@crossauth/frontend 0.0.5 → 0.0.8

package/dist/index.js

@@ -1,47 +1,39 @@
-var __defProp = Object.defineProperty;
-var __typeError = (msg) => {
-  throw TypeError(msg);
+var Ie = Object.defineProperty;
+var ce = (r) => {
+  throw TypeError(r);
 };
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
-var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
-var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
-var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
-var _accessToken, _refreshToken, _idTokenPayload, _accessTokenPayload, _refreshTokenPayload, _client_id, _client_secret;
-var fe = Object.defineProperty;
-var G = (e) => {
-  throw TypeError(e);
-};
-var pe = (e, t, r) => t in e ? fe(e, t, { enumerable: true, configurable: true, writable: true, value: r }) : e[t] = r;
-var a = (e, t, r) => pe(e, typeof t != "symbol" ? t + "" : t, r), Y = (e, t, r) => t.has(e) || G("Cannot " + r);
-var u = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), O = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), _ = (e, t, r, n) => (Y(e, t, "write to private field"), t.set(e, r), r);
-class k {
+var Ue = (r, e, t) => e in r ? Ie(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
+var f = (r, e, t) => Ue(r, typeof e != "symbol" ? e + "" : e, t), de = (r, e, t) => e.has(r) || ce("Cannot " + t);
+var w = (r, e, t) => (de(r, e, "read from private field"), t ? t.call(r) : e.get(r)), N = (r, e, t) => e.has(r) ? ce("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), b = (r, e, t, o) => (de(r, e, "write to private field"), o ? o.call(r, t) : e.set(r, t), t);
+var Oe = Object.defineProperty, ge = (r) => {
+  throw TypeError(r);
+}, Ne = (r, e, t) => e in r ? Oe(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, l = (r, e, t) => Ne(r, typeof e != "symbol" ? e + "" : e, t), pe = (r, e, t) => e.has(r) || ge("Cannot " + t), p = (r, e, t) => (pe(r, e, "read from private field"), t ? t.call(r) : e.get(r)), $ = (r, e, t) => e.has(r) ? ge("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), A = (r, e, t, o) => (pe(r, e, "write to private field"), e.set(r, t), t);
+class H {
 }
-a(k, "active", "active"), /** Deactivated account.  User cannot log in */
-a(k, "disabled", "disabled"), /** Two factor authentication has been actived for this user
+l(H, "active", "active"), /** Deactivated account.  User cannot log in */
+l(H, "disabled", "disabled"), /** Two factor authentication has been actived for this user
 * but has not yet been configured.  Once a user logs in,
 * they will be directed to a page to configure 2FA and will
 * not be able to do anything else (that requires login) until
 * they have done so.
 */
-a(k, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
+l(H, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
 * verified his or her email address.  Cannot log on until it has
 * been verified.
 */
-a(k, "awaitingEmailVerification", "awaitingemailverification"), /**
+l(H, "awaitingEmailVerification", "awaitingemailverification"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has changed their password.
 * 
 * Upon login, the user is redirected to the change password page.
 */
-a(k, "passwordChangeNeeded", "passwordchangeneeded"), /**
+l(H, "passwordChangeNeeded", "passwordchangeneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their password.
 * 
 * Upon login, the user is redirected to the reset password page.
 */
-a(k, "passwordResetNeeded", "passwordresetneeded"), /**
+l(H, "passwordResetNeeded", "passwordresetneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their second
 * factor configuration.
@@ -52,27 +44,27 @@ a(k, "passwordResetNeeded", "passwordresetneeded"), /**
 * this value and the user will then be prompted to configure 2FA 
 * upon login.
 */
-a(k, "factor2ResetNeeded", "factor2resetneeded"), /**
+l(H, "factor2ResetNeeded", "factor2resetneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their password
 * and then resets factor2.
 * 
 * Upon login, the user is redirected to the reset password page.
 */
-a(k, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
-class C {
+l(H, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
+class P {
 }
-a(C, "session", "s:"), /** Password Reset Token */
-a(C, "passwordResetToken", "p:"), /** Email verification token */
-a(C, "emailVerificationToken", "e:"), /** API key */
-a(C, "apiKey", "api:"), /** OAuth authorization code */
-a(C, "authorizationCode", "authz:"), /** OAuth access token */
-a(C, "accessToken", "access:"), /** OAuth refresh token */
-a(C, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
-a(C, "mfaToken", "omfa:"), /** Device code device code */
-a(C, "deviceCode", "dc:"), /** Device code flow user code */
-a(C, "userCode", "uc:");
-var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
+l(P, "session", "s:"), /** Password Reset Token */
+l(P, "passwordResetToken", "p:"), /** Email verification token */
+l(P, "emailVerificationToken", "e:"), /** API key */
+l(P, "apiKey", "api:"), /** OAuth authorization code */
+l(P, "authorizationCode", "authz:"), /** OAuth access token */
+l(P, "accessToken", "access:"), /** OAuth refresh token */
+l(P, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+l(P, "mfaToken", "omfa:"), /** Device code device code */
+l(P, "deviceCode", "dc:"), /** Device code flow user code */
+l(P, "userCode", "uc:");
+var m = /* @__PURE__ */ ((r) => (r[r.UserNotExist = 0] = "UserNotExist", r[r.PasswordInvalid = 1] = "PasswordInvalid", r[r.EmailNotExist = 2] = "EmailNotExist", r[r.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", r[r.InvalidClientId = 4] = "InvalidClientId", r[r.ClientExists = 5] = "ClientExists", r[r.InvalidClientSecret = 6] = "InvalidClientSecret", r[r.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", r[r.InvalidRedirectUri = 8] = "InvalidRedirectUri", r[r.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", r[r.UserNotActive = 10] = "UserNotActive", r[r.EmailNotVerified = 11] = "EmailNotVerified", r[r.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", r[r.Unauthorized = 13] = "Unauthorized", r[r.UnauthorizedClient = 14] = "UnauthorizedClient", r[r.InvalidScope = 15] = "InvalidScope", r[r.InsufficientScope = 16] = "InsufficientScope", r[r.InsufficientPriviledges = 17] = "InsufficientPriviledges", r[r.Forbidden = 18] = "Forbidden", r[r.InvalidKey = 19] = "InvalidKey", r[r.InvalidCsrf = 20] = "InvalidCsrf", r[r.InvalidSession = 21] = "InvalidSession", r[r.Expired = 22] = "Expired", r[r.Connection = 23] = "Connection", r[r.InvalidHash = 24] = "InvalidHash", r[r.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", r[r.KeyExists = 26] = "KeyExists", r[r.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", r[r.PasswordResetNeeded = 28] = "PasswordResetNeeded", r[r.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", r[r.Configuration = 30] = "Configuration", r[r.InvalidEmail = 31] = "InvalidEmail", r[r.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", r[r.InvalidUsername = 33] = "InvalidUsername", r[r.PasswordMatch = 34] = "PasswordMatch", r[r.InvalidToken = 35] = "InvalidToken", r[r.MfaRequired = 36] = "MfaRequired", r[r.PasswordFormat = 37] = "PasswordFormat", r[r.DataFormat = 38] = "DataFormat", r[r.FetchError = 39] = "FetchError", r[r.UserExists = 40] = "UserExists", r[r.FormEntry = 41] = "FormEntry", r[r.BadRequest = 42] = "BadRequest", r[r.AuthorizationPending = 43] = "AuthorizationPending", r[r.SlowDown = 44] = "SlowDown", r[r.ExpiredToken = 45] = "ExpiredToken", r[r.ConstraintViolation = 46] = "ConstraintViolation", r[r.NotImplemented = 47] = "NotImplemented", r[r.UnknownError = 48] = "UnknownError", r))(m || {});
 class g extends Error {
   /**
    * Creates a new error to throw,
@@ -80,16 +72,9 @@ class g extends Error {
    * @param code describes the type of error
    * @param message if provided, this error will display.  Otherwise a default one for the error code will be used.
    */
-  constructor(r, n = void 0) {
-    let i, s = 500;
-    r == 0 ? (i = "User does not exist", s = 401) : r == 1 ? (i = "Password doesn't match", s = 401) : r == 3 ? (i = "Username or password incorrect", s = 401) : r == 4 ? (i = "Client id is invalid", s = 401) : r == 5 ? (i = "Client ID or name already exists", s = 500) : r == 6 ? (i = "Client secret is invalid", s = 401) : r == 7 ? (i = "Client id or secret is invalid", s = 401) : r == 8 ? (i = "Redirect Uri is not registered", s = 401) : r == 9 ? (i = "Invalid OAuth flow type", s = 500) : r == 2 ? (i = "No user exists with that email address", s = 401) : r == 10 ? (i = "Account is not active", s = 403) : r == 33 ? (i = "Username is not in an allowed format", s = 400) : r == 31 ? (i = "Email is not in an allowed format", s = 400) : r == 32 ? (i = "Phone number is not in an allowed format", s = 400) : r == 11 ? (i = "Email address has not been verified", s = 403) : r == 12 ? (i = "Two-factor setup is not complete", s = 403) : r == 13 ? (i = "Not authorized", s = 401) : r == 14 ? (i = "Client not authorized", s = 401) : r == 15 ? (i = "Invalid scope", s = 403) : r == 16 ? (i = "Insufficient scope", s = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", s = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", s = 401) : r == 18 ? (i = "You do not have permission to access this resource", s = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", s = 401) : r == 20 ? (i = "CSRF token is invalid", s = 401) : r == 21 ? (i = "Session cookie is invalid", s = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", s = 403) : r == 28 ? (i = "User must reset password", s = 403) : r == 29 ? (i = "User must reset 2FA", s = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", s = 401) : r == 35 ? (i = "Token is not valid", s = 401) : r == 36 ? (i = "MFA is required", s = 401) : r == 37 ? (i = "Password format was incorrect", s = 401) : r == 40 ? (i = "User already exists", s = 400) : r == 42 ? (i = "The request is invalid", s = 400) : r == 38 ? (i = "Session data has unexpected format", s = 500) : r == 39 ? (i = "Couldn't execute a fetch", s = 500) : r == 43 ? (i = "Waiting for authorization", s = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", s = 200) : r == 45 ? (i = "Token has expired", s = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", s = 500) : r == 47 ? (i = "This method has not been implemented", s = 500) : (i = "Unknown error", s = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
-    super(i);
-    a(this, "isCrossauthError", true);
-    a(this, "httpStatus");
-    a(this, "code");
-    a(this, "codeName");
-    a(this, "messages");
-    this.code = r, this.codeName = y[r], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
+  constructor(e, t = void 0) {
+    let o, s = 500;
+    e == 0 ? (o = "User does not exist", s = 401) : e == 1 ? (o = "Password doesn't match", s = 401) : e == 3 ? (o = "Username or password incorrect", s = 401) : e == 4 ? (o = "Client id is invalid", s = 401) : e == 5 ? (o = "Client ID or name already exists", s = 500) : e == 6 ? (o = "Client secret is invalid", s = 401) : e == 7 ? (o = "Client id or secret is invalid", s = 401) : e == 8 ? (o = "Redirect Uri is not registered", s = 401) : e == 9 ? (o = "Invalid OAuth flow type", s = 500) : e == 2 ? (o = "No user exists with that email address", s = 401) : e == 10 ? (o = "Account is not active", s = 403) : e == 33 ? (o = "Username is not in an allowed format", s = 400) : e == 31 ? (o = "Email is not in an allowed format", s = 400) : e == 32 ? (o = "Phone number is not in an allowed format", s = 400) : e == 11 ? (o = "Email address has not been verified", s = 403) : e == 12 ? (o = "Two-factor setup is not complete", s = 403) : e == 13 ? (o = "Not authorized", s = 401) : e == 14 ? (o = "Client not authorized", s = 401) : e == 15 ? (o = "Invalid scope", s = 403) : e == 16 ? (o = "Insufficient scope", s = 403) : e == 23 ? o = "Connection failure" : e == 22 ? (o = "Token has expired", s = 401) : e == 24 ? o = "Hash is not in a valid format" : e == 19 ? (o = "Key is invalid", s = 401) : e == 18 ? (o = "You do not have permission to access this resource", s = 403) : e == 17 ? (o = "You do not have the right privileges to access this resource", s = 401) : e == 20 ? (o = "CSRF token is invalid", s = 401) : e == 21 ? (o = "Session cookie is invalid", s = 401) : e == 25 ? o = "Algorithm not supported" : e == 26 ? o = "Attempt to create a key that already exists" : e == 27 ? (o = "User must change password", s = 403) : e == 28 ? (o = "User must reset password", s = 403) : e == 29 ? (o = "User must reset 2FA", s = 403) : e == 30 ? o = "There was an error in the configuration" : e == 34 ? (o = "Passwords do not match", s = 401) : e == 35 ? (o = "Token is not valid", s = 401) : e == 36 ? (o = "MFA is required", s = 401) : e == 37 ? (o = "Password format was incorrect", s = 401) : e == 40 ? (o = "User already exists", s = 400) : e == 42 ? (o = "The request is invalid", s = 400) : e == 38 ? (o = "Session data has unexpected format", s = 500) : e == 39 ? (o = "Couldn't execute a fetch", s = 500) : e == 43 ? (o = "Waiting for authorization", s = 200) : e == 44 ? (o = "Slow polling down by 5 seconds", s = 200) : e == 45 ? (o = "Token has expired", s = 401) : e == 46 ? (o = "Database update/insert caused a constraint violation", s = 500) : e == 47 ? (o = "This method has not been implemented", s = 500) : (o = "Unknown error", s = 500), t != null && !Array.isArray(t) ? o = t : Array.isArray(t) && (o = t.join(". ")), super(o), l(this, "isCrossauthError", !0), l(this, "httpStatus"), l(this, "code"), l(this, "codeName"), l(this, "messages"), this.code = e, this.codeName = m[e], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(t) ? this.messages = t : this.messages = [o], Object.setPrototypeOf(this, g.prototype);
   }
   /**
    * OAuth defines certain error types.  To convert the error in an OAuth
@@ -99,52 +84,52 @@ class g extends Error {
    * @param error_description as returned by an OAuth call (put in the `message`)
    * @returns a `CrossauthError` instance.
    */
-  static fromOAuthError(r, n) {
-    let i;
-    switch (r) {
+  static fromOAuthError(e, t) {
+    let o;
+    switch (e) {
       case "invalid_request":
-        i = 42;
+        o = 42;
         break;
       case "unauthorized_client":
-        i = 14;
+        o = 14;
         break;
       case "access_denied":
-        i = 13;
+        o = 13;
         break;
       case "unsupported_response_type":
-        i = 42;
+        o = 42;
         break;
       case "invalid_scope":
-        i = 15;
+        o = 15;
         break;
       case "server_error":
-        i = 48;
+        o = 48;
         break;
       case "temporarily_unavailable":
-        i = 23;
+        o = 23;
         break;
       case "invalid_token":
-        i = 35;
+        o = 35;
         break;
       case "expired_token":
-        i = 45;
+        o = 45;
         break;
       case "insufficient_scope":
-        i = 35;
+        o = 35;
         break;
       case "mfa_required":
-        i = 36;
+        o = 36;
         break;
       case "authorization_pending":
-        i = 43;
+        o = 43;
         break;
       case "slow_down":
-        i = 44;
+        o = 44;
         break;
       default:
-        i = 48;
+        o = 48;
     }
-    return new g(i, n);
+    return new g(o, t);
   }
   get oauthErrorCode() {
     switch (this.code) {
@@ -185,38 +170,37 @@ class g extends Error {
    * @param e the error to convert.
    * @returns  a `CrossauthError` instance.
    */
-  static asCrossauthError(r, n) {
-    if (r instanceof Error)
-      return "isCrossauthError" in r ? r : new g(48, r.message);
-    if ("errorCode" in r) {
+  static asCrossauthError(e, t) {
+    if (e instanceof Error)
+      return "isCrossauthError" in e ? e : new g(48, e.message);
+    if ("errorCode" in e) {
       let s = 48;
       try {
-        s = Number(r.errorCode) ?? 48;
+        s = Number(e.errorCode) ?? 48;
       } catch {
       }
-      let o = n ?? y[s];
-      return "errorMessage" in r ? o = r.errorMessage : "message" in r && (o = r.message), new g(s, o);
+      let n = t ?? m[s];
+      return "errorMessage" in e ? n = e.errorMessage : "message" in e && (n = e.message), new g(s, n);
     }
-    let i = n ?? y[
+    let o = t ?? m[
       48
       /* UnknownError */
     ];
-    return "message" in r && (i = r.message), new g(48, i);
+    return "message" in e && (o = e.message), new g(48, o);
   }
 }
-const m = class m2 {
+const W = class E {
   /**
    * Create a logger with the given level
    * @param level the level to report to
    */
-  constructor(t) {
-    a(this, "level");
-    if (t) this.level = t;
+  constructor(e) {
+    if (l(this, "level"), e) this.level = e;
     else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
-      const r = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
-      m2.levelName.includes(r) ? this.level = m2.levelName.indexOf(r) : this.level = m2.Error;
+      const t = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
+      E.levelName.includes(t) ? this.level = E.levelName.indexOf(t) : this.level = E.Error;
     } else
-      this.level = m2.Error;
+      this.level = E.Error;
   }
   /**
    * Return the singleton instance of the logger.
@@ -225,39 +209,39 @@ const m = class m2 {
   static get logger() {
     return globalThis.crossauthLogger;
   }
-  setLevel(t) {
-    this.level = t;
+  setLevel(e) {
+    this.level = e;
   }
-  log(t, r) {
-    t <= this.level && (typeof r == "string" ? console.log("Crossauth " + m2.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: m2.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
+  log(e, t) {
+    e <= this.level && (typeof t == "string" ? console.log("Crossauth " + E.levelName[e] + " " + (/* @__PURE__ */ new Date()).toISOString(), t) : console.log(JSON.stringify({ level: E.levelName[e], time: (/* @__PURE__ */ new Date()).toISOString(), ...t })));
   }
   /**
    * Report an error
    * @param output object to output
    */
-  error(t) {
-    this.log(m2.Error, t);
+  error(e) {
+    this.log(E.Error, e);
   }
   /**
    * Report an warning
    * @param output object to output
    */
-  warn(t) {
-    this.log(m2.Warn, t);
+  warn(e) {
+    this.log(E.Warn, e);
   }
   /**
    * Report information
    * @param output object to output
    */
-  info(t) {
-    this.log(m2.Info, t);
+  info(e) {
+    this.log(E.Info, e);
   }
   /**
    * Print a debugging message
    * @param output object to output
    */
-  debug(t) {
-    this.log(m2.Debug, t);
+  debug(e) {
+    this.log(E.Debug, e);
   }
   /** 
    * Override the default logger.
