@icp-sdk/auth 6.0.0 → 6.2.0

package/README.md

@@ -42,22 +42,20 @@ import { AuthClient } from '@icp-sdk/auth/client';
 
 const authClient = new AuthClient();
 
-// Check for an existing session (synchronous)
-if (authClient.isAuthenticated()) {
-  const identity = await authClient.getIdentity();
-  console.log('Restored session:', identity.getPrincipal().toString());
-}
-
-// Log in
+// restore an existing session if there is one, otherwise sign in
+let identity;
 try {
-  await authClient.login();
-  const identity = await authClient.getIdentity();
-  console.log('Logged in:', identity.getPrincipal().toString());
+  identity = authClient.isAuthenticated()
+    ? await authClient.getIdentity()
+    : await authClient.signIn();
 } catch (error) {
-  console.error('Login failed:', error);
+  console.error('Sign-in failed:', error);
+  throw error;
 }
 
-// Log out
+console.log('Identity:', identity.getPrincipal().toString());
+
+// later, to end the session
 await authClient.logout();
 ```
 
@@ -69,8 +67,82 @@ Skip the Internet Identity authentication method screen and offer sign-in option
 const authClient = new AuthClient({
   openIdProvider: 'google', // or 'apple' or 'microsoft'
 });
+```
+
+### Requesting Identity Attributes
+
+Internet Identity can provide signed identity attributes (e.g., email) alongside authentication. Your backend canister initiates the flow by issuing a nonce tied to the action — this way, even if an attribute bundle is intercepted, it can't be replayed or used for a different action.
+
+Here's a registration flow where the backend needs the user's email:
+
+```typescript
+import { AuthClient } from '@icp-sdk/auth/client';
+import { AttributesIdentity } from '@icp-sdk/core/identity';
+import { HttpAgent, Actor } from '@icp-sdk/core/agent';
+
+const authClient = new AuthClient();
+
+// the backend issues a nonce scoped to registration —
+// this starts the action and binds the upcoming attributes to it
+const anonymousAgent = await HttpAgent.create();
+const backend = Actor.createActor(backendIdl, { agent: anonymousAgent, canisterId });
+const nonce: Uint8Array = await backend.registerBegin();
+
+// sign-in and attribute request happen in parallel — the user sees a single II interaction
+try {
+  const signInPromise = authClient.signIn();
+  const attributesPromise = authClient.requestAttributes({ keys: ['email'], nonce });
+
+  await signInPromise;
+  const { data, signature } = await attributesPromise;
+
+  // wrap the identity so the signed attributes are included in the canister call
+  const identityWithAttributes = new AttributesIdentity({
+    inner: await authClient.getIdentity(),
+    attributes: { data, signature },
+    signer: { canisterId: Principal.fromText('rdmx6-jaaaa-aaaaa-aaadq-cai') }, // Internet Identity canister ID
+  });
+  const agent = await HttpAgent.create({ identity: identityWithAttributes });
+  const app = Actor.createActor(appIdl, { agent, canisterId });
+
+  // the backend verifies the nonce, origin, and timestamp, then extracts the email
+  await app.registerFinish();
+} catch (error) {
+  console.error('Registration failed:', error);
+}
+```
+
+The signed attribute bundle includes implicit fields that your backend canister should verify:
+
+- **`implicit:nonce`** — ties the attributes to a specific canister-initiated action, preventing replay and cross-action reuse. Must originate from the backend, not the frontend.
+- **`implicit:origin`** — the requesting origin, verified by the canister to prevent a malicious dapp from forwarding attribute bundles to your backend.
+- **`implicit:issued_at_timestamp_ns`** — issuance timestamp, allowing the canister to reject stale attributes even if the nonce hasn't expired yet.
+
+> Attributes can also be requested after sign-in — for example, when a user later triggers an action like linking an email. The flow is the same: the backend issues a nonce for that action, the frontend calls `requestAttributes`, and the backend verifies the result.
+
+#### OpenID-Scoped Attributes
+
+When using one-click sign-in, attributes can be scoped to the OpenID provider. Scoped attributes have implicit consent — the user authenticates and shares attributes in a single step without an additional prompt:
+
+```typescript
+import { AuthClient, scopedKeys } from '@icp-sdk/auth/client';
+
+const authClient = new AuthClient({
+  openIdProvider: 'google',
+});
+
+const nonce: Uint8Array = await backend.registerBegin();
+const signInPromise = authClient.signIn();
+// requests name, email, and verified_email from the
+// Google account linked to the user's Internet Identity
+const attributesPromise = authClient.requestAttributes({
+  keys: scopedKeys({ openIdProvider: 'google' }),
+  nonce,
+});
 
-await authClient.login();
+await signInPromise;
+const { data, signature } = await attributesPromise;
+// ... wrap with AttributesIdentity and complete the action as above
 ```
 
 Additional documentation can be found [here](https://js.icp.build/auth/latest/).

