@logto/client 2.1.0 → 2.2.1

package/lib/adapter/index.cjs

@@ -0,0 +1,63 @@
+'use strict';
+
+var essentials = require('@silverhand/essentials');
+var types = require('./types.cjs');
+
+class ClientAdapterInstance {
+    /* END OF IMPLEMENTATION */
+    constructor(adapter) {
+        // eslint-disable-next-line @silverhand/fp/no-mutating-assign
+        Object.assign(this, adapter);
+    }
+    async setStorageItem(key, value) {
+        if (!value) {
+            await this.storage.removeItem(key);
+            return;
+        }
+        await this.storage.setItem(key, value);
+    }
+    /**
+     * Try to get the string value from the cache and parse as JSON.
+     * Return the parsed value if it is an object, return `undefined` otherwise.
+     *
+     * @param key The cache key to get value from.
+     */
+    async getCachedObject(key) {
+        const cached = await essentials.trySafe(async () => {
+            const data = await this.unstable_cache?.getItem(key);
+            // It's actually `unknown`
+            // eslint-disable-next-line no-restricted-syntax
+            return essentials.conditional(data && JSON.parse(data));
+        });
+        if (cached && typeof cached === 'object') {
+            // Trust cache for now
+            // eslint-disable-next-line no-restricted-syntax
+            return cached;
+        }
+    }
+    /**
+     * Try to get the value from the cache first, if it doesn't exist in cache,
+     * run the getter function and store the result into cache.
+     *
+     * @param key The cache key to get value from.
+     */
+    async getWithCache(key, getter) {
+        const cached = await this.getCachedObject(key);
+        if (cached) {
+            return cached;
+        }
+        const result = await getter();
+        await this.unstable_cache?.setItem(key, JSON.stringify(result));
+        return result;
+    }
+}
+
+Object.defineProperty(exports, 'CacheKey', {
+    enumerable: true,
+    get: function () { return types.CacheKey; }
+});
+Object.defineProperty(exports, 'PersistKey', {
+    enumerable: true,
+    get: function () { return types.PersistKey; }
+});
+exports.ClientAdapterInstance = ClientAdapterInstance;

package/lib/adapter/index.d.ts

@@ -0,0 +1,29 @@
+import { type Requester } from '@logto/js';
+import { type Nullable } from '@silverhand/essentials';
+import { type CacheKey, type Navigate, type PersistKey, type Storage, type StorageKey, type ClientAdapter, type InferStorageKey } from './types.js';
+export declare class ClientAdapterInstance implements ClientAdapter {
+    requester: Requester;
+    storage: Storage<StorageKey | PersistKey>;
+    unstable_cache?: Storage<CacheKey> | undefined;
+    navigate: Navigate;
+    generateState: () => string;
+    generateCodeVerifier: () => string;
+    generateCodeChallenge: (codeVerifier: string) => Promise<string>;
+    constructor(adapter: ClientAdapter);
+    setStorageItem(key: InferStorageKey<typeof this.storage>, value: Nullable<string>): Promise<void>;
+    /**
+     * Try to get the string value from the cache and parse as JSON.
+     * Return the parsed value if it is an object, return `undefined` otherwise.
+     *
+     * @param key The cache key to get value from.
+     */
+    getCachedObject<T>(key: CacheKey): Promise<T | undefined>;
+    /**
+     * Try to get the value from the cache first, if it doesn't exist in cache,
+     * run the getter function and store the result into cache.
+     *
+     * @param key The cache key to get value from.
+     */
+    getWithCache<T>(key: CacheKey, getter: () => Promise<T>): Promise<T>;
+}
+export * from './types.js';