@@ -269,40 +253,40 @@ const m = class m2 {
    * @param logger a new logger instance of any supported class
    * @param acceptsJson set this to false if the logger can only take strings.
    */
-  static setLogger(t, r) {
-    globalThis.crossauthLogger = t, globalThis.crossauthLoggerAcceptsJson = r;
+  static setLogger(e, t) {
+    globalThis.crossauthLogger = e, globalThis.crossauthLoggerAcceptsJson = t;
   }
 };
-a(m, "None", 0), /** Only log errors */
-a(m, "Error", 1), /** Log errors and warning */
-a(m, "Warn", 2), /** Log errors, warnings and info messages */
-a(m, "Info", 3), /** Log everything */
-a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
-let d = m;
-function h(e) {
-  let t;
-  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
+l(W, "None", 0), /** Only log errors */
+l(W, "Error", 1), /** Log errors and warning */
+l(W, "Warn", 2), /** Log errors, warnings and info messages */
+l(W, "Info", 3), /** Log everything */
+l(W, "Debug", 4), l(W, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
+let c = W;
+function d(r) {
+  let e;
+  typeof r == "object" && "err" in r && typeof r.err == "object" && (e = r.err.stack);
   try {
-    typeof e == "object" && "err" in e && typeof e.err == "object" && e.err && "message" in e.err && !("msg" in e) && (e.msg = e.err.message);
+    typeof r == "object" && "err" in r && typeof r.err == "object" && r.err && "message" in r.err && !("msg" in r) && (r.msg = r.err.message);
   } catch {
   }
   try {
-    typeof e == "object" && "err" in e && typeof e.err == "object" && (e.err = { ...e.err, stack: t });
+    typeof r == "object" && "err" in r && typeof r.err == "object" && (r.err = { ...r.err, stack: e });
   } catch {
   }
   try {
-    typeof e == "object" && "err" in e && !("msg" in e) && (e.msg = e.msg = "An unknown error occurred");
+    typeof r == "object" && "err" in r && !("msg" in r) && (r.msg = r.msg = "An unknown error occurred");
   } catch {
   }
   try {
-    typeof e == "object" && "cerr" in e && "isCrossauthError" in e.cerr && e.cerr && (e.errorCode = e.cerr.code, e.errorCodeName = e.cerr.codeName, e.httpStatus = e.cerr.httpStatus, "msg" in e || (e.msg = e.cerr.message), delete e.cerr);
+    typeof r == "object" && "cerr" in r && "isCrossauthError" in r.cerr && r.cerr && (r.errorCode = r.cerr.code, r.errorCodeName = r.cerr.codeName, r.httpStatus = r.cerr.httpStatus, "msg" in r || (r.msg = r.cerr.message), delete r.cerr);
   } catch {
   }
-  return typeof e == "string" || globalThis.crossauthLoggerAcceptsJson ? e : JSON.stringify(e);
+  return typeof r == "string" || globalThis.crossauthLoggerAcceptsJson ? r : JSON.stringify(r);
 }
-globalThis.crossauthLogger = new d(d.None);
-globalThis.crossauthLoggerAcceptsJson = true;
-const te = {
+globalThis.crossauthLogger = new c(c.None);
+globalThis.crossauthLoggerAcceptsJson = !0;
+const ye = {
   issuer: "",
   authorization_endpoint: "",
   token_endpoint: "",
@@ -313,42 +297,42 @@ const te = {
   grant_types_supported: ["authorization_code", "implicit"],
   id_token_signing_alg_values_supported: [],
   claim_types_supported: ["normal"],
-  claims_parameter_supported: false,
-  request_parameter_supported: false,
-  request_uri_parameter_supported: true,
-  require_request_uri_registration: false
-}, F = crypto, re = (e) => e instanceof CryptoKey, H = new TextEncoder(), z = new TextDecoder();
-function ge(...e) {
-  const t = e.reduce((i, { length: s }) => i + s, 0), r = new Uint8Array(t);
-  let n = 0;
-  for (const i of e)
-    r.set(i, n), n += i.length;
-  return r;
+  claims_parameter_supported: !1,
+  request_parameter_supported: !1,
+  request_uri_parameter_supported: !0,
+  require_request_uri_registration: !1
+}, te = crypto, we = (r) => r instanceof CryptoKey, X = new TextEncoder(), G = new TextDecoder();
+function He(...r) {
+  const e = r.reduce((s, { length: n }) => s + n, 0), t = new Uint8Array(e);
+  let o = 0;
+  for (const s of r)
+    t.set(s, o), o += s.length;
+  return t;
 }
-const ye = (e) => {
-  const t = atob(e), r = new Uint8Array(t.length);
-  for (let n = 0; n < t.length; n++)
-    r[n] = t.charCodeAt(n);
-  return r;
-}, K = (e) => {
-  let t = e;
-  t instanceof Uint8Array && (t = z.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+const xe = (r) => {
+  const e = atob(r), t = new Uint8Array(e.length);
+  for (let o = 0; o < e.length; o++)
+    t[o] = e.charCodeAt(o);
+  return t;
+}, M = (r) => {
+  let e = r;
+  e instanceof Uint8Array && (e = G.decode(e)), e = e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
-    return ye(t);
+    return xe(e);
   } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 };
-class $ extends Error {
+class oe extends Error {
   static get code() {
     return "ERR_JOSE_GENERIC";
   }
-  constructor(t) {
-    var r;
-    super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  constructor(e) {
+    var t;
+    super(e), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (t = Error.captureStackTrace) == null || t.call(Error, this, this.constructor);
   }
 }
-class b extends $ {
+class I extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
   }
@@ -356,7 +340,7 @@ class b extends $ {
     return "ERR_JOSE_NOT_SUPPORTED";
   }
 }
-class v extends $ {
+class S extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JWS_INVALID";
   }
@@ -364,7 +348,7 @@ class v extends $ {
     return "ERR_JWS_INVALID";
   }
 }
-class E extends $ {
+class D extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JWT_INVALID";
   }
@@ -372,7 +356,7 @@ class E extends $ {
     return "ERR_JWT_INVALID";
   }
 }
-class me extends $ {
+class je extends oe {
   constructor() {
     super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
   }
@@ -380,17 +364,17 @@ class me extends $ {
     return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
   }
 }
-function A(e, t = "algorithm.name") {
-  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
+function U(r, e = "algorithm.name") {
+  return new TypeError(`CryptoKey does not support this operation, its ${e} must be ${r}`);
 }
-function J(e, t) {
-  return e.name === t;
+function Q(r, e) {
+  return r.name === e;
 }
-function L(e) {
-  return parseInt(e.name.slice(4), 10);
+function se(r) {
+  return parseInt(r.name.slice(4), 10);
 }
-function we(e) {
-  switch (e) {
+function Ke(r) {
+  switch (r) {
     case "ES256":
       return "P-256";
     case "ES384":
@@ -401,523 +385,523 @@ function we(e) {
       throw new Error("unreachable");
   }
 }
-function ve(e, t) {
-  if (t.length && !t.some((r) => e.usages.includes(r))) {
-    let r = "CryptoKey does not support this operation, its usages must include ";
-    if (t.length > 2) {
-      const n = t.pop();
-      r += `one of ${t.join(", ")}, or ${n}.`;
-    } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
-    throw new TypeError(r);
+function ze(r, e) {
+  if (e.length && !e.some((t) => r.usages.includes(t))) {
+    let t = "CryptoKey does not support this operation, its usages must include ";
+    if (e.length > 2) {
+      const o = e.pop();
+      t += `one of ${e.join(", ")}, or ${o}.`;
+    } else e.length === 2 ? t += `one of ${e[0]} or ${e[1]}.` : t += `${e[0]}.`;
+    throw new TypeError(t);
   }
 }
-function Se(e, t, ...r) {
-  switch (t) {
+function De(r, e, ...t) {
+  switch (e) {
     case "HS256":
     case "HS384":
     case "HS512": {
-      if (!J(e.algorithm, "HMAC"))
-        throw A("HMAC");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (!Q(r.algorithm, "HMAC"))
+        throw U("HMAC");
+      const o = parseInt(e.slice(2), 10);
+      if (se(r.algorithm.hash) !== o)
+        throw U(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "RS256":
     case "RS384":
     case "RS512": {
-      if (!J(e.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw A("RSASSA-PKCS1-v1_5");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (!Q(r.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw U("RSASSA-PKCS1-v1_5");
+      const o = parseInt(e.slice(2), 10);
+      if (se(r.algorithm.hash) !== o)
+        throw U(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "PS256":
     case "PS384":
     case "PS512": {
-      if (!J(e.algorithm, "RSA-PSS"))
-        throw A("RSA-PSS");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (!Q(r.algorithm, "RSA-PSS"))
+        throw U("RSA-PSS");
+      const o = parseInt(e.slice(2), 10);
+      if (se(r.algorithm.hash) !== o)
+        throw U(`SHA-${o}`, "algorithm.hash");
       break;
     }
     case "EdDSA": {
-      if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
-        throw A("Ed25519 or Ed448");
+      if (r.algorithm.name !== "Ed25519" && r.algorithm.name !== "Ed448")
+        throw U("Ed25519 or Ed448");
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
-      if (!J(e.algorithm, "ECDSA"))
-        throw A("ECDSA");
-      const n = we(t);
-      if (e.algorithm.namedCurve !== n)
-        throw A(n, "algorithm.namedCurve");
+      if (!Q(r.algorithm, "ECDSA"))
+        throw U("ECDSA");
+      const o = Ke(e);
+      if (r.algorithm.namedCurve !== o)
+        throw U(o, "algorithm.namedCurve");
       break;
     }
     default:
       throw new TypeError("CryptoKey does not support this operation");
   }
-  ve(e, r);
+  ze(r, t);
 }
-function ie(e, t, ...r) {
-  var n;
-  if (r.length > 2) {
-    const i = r.pop();
-    e += `one of type ${r.join(", ")}, or ${i}.`;
-  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
-  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+function me(r, e, ...t) {
+  var o;
+  if (t.length > 2) {
+    const s = t.pop();
+    r += `one of type ${t.join(", ")}, or ${s}.`;
+  } else t.length === 2 ? r += `one of type ${t[0]} or ${t[1]}.` : r += `of type ${t[0]}.`;
+  return e == null ? r += ` Received ${e}` : typeof e == "function" && e.name ? r += ` Received function ${e.name}` : typeof e == "object" && e != null && (o = e.constructor) != null && o.name && (r += ` Received an instance of ${e.constructor.name}`), r;
 }
-const X = (e, ...t) => ie("Key must be ", e, ...t);
-function ne(e, t, ...r) {
-  return ie(`Key for the ${e} algorithm must be `, t, ...r);
+const he = (r, ...e) => me("Key must be ", r, ...e);
+function ve(r, e, ...t) {
+  return me(`Key for the ${r} algorithm must be `, e, ...t);
 }
-const se = (e) => re(e) ? true : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], _e = (...e) => {
-  const t = e.filter(Boolean);
-  if (t.length === 0 || t.length === 1)
-    return true;
-  let r;
-  for (const n of t) {
-    const i = Object.keys(n);
-    if (!r || r.size === 0) {
-      r = new Set(i);
+const Ce = (r) => we(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", re = ["CryptoKey"], We = (...r) => {
+  const e = r.filter(Boolean);
+  if (e.length === 0 || e.length === 1)
+    return !0;
+  let t;
+  for (const o of e) {
+    const s = Object.keys(o);
+    if (!t || t.size === 0) {
+      t = new Set(s);
       continue;
     }
-    for (const s of i) {
-      if (r.has(s))
-        return false;
-      r.add(s);
+    for (const n of s) {
+      if (t.has(n))
+        return !1;
+      t.add(n);
     }
   }
-  return true;
+  return !0;
 };
-function Ce(e) {
-  return typeof e == "object" && e !== null;
+function Fe(r) {
+  return typeof r == "object" && r !== null;
 }
-function x(e) {
-  if (!Ce(e) || Object.prototype.toString.call(e) !== "[object Object]")
-    return false;
-  if (Object.getPrototypeOf(e) === null)
-    return true;
-  let t = e;
-  for (; Object.getPrototypeOf(t) !== null; )
-    t = Object.getPrototypeOf(t);
-  return Object.getPrototypeOf(e) === t;
+function V(r) {
+  if (!Fe(r) || Object.prototype.toString.call(r) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(r) === null)
+    return !0;
+  let e = r;
+  for (; Object.getPrototypeOf(e) !== null; )
+    e = Object.getPrototypeOf(e);
+  return Object.getPrototypeOf(r) === e;
 }
-const be = (e, t) => {
-  if (e.startsWith("RS") || e.startsWith("PS")) {
-    const { modulusLength: r } = t.algorithm;
-    if (typeof r != "number" || r < 2048)
-      throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
+const Je = (r, e) => {
+  if (r.startsWith("RS") || r.startsWith("PS")) {
+    const { modulusLength: t } = e.algorithm;
+    if (typeof t != "number" || t < 2048)
+      throw new TypeError(`${r} requires key modulusLength to be 2048 bits or larger`);
   }
 };
-function Ae(e) {
-  let t, r;
-  switch (e.kty) {
+function Me(r) {
+  let e, t;
+  switch (r.kty) {
     case "RSA": {
-      switch (e.alg) {
+      switch (r.alg) {
         case "PS256":
         case "PS384":
         case "PS512":
-          t = { name: "RSA-PSS", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: "RSA-PSS", hash: `SHA-${r.alg.slice(-3)}` }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "RS256":
         case "RS384":
         case "RS512":
-          t = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${r.alg.slice(-3)}` }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "RSA-OAEP":
         case "RSA-OAEP-256":
         case "RSA-OAEP-384":
         case "RSA-OAEP-512":
-          t = {
+          e = {
             name: "RSA-OAEP",
-            hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
-          }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+            hash: `SHA-${parseInt(r.alg.slice(-3), 10) || 1}`
+          }, t = r.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     case "EC": {
-      switch (e.alg) {
+      switch (r.alg) {
         case "ES256":
-          t = { name: "ECDSA", namedCurve: "P-256" }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: "ECDSA", namedCurve: "P-256" }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "ES384":
-          t = { name: "ECDSA", namedCurve: "P-384" }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: "ECDSA", namedCurve: "P-384" }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "ES512":
-          t = { name: "ECDSA", namedCurve: "P-521" }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: "ECDSA", namedCurve: "P-521" }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
         case "ECDH-ES+A128KW":
         case "ECDH-ES+A192KW":
         case "ECDH-ES+A256KW":
-          t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
+          e = { name: "ECDH", namedCurve: r.crv }, t = r.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     case "OKP": {
-      switch (e.alg) {
+      switch (r.alg) {
         case "EdDSA":
-          t = { name: e.crv }, r = e.d ? ["sign"] : ["verify"];
+          e = { name: r.crv }, t = r.d ? ["sign"] : ["verify"];
           break;
         case "ECDH-ES":
         case "ECDH-ES+A128KW":
         case "ECDH-ES+A192KW":
         case "ECDH-ES+A256KW":
-          t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
+          e = { name: r.crv }, t = r.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     default:
-      throw new b('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+      throw new I('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
-  return { algorithm: t, keyUsages: r };
+  return { algorithm: e, keyUsages: t };
 }
-const oe = async (e) => {
-  if (!e.alg)
+const ke = async (r) => {
+  if (!r.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = Ae(e), n = [
-    t,
-    e.ext ?? false,
-    e.key_ops ?? r
-  ], i = { ...e };
-  return delete i.alg, delete i.use, F.subtle.importKey("jwk", i, ...n);
-}, ae = (e) => K(e);
-let V, j;
-const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", de = async (e, t, r, n) => {
-  let i = e.get(t);
-  if (i != null && i[n])
-    return i[n];
-  const s = await oe({ ...r, alg: n });
-  return i ? i[n] = s : e.set(t, { [n]: s }), s;
-}, Pe = (e, t) => {
-  if (ce(e)) {
-    let r = e.export({ format: "jwk" });
-    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ae(r.k) : (j || (j = /* @__PURE__ */ new WeakMap()), de(j, e, r, t));
-  }
-  return e;
-}, ke = (e, t) => {
-  if (ce(e)) {
-    let r = e.export({ format: "jwk" });
-    return r.k ? ae(r.k) : (V || (V = /* @__PURE__ */ new WeakMap()), de(V, e, r, t));
-  }
-  return e;
-}, Ie = { normalizePublicKey: Pe, normalizePrivateKey: ke }, I = (e, t, r = 0) => {
-  r === 0 && (t.unshift(t.length), t.unshift(6));
-  const n = e.indexOf(t[0], r);
-  if (n === -1)
-    return false;
-  const i = e.subarray(n, n + t.length);
-  return i.length !== t.length ? false : i.every((s, o) => s === t[o]) || I(e, t, n + 1);
-}, Q = (e) => {
-  switch (true) {
-    case I(e, [42, 134, 72, 206, 61, 3, 1, 7]):
+  const { algorithm: e, keyUsages: t } = Me(r), o = [
+    e,
+    r.ext ?? !1,
+    r.key_ops ?? t
+  ], s = { ...r };
+  return delete s.alg, delete s.use, te.subtle.importKey("jwk", s, ...o);
+}, Se = (r) => M(r);
+let ie, ne;
+const _e = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", Te = async (r, e, t, o) => {
+  let s = r.get(e);
+  if (s != null && s[o])
+    return s[o];
+  const n = await ke({ ...t, alg: o });
+  return s ? s[o] = n : r.set(e, { [o]: n }), n;
+}, Be = (r, e) => {
+  if (_e(r)) {
+    let t = r.export({ format: "jwk" });
+    return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ? Se(t.k) : (ne || (ne = /* @__PURE__ */ new WeakMap()), Te(ne, r, t, e));
+  }
+  return r;
+}, Le = (r, e) => {
+  if (_e(r)) {
+    let t = r.export({ format: "jwk" });
+    return t.k ? Se(t.k) : (ie || (ie = /* @__PURE__ */ new WeakMap()), Te(ie, r, t, e));
+  }
+  return r;
+}, $e = { normalizePublicKey: Be, normalizePrivateKey: Le }, x = (r, e, t = 0) => {
+  t === 0 && (e.unshift(e.length), e.unshift(6));
+  const o = r.indexOf(e[0], t);
+  if (o === -1)
+    return !1;
+  const s = r.subarray(o, o + e.length);
+  return s.length !== e.length ? !1 : s.every((n, i) => n === e[i]) || x(r, e, o + 1);
+}, le = (r) => {
+  switch (!0) {
+    case x(r, [42, 134, 72, 206, 61, 3, 1, 7]):
       return "P-256";
-    case I(e, [43, 129, 4, 0, 34]):
+    case x(r, [43, 129, 4, 0, 34]):
       return "P-384";
-    case I(e, [43, 129, 4, 0, 35]):
+    case x(r, [43, 129, 4, 0, 35]):
       return "P-521";
-    case I(e, [43, 101, 110]):