package/dist/esm/client/auth-client.d.ts

@@ -7,6 +7,12 @@ declare const ECDSA_KEY_LABEL = "ECDSA";
 declare const ED25519_KEY_LABEL = "Ed25519";
 type BaseKeyType = typeof ECDSA_KEY_LABEL | typeof ED25519_KEY_LABEL;
 export type OpenIdProvider = 'google' | 'apple' | 'microsoft';
+export declare const OPENID_PROVIDER_URLS: {
+    readonly google: "https://accounts.google.com";
+    readonly apple: "https://appleid.apple.com";
+    readonly microsoft: "https://login.microsoftonline.com/{tid}/v2.0";
+};
+declare const DEFAULT_OPENID_SCOPE_KEYS: readonly ["name", "email", "verified_email"];
 /**
  * Options for creating an {@link AuthClient}.
  */
@@ -21,7 +27,7 @@ export interface AuthClientCreateOptions {
      */
     storage?: AuthClientStorage;
     /**
-     * Type of session key to generate on each login.
+     * Type of session key to generate on each sign-in.
      *
      * Use `'Ed25519'` when your storage provider does not support `CryptoKey`.
      * @default 'ECDSA'
@@ -66,12 +72,10 @@ export interface IdleOptions extends IdleManagerOptions {
      */
     disableDefaultIdleCallback?: boolean;
 }
-export type OnSuccessFunc = () => void | Promise<void>;
-export type OnErrorFunc = (error?: string) => void | Promise<void>;
 /**
- * Options for {@link AuthClient.login}.
+ * Options for {@link AuthClient.signIn}.
  */
-export interface AuthClientLoginOptions {
+export interface AuthClientSignInOptions {
     /**
      * Maximum lifetime of the delegation in nanoseconds.
      * @default 8 hours
@@ -81,15 +85,10 @@ export interface AuthClientLoginOptions {
      * Restrict the delegation to specific canisters.
      */
     targets?: Principal[];
-    /**
-     * Called after a successful login.
-     */
-    onSuccess?: OnSuccessFunc;
-    /**
-     * Called when login fails. When provided the error is **not** re-thrown,
-     * allowing the caller to handle it via this callback instead.
-     */
-    onError?: OnErrorFunc;
+}
+export interface SignedAttributes {
+    data: Uint8Array;
+    signature: Uint8Array;
 }
 /**
  * Manages authentication and identity for Internet Computer web apps.
@@ -97,13 +96,9 @@ export interface AuthClientLoginOptions {
  * @example
  * const authClient = new AuthClient();
  *
- * if (authClient.isAuthenticated()) {
- *   const identity = await authClient.getIdentity();
- * }
- *
- * await authClient.login({
- *   onSuccess: () => console.log('Logged in!'),
- * });
+ * const identity = authClient.isAuthenticated()
+ *   ? await authClient.getIdentity()
+ *   : await authClient.signIn();
  */
 export declare class AuthClient {
     #private;
@@ -118,22 +113,35 @@ export declare class AuthClient {
      */
     isAuthenticated(): boolean;
     /**
-     * Opens the identity provider and requests a delegation.
+     * Opens the identity provider, requests a delegation, and returns the authenticated identity.
      *
-     * @param options - Login options.
+     * @param options - Sign-in options.
      * @param options.maxTimeToLive - Maximum lifetime of the delegation in nanoseconds.
      * @param options.targets - Restrict the delegation to specific canisters.
-     * @param options.onSuccess - Called after a successful login.
-     * @param options.onError - Called when login fails. When provided the error is not re-thrown.
-     * @throws When authentication fails and no `onError` callback is provided.
+     * @returns The authenticated identity.
+     * @throws When authentication fails.
      *
      * @example
-     * await authClient.login({
-     *   onSuccess: () => console.log('Logged in!'),
-     *   onError: (err) => console.error(err),
-     * });
+     * try {
+     *   const identity = await authClient.signIn();
+     * } catch (error) {
+     *   console.error('Sign-in failed:', error);
+     * }
      */
-    login(options?: AuthClientLoginOptions): Promise<void>;
+    signIn(options?: AuthClientSignInOptions): Promise<Identity>;
+    /**
+     * Requests signed identity attributes from the identity provider.
+     *
+     * @param params - Request parameters.
+     * @param params.keys - Attribute keys to request (e.g. `['email', 'name']`).
+     * @param params.nonce - 32-byte nonce issued by the RP canister.
+     * @returns Signed attribute data and signature.
+     * @throws When the identity provider returns an error or an invalid response.
+     */
+    requestAttributes(params: {
+        keys: string[];
+        nonce: Uint8Array;
+    }): Promise<SignedAttributes>;
     /**
      * Clears the stored session and resets the client to an anonymous state.
      *
@@ -144,4 +152,22 @@ export declare class AuthClient {
         returnTo?: string;
     }): Promise<void>;
 }
+/**
+ * Scopes attribute keys to an OpenID provider.
+ *
+ * When using one-click sign-in, attributes can be scoped to the same provider
+ * so the user grants access in a single step without an additional prompt.
+ *
+ * @param params.openIdProvider - The OpenID provider the keys should be scoped to.
+ * @param params.keys - The attribute keys to scope. Defaults to `['name', 'email', 'verified_email']`.
+ * @returns The scoped attribute keys as `openid:<provider-url>:<key>`.
+ *
+ * @example
+ * scopedKeys({ openIdProvider: 'google', keys: ['email'] });
+ * // ['openid:https://accounts.google.com:email']
+ */
+export declare function scopedKeys<P extends keyof typeof OPENID_PROVIDER_URLS, K extends string = (typeof DEFAULT_OPENID_SCOPE_KEYS)[number]>(params: {
+    openIdProvider: P;
+    keys?: readonly K[];
+}): `openid:${(typeof OPENID_PROVIDER_URLS)[P]}:${K}`[];
 export {};

