoRefreshUrl` URL to use to refresh tokens.  Default is
+   *        `/api/refreshtokens`
+   *   - `tokensUrl` URL to use to fetch token payloads.  Default is
+   *        `/tokens`
+   *   - `deviceCodePollUrl` URL for polling for device code authorization.  
+   *      Default is `/devicecodepoll`
+   *   - `mode` overrides the default `mode` in fetch calls
+   *   - `credentials` - overrides the default `credentials` for fetch calls
+   *   - `headers` - adds headers to fetfh calls
+   */
+  constructor(options = {}) {
+    __publicField(this, "bffPrefix", "/bff");
+    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
+    __publicField(this, "enableCsrfProtection", true);
+    __publicField(this, "headers", {});
+    __publicField(this, "mode", "cors");
+    __publicField(this, "credentials", "same-origin");
+    __publicField(this, "autoRefresher");
+    __publicField(this, "deviceCodePoller");
+    __publicField(this, "getCsrfTokenUrl", "/api/getcsrftoken");
+    __publicField(this, "autoRefreshUrl", "/api/refreshtokens");
+    __publicField(this, "tokensUrl", "/tokens");
+    if (options.bffPrefix) this.bffPrefix = options.bffPrefix;
+    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
+    if (options.enableCsrfProtection != void 0) this.enableCsrfProtection = options.enableCsrfProtection;
+    if (options.getCsrfTokenUrl) this.getCsrfTokenUrl = options.getCsrfTokenUrl;
+    if (options.tokensUrl) this.tokensUrl = options.tokensUrl;
+    if (options.autoRefreshUrl) this.autoRefreshUrl = options.autoRefreshUrl;
+    if (!this.bffPrefix.endsWith("/")) this.bffPrefix += "/";
+    if (options.headers) this.headers = options.headers;
+    if (options.mode) this.mode = options.mode;
+    if (options.credentials) this.credentials = options.credentials;
+    this.autoRefresher = new OAuthAutoRefresher({
+      ...options,
+      autoRefreshUrl: this.autoRefreshUrl,
+      tokenProvider: this
+    });
+    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: void 0 });
+  }
+  /**
+   * Gets a CSRF token from the server
+   * @returns the CSRF token that can be included in
+   *          the `X-CROSSAUTH-CSRF` header
+   */
+  async getCsrfToken() {
+    if (!this.enableCsrfProtection) return void 0;
+    try {
+      const resp = await fetch(this.getCsrfTokenUrl, {
+        headers: this.headers,
+        credentials: this.credentials,
+        mode: this.mode
+      });
+      const json = await resp.json();
+      if (!json.ok) throw g.asCrossauthError(json);
+      return json.csrfToken;
+    } catch (e) {
+      throw g.asCrossauthError(e);
+    }
+  }
+  /**
+   * Fetches the ID token from the client.
+   * 
+   * This only returns something if the ID token was returned to the BFF
+   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @returns the ID token payload or an empty object if there isn't one
+   */
+  async getIdToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    return (tokens == null ? void 0 : tokens.id_token) ?? null;
+  }
+  /**
+   * Returns whether or not there is an ID token stored in the BFF server
+   * for this client.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @returns true or false
+   */
+  async haveIdToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    if (tokens == null) return false;
+    if (tokens.have_id_token != void 0) return tokens.have_id_token;
+    return "id_token" in tokens;
+  }
+  /**
+   * Fetches the access token from the client.
+   * 
+   * This only returns something if the access token was returned to the BFF
+   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @param headers any additional headers to add (will be added to
+   *         the ones given with {@link OAuthBffClient.addHeader} )
+   * @returns the access token payload or an empty object if there isn't one
+   */
+  async getAccessToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    return (tokens == null ? void 0 : tokens.access_token) ?? null;
+  }
+  /**
+   * Returns whether or not there is an access token stored in the BFF server
+   * for this client.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @returns true or false
+   */
+  async haveAccessToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    if (tokens == null) return false;
+    if (tokens.have_access_token != void 0) return tokens.have_access_token;
+    return "access_token" in tokens;
+  }
+  /**
+   * Fetches the refresh token from the client.