+    case x(r, [43, 101, 110]):
       return "X25519";
-    case I(e, [43, 101, 111]):
+    case x(r, [43, 101, 111]):
       return "X448";
-    case I(e, [43, 101, 112]):
+    case x(r, [43, 101, 112]):
       return "Ed25519";
-    case I(e, [43, 101, 113]):
+    case x(r, [43, 101, 113]):
       return "Ed448";
     default:
-      throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
+      throw new I("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
   }
-}, le = async (e, t, r, n, i) => {
-  let s, o;
-  const l = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), f = t === "spki";
-  switch (n) {
+}, be = async (r, e, t, o, s) => {
+  let n, i;
+  const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))), h = e === "spki";
+  switch (o) {
     case "PS256":
     case "PS384":
     case "PS512":
-      s = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` }, i = h ? ["verify"] : ["sign"];
       break;
     case "RS256":
     case "RS384":
     case "RS512":
-      s = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
+      n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` }, i = h ? ["verify"] : ["sign"];
       break;
     case "RSA-OAEP":
     case "RSA-OAEP-256":
     case "RSA-OAEP-384":
     case "RSA-OAEP-512":
-      s = {
+      n = {
         name: "RSA-OAEP",
-        hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
-      }, o = f ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+        hash: `SHA-${parseInt(o.slice(-3), 10) || 1}`
+      }, i = h ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
       break;
     case "ES256":
-      s = { name: "ECDSA", namedCurve: "P-256" }, o = f ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-256" }, i = h ? ["verify"] : ["sign"];
       break;
     case "ES384":
-      s = { name: "ECDSA", namedCurve: "P-384" }, o = f ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-384" }, i = h ? ["verify"] : ["sign"];
       break;
     case "ES512":
-      s = { name: "ECDSA", namedCurve: "P-521" }, o = f ? ["verify"] : ["sign"];
+      n = { name: "ECDSA", namedCurve: "P-521" }, i = h ? ["verify"] : ["sign"];
       break;
     case "ECDH-ES":
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const p = Q(l);
-      s = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, o = f ? [] : ["deriveBits"];
+      const u = le(a);
+      n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, i = h ? [] : ["deriveBits"];
       break;
     }
     case "EdDSA":
-      s = { name: Q(l) }, o = f ? ["verify"] : ["sign"];
+      n = { name: le(a) }, i = h ? ["verify"] : ["sign"];
       break;
     default:
-      throw new b('Invalid or unsupported "alg" (Algorithm) value');
+      throw new I('Invalid or unsupported "alg" (Algorithm) value');
   }
-  return F.subtle.importKey(t, l, s, false, o);
-}, Te = (e, t, r) => le(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Re = (e, t, r) => le(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
-async function Ee(e, t, r) {
-  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
+  return te.subtle.importKey(e, a, n, !1, i);
+}, qe = (r, e, t) => be(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", r, e), Ve = (r, e, t) => be(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", r, e);
+async function Ge(r, e, t) {
+  if (typeof r != "string" || r.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return Re(e, t);
+  return Ve(r, e);
 }
-async function Oe(e, t, r) {
-  if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
+async function Ye(r, e, t) {
+  if (typeof r != "string" || r.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
     throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
-  return Te(e, t);
+  return qe(r, e);
 }
-async function Z(e, t) {
-  if (!x(e))
+async function ue(r, e) {
+  if (!V(r))
     throw new TypeError("JWK must be an object");
-  switch (t || (t = e.alg), e.kty) {
+  switch (e || (e = r.alg), r.kty) {
     case "oct":
-      if (typeof e.k != "string" || !e.k)
+      if (typeof r.k != "string" || !r.k)
         throw new TypeError('missing "k" (Key Value) Parameter value');
-      return K(e.k);
+      return M(r.k);
     case "RSA":
-      if (e.oth !== void 0)
-        throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      if (r.oth !== void 0)
+        throw new I('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
     case "EC":
     case "OKP":
-      return oe({ ...e, alg: t });
+      return ke({ ...r, alg: e });
     default:
-      throw new b('Unsupported "kty" (Key Type) Parameter value');
+      throw new I('Unsupported "kty" (Key Type) Parameter value');
   }
 }
-const q = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ke = (e, t) => {
-  if (!(t instanceof Uint8Array)) {
-    if (!se(t))
-      throw new TypeError(ne(e, t, ...M, "Uint8Array"));
-    if (t.type !== "secret")
-      throw new TypeError(`${q(t)} instances for symmetric algorithms must be of type "secret"`);
-  }
-}, Ne = (e, t, r) => {
-  if (!se(t))
-    throw new TypeError(ne(e, t, ...M));
-  if (t.type === "secret")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithms must not be of type "secret"`);
-  if (t.algorithm && r === "verify" && t.type === "private")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithm verifying must be of type "public"`);
-  if (t.algorithm && r === "encrypt" && t.type === "private")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithm encryption must be of type "public"`);
-}, Ue = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ke(e, t) : Ne(e, t, r);
+const ee = (r) => r == null ? void 0 : r[Symbol.toStringTag], Xe = (r, e) => {
+  if (!(e instanceof Uint8Array)) {
+    if (!Ce(e))
+      throw new TypeError(ve(r, e, ...re, "Uint8Array"));
+    if (e.type !== "secret")
+      throw new TypeError(`${ee(e)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, Qe = (r, e, t) => {
+  if (!Ce(e))
+    throw new TypeError(ve(r, e, ...re));
+  if (e.type === "secret")
+    throw new TypeError(`${ee(e)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (e.algorithm && t === "verify" && e.type === "private")
+    throw new TypeError(`${ee(e)} instances for asymmetric algorithm verifying must be of type "public"`);
+  if (e.algorithm && t === "encrypt" && e.type === "private")
+    throw new TypeError(`${ee(e)} instances for asymmetric algorithm encryption must be of type "public"`);
+}, Ze = (r, e, t) => {
+  r.startsWith("HS") || r === "dir" || r.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(r) ? Xe(r, e) : Qe(r, e, t);
 };
-function xe(e, t, r, n, i) {
-  if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
-    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
-  if (!n || n.crit === void 0)
+function er(r, e, t, o, s) {
+  if (s.crit !== void 0 && (o == null ? void 0 : o.crit) === void 0)
+    throw new r('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!o || o.crit === void 0)
     return /* @__PURE__ */ new Set();
-  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
-    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  let s;
-  s = t;
-  for (const o of n.crit) {
-    if (!s.has(o))
-      throw new b(`Extension Header Parameter "${o}" is not recognized`);
-    if (i[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" is missing`);
-    if (s.get(o) && n[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
-  }
-  return new Set(n.crit);
+  if (!Array.isArray(o.crit) || o.crit.length === 0 || o.crit.some((i) => typeof i != "string" || i.length === 0))
+    throw new r('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let n;
+  n = e;
+  for (const i of o.crit) {
+    if (!n.has(i))
+      throw new I(`Extension Header Parameter "${i}" is not recognized`);
+    if (s[i] === void 0)
+      throw new r(`Extension Header Parameter "${i}" is missing`);
+    if (n.get(i) && o[i] === void 0)
+      throw new r(`Extension Header Parameter "${i}" MUST be integrity protected`);
+  }
+  return new Set(o.crit);
 }
-function ze(e, t) {
-  const r = `SHA-${e.slice(-3)}`;
-  switch (e) {
+function rr(r, e) {
+  const t = `SHA-${r.slice(-3)}`;
+  switch (r) {
     case "HS256":
     case "HS384":
     case "HS512":
-      return { hash: r, name: "HMAC" };
+      return { hash: t, name: "HMAC" };
     case "PS256":
     case "PS384":
     case "PS512":
-      return { hash: r, name: "RSA-PSS", saltLength: e.slice(-3) >> 3 };
+      return { hash: t, name: "RSA-PSS", saltLength: r.slice(-3) >> 3 };
     case "RS256":
     case "RS384":
     case "RS512":
-      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
+      return { hash: t, name: "RSASSA-PKCS1-v1_5" };
     case "ES256":
     case "ES384":
     case "ES512":
-      return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
+      return { hash: t, name: "ECDSA", namedCurve: e.namedCurve };
     case "EdDSA":
-      return { name: t.name };
+      return { name: e.name };
     default:
-      throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+      throw new I(`alg ${r} is not supported either by JOSE or your javascript runtime`);
   }
 }
-async function We(e, t, r) {
-  if (t = await Ie.normalizePublicKey(t, e), re(t))
-    return Se(t, e, r), t;
-  if (t instanceof Uint8Array) {
-    if (!e.startsWith("HS"))
-      throw new TypeError(X(t, ...M));
-    return F.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, false, [r]);
-  }
-  throw new TypeError(X(t, ...M, "Uint8Array"));
+async function tr(r, e, t) {
+  if (e = await $e.normalizePublicKey(e, r), we(e))
+    return De(e, r, t), e;
+  if (e instanceof Uint8Array) {
+    if (!r.startsWith("HS"))
+      throw new TypeError(he(e, ...re));
+    return te.subtle.importKey("raw", e, { hash: `SHA-${r.slice(-3)}`, name: "HMAC" }, !1, [t]);
+  }
+  throw new TypeError(he(e, ...re, "Uint8Array"));
 }
-const De = async (e, t, r, n) => {
-  const i = await We(e, t, "verify");
-  be(e, i);
-  const s = ze(e, i.algorithm);
+const or = async (r, e, t, o) => {
+  const s = await tr(r, e, "verify");
+  Je(r, s);
+  const n = rr(r, s.algorithm);
   try {
-    return await F.subtle.verify(s, i, r, n);
+    return await te.subtle.verify(n, s, t, o);
   } catch {
-    return false;
+    return !1;
   }
 };
-async function He(e, t, r) {
-  if (!x(e))
-    throw new v("Flattened JWS must be an object");
-  if (e.protected === void 0 && e.header === void 0)
-    throw new v('Flattened JWS must have either of the "protected" or "header" members');
-  if (e.protected !== void 0 && typeof e.protected != "string")
-    throw new v("JWS Protected Header incorrect type");
-  if (e.payload === void 0)
-    throw new v("JWS Payload missing");
-  if (typeof e.signature != "string")
-    throw new v("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !x(e.header))
-    throw new v("JWS Unprotected Header incorrect type");
-  let n = {};
-  if (e.protected)
+async function sr(r, e, t) {
+  if (!V(r))
+    throw new S("Flattened JWS must be an object");
+  if (r.protected === void 0 && r.header === void 0)
+    throw new S('Flattened JWS must have either of the "protected" or "header" members');
+  if (r.protected !== void 0 && typeof r.protected != "string")
+    throw new S("JWS Protected Header incorrect type");
+  if (r.payload === void 0)
+    throw new S("JWS Payload missing");
+  if (typeof r.signature != "string")
+    throw new S("JWS Signature missing or incorrect type");
+  if (r.header !== void 0 && !V(r.header))
+    throw new S("JWS Unprotected Header incorrect type");
+  let o = {};
+  if (r.protected)
     try {
-      const ue = K(e.protected);
-      n = JSON.parse(z.decode(ue));
+      const Re = M(r.protected);
+      o = JSON.parse(G.decode(Re));
     } catch {
-      throw new v("JWS Protected Header is invalid");
-    }
-  if (!_e(n, e.header))
-    throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-  const i = {
-    ...n,
-    ...e.header
-  }, s = xe(v, /* @__PURE__ */ new Map([["b64", true]]), void 0, n, i);
-  let o = true;
-  if (s.has("b64") && (o = n.b64, typeof o != "boolean"))
-    throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-  const { alg: l } = i;
-  if (typeof l != "string" || !l)
-    throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  if (o) {
-    if (typeof e.payload != "string")
-      throw new v("JWS Payload must be a string");
-  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
-    throw new v("JWS Payload must be a string or an Uint8Array instance");
-  let f = false;
-  typeof t == "function" && (t = await t(n, e), f = true), Ue(l, t, "verify");
-  const p = ge(H.encode(e.protected ?? ""), H.encode("."), typeof e.payload == "string" ? H.encode(e.payload) : e.payload);
-  let P;
+      throw new S("JWS Protected Header is invalid");
+    }
+  if (!We(o, r.header))
+    throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const s = {
+    ...o,
+    ...r.header
+  }, n = er(S, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o, s);
+  let i = !0;
+  if (n.has("b64") && (i = o.b64, typeof i != "boolean"))
+    throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: a } = s;
+  if (typeof a != "string" || !a)
+    throw new S('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  if (i) {
+    if (typeof r.payload != "string")
+      throw new S("JWS Payload must be a string");
+  } else if (typeof r.payload != "string" && !(r.payload instanceof Uint8Array))
+    throw new S("JWS Payload must be a string or an Uint8Array instance");
+  let h = !1;
+  typeof e == "function" && (e = await e(o, r), h = !0), Ze(a, e, "verify");
+  const u = He(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
+  let y;
   try {
-    P = K(e.signature);
+    y = M(r.signature);
   } catch {
-    throw new v("Failed to base64url decode the signature");
+    throw new S("Failed to base64url decode the signature");
   }
-  if (!await De(l, t, P, p))
-    throw new me();
-  let W;
-  if (o)
+  if (!await or(a, e, y, u))
+    throw new je();
+  let _;
+  if (i)
     try {
-      W = K(e.payload);
+      _ = M(r.payload);
     } catch {
-      throw new v("Failed to base64url decode the payload");
+      throw new S("Failed to base64url decode the payload");
     }
-  else typeof e.payload == "string" ? W = H.encode(e.payload) : W = e.payload;
-  const D = { payload: W };
-  return e.protected !== void 0 && (D.protectedHeader = n), e.header !== void 0 && (D.unprotectedHeader = e.header), f ? { ...D, key: t } : D;
+  else typeof r.payload == "string" ? _ = X.encode(r.payload) : _ = r.payload;
+  const Y = { payload: _ };
+  return r.protected !== void 0 && (Y.protectedHeader = o), r.header !== void 0 && (Y.unprotectedHeader = r.header), h ? { ...Y, key: e } : Y;
 }
-async function Je(e, t, r) {
-  if (e instanceof Uint8Array && (e = z.decode(e)), typeof e != "string")
-    throw new v("Compact JWS must be a string or Uint8Array");
-  const { 0: n, 1: i, 2: s, length: o } = e.split(".");
-  if (o !== 3)
-    throw new v("Invalid Compact JWS");
-  const l = await He({ payload: i, protected: n, signature: s }, t), f = { payload: l.payload, protectedHeader: l.protectedHeader };
-  return typeof t == "function" ? { ...f, key: l.key } : f;
+async function ir(r, e, t) {
+  if (r instanceof Uint8Array && (r = G.decode(r)), typeof r != "string")
+    throw new S("Compact JWS must be a string or Uint8Array");
+  const { 0: o, 1: s, 2: n, length: i } = r.split(".");
+  if (i !== 3)
+    throw new S("Invalid Compact JWS");
+  const a = await sr({ payload: s, protected: o, signature: n }, e), h = { payload: a.payload, protectedHeader: a.protectedHeader };
+  return typeof e == "function" ? { ...h, key: a.key } : h;
 }
-const he = K;
-function qe(e) {
-  let t;
-  if (typeof e == "string") {
-    const r = e.split(".");
-    (r.length === 3 || r.length === 5) && ([t] = r);
-  } else if (typeof e == "object" && e)
-    if ("protected" in e)
-      t = e.protected;
+const Ee = M;
+function nr(r) {
+  let e;
+  if (typeof r == "string") {
+    const t = r.split(".");
+    (t.length === 3 || t.length === 5) && ([e] = t);
+  } else if (typeof r == "object" && r)
+    if ("protected" in r)
+      e = r.protected;
     else
       throw new TypeError("Token does not contain a Protected Header");
   try {
-    if (typeof t != "string" || !t)
+    if (typeof e != "string" || !e)
       throw new Error();
-    const r = JSON.parse(z.decode(he(t)));
-    if (!x(r))
+    const t = JSON.parse(G.decode(Ee(e)));
+    if (!V(t))
       throw new Error();
-    return r;
+    return t;
   } catch {
     throw new TypeError("Invalid Token or Protected Header formatting");
   }
 }
-function Me(e) {
-  if (typeof e != "string")
-    throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
-  const { 1: t, length: r } = e.split(".");
-  if (r === 5)
-    throw new E("Only JWTs using Compact JWS serialization can be decoded");
-  if (r !== 3)
-    throw new E("Invalid JWT");
-  if (!t)
-    throw new E("JWTs must contain a payload");
-  let n;
+function ar(r) {
+  if (typeof r != "string")
+    throw new D("JWTs must use Compact JWS serialization, JWT must be a string");
+  const { 1: e, length: t } = r.split(".");
+  if (t === 5)
+    throw new D("Only JWTs using Compact JWS serialization can be decoded");
+  if (t !== 3)
+    throw new D("Invalid JWT");
+  if (!e)
+    throw new D("JWTs must contain a payload");
+  let o;
   try {
-    n = he(t);
+    o = Ee(e);
   } catch {
-    throw new E("Failed to base64url decode the payload");
+    throw new D("Failed to base64url decode the payload");
   }
-  let i;
+  let s;
   try {
-    i = JSON.parse(z.decode(n));
+    s = JSON.parse(G.decode(o));
   } catch {
-    throw new E("Failed to parse the decoded payload as JSON");
+    throw new D("Failed to parse the decoded payload as JSON");
   }
-  if (!x(i))
-    throw new E("Invalid JWT Claims Set");
-  return i;
+  if (!V(s))
+    throw new D("Invalid JWT Claims Set");
+  return s;
 }
-const c = class c2 {
+const C = class v {
   /**
    * Returns a user-friendly name for the given flow strings.