package/dist/esm/client/auth-client.js

@@ -14,24 +14,21 @@ const ED25519_KEY_LABEL = 'Ed25519';
 // localStorage key used to cache the delegation expiration so that
 // isAuthenticated() can answer synchronously without hitting IndexedDB.
 const KEY_STORAGE_EXPIRATION = 'ic-delegation_expiration';
-const OPENID_PROVIDER_URLS = {
+export const OPENID_PROVIDER_URLS = {
     google: 'https://accounts.google.com',
     apple: 'https://appleid.apple.com',
     microsoft: 'https://login.microsoftonline.com/{tid}/v2.0',
 };
+const DEFAULT_OPENID_SCOPE_KEYS = ['name', 'email', 'verified_email'];
 /**
  * Manages authentication and identity for Internet Computer web apps.
  *
  * @example
  * const authClient = new AuthClient();
  *
- * if (authClient.isAuthenticated()) {
- *   const identity = await authClient.getIdentity();
- * }
- *
- * await authClient.login({
- *   onSuccess: () => console.log('Logged in!'),
- * });
+ * const identity = authClient.isAuthenticated()
+ *   ? await authClient.getIdentity()
+ *   : await authClient.signIn();
  */
 export class AuthClient {
     #identity = new AnonymousIdentity();
@@ -80,59 +77,80 @@ export class AuthClient {
         return nowNs < expiration;
     }
     /**
-     * Opens the identity provider and requests a delegation.
+     * Opens the identity provider, requests a delegation, and returns the authenticated identity.
      *
-     * @param options - Login options.
+     * @param options - Sign-in options.
      * @param options.maxTimeToLive - Maximum lifetime of the delegation in nanoseconds.
      * @param options.targets - Restrict the delegation to specific canisters.
-     * @param options.onSuccess - Called after a successful login.
-     * @param options.onError - Called when login fails. When provided the error is not re-thrown.
-     * @throws When authentication fails and no `onError` callback is provided.
+     * @returns The authenticated identity.
+     * @throws When authentication fails.
      *
      * @example
-     * await authClient.login({
-     *   onSuccess: () => console.log('Logged in!'),
-     *   onError: (err) => console.error(err),
-     * });
+     * try {
+     *   const identity = await authClient.signIn();
+     * } catch (error) {
+     *   console.error('Sign-in failed:', error);
+     * }
+     */
+    async signIn(options) {
+        await this.#signer.openChannel();
+        const maxTimeToLive = options?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
+        // Fresh key per sign-in so each session has its own cryptographic identity.
+        const key = this.#options.identity ?? (await generateKey(this.#options.keyType ?? ECDSA_KEY_LABEL));
+        const delegationChain = await this.#signer.requestDelegation({
+            publicKey: key.getPublicKey(),
+            targets: options?.targets,
+            maxTimeToLive,
+        });
+        this.#chain = delegationChain;
+        // PartialIdentity only has the public key — no signing capability.
+        if ('toDer' in key) {
+            this.#identity = PartialDelegationIdentity.fromDelegation(key, this.#chain);
+        }
+        else {
+            this.#identity = DelegationIdentity.fromDelegation(key, this.#chain);
+        }
+        const idleOptions = this.#options?.idleOptions;
+        if (!this.idleManager && !idleOptions?.disableIdle) {
+            this.idleManager = IdleManager.create(idleOptions);
+            this.#registerDefaultIdleCallback();
+        }
+        // Persist so the session survives page reloads.
+        await persistChain(this.#storage, this.#chain);
+        await persistKey(this.#storage, key);
+        return this.#identity;
+    }
+    /**
+     * Requests signed identity attributes from the identity provider.
+     *
+     * @param params - Request parameters.
+     * @param params.keys - Attribute keys to request (e.g. `['email', 'name']`).
+     * @param params.nonce - 32-byte nonce issued by the RP canister.
+     * @returns Signed attribute data and signature.
+     * @throws When the identity provider returns an error or an invalid response.
      */
-    async login(options) {
+    async requestAttributes(params) {
+        const nonceBytes = params.nonce;
+        const response = await this.#signer.sendRequest({
+            jsonrpc: '2.0',
+            method: 'ii-icrc3-attributes',
+            params: { keys: params.keys, nonce: toBase64(nonceBytes) },
+        });
+        if ('error' in response) {
+            throw new Error(response.error.message);
+        }
+        const result = response.result;
+        if (typeof result?.data !== 'string' || typeof result?.signature !== 'string') {
+            throw new Error('Invalid response: missing data or signature');
+        }
         try {
-            await this.#signer.openChannel();
-            const maxTimeToLive = options?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
-            // Fresh key per login so each session has its own cryptographic identity.
-            const key = this.#options.identity ?? (await generateKey(this.#options.keyType ?? ECDSA_KEY_LABEL));
-            const delegationChain = await this.#signer.requestDelegation({
-                publicKey: key.getPublicKey(),
-                targets: options?.targets,
-                maxTimeToLive,
-            });
-            this.#chain = delegationChain;
-            // PartialIdentity only has the public key — no signing capability.
-            if ('toDer' in key) {
-                this.#identity = PartialDelegationIdentity.fromDelegation(key, this.#chain);
-            }
-            else {
-                this.#identity = DelegationIdentity.fromDelegation(key, this.#chain);
-            }
-            const idleOptions = this.#options?.idleOptions;
-            if (!this.idleManager && !idleOptions?.disableIdle) {
-                this.idleManager = IdleManager.create(idleOptions);
-                this.#registerDefaultIdleCallback();
-            }
-            // Persist so the session survives page reloads.
-            await persistChain(this.#storage, this.#chain);
-            await persistKey(this.#storage, key);
-            await options?.onSuccess?.();
+            return {
+                data: fromBase64(result.data),
+                signature: fromBase64(result.signature),
+            };
         }
-        catch (error) {
-            // If an onError callback is provided, delegate error handling to the caller.
-            // Otherwise, re-throw so the error can be caught with try/catch or .catch().
-            if (options?.onError) {
-                await options.onError(error instanceof Error ? error.message : String(error));
-            }
-            else {
-                throw error;
-            }
+        catch (cause) {
+            throw new Error('Invalid response: data or signature is not valid base64', { cause });
         }
     }
     /**
@@ -163,7 +181,7 @@ export class AuthClient {
     }
     // Attempts to restore a previous session (key + delegation chain) from
     // storage. If found and still valid, sets #identity and #chain so the
-    // client is ready to use without a new login().
+    // client is ready to use without a new signIn().
     async #hydrate() {
         const key = this.#options.identity ??
             (await restoreKey(this.#storage, this.#options.keyType ?? ECDSA_KEY_LABEL));
@@ -194,6 +212,35 @@ export class AuthClient {
         }
     }
 }
+/**
+ * Encodes a Uint8Array to a base64 string.
+ * @param bytes - The bytes to encode.
+ */
+function toBase64(bytes) {
+    if ('toBase64' in bytes && typeof bytes.toBase64 === 'function') {
+        return bytes.toBase64();
+    }
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return globalThis.btoa(binary);
+}
+/**
+ * Decodes a base64 string to a Uint8Array.
+ * @param str - The base64-encoded string.
+ */
+function fromBase64(str) {
+    if ('fromBase64' in Uint8Array && typeof Uint8Array.fromBase64 === 'function') {
+        return Uint8Array.fromBase64(str);
+    }
+    const binary = globalThis.atob(str);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
 /**
  * Generates a new session key.
  * @param keyType - The key algorithm to use.
@@ -333,4 +380,23 @@ async function migrateFromLocalStorage(storage, keyType) {
         return null;
     }
 }
+/**
+ * Scopes attribute keys to an OpenID provider.
+ *
+ * When using one-click sign-in, attributes can be scoped to the same provider
+ * so the user grants access in a single step without an additional prompt.
+ *
+ * @param params.openIdProvider - The OpenID provider the keys should be scoped to.
+ * @param params.keys - The attribute keys to scope. Defaults to `['name', 'email', 'verified_email']`.
+ * @returns The scoped attribute keys as `openid:<provider-url>:<key>`.
+ *
+ * @example
+ * scopedKeys({ openIdProvider: 'google', keys: ['email'] });
+ * // ['openid:https://accounts.google.com:email']
+ */
+export function scopedKeys(params) {
+    const provider = OPENID_PROVIDER_URLS[params.openIdProvider];
+    const keys = params.keys ?? DEFAULT_OPENID_SCOPE_KEYS;
+    return keys.map((key) => `openid:${provider}:${key}`);
+}
 //# sourceMappingURL=auth-client.js.map