package/lib/adapter/index.js

@@ -0,0 +1,53 @@
+import { trySafe, conditional } from '@silverhand/essentials';
+export { CacheKey, PersistKey } from './types.js';
+
+class ClientAdapterInstance {
+    /* END OF IMPLEMENTATION */
+    constructor(adapter) {
+        // eslint-disable-next-line @silverhand/fp/no-mutating-assign
+        Object.assign(this, adapter);
+    }
+    async setStorageItem(key, value) {
+        if (!value) {
+            await this.storage.removeItem(key);
+            return;
+        }
+        await this.storage.setItem(key, value);
+    }
+    /**
+     * Try to get the string value from the cache and parse as JSON.
+     * Return the parsed value if it is an object, return `undefined` otherwise.
+     *
+     * @param key The cache key to get value from.
+     */
+    async getCachedObject(key) {
+        const cached = await trySafe(async () => {
+            const data = await this.unstable_cache?.getItem(key);
+            // It's actually `unknown`
+            // eslint-disable-next-line no-restricted-syntax
+            return conditional(data && JSON.parse(data));
+        });
+        if (cached && typeof cached === 'object') {
+            // Trust cache for now
+            // eslint-disable-next-line no-restricted-syntax
+            return cached;
+        }
+    }
+    /**
+     * Try to get the value from the cache first, if it doesn't exist in cache,
+     * run the getter function and store the result into cache.
+     *
+     * @param key The cache key to get value from.
+     */
+    async getWithCache(key, getter) {
+        const cached = await this.getCachedObject(key);
+        if (cached) {
+            return cached;
+        }
+        const result = await getter();
+        await this.unstable_cache?.setItem(key, JSON.stringify(result));
+        return result;
+    }
+}
+
+export { ClientAdapterInstance };

package/lib/adapter/index.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/adapter/types.cjs

@@ -0,0 +1,24 @@
+'use strict';
+
+exports.PersistKey = void 0;
+(function (PersistKey) {
+    PersistKey["IdToken"] = "idToken";
+    PersistKey["RefreshToken"] = "refreshToken";
+    PersistKey["AccessToken"] = "accessToken";
+    PersistKey["SignInSession"] = "signInSession";
+})(exports.PersistKey || (exports.PersistKey = {}));
+exports.CacheKey = void 0;
+(function (CacheKey) {
+    /**
+     * OpenID Configuration endpoint response.
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse | OpenID Connect Discovery 1.0}
+     */
+    CacheKey["OpenidConfig"] = "openidConfiguration";
+    /**
+     * The content of OpenID Provider's `jwks_uri` (JSON Web Key Set).
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata | OpenID Connect Discovery 1.0}
+     */
+    CacheKey["Jwks"] = "jwks";
+})(exports.CacheKey || (exports.CacheKey = {}));

package/lib/adapter/types.d.ts

@@ -0,0 +1,45 @@
+import type { Requester } from '@logto/js';
+import type { Nullable } from '@silverhand/essentials';
+/** @deprecated Use {@link PersistKey} instead. */
+export type StorageKey = 'idToken' | 'refreshToken' | 'accessToken' | 'signInSession';
+export declare enum PersistKey {
+    IdToken = "idToken",
+    RefreshToken = "refreshToken",
+    AccessToken = "accessToken",
+    SignInSession = "signInSession"
+}
+export declare enum CacheKey {
+    /**
+     * OpenID Configuration endpoint response.
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse | OpenID Connect Discovery 1.0}
+     */
+    OpenidConfig = "openidConfiguration",
+    /**
+     * The content of OpenID Provider's `jwks_uri` (JSON Web Key Set).
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata | OpenID Connect Discovery 1.0}
+     */
+    Jwks = "jwks"
+}
+export type Storage<Keys extends string> = {
+    getItem(key: Keys): Promise<Nullable<string>>;
+    setItem(key: Keys, value: string): Promise<void>;
+    removeItem(key: Keys): Promise<void>;
+};
+export type InferStorageKey<S> = S extends Storage<infer Key> ? Key : never;
+export type Navigate = (url: string) => void;
+export type ClientAdapter = {
+    requester: Requester;
+    storage: Storage<StorageKey | PersistKey>;
+    /**
+     * An optional storage for caching well-known data.
+     *
+     * @see {@link CacheKey}
+     */
+    unstable_cache?: Storage<CacheKey>;
+    navigate: Navigate;
+    generateState: () => string;
+    generateCodeVerifier: () => string;
+    generateCodeChallenge: (codeVerifier: string) => Promise<string>;
+};