    * 
@@ -925,41 +909,41 @@ const c = class c2 {
    * @param flows the flows to return the names of
    * @returns an array of strings
    */
-  static flowNames(t) {
-    let r = {};
-    return t.forEach((n) => {
-      n in c2.flowName && (r[n] = c2.flowName[n]);
-    }), r;
+  static flowNames(e) {
+    let t = {};
+    return e.forEach((o) => {
+      o in v.flowName && (t[o] = v.flowName[o]);
+    }), t;
   }
   /**
    * Returns true if the given string is a valid flow name.
    * @param flow the flow to check
    * @returns true or false.
    */
-  static isValidFlow(t) {
-    return c2.allFlows().includes(t);
+  static isValidFlow(e) {
+    return v.allFlows().includes(e);
   }
   /**
    * Returns true only if all given strings are valid flows
    * @param flows the flows to check
    * @returns true or false.
    */
-  static areAllValidFlows(t) {
-    let r = true;
-    return t.forEach((n) => {
-      c2.isValidFlow(n) || (r = false);
-    }), r;
+  static areAllValidFlows(e) {
+    let t = !0;
+    return e.forEach((o) => {
+      v.isValidFlow(o) || (t = !1);
+    }), t;
   }
   static allFlows() {
     return [
-      c2.AuthorizationCode,
-      c2.AuthorizationCodeWithPKCE,
-      c2.ClientCredentials,
-      c2.RefreshToken,
-      c2.DeviceCode,
-      c2.Password,
-      c2.PasswordMfa,
-      c2.OidcAuthorizationCode
+      v.AuthorizationCode,
+      v.AuthorizationCodeWithPKCE,
+      v.ClientCredentials,
+      v.RefreshToken,
+      v.DeviceCode,
+      v.Password,
+      v.PasswordMfa,
+      v.OidcAuthorizationCode
     ];
   }
   /**
@@ -968,52 +952,52 @@ const c = class c2 {
    * @param oauthFlow the flow to get the grant type for.
    * @returns a {@link GrantType} value
    */
-  static grantType(t) {
-    switch (t) {
-      case c2.AuthorizationCode:
-      case c2.AuthorizationCodeWithPKCE:
-      case c2.OidcAuthorizationCode:
+  static grantType(e) {
+    switch (e) {
+      case v.AuthorizationCode:
+      case v.AuthorizationCodeWithPKCE:
+      case v.OidcAuthorizationCode:
         return ["authorization_code"];
-      case c2.ClientCredentials:
+      case v.ClientCredentials:
         return ["client_credentials"];
-      case c2.RefreshToken:
+      case v.RefreshToken:
         return ["refresh_token"];
-      case c2.Password:
+      case v.Password:
         return ["password"];
-      case c2.PasswordMfa:
+      case v.PasswordMfa:
         return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
-      case c2.DeviceCode:
+      case v.DeviceCode:
         return ["urn:ietf:params:oauth:grant-type:device_code"];
     }
   }
 };
-a(c, "All", "all"), /** OAuth authorization code flow (without PKCE) */
-a(c, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
-a(c, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
-a(c, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
-a(c, "RefreshToken", "refreshToken"), /** OAuth device code flow */
-a(c, "DeviceCode", "deviceCode"), /** OAuth password flow */
-a(c, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
-a(c, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
+l(C, "All", "all"), /** OAuth authorization code flow (without PKCE) */
+l(C, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
+l(C, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
+l(C, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
+l(C, "RefreshToken", "refreshToken"), /** OAuth device code flow */
+l(C, "DeviceCode", "deviceCode"), /** OAuth password flow */
+l(C, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
+l(C, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
 * PKCE.
 */
-a(c, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
+l(C, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
 * 
 * For example, if you pass "authorizationCode" 
 * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
 */
-a(c, "flowName", {
-  [c.AuthorizationCode]: "Authorization Code",
-  [c.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
-  [c.ClientCredentials]: "Client Credentials",
-  [c.RefreshToken]: "Refresh Token",
-  [c.DeviceCode]: "Device Code",
-  [c.Password]: "Password",
-  [c.PasswordMfa]: "Password MFA",
-  [c.OidcAuthorizationCode]: "OIDC Authorization Code"
+l(C, "flowName", {
+  [C.AuthorizationCode]: "Authorization Code",
+  [C.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
+  [C.ClientCredentials]: "Client Credentials",
+  [C.RefreshToken]: "Refresh Token",
+  [C.DeviceCode]: "Device Code",
+  [C.Password]: "Password",
+  [C.PasswordMfa]: "Password MFA",
+  [C.OidcAuthorizationCode]: "OIDC Authorization Code"
 });
-var w, S, N, T, R;
-class Be {
+var k, T, q, F, J;
+class cr {
   /**
    * Constructor.
    * 
@@ -1042,50 +1026,34 @@ class Be {
    *        are received
    */
   constructor({
-    authServerBaseUrl: t,
-    client_id: r,
-    client_secret: n,
-    redirect_uri: i,
-    codeChallengeMethod: s,
-    stateLength: o,
-    verifierLength: l,
-    tokenConsumer: f,
-    authServerCredentials: p,
-    authServerMode: P,
-    authServerHeaders: U
+    authServerBaseUrl: e,
+    client_id: t,
+    client_secret: o,
+    redirect_uri: s,
+    codeChallengeMethod: n,
+    stateLength: i,
+    verifierLength: a,
+    tokenConsumer: h,
+    authServerCredentials: u,
+    authServerMode: y,
+    authServerHeaders: _
   }) {
-    a(this, "authServerBaseUrl", "");
-    O(this, w);
-    O(this, S);
-    O(this, N);
-    a(this, "codeChallengeMethod", "S256");
-    O(this, T);
-    a(this, "verifierLength", 32);
-    a(this, "redirect_uri");
-    O(this, R, "");
-    a(this, "stateLength", 32);
-    a(this, "authzCode", "");
-    a(this, "oidcConfig");
-    a(this, "tokenConsumer");
-    a(this, "authServerHeaders", {});
-    a(this, "authServerMode");
-    a(this, "authServerCredentials");
-    this.tokenConsumer = f, this.authServerBaseUrl = t, l && (this.verifierLength = l), o && (this.stateLength = o), r && _(this, w, r), n && _(this, S, n), i && (this.redirect_uri = i), s && (this.codeChallengeMethod = s), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), P && (this.authServerMode = P), U && (this.authServerHeaders = U);
-  }
-  set client_id(t) {
-    _(this, w, t);
-  }
-  set client_secret(t) {
-    _(this, S, t);
-  }
-  set codeVerifier(t) {
-    _(this, T, t);
-  }
-  set codeChallenge(t) {
-    _(this, N, t);
-  }
-  set state(t) {
-    _(this, R, t);
+    l(this, "authServerBaseUrl", ""), $(this, k), $(this, T), $(this, q), l(this, "codeChallengeMethod", "S256"), $(this, F), l(this, "verifierLength", 32), l(this, "redirect_uri"), $(this, J, ""), l(this, "stateLength", 32), l(this, "authzCode", ""), l(this, "oidcConfig"), l(this, "tokenConsumer"), l(this, "authServerHeaders", {}), l(this, "authServerMode"), l(this, "authServerCredentials"), this.tokenConsumer = h, this.authServerBaseUrl = e, a && (this.verifierLength = a), i && (this.stateLength = i), t && A(this, k, t), o && A(this, T, o), s && (this.redirect_uri = s), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, u && (this.authServerCredentials = u), y && (this.authServerMode = y), _ && (this.authServerHeaders = _);
+  }
+  set client_id(e) {
+    A(this, k, e);
+  }
+  set client_secret(e) {
+    A(this, T, e);
+  }
+  set codeVerifier(e) {
+    A(this, F, e);
+  }
+  set codeChallenge(e) {
+    A(this, q, e);
+  }
+  set state(e) {
+    A(this, J, e);
   }
   /**
    * Loads OpenID Connect configuration so that the client can determine
@@ -1098,35 +1066,35 @@ class Be {
    * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
    *   - `Connection` if data from the URL could not be fetched or parsed.
    */
-  async loadConfig(t) {
-    if (t) {
-      d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
+  async loadConfig(e) {
+    if (e) {
+      c.logger.debug(d({ msg: "Reading OIDC config locally" })), this.oidcConfig = e;
       return;
     }
-    let r;
+    let t;
     try {
-      const n = new URL(
+      const o = new URL(
         this.authServerBaseUrl + "/.well-known/openid-configuration"
       );
-      d.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
-      let i = { headers: this.authServerHeaders };
-      this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
-    } catch (n) {
-      d.logger.error(h({ err: n }));
+      c.logger.debug(d({ msg: `Fetching OIDC config from ${o}` }));
+      let s = { headers: this.authServerHeaders };
+      this.authServerMode && (s.mode = this.authServerMode), this.authServerCredentials && (s.credentials = this.authServerCredentials), t = await fetch(o, s);
+    } catch (o) {
+      c.logger.error(d({ err: o }));
     }
-    if (!r || !r.ok)
+    if (!t || !t.ok)
       throw new g(
-        y.Connection,
+        m.Connection,
         "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
       );
-    this.oidcConfig = { ...te };
+    this.oidcConfig = { ...ye };
     try {
-      const n = await r.json();
-      for (const [i, s] of Object.entries(n))
-        this.oidcConfig[i] = s;
+      const o = await t.json();
+      for (const [s, n] of Object.entries(o))
+        this.oidcConfig[s] = n;
     } catch {
       throw new g(
-        y.Connection,
+        m.Connection,
         "Unrecognized response from OIDC configuration endpoint"
       );
     }
@@ -1153,19 +1121,19 @@ class Be {
    *          - `error_description` friendly error message or undefined
    *            if no error
    */
-  async startAuthorizationCodeFlow(t, r = false) {
-    var s, o, l;
-    if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.response_types_supported.includes("code")) || !((o = this.oidcConfig) != null && o.response_modes_supported.includes("query")))
+  async startAuthorizationCodeFlow(e, t = !1) {
+    var o, s, n;
+    if (c.logger.debug(d({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.response_types_supported.includes("code")) || !((s = this.oidcConfig) != null && s.response_modes_supported.includes("query")))
       return {
         error: "invalid_request",
         error_description: "Server does not support authorization code flow"
       };
-    if (!((l = this.oidcConfig) != null && l.authorization_endpoint))
+    if (!((n = this.oidcConfig) != null && n.authorization_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get authorize endpoint"
       };
-    if (_(this, R, this.randomValue(this.stateLength)), !u(this, w)) return {
+    if (A(this, J, this.randomValue(this.stateLength)), !p(this, k)) return {
       error: "invalid_request",
       error_description: "Cannot make authorization code flow without client id"
     };
@@ -1173,8 +1141,8 @@ class Be {
       error: "invalid_request",
       error_description: "Cannot make authorization code flow without Redirect Uri"
     };
-    let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(u(this, w)) + "&state=" + encodeURIComponent(u(this, R)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
-    return t && (i += "&scope=" + encodeURIComponent(t)), r && (_(this, T, this.randomValue(this.verifierLength)), _(this, N, this.codeChallengeMethod == "plain" ? u(this, T) : await this.sha256(u(this, T))), i += "&code_challenge=" + u(this, N)), { url: i };
+    let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(p(this, k)) + "&state=" + encodeURIComponent(p(this, J)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    return e && (i += "&scope=" + encodeURIComponent(e)), t && (A(this, F, this.randomValue(this.verifierLength)), A(this, q, this.codeChallengeMethod == "plain" ? p(this, F) : await this.sha256(p(this, F))), i += "&code_challenge=" + p(this, q)), { url: i };
   }
   /**
    * This implements the functionality behind the redirect URI
@@ -1196,35 +1164,35 @@ class Be {
    * @returns The {@link OAuthTokenResponse} from the `token` endpoint
    *          request, or `error` and `error_description`.
    */
-  async redirectEndpoint(t, r, n, i) {
-    var p, P;
-    if (this.oidcConfig || await this.loadConfig(), n || !t)
-      return n || (n = "server_error"), i || (i = "Unknown error"), { error: n, error_description: i };
-    if (u(this, R) && r != u(this, R))
+  async redirectEndpoint(e, t, o, s) {
+    var n, i;
+    if (this.oidcConfig || await this.loadConfig(), o || !e)
+      return o || (o = "server_error"), s || (s = "Unknown error"), { error: o, error_description: s };
+    if (p(this, J) && t != p(this, J))
       return { error: "access_denied", error_description: "State is not valid" };
-    if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
+    if (this.authzCode = e, !((n = this.oidcConfig) != null && n.grant_types_supported.includes("authorization_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support authorization code grant"
       };
-    if (!((P = this.oidcConfig) != null && P.token_endpoint))
+    if (!((i = this.oidcConfig) != null && i.token_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
-    const s = this.oidcConfig.token_endpoint;
-    let o, l;
-    o = "authorization_code", l = u(this, S);
-    let f = {
-      grant_type: o,
-      client_id: u(this, w),
+    const a = this.oidcConfig.token_endpoint;
+    let h, u;
+    h = "authorization_code", u = p(this, T);
+    let y = {
+      grant_type: h,
+      client_id: p(this, k),
       code: this.authzCode
     };
-    l && (f.client_secret = l), f.code_verifier = u(this, T);
+    u && (y.client_secret = u), y.code_verifier = p(this, F);
     try {
-      return this.post(s, f, this.authServerHeaders);
-    } catch (U) {
-      return d.logger.error(h({ err: U })), {
+      return this.post(a, y, this.authServerHeaders);
+    } catch (_) {
+      return c.logger.error(d({ err: _ })), {
         error: "server_error",
         error_description: "Unable to get access token from server"
       };
@@ -1244,30 +1212,30 @@ class Be {
    * @returns The {@link OAuthTokenResponse} from the `token` endpoint
    *          request, or `error` and `error_description`.
    */
-  async clientCredentialsFlow(t) {
-    var i, s;
-    if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
+  async clientCredentialsFlow(e) {
+    var t, o;
+    if (c.logger.debug(d({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("client_credentials")))
       return {
         error: "invalid_request",
         error_description: "Server does not support client credentials grant"
       };
-    if (!((s = this.oidcConfig) != null && s.token_endpoint))
+    if (!((o = this.oidcConfig) != null && o.token_endpoint))
       return { error: "server_error", error_description: "Cannot get token endpoint" };
-    if (!u(this, w)) return {
+    if (!p(this, k)) return {
       error: "invalid_request",
       error_description: "Cannot make client credentials flow without client id"
     };
-    const r = this.oidcConfig.token_endpoint;
+    const s = this.oidcConfig.token_endpoint;
     let n = {
       grant_type: "client_credentials",
-      client_id: u(this, w),
-      client_secret: u(this, S)
+      client_id: p(this, k),
+      client_secret: p(this, T)
     };
-    t && (n.scope = t);
+    e && (n.scope = e);
     try {
-      return await this.post(r, n, this.authServerHeaders);
-    } catch (o) {
-      return d.logger.error(h({ err: o })), {
+      return await this.post(s, n, this.authServerHeaders);
+    } catch (i) {
+      return c.logger.error(d({ err: i })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1288,31 +1256,31 @@ class Be {
    * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
    * 
    */
-  async passwordFlow(t, r, n) {
-    var o, l;
-    if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("password")))
+  async passwordFlow(e, t, o) {
+    var s, n;
+    if (c.logger.debug(d({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("password")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password grant"
       };
-    if (!((l = this.oidcConfig) != null && l.token_endpoint))
+    if (!((n = this.oidcConfig) != null && n.token_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
     const i = this.oidcConfig.token_endpoint;
-    let s = {
+    let a = {
       grant_type: "password",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      username: t,
-      password: r
+      client_id: p(this, k),
+      client_secret: p(this, T),
+      username: e,
+      password: t
     };
-    n && (s.scope = n);
+    o && (a.scope = o);
     try {
-      return await this.post(i, s, this.authServerHeaders);
-    } catch (f) {
-      return d.logger.error(h({ err: f })), {
+      return await this.post(i, a, this.authServerHeaders);
+    } catch (h) {
+      return c.logger.error(d({ err: h })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1331,38 +1299,38 @@ class Be {
    *   - an `error` and `error_description`, also as per Auth0's Password MFA 
    *     documentation
    */
-  async mfaAuthenticators(t) {
-    var s, o, l;
-    if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+  async mfaAuthenticators(e) {
+    var t, o, s;
+    if (c.logger.debug(d({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && (o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
-    if (!((l = this.oidcConfig) != null && l.issuer))
+    if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
-    const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
-    if (!Array.isArray(n))
+    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", i = await this.get(n, { authorization: "Bearer " + e, ...this.authServerHeaders });
+    if (!Array.isArray(i))
       return {
         error: "server_error",
         error_description: "Expected array of authenticators in mfa/authenticators response"
       };
-    let i = [];
-    for (let f = 0; f < n.length; ++f) {
-      const p = n[f];
-      if (!p.id || !p.authenticator_type || !p.active)
+    let a = [];
+    for (let h = 0; h < i.length; ++h) {
+      const u = i[h];
+      if (!u.id || !u.authenticator_type || !u.active)
         return {
           error: "server_error",
           error_description: "Invalid mfa/authenticators response"
         };
-      i.push({
-        id: p.id,
-        authenticator_type: p.authenticator_type,
-        active: p.active,
-        name: p.name,
-        oob_channel: p.oob_channel
+      a.push({
+        id: u.id,
+        authenticator_type: u.authenticator_type,
+        active: u.active,
+        name: u.name,
+        oob_channel: u.oob_channel
       });
     }
-    return { authenticators: i };
+    return { authenticators: a };
   }
   /** 
    * This is part of the Auth0 Password MFA flow.  Once the client has
@@ -1376,21 +1344,21 @@ class Be {
    * @param authenticatorId the authenticator ID, as returned in the response
    * from the `mfaAuthenticators` request.