+   * 
+   * This only returns something if the refresh token was returned to the BFF
+   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @returns the refresh token payload or an empty object if there isn't one
+   */
+  async getRefreshToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    return (tokens == null ? void 0 : tokens.refresh_token) ?? null;
+  }
+  /**
+   * Returns whether or not there is a refresh token stored in the BFF server
+   * for this client.
+   * 
+   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+   *        making the request
+   * @returns true or false
+   */
+  async haveRefreshToken(csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    if (tokens == null) return false;
+    if (tokens.have_refresh_token != void 0) return tokens.have_refresh_token;
+    return "refresh_token" in tokens;
+  }
+  /**
+   * Calls an API endpoint via the BFF server
+   * @param method the HTTP method 
+   * @param endpoint the endpoint to call, relative to `bffPrefix` 
+   * @param body : the body to pass to the call
+   * @param csrfToken : the CSRF token
+   * @returns the HTTP status code and the body or null
+   */
+  async api(method, endpoint, body, csrfToken) {
+    let headers = { ...this.headers };
+    if (!csrfToken && !["GET", "HEAD", "OPTIONS"].includes(method)) {
+      csrfToken = await this.getCsrfToken();
+      if (csrfToken) headers[this.csrfHeader] = csrfToken;
+    }
+    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
+    let params = {};
+    if (body) params.body = JSON.stringify(body);
+    const resp = await fetch(
+      this.bffPrefix + endpoint,
+      {
+        headers,
+        method,
+        mode: this.mode,
+        credentials: this.credentials,
+        ...params
+      }
+    );
+    let responseBody = null;
+    if (resp.body) responseBody = await resp.json();
+    return { status: resp.status, body: responseBody };
+  }
+  /**
+   * Return all tokens that the client has been enabled to return.
+   * 
+   * @param csrfToken the CSRF token if one is needed
+   * @returns an object with the following (whichever are enabled at the client)
+   *   - `id_token`
+   *   - `access_token`
+   *   - `refresh_token`
+   *   - `have_id_token`
+   *   - `have_access_token`
+   *   - `have_refresh_token`
+   */
+  async getTokens(csrfToken) {
+    if (!csrfToken) csrfToken = await this.getCsrfToken();
+    let headers = { ...this.headers };
+    if (csrfToken)
+      headers[this.csrfHeader] = csrfToken;
+    try {
+      const resp = await fetch(this.tokensUrl, {
+        method: "POST",
+        headers,
+        mode: this.mode,
+        credentials: this.credentials
+      });
+      if (resp.status == 204) {
+        return {};
+      }
+      const body = await resp.json();
+      return body;
+    } catch (e) {
+      throw g.asCrossauthError(e);
+    }
+  }
+  /**
+   * Turns auto refresh of tokens on
+   * @param tokensToFetch which tokens to fetch
+   * @param errorFn what to call in case of error
+   */
+  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
+    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
+  }
+  /**
+   * Turns auto refresh of tokens off
+   */
+  stopAutoRefresh() {
+    return this.autoRefresher.stopAutoRefresh();
+  }
+  /**
+   * Turns polling for a device code
+   * @param tokensToFetch which tokens to fetch
+   * @param errorFn what to call in case of error
+   */
+  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
+    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
+  }
+  /**
+   * Turns off polling for a device code
+   */
+  stopDeviceCodePolling() {
+    return this.deviceCodePoller.stopPolling();
+  }
+  ///////////////////////////////////////////////////////////
+  // OAuthTokenProvider interface
+  /**
+   * Fetches the expiry times for each token.
