@crossauth/frontend 0.0.30 → 0.0.33

package/dist/index.js

@@ -1,13 +1,13 @@
-var Ie = Object.defineProperty;
+var Ue = Object.defineProperty;
 var ce = (r) => {
   throw TypeError(r);
 };
-var Ue = (r, e, t) => e in r ? Ie(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
-var f = (r, e, t) => Ue(r, typeof e != "symbol" ? e + "" : e, t), de = (r, e, t) => e.has(r) || ce("Cannot " + t);
-var w = (r, e, t) => (de(r, e, "read from private field"), t ? t.call(r) : e.get(r)), N = (r, e, t) => e.has(r) ? ce("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), b = (r, e, t, o) => (de(r, e, "write to private field"), o ? o.call(r, t) : e.set(r, t), t);
-var Oe = Object.defineProperty, ge = (r) => {
+var Oe = (r, e, t) => e in r ? Ue(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
+var f = (r, e, t) => Oe(r, typeof e != "symbol" ? e + "" : e, t), de = (r, e, t) => e.has(r) || ce("Cannot " + t);
+var p = (r, e, t) => (de(r, e, "read from private field"), t ? t.call(r) : e.get(r)), A = (r, e, t) => e.has(r) ? ce("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), T = (r, e, t, o) => (de(r, e, "write to private field"), o ? o.call(r, t) : e.set(r, t), t);
+var Ne = Object.defineProperty, ye = (r) => {
   throw TypeError(r);
-}, Ne = (r, e, t) => e in r ? Oe(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, l = (r, e, t) => Ne(r, typeof e != "symbol" ? e + "" : e, t), pe = (r, e, t) => e.has(r) || ge("Cannot " + t), p = (r, e, t) => (pe(r, e, "read from private field"), t ? t.call(r) : e.get(r)), $ = (r, e, t) => e.has(r) ? ge("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), A = (r, e, t, o) => (pe(r, e, "write to private field"), e.set(r, t), t);
+}, He = (r, e, t) => e in r ? Ne(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, l = (r, e, t) => He(r, typeof e != "symbol" ? e + "" : e, t), we = (r, e, t) => e.has(r) || ye("Cannot " + t), w = (r, e, t) => (we(r, e, "read from private field"), e.get(r)), he = (r, e, t) => e.has(r) ? ye("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), Y = (r, e, t, o) => (we(r, e, "write to private field"), e.set(r, t), t);
 class H {
 }
 l(H, "active", "active"), /** Deactivated account.  User cannot log in */
@@ -52,18 +52,18 @@ l(H, "factor2ResetNeeded", "factor2resetneeded"), /**
 * Upon login, the user is redirected to the reset password page.
 */
 l(H, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
-class P {
+class R {
 }
-l(P, "session", "s:"), /** Password Reset Token */
-l(P, "passwordResetToken", "p:"), /** Email verification token */
-l(P, "emailVerificationToken", "e:"), /** API key */
-l(P, "apiKey", "api:"), /** OAuth authorization code */
-l(P, "authorizationCode", "authz:"), /** OAuth access token */
-l(P, "accessToken", "access:"), /** OAuth refresh token */
-l(P, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
-l(P, "mfaToken", "omfa:"), /** Device code device code */
-l(P, "deviceCode", "dc:"), /** Device code flow user code */
-l(P, "userCode", "uc:");
+l(R, "session", "s:"), /** Password Reset Token */
+l(R, "passwordResetToken", "p:"), /** Email verification token */
+l(R, "emailVerificationToken", "e:"), /** API key */
+l(R, "apiKey", "api:"), /** OAuth authorization code */
+l(R, "authorizationCode", "authz:"), /** OAuth access token */
+l(R, "accessToken", "access:"), /** OAuth refresh token */
+l(R, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+l(R, "mfaToken", "omfa:"), /** Device code device code */
+l(R, "deviceCode", "dc:"), /** Device code flow user code */
+l(R, "userCode", "uc:");
 var m = /* @__PURE__ */ ((r) => (r[r.UserNotExist = 0] = "UserNotExist", r[r.PasswordInvalid = 1] = "PasswordInvalid", r[r.EmailNotExist = 2] = "EmailNotExist", r[r.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", r[r.InvalidClientId = 4] = "InvalidClientId", r[r.ClientExists = 5] = "ClientExists", r[r.InvalidClientSecret = 6] = "InvalidClientSecret", r[r.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", r[r.InvalidRedirectUri = 8] = "InvalidRedirectUri", r[r.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", r[r.UserNotActive = 10] = "UserNotActive", r[r.EmailNotVerified = 11] = "EmailNotVerified", r[r.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", r[r.Unauthorized = 13] = "Unauthorized", r[r.UnauthorizedClient = 14] = "UnauthorizedClient", r[r.InvalidScope = 15] = "InvalidScope", r[r.InsufficientScope = 16] = "InsufficientScope", r[r.InsufficientPriviledges = 17] = "InsufficientPriviledges", r[r.Forbidden = 18] = "Forbidden", r[r.InvalidKey = 19] = "InvalidKey", r[r.InvalidCsrf = 20] = "InvalidCsrf", r[r.InvalidSession = 21] = "InvalidSession", r[r.Expired = 22] = "Expired", r[r.Connection = 23] = "Connection", r[r.InvalidHash = 24] = "InvalidHash", r[r.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", r[r.KeyExists = 26] = "KeyExists", r[r.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", r[r.PasswordResetNeeded = 28] = "PasswordResetNeeded", r[r.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", r[r.Configuration = 30] = "Configuration", r[r.InvalidEmail = 31] = "InvalidEmail", r[r.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", r[r.InvalidUsername = 33] = "InvalidUsername", r[r.PasswordMatch = 34] = "PasswordMatch", r[r.InvalidToken = 35] = "InvalidToken", r[r.MfaRequired = 36] = "MfaRequired", r[r.PasswordFormat = 37] = "PasswordFormat", r[r.DataFormat = 38] = "DataFormat", r[r.FetchError = 39] = "FetchError", r[r.UserExists = 40] = "UserExists", r[r.FormEntry = 41] = "FormEntry", r[r.BadRequest = 42] = "BadRequest", r[r.AuthorizationPending = 43] = "AuthorizationPending", r[r.SlowDown = 44] = "SlowDown", r[r.ExpiredToken = 45] = "ExpiredToken", r[r.ConstraintViolation = 46] = "ConstraintViolation", r[r.NotImplemented = 47] = "NotImplemented", r[r.UnknownError = 48] = "UnknownError", r))(m || {});
 class g extends Error {
   /**
@@ -189,7 +189,7 @@ class g extends Error {
     return "message" in e && (o = e.message), new g(48, o);
   }
 }
-const W = class E {
+const W = class P {
   /**
    * Create a logger with the given level
    * @param level the level to report to
@@ -198,9 +198,9 @@ const W = class E {
     if (l(this, "level"), e) this.level = e;
     else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
       const t = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
-      E.levelName.includes(t) ? this.level = E.levelName.indexOf(t) : this.level = E.Error;
+      P.levelName.includes(t) ? this.level = P.levelName.indexOf(t) : this.level = P.Error;
     } else
-      this.level = E.Error;
+      this.level = P.Error;
   }
   /**
    * Return the singleton instance of the logger.
@@ -213,35 +213,35 @@ const W = class E {
     this.level = e;
   }
   log(e, t) {
-    e <= this.level && (typeof t == "string" ? console.log("Crossauth " + E.levelName[e] + " " + (/* @__PURE__ */ new Date()).toISOString(), t) : console.log(JSON.stringify({ level: E.levelName[e], time: (/* @__PURE__ */ new Date()).toISOString(), ...t })));
+    e <= this.level && (typeof t == "string" ? console.log("Crossauth " + P.levelName[e] + " " + (/* @__PURE__ */ new Date()).toISOString(), t) : console.log(JSON.stringify({ level: P.levelName[e], time: (/* @__PURE__ */ new Date()).toISOString(), ...t })));
   }
   /**
    * Report an error
    * @param output object to output
    */
   error(e) {
-    this.log(E.Error, e);
+    this.log(P.Error, e);
   }
   /**
    * Report an warning
    * @param output object to output
    */
   warn(e) {
-    this.log(E.Warn, e);
+    this.log(P.Warn, e);
   }
   /**
    * Report information
    * @param output object to output
    */
   info(e) {
-    this.log(E.Info, e);
+    this.log(P.Info, e);
   }
   /**
    * Print a debugging message
    * @param output object to output
    */
   debug(e) {
-    this.log(E.Debug, e);
+    this.log(P.Debug, e);
   }
   /** 
    * Override the default logger.