    */
-  async mfaOtpRequest(t, r) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+  async mfaOtpRequest(e, t) {
+    var o, s;
+    if (c.logger.debug(d({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
-    if (!((o = this.oidcConfig) != null && o.issuer))
+    if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: u(this, w),
-      client_secret: u(this, S),
+      client_id: p(this, k),
+      client_secret: p(this, T),
       challenge_type: "otp",
-      mfa_token: t,
-      authenticator_id: r
+      mfa_token: e,
+      authenticator_id: t
     }, this.authServerHeaders);
     return i.challenge_type != "otp" ? {
       error: i.error ?? "server_error",
@@ -1414,33 +1382,33 @@ class Be {
    *   - `error` as per Auth0 Password MFA documentation
    *   - `error_description` friendly error message
    */
-  async mfaOtpComplete(t, r, n) {
-    var o, l;
-    if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+  async mfaOtpComplete(e, t, o) {
+    var s, n;
+    if (c.logger.debug(d({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
-    if (!((l = this.oidcConfig) != null && l.issuer))
+    if (!((n = this.oidcConfig) != null && n.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
-    const i = this.oidcConfig.token_endpoint, s = await this.post(i, {
+    const i = this.oidcConfig.token_endpoint, a = await this.post(i, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
-      client_id: u(this, w),
-      client_secret: u(this, S),
+      client_id: p(this, k),
+      client_secret: p(this, T),
       challenge_type: "otp",
-      mfa_token: t,
-      otp: r,
-      scope: n
+      mfa_token: e,
+      otp: t,
+      scope: o
     }, this.authServerHeaders);
     return {
-      id_token: s.id_token,
-      access_token: s.access_token,
-      refresh_token: s.refresh_token,
-      expires_in: Number(s.expires_in),
-      scope: s.scope,
-      token_type: s.token_type,
-      error: s.error,
-      error_description: s.error_description
+      id_token: a.id_token,
+      access_token: a.access_token,
+      refresh_token: a.refresh_token,
+      expires_in: Number(a.expires_in),
+      scope: a.scope,
+      token_type: a.token_type,
+      error: a.error,
+      error_description: a.error_description
     };
   }
   /** 
@@ -1461,21 +1429,21 @@ class Be {
    *   - `error` as per Auth0 Password MFA documentation
    *   - `error_description` friendly error message
    */
-  async mfaOobRequest(t, r) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
+  async mfaOobRequest(e, t) {
+    var o, s;
+    if (c.logger.debug(d({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
-    if (!((o = this.oidcConfig) != null && o.issuer))
+    if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: u(this, w),
-      client_secret: u(this, S),
+      client_id: p(this, k),
+      client_secret: p(this, T),
       challenge_type: "oob",
-      mfa_token: t,
-      authenticator_id: r
+      mfa_token: e,
+      authenticator_id: t
     }, this.authServerHeaders);
     return i.challenge_type != "oob" || !i.oob_code || !i.binding_method ? { error: i.error ?? "server_error", error_description: i.error_description ?? "Invalid OOB challenge response" } : {
       challenge_type: i.challenge_type,
@@ -1496,42 +1464,42 @@ class Be {
    * @returns an {@link OAuthTokenResponse} object, which may contain
    *          an error instead of the response fields.
    */
-  async mfaOobComplete(t, r, n, i) {
-    var l, f;
-    if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((l = this.oidcConfig) != null && l.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
+  async mfaOobComplete(e, t, o, s) {
+    var n, i;
+    if (c.logger.debug(d({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
       return {
         error: "invalid_request",
         error_description: "Server does not support password_mfa grant"
       };
-    if (!((f = this.oidcConfig) != null && f.issuer))
+    if (!((i = this.oidcConfig) != null && i.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
-    const s = this.oidcConfig.token_endpoint, o = await this.post(s, {
+    const a = this.oidcConfig.token_endpoint, h = await this.post(a, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
-      client_id: u(this, w),
-      client_secret: u(this, S),
+      client_id: p(this, k),
+      client_secret: p(this, T),
       challenge_type: "otp",
-      mfa_token: t,
-      oob_code: r,
-      binding_code: n,
-      scope: i
+      mfa_token: e,
+      oob_code: t,
+      binding_code: o,
+      scope: s
     }, this.authServerHeaders);
-    return o.error ? {
-      error: o.error,
-      error_description: o.error_description
+    return h.error ? {
+      error: h.error,
+      error_description: h.error_description
     } : {
-      id_token: o.id_token,
-      access_token: o.access_token,
-      refresh_token: o.refresh_token,
-      expires_in: "expires_in" in o ? Number(o.expires_in) : void 0,
-      scope: o.scope,
-      token_type: o.token_type
+      id_token: h.id_token,
+      access_token: h.access_token,
+      refresh_token: h.refresh_token,
+      expires_in: "expires_in" in h ? Number(h.expires_in) : void 0,
+      scope: h.scope,
+      token_type: h.token_type
     };
   }
   //////////////////////////////////////////////////////////////////////
   // Refresh Token Flow
-  async refreshTokenFlow(t) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("refresh_token")))
+  async refreshTokenFlow(e) {
+    var t, o;
+    if (c.logger.debug(d({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("refresh_token")))
       return {
         error: "invalid_request",
         error_description: "Server does not support refresh_token grant"
@@ -1541,19 +1509,19 @@ class Be {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
-    const r = this.oidcConfig.token_endpoint;
+    const s = this.oidcConfig.token_endpoint;
     let n;
-    n = u(this, S);
+    n = p(this, T);
     let i = {
       grant_type: "refresh_token",
-      refresh_token: t,
-      client_id: u(this, w)
+      refresh_token: e,
+      client_id: p(this, k)
     };
     n && (i.client_secret = n);
     try {
-      return await this.post(r, i, this.authServerHeaders);
-    } catch (l) {
-      return d.logger.error(h({ err: l })), {
+      return await this.post(s, i, this.authServerHeaders);
+    } catch (a) {
+      return c.logger.error(d({ err: a })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1567,23 +1535,23 @@ class Be {
    * @param scope optional scope to request authorization for
    * @returns See {@link OAuthDeviceAuthorizationResponse}
    */
-  async startDeviceCodeFlow(t, r) {
-    var i;
-    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+  async startDeviceCodeFlow(e, t) {
+    var o;
+    if (c.logger.debug(d({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support device code grant"
       };
-    let n = {
+    let s = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: u(this, w),
-      client_secret: u(this, S)
+      client_id: p(this, k),
+      client_secret: p(this, T)
     };
-    r && (n.scope = r);
+    t && (s.scope = t);
     try {
-      return await this.post(t, n, this.authServerHeaders);
-    } catch (s) {
-      return d.logger.error(h({ err: s })), {
+      return await this.post(e, s, this.authServerHeaders);
+    } catch (n) {
+      return c.logger.error(d({ err: n })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1596,29 +1564,29 @@ class Be {
    * @param deviceCode the device code to poll
    * @returns See {@link OAuthDeviceResponse}
    */
-  async pollDeviceCodeFlow(t) {
-    var n, i, s;
-    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
+  async pollDeviceCodeFlow(e) {
+    var t, o, s;
+    if (c.logger.debug(d({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support device code grant"
       };
-    if (!((i = this.oidcConfig) != null && i.token_endpoint))
+    if (!((o = this.oidcConfig) != null && o.token_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
-    let r = {
+    let n = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      device_code: t
+      client_id: p(this, k),
+      client_secret: p(this, T),
+      device_code: e
     };
     try {
-      const o = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, r, this.authServerHeaders);
-      return o.error, o;
-    } catch (o) {
-      return d.logger.error(h({ err: o })), {
+      const i = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, n, this.authServerHeaders);
+      return i.error, i;
+    } catch (i) {
+      return c.logger.error(d({ err: i })), {
         error: "server_error",
         error_description: "Error connecting to authorization server"
       };
@@ -1632,22 +1600,22 @@ class Be {
    * @returns the parsed JSON response as an object.
    * @throws any exception raised by `fetch()`
    */
-  async post(t, r, n = {}) {
-    d.logger.debug(h({
+  async post(e, t, o = {}) {
+    c.logger.debug(d({
       msg: "Fetch POST",
-      url: t,
-      params: Object.keys(r)
+      url: e,
+      params: Object.keys(t)
     }));
-    let i = {};
-    return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(t, {
+    let s = {};
+    return this.authServerCredentials && (s.credentials = this.authServerCredentials), this.authServerMode && (s.mode = this.authServerMode), await (await fetch(e, {
       method: "POST",
-      ...i,
+      ...s,
       headers: {
         Accept: "application/json",
         "Content-Type": "application/json",
-        ...n
+        ...o
       },
-      body: JSON.stringify(r)
+      body: JSON.stringify(t)
     })).json();
   }
   /**
@@ -1658,16 +1626,16 @@ class Be {
    * @returns the parsed JSON response as an object.
    * @throws any exception raised by `fetch()`
    */
-  async get(t, r = {}) {
-    d.logger.debug(h({ msg: "Fetch GET", url: t }));
-    let n = {};
-    return this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), await (await fetch(t, {
+  async get(e, t = {}) {
+    c.logger.debug(d({ msg: "Fetch GET", url: e }));
+    let o = {};
+    return this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), await (await fetch(e, {
       method: "GET",
-      ...n,
+      ...o,
       headers: {
         Accept: "application/json",
         "Content-Type": "application/json",
-        ...r
+        ...t
       }
     })).json();
   }
@@ -1680,9 +1648,9 @@ class Be {
    *        be valid and the `type` claim in the payload must be set to `id`.
    * @returns the parsed payload or undefined if the token is invalid.
    */
-  async validateIdToken(t) {
+  async validateIdToken(e) {
     try {
-      return await this.tokenConsumer.tokenAuthorized(t, "id");
+      return await this.tokenConsumer.tokenAuthorized(e, "id");
     } catch {
       return;
     }
@@ -1694,20 +1662,20 @@ class Be {
    * @returns the parsed JSON of the payload, or undefinedf if it is not
    * valid.
    */
-  async idTokenAuthorized(t) {
+  async idTokenAuthorized(e) {
     try {
-      return await this.tokenConsumer.tokenAuthorized(t, "id");
-    } catch (r) {
-      d.logger.warn(h({ err: r }));
+      return await this.tokenConsumer.tokenAuthorized(e, "id");
+    } catch (t) {
+      c.logger.warn(d({ err: t }));
       return;
     }
   }
-  getTokenPayload(t) {
-    return Me(t);
+  getTokenPayload(e) {
+    return ar(e);
   }
 }
-w = /* @__PURE__ */ new WeakMap(), S = /* @__PURE__ */ new WeakMap(), N = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), R = /* @__PURE__ */ new WeakMap();
-class Le {
+k = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), q = /* @__PURE__ */ new WeakMap(), F = /* @__PURE__ */ new WeakMap(), J = /* @__PURE__ */ new WeakMap();
+class dr {
   /**
    * Constrctor
    * 
@@ -1715,18 +1683,10 @@ class Le {
    *        of the JWT.  The token is rejected if it doesn't match.
    * @param options See {@link OAuthTokenConsumerBaseOptions}.
    */
-  constructor(t, r = {}) {
-    a(this, "audience");
-    a(this, "jwtKeyType");
-    a(this, "jwtSecretKey");
-    a(this, "jwtPublicKey");
-    a(this, "clockTolerance", 10);
-    a(this, "authServerBaseUrl", "");
-    a(this, "oidcConfig");
-    a(this, "keys", {});
-    if (this.audience = t, r.authServerBaseUrl && (this.authServerBaseUrl = r.authServerBaseUrl), r.jwtKeyType && (this.jwtKeyType = r.jwtKeyType), r.jwtSecretKey && (this.jwtSecretKey = r.jwtSecretKey), r.jwtPublicKey && (this.jwtPublicKey = r.jwtPublicKey), r.clockTolerance && (this.clockTolerance = r.clockTolerance), r.oidcConfig && (this.oidcConfig = r.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
+  constructor(e, t = {}) {
+    if (l(this, "audience"), l(this, "jwtKeyType"), l(this, "jwtSecretKey"), l(this, "jwtPublicKey"), l(this, "clockTolerance", 10), l(this, "authServerBaseUrl", ""), l(this, "oidcConfig"), l(this, "keys", {}), this.audience = e, t.authServerBaseUrl && (this.authServerBaseUrl = t.authServerBaseUrl), t.jwtKeyType && (this.jwtKeyType = t.jwtKeyType), t.jwtSecretKey && (this.jwtSecretKey = t.jwtSecretKey), t.jwtPublicKey && (this.jwtPublicKey = t.jwtPublicKey), t.clockTolerance && (this.clockTolerance = t.clockTolerance), t.oidcConfig && (this.oidcConfig = t.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
       throw new g(
-        y.Configuration,
+        m.Configuration,
         "If specifying jwtPublic key, must also specify jwtKeyType"
       );
   }
@@ -1743,28 +1703,28 @@ class Le {
       if (this.jwtSecretKey) {
         if (!this.jwtKeyType)
           throw new g(
-            y.Configuration,
+            m.Configuration,
             "Must specify jwtKeyType if setting jwtSecretKey"
           );
-        this.keys._default = await Oe(this.jwtSecretKey, this.jwtKeyType);
+        this.keys._default = await Ye(this.jwtSecretKey, this.jwtKeyType);
       } else if (this.jwtPublicKey) {
         if (!this.jwtKeyType)
           throw new g(
-            y.Configuration,
+            m.Configuration,
             "Must specify jwtKeyType if setting jwtPublicKey"
           );
-        const t = await Ee(this.jwtPublicKey, this.jwtKeyType);
-        this.keys._default = t;
+        const e = await Ge(this.jwtPublicKey, this.jwtKeyType);
+        this.keys._default = e;
       } else {
         if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
           throw new g(
-            y.Connection,
+            m.Connection,
             "Load OIDC config before Jwks"
           );
         await this.loadJwks();
       }
-    } catch (t) {
-      throw d.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
+    } catch (e) {
+      throw c.logger.debug(d({ err: e })), new g(m.Connection, "Couldn't load keys");
     }
   }
   /**
@@ -1776,28 +1736,28 @@ class Le {
    * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
    *   - `Connection` if the fetch to the authorization server failed.
    */
-  async loadConfig(t) {
-    if (t) {
-      this.oidcConfig = t;
+  async loadConfig(e) {
+    if (e) {
+      this.oidcConfig = e;
       return;
     }
     if (!this.authServerBaseUrl)
-      throw new g(y.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
-    let r;
+      throw new g(m.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
+    let t;
     try {
-      r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
-    } catch (n) {
-      d.logger.error(h({ err: n }));
+      t = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
+    } catch (o) {
+      c.logger.error(d({ err: o }));
     }
-    if (!r || !r.ok)
-      throw new g(y.Connection, "Couldn't get OIDC configuration");
-    this.oidcConfig = { ...te };
+    if (!t || !t.ok)
+      throw new g(m.Connection, "Couldn't get OIDC configuration");
+    this.oidcConfig = { ...ye };
     try {
-      const n = await r.json();
-      for (const [i, s] of Object.entries(n))
-        this.oidcConfig[i] = s;
+      const o = await t.json();
+      for (const [s, n] of Object.entries(o))
+        this.oidcConfig[s] = n;
     } catch {
-      throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
+      throw new g(m.Connection, "Unrecognized response from OIDC configuration endpoint");
     }
   }
   /**
@@ -1809,40 +1769,40 @@ class Le {
    *   - `Connection` if the fetch to the authorization server failed,
    *     the OIDC configuration wasn't set or the keys could not be parsed.
    */
-  async loadJwks(t) {
-    if (t) {
+  async loadJwks(e) {
+    if (e) {
       this.keys = {};
-      for (let r = 0; r < t.keys.length; ++r) {
-        const n = t.keys[r];
-        this.keys[n.kid ?? "_default"] = await Z(t.keys[r]);
+      for (let t = 0; t < e.keys.length; ++t) {
+        const o = e.keys[t];
+        this.keys[o.kid ?? "_default"] = await ue(e.keys[t]);
       }
     } else {
       if (!this.oidcConfig)
-        throw new g(y.Connection, "Load OIDC config before Jwks");
-      let r;
+        throw new g(m.Connection, "Load OIDC config before Jwks");
+      let t;
       try {
-        r = await fetch(new URL(this.oidcConfig.jwks_uri));
-      } catch (n) {
-        d.logger.error(h({ err: n }));
+        t = await fetch(new URL(this.oidcConfig.jwks_uri));
+      } catch (o) {
+        c.logger.error(d({ err: o }));
       }
-      if (!r || !r.ok)
-        throw new g(y.Connection, "Couldn't get OIDC configuration");
+      if (!t || !t.ok)
+        throw new g(m.Connection, "Couldn't get OIDC configuration");
       this.keys = {};
       try {
-        const n = await r.json();
-        if (!("keys" in n) || !Array.isArray(n.keys))
-          throw new g(y.Connection, "Couldn't fetch keys");
-        for (let i = 0; i < n.keys.length; ++i)
+        const o = await t.json();
+        if (!("keys" in o) || !Array.isArray(o.keys))
+          throw new g(m.Connection, "Couldn't fetch keys");
+        for (let s = 0; s < o.keys.length; ++s)
           try {
-            let s = "_default";
-            "kid" in n.keys[i] && typeof n.keys[i] == "string" && (s = String(n.keys[i]));
-            const o = await Z(n.keys[i]);
-            this.keys[s] = o;
-          } catch (s) {
-            throw d.logger.error(h({ err: s })), new g(y.Connection, "Couldn't load keys");
+            let n = "_default";
+            "kid" in o.keys[s] && typeof o.keys[s] == "string" && (n = String(o.keys[s]));
+            const i = await ue(o.keys[s]);
+            this.keys[n] = i;
+          } catch (n) {
+            throw c.logger.error(d({ err: n })), new g(m.Connection, "Couldn't load keys");
           }
-      } catch (n) {
-        throw d.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
+      } catch (o) {
+        throw c.logger.error(d({ err: o })), new g(m.Connection, "Unrecognized response from OIDC jwks endpoint");
       }
     }
   }
@@ -1857,58 +1817,56 @@ class Le {
    *        fails.
    * @returns the JWT payload if the token is valid, `undefined` otherwise.