package/dist/esm/client/auth-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../../../src/client/auth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAoC,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EACL,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,GAE1B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAEL,UAAU,EACV,sBAAsB,EACtB,eAAe,EACf,UAAU,EACV,YAAY,GAEb,MAAM,cAAc,CAAC;AAEtB,MAAM,sBAAsB,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;AACrD,MAAM,gBAAgB,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;AACvC,MAAM,oBAAoB,GAAG,sBAAsB,GAAG,gBAAgB,CAAC;AAEvE,MAAM,yBAAyB,GAAG,yBAAyB,CAAC;AAC5D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,oBAAoB,CAAC;AAElE,MAAM,eAAe,GAAG,OAAO,CAAC;AAChC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AAGpC,mEAAmE;AACnE,wEAAwE;AACxE,MAAM,sBAAsB,GAAG,0BAA0B,CAAC;AAI1D,MAAM,oBAAoB,GAAmC;IAC3D,MAAM,EAAE,6BAA6B;IACrC,KAAK,EAAE,2BAA2B;IAClC,SAAS,EAAE,8CAA8C;CAC1D,CAAC;AAsGF;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,UAAU;IACrB,SAAS,GAA+B,IAAI,iBAAiB,EAAE,CAAC;IAChE,MAAM,GAA2B,IAAI,CAAC;IACtC,QAAQ,CAAoB;IAC5B,OAAO,CAAS;IAChB,QAAQ,CAA0B;IAClC,YAAY,GAAyB,IAAI,CAAC;IAC1C,WAAW,CAA0B;IAErC,YAAY,UAAmC,EAAE;QAC/C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,UAAU,EAAE,CAAC;QAEpD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CACjC,OAAO,CAAC,gBAAgB,EAAE,QAAQ,EAAE,IAAI,yBAAyB,CAClE,CAAC;QACF,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;QAC/F,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,oBAAoB,CAAC;YACzC,GAAG,EAAE,mBAAmB,CAAC,QAAQ,EAAE;YACnC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,MAAM,CAAC;YACxB,SAAS;YACT,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,QAAQ,EAAE;SACvD,CAAC,CAAC;QAEH,IAAI,CAAC,4BAA4B,EAAE,CAAC;QAEpC,2DAA2D;QAC3D,2DAA2D;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,6EAA6E;QAC7E,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;QACvC,IAAI,UAAU,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QACtC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QACrD,OAAO,KAAK,GAAG,UAAU,CAAC;IAC5B,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,KAAK,CAAC,OAAgC;QAC1C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAEjC,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,wBAAwB,CAAC;YAEzE,0EAA0E;YAC1E,MAAM,GAAG,GACP,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC;YAE1F,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;gBAC3D,SAAS,EAAE,GAAG,CAAC,YAAY,EAAE;gBAC7B,OAAO,EAAE,OAAO,EAAE,OAAO;gBACzB,aAAa;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC;YAE9B,mEAAmE;YACnE,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;gBACnB,IAAI,CAAC,SAAS,GAAG,yBAAyB,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9E,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,SAAS,GAAG,kBAAkB,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACvE,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC;YAC/C,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC;gBACnD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBACnD,IAAI,CAAC,4BAA4B,EAAE,CAAC;YACtC,CAAC;YAED,gDAAgD;YAChD,MAAM,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YAErC,MAAM,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC;QAC/B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,6EAA6E;YAC7E,6EAA6E;YAC7E,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;gBACrB,MAAM,OAAO,CAAC,OAAO,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAChF,CAAC;iBAAM,CAAC;gBACN,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,UAAiC,EAAE;QAC9C,MAAM,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEnC,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QAEnB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,gDAAgD;IAChD,KAAK,CAAC,QAAQ;QACZ,MAAM,GAAG,GACP,IAAI,CAAC,QAAQ,CAAC,QAAQ;YACtB,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,GAAG,yBAAyB,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,SAAS,GAAG,kBAAkB,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACjE,IAAI,CAAC,4BAA4B,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IAED,4BAA4B;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC;QAC/C,IAAI,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,WAAW,EAAE,0BAA0B,EAAE,CAAC;YACrE,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,GAAG,EAAE;gBACtC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACd,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CAAC,OAAoB;IAC7C,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;QAClC,OAAO,kBAAkB,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC;IACD,OAAO,MAAM,gBAAgB,CAAC,QAAQ,EAAE,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,UAAU,CACvB,OAA0B,EAC1B,GAAmC;IAEnC,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,UAAU,CACvB,OAA0B,EAC1B,OAAoB;IAEpB,IAAI,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,MAAM,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,wDAAwD;QACxD,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,MAAM,gBAAgB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,iEAAiE;QACjE,2CAA2C;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,GAAmC;IACvD,IAAI,GAAG,YAAY,gBAAgB;QAAE,OAAO,GAAG,CAAC,UAAU,EAAE,CAAC;IAC7D,IAAI,GAAG,YAAY,kBAAkB;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,YAAY,CAAC,OAA0B,EAAE,KAAsB;IAC5E,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,EAAE,UAAU,EAAE,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAC/C,IAAI,QAAQ,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,GAAG,QAAQ,EAAE,CAAC;YAC1D,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,YAAY,CAAC,OAAO,CAAC,sBAAsB,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,YAAY,CAAC,OAA0B;IACpD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,aAAa,CAAC,OAA0B;IACrD,MAAM,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACtC,MAAM,OAAO,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC7C,MAAM,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACjC,YAAY,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,SAAS,iBAAiB;IACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC3D,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAA0B,EAC1B,OAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAErD,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,IAAI,OAAO,KAAK,eAAe;YAAE,OAAO,IAAI,CAAC;QAEzE,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QACrF,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;QACtD,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,QAAQ,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC9C,MAAM,QAAQ,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAEvC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,mDAAmD,KAAK,EAAE,CAAC,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