package/lib/adapter/types.js

@@ -0,0 +1,24 @@
+var PersistKey;
+(function (PersistKey) {
+    PersistKey["IdToken"] = "idToken";
+    PersistKey["RefreshToken"] = "refreshToken";
+    PersistKey["AccessToken"] = "accessToken";
+    PersistKey["SignInSession"] = "signInSession";
+})(PersistKey || (PersistKey = {}));
+var CacheKey;
+(function (CacheKey) {
+    /**
+     * OpenID Configuration endpoint response.
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse | OpenID Connect Discovery 1.0}
+     */
+    CacheKey["OpenidConfig"] = "openidConfiguration";
+    /**
+     * The content of OpenID Provider's `jwks_uri` (JSON Web Key Set).
+     *
+     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata | OpenID Connect Discovery 1.0}
+     */
+    CacheKey["Jwks"] = "jwks";
+})(CacheKey || (CacheKey = {}));
+
+export { CacheKey, PersistKey };

package/lib/index.cache.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/index.cjs

@@ -4,23 +4,27 @@ Object.defineProperty(exports, '__esModule', { value: true });
 
 var js = require('@logto/js');
 var jose = require('jose');
+var index$1 = require('./adapter/index.cjs');
 var errors = require('./errors.cjs');
+var remoteJwkSet = require('./remote-jwk-set.cjs');
 var index = require('./types/index.cjs');
-var index$1 = require('./utils/index.cjs');
+var index$2 = require('./utils/index.cjs');
+var memoize = require('./utils/memoize.cjs');
 var once = require('./utils/once.cjs');
+var types = require('./adapter/types.cjs');
 var requester = require('./utils/requester.cjs');
 