    */
-  async tokenAuthorized(t, r) {
+  async tokenAuthorized(e, t) {
     (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
-    const n = await this.validateToken(t);
-    if (n) {
-      if (n.type != r && d.logger.error(h({ msg: r + " expected but got " + n.type })), n.iss != this.authServerBaseUrl) {
-        d.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+    const o = await this.validateToken(e);
+    if (o) {
+      if (o.type != t && c.logger.error(d({ msg: t + " expected but got " + o.type })), o.iss != this.authServerBaseUrl) {
+        c.logger.error(d({ msg: `Invalid issuer ${o.iss} in access token`, hashedAccessToken: await this.hash(o.jti) }));
         return;
       }
-      if (n.aud && (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience)) {
-        d.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
+      if (o.aud && (Array.isArray(o.aud) && !o.aud.includes(this.audience) || !Array.isArray(o.aud) && o.aud != this.audience)) {
+        c.logger.error(d({ msg: `Invalid audience ${o.aud} in access token`, hashedAccessToken: await this.hash(o.jti) }));
         return;
       }
-      return n;
+      return o;
     }
   }
-  async validateToken(t) {
-    (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
-    let r;
+  async validateToken(e) {
+    (!this.keys || Object.keys(this.keys).length == 0) && c.logger.warn("No keys loaded so cannot validate tokens");
+    let t;
     try {
-      r = qe(t).kid;
+      t = nr(e).kid;
     } catch {
-      d.logger.warn(h({ msg: "Invalid access token format" }));
+      c.logger.warn(d({ msg: "Invalid access token format" }));
       return;
     }
-    let n;
-    "_default" in this.keys && (n = this.keys._default);
-    for (let i in this.keys)
-      if (r == i) {
-        n = this.keys[i];
+    let o;
+    "_default" in this.keys && (o = this.keys._default);
+    for (let s in this.keys)
+      if (t == s) {
+        o = this.keys[s];
         break;
       }
-    if (!n) {
-      d.logger.warn(h({ msg: "No matching keys found for access token" }));
+    if (!o) {
+      c.logger.warn(d({ msg: "No matching keys found for access token" }));
       return;
     }
     try {
-      const { payload: i } = await Je(t, n), s = JSON.parse(new TextDecoder().decode(i));
-      if (s.exp * 1e3 < Date.now() + this.clockTolerance) {
-        d.logger.warn(h({ msg: "Access token has expired" }));
+      const { payload: s } = await ir(e, o), n = JSON.parse(new TextDecoder().decode(s));
+      if (n.exp * 1e3 < Date.now() + this.clockTolerance) {
+        c.logger.warn(d({ msg: "Access token has expired" }));
         return;
       }
-      return s;
+      return n;
     } catch {
-      d.logger.warn(h({ msg: "Access token did not validate" }));
+      c.logger.warn(d({ msg: "Access token did not validate" }));
       return;
     }
   }
 }
-const TOLERANCE_SECONDS = 30;
-const AUTOREFRESH_RETRIES = 2;
-const AUTOREFRESH_RETRY_INTERVAL_SECS = 30;
-class OAuthAutoRefresher {
+const fe = 30, Z = 2, ae = 30;
+class Ae {
   /**
    * Constructor
    * 
@@ -1921,141 +1879,88 @@ class OAuthAutoRefresher {
    *   - `headers` - adds headers to fetfh calls
    *   - `tokenProvider` - class for fetching tokens and adding them to requests
    */
-  constructor(options) {
-    __publicField(this, "autoRefreshUrl", "/autorefresh");
-    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
-    __publicField(this, "headers", {});
-    __publicField(this, "autoRefreshActive", false);
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "tokenProvider");
-    this.tokenProvider = options.tokenProvider;
-    this.autoRefreshUrl = options.autoRefreshUrl;
-    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-  }
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    if (!this.autoRefreshActive) {
-      this.autoRefreshActive = true;
-      d.logger.debug(h({ msg: "Starting auto refresh" }));
-      await this.scheduleAutoRefresh(tokensToFetch, errorFn);
-    }
+  constructor(e) {
+    f(this, "autoRefreshUrl", "/autorefresh");
+    f(this, "csrfHeader", "X-CROSSAUTH-CSRF");
+    f(this, "headers", {});
+    f(this, "autoRefreshActive", !1);
+    f(this, "mode", "cors");
+    f(this, "credentials", "same-origin");
+    f(this, "tokenProvider");
+    this.tokenProvider = e.tokenProvider, this.autoRefreshUrl = e.autoRefreshUrl, e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
+  }
+  async startAutoRefresh(e = ["access", "id"], t) {
+    this.autoRefreshActive || (this.autoRefreshActive = !0, c.logger.debug(d({ msg: "Starting auto refresh" })), await this.scheduleAutoRefresh(e, t));
   }
   stopAutoRefresh() {
-    this.autoRefreshActive = false;
-    d.logger.debug(h({ msg: "Stopping auto refresh" }));
-  }
-  async scheduleAutoRefresh(tokensToFetch, errorFn) {
-    const csrfTokenPromise = this.tokenProvider.getCsrfToken();
-    const csrfToken = csrfTokenPromise ? await csrfTokenPromise : void 0;
-    const expiries = await this.tokenProvider.getTokenExpiries([...tokensToFetch, "refresh"], csrfToken);
-    if (expiries.refresh == void 0) {
-      d.logger.debug(h({ msg: `No refresh token found` }));
+    this.autoRefreshActive = !1, c.logger.debug(d({ msg: "Stopping auto refresh" }));
+  }
+  async scheduleAutoRefresh(e, t) {
+    const o = this.tokenProvider.getCsrfToken(), s = o ? await o : void 0, n = await this.tokenProvider.getTokenExpiries([...e, "refresh"], s);
+    if (n.refresh == null) {
+      c.logger.debug(d({ msg: "No refresh token found" }));
       return;
     }
-    const now = Date.now();
-    let tokenExpiry = expiries.id;
-    if (!tokenExpiry || expiries.access && expiries.access < tokenExpiry) tokenExpiry = expiries.access;
-    if (!tokenExpiry) {
-      d.logger.debug(h({ msg: `No tokens expire` }));
+    const i = Date.now();
+    let a = n.id;
+    if ((!a || n.access && n.access < a) && (a = n.access), !a) {
+      c.logger.debug(d({ msg: "No tokens expire" }));
       return;
     }
-    const renewTime = tokenExpiry * 1e3 - now - TOLERANCE_SECONDS;
-    if (renewTime < 0) {
-      d.logger.debug(h({ msg: `Expiry time has passed` }));
+    const h = a * 1e3 - i - fe;
+    if (h < 0) {
+      c.logger.debug(d({ msg: "Expiry time has passed" }));
       return;
     }
-    if (expiries.refresh && expiries.refresh - TOLERANCE_SECONDS < renewTime) {
-      d.logger.debug(h({ msg: `Refresh token has expired` }));
+    if (n.refresh && n.refresh - fe < h) {
+      c.logger.debug(d({ msg: "Refresh token has expired" }));
       return;
     }
-    let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-    d.logger.debug(h({ msg: `Waiting ${renewTime} before refreshing tokens` }));
-    await wait(renewTime);
-    await this.autoRefresh(tokensToFetch, csrfToken, errorFn);
+    let u = (y) => new Promise((_) => setTimeout(_, y));
+    c.logger.debug(d({ msg: `Waiting ${h} before refreshing tokens` })), await u(h), await this.autoRefresh(e, s, t);
   }
-  async autoRefresh(tokensToFetch, csrfToken, errorFn) {
+  async autoRefresh(e, t, o) {
     if (this.autoRefreshActive) {
-      let reply = void 0;
-      let success = false;
-      let tries = 0;
-      while (!success && tries <= AUTOREFRESH_RETRIES) {
+      let s, n = !1, i = 0;
+      for (; !n && i <= Z; )
         try {
-          let headers = { ...this.headers };
-          if (csrfToken) {
-            headers[this.csrfHeader] = csrfToken;
-          }
-          d.logger.debug(h({ msg: `Initiating auto refresh` }));
-          const resp = await this.tokenProvider.jsonFetchWithToken(
+          let a = { ...this.headers };
+          t && (a[this.csrfHeader] = t), c.logger.debug(d({ msg: "Initiating auto refresh" }));
+          const h = await this.tokenProvider.jsonFetchWithToken(
             this.autoRefreshUrl,
             {
               method: "POST",
               headers: {
-                "Accept": "application/json",
+                Accept: "application/json",
                 "Content-Type": "application/json",
-                ...headers
+                ...a
               },
               mode: this.mode,
               credentials: this.credentials,
               body: {
-                csrfToken
+                csrfToken: t
               }
             },
             "refresh"
           );
-          if (!resp.ok) {
-            d.logger.error(h({ msg: "Failed auto refreshing tokens", status: resp.status }));
-          }
-          reply = await resp.json();
-          if (reply == null ? void 0 : reply.ok) {
-            await this.scheduleAutoRefresh(tokensToFetch, errorFn);
-            success = true;
+          if (h.ok || c.logger.error(d({ msg: "Failed auto refreshing tokens", status: h.status })), s = await h.json(), s != null && s.ok) {
+            await this.scheduleAutoRefresh(e, o), n = !0;
             try {
-              await this.tokenProvider.receiveTokens(reply);
-            } catch (e) {
-              const cerr = g.asCrossauthError(e);
-              if (errorFn) {
-                errorFn("Couldn't receive tokens", cerr);
-              } else {
-                d.logger.debug(h({ err: e }));
-                d.logger.error(h({ msg: "Error receiving tokens", cerr }));
-              }
+              await this.tokenProvider.receiveTokens(s);
+            } catch (u) {
+              const y = g.asCrossauthError(u);
+              o ? o("Couldn't receive tokens", y) : (c.logger.debug(d({ err: u })), c.logger.error(d({ msg: "Error receiving tokens", cerr: y })));
             }
-          } else {
-            if (tries < AUTOREFRESH_RETRIES) {
-              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRY_INTERVAL_SECS} seconds` }));
-              let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-              await wait(AUTOREFRESH_RETRY_INTERVAL_SECS * 1e3);
-            } else {
-              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
-              if (errorFn) {
-                errorFn("Failed auto refreshing tokens");
-              }
-            }
-            tries++;
-          }
-        } catch (e) {
-          const ce2 = g.asCrossauthError(e);
-          d.logger.debug(h({ err: ce2 }));
-          if (tries < AUTOREFRESH_RETRIES) {
-            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRIES} seconds` }));
-            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-            await wait(AUTOREFRESH_RETRY_INTERVAL_SECS);
-          } else {
-            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
-            if (errorFn) {
-              errorFn(ce2.message, ce2);
-            }
-          }
-          tries++;
+          } else
+            i < Z ? (c.logger.error(d({ msg: `Failed auto refreshing tokens.  Retrying in ${ae} seconds` })), await ((y) => new Promise((_) => setTimeout(_, y)))(ae * 1e3)) : (c.logger.error(d({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), i++;
+        } catch (a) {
+          const h = g.asCrossauthError(a);
+          c.logger.debug(d({ err: h })), i < Z ? (c.logger.error(d({ msg: `Failed auto refreshing tokens.  Retrying in ${Z} seconds` })), await ((y) => new Promise((_) => setTimeout(_, y)))(ae)) : (c.logger.error(d({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o(h.message, h)), i++;
         }
-      }
     }
   }
 }
-class OAuthDeviceCodePoller {
+class Pe {
   /**
    * Constructor
    * 
@@ -2065,105 +1970,73 @@ class OAuthDeviceCodePoller {
    *   - `credentials` - overrides the default `credentials` for fetch calls
    *   - `headers` - adds headers to fetfh calls
    */
-  constructor(options) {
-    __publicField(this, "deviceCodePollUrl", "/devicecodepoll");
-    __publicField(this, "headers", {});
-    __publicField(this, "pollingActive", false);
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "respectRedirect", true);
-    __publicField(this, "oauthClient");
-    this.oauthClient = options.oauthClient;
-    if (options.deviceCodePollUrl != void 0) this.deviceCodePollUrl = options.deviceCodePollUrl;
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-  }
-  async startPolling(deviceCode, pollResultFn, interval = 5) {
-    if (!this.pollingActive) {
-      this.pollingActive = true;
-      d.logger.debug(h({ msg: "Starting auto refresh" }));
-      await this.poll(deviceCode, interval, pollResultFn);
-    }
+  constructor(e) {
+    f(this, "deviceCodePollUrl", "/devicecodepoll");
+    f(this, "headers", {});
+    f(this, "pollingActive", !1);
+    f(this, "mode", "cors");
+    f(this, "credentials", "same-origin");
+    f(this, "respectRedirect", !0);
+    f(this, "oauthClient");
+    this.oauthClient = e.oauthClient, e.deviceCodePollUrl != null && (this.deviceCodePollUrl = e.deviceCodePollUrl), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
+  }
+  async startPolling(e, t, o = 5) {
+    this.pollingActive || (this.pollingActive = !0, c.logger.debug(d({ msg: "Starting auto refresh" })), await this.poll(e, o, t));
   }
   stopPolling() {
-    this.pollingActive = false;
-    d.logger.debug(h({ msg: "Stopping auto refresh" }));
-  }
-  async poll(deviceCode, interval, pollResultFn) {
-    var _a;
-    if (!deviceCode) {
-      d.logger.debug(h({ msg: "device code poll: no device code provided" }));
-      pollResultFn("error", "Error waiting for authorization");
-    } else {
+    this.pollingActive = !1, c.logger.debug(d({ msg: "Stopping auto refresh" }));
+  }
+  async poll(e, t, o) {
+    var s;
+    if (!e)
+      c.logger.debug(d({ msg: "device code poll: no device code provided" })), o("error", "Error waiting for authorization");
+    else
       try {
-        d.logger.debug(h({ msg: "device code poll: poll" }));
-        if (!this.deviceCodePollUrl && this.oauthClient) {
-          if (!this.oauthClient.getOidcConfig()) await this.oauthClient.loadConfig();
-          if (!((_a = this.oauthClient.getOidcConfig()) == null ? void 0 : _a.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))) {
+        if (c.logger.debug(d({ msg: "device code poll: poll" })), !this.deviceCodePollUrl && this.oauthClient) {
+          if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((s = this.oauthClient.getOidcConfig()) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
             return {
               error: "invalid_request",
               error_description: "Server does not support password_mfa grant"
             };
-          }
-          let config = this.oauthClient.getOidcConfig();
-          if (!(config == null ? void 0 : config.token_endpoint)) return {
+          let i = this.oauthClient.getOidcConfig();
+          if (!(i != null && i.token_endpoint)) return {
             error: "server_error",
             error_description: "Couldn't get OIDC configuration"
           };
-          this.deviceCodePollUrl = config.token_endpoint;
+          this.deviceCodePollUrl = i.token_endpoint;
         }
-        if (!this.deviceCodePollUrl) {
+        if (!this.deviceCodePollUrl)
           return {
             error: "server_error",
             error_description: "Must either provide deviceCodePollUrl or an oauthClient to fetch it from"
           };
-        }
-        const resp = await fetch(this.deviceCodePollUrl, {
+        const n = await fetch(this.deviceCodePollUrl, {
           method: "POST",
-          body: JSON.stringify({ device_code: deviceCode }),
+          body: JSON.stringify({ device_code: e }),
           headers: { "content-type": "application/json" }
         });
-        if (resp.redirected) {
-          this.pollingActive = false;
-          if (resp.redirected) {
-            pollResultFn("completeAndRedirect", void 0, resp.url);
-          }
-        } else if (!resp.ok) {
-          this.pollingActive = false;
-          pollResultFn("error", "Received an error from the authorization server");
-        } else {
-          const body = await resp.json();
-          d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(body) }));
-          if (body.error == "expired_token") {
-            this.pollingActive = false;
-            pollResultFn("expired_token", "Timeout waiting for authorization");
-          } else if (body.error == "authorization_pending" || body.error == "slow_down") {
-            if (body.error == "slow_down") interval += 5;
-            let waitseconds = body.interval ?? interval;
-            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-            d.logger.debug(h({ msg: "device code poll: waiting " + String(waitseconds) + " seconds" }));
-            await wait(waitseconds * 1e3);
-            if (this.pollingActive) this.poll(deviceCode, interval, pollResultFn);
-          } else if (body.error) {
-            this.pollingActive = false;
-            pollResultFn("error", body.error_description ?? body.error);
-          } else {
-            this.pollingActive = false;
-            pollResultFn("complete");
-          }
+        if (n.redirected)
+          this.pollingActive = !1, n.redirected && o("completeAndRedirect", void 0, n.url);
+        else if (!n.ok)
+          this.pollingActive = !1, o("error", "Received an error from the authorization server");
+        else {
+          const i = await n.json();
+          if (c.logger.debug(d({ msg: "device code poll: received" + JSON.stringify(i) })), i.error == "expired_token")
+            this.pollingActive = !1, o("expired_token", "Timeout waiting for authorization");
+          else if (i.error == "authorization_pending" || i.error == "slow_down") {
+            i.error == "slow_down" && (t += 5);
+            let a = i.interval ?? t, h = (u) => new Promise((y) => setTimeout(y, u));
+            c.logger.debug(d({ msg: "device code poll: waiting " + String(a) + " seconds" })), await h(a * 1e3), this.pollingActive && this.poll(e, t, o);
+          } else i.error ? (this.pollingActive = !1, o("error", i.error_description ?? i.error)) : (this.pollingActive = !1, o("complete"));
         }
-      } catch (e) {
-        this.pollingActive = false;
-        const ce2 = g.asCrossauthError(e);
-        d.logger.debug(h({ err: ce2 }));
-        d.logger.error(h({ msg: "Polling failed", cerr: ce2 }));
-        pollResultFn("error", ce2.message);
+      } catch (n) {
+        this.pollingActive = !1;
+        const i = g.asCrossauthError(n);
+        c.logger.debug(d({ err: i })), c.logger.error(d({ msg: "Polling failed", cerr: i })), o("error", i.message);
       }
-    }
   }
 }
-class OAuthBffClient {
+class ur {
   /**
    * Constructor
    * 
@@ -2184,34 +2057,23 @@ class OAuthBffClient {
    *   - `credentials` - overrides the default `credentials` for fetch calls
    *   - `headers` - adds headers to fetfh calls
    */
-  constructor(options = {}) {
-    __publicField(this, "bffPrefix", "/bff");
-    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
-    __publicField(this, "enableCsrfProtection", true);
-    __publicField(this, "headers", {});
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "autoRefresher");
-    __publicField(this, "deviceCodePoller");
-    __publicField(this, "getCsrfTokenUrl", "/api/getcsrftoken");
-    __publicField(this, "autoRefreshUrl", "/api/refreshtokens");
-    __publicField(this, "tokensUrl", "/tokens");
-    if (options.bffPrefix) this.bffPrefix = options.bffPrefix;
-    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
-    if (options.enableCsrfProtection != void 0) this.enableCsrfProtection = options.enableCsrfProtection;
-    if (options.getCsrfTokenUrl) this.getCsrfTokenUrl = options.getCsrfTokenUrl;
-    if (options.tokensUrl) this.tokensUrl = options.tokensUrl;
-    if (options.autoRefreshUrl) this.autoRefreshUrl = options.autoRefreshUrl;
-    if (!this.bffPrefix.endsWith("/")) this.bffPrefix += "/";
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-    this.autoRefresher = new OAuthAutoRefresher({
-      ...options,
+  constructor(e = {}) {
+    f(this, "bffPrefix", "/bff");
+    f(this, "csrfHeader", "X-CROSSAUTH-CSRF");
+    f(this, "enableCsrfProtection", !0);
+    f(this, "headers", {});
+    f(this, "mode", "cors");
+    f(this, "credentials", "same-origin");
+    f(this, "autoRefresher");
+    f(this, "deviceCodePoller");
+    f(this, "getCsrfTokenUrl", "/api/getcsrftoken");
+    f(this, "autoRefreshUrl", "/api/refreshtokens");
+    f(this, "tokensUrl", "/tokens");
+    e.bffPrefix && (this.bffPrefix = e.bffPrefix), e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.enableCsrfProtection != null && (this.enableCsrfProtection = e.enableCsrfProtection), e.getCsrfTokenUrl && (this.getCsrfTokenUrl = e.getCsrfTokenUrl), e.tokensUrl && (this.tokensUrl = e.tokensUrl), e.autoRefreshUrl && (this.autoRefreshUrl = e.autoRefreshUrl), this.bffPrefix.endsWith("/") || (this.bffPrefix += "/"), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials), this.autoRefresher = new Ae({
+      ...e,
       autoRefreshUrl: this.autoRefreshUrl,
       tokenProvider: this
-    });
-    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: void 0 });
+    }), this.deviceCodePoller = new Pe({ ...e, oauthClient: void 0 });
   }
   /**
    * Gets a CSRF token from the server
@@ -2219,19 +2081,18 @@ class OAuthBffClient {
    *          the `X-CROSSAUTH-CSRF` header
    */
   async getCsrfToken() {
-    if (!this.enableCsrfProtection) return void 0;
-    try {
-      const resp = await fetch(this.getCsrfTokenUrl, {
-        headers: this.headers,
-        credentials: this.credentials,
-        mode: this.mode
-      });
-      const json = await resp.json();
-      if (!json.ok) throw g.asCrossauthError(json);
-      return json.csrfToken;
-    } catch (e) {
-      throw g.asCrossauthError(e);
-    }
+    if (this.enableCsrfProtection)
+      try {
+        const t = await (await fetch(this.getCsrfTokenUrl, {
+          headers: this.headers,
+          credentials: this.credentials,
+          mode: this.mode
+        })).json();
+        if (!t.ok) throw g.asCrossauthError(t);
+        return t.csrfToken;
+      } catch (e) {
+        throw g.asCrossauthError(e);
+      }
   }
   /**
    * Fetches the ID token from the client.