+{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../../../src/client/auth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAoC,MAAM,qBAAqB,CAAC;AAC1F,OAAO,EACL,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,GAE1B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAEL,UAAU,EACV,sBAAsB,EACtB,eAAe,EACf,UAAU,EACV,YAAY,GAEb,MAAM,cAAc,CAAC;AAEtB,MAAM,sBAAsB,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;AACrD,MAAM,gBAAgB,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;AACvC,MAAM,oBAAoB,GAAG,sBAAsB,GAAG,gBAAgB,CAAC;AAEvE,MAAM,yBAAyB,GAAG,yBAAyB,CAAC;AAC5D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,oBAAoB,CAAC;AAElE,MAAM,eAAe,GAAG,OAAO,CAAC;AAChC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AAGpC,mEAAmE;AACnE,wEAAwE;AACxE,MAAM,sBAAsB,GAAG,0BAA0B,CAAC;AAI1D,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,MAAM,EAAE,6BAA6B;IACrC,KAAK,EAAE,2BAA2B;IAClC,SAAS,EAAE,8CAA8C;CACR,CAAC;AAEpD,MAAM,yBAAyB,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAU,CAAC;AA4F/E;;;;;;;;;GASG;AACH,MAAM,OAAO,UAAU;IACrB,SAAS,GAA+B,IAAI,iBAAiB,EAAE,CAAC;IAChE,MAAM,GAA2B,IAAI,CAAC;IACtC,QAAQ,CAAoB;IAC5B,OAAO,CAAS;IAChB,QAAQ,CAA0B;IAClC,YAAY,GAAyB,IAAI,CAAC;IAC1C,WAAW,CAA0B;IAErC,YAAY,UAAmC,EAAE;QAC/C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,UAAU,EAAE,CAAC;QAEpD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CACjC,OAAO,CAAC,gBAAgB,EAAE,QAAQ,EAAE,IAAI,yBAAyB,CAClE,CAAC;QACF,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;QAC/F,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,oBAAoB,CAAC;YACzC,GAAG,EAAE,mBAAmB,CAAC,QAAQ,EAAE;YACnC,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,MAAM,CAAC;YACxB,SAAS;YACT,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,QAAQ,EAAE;SACvD,CAAC,CAAC;QAEH,IAAI,CAAC,4BAA4B,EAAE,CAAC;QAEpC,2DAA2D;QAC3D,2DAA2D;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,6EAA6E;QAC7E,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;QACvC,IAAI,UAAU,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QACtC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QACrD,OAAO,KAAK,GAAG,UAAU,CAAC;IAC5B,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,MAAM,CAAC,OAAiC;QAC5C,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QAEjC,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,wBAAwB,CAAC;QAEzE,4EAA4E;QAC5E,MAAM,GAAG,GACP,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC;QAE1F,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;YAC3D,SAAS,EAAE,GAAG,CAAC,YAAY,EAAE;YAC7B,OAAO,EAAE,OAAO,EAAE,OAAO;YACzB,aAAa;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC;QAE9B,mEAAmE;QACnE,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,GAAG,yBAAyB,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,SAAS,GAAG,kBAAkB,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC;QAC/C,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC;YACnD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACnD,IAAI,CAAC,4BAA4B,EAAE,CAAC;QACtC,CAAC;QAED,gDAAgD;QAChD,MAAM,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAErC,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,iBAAiB,CAAC,MAGvB;QACC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC;QAEhC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;YAC9C,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,qBAAqB;YAC7B,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,EAAE;SAC3D,CAAC,CAAC;QAEH,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAA6C,CAAC;QACtE,IAAI,OAAO,MAAM,EAAE,IAAI,KAAK,QAAQ,IAAI,OAAO,MAAM,EAAE,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC9E,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,CAAC;YACH,OAAO;gBACL,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;gBAC7B,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;aACxC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,yDAAyD,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,UAAiC,EAAE;QAC9C,MAAM,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEnC,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QAEnB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,iDAAiD;IACjD,KAAK,CAAC,QAAQ;QACZ,MAAM,GAAG,GACP,IAAI,CAAC,QAAQ,CAAC,QAAQ;YACtB,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK;YAAE,OAAO;QAEnB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,GAAG,yBAAyB,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,SAAS,GAAG,kBAAkB,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACjE,IAAI,CAAC,4BAA4B,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IAED,4BAA4B;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC;QAC/C,IAAI,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,WAAW,EAAE,0BAA0B,EAAE,CAAC;YACrE,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,GAAG,EAAE;gBACtC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACd,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,QAAQ,CAAC,KAAiB;IACjC,IAAI,UAAU,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,GAAW;IAC7B,IAAI,YAAY,IAAI,UAAU,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9E,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CAAC,OAAoB;IAC7C,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;QAClC,OAAO,kBAAkB,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC;IACD,OAAO,MAAM,gBAAgB,CAAC,QAAQ,EAAE,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,UAAU,CACvB,OAA0B,EAC1B,GAAmC;IAEnC,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,UAAU,CACvB,OAA0B,EAC1B,OAAoB;IAEpB,IAAI,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,MAAM,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,wDAAwD;QACxD,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,MAAM,gBAAgB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,iEAAiE;QACjE,2CAA2C;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,GAAmC;IACvD,IAAI,GAAG,YAAY,gBAAgB;QAAE,OAAO,GAAG,CAAC,UAAU,EAAE,CAAC;IAC7D,IAAI,GAAG,YAAY,kBAAkB;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,YAAY,CAAC,OAA0B,EAAE,KAAsB;IAC5E,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,EAAE,UAAU,EAAE,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAC/C,IAAI,QAAQ,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,GAAG,QAAQ,EAAE,CAAC;YAC1D,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,YAAY,CAAC,OAAO,CAAC,sBAAsB,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,YAAY,CAAC,OAA0B;IACpD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,aAAa,CAAC,OAA0B;IACrD,MAAM,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACtC,MAAM,OAAO,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC7C,MAAM,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACjC,YAAY,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,SAAS,iBAAiB;IACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC3D,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAA0B,EAC1B,OAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAErD,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,IAAI,OAAO,KAAK,eAAe;YAAE,OAAO,IAAI,CAAC;QAEzE,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QACrF,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;QACtD,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,QAAQ,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC9C,MAAM,QAAQ,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAEvC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,mDAAmD,KAAK,EAAE,CAAC,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CAGxB,MAGD;IACC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,yBAAyB,CAAC;IACtD,OAAO,IAAI,CAAC,GAAG,CACb,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,QAAQ,IAAI,GAAG,EAAuD,CAC1F,CAAC;AACJ,CAAC"}