+   * @param crfToken the CSRF token.  If emtpy
+   * , one will be fetched before
+   *        making the request
+   * @returns for each token, either the expiry, `null` if it does not
+   *          expire, or `undefined` if the token does not exist
+   */
+  async getTokenExpiries(tokensToFetch, csrfToken) {
+    const tokens = await this.getTokens(csrfToken);
+    const idToken = tokensToFetch.includes("id") ? (tokens == null ? void 0 : tokens.id_token) ?? null : null;
+    const accessToken = tokensToFetch.includes("access") ? (tokens == null ? void 0 : tokens.access_token) ?? null : null;
+    const refreshToken = tokensToFetch.includes("refresh") ? (tokens == null ? void 0 : tokens.refresh_token) ?? null : null;
+    let idTokenExpiry = void 0;
+    let accessTokenExpiry = void 0;
+    let refreshTokenExpiry = void 0;
+    if (idToken) {
+      idTokenExpiry = idToken.exp ? idToken.exp : null;
+    }
+    if (accessToken) {
+      accessTokenExpiry = accessToken.exp ? accessToken.exp : null;
+    }
+    if (refreshToken) {
+      refreshTokenExpiry = refreshToken.exp ? refreshToken.exp : null;
+    }
+    return {
+      id: idTokenExpiry,
+      access: accessTokenExpiry,
+      refresh: refreshTokenExpiry
+    };
+  }
+  /**
+   * Makes a fetch, adding in the requested token
+   * @param url the URL to fetch
+   * @param params parameters to add to the fetch
+   * @param token which token to add
+   * @returns parsed JSON response
+   */
+  async jsonFetchWithToken(url, params, _token) {
+    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
+    return await fetch(url, params);
+  }
+  receiveTokens(_tokens) {
+    return new Promise((_resolve) => {
+    });
+  }
+}
+class OAuthTokenConsumer extends Le {
+  /**
+   * SHA256 and Base64-url-encodes the given test
+   * @param plaintext the text to encode
+   * @returns the SHA256 hash, Base64-url-encode
+   */
+  async hash(plaintext) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(plaintext);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hash));
+    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  }
+}
+class OAuthClient extends Be {
+  /**
+   * Constructor
+   * 
+   * @param options
+   *   - `authServerBaseUrl` the base url the authorization server.
+   *      For example, the authorize endpoint would be
+   *      `authServerBaseUrl + "authorize"`.
+   *       Required: no default
+   *   - `resServerBaseUrl` the base url the resource server.
+   *      For example, Relative URLs to the resource server are relative
+   *      to this.  If you always give absolute URLs, this is optional.
+   *      If you don't give it and you do make relative URLs, it will be
+   *      relative to the page you are on.  Default: empty string.
+   *   - `redirect_uri` a URL on the site serving this app which the
+   *      authorization server will redirect to with an authorization
+   *      code.  See description in class documentation.
+   *      This is not required if you are not using OAuth flows
+   *      which require a redirect URI (eg the password flow).
+   *   - `accessTokenResponseType` where to store access tokens.  See
+   *     class documentation.  Default `return`.
+   *   - `refreshTokenResponseType` where to store refresh tokens.  See
+   *     class documentation.  Default `return`.
+   *   - `idTokenResponseType` where to store id tokens.  See
+   *     class documentation.  Default `return`.
+   *   - `accessTokenName` name for access token in local or session
+   *     storage, depending on `accessTokenResponseType`
+   *   - `refreshTokenName` name for refresh token in local or session
+   *     storage, depending on `refreshTokenResponseType`
+   *   - `idTokenName` name for id token in local or session
+   *     storage, depending on `idTokenResponseType`
+   *   - `mresServerMode` overrides the default `mode` in fetch calls
+   *   - `resServerCredentials` - overrides the default `credentials` for fetch calls
+   *   - `resServerHeaders` - adds headers to fetfh calls
+   *   - `autoRefresh` - if set and tokens are present in local or session storage, 
+   *      automatically turn on auto refresh
+   *   - `deviceAuthorization` URL, relative to the authorization server base, 
+   *      for starting the device code flow.  Default `device_authorization`
+   *      Default is `/devicecodepoll`
+   *  For other options see {@link @crossauth/common/OAuthClientBase}.