@@ -262,7 +262,7 @@ l(W, "Error", 1), /** Log errors and warning */
 l(W, "Warn", 2), /** Log errors, warnings and info messages */
 l(W, "Info", 3), /** Log everything */
 l(W, "Debug", 4), l(W, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
-let c = W;
+let d = W;
 function h(r) {
   let e;
   typeof r == "object" && "err" in r && typeof r.err == "object" && (e = r.err.stack);
@@ -284,9 +284,9 @@ function h(r) {
   }
   return typeof r == "string" || globalThis.crossauthLoggerAcceptsJson ? r : JSON.stringify(r);
 }
-globalThis.crossauthLogger = new c(c.None);
+globalThis.crossauthLogger = new d(d.None);
 globalThis.crossauthLoggerAcceptsJson = !0;
-const ye = {
+const me = {
   issuer: "",
   authorization_endpoint: "",
   token_endpoint: "",
@@ -301,8 +301,8 @@ const ye = {
   request_parameter_supported: !1,
   request_uri_parameter_supported: !0,
   require_request_uri_registration: !1
-}, te = crypto, we = (r) => r instanceof CryptoKey, X = new TextEncoder(), G = new TextDecoder();
-function He(...r) {
+}, te = crypto, ve = (r) => r instanceof CryptoKey, X = new TextEncoder(), G = new TextDecoder();
+function je(...r) {
   const e = r.reduce((i, { length: n }) => i + n, 0), t = new Uint8Array(e);
   let o = 0;
   for (const i of r)
@@ -314,7 +314,7 @@ const xe = (r) => {
   for (let o = 0; o < e.length; o++)
     t[o] = e.charCodeAt(o);
   return t;
-}, M = (r) => {
+}, F = (r) => {
   let e = r;
   e instanceof Uint8Array && (e = G.decode(e)), e = e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
@@ -332,7 +332,7 @@ class oe extends Error {
     super(e), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (t = Error.captureStackTrace) == null || t.call(Error, this, this.constructor);
   }
 }
-class I extends oe {
+class U extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
   }
@@ -348,7 +348,7 @@ class S extends oe {
     return "ERR_JWS_INVALID";
   }
 }
-class z extends oe {
+class D extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JWT_INVALID";
   }
@@ -356,7 +356,7 @@ class z extends oe {
     return "ERR_JWT_INVALID";
   }
 }
-class je extends oe {
+class Ke extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
   }
@@ -364,16 +364,16 @@ class je extends oe {
     return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
   }
 }
-function U(r, e = "algorithm.name") {
+function O(r, e = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${e} must be ${r}`);
 }
-function Q(r, e) {
+function Z(r, e) {
   return r.name === e;
 }
 function ie(r) {
   return parseInt(r.name.slice(4), 10);
 }
-function Ke(r) {
+function ze(r) {
   switch (r) {
     case "ES256":
       return "P-256";
@@ -395,51 +395,51 @@ function De(r, e) {
     throw new TypeError(t);
   }
 }
-function ze(r, e, ...t) {
+function We(r, e, ...t) {
   switch (e) {
     case "HS256":
     case "HS384":
     case "HS512": {
-      if (!Q(r.algorithm, "HMAC"))
-        throw U("HMAC");
+      if (!Z(r.algorithm, "HMAC"))
+        throw O("HMAC");
       const o = parseInt(e.slice(2), 10);
       if (ie(r.algorithm.hash) !== o)
-        throw U(`SHA-${o}`, "algorithm.hash");
+        throw O(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "RS256":
     case "RS384":
     case "RS512": {
-      if (!Q(r.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw U("RSASSA-PKCS1-v1_5");
+      if (!Z(r.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw O("RSASSA-PKCS1-v1_5");
       const o = parseInt(e.slice(2), 10);
       if (ie(r.algorithm.hash) !== o)
-        throw U(`SHA-${o}`, "algorithm.hash");
+        throw O(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "PS256":
     case "PS384":
     case "PS512": {
-      if (!Q(r.algorithm, "RSA-PSS"))
-        throw U("RSA-PSS");
+      if (!Z(r.algorithm, "RSA-PSS"))
+        throw O("RSA-PSS");
       const o = parseInt(e.slice(2), 10);
       if (ie(r.algorithm.hash) !== o)
-        throw U(`SHA-${o}`, "algorithm.hash");
+        throw O(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "EdDSA": {
       if (r.algorithm.name !== "Ed25519" && r.algorithm.name !== "Ed448")
-        throw U("Ed25519 or Ed448");
+        throw O("Ed25519 or Ed448");
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
-      if (!Q(r.algorithm, "ECDSA"))
-        throw U("ECDSA");
-      const o = Ke(e);
+      if (!Z(r.algorithm, "ECDSA"))
+        throw O("ECDSA");
+      const o = ze(e);
       if (r.algorithm.namedCurve !== o)
-        throw U(o, "algorithm.namedCurve");
+        throw O(o, "algorithm.namedCurve");
       break;
     }
     default:
@@ -447,7 +447,7 @@ function ze(r, e, ...t) {
   }
   De(r, t);
 }
-function me(r, e, ...t) {
+function ke(r, e, ...t) {
   var o;
   if (t.length > 2) {
     const i = t.pop();
@@ -455,11 +455,11 @@ function me(r, e, ...t) {
   } else t.length === 2 ? r += `one of type ${t[0]} or ${t[1]}.` : r += `of type ${t[0]}.`;
   return e == null ? r += ` Received ${e}` : typeof e == "function" && e.name ? r += ` Received function ${e.name}` : typeof e == "object" && e != null && (o = e.constructor) != null && o.name && (r += ` Received an instance of ${e.constructor.name}`), r;
 }
-const he = (r, ...e) => me("Key must be ", r, ...e);
-function ve(r, e, ...t) {
-  return me(`Key for the ${r} algorithm must be `, e, ...t);
+const le = (r, ...e) => ke("Key must be ", r, ...e);
+function Ce(r, e, ...t) {
+  return ke(`Key for the ${r} algorithm must be `, e, ...t);
 }
-const ke = (r) => we(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", re = ["CryptoKey"], We = (...r) => {
+const _e = (r) => ve(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", re = ["CryptoKey"], Fe = (...r) => {
   const e = r.filter(Boolean);
   if (e.length === 0 || e.length === 1)
     return !0;
@@ -478,11 +478,11 @@ const ke = (r) => we(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) ===
   }
   return !0;
 };
-function Fe(r) {
+function Je(r) {
   return typeof r == "object" && r !== null;
 }
-function V(r) {
-  if (!Fe(r) || Object.prototype.toString.call(r) !== "[object Object]")
+function $(r) {
+  if (!Je(r) || Object.prototype.toString.call(r) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(r) === null)
     return !0;
@@ -491,14 +491,14 @@ function V(r) {
     e = Object.getPrototypeOf(e);
   return Object.getPrototypeOf(r) === e;
 }
-const Je = (r, e) => {
+const Me = (r, e) => {
   if (r.startsWith("RS") || r.startsWith("PS")) {
     const { modulusLength: t } = e.algorithm;
     if (typeof t != "number" || t < 2048)
       throw new TypeError(`${r} requires key modulusLength to be 2048 bits or larger`);
   }
 };
-function Me(r) {
+function Be(r) {
   let e, t;
   switch (r.kty) {
     case "RSA": {
@@ -523,7 +523,7 @@ function Me(r) {
           }, t = r.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new U('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
@@ -545,7 +545,7 @@ function Me(r) {
           e = { name: "ECDH", namedCurve: r.crv }, t = r.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new U('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
@@ -561,83 +561,83 @@ function Me(r) {
           e = { name: r.crv }, t = r.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new U('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     default:
-      throw new I('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+      throw new U('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
   return { algorithm: e, keyUsages: t };
 }
-const Ce = async (r) => {
+const Se = async (r) => {
   if (!r.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: e, keyUsages: t } = Me(r), o = [
+  const { algorithm: e, keyUsages: t } = Be(r), o = [
     e,
     r.ext ?? !1,
     r.key_ops ?? t
   ], i = { ...r };
   return delete i.alg, delete i.use, te.subtle.importKey("jwk", i, ...o);
-}, _e = (r) => M(r);
+}, Te = (r) => F(r);
 let se, ne;
-const Se = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", Te = async (r, e, t, o) => {
+const be = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", Ee = async (r, e, t, o) => {
   let i = r.get(e);
   if (i != null && i[o])
     return i[o];
-  const n = await Ce({ ...t, alg: o });
+  const n = await Se({ ...t, alg: o });
   return i ? i[o] = n : r.set(e, { [o]: n }), n;
-}, Be = (r, e) => {
-  if (Se(r)) {
+}, Le = (r, e) => {
+  if (be(r)) {
     let t = r.export({ format: "jwk" });
-    return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ? _e(t.k) : (ne || (ne = /* @__PURE__ */ new WeakMap()), Te(ne, r, t, e));
+    return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ? Te(t.k) : (ne || (ne = /* @__PURE__ */ new WeakMap()), Ee(ne, r, t, e));
   }
   return r;
-}, Le = (r, e) => {
-  if (Se(r)) {
+}, $e = (r, e) => {
+  if (be(r)) {
     let t = r.export({ format: "jwk" });
-    return t.k ? _e(t.k) : (se || (se = /* @__PURE__ */ new WeakMap()), Te(se, r, t, e));
+    return t.k ? Te(t.k) : (se || (se = /* @__PURE__ */ new WeakMap()), Ee(se, r, t, e));
   }
   return r;
-}, $e = { normalizePublicKey: Be, normalizePrivateKey: Le }, x = (r, e, t = 0) => {
+}, qe = { normalizePublicKey: Le, normalizePrivateKey: $e }, j = (r, e, t = 0) => {
   t === 0 && (e.unshift(e.length), e.unshift(6));
   const o = r.indexOf(e[0], t);
   if (o === -1)
     return !1;
   const i = r.subarray(o, o + e.length);
-  return i.length !== e.length ? !1 : i.every((n, s) => n === e[s]) || x(r, e, o + 1);
-}, le = (r) => {
+  return i.length !== e.length ? !1 : i.every((n, s) => n === e[s]) || j(r, e, o + 1);
+}, ue = (r) => {
   switch (!0) {
-    case x(r, [42, 134, 72, 206, 61, 3, 1, 7]):
+    case j(r, [42, 134, 72, 206, 61, 3, 1, 7]):
       return "P-256";
-    case x(r, [43, 129, 4, 0, 34]):
+    case j(r, [43, 129, 4, 0, 34]):
       return "P-384";
-    case x(r, [43, 129, 4, 0, 35]):
+    case j(r, [43, 129, 4, 0, 35]):
       return "P-521";
-    case x(r, [43, 101, 110]):
+    case j(r, [43, 101, 110]):
       return "X25519";
-    case x(r, [43, 101, 111]):
+    case j(r, [43, 101, 111]):
       return "X448";
-    case x(r, [43, 101, 112]):
+    case j(r, [43, 101, 112]):
       return "Ed25519";
-    case x(r, [43, 101, 113]):
+    case j(r, [43, 101, 113]):
       return "Ed448";
     default:
-      throw new I("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
+      throw new U("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
   }
-}, be = async (r, e, t, o, i) => {
+}, Ae = async (r, e, t, o, i) => {
   let n, s;
-  const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))), d = e === "spki";
+  const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))), c = e === "spki";
   switch (o) {
     case "PS256":
     case "PS384":
     case "PS512":
-      n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` }, s = d ? ["verify"] : ["sign"];
+      n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` }, s = c ? ["verify"] : ["sign"];
       break;
     case "RS256":
     case "RS384":
     case "RS512":
-      n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` }, s = d ? ["verify"] : ["sign"];
+      n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` }, s = c ? ["verify"] : ["sign"];
       break;
     case "RSA-OAEP":
     case "RSA-OAEP-256":
@@ -646,81 +646,81 @@ const Se = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
       n = {
         name: "RSA-OAEP",
         hash: `SHA-${parseInt(o.slice(-3), 10) || 1}`
-      }, s = d ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+      }, s = c ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