package/dist/esm/client/idle-manager.d.ts

@@ -36,7 +36,7 @@ export declare class IdleManager {
      * on the existing instance.
      * @param {IdleManagerOptions} options Optional configuration
      * @see {@link IdleManagerOptions}
-     * @param options.onIdle Callback once user has been idle. Use to prompt for fresh login, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
+     * @param options.onIdle Callback once user has been idle. Use to prompt for fresh sign-in, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
      * @param options.idleTimeout timeout in ms
      * @param options.captureScroll capture scroll events
      * @param options.scrollDebounce scroll debounce time in ms

package/dist/esm/client/idle-manager.js

@@ -19,7 +19,7 @@ export class IdleManager {
      * on the existing instance.
      * @param {IdleManagerOptions} options Optional configuration
      * @see {@link IdleManagerOptions}
-     * @param options.onIdle Callback once user has been idle. Use to prompt for fresh login, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
+     * @param options.onIdle Callback once user has been idle. Use to prompt for fresh sign-in, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
      * @param options.idleTimeout timeout in ms
      * @param options.captureScroll capture scroll events
      * @param options.scrollDebounce scroll debounce time in ms

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@icp-sdk/auth",
-  "version": "6.0.0",
+  "version": "6.2.0",
   "author": "DFINITY Stiftung <sdk@dfinity.org>",
   "license": "Apache-2.0",
   "description": "Authentication library for Internet Computer web apps",
@@ -44,7 +44,6 @@
   "devDependencies": {
     "@biomejs/biome": "^2.4.10",
     "@icp-sdk/core": "^5.2.1",
-    "@icp-sdk/signer": "^5.2.0",
     "fake-indexeddb": "^6.2.5",
     "jsdom": "^27.4.0",
     "publint": "^0.3.18",
@@ -55,6 +54,7 @@
     "@icp-sdk/core": "^5"
   },
   "dependencies": {
+    "@icp-sdk/signer": "^5.3.0",
     "idb": "^7.1.1"
   },
   "scripts": {

package/src/client/auth-client.ts

@@ -39,11 +39,13 @@ const KEY_STORAGE_EXPIRATION = 'ic-delegation_expiration';
 
 export type OpenIdProvider = 'google' | 'apple' | 'microsoft';
 