+   */
+  constructor(options) {
+    if (!options.tokenConsumer) {
+      options.tokenConsumer = new OAuthTokenConsumer(
+        options.client_id,
+        {
+          authServerBaseUrl: options.authServerBaseUrl
+        }
+      );
+    }
+    super(options);
+    __publicField(this, "resServerBaseUrl", "");
+    __publicField(this, "resServerHeaders", {});
+    __publicField(this, "resServerMode", "cors");
+    __publicField(this, "resServerCredentials", "same-origin");
+    __publicField(this, "accessTokenResponseType", "memory");
+    __publicField(this, "refreshTokenResponseType", "memory");
+    __publicField(this, "idTokenResponseType", "memory");
+    __publicField(this, "accessTokenName", "CROSSAUTH_AT");
+    __publicField(this, "refreshTokenName", "CROSSAUTH_RT");
+    __publicField(this, "idTokenName", "CROSSAUTH_IT");
+    __privateAdd(this, _accessToken);
+    __privateAdd(this, _refreshToken);
+    __privateAdd(this, _idTokenPayload);
+    __privateAdd(this, _accessTokenPayload);
+    __privateAdd(this, _refreshTokenPayload);
+    __privateAdd(this, _client_id);
+    __privateAdd(this, _client_secret);
+    __publicField(this, "autoRefresher");
+    __publicField(this, "deviceCodePoller");
+    __publicField(this, "deviceAuthorizationUrl", "device_authorization");
+    if (this.resServerBaseUrl != void 0) {
+      this.resServerBaseUrl = options.resServerBaseUrl ?? "";
+      if (this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/")) {
+        this.resServerBaseUrl += "/";
+      }
+    }
+    if (options.accessTokenResponseType) this.accessTokenResponseType = options.accessTokenResponseType;
+    if (options.idTokenResponseType) this.idTokenResponseType = options.idTokenResponseType;
+    if (options.refreshTokenResponseType) this.refreshTokenResponseType = options.refreshTokenResponseType;
+    if (options.accessTokenName) this.accessTokenName = options.accessTokenName;
+    if (options.idTokenName) this.idTokenName = options.idTokenName;
+    if (options.refreshTokenName) this.refreshTokenName = options.refreshTokenName;
+    if (options.resServerHeaders) this.resServerHeaders = options.resServerHeaders;
+    if (options.resServerMode) this.resServerMode = options.resServerMode;
+    if (options.resServerCredentials) this.resServerCredentials = options.resServerCredentials;
+    if (options.client_id) __privateSet(this, _client_id, options.client_id);
+    if (options.client_secret) __privateSet(this, _client_secret, options.client_secret);
+    if (options.deviceAuthorizationUrl) this.deviceAuthorizationUrl = options.deviceAuthorizationUrl;
+    this.autoRefresher = new OAuthAutoRefresher({
+      ...options,
+      autoRefreshUrl: this.authServerBaseUrl + "/token",
+      tokenProvider: this
+    });
+    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: this, deviceCodePollUrl: null });
+    let idToken;
+    let accessToken;
+    let refreshToken;
+    if (this.idTokenResponseType == "sessionStorage") {
+      idToken = sessionStorage.getItem(this.idTokenName);
+    } else if (this.idTokenResponseType == "localStorage") {
+      idToken = localStorage.getItem(this.idTokenName);
+    }
+    if (this.accessTokenResponseType == "sessionStorage") {
+      accessToken = sessionStorage.getItem(this.accessTokenName);
+    } else if (this.accessTokenResponseType == "localStorage") {
+      accessToken = localStorage.getItem(this.accessTokenName);
+    }
+    if (this.refreshTokenResponseType == "sessionStorage") {
+      refreshToken = sessionStorage.getItem(this.refreshTokenName);
+    } else if (this.refreshTokenResponseType == "localStorage") {
+      refreshToken = localStorage.getItem(this.refreshTokenName);
+    }
+    this.receiveTokens({
+      access_token: accessToken,
+      id_token: idToken,
+      refresh_token: refreshToken
+    });
+    if (accessToken) {
+      const payload = this.getTokenPayload(accessToken);
+      if (payload) {
+        __privateSet(this, _accessToken, accessToken);
+        __privateSet(this, _accessTokenPayload, payload);
+      }
+    }
+    if (refreshToken) {
+      const payload = this.getTokenPayload(refreshToken);
+      if (payload) {
+        __privateSet(this, _refreshToken, refreshToken);
+        __privateSet(this, _refreshTokenPayload, payload);
+      }
+    }
+    if (idToken) {
+      this.validateIdToken(idToken).then((payload) => {
+        __privateSet(this, _idTokenPayload, payload);
+        if (options.autoRefresh) {
+          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
+            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
+          });
+        }
+      }).catch((err) => {
+        d.logger.debug(h({ err, msg: "Couldn't validate ID token" }));
+      });
+    } else if (__privateGet(this, _accessToken) && options.autoRefresh && refreshToken) {
+      this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
+        d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
+      });
+    } else if (refreshToken && !accessToken) {
+      this.refreshTokenFlow(refreshToken).then((_resp) => {
+        d.logger.debug(h({ msg: "Refreshed tokens" }));
+        if (options.autoRefresh) {
+          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
+            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
+          });
+        }
+      }).catch((err) => {
+        const ce2 = g.asCrossauthError(err);
+        d.logger.debug(h({ err: ce2 }));
+        d.logger.error(h({ msg: "failed refreshing tokens", cerr: ce2 }));
+      });
+    }
+  }
+  get idTokenPayload() {
+    return __privateGet(this, _idTokenPayload);
+  }
+  /**
+   * Processes the query parameters for a Redirect URI request if they
+   * exist in the URL.