       break;
     case "ES256":
-      n = { name: "ECDSA", namedCurve: "P-256" }, s = d ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-256" }, s = c ? ["verify"] : ["sign"];
       break;
     case "ES384":
-      n = { name: "ECDSA", namedCurve: "P-384" }, s = d ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-384" }, s = c ? ["verify"] : ["sign"];
       break;
     case "ES512":
-      n = { name: "ECDSA", namedCurve: "P-521" }, s = d ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-521" }, s = c ? ["verify"] : ["sign"];
       break;
     case "ECDH-ES":
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const u = le(a);
-      n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, s = d ? [] : ["deriveBits"];
+      const u = ue(a);
+      n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, s = c ? [] : ["deriveBits"];
       break;
     }
     case "EdDSA":
-      n = { name: le(a) }, s = d ? ["verify"] : ["sign"];
+      n = { name: ue(a) }, s = c ? ["verify"] : ["sign"];
       break;
     default:
-      throw new I('Invalid or unsupported "alg" (Algorithm) value');
+      throw new U('Invalid or unsupported "alg" (Algorithm) value');
   }
   return te.subtle.importKey(e, a, n, !1, s);
-}, qe = (r, e, t) => be(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", r, e), Ve = (r, e, t) => be(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", r, e);
-async function Ge(r, e, t) {
+}, Ve = (r, e, t) => Ae(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", r, e), Ge = (r, e, t) => Ae(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", r, e);
+async function Ye(r, e, t) {
   if (typeof r != "string" || r.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return Ve(r, e);
+  return Ge(r, e);
 }
-async function Ye(r, e, t) {
+async function Xe(r, e, t) {
   if (typeof r != "string" || r.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
     throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
-  return qe(r, e);
+  return Ve(r, e);
 }
-async function ue(r, e) {
-  if (!V(r))
+async function fe(r, e) {
+  if (!$(r))
     throw new TypeError("JWK must be an object");
   switch (e || (e = r.alg), r.kty) {
     case "oct":
       if (typeof r.k != "string" || !r.k)
         throw new TypeError('missing "k" (Key Value) Parameter value');
-      return M(r.k);
+      return F(r.k);
     case "RSA":
       if (r.oth !== void 0)
-        throw new I('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+        throw new U('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
     case "EC":
     case "OKP":
-      return Ce({ ...r, alg: e });
+      return Se({ ...r, alg: e });
     default:
-      throw new I('Unsupported "kty" (Key Type) Parameter value');
+      throw new U('Unsupported "kty" (Key Type) Parameter value');
   }
 }
-const ee = (r) => r == null ? void 0 : r[Symbol.toStringTag], Xe = (r, e) => {
+const ee = (r) => r == null ? void 0 : r[Symbol.toStringTag], Ze = (r, e) => {
   if (!(e instanceof Uint8Array)) {
-    if (!ke(e))
-      throw new TypeError(ve(r, e, ...re, "Uint8Array"));
+    if (!_e(e))
+      throw new TypeError(Ce(r, e, ...re, "Uint8Array"));
     if (e.type !== "secret")
       throw new TypeError(`${ee(e)} instances for symmetric algorithms must be of type "secret"`);
   }
 }, Qe = (r, e, t) => {
-  if (!ke(e))
-    throw new TypeError(ve(r, e, ...re));
+  if (!_e(e))
+    throw new TypeError(Ce(r, e, ...re));
   if (e.type === "secret")
     throw new TypeError(`${ee(e)} instances for asymmetric algorithms must not be of type "secret"`);
   if (e.algorithm && t === "verify" && e.type === "private")
     throw new TypeError(`${ee(e)} instances for asymmetric algorithm verifying must be of type "public"`);
   if (e.algorithm && t === "encrypt" && e.type === "private")
     throw new TypeError(`${ee(e)} instances for asymmetric algorithm encryption must be of type "public"`);
-}, Ze = (r, e, t) => {
-  r.startsWith("HS") || r === "dir" || r.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(r) ? Xe(r, e) : Qe(r, e, t);
+}, er = (r, e, t) => {
+  r.startsWith("HS") || r === "dir" || r.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(r) ? Ze(r, e) : Qe(r, e, t);
 };
-function er(r, e, t, o, i) {
+function rr(r, e, t, o, i) {
   if (i.crit !== void 0 && (o == null ? void 0 : o.crit) === void 0)
     throw new r('"crit" (Critical) Header Parameter MUST be integrity protected');
   if (!o || o.crit === void 0)
@@ -731,7 +731,7 @@ function er(r, e, t, o, i) {
   n = e;
   for (const s of o.crit) {
     if (!n.has(s))
-      throw new I(`Extension Header Parameter "${s}" is not recognized`);
+      throw new U(`Extension Header Parameter "${s}" is not recognized`);
     if (i[s] === void 0)
       throw new r(`Extension Header Parameter "${s}" is missing`);
     if (n.get(s) && o[s] === void 0)
@@ -739,7 +739,7 @@ function er(r, e, t, o, i) {
   }
   return new Set(o.crit);
 }
-function rr(r, e) {
+function tr(r, e) {
   const t = `SHA-${r.slice(-3)}`;
   switch (r) {
     case "HS256":
@@ -761,31 +761,31 @@ function rr(r, e) {
     case "EdDSA":
       return { name: e.name };
     default:
-      throw new I(`alg ${r} is not supported either by JOSE or your javascript runtime`);
+      throw new U(`alg ${r} is not supported either by JOSE or your javascript runtime`);
   }
 }
-async function tr(r, e, t) {
-  if (e = await $e.normalizePublicKey(e, r), we(e))
-    return ze(e, r, t), e;
+async function or(r, e, t) {
+  if (e = await qe.normalizePublicKey(e, r), ve(e))
+    return We(e, r, t), e;
   if (e instanceof Uint8Array) {
     if (!r.startsWith("HS"))
-      throw new TypeError(he(e, ...re));
+      throw new TypeError(le(e, ...re));
     return te.subtle.importKey("raw", e, { hash: `SHA-${r.slice(-3)}`, name: "HMAC" }, !1, [t]);
   }
-  throw new TypeError(he(e, ...re, "Uint8Array"));
+  throw new TypeError(le(e, ...re, "Uint8Array"));
 }
-const or = async (r, e, t, o) => {
-  const i = await tr(r, e, "verify");
-  Je(r, i);
-  const n = rr(r, i.algorithm);
+const ir = async (r, e, t, o) => {
+  const i = await or(r, e, "verify");
+  Me(r, i);
+  const n = tr(r, i.algorithm);
   try {
     return await te.subtle.verify(n, i, t, o);
   } catch {
     return !1;
   }
 };
-async function ir(r, e, t) {
-  if (!V(r))
+async function sr(r, e, t) {
+  if (!$(r))
     throw new S("Flattened JWS must be an object");
   if (r.protected === void 0 && r.header === void 0)
     throw new S('Flattened JWS must have either of the "protected" or "header" members');
@@ -795,22 +795,22 @@ async function ir(r, e, t) {
     throw new S("JWS Payload missing");
   if (typeof r.signature != "string")
     throw new S("JWS Signature missing or incorrect type");
-  if (r.header !== void 0 && !V(r.header))
+  if (r.header !== void 0 && !$(r.header))
     throw new S("JWS Unprotected Header incorrect type");
   let o = {};
   if (r.protected)
     try {
-      const Re = M(r.protected);
-      o = JSON.parse(G.decode(Re));
+      const L = F(r.protected);
+      o = JSON.parse(G.decode(L));
     } catch {
       throw new S("JWS Protected Header is invalid");
     }
-  if (!We(o, r.header))
+  if (!Fe(o, r.header))
     throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const i = {
     ...o,
     ...r.header
-  }, n = er(S, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o, i);
+  }, n = rr(S, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o, i);
   let s = !0;
   if (n.has("b64") && (s = o.b64, typeof s != "boolean"))
     throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
@@ -822,39 +822,39 @@ async function ir(r, e, t) {
       throw new S("JWS Payload must be a string");
   } else if (typeof r.payload != "string" && !(r.payload instanceof Uint8Array))
     throw new S("JWS Payload must be a string or an Uint8Array instance");
-  let d = !1;
-  typeof e == "function" && (e = await e(o, r), d = !0), Ze(a, e, "verify");
-  const u = He(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
+  let c = !1;
+  typeof e == "function" && (e = await e(o, r), c = !0), er(a, e, "verify");
+  const u = je(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
   let y;
   try {
-    y = M(r.signature);
+    y = F(r.signature);
   } catch {
     throw new S("Failed to base64url decode the signature");
   }
-  if (!await or(a, e, y, u))
-    throw new je();
+  if (!await ir(a, e, y, u))
+    throw new Ke();
   let k;
   if (s)
     try {
-      k = M(r.payload);
+      k = F(r.payload);
     } catch {
       throw new S("Failed to base64url decode the payload");
     }
   else typeof r.payload == "string" ? k = X.encode(r.payload) : k = r.payload;
-  const Y = { payload: k };
-  return r.protected !== void 0 && (Y.protectedHeader = o), r.header !== void 0 && (Y.unprotectedHeader = r.header), d ? { ...Y, key: e } : Y;
+  const E = { payload: k };
+  return r.protected !== void 0 && (E.protectedHeader = o), r.header !== void 0 && (E.unprotectedHeader = r.header), c ? { ...E, key: e } : E;
 }
-async function sr(r, e, t) {
+async function nr(r, e, t) {
   if (r instanceof Uint8Array && (r = G.decode(r)), typeof r != "string")
     throw new S("Compact JWS must be a string or Uint8Array");
   const { 0: o, 1: i, 2: n, length: s } = r.split(".");
   if (s !== 3)
     throw new S("Invalid Compact JWS");
-  const a = await ir({ payload: i, protected: o, signature: n }, e), d = { payload: a.payload, protectedHeader: a.protectedHeader };
-  return typeof e == "function" ? { ...d, key: a.key } : d;
+  const a = await sr({ payload: i, protected: o, signature: n }, e), c = { payload: a.payload, protectedHeader: a.protectedHeader };
+  return typeof e == "function" ? { ...c, key: a.key } : c;
 }
-const Ee = M;
-function nr(r) {
+const Pe = F;
+function ge(r) {
   let e;
   if (typeof r == "string") {
     const t = r.split(".");
@@ -867,8 +867,8 @@ function nr(r) {
   try {
     if (typeof e != "string" || !e)
       throw new Error();
-    const t = JSON.parse(G.decode(Ee(e)));
-    if (!V(t))
+    const t = JSON.parse(G.decode(Pe(e)));
+    if (!$(t))
       throw new Error();
     return t;
   } catch {
@@ -877,28 +877,28 @@ function nr(r) {
 }
 function ar(r) {
   if (typeof r != "string")
-    throw new z("JWTs must use Compact JWS serialization, JWT must be a string");
+    throw new D("JWTs must use Compact JWS serialization, JWT must be a string");
   const { 1: e, length: t } = r.split(".");
   if (t === 5)
-    throw new z("Only JWTs using Compact JWS serialization can be decoded");
+    throw new D("Only JWTs using Compact JWS serialization can be decoded");
   if (t !== 3)
-    throw new z("Invalid JWT");
+    throw new D("Invalid JWT");
   if (!e)
-    throw new z("JWTs must contain a payload");
+    throw new D("JWTs must contain a payload");
   let o;
   try {
-    o = Ee(e);
+    o = Pe(e);
   } catch {
-    throw new z("Failed to base64url decode the payload");
+    throw new D("Failed to base64url decode the payload");
   }
   let i;
   try {
     i = JSON.parse(G.decode(o));
   } catch {
-    throw new z("Failed to parse the decoded payload as JSON");
+    throw new D("Failed to parse the decoded payload as JSON");
   }
-  if (!V(i))
-    throw new z("Invalid JWT Claims Set");
+  if (!$(i))
+    throw new D("Invalid JWT Claims Set");
   return i;
 }
 const C = class v {
@@ -996,7 +996,7 @@ l(C, "flowName", {
   [C.PasswordMfa]: "Password MFA",
   [C.OidcAuthorizationCode]: "OIDC Authorization Code"
 });
-var _, T, q, F, J;
+var _, b;
 class cr {
   /**
    * Constructor.