-const OPENID_PROVIDER_URLS: Record<OpenIdProvider, string> = {
+export const OPENID_PROVIDER_URLS = {
   google: 'https://accounts.google.com',
   apple: 'https://appleid.apple.com',
   microsoft: 'https://login.microsoftonline.com/{tid}/v2.0',
-};
+} as const satisfies Record<OpenIdProvider, string>;
+
+const DEFAULT_OPENID_SCOPE_KEYS = ['name', 'email', 'verified_email'] as const;
 
 /**
  * Options for creating an {@link AuthClient}.
@@ -61,7 +63,7 @@ export interface AuthClientCreateOptions {
   storage?: AuthClientStorage;
 
   /**
-   * Type of session key to generate on each login.
+   * Type of session key to generate on each sign-in.
    *
    * Use `'Ed25519'` when your storage provider does not support `CryptoKey`.
    * @default 'ECDSA'
@@ -114,14 +116,10 @@ export interface IdleOptions extends IdleManagerOptions {
   disableDefaultIdleCallback?: boolean;
 }
 
-export type OnSuccessFunc = () => void | Promise<void>;
-
-export type OnErrorFunc = (error?: string) => void | Promise<void>;
-
 /**
- * Options for {@link AuthClient.login}.
+ * Options for {@link AuthClient.signIn}.
  */
-export interface AuthClientLoginOptions {
+export interface AuthClientSignInOptions {
   /**
    * Maximum lifetime of the delegation in nanoseconds.
    * @default 8 hours
@@ -132,17 +130,11 @@ export interface AuthClientLoginOptions {
    * Restrict the delegation to specific canisters.
    */
   targets?: Principal[];
+}
 
-  /**
-   * Called after a successful login.
-   */
-  onSuccess?: OnSuccessFunc;
-
-  /**
-   * Called when login fails. When provided the error is **not** re-thrown,
-   * allowing the caller to handle it via this callback instead.
-   */
-  onError?: OnErrorFunc;
+export interface SignedAttributes {
+  data: Uint8Array;
+  signature: Uint8Array;
 }
 
 /**
@@ -151,13 +143,9 @@ export interface AuthClientLoginOptions {
  * @example
  * const authClient = new AuthClient();
  *
- * if (authClient.isAuthenticated()) {
- *   const identity = await authClient.getIdentity();
- * }
- *
- * await authClient.login({
- *   onSuccess: () => console.log('Logged in!'),
- * });
+ * const identity = authClient.isAuthenticated()
+ *   ? await authClient.getIdentity()
+ *   : await authClient.signIn();
  */
 export class AuthClient {
   #identity: Identity | PartialIdentity = new AnonymousIdentity();
@@ -216,65 +204,95 @@ export class AuthClient {
   }
 
   /**
-   * Opens the identity provider and requests a delegation.
+   * Opens the identity provider, requests a delegation, and returns the authenticated identity.
    *
-   * @param options - Login options.
+   * @param options - Sign-in options.
    * @param options.maxTimeToLive - Maximum lifetime of the delegation in nanoseconds.
    * @param options.targets - Restrict the delegation to specific canisters.
-   * @param options.onSuccess - Called after a successful login.
-   * @param options.onError - Called when login fails. When provided the error is not re-thrown.
-   * @throws When authentication fails and no `onError` callback is provided.
+   * @returns The authenticated identity.
+   * @throws When authentication fails.
    *
    * @example
-   * await authClient.login({
-   *   onSuccess: () => console.log('Logged in!'),
-   *   onError: (err) => console.error(err),
-   * });
+   * try {
+   *   const identity = await authClient.signIn();
+   * } catch (error) {
+   *   console.error('Sign-in failed:', error);
+   * }
    */
-  async login(options?: AuthClientLoginOptions): Promise<void> {
-    try {
-      await this.#signer.openChannel();
+  async signIn(options?: AuthClientSignInOptions): Promise<Identity> {
+    await this.#signer.openChannel();
 
-      const maxTimeToLive = options?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
+    const maxTimeToLive = options?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
 
-      // Fresh key per login so each session has its own cryptographic identity.
-      const key =
-        this.#options.identity ?? (await generateKey(this.#options.keyType ?? ECDSA_KEY_LABEL));
+    // Fresh key per sign-in so each session has its own cryptographic identity.
+    const key =
+      this.#options.identity ?? (await generateKey(this.#options.keyType ?? ECDSA_KEY_LABEL));
 
-      const delegationChain = await this.#signer.requestDelegation({
-        publicKey: key.getPublicKey(),
-        targets: options?.targets,
-        maxTimeToLive,
-      });
+    const delegationChain = await this.#signer.requestDelegation({
+      publicKey: key.getPublicKey(),
+      targets: options?.targets,
+      maxTimeToLive,
+    });
 
-      this.#chain = delegationChain;
+    this.#chain = delegationChain;
 
-      // PartialIdentity only has the public key — no signing capability.
-      if ('toDer' in key) {
-        this.#identity = PartialDelegationIdentity.fromDelegation(key, this.#chain);
-      } else {
-        this.#identity = DelegationIdentity.fromDelegation(key, this.#chain);
-      }
+    // PartialIdentity only has the public key — no signing capability.
+    if ('toDer' in key) {
+      this.#identity = PartialDelegationIdentity.fromDelegation(key, this.#chain);
+    } else {
+      this.#identity = DelegationIdentity.fromDelegation(key, this.#chain);
+    }
 