@@ -2243,9 +2104,9 @@ class OAuthBffClient {
    *        making the request
    * @returns the ID token payload or an empty object if there isn't one
    */
-  async getIdToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.id_token) ?? null;
+  async getIdToken(e) {
+    const t = await this.getTokens(e);
+    return (t == null ? void 0 : t.id_token) ?? null;
   }
   /**
    * Returns whether or not there is an ID token stored in the BFF server
@@ -2255,11 +2116,9 @@ class OAuthBffClient {
    *        making the request
    * @returns true or false
    */
-  async haveIdToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_id_token != void 0) return tokens.have_id_token;
-    return "id_token" in tokens;
+  async haveIdToken(e) {
+    const t = await this.getTokens(e);
+    return t == null ? !1 : t.have_id_token != null ? t.have_id_token : "id_token" in t;
   }
   /**
    * Fetches the access token from the client.
@@ -2273,9 +2132,9 @@ class OAuthBffClient {
    *         the ones given with {@link OAuthBffClient.addHeader} )
    * @returns the access token payload or an empty object if there isn't one
    */
-  async getAccessToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.access_token) ?? null;
+  async getAccessToken(e) {
+    const t = await this.getTokens(e);
+    return (t == null ? void 0 : t.access_token) ?? null;
   }
   /**
    * Returns whether or not there is an access token stored in the BFF server
@@ -2285,11 +2144,9 @@ class OAuthBffClient {
    *        making the request
    * @returns true or false
    */
-  async haveAccessToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_access_token != void 0) return tokens.have_access_token;
-    return "access_token" in tokens;
+  async haveAccessToken(e) {
+    const t = await this.getTokens(e);
+    return t == null ? !1 : t.have_access_token != null ? t.have_access_token : "access_token" in t;
   }
   /**
    * Fetches the refresh token from the client.
@@ -2301,9 +2158,9 @@ class OAuthBffClient {
    *        making the request
    * @returns the refresh token payload or an empty object if there isn't one
    */
-  async getRefreshToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.refresh_token) ?? null;
+  async getRefreshToken(e) {
+    const t = await this.getTokens(e);
+    return (t == null ? void 0 : t.refresh_token) ?? null;
   }
   /**
    * Returns whether or not there is a refresh token stored in the BFF server
@@ -2313,11 +2170,9 @@ class OAuthBffClient {
    *        making the request
    * @returns true or false
    */
-  async haveRefreshToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_refresh_token != void 0) return tokens.have_refresh_token;
-    return "refresh_token" in tokens;
+  async haveRefreshToken(e) {
+    const t = await this.getTokens(e);
+    return t == null ? !1 : t.have_refresh_token != null ? t.have_refresh_token : "refresh_token" in t;
   }
   /**
    * Calls an API endpoint via the BFF server
@@ -2327,28 +2182,23 @@ class OAuthBffClient {
    * @param csrfToken : the CSRF token
    * @returns the HTTP status code and the body or null
    */
-  async api(method, endpoint, body, csrfToken) {
-    let headers = { ...this.headers };
-    if (!csrfToken && !["GET", "HEAD", "OPTIONS"].includes(method)) {
-      csrfToken = await this.getCsrfToken();
-      if (csrfToken) headers[this.csrfHeader] = csrfToken;
-    }
-    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
-    let params = {};
-    if (body) params.body = JSON.stringify(body);
-    const resp = await fetch(
-      this.bffPrefix + endpoint,
+  async api(e, t, o, s) {
+    let n = { ...this.headers };
+    !s && !["GET", "HEAD", "OPTIONS"].includes(e) && (s = await this.getCsrfToken(), s && (n[this.csrfHeader] = s)), t.startsWith("/") && (t = t.substring(1));
+    let i = {};
+    o && (i.body = JSON.stringify(o));
+    const a = await fetch(
+      this.bffPrefix + t,
       {
-        headers,
-        method,
+        headers: n,
+        method: e,
         mode: this.mode,
         credentials: this.credentials,
-        ...params
+        ...i
       }
     );
-    let responseBody = null;
-    if (resp.body) responseBody = await resp.json();
-    return { status: resp.status, body: responseBody };
+    let h = null;
+    return a.body && (h = await a.json()), { status: a.status, body: h };
   }
   /**
    * Return all tokens that the client has been enabled to return.
@@ -2362,25 +2212,20 @@ class OAuthBffClient {
    *   - `have_access_token`
    *   - `have_refresh_token`
    */
-  async getTokens(csrfToken) {
-    if (!csrfToken) csrfToken = await this.getCsrfToken();
-    let headers = { ...this.headers };
-    if (csrfToken)
-      headers[this.csrfHeader] = csrfToken;
+  async getTokens(e) {
+    e || (e = await this.getCsrfToken());
+    let t = { ...this.headers };
+    e && (t[this.csrfHeader] = e);
     try {
-      const resp = await fetch(this.tokensUrl, {
+      const o = await fetch(this.tokensUrl, {
         method: "POST",
-        headers,
+        headers: t,
         mode: this.mode,
         credentials: this.credentials
       });
-      if (resp.status == 204) {
-        return {};
-      }
-      const body = await resp.json();
-      return body;
-    } catch (e) {
-      throw g.asCrossauthError(e);
+      return o.status == 204 ? {} : await o.json();
+    } catch (o) {
+      throw g.asCrossauthError(o);
     }
   }
   /**
@@ -2388,8 +2233,8 @@ class OAuthBffClient {
    * @param tokensToFetch which tokens to fetch
    * @param errorFn what to call in case of error
    */
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
+  async startAutoRefresh(e = ["access", "id"], t) {
+    return this.autoRefresher.startAutoRefresh(e, t);
   }
   /**
    * Turns auto refresh of tokens off
@@ -2402,8 +2247,8 @@ class OAuthBffClient {
    * @param tokensToFetch which tokens to fetch
    * @param errorFn what to call in case of error
    */
-  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
-    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
+  async startDeviceCodePolling(e, t, o = 5) {
+    return this.deviceCodePoller.startPolling(e, t, o);
   }
   /**
    * Turns off polling for a device code
@@ -2421,27 +2266,13 @@ class OAuthBffClient {
    * @returns for each token, either the expiry, `null` if it does not
    *          expire, or `undefined` if the token does not exist
    */
-  async getTokenExpiries(tokensToFetch, csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    const idToken = tokensToFetch.includes("id") ? (tokens == null ? void 0 : tokens.id_token) ?? null : null;
-    const accessToken = tokensToFetch.includes("access") ? (tokens == null ? void 0 : tokens.access_token) ?? null : null;
-    const refreshToken = tokensToFetch.includes("refresh") ? (tokens == null ? void 0 : tokens.refresh_token) ?? null : null;
-    let idTokenExpiry = void 0;
-    let accessTokenExpiry = void 0;
-    let refreshTokenExpiry = void 0;
-    if (idToken) {
-      idTokenExpiry = idToken.exp ? idToken.exp : null;
-    }
-    if (accessToken) {
-      accessTokenExpiry = accessToken.exp ? accessToken.exp : null;
-    }
-    if (refreshToken) {
-      refreshTokenExpiry = refreshToken.exp ? refreshToken.exp : null;
-    }
-    return {
-      id: idTokenExpiry,
-      access: accessTokenExpiry,
-      refresh: refreshTokenExpiry
+  async getTokenExpiries(e, t) {
+    const o = await this.getTokens(t), s = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, i = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
+    let a, h, u;
+    return s && (a = s.exp ? s.exp : null), n && (h = n.exp ? n.exp : null), i && (u = i.exp ? i.exp : null), {
+      id: a,
+      access: h,
+      refresh: u
     };
   }
   /**
@@ -2451,30 +2282,27 @@ class OAuthBffClient {
    * @param token which token to add
    * @returns parsed JSON response
    */
-  async jsonFetchWithToken(url, params, _token) {
-    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
-    return await fetch(url, params);
+  async jsonFetchWithToken(e, t, o) {
+    return typeof t.body != "string" && (t.body = JSON.stringify(t.body)), await fetch(e, t);
   }
-  receiveTokens(_tokens) {
-    return new Promise((_resolve) => {
+  receiveTokens(e) {
+    return new Promise((t) => {
     });
   }
 }
-class OAuthTokenConsumer extends Le {
+class hr extends dr {
   /**
    * SHA256 and Base64-url-encodes the given test
    * @param plaintext the text to encode
    * @returns the SHA256 hash, Base64-url-encode
    */
-  async hash(plaintext) {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(plaintext);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hash));
-    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  async hash(e) {
+    const o = new TextEncoder().encode(e), s = await crypto.subtle.digest("SHA-256", o), n = Array.from(new Uint8Array(s));
+    return btoa(n.reduce((i, a) => i + String.fromCharCode(a), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
   }
 }
-class OAuthClient extends Be {
+var j, O, R, K, z, B, L;
+class fr extends cr {
   /**
    * Constructor
    * 
@@ -2515,129 +2343,71 @@ class OAuthClient extends Be {
    *      Default is `/devicecodepoll`
    *  For other options see {@link @crossauth/common/OAuthClientBase}.
    */
-  constructor(options) {
-    if (!options.tokenConsumer) {
-      options.tokenConsumer = new OAuthTokenConsumer(
-        options.client_id,
-        {
-          authServerBaseUrl: options.authServerBaseUrl
-        }
-      );
-    }
-    super(options);
-    __publicField(this, "resServerBaseUrl", "");
-    __publicField(this, "resServerHeaders", {});
-    __publicField(this, "resServerMode", "cors");
-    __publicField(this, "resServerCredentials", "same-origin");
-    __publicField(this, "accessTokenResponseType", "memory");
-    __publicField(this, "refreshTokenResponseType", "memory");
-    __publicField(this, "idTokenResponseType", "memory");
-    __publicField(this, "accessTokenName", "CROSSAUTH_AT");
-    __publicField(this, "refreshTokenName", "CROSSAUTH_RT");
-    __publicField(this, "idTokenName", "CROSSAUTH_IT");
-    __privateAdd(this, _accessToken);
-    __privateAdd(this, _refreshToken);
-    __privateAdd(this, _idTokenPayload);
-    __privateAdd(this, _accessTokenPayload);
-    __privateAdd(this, _refreshTokenPayload);
-    __privateAdd(this, _client_id);
-    __privateAdd(this, _client_secret);
-    __publicField(this, "autoRefresher");
-    __publicField(this, "deviceCodePoller");
-    __publicField(this, "deviceAuthorizationUrl", "device_authorization");
-    if (this.resServerBaseUrl != void 0) {
-      this.resServerBaseUrl = options.resServerBaseUrl ?? "";
-      if (this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/")) {
-        this.resServerBaseUrl += "/";
+  constructor(t) {
+    t.tokenConsumer || (t.tokenConsumer = new hr(
+      t.client_id,
+      {
+        authServerBaseUrl: t.authServerBaseUrl
       }
-    }
-    if (options.accessTokenResponseType) this.accessTokenResponseType = options.accessTokenResponseType;
-    if (options.idTokenResponseType) this.idTokenResponseType = options.idTokenResponseType;
-    if (options.refreshTokenResponseType) this.refreshTokenResponseType = options.refreshTokenResponseType;
-    if (options.accessTokenName) this.accessTokenName = options.accessTokenName;
-    if (options.idTokenName) this.idTokenName = options.idTokenName;
-    if (options.refreshTokenName) this.refreshTokenName = options.refreshTokenName;
-    if (options.resServerHeaders) this.resServerHeaders = options.resServerHeaders;
-    if (options.resServerMode) this.resServerMode = options.resServerMode;
-    if (options.resServerCredentials) this.resServerCredentials = options.resServerCredentials;
-    if (options.client_id) __privateSet(this, _client_id, options.client_id);
-    if (options.client_secret) __privateSet(this, _client_secret, options.client_secret);
-    if (options.deviceAuthorizationUrl) this.deviceAuthorizationUrl = options.deviceAuthorizationUrl;
-    this.autoRefresher = new OAuthAutoRefresher({
-      ...options,
+    ));
+    super(t);
+    f(this, "resServerBaseUrl", "");
+    f(this, "resServerHeaders", {});
+    f(this, "resServerMode", "cors");
+    f(this, "resServerCredentials", "same-origin");
+    f(this, "accessTokenResponseType", "memory");
+    f(this, "refreshTokenResponseType", "memory");
+    f(this, "idTokenResponseType", "memory");
+    f(this, "accessTokenName", "CROSSAUTH_AT");
+    f(this, "refreshTokenName", "CROSSAUTH_RT");
+    f(this, "idTokenName", "CROSSAUTH_IT");
+    N(this, j);
+    N(this, O);
+    N(this, R);
+    N(this, K);
+    N(this, z);
+    N(this, B);
+    N(this, L);
+    f(this, "autoRefresher");
+    f(this, "deviceCodePoller");
+    f(this, "deviceAuthorizationUrl", "device_authorization");
+    this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/") && (this.resServerBaseUrl += "/")), t.accessTokenResponseType && (this.accessTokenResponseType = t.accessTokenResponseType), t.idTokenResponseType && (this.idTokenResponseType = t.idTokenResponseType), t.refreshTokenResponseType && (this.refreshTokenResponseType = t.refreshTokenResponseType), t.accessTokenName && (this.accessTokenName = t.accessTokenName), t.idTokenName && (this.idTokenName = t.idTokenName), t.refreshTokenName && (this.refreshTokenName = t.refreshTokenName), t.resServerHeaders && (this.resServerHeaders = t.resServerHeaders), t.resServerMode && (this.resServerMode = t.resServerMode), t.resServerCredentials && (this.resServerCredentials = t.resServerCredentials), t.client_id && b(this, B, t.client_id), t.client_secret && b(this, L, t.client_secret), t.deviceAuthorizationUrl && (this.deviceAuthorizationUrl = t.deviceAuthorizationUrl), this.autoRefresher = new Ae({
+      ...t,
       autoRefreshUrl: this.authServerBaseUrl + "/token",
       tokenProvider: this
-    });
-    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: this, deviceCodePollUrl: null });
-    let idToken;
-    let accessToken;
-    let refreshToken;
-    if (this.idTokenResponseType == "sessionStorage") {
-      idToken = sessionStorage.getItem(this.idTokenName);
-    } else if (this.idTokenResponseType == "localStorage") {
-      idToken = localStorage.getItem(this.idTokenName);
+    }), this.deviceCodePoller = new Pe({ ...t, oauthClient: this, deviceCodePollUrl: null });
+    let o, s, n;
+    if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ? s = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (s = localStorage.getItem(this.accessTokenName)), this.refreshTokenResponseType == "sessionStorage" ? n = sessionStorage.getItem(this.refreshTokenName) : this.refreshTokenResponseType == "localStorage" && (n = localStorage.getItem(this.refreshTokenName)), this.receiveTokens({
+      access_token: s,
+      id_token: o,
+      refresh_token: n
+    }), s) {
+      const i = this.getTokenPayload(s);
+      i && (b(this, j, s), b(this, K, i));
     }
-    if (this.accessTokenResponseType == "sessionStorage") {
-      accessToken = sessionStorage.getItem(this.accessTokenName);
-    } else if (this.accessTokenResponseType == "localStorage") {
-      accessToken = localStorage.getItem(this.accessTokenName);
-    }
-    if (this.refreshTokenResponseType == "sessionStorage") {
-      refreshToken = sessionStorage.getItem(this.refreshTokenName);
-    } else if (this.refreshTokenResponseType == "localStorage") {
-      refreshToken = localStorage.getItem(this.refreshTokenName);
-    }
-    this.receiveTokens({
-      access_token: accessToken,
-      id_token: idToken,
-      refresh_token: refreshToken
-    });
-    if (accessToken) {
-      const payload = this.getTokenPayload(accessToken);
-      if (payload) {
-        __privateSet(this, _accessToken, accessToken);
-        __privateSet(this, _accessTokenPayload, payload);
-      }
-    }
-    if (refreshToken) {
-      const payload = this.getTokenPayload(refreshToken);
-      if (payload) {
-        __privateSet(this, _refreshToken, refreshToken);
-        __privateSet(this, _refreshTokenPayload, payload);
-      }
+    if (n) {
+      const i = this.getTokenPayload(n);
+      i && (b(this, O, n), b(this, z, i));
     }
-    if (idToken) {
-      this.validateIdToken(idToken).then((payload) => {
-        __privateSet(this, _idTokenPayload, payload);
-        if (options.autoRefresh) {
-          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
-          });
-        }
-      }).catch((err) => {
-        d.logger.debug(h({ err, msg: "Couldn't validate ID token" }));
+    o ? this.validateIdToken(o).then((i) => {
+      b(this, R, i), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
+        c.logger.debug(d({ err: a, msg: "Couldn't start auto refresh" }));
       });
-    } else if (__privateGet(this, _accessToken) && options.autoRefresh && refreshToken) {
-      this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-        d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
+    }).catch((i) => {
+      c.logger.debug(d({ err: i, msg: "Couldn't validate ID token" }));
+    }) : w(this, j) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((i) => {
+      c.logger.debug(d({ err: i, msg: "Couldn't start auto refresh" }));
+    }) : n && !s && this.refreshTokenFlow(n).then((i) => {
+      c.logger.debug(d({ msg: "Refreshed tokens" })), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