@@ -1033,27 +1033,18 @@ class cr {
     codeChallengeMethod: n,
     stateLength: s,
     verifierLength: a,
-    tokenConsumer: d,
+    tokenConsumer: c,
     authServerCredentials: u,
     authServerMode: y,
     authServerHeaders: k
   }) {
-    l(this, "authServerBaseUrl", ""), $(this, _), $(this, T), $(this, q), l(this, "codeChallengeMethod", "S256"), $(this, F), l(this, "verifierLength", 32), l(this, "redirect_uri"), $(this, J, ""), l(this, "stateLength", 32), l(this, "authzCode", ""), l(this, "oidcConfig"), l(this, "tokenConsumer"), l(this, "authServerHeaders", {}), l(this, "authServerMode"), l(this, "authServerCredentials"), this.tokenConsumer = d, this.authServerBaseUrl = e, a && (this.verifierLength = a), s && (this.stateLength = s), t && A(this, _, t), o && A(this, T, o), i && (this.redirect_uri = i), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, u && (this.authServerCredentials = u), y && (this.authServerMode = y), k && (this.authServerHeaders = k);
+    l(this, "authServerBaseUrl", ""), he(this, _), he(this, b), l(this, "codeChallengeMethod", "S256"), l(this, "verifierLength", 32), l(this, "redirect_uri"), l(this, "stateLength", 32), l(this, "authzCode", ""), l(this, "oidcConfig"), l(this, "tokenConsumer"), l(this, "authServerHeaders", {}), l(this, "authServerMode"), l(this, "authServerCredentials"), l(this, "oauthPostType", "json"), l(this, "oauthLogFetch", !1), l(this, "oauthUseUserInfoEndpoint", !1), this.tokenConsumer = c, this.authServerBaseUrl = e, a && (this.verifierLength = a), s && (this.stateLength = s), t && Y(this, _, t), o && Y(this, b, o), i && (this.redirect_uri = i), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, u && (this.authServerCredentials = u), y && (this.authServerMode = y), k && (this.authServerHeaders = k);
   }
   set client_id(e) {
-    A(this, _, e);
+    Y(this, _, e);
   }
   set client_secret(e) {
-    A(this, T, e);
-  }
-  set codeVerifier(e) {
-    A(this, F, e);
-  }
-  set codeChallenge(e) {
-    A(this, q, e);
-  }
-  set state(e) {
-    A(this, J, e);
+    Y(this, b, e);
   }
   /**
    * Loads OpenID Connect configuration so that the client can determine
@@ -1068,7 +1059,7 @@ class cr {
    */
   async loadConfig(e) {
     if (e) {
-      c.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = e;
+      d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = e;
       return;
     }
     let t;
@@ -1076,18 +1067,18 @@ class cr {
       const o = new URL(
         this.authServerBaseUrl + "/.well-known/openid-configuration"
       );
-      c.logger.debug(h({ msg: `Fetching OIDC config from ${o}` }));
+      d.logger.debug(h({ msg: `Fetching OIDC config from ${o}` }));
       let i = { headers: this.authServerHeaders };
       this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), t = await fetch(o, i);
     } catch (o) {
-      c.logger.error(h({ err: o }));
+      d.logger.error(h({ err: o }));
     }
     if (!t || !t.ok)
       throw new g(
         m.Connection,
         "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
       );
-    this.oidcConfig = { ...ye };
+    this.oidcConfig = { ...me };
     try {
       const o = await t.json();
       for (const [i, n] of Object.entries(o))
@@ -1121,19 +1112,19 @@ class cr {
    *          - `error_description` friendly error message or undefined
    *            if no error
    */
-  async startAuthorizationCodeFlow(e, t = !1) {
-    var o, i, n;
-    if (c.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.response_types_supported.includes("code")) || !((i = this.oidcConfig) != null && i.response_modes_supported.includes("query")))
+  async startAuthorizationCodeFlow(e, t, o, i = !1) {
+    var n, s, a;
+    if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.response_types_supported.includes("code")) || !((s = this.oidcConfig) != null && s.response_modes_supported.includes("query")))
       return {
         error: "invalid_request",
         error_description: "Server does not support authorization code flow"
       };
-    if (!((n = this.oidcConfig) != null && n.authorization_endpoint))
+    if (!((a = this.oidcConfig) != null && a.authorization_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get authorize endpoint"
       };
-    if (A(this, J, this.randomValue(this.stateLength)), !p(this, _)) return {
+    if (!w(this, _)) return {
       error: "invalid_request",
       error_description: "Cannot make authorization code flow without client id"
     };
@@ -1141,8 +1132,30 @@ class cr {
       error: "invalid_request",
       error_description: "Cannot make authorization code flow without Redirect Uri"
     };
-    let s = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(p(this, _)) + "&state=" + encodeURIComponent(p(this, J)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
-    return e && (s += "&scope=" + encodeURIComponent(e)), t && (A(this, F, this.randomValue(this.verifierLength)), A(this, q, this.codeChallengeMethod == "plain" ? p(this, F) : await this.sha256(p(this, F))), s += "&code_challenge=" + p(this, q)), { url: s };
+    let c = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(w(this, _)) + "&state=" + encodeURIComponent(e) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    return t && (c += "&scope=" + encodeURIComponent(t)), i && o && (c += "&code_challenge=" + o), { url: c };
+  }
+  async codeChallengeAndVerifier() {
+    const e = this.randomValue(this.verifierLength);
+    return { codeChallenge: this.codeChallengeMethod == "plain" ? e : await this.sha256(e), codeVerifier: e };
+  }
+  async getIdPayload(e, t) {
+    let o, i;
+    try {
+      let n;
+      if (n = await this.validateIdToken(e), !n)
+        return o = "access_denied", i = "Invalid ID token received", { error: o, error_description: i };
+      if (t && this.oauthUseUserInfoEndpoint) {
+        const s = await this.userInfoEndpoint(t);
+        if (s.error)
+          return o = s.error, i = "Failed getting user info: " + (s.error_description ?? "unknown error"), { error: o, error_description: i };
+        n = { ...n, ...s };
+      }
+      return { payload: n };
+    } catch (n) {
+      const s = g.asCrossauthError(n);
+      return d.logger.debug(h({ err: s })), d.logger.error(h({ msg: "Couldn't get user info", cerr: s })), o = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: o, error_description: i };
+    }
   }
   /**
    * This implements the functionality behind the redirect URI
@@ -1164,36 +1177,41 @@ class cr {
    * @returns The {@link OAuthTokenResponse} from the `token` endpoint
    *          request, or `error` and `error_description`.
    */
-  async redirectEndpoint(e, t, o, i) {
-    var n, s;
-    if (this.oidcConfig || await this.loadConfig(), o || !e)
-      return o || (o = "server_error"), i || (i = "Unknown error"), { error: o, error_description: i };
-    if (p(this, J) && t != p(this, J))
-      return { error: "access_denied", error_description: "State is not valid" };
-    if (this.authzCode = e, !((n = this.oidcConfig) != null && n.grant_types_supported.includes("authorization_code")))
+  async redirectEndpoint(e, t, o, i, n) {
+    var s, a;
+    if (this.oidcConfig || await this.loadConfig(), i || !e)
+      return i || (i = "server_error"), n || (n = "Unknown error"), { error: i, error_description: n };
+    if (this.authzCode = e, !((s = this.oidcConfig) != null && s.grant_types_supported.includes("authorization_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support authorization code grant"
       };
-    if (!((s = this.oidcConfig) != null && s.token_endpoint))
+    if (!((a = this.oidcConfig) != null && a.token_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
-    const a = this.oidcConfig.token_endpoint;
-    let d, u;
-    d = "authorization_code", u = p(this, T);
-    let y = {
-      grant_type: d,
-      client_id: p(this, _),
-      code: this.authzCode
+    const c = this.oidcConfig.token_endpoint;
+    let u, y;
+    u = "authorization_code", y = w(this, b);
+    let k = {
+      grant_type: u,
+      client_id: w(this, _),
+      code: this.authzCode,
+      redirect_uri: this.redirect_uri
     };
-    u && (y.client_secret = u), y.code_verifier = p(this, F);
+    t && (k.scope = t), y && (k.client_secret = y), o && (k.code_verifier = o);
     try {
-      const k = await this.post(a, y, this.authServerHeaders);
-      return k.id_token && !await this.validateIdToken(k.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : k;
-    } catch (k) {
-      return c.logger.error(h({ err: k })), {
+      let E = await this.post(c, k, this.authServerHeaders);
+      if (E.id_token) {
+        const L = await this.getIdPayload(E.id_token, E.access_token);
+        if (L.error)
+          return L;
+        E.id_payload = L.payload;
+      }
+      return E;
+    } catch (E) {
+      return d.logger.error(h({ err: E })), {
         error: "server_error",
         error_description: "Unable to get access token from server"
       };
@@ -1215,28 +1233,35 @@ class cr {
    */
   async clientCredentialsFlow(e) {
     var t, o;
-    if (c.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("client_credentials")))
+    if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("client_credentials")))
       return {
         error: "invalid_request",
         error_description: "Server does not support client credentials grant"
       };
     if (!((o = this.oidcConfig) != null && o.token_endpoint))
       return { error: "server_error", error_description: "Cannot get token endpoint" };
-    if (!p(this, _)) return {
+    if (!w(this, _)) return {
       error: "invalid_request",
       error_description: "Cannot make client credentials flow without client id"
     };
     const i = this.oidcConfig.token_endpoint;
     let n = {
       grant_type: "client_credentials",
-      client_id: p(this, _),
-      client_secret: p(this, T)
+      client_id: w(this, _),
+      client_secret: w(this, b)
     };
     e && (n.scope = e);
     try {
-      return await this.post(i, n, this.authServerHeaders);
+      let s = await this.post(i, n, this.authServerHeaders);
+      if (s.id_token) {
+        const a = await this.getIdPayload(s.id_token, s.access_token);
+        if (a.error)
+          return a;
+        s.id_payload = a.payload;
+      }
+      return s;
     } catch (s) {
-      return c.logger.error(h({ err: s })), {
+      return d.logger.error(h({ err: s })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1259,7 +1284,7 @@ class cr {
    */
   async passwordFlow(e, t, o) {
     var i, n;
-    if (c.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("password")))
+    if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("password")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password grant"
@@ -1272,17 +1297,23 @@ class cr {
     const s = this.oidcConfig.token_endpoint;
     let a = {
       grant_type: "password",
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       username: e,
       password: t
     };
     o && (a.scope = o);
     try {
-      let d = await this.post(s, a, this.authServerHeaders);