 class LogtoClient {
     constructor(logtoConfig, adapter) {
-        this.getOidcConfig = once.once(this._getOidcConfig);
-        this.getJwtVerifyGetKey = once.once(this._getJwtVerifyGetKey);
+        this.getOidcConfig = memoize.memoize(this.#getOidcConfig);
+        this.getJwtVerifyGetKey = once.once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
         this.logtoConfig = {
             ...logtoConfig,
             prompt: logtoConfig.prompt ?? js.Prompt.Consent,
             scopes: js.withDefaultScopes(logtoConfig.scopes).split(' '),
         };
-        this.adapter = adapter;
+        this.adapter = new index$1.ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
     async isAuthenticated() {
@@ -36,7 +40,7 @@ class LogtoClient {
         if (!(await this.getIdToken())) {
             throw new errors.LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = index$1.buildAccessTokenKey(resource);
+        const accessTokenKey = index$2.buildAccessTokenKey(resource);
         const accessToken = this.accessTokenMap.get(accessTokenKey);
         if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
             return accessToken.token;
@@ -101,25 +105,38 @@ class LogtoClient {
         return `${origin}${pathname}` === redirectUri;
     }
     async handleSignInCallback(callbackUri) {
-        const { logtoConfig, adapter } = this;
-        const { requester } = adapter;
+        const { requester } = this.adapter;
         const signInSession = await this.getSignInSession();
         if (!signInSession) {
             throw new errors.LogtoClientError('sign_in_session.not_found');
         }
         const { redirectUri, state, codeVerifier } = signInSession;
         const code = js.verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        const { appId: clientId } = logtoConfig;
+        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
+        const accessTokenKey = index$2.buildAccessTokenKey();
+        const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
-        const codeTokenResponse = await js.fetchTokenByAuthorizationCode({
+        const requestedAt = Math.round(Date.now() / 1000);
+        const { idToken, refreshToken, accessToken, scope, expiresIn } = await js.fetchTokenByAuthorizationCode({
             clientId,
             tokenEndpoint,
             redirectUri,
             codeVerifier,
             code,
         }, requester);
-        await this.verifyIdToken(codeTokenResponse.idToken);
-        await this.saveCodeToken(codeTokenResponse);
+        await this.verifyIdToken(idToken);
+        await this.setRefreshToken(refreshToken ?? null);
+        await this.setIdToken(idToken);
+        this.accessTokenMap.set(accessTokenKey, {
+            token: accessToken,
+            scope,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
+        });
+        await this.saveAccessTokenMap();
         await this.setSignInSession(null);
     }
     async signOut(postLogoutRedirectUri) {
@@ -156,36 +173,24 @@ class LogtoClient {
         }
         return item;
     }
-    async setSignInSession(logtoSignInSessionItem) {
-        if (!logtoSignInSessionItem) {
-            await this.adapter.storage.removeItem('signInSession');
-            return;
-        }
-        const jsonItem = JSON.stringify(logtoSignInSessionItem);
-        await this.adapter.storage.setItem('signInSession', jsonItem);
+    async setSignInSession(value) {
+        return this.adapter.setStorageItem(types.PersistKey.SignInSession, value && JSON.stringify(value));
     }
-    async setIdToken(idToken) {
-        if (!idToken) {
-            await this.adapter.storage.removeItem('idToken');
-            return;
-        }
-        await this.adapter.storage.setItem('idToken', idToken);
+    async setIdToken(value) {
+        return this.adapter.setStorageItem(types.PersistKey.IdToken, value);
     }
-    async setRefreshToken(refreshToken) {
-        if (!refreshToken) {
-            await this.adapter.storage.removeItem('refreshToken');
-            return;
-        }
-        await this.adapter.storage.setItem('refreshToken', refreshToken);
+    async setRefreshToken(value) {
+        return this.adapter.setStorageItem(types.PersistKey.RefreshToken, value);
     }
     async getAccessTokenByRefreshToken(resource) {
         const currentRefreshToken = await this.getRefreshToken();
         if (!currentRefreshToken) {
             throw new errors.LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = index$1.buildAccessTokenKey(resource);
+        const accessTokenKey = index$2.buildAccessTokenKey(resource);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
+        const requestedAt = Math.round(Date.now() / 1000);
         const { accessToken, refreshToken, idToken, scope, expiresIn } = await js.fetchTokenByRefreshToken({
             clientId,
             tokenEndpoint,
@@ -195,7 +200,11 @@ class LogtoClient {
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
             scope,
-            expiresAt: Math.round(Date.now() / 1000) + expiresIn,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
         });
         await this.saveAccessTokenMap();
         await this.setRefreshToken(refreshToken);
@@ -205,30 +214,12 @@ class LogtoClient {
         }
         return accessToken;
     }
-    async _getOidcConfig() {
-        const { endpoint } = this.logtoConfig;
-        const discoveryEndpoint = index$1.getDiscoveryEndpoint(endpoint);
-        return js.fetchOidcConfig(discoveryEndpoint, this.adapter.requester);
-    }
-    async _getJwtVerifyGetKey() {
-        const { jwksUri } = await this.getOidcConfig();
-        return jose.createRemoteJWKSet(new URL(jwksUri));
-    }
     async verifyIdToken(idToken) {
         const { appId } = this.logtoConfig;
         const { issuer } = await this.getOidcConfig();
         const jwtVerifyGetKey = await this.getJwtVerifyGetKey();
         await js.verifyIdToken(idToken, appId, issuer, jwtVerifyGetKey);
     }
-    async saveCodeToken({ refreshToken, idToken, scope, accessToken, expiresIn, }) {
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = index$1.buildAccessTokenKey();
-        const expiresAt = Date.now() / 1000 + expiresIn;
-        this.accessTokenMap.set(accessTokenKey, { token: accessToken, scope, expiresAt });
-        await this.saveAccessTokenMap();
-    }
     async saveAccessTokenMap() {
         const data = {};
         for (const [key, accessToken] of