+        c.logger.debug(d({ err: a, msg: "Couldn't start auto refresh" }));
       });
-    } else if (refreshToken && !accessToken) {
-      this.refreshTokenFlow(refreshToken).then((_resp) => {
-        d.logger.debug(h({ msg: "Refreshed tokens" }));
-        if (options.autoRefresh) {
-          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
-          });
-        }
-      }).catch((err) => {
-        const ce2 = g.asCrossauthError(err);
-        d.logger.debug(h({ err: ce2 }));
-        d.logger.error(h({ msg: "failed refreshing tokens", cerr: ce2 }));
-      });
-    }
+    }).catch((i) => {
+      const a = g.asCrossauthError(i);
+      c.logger.debug(d({ err: a })), c.logger.error(d({ msg: "failed refreshing tokens", cerr: a }));
+    });
   }
   get idTokenPayload() {
-    return __privateGet(this, _idTokenPayload);
+    return w(this, R);
   }
   /**
    * Processes the query parameters for a Redirect URI request if they
@@ -2667,43 +2437,31 @@ class OAuthClient extends Be {
    *       
    */
   async handleRedirectUri() {
-    const url = new URL(window.location.href);
-    if (url.origin + url.pathname != this.redirect_uri) return void 0;
-    const params = new URLSearchParams(window.location.search);
-    let code = void 0;
-    let state = void 0;
-    let error = void 0;
-    let error_description = void 0;
-    for (const [key, value] of params) {
-      if (key == "code") code = value;
-      if (key == "state") state = value;
-      if (key == "error") error = value;
-      if (key == "error_description") error_description = value;
-    }
-    if (!error && !code) return void 0;
-    if (error) {
-      const cerr = g.fromOAuthError(error, error_description);
-      d.logger.debug(h({ err: cerr }));
-      d.logger.error(h({ cerr, msg: "Error from authorize endpoint: " + error }));
-      throw cerr;
+    const t = new URL(window.location.href);
+    if (t.origin + t.pathname != this.redirect_uri) return;
+    const o = new URLSearchParams(window.location.search);
+    let s, n, i, a;
+    for (const [u, y] of o)
+      u == "code" && (s = y), u == "state" && (n = y), u == "error" && (i = y), u == "error_description" && (a = y);
+    if (!i && !s) return;
+    if (i) {
+      const u = g.fromOAuthError(i, a);
+      throw c.logger.debug(d({ err: u })), c.logger.error(d({ cerr: u, msg: "Error from authorize endpoint: " + i })), u;
     }
-    const resp = await this.redirectEndpoint(code, state, error, error_description);
-    if (resp.error) {
-      const cerr = g.fromOAuthError(resp.error, error_description);
-      d.logger.debug(h({ err: cerr }));
-      d.logger.error(h({ cerr, msg: "Error from redirect endpoint: " + resp.error }));
-      throw cerr;
+    const h = await this.redirectEndpoint(s, n, i, a);
+    if (h.error) {
+      const u = g.fromOAuthError(h.error, a);
+      throw c.logger.debug(d({ err: u })), c.logger.error(d({ cerr: u, msg: "Error from redirect endpoint: " + h.error })), u;
     }
-    await this.receiveTokens(resp);
-    return resp;
+    return await this.receiveTokens(h), h;
   }
   /**
    * Turns auto refresh of tokens on
    * @param tokensToFetch which tokens to fetch
    * @param errorFn what to call in case of error
    */
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
+  async startAutoRefresh(t = ["access", "id"], o) {
+    return this.autoRefresher.startAutoRefresh(t, o);
   }
   /**
    * Turns auto refresh of tokens off
@@ -2716,8 +2474,8 @@ class OAuthClient extends Be {
    * @param tokensToFetch which tokens to fetch
    * @param errorFn what to call in case of error
    */
-  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
-    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
+  async startDeviceCodePolling(t, o, s = 5) {
+    return this.deviceCodePoller.startPolling(t, o, s);
   }
   /**
    * Turns off polling for a device code
@@ -2734,7 +2492,7 @@ class OAuthClient extends Be {
    * @returns the payload as an object
    */
   getIdToken() {
-    return __privateGet(this, _idTokenPayload);
+    return w(this, R);
   }
   ///////
   // Implementation of abstract methods
@@ -2744,22 +2502,18 @@ class OAuthClient extends Be {
    * @param length the length of the random array before base64-url-encoding.
    * @returns the random value as a Base64-url-encoded srting
    */
-  randomValue(length) {
-    const array = new Uint8Array(length);
-    self.crypto.getRandomValues(array);
-    return btoa(array.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  randomValue(t) {
+    const o = new Uint8Array(t);
+    return self.crypto.getRandomValues(o), btoa(o.reduce((s, n) => s + String.fromCharCode(n), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
   }
   /**
    * SHA256 and Base64-url-encodes the given test
    * @param plaintext the text to encode
    * @returns the SHA256 hash, Base64-url-encode
    */
-  async sha256(plaintext) {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(plaintext);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hash));
-    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+  async sha256(t) {
+    const s = new TextEncoder().encode(t), n = await crypto.subtle.digest("SHA-256", s), i = Array.from(new Uint8Array(n));
+    return btoa(i.reduce((a, h) => a + String.fromCharCode(h), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
   }
   /**
    * Calls an API endpoint on the resource server
@@ -2768,31 +2522,25 @@ class OAuthClient extends Be {
    * @param body : the body to pass to the call
    * @returns the HTTP status code and the body or null
    */
-  async api(method, endpoint, body) {
-    let headers = { ...this.resServerHeaders };
-    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
-    let params = {};
-    if (body) params.body = JSON.stringify(body);
-    let accessToken;
-    if (this.accessTokenResponseType == "sessionStorage") {
-      accessToken = sessionStorage.getItem(this.accessTokenName);
-    } else if (this.accessTokenResponseType == "localStorage") {
-      accessToken = localStorage.getItem(this.accessTokenName);
-    }
-    headers.authorization = "Bearer " + accessToken;
-    const resp = await fetch(
-      this.resServerBaseUrl + endpoint,
+  async api(t, o, s) {
+    let n = { ...this.resServerHeaders };
+    o.startsWith("/") && (o = o.substring(1));
+    let i = {};
+    s && (i.body = JSON.stringify(s));
+    let a;
+    this.accessTokenResponseType == "sessionStorage" ? a = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (a = localStorage.getItem(this.accessTokenName)), n.authorization = "Bearer " + a;
+    const h = await fetch(
+      this.resServerBaseUrl + o,
       {
-        headers,
-        method,
+        headers: n,
+        method: t,
         mode: this.resServerMode,
         credentials: this.resServerCredentials,
-        ...params
+        ...i
       }
     );
-    let responseBody = null;
-    if (resp.body) responseBody = await resp.json();
-    return { status: resp.status, body: responseBody };
+    let u = null;
+    return h.body && (u = await h.json()), { status: h.status, body: u };
   }
   ///////////////////////////////////////////////////////////
   // OAuthTokenProvider interface
@@ -2804,23 +2552,12 @@ class OAuthClient extends Be {
    * @returns for each token, either the expiry, `null` if it does not
    *          expire, or `undefined` if the token does not exist
    */
-  async getTokenExpiries(_tokensToFetch, _csrfToken) {
-    let idTokenExpiry = void 0;
-    let accessTokenExpiry = void 0;
-    let refreshTokenExpiry = void 0;
-    if (__privateGet(this, _idTokenPayload)) {
-      idTokenExpiry = __privateGet(this, _idTokenPayload).exp ? __privateGet(this, _idTokenPayload).exp : null;
-    }
-    if (__privateGet(this, _accessTokenPayload)) {
-      accessTokenExpiry = __privateGet(this, _accessTokenPayload).exp ? __privateGet(this, _accessTokenPayload).exp : null;
-    }
-    if (__privateGet(this, _refreshTokenPayload)) {
-      refreshTokenExpiry = __privateGet(this, _refreshTokenPayload).exp ? __privateGet(this, _refreshTokenPayload).exp : null;
-    }
-    return {
-      id: idTokenExpiry,
-      access: accessTokenExpiry,
-      refresh: refreshTokenExpiry
+  async getTokenExpiries(t, o) {
+    let s, n, i;
+    return w(this, R) && (s = w(this, R).exp ? w(this, R).exp : null), w(this, K) && (n = w(this, K).exp ? w(this, K).exp : null), w(this, z) && (i = w(this, z).exp ? w(this, z).exp : null), {
+      id: s,
+      access: n,
+      refresh: i
     };
   }
   /**
@@ -2833,71 +2570,36 @@ class OAuthClient extends Be {
    * @param token which token to add
    * @returns parsed JSON response
    */
-  async jsonFetchWithToken(url, params, token) {
-    if (token == "access") {
-      if (!__privateGet(this, _accessToken)) {
-        throw new g(y.InvalidToken, "Cannot make fetch with access token - no access token defined");
-      }
-      if (!params.headers) params.headers = {};
-      params.headers.authorization = "Bearer " + __privateGet(this, _accessToken);
+  async jsonFetchWithToken(t, o, s) {
+    if (s == "access") {
+      if (!w(this, j))
+        throw new g(m.InvalidToken, "Cannot make fetch with access token - no access token defined");
+      o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + w(this, j);
     } else {
-      if (!params.body) params.body = {};
-      if (!__privateGet(this, _refreshToken)) {
-        throw new g(y.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
-      }
-      params.body.refresh_token = __privateGet(this, _refreshToken);
-      params.body.grant_type = "refresh_token";
+      if (o.body || (o.body = {}), !w(this, O))
+        throw new g(m.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
+      o.body.refresh_token = w(this, O), o.body.grant_type = "refresh_token";
     }
-    if (__privateGet(this, _client_id)) {
-      if (!params.body) params.body = {};
-      params.body.client_id = __privateGet(this, _client_id);
-      if (__privateGet(this, _client_secret)) {
-        params.body.client_secret = __privateGet(this, _client_secret);
-      }
-    }
-    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
-    return await fetch(url, params);
+    return w(this, B) && (o.body || (o.body = {}), o.body.client_id = w(this, B), w(this, L) && (o.body.client_secret = w(this, L))), typeof o.body != "string" && (o.body = JSON.stringify(o.body)), await fetch(t, o);
   }
   /**
    * Does nothing as CSRF tokens are not needed for this class
    * @returns `undefined`
    */
   async getCsrfToken() {
-    return void 0;
-  }
-  async receiveTokens(tokens) {
-    if (tokens.access_token) {
-      const payload = this.getTokenPayload(tokens.access_token);
-      if (payload) {
-        __privateSet(this, _accessToken, tokens.access_token);
-        __privateSet(this, _accessTokenPayload, payload);
-      }
-      if (this.accessTokenResponseType == "localStorage") {
-        localStorage.setItem(this.accessTokenName, tokens.access_token);
-      } else if (this.accessTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.accessTokenName, tokens.access_token);
-      }
+  }
+  async receiveTokens(t) {
+    if (t.access_token) {
+      const o = this.getTokenPayload(t.access_token);
+      o && (b(this, j, t.access_token), b(this, K, o)), this.accessTokenResponseType == "localStorage" ? localStorage.setItem(this.accessTokenName, t.access_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.accessTokenName, t.access_token);
     }
-    if (tokens.refresh_token) {
-      const payload = this.getTokenPayload(tokens.refresh_token);
-      if (payload) {
-        __privateSet(this, _refreshToken, tokens.refresh_token);
-        __privateSet(this, _refreshTokenPayload, payload);
-      }
-      if (this.refreshTokenResponseType == "localStorage") {
-        localStorage.setItem(this.refreshTokenName, tokens.refresh_token);
-      } else if (this.accessTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.refreshTokenName, tokens.refresh_token);
-      }
+    if (t.refresh_token) {
+      const o = this.getTokenPayload(t.refresh_token);
+      o && (b(this, O, t.refresh_token), b(this, z, o)), this.refreshTokenResponseType == "localStorage" ? localStorage.setItem(this.refreshTokenName, t.refresh_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);
     }
-    if (tokens.id_token) {
-      const payload = await this.validateIdToken(tokens.id_token);
-      __privateSet(this, _idTokenPayload, payload);
-      if (this.idTokenResponseType == "localStorage") {
-        localStorage.setItem(this.idTokenName, tokens.id_token);
-      } else if (this.idTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.idTokenName, tokens.id_token);
-      }
+    if (t.id_token) {
+      const o = await this.validateIdToken(t.id_token);
+      b(this, R, o), this.idTokenResponseType == "localStorage" ? localStorage.setItem(this.idTokenName, t.id_token) : this.idTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.idTokenName, t.id_token);
     }
   }
   /////////
@@ -2907,99 +2609,82 @@ class OAuthClient extends Be {
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async clientCredentialsFlow(scope) {
-    const resp = await super.clientCredentialsFlow(scope);
-    await this.receiveTokens(resp);
-    return resp;
+  async clientCredentialsFlow(t) {
+    const o = await super.clientCredentialsFlow(t);
+    return await this.receiveTokens(o), o;
   }
   /**
    * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async passwordFlow(username, password, scope) {
-    const resp = await super.passwordFlow(username, password, scope);
-    await this.receiveTokens(resp);
-    return resp;
+  async passwordFlow(t, o, s) {
+    const n = await super.passwordFlow(t, o, s);
+    return await this.receiveTokens(n), n;
   }
   /**
    * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async deviceCodeFlow(scope) {
-    let url = this.authServerBaseUrl;
-    if (!url.endsWith("/")) url += "/";
-    url += this.deviceAuthorizationUrl;
-    const resp = await super.startDeviceCodeFlow(url, scope);
-    return resp;
+  async deviceCodeFlow(t) {
+    let o = this.authServerBaseUrl;
+    return o.endsWith("/") || (o += "/"), o += this.deviceAuthorizationUrl, await super.startDeviceCodeFlow(o, t);
   }
   /**
    * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async mfaOtpComplete(mfaToken, otp) {
-    const resp = await super.mfaOtpComplete(mfaToken, otp);
-    await this.receiveTokens(resp);
-    return resp;
+  async mfaOtpComplete(t, o) {
+    const s = await super.mfaOtpComplete(t, o);
+    return await this.receiveTokens(s), s;
   }
   /**
    * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async mfaOobComplete(mfaToken, oobCode, bindingCode) {
-    const resp = await super.mfaOobComplete(mfaToken, oobCode, bindingCode);
-    await this.receiveTokens(resp);
-    return resp;
+  async mfaOobComplete(t, o, s) {
+    const n = await super.mfaOobComplete(t, o, s);
+    return await this.receiveTokens(n), n;
   }
   /**
    * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
    * then saves the tokens, as per the requested method
    * @param scope 
    */
-  async refreshTokenFlow(refreshToken) {
-    if (!refreshToken) {
-      if (__privateGet(this, _refreshToken)) {
-        refreshToken = __privateGet(this, _refreshToken);
-      } else {
-        throw new g(y.InvalidToken, "Cannot refresh tokens: no refresh token present");
-      }
-    }
-    const resp = await super.refreshTokenFlow(refreshToken);
-    await this.receiveTokens(resp);
-    return resp;
+  async refreshTokenFlow(t) {
+    if (!t)
+      if (w(this, O))
+        t = w(this, O);
+      else
+        throw new g(m.InvalidToken, "Cannot refresh tokens: no refresh token present");
+    const o = await super.refreshTokenFlow(t);
+    return await this.receiveTokens(o), o;
   }
   /**
    * Executes the authorization code flow
    * @param scope the scope to request
    * @param pkce whether or not to use PKCE.
    */
-  async authorizationCodeFlow(scope, pkce = false) {
-    const resp = await super.startAuthorizationCodeFlow(scope, pkce);
-    if (resp.error || !resp.url) {
-      const cerr = g.fromOAuthError(
-        resp.error ?? "Couldn't create URL for authorization code flow",
-        resp.error_description
+  async authorizationCodeFlow(t, o = !1) {
+    const s = await super.startAuthorizationCodeFlow(t, o);
+    if (s.error || !s.url) {
+      const n = g.fromOAuthError(
+        s.error ?? "Couldn't create URL for authorization code flow",
+        s.error_description
       );
-      d.logger.debug(h({ err: cerr }));
-      throw cerr;
+      throw c.logger.debug(d({ err: n })), n;
     }
-    location.href = resp.url;
+    location.href = s.url;
   }
 }
-_accessToken = new WeakMap();
-_refreshToken = new WeakMap();
-_idTokenPayload = new WeakMap();
-_accessTokenPayload = new WeakMap();
-_refreshTokenPayload = new WeakMap();
-_client_id = new WeakMap();
-_client_secret = new WeakMap();
+j = new WeakMap(), O = new WeakMap(), R = new WeakMap(), K = new WeakMap(), z = new WeakMap(), B = new WeakMap(), L = new WeakMap();
 export {
   g as CrossauthError,
-  d as CrossauthLogger,
-  OAuthBffClient,
-  OAuthClient,
-  h as j
+  c as CrossauthLogger,
+  ur as OAuthBffClient,
+  fr as OAuthClient,
+  d as j
 };