-      return d.id_token && !await this.validateIdToken(d.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : d;
-    } catch (d) {
-      return c.logger.error(h({ err: d })), {
+      let c = await this.post(s, a, this.authServerHeaders);
+      if (c.id_token) {
+        const u = await this.getIdPayload(c.id_token, c.access_token);
+        if (u.error)
+          return u;
+        c.id_payload = u.payload;
+      }
+      return c;
+    } catch (c) {
+      return d.logger.error(h({ err: c })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1303,7 +1334,7 @@ class cr {
    */
   async mfaAuthenticators(e) {
     var t, o, i;
-    if (c.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && (o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))
+    if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && (o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
@@ -1317,8 +1348,8 @@ class cr {
         error_description: "Expected array of authenticators in mfa/authenticators response"
       };
     let a = [];
-    for (let d = 0; d < s.length; ++d) {
-      const u = s[d];
+    for (let c = 0; c < s.length; ++c) {
+      const u = s[c];
       if (!u.id || !u.authenticator_type || !u.active)
         return {
           error: "server_error",
@@ -1348,7 +1379,7 @@ class cr {
    */
   async mfaOtpRequest(e, t) {
     var o, i;
-    if (c.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+    if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
@@ -1356,8 +1387,8 @@ class cr {
     if (!((i = this.oidcConfig) != null && i.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       challenge_type: "otp",
       mfa_token: e,
       authenticator_id: t
@@ -1386,7 +1417,7 @@ class cr {
    */
   async mfaOtpComplete(e, t, o) {
     var i, n;
-    if (c.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+    if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
@@ -1395,13 +1426,19 @@ class cr {
       return { error: "server_error", error_description: "Cannot get issuer" };
     const s = this.oidcConfig.token_endpoint, a = await this.post(s, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       challenge_type: "otp",
       mfa_token: e,
       otp: t,
       scope: o
     }, this.authServerHeaders);
+    if (a.id_token) {
+      const c = await this.getIdPayload(a.id_token, a.access_token);
+      if (c.error)
+        return c;
+      a.id_payload = c.payload;
+    }
     return {
       id_token: a.id_token,
       access_token: a.access_token,
@@ -1433,7 +1470,7 @@ class cr {
    */
   async mfaOobRequest(e, t) {
     var o, i;
-    if (c.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+    if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
@@ -1441,8 +1478,8 @@ class cr {
     if (!((i = this.oidcConfig) != null && i.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       challenge_type: "oob",
       mfa_token: e,
       authenticator_id: t
@@ -1468,40 +1505,48 @@ class cr {
    */
   async mfaOobComplete(e, t, o, i) {
     var n, s;
-    if (c.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+    if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
     if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
-    const a = this.oidcConfig.token_endpoint, d = await this.post(a, {
+    const a = this.oidcConfig.token_endpoint, c = await this.post(a, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       challenge_type: "otp",
       mfa_token: e,
       oob_code: t,
       binding_code: o,
       scope: i
     }, this.authServerHeaders);
-    return d.error ? {
-      error: d.error,
-      error_description: d.error_description
-    } : d.id_token && !await this.validateIdToken(d.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : {
-      id_token: d.id_token,
-      access_token: d.access_token,
-      refresh_token: d.refresh_token,
-      expires_in: "expires_in" in d ? Number(d.expires_in) : void 0,
-      scope: d.scope,
-      token_type: d.token_type
+    if (c.error)
+      return {
+        error: c.error,
+        error_description: c.error_description
+      };
+    if (c.id_token) {
+      const u = await this.getIdPayload(c.id_token, c.access_token);
+      if (u.error)
+        return u;
+      c.id_payload = u.payload;
+    }
+    return {
+      id_token: c.id_token,
+      access_token: c.access_token,
+      refresh_token: c.refresh_token,
+      expires_in: "expires_in" in c ? Number(c.expires_in) : void 0,
+      scope: c.scope,
+      token_type: c.token_type
     };
   }
   //////////////////////////////////////////////////////////////////////
   // Refresh Token Flow
   async refreshTokenFlow(e) {
     var t, o;
-    if (c.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("refresh_token")))
+    if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("refresh_token")))
       return {
         error: "invalid_request",
         error_description: "Server does not support refresh_token grant"
@@ -1513,18 +1558,24 @@ class cr {
       };
     const i = this.oidcConfig.token_endpoint;
     let n;
-    n = p(this, T);
+    n = w(this, b);
     let s = {
       grant_type: "refresh_token",
       refresh_token: e,
-      client_id: p(this, _)
+      client_id: w(this, _)
     };
     n && (s.client_secret = n);
     try {
       let a = await this.post(i, s, this.authServerHeaders);
-      return a.id_token && !await this.validateIdToken(a.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : a;
+      if (a.id_token) {
+        const c = await this.getIdPayload(a.id_token, a.access_token);
+        if (c.error)
+          return c;
+        a.id_payload = c.payload;
+      }
+      return a;
     } catch (a) {
-      return c.logger.error(h({ err: a })), {
+      return d.logger.error(h({ err: a })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1540,22 +1591,22 @@ class cr {
    */
   async startDeviceCodeFlow(e, t) {
     var o;
-    if (c.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support device code grant"
       };
     let i = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: p(this, _),
-      client_secret: p(this, T)
+      client_id: w(this, _),
+      client_secret: w(this, b)
     };
     t && (i.scope = t);
     try {
       let n = await this.post(e, i, this.authServerHeaders);
       return n.id_token && !await this.validateIdToken(n.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : n;
     } catch (n) {
-      return c.logger.error(h({ err: n })), {
+      return d.logger.error(h({ err: n })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1570,7 +1621,7 @@ class cr {
    */
   async pollDeviceCodeFlow(e) {
     var t, o, i;
-    if (c.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support device code grant"
@@ -1582,20 +1633,39 @@ class cr {
       };
     let n = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: p(this, _),
-      client_secret: p(this, T),
+      client_id: w(this, _),
+      client_secret: w(this, b),
       device_code: e
     };
     try {
       const s = await this.post((i = this.oidcConfig) == null ? void 0 : i.token_endpoint, n, this.authServerHeaders);
-      return s.error ? s : s.id_token && !await this.validateIdToken(s.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : s;
+      if (s.error) return s;
+      if (s.id_token) {
+        const a = await this.getIdPayload(s.id_token, s.access_token);
+        if (a.error)
+          return a;
+        s.id_payload = a.payload;
+      }
+      return s;
     } catch (s) {
-      return c.logger.error(h({ err: s })), {
+      return d.logger.error(h({ err: s })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
     }
   }
+  //////////////////////////////////////////////////////////////////
+  // UserInfo
+  async userInfoEndpoint(e) {
+    var t;
+    if (!((t = this.oidcConfig) != null && t.userinfo_endpoint))
+      return {
+        error: "server_error",
+        error_description: "Cannot get token endpoint"
+      };
+    const o = this.oidcConfig.userinfo_endpoint;
+    return await this.post(o, {}, { authorization: "Bearer " + e });
+  }
   /**
    * Makes a POST request to the given URL using `fetch()`.
    * 
@@ -1605,22 +1675,34 @@ class cr {
    * @throws any exception raised by `fetch()`
    */
   async post(e, t, o = {}) {
-    c.logger.debug(h({
+    d.logger.debug(h({
       msg: "Fetch POST",
       url: e,
       params: Object.keys(t)
     }));
     let i = {};
-    return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(e, {
+    this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode);
+    let n = "", s = "";
+    if (this.oauthPostType == "json")
+      n = JSON.stringify(t), s = "application/json";
+    else {
+      n = "";
+      for (let c in t)
+        n != "" && (n += "&"), n += encodeURIComponent(c) + "=" + encodeURIComponent(t[c]);
+      s = "application/x-www-form-urlencoded";
+    }
+    this.oauthLogFetch && d.logger.debug(h({ msg: "OAuth fetch", method: "POST", url: e, body: n }));
+    const a = await (await fetch(e, {
       method: "POST",
       ...i,
       headers: {
         Accept: "application/json",
-        "Content-Type": "application/json",
+        "Content-Type": s,
         ...o
       },
-      body: JSON.stringify(t)
+      body: n
     })).json();
+    return this.oauthLogFetch && d.logger.debug(h({ msg: "OAuth fetch response", body: JSON.stringify(a) })), a;
   }
   /**
    * Makes a GET request to the given URL using `fetch()`.
@@ -1631,17 +1713,18 @@ class cr {
    * @throws any exception raised by `fetch()`
    */
   async get(e, t = {}) {
-    c.logger.debug(h({ msg: "Fetch GET", url: e }));
+    d.logger.debug(h({ msg: "Fetch GET", url: e }));
     let o = {};
-    return this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), await (await fetch(e, {
+    this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), this.oauthLogFetch && d.logger.debug(h({ msg: "OAuth fetch", method: "GET", url: e }));
+    const i = await (await fetch(e, {
       method: "GET",
       ...o,
       headers: {
         Accept: "application/json",
-        "Content-Type": "application/json",
         ...t
       }
     })).json();
+    return this.oauthLogFetch && d.logger.debug(h({ msg: "OAuth fetch response", body: JSON.stringify(i) })), i;
   }
   /**
    * Validates an OpenID ID token, returning undefined if it is invalid.
@@ -1670,7 +1753,7 @@ class cr {
     try {
       return await this.tokenConsumer.tokenAuthorized(e, "id");
     } catch (t) {
-      c.logger.warn(h({ err: t }));
+      d.logger.warn(h({ err: t }));
       return;
     }
   }
@@ -1678,7 +1761,7 @@ class cr {
     return ar(e);
   }
 }
-_ = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), q = /* @__PURE__ */ new WeakMap(), F = /* @__PURE__ */ new WeakMap(), J = /* @__PURE__ */ new WeakMap();
+_ = /* @__PURE__ */ new WeakMap(), b = /* @__PURE__ */ new WeakMap();
 class dr {
   /**
    * Constrctor
@@ -1702,7 +1785,7 @@ class dr {
    * still call this function.  This is because key loading is
    * asynchronous, and constructors may not be async.