+   * 
+   * Call this on page load to see if it was called as redirect URI.
+   * 
+   * If this URL doesn't match the redirect URI passed in the constructor,
+   * or this URL was not called with OAuth Redirect URI query parameters,
+   * undefined is returned.
+   * 
+   * If this URL contains the error query parameter, `errorFn` is called.
+   * It is also called if the state does not match.
+   * 
+   * If an authorization code was in the query parameters, the token
+   * endpoint is called.  Depending on whether that returned an error,
+   * either `receiveTokenFn` or `errorFn` will be called.
+   * 
+   * @param receiveTokenFn if defined, called if a token is returned.
+   *        
+   * @param errorFn if defined, called if any OAuth endpoint returned `error`, 
+   *        or if the `state` was not correct.
+   * 
+   * @returns the result of `receiveTokenFn`, `errorFn` or `undefined`.  If
+   *          `receiveTokenFn`/`errorFn` is not defined, rather than calling
+   *          it, this function just returns the OAuth response.
+   *       
+   */
+  async handleRedirectUri() {
+    const url = new URL(window.location.href);
+    if (url.origin + url.pathname != this.redirect_uri) return void 0;
+    const params = new URLSearchParams(window.location.search);
+    let code = void 0;
+    let state = void 0;
+    let error = void 0;
+    let error_description = void 0;
+    for (const [key, value] of params) {
+      if (key == "code") code = value;
+      if (key == "state") state = value;
+      if (key == "error") error = value;
+      if (key == "error_description") error_description = value;
+    }
+    if (!error && !code) return void 0;
+    if (error) {
+      const cerr = g.fromOAuthError(error, error_description);
+      d.logger.debug(h({ err: cerr }));
+      d.logger.error(h({ cerr, msg: "Error from authorize endpoint: " + error }));
+      throw cerr;
+    }
+    const resp = await this.redirectEndpoint(code, state, error, error_description);
+    if (resp.error) {
+      const cerr = g.fromOAuthError(resp.error, error_description);
+      d.logger.debug(h({ err: cerr }));
+      d.logger.error(h({ cerr, msg: "Error from redirect endpoint: " + resp.error }));
+      throw cerr;
+    }
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * Turns auto refresh of tokens on
+   * @param tokensToFetch which tokens to fetch
+   * @param errorFn what to call in case of error
+   */
+  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
+    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
+  }
+  /**
+   * Turns auto refresh of tokens off
+   */
+  stopAutoRefresh() {
+    return this.autoRefresher.stopAutoRefresh();
+  }
+  /**
+   * Turns polling for a device code
+   * @param tokensToFetch which tokens to fetch
+   * @param errorFn what to call in case of error
+   */
+  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
+    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
+  }
+  /**
+   * Turns off polling for a device code
+   */
+  stopDeviceCodePolling() {
+    return this.deviceCodePoller.stopPolling();
+  }
+  /**
+   * Return the ID token payload
+   * 
+   * This does the same thign as {@link idTokenPayload}.  We have it here
+   * as well for consistency with {@link OAuthBffClient}.
+   * 
+   * @returns the payload as an object
+   */
+  getIdToken() {
+    return __privateGet(this, _idTokenPayload);
+  }
+  ///////
+  // Implementation of abstract methods
+  /**
+   * Produce a random Base64-url-encoded string, whose length before 
+   * base64-url-encoding is the given length,
+   * @param length the length of the random array before base64-url-encoding.