-      const idleOptions = this.#options?.idleOptions;
-      if (!this.idleManager && !idleOptions?.disableIdle) {
-        this.idleManager = IdleManager.create(idleOptions);
-        this.#registerDefaultIdleCallback();
-      }
+    const idleOptions = this.#options?.idleOptions;
+    if (!this.idleManager && !idleOptions?.disableIdle) {
+      this.idleManager = IdleManager.create(idleOptions);
+      this.#registerDefaultIdleCallback();
+    }
 
-      // Persist so the session survives page reloads.
-      await persistChain(this.#storage, this.#chain);
-      await persistKey(this.#storage, key);
-
-      await options?.onSuccess?.();
-    } catch (error) {
-      // If an onError callback is provided, delegate error handling to the caller.
-      // Otherwise, re-throw so the error can be caught with try/catch or .catch().
-      if (options?.onError) {
-        await options.onError(error instanceof Error ? error.message : String(error));
-      } else {
-        throw error;
-      }
+    // Persist so the session survives page reloads.
+    await persistChain(this.#storage, this.#chain);
+    await persistKey(this.#storage, key);
+
+    return this.#identity;
+  }
+
+  /**
+   * Requests signed identity attributes from the identity provider.
+   *
+   * @param params - Request parameters.
+   * @param params.keys - Attribute keys to request (e.g. `['email', 'name']`).
+   * @param params.nonce - 32-byte nonce issued by the RP canister.
+   * @returns Signed attribute data and signature.
+   * @throws When the identity provider returns an error or an invalid response.
+   */
+  async requestAttributes(params: {
+    keys: string[];
+    nonce: Uint8Array;
+  }): Promise<SignedAttributes> {
+    const nonceBytes = params.nonce;
+
+    const response = await this.#signer.sendRequest({
+      jsonrpc: '2.0',
+      method: 'ii-icrc3-attributes',
+      params: { keys: params.keys, nonce: toBase64(nonceBytes) },
+    });
+
+    if ('error' in response) {
+      throw new Error(response.error.message);
+    }
+
+    const result = response.result as Record<string, unknown> | undefined;
+    if (typeof result?.data !== 'string' || typeof result?.signature !== 'string') {
+      throw new Error('Invalid response: missing data or signature');
+    }
+
+    try {
+      return {
+        data: fromBase64(result.data),
+        signature: fromBase64(result.signature),
+      };
+    } catch (cause) {
+      throw new Error('Invalid response: data or signature is not valid base64', { cause });
     }
   }
 
@@ -309,7 +327,7 @@ export class AuthClient {
 
   // Attempts to restore a previous session (key + delegation chain) from
   // storage. If found and still valid, sets #identity and #chain so the
-  // client is ready to use without a new login().
+  // client is ready to use without a new signIn().
   async #hydrate(): Promise<void> {
     const key =
       this.#options.identity ??
@@ -343,6 +361,37 @@ export class AuthClient {
   }
 }
 
+/**
+ * Encodes a Uint8Array to a base64 string.
+ * @param bytes - The bytes to encode.
+ */
+function toBase64(bytes: Uint8Array): string {
+  if ('toBase64' in bytes && typeof bytes.toBase64 === 'function') {
+    return bytes.toBase64();
+  }
+  let binary = '';
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return globalThis.btoa(binary);
+}
+
+/**
+ * Decodes a base64 string to a Uint8Array.
+ * @param str - The base64-encoded string.
+ */
+function fromBase64(str: string): Uint8Array {
+  if ('fromBase64' in Uint8Array && typeof Uint8Array.fromBase64 === 'function') {
+    return Uint8Array.fromBase64(str);
+  }
+  const binary = globalThis.atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
 /**
  * Generates a new session key.
  * @param keyType - The key algorithm to use.
@@ -496,3 +545,31 @@ async function migrateFromLocalStorage(
     return null;
   }
 }
+
+/**
+ * Scopes attribute keys to an OpenID provider.
+ *
+ * When using one-click sign-in, attributes can be scoped to the same provider
+ * so the user grants access in a single step without an additional prompt.
+ *
+ * @param params.openIdProvider - The OpenID provider the keys should be scoped to.
+ * @param params.keys - The attribute keys to scope. Defaults to `['name', 'email', 'verified_email']`.
+ * @returns The scoped attribute keys as `openid:<provider-url>:<key>`.
+ *
+ * @example
+ * scopedKeys({ openIdProvider: 'google', keys: ['email'] });
+ * // ['openid:https://accounts.google.com:email']
+ */
+export function scopedKeys<
+  P extends keyof typeof OPENID_PROVIDER_URLS,
+  K extends string = (typeof DEFAULT_OPENID_SCOPE_KEYS)[number],
+>(params: {
+  openIdProvider: P;
+  keys?: readonly K[];
+}): `openid:${(typeof OPENID_PROVIDER_URLS)[P]}:${K}`[] {
+  const provider = OPENID_PROVIDER_URLS[params.openIdProvider];
+  const keys = params.keys ?? DEFAULT_OPENID_SCOPE_KEYS;
+  return keys.map(
+    (key) => `openid:${provider}:${key}` as `openid:${(typeof OPENID_PROVIDER_URLS)[P]}:${K}`,
+  );
+}

package/src/client/idle-manager.ts

@@ -46,7 +46,7 @@ export class IdleManager {
    * on the existing instance.
    * @param {IdleManagerOptions} options Optional configuration
    * @see {@link IdleManagerOptions}
-   * @param options.onIdle Callback once user has been idle. Use to prompt for fresh login, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
+   * @param options.onIdle Callback once user has been idle. Use to prompt for fresh sign-in, and use `Actor.agentOf(your_actor).invalidateIdentity()` to protect the user
    * @param options.idleTimeout timeout in ms
    * @param options.captureScroll capture scroll events
    * @param options.scrollDebounce scroll debounce time in ms