    */
-  async loadKeys() {
+  async loadKeys(e) {
     try {
       if (this.jwtSecretKey) {
         if (!this.jwtKeyType)
@@ -1710,25 +1793,25 @@ class dr {
             m.Configuration,
             "Must specify jwtKeyType if setting jwtSecretKey"
           );
-        this.keys._default = await Ye(this.jwtSecretKey, this.jwtKeyType);
+        this.keys._default = await Xe(this.jwtSecretKey, this.jwtKeyType);
       } else if (this.jwtPublicKey) {
         if (!this.jwtKeyType)
           throw new g(
             m.Configuration,
             "Must specify jwtKeyType if setting jwtPublicKey"
           );
-        const e = await Ge(this.jwtPublicKey, this.jwtKeyType);
-        this.keys._default = e;
+        const t = await Ye(this.jwtPublicKey, this.jwtKeyType);
+        this.keys._default = t;
       } else {
         if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
           throw new g(
             m.Connection,
             "Load OIDC config before Jwks"
           );
-        await this.loadJwks();
+        await this.loadJwks(void 0, e);
       }
-    } catch (e) {
-      throw c.logger.debug(h({ err: e })), new g(m.Connection, "Couldn't load keys");
+    } catch (t) {
+      throw d.logger.debug(h({ err: t })), new g(m.Connection, "Couldn't load keys");
     }
   }
   /**
@@ -1751,11 +1834,11 @@ class dr {
     try {
       t = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
     } catch (o) {
-      c.logger.error(h({ err: o }));
+      d.logger.error(h({ err: o }));
     }
     if (!t || !t.ok)
       throw new g(m.Connection, "Couldn't get OIDC configuration");
-    this.oidcConfig = { ...ye };
+    this.oidcConfig = { ...me };
     try {
       const o = await t.json();
       for (const [i, n] of Object.entries(o))
@@ -1773,40 +1856,46 @@ class dr {
    *   - `Connection` if the fetch to the authorization server failed,
    *     the OIDC configuration wasn't set or the keys could not be parsed.
    */
-  async loadJwks(e) {
+  async loadJwks(e, t) {
     if (e) {
       this.keys = {};
-      for (let t = 0; t < e.keys.length; ++t) {
-        const o = e.keys[t];
-        this.keys[o.kid ?? "_default"] = await ue(e.keys[t]);
+      for (let o = 0; o < e.keys.length; ++o) {
+        const i = e.keys[o];
+        this.keys[i.kid ?? "_default"] = await fe(e.keys[o]);
       }
     } else {
       if (!this.oidcConfig)
         throw new g(m.Connection, "Load OIDC config before Jwks");
-      let t;
+      let o;
       try {
-        t = await fetch(new URL(this.oidcConfig.jwks_uri));
-      } catch (o) {
-        c.logger.error(h({ err: o }));
+        o = await fetch(new URL(this.oidcConfig.jwks_uri));
+      } catch (i) {
+        d.logger.error(h({ err: i }));
       }
-      if (!t || !t.ok)
+      if (!o || !o.ok)
         throw new g(m.Connection, "Couldn't get OIDC configuration");
       this.keys = {};
       try {
-        const o = await t.json();
-        if (!("keys" in o) || !Array.isArray(o.keys))
+        const i = await o.json();
+        if (!("keys" in i) || !Array.isArray(i.keys))
           throw new g(m.Connection, "Couldn't fetch keys");
-        for (let i = 0; i < o.keys.length; ++i)
+        for (let n = 0; n < i.keys.length; ++n)
           try {
-            let n = "_default";
-            "kid" in o.keys[i] && typeof o.keys[i] == "string" && (n = String(o.keys[i]));
-            const s = await ue(o.keys[i]);
-            this.keys[n] = s;
-          } catch (n) {
-            throw c.logger.error(h({ err: n })), new g(m.Connection, "Couldn't load keys");
+            let s = "_default", a = { ...i.keys[n] };
+            if ("kid" in a && typeof a.kid == "string" && (s = String(a.kid)), a && !a.alg && !a.jwk_alg && t)
+              if (t.startsWith("RS") && a.kty == "RSA")
+                a.alg = t;
+              else {
+                d.logger.debug(h({ msg: "Skipping key with " + a.kty }));
+                continue;
+              }
+            const c = await fe(a);
+            this.keys[s] = c;
+          } catch (s) {
+            throw d.logger.error(h({ err: s })), new g(m.Connection, "Couldn't load keys");
           }
-      } catch (o) {
-        throw c.logger.error(h({ err: o })), new g(m.Connection, "Unrecognized response from OIDC jwks endpoint");
+      } catch (i) {
+        throw d.logger.error(h({ err: i })), new g(m.Connection, "Unrecognized response from OIDC jwks endpoint");
       }
     }
   }
@@ -1822,59 +1911,61 @@ class dr {
    * @returns the JWT payload if the token is valid, `undefined` otherwise.
    */
   async tokenAuthorized(e, t) {
-    (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
+    if (!this.keys || Object.keys(this.keys).length == 0) {
+      const i = ge(e);
+      await this.loadKeys(i.alg);
+    }
     const o = await this.validateToken(e);
     if (o) {
-      if (o.type != t) {
-        c.logger.error(h({ msg: t + " expected but got " + o.type }));
-        return;
-      }
       if (o.iss != this.authServerBaseUrl) {
-        c.logger.error(h({ msg: `Invalid issuer ${o.iss} in access token`, hashedAccessToken: await this.hash(o.jti) }));
+        const i = o.jti ? o.jti : o.sid ? o.sid : "";
+        d.logger.error(h({ msg: `Invalid issuer ${o.iss} in access token`, hashedAccessToken: await this.hash(i) }));
         return;
       }
-      if (o.aud && (Array.isArray(o.aud) && !o.aud.includes(this.audience) || !Array.isArray(o.aud) && o.aud != this.audience)) {
-        c.logger.error(h({ msg: `Invalid audience ${o.aud} in access token`, hashedAccessToken: await this.hash(o.jti) }));
-        return;
+      if (o.aud) {
+        const i = o.jti ? o.jti : o.sid ? o.sid : "";
+        if (Array.isArray(o.aud) && !o.aud.includes(this.audience) || !Array.isArray(o.aud) && o.aud != this.audience) {
+          d.logger.error(h({ msg: `Invalid audience ${o.aud} in access token`, hashedAccessToken: await this.hash(i) }));
+          return;
+        }
       }
       return o;
     }
   }
   async validateToken(e) {
-    (!this.keys || Object.keys(this.keys).length == 0) && c.logger.warn("No keys loaded so cannot validate tokens");
+    (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
     let t;
     try {
-      t = nr(e).kid;
+      t = ge(e).kid;
     } catch {
-      c.logger.warn(h({ msg: "Invalid access token format" }));
+      d.logger.warn(h({ msg: "Invalid access token format" }));
       return;
     }
     let o;
-    "_default" in this.keys && (o = this.keys._default);
     for (let i in this.keys)
       if (t == i) {
         o = this.keys[i];
         break;
       }
-    if (!o) {
-      c.logger.warn(h({ msg: "No matching keys found for access token" }));
+    if (!o && "_default" in this.keys && (o = this.keys._default), !o) {
+      d.logger.warn(h({ msg: "No matching keys found for access token" }));
       return;
     }
     try {
-      const { payload: i } = await sr(e, o), n = JSON.parse(new TextDecoder().decode(i));
+      const { payload: i } = await nr(e, o), n = JSON.parse(new TextDecoder().decode(i));
       if (n.exp * 1e3 < Date.now() + this.clockTolerance) {
-        c.logger.warn(h({ msg: "Access token has expired" }));
+        d.logger.warn(h({ msg: "Access token has expired" }));
         return;
       }
       return n;
     } catch {
-      c.logger.warn(h({ msg: "Access token did not validate" }));
+      d.logger.warn(h({ msg: "Access token did not validate" }));
       return;
     }
   }
 }
-const fe = 30, Z = 2, ae = 30;
-class Ae {
+const pe = 30, Q = 2, ae = 30;
+class Re {
   /**
    * Constructor
    * 
@@ -1899,50 +1990,50 @@ class Ae {
   }
   async startAutoRefresh(e = ["access", "id"], t) {
     if (!this.autoRefreshActive) {
-      this.autoRefreshActive = !0, c.logger.debug(h({ msg: "Starting auto refresh" }));
+      this.autoRefreshActive = !0, d.logger.debug(h({ msg: "Starting auto refresh" }));
       try {
         await this.scheduleAutoRefresh(e, t);
       } catch (o) {
         const i = g.asCrossauthError(o);
-        c.logger.error(h({ cerr: i })), c.logger.debug(h({ err: i }));
+        d.logger.error(h({ cerr: i })), d.logger.debug(h({ err: i }));
       }
     }
   }
   stopAutoRefresh() {
-    this.autoRefreshActive = !1, c.logger.debug(h({ msg: "Stopping auto refresh" }));
+    this.autoRefreshActive = !1, d.logger.debug(h({ msg: "Stopping auto refresh" }));
   }
   async scheduleAutoRefresh(e, t) {
     const o = this.tokenProvider.getCsrfToken(), i = o ? await o : void 0, n = await this.tokenProvider.getTokenExpiries([...e, "refresh"], i);
     if (n.refresh == null) {
-      c.logger.debug(h({ msg: "No refresh token found" }));
+      d.logger.debug(h({ msg: "No refresh token found" }));
       return;
     }
     const s = Date.now();
     let a = n.id;
     if ((!a || n.access && n.access < a) && (a = n.access), !a) {
-      c.logger.debug(h({ msg: "No tokens expire" }));
+      d.logger.debug(h({ msg: "No tokens expire" }));
       return;
     }
-    const d = a * 1e3 - s - fe;
-    if (d < 0) {
-      c.logger.debug(h({ msg: "Expiry time has passed" }));
+    const c = a * 1e3 - s - pe;
+    if (c < 0) {
+      d.logger.debug(h({ msg: "Expiry time has passed" }));
       return;
     }
-    if (n.refresh && n.refresh - fe < d) {
-      c.logger.debug(h({ msg: "Refresh token has expired" }));
+    if (n.refresh && n.refresh - pe < c) {
+      d.logger.debug(h({ msg: "Refresh token has expired" }));
       return;
     }
     let u = (y) => new Promise((k) => setTimeout(k, y));
-    c.logger.debug(h({ msg: `Waiting ${d} before refreshing tokens` })), await u(d), await this.autoRefresh(e, i, t);
+    d.logger.debug(h({ msg: `Waiting ${c} before refreshing tokens` })), await u(c), await this.autoRefresh(e, i, t);
   }
   async autoRefresh(e, t, o) {
     if (this.autoRefreshActive) {
       let i, n = !1, s = 0;
-      for (; !n && s <= Z; )
+      for (; !n && s <= Q; )
         try {
           let a = { ...this.headers };
-          t && (a[this.csrfHeader] = t), c.logger.debug(h({ msg: "Initiating auto refresh" }));
-          const d = await this.tokenProvider.jsonFetchWithToken(
+          t && (a[this.csrfHeader] = t), d.logger.debug(h({ msg: "Initiating auto refresh" }));
+          const c = await this.tokenProvider.jsonFetchWithToken(
             this.autoRefreshUrl,
             {
               method: "POST",
@@ -1959,24 +2050,24 @@ class Ae {
             },
             "refresh"
           );