+   * @returns the random value as a Base64-url-encoded srting
+   */
+  randomValue(length) {
+    const array = new Uint8Array(length);
+    self.crypto.getRandomValues(array);
+    return btoa(array.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  }
+  /**
+   * SHA256 and Base64-url-encodes the given test
+   * @param plaintext the text to encode
+   * @returns the SHA256 hash, Base64-url-encode
+   */
+  async sha256(plaintext) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(plaintext);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hash));
+    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  }
+  /**
+   * Calls an API endpoint on the resource server
+   * @param method the HTTP method 
+   * @param endpoint the endpoint to call, relative to `resServerBaseUrl` 
+   * @param body : the body to pass to the call
+   * @returns the HTTP status code and the body or null
+   */
+  async api(method, endpoint, body) {
+    let headers = { ...this.resServerHeaders };
+    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
+    let params = {};
+    if (body) params.body = JSON.stringify(body);
+    let accessToken;
+    if (this.accessTokenResponseType == "sessionStorage") {
+      accessToken = sessionStorage.getItem(this.accessTokenName);
+    } else if (this.accessTokenResponseType == "localStorage") {
+      accessToken = localStorage.getItem(this.accessTokenName);
+    }
+    headers.authorization = "Bearer " + accessToken;
+    const resp = await fetch(
+      this.resServerBaseUrl + endpoint,
+      {
+        headers,
+        method,
+        mode: this.resServerMode,
+        credentials: this.resServerCredentials,
+        ...params
+      }
+    );
+    let responseBody = null;
+    if (resp.body) responseBody = await resp.json();
+    return { status: resp.status, body: responseBody };
+  }
+  ///////////////////////////////////////////////////////////
+  // OAuthTokenProvider interface
+  /**
+   * Fetches the expiry times for each token.
+   * @param crfToken the CSRF token.  If emtpy
+   * , one will be fetched before
+   *        making the request
+   * @returns for each token, either the expiry, `null` if it does not
+   *          expire, or `undefined` if the token does not exist
+   */
+  async getTokenExpiries(_tokensToFetch, _csrfToken) {
+    let idTokenExpiry = void 0;
+    let accessTokenExpiry = void 0;
+    let refreshTokenExpiry = void 0;
+    if (__privateGet(this, _idTokenPayload)) {
+      idTokenExpiry = __privateGet(this, _idTokenPayload).exp ? __privateGet(this, _idTokenPayload).exp : null;
+    }
+    if (__privateGet(this, _accessTokenPayload)) {
+      accessTokenExpiry = __privateGet(this, _accessTokenPayload).exp ? __privateGet(this, _accessTokenPayload).exp : null;
+    }
+    if (__privateGet(this, _refreshTokenPayload)) {
+      refreshTokenExpiry = __privateGet(this, _refreshTokenPayload).exp ? __privateGet(this, _refreshTokenPayload).exp : null;
+    }
+    return {
+      id: idTokenExpiry,
+      access: accessTokenExpiry,
+      refresh: refreshTokenExpiry
+    };
+  }
+  /**
+   * Makes a fetch, adding in the requested token.  
+   * 
+   * Also adds client ID and secret if they are defined.