-          if (d.ok || c.logger.error(h({ msg: "Failed auto refreshing tokens", status: d.status })), i = await d.json(), i != null && i.ok) {
+          if (c.ok || d.logger.error(h({ msg: "Failed auto refreshing tokens", status: c.status })), i = await c.json(), i != null && i.ok) {
             await this.scheduleAutoRefresh(e, o), n = !0;
             try {
               await this.tokenProvider.receiveTokens(i);
             } catch (u) {
               const y = g.asCrossauthError(u);
-              o ? o("Couldn't receive tokens", y) : (c.logger.debug(h({ err: u })), c.logger.error(h({ msg: "Error receiving tokens", cerr: y })));
+              o ? o("Couldn't receive tokens", y) : (d.logger.debug(h({ err: u })), d.logger.error(h({ msg: "Error receiving tokens", cerr: y })));
             }
           } else
-            s < Z ? (c.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${ae} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)) : (c.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), s++;
+            s < Q ? (d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${ae} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), s++;
         } catch (a) {
-          const d = g.asCrossauthError(a);
-          c.logger.debug(h({ err: d })), s < Z ? (c.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${Z} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae)) : (c.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o(d.message, d)), s++;
+          const c = g.asCrossauthError(a);
+          d.logger.debug(h({ err: c })), s < Q ? (d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${Q} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o(c.message, c)), s++;
         }
     }
   }
 }
-class Pe {
+class Ie {
   /**
    * Constructor
    * 
@@ -1997,18 +2088,18 @@ class Pe {
     this.oauthClient = e.oauthClient, e.deviceCodePollUrl != null && (this.deviceCodePollUrl = e.deviceCodePollUrl), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
   }
   async startPolling(e, t, o = 5) {
-    this.pollingActive || (this.pollingActive = !0, c.logger.debug(h({ msg: "Starting auto refresh" })), await this.poll(e, o, t));
+    this.pollingActive || (this.pollingActive = !0, d.logger.debug(h({ msg: "Starting auto refresh" })), await this.poll(e, o, t));
   }
   stopPolling() {
-    this.pollingActive = !1, c.logger.debug(h({ msg: "Stopping auto refresh" }));
+    this.pollingActive = !1, d.logger.debug(h({ msg: "Stopping auto refresh" }));
   }
   async poll(e, t, o) {
     var i;
     if (!e)
-      c.logger.debug(h({ msg: "device code poll: no device code provided" })), o("error", "Error waiting for authorization");
+      d.logger.debug(h({ msg: "device code poll: no device code provided" })), o("error", "Error waiting for authorization");
     else
       try {
-        if (c.logger.debug(h({ msg: "device code poll: poll" })), !this.deviceCodePollUrl && this.oauthClient) {
+        if (d.logger.debug(h({ msg: "device code poll: poll" })), !this.deviceCodePollUrl && this.oauthClient) {
           if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((i = this.oauthClient.getOidcConfig()) != null && i.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
             return {
               error: "invalid_request",
@@ -2037,18 +2128,18 @@ class Pe {
           this.pollingActive = !1, o("error", "Received an error from the authorization server");
         else {
           const s = await n.json();
-          if (c.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(s) })), s.error == "expired_token")
+          if (d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(s) })), s.error == "expired_token")
             this.pollingActive = !1, o("expired_token", "Timeout waiting for authorization");
           else if (s.error == "authorization_pending" || s.error == "slow_down") {
             s.error == "slow_down" && (t += 5);
-            let a = s.interval ?? t, d = (u) => new Promise((y) => setTimeout(y, u));
-            c.logger.debug(h({ msg: "device code poll: waiting " + String(a) + " seconds" })), await d(a * 1e3), this.pollingActive && this.poll(e, t, o);
+            let a = s.interval ?? t, c = (u) => new Promise((y) => setTimeout(y, u));
+            d.logger.debug(h({ msg: "device code poll: waiting " + String(a) + " seconds" })), await c(a * 1e3), this.pollingActive && this.poll(e, t, o);
           } else s.error ? (this.pollingActive = !1, o("error", s.error_description ?? s.error)) : (this.pollingActive = !1, o("complete"));
         }
       } catch (n) {
         this.pollingActive = !1;
         const s = g.asCrossauthError(n);
-        c.logger.debug(h({ err: s })), c.logger.error(h({ msg: "Polling failed", cerr: s })), o("error", s.message);
+        d.logger.debug(h({ err: s })), d.logger.error(h({ msg: "Polling failed", cerr: s })), o("error", s.message);
       }
   }
 }
@@ -2085,11 +2176,11 @@ class ur {
     f(this, "getCsrfTokenUrl", "/api/getcsrftoken");
     f(this, "autoRefreshUrl", "/api/refreshtokens");
     f(this, "tokensUrl", "/tokens");
-    e.bffPrefix && (this.bffPrefix = e.bffPrefix), e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.enableCsrfProtection != null && (this.enableCsrfProtection = e.enableCsrfProtection), e.getCsrfTokenUrl && (this.getCsrfTokenUrl = e.getCsrfTokenUrl), e.tokensUrl && (this.tokensUrl = e.tokensUrl), e.autoRefreshUrl && (this.autoRefreshUrl = e.autoRefreshUrl), this.bffPrefix.endsWith("/") || (this.bffPrefix += "/"), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials), this.autoRefresher = new Ae({
+    e.bffPrefix && (this.bffPrefix = e.bffPrefix), e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.enableCsrfProtection != null && (this.enableCsrfProtection = e.enableCsrfProtection), e.getCsrfTokenUrl && (this.getCsrfTokenUrl = e.getCsrfTokenUrl), e.tokensUrl && (this.tokensUrl = e.tokensUrl), e.autoRefreshUrl && (this.autoRefreshUrl = e.autoRefreshUrl), this.bffPrefix.endsWith("/") || (this.bffPrefix += "/"), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials), this.autoRefresher = new Re({
       ...e,
       autoRefreshUrl: this.autoRefreshUrl,
       tokenProvider: this
-    }), this.deviceCodePoller = new Pe({ ...e, oauthClient: void 0 });
+    }), this.deviceCodePoller = new Ie({ ...e, oauthClient: void 0 });
   }
   /**
    * Gets a CSRF token from the server
@@ -2211,8 +2302,8 @@ class ur {
         ...s
       }
     );
-    let d = null;
-    return a.body && (d = await a.json()), { status: a.status, body: d };
+    let c = null;
+    return a.body && (c = await a.json()), { status: a.status, body: c };
   }
   /**
    * Return all tokens that the client has been enabled to return.
@@ -2282,10 +2373,10 @@ class ur {
    */
   async getTokenExpiries(e, t) {
     const o = await this.getTokens(t), i = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, s = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
-    let a, d, u;
-    return i && (a = i.exp ? i.exp : null), n && (d = n.exp ? n.exp : null), s && (u = s.exp ? s.exp : null), {
+    let a, c, u;
+    return i && (a = i.exp ? i.exp : null), n && (c = n.exp ? n.exp : null), s && (u = s.exp ? s.exp : null), {
       id: a,
-      access: d,
+      access: c,
       refresh: u
     };
   }
@@ -2326,7 +2417,7 @@ class hr extends dr {
     return btoa(n.reduce((s, a) => s + String.fromCharCode(a), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
   }
 }
-var j, O, R, K, D, B, L;
+var x, N, I, K, z, J, M, q, V, B;
 class gr extends cr {
   /**
    * Constructor
@@ -2386,21 +2477,26 @@ class gr extends cr {
     f(this, "accessTokenName", "CROSSAUTH_AT");
     f(this, "refreshTokenName", "CROSSAUTH_RT");
     f(this, "idTokenName", "CROSSAUTH_IT");
-    N(this, j);
-    N(this, O);
-    N(this, R);
-    N(this, K);
-    N(this, D);
-    N(this, B);
-    N(this, L);
+    A(this, x);
+    A(this, N);
+    A(this, I);
+    A(this, K);
+    A(this, z);
+    A(this, J);
+    A(this, M);
     f(this, "autoRefresher");
     f(this, "deviceCodePoller");
     f(this, "deviceAuthorizationUrl", "device_authorization");
-    this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/") && (this.resServerBaseUrl += "/")), t.accessTokenResponseType && (this.accessTokenResponseType = t.accessTokenResponseType), t.idTokenResponseType && (this.idTokenResponseType = t.idTokenResponseType), t.refreshTokenResponseType && (this.refreshTokenResponseType = t.refreshTokenResponseType), t.accessTokenName && (this.accessTokenName = t.accessTokenName), t.idTokenName && (this.idTokenName = t.idTokenName), t.refreshTokenName && (this.refreshTokenName = t.refreshTokenName), t.resServerHeaders && (this.resServerHeaders = t.resServerHeaders), t.resServerMode && (this.resServerMode = t.resServerMode), t.resServerCredentials && (this.resServerCredentials = t.resServerCredentials), t.client_id && b(this, B, t.client_id), t.client_secret && b(this, L, t.client_secret), t.deviceAuthorizationUrl && (this.deviceAuthorizationUrl = t.deviceAuthorizationUrl), this.autoRefresher = new Ae({
+    A(this, q);
+    A(this, V);
+    A(this, B);
+    f(this, "scope");
+    f(this, "logFetch", !1);
+    this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/") && (this.resServerBaseUrl += "/")), t.accessTokenResponseType && (this.accessTokenResponseType = t.accessTokenResponseType), t.idTokenResponseType && (this.idTokenResponseType = t.idTokenResponseType), t.refreshTokenResponseType && (this.refreshTokenResponseType = t.refreshTokenResponseType), t.accessTokenName && (this.accessTokenName = t.accessTokenName), t.idTokenName && (this.idTokenName = t.idTokenName), t.refreshTokenName && (this.refreshTokenName = t.refreshTokenName), t.resServerHeaders && (this.resServerHeaders = t.resServerHeaders), t.resServerMode && (this.resServerMode = t.resServerMode), t.resServerCredentials && (this.resServerCredentials = t.resServerCredentials), t.client_id && T(this, J, t.client_id), t.client_secret && T(this, M, t.client_secret), t.deviceAuthorizationUrl && (this.deviceAuthorizationUrl = t.deviceAuthorizationUrl), this.autoRefresher = new Re({
       ...t,
       autoRefreshUrl: this.authServerBaseUrl + "/token",
       tokenProvider: this
-    }), this.deviceCodePoller = new Pe({ ...t, oauthClient: this, deviceCodePollUrl: null });
+    }), this.deviceCodePoller = new Ie({ ...t, oauthClient: this, deviceCodePollUrl: null });
     let o, i, n;
     if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ? i = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (i = localStorage.getItem(this.accessTokenName)), this.refreshTokenResponseType == "sessionStorage" ? n = sessionStorage.getItem(this.refreshTokenName) : this.refreshTokenResponseType == "localStorage" && (n = localStorage.getItem(this.refreshTokenName)), this.receiveTokens({
       access_token: i,
@@ -2408,31 +2504,31 @@ class gr extends cr {
       refresh_token: n
     }), i) {
       const s = this.getTokenPayload(i);
-      s && (b(this, j, i), b(this, K, s));
+      s && (T(this, x, i), T(this, K, s));
     }
     if (n) {
       const s = this.getTokenPayload(n);
-      s && (b(this, O, n), b(this, D, s));
+      s && (T(this, N, n), T(this, z, s));
     }
     o ? this.validateIdToken(o).then((s) => {
-      b(this, R, s), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
-        c.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
+      T(this, I, s), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
+        d.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
       });
     }).catch((s) => {
-      c.logger.debug(h({ err: s, msg: "Couldn't validate ID token" }));
-    }) : w(this, j) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((s) => {
-      c.logger.debug(h({ err: s, msg: "Couldn't start auto refresh" }));
+      d.logger.debug(h({ err: s, msg: "Couldn't validate ID token" }));
+    }) : p(this, x) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((s) => {
+      d.logger.debug(h({ err: s, msg: "Couldn't start auto refresh" }));
     }) : n && !i && this.refreshTokenFlow(n).then((s) => {
-      c.logger.debug(h({ msg: "Refreshed tokens" })), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
-        c.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
+      d.logger.debug(h({ msg: "Refreshed tokens" })), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
+        d.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
       });
     }).catch((s) => {
       const a = g.asCrossauthError(s);
-      c.logger.debug(h({ err: a })), c.logger.error(h({ msg: "failed refreshing tokens", cerr: a }));
+      d.logger.debug(h({ err: a })), d.logger.error(h({ msg: "failed refreshing tokens", cerr: a }));
     });
   }
   get idTokenPayload() {
-    return w(this, R);
+    return p(this, I);
   }
   /**
    * Processes the query parameters for a Redirect URI request if they
@@ -2466,14 +2562,19 @@ class gr extends cr {
     if (!s && !i) return;
     if (s) {
       const u = g.fromOAuthError(s, a);
-      throw c.logger.debug(h({ err: u })), c.logger.error(h({ cerr: u, msg: "Error from authorize endpoint: " + s })), u;
+      throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from authorize endpoint: " + s })), u;
     }
-    const d = await this.redirectEndpoint(i, n, s, a);
-    if (d.error) {
-      const u = g.fromOAuthError(d.error, a);
-      throw c.logger.debug(h({ err: u })), c.logger.error(h({ cerr: u, msg: "Error from redirect endpoint: " + d.error })), u;
+    if (p(this, B) && n != p(this, B))
+      return {
+        error: "access_denied",
+        error_description: "Invalid state"
+      };
+    const c = await this.redirectEndpoint(i, this.scope, p(this, V), s, a);
+    if (c.error) {
+      const u = g.fromOAuthError(c.error, a);
+      throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from redirect endpoint: " + c.error })), u;
     }
-    return await this.receiveTokens(d), d;
+    return await this.receiveTokens(c), c;
   }
   /**
    * Turns auto refresh of tokens on
@@ -2512,7 +2613,7 @@ class gr extends cr {
    * @returns the payload as an object
    */
   getIdToken() {
-    return w(this, R);
+    return p(this, I);
   }
   ///////
   // Implementation of abstract methods
@@ -2533,7 +2634,7 @@ class gr extends cr {
    */
   async sha256(t) {
     const i = new TextEncoder().encode(t), n = await crypto.subtle.digest("SHA-256", i), s = Array.from(new Uint8Array(n));
-    return btoa(s.reduce((a, d) => a + String.fromCharCode(d), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+    return btoa(s.reduce((a, c) => a + String.fromCharCode(c), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
   }
   /**
    * Calls an API endpoint on the resource server
@@ -2549,7 +2650,7 @@ class gr extends cr {
     i && (s.body = JSON.stringify(i));
     let a;
     this.accessTokenResponseType == "sessionStorage" ? a = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (a = localStorage.getItem(this.accessTokenName)), n.authorization = "Bearer " + a;
-    const d = await fetch(
+    const c = await fetch(
       this.resServerBaseUrl + o,
       {
         headers: n,
@@ -2560,7 +2661,7 @@ class gr extends cr {
       }
     );
     let u = null;
-    return d.body && (u = await d.json()), { status: d.status, body: u };
+    return c.body && (u = await c.json()), { status: c.status, body: u };
   }
   ///////////////////////////////////////////////////////////
   // OAuthTokenProvider interface
@@ -2573,7 +2674,7 @@ class gr extends cr {
    */
   async getTokenExpiries(t, o) {
     let i, n, s;
-    return w(this, R) && (i = w(this, R).exp ? w(this, R).exp : null), w(this, K) && (n = w(this, K).exp ? w(this, K).exp : null), w(this, D) && (s = w(this, D).exp ? w(this, D).exp : null), {
+    return p(this, I) && (i = p(this, I).exp ? p(this, I).exp : null), p(this, K) && (n = p(this, K).exp ? p(this, K).exp : null), p(this, z) && (s = p(this, z).exp ? p(this, z).exp : null), {
       id: i,
       access: n,
       refresh: s
@@ -2591,15 +2692,15 @@ class gr extends cr {
    */
   async jsonFetchWithToken(t, o, i) {
     if (i == "access") {
-      if (!w(this, j))
+      if (!p(this, x))
         throw new g(m.InvalidToken, "Cannot make fetch with access token - no access token defined");
-      o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + w(this, j);
+      o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + p(this, x);
     } else {
-      if (o.body || (o.body = {}), !w(this, O))
+      if (o.body || (o.body = {}), !p(this, N))
         throw new g(m.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
-      o.body.refresh_token = w(this, O), o.body.grant_type = "refresh_token";
+      o.body.refresh_token = p(this, N), o.body.grant_type = "refresh_token";
     }
-    return w(this, B) && (o.body || (o.body = {}), o.body.client_id = w(this, B), w(this, L) && (o.body.client_secret = w(this, L))), typeof o.body != "string" && (o.body = JSON.stringify(o.body)), await fetch(t, o);
+    return p(this, J) && (o.body || (o.body = {}), o.body.client_id = p(this, J), p(this, M) && (o.body.client_secret = p(this, M))), typeof o.body != "string" && (o.body = JSON.stringify(o.body)), await fetch(t, o);
   }
   /**
    * Does nothing as CSRF tokens are not needed for this class
@@ -2610,15 +2711,15 @@ class gr extends cr {
   async receiveTokens(t) {
     if (t.access_token) {
       const o = this.getTokenPayload(t.access_token);
-      o && (b(this, j, t.access_token), b(this, K, o)), this.accessTokenResponseType == "localStorage" ? localStorage.setItem(this.accessTokenName, t.access_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.accessTokenName, t.access_token);
+      o && (T(this, x, t.access_token), T(this, K, o)), this.accessTokenResponseType == "localStorage" ? localStorage.setItem(this.accessTokenName, t.access_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.accessTokenName, t.access_token);
     }
     if (t.refresh_token) {
       const o = this.getTokenPayload(t.refresh_token);
-      o && (b(this, O, t.refresh_token), b(this, D, o)), this.refreshTokenResponseType == "localStorage" ? localStorage.setItem(this.refreshTokenName, t.refresh_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);
+      o && (T(this, N, t.refresh_token), T(this, z, o)), this.refreshTokenResponseType == "localStorage" ? localStorage.setItem(this.refreshTokenName, t.refresh_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);
     }
     if (t.id_token) {
       const o = await this.validateIdToken(t.id_token);
-      b(this, R, o), this.idTokenResponseType == "localStorage" ? localStorage.setItem(this.idTokenName, t.id_token) : this.idTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.idTokenName, t.id_token);
+      T(this, I, o), this.idTokenResponseType == "localStorage" ? localStorage.setItem(this.idTokenName, t.id_token) : this.idTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.idTokenName, t.id_token);
     }
   }
   /////////
@@ -2680,8 +2781,8 @@ class gr extends cr {
    */
   async refreshTokenFlow(t) {
     if (!t)
-      if (w(this, O))
-        t = w(this, O);
+      if (p(this, N))
+        t = p(this, N);
       else
         throw new g(m.InvalidToken, "Cannot refresh tokens: no refresh token present");
     const o = await super.refreshTokenFlow(t);
@@ -2693,25 +2794,30 @@ class gr extends cr {
    * @param pkce whether or not to use PKCE.
    */
   async authorizationCodeFlow(t, o = !1) {
-    const i = await super.startAuthorizationCodeFlow(t, o);
-    if (i.error || !i.url) {
-      const n = g.fromOAuthError(
-        i.error ?? "Couldn't create URL for authorization code flow",
-        i.error_description
+    const i = this.randomValue(this.stateLength);
+    if (this.scope = t, o) {
+      const s = await this.codeChallengeAndVerifier();
+      T(this, q, s.codeChallenge), T(this, V, s.codeVerifier), T(this, B, i);
+    }
+    const n = await super.startAuthorizationCodeFlow(i, t, p(this, q), o);
+    if (n.error || !n.url) {
+      const s = g.fromOAuthError(
+        n.error ?? "Couldn't create URL for authorization code flow",
+        n.error_description
       );
-      throw c.logger.debug(h({ err: n })), n;
+      throw d.logger.debug(h({ err: s })), s;
     }
-    location.href = i.url;
+    location.href = n.url;
   }
 }
-j = new WeakMap(), O = new WeakMap(), R = new WeakMap(), K = new WeakMap(), D = new WeakMap(), B = new WeakMap(), L = new WeakMap();
+x = new WeakMap(), N = new WeakMap(), I = new WeakMap(), K = new WeakMap(), z = new WeakMap(), J = new WeakMap(), M = new WeakMap(), q = new WeakMap(), V = new WeakMap(), B = new WeakMap();
 export {
   g as CrossauthError,
-  c as CrossauthLogger,
-  Ae as OAuthAutoRefresher,
+  d as CrossauthLogger,
+  Re as OAuthAutoRefresher,
   ur as OAuthBffClient,
   gr as OAuthClient,
-  Pe as OAuthDeviceCodePoller,
+  Ie as OAuthDeviceCodePoller,
   hr as OAuthTokenConsumer,
   fr as OAuthTokenProvider,
   h as j