+   * 
+   * @param url the URL to fetch
+   * @param params parameters to add to the fetch
+   * @param token which token to add
+   * @returns parsed JSON response
+   */
+  async jsonFetchWithToken(url, params, token) {
+    if (token == "access") {
+      if (!__privateGet(this, _accessToken)) {
+        throw new g(y.InvalidToken, "Cannot make fetch with access token - no access token defined");
+      }
+      if (!params.headers) params.headers = {};
+      params.headers.authorization = "Bearer " + __privateGet(this, _accessToken);
+    } else {
+      if (!params.body) params.body = {};
+      if (!__privateGet(this, _refreshToken)) {
+        throw new g(y.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
+      }
+      params.body.refresh_token = __privateGet(this, _refreshToken);
+      params.body.grant_type = "refresh_token";
+    }
+    if (__privateGet(this, _client_id)) {
+      if (!params.body) params.body = {};
+      params.body.client_id = __privateGet(this, _client_id);
+      if (__privateGet(this, _client_secret)) {
+        params.body.client_secret = __privateGet(this, _client_secret);
+      }
+    }
+    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
+    return await fetch(url, params);
+  }
+  /**
+   * Does nothing as CSRF tokens are not needed for this class
+   * @returns `undefined`
+   */
+  async getCsrfToken() {
+    return void 0;
+  }
+  async receiveTokens(tokens) {
+    if (tokens.access_token) {
+      const payload = this.getTokenPayload(tokens.access_token);
+      if (payload) {
+        __privateSet(this, _accessToken, tokens.access_token);
+        __privateSet(this, _accessTokenPayload, payload);
+      }
+      if (this.accessTokenResponseType == "localStorage") {
+        localStorage.setItem(this.accessTokenName, tokens.access_token);
+      } else if (this.accessTokenResponseType == "sessionStorage") {
+        sessionStorage.setItem(this.accessTokenName, tokens.access_token);
+      }
+    }
+    if (tokens.refresh_token) {
+      const payload = this.getTokenPayload(tokens.refresh_token);
+      if (payload) {
+        __privateSet(this, _refreshToken, tokens.refresh_token);
+        __privateSet(this, _refreshTokenPayload, payload);
+      }
+      if (this.refreshTokenResponseType == "localStorage") {
+        localStorage.setItem(this.refreshTokenName, tokens.refresh_token);
+      } else if (this.accessTokenResponseType == "sessionStorage") {
+        sessionStorage.setItem(this.refreshTokenName, tokens.refresh_token);
+      }
+    }
+    if (tokens.id_token) {
+      const payload = await this.validateIdToken(tokens.id_token);
+      __privateSet(this, _idTokenPayload, payload);
+      if (this.idTokenResponseType == "localStorage") {
+        localStorage.setItem(this.idTokenName, tokens.id_token);
+      } else if (this.idTokenResponseType == "sessionStorage") {
+        sessionStorage.setItem(this.idTokenName, tokens.id_token);
+      }
+    }
+  }
+  /////////
+  // Wrap flow functions
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async clientCredentialsFlow(scope) {
+    const resp = await super.clientCredentialsFlow(scope);
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async passwordFlow(username, password, scope) {
+    const resp = await super.passwordFlow(username, password, scope);
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async deviceCodeFlow(scope) {
+    let url = this.authServerBaseUrl;
+    if (!url.endsWith("/")) url += "/";
+    url += this.deviceAuthorizationUrl;
+    const resp = await super.startDeviceCodeFlow(url, scope);
+    return resp;
+  }
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async mfaOtpComplete(mfaToken, otp) {
+    const resp = await super.mfaOtpComplete(mfaToken, otp);
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async mfaOobComplete(mfaToken, oobCode, bindingCode) {
+    const resp = await super.mfaOobComplete(mfaToken, oobCode, bindingCode);
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+   * then saves the tokens, as per the requested method
+   * @param scope 
+   */
+  async refreshTokenFlow(refreshToken) {
+    if (!refreshToken) {
+      if (__privateGet(this, _refreshToken)) {
+        refreshToken = __privateGet(this, _refreshToken);
+      } else {
+        throw new g(y.InvalidToken, "Cannot refresh tokens: no refresh token present");
+      }
+    }
+    const resp = await super.refreshTokenFlow(refreshToken);
+    await this.receiveTokens(resp);
+    return resp;
+  }
+  /**
+   * Executes the authorization code flow
+   * @param scope the scope to request
+   * @param pkce whether or not to use PKCE.
+   */
+  async authorizationCodeFlow(scope, pkce = false) {
+    const resp = await super.startAuthorizationCodeFlow(scope, pkce);
+    if (resp.error || !resp.url) {
+      const cerr = g.fromOAuthError(
+        resp.error ?? "Couldn't create URL for authorization code flow",
+        resp.error_description
+      );
+      d.logger.debug(h({ err: cerr }));
+      throw cerr;
+    }
+    location.href = resp.url;
+  }
+}
+_accessToken = new WeakMap();
+_refreshToken = new WeakMap();
+_idTokenPayload = new WeakMap();
+_accessTokenPayload = new WeakMap();
+_refreshTokenPayload = new WeakMap();
+_client_id = new WeakMap();
+_client_secret = new WeakMap();
+export {
+  g as CrossauthError,
+  d as CrossauthLogger,
+  OAuthBffClient,
+  OAuthClient,
+  h as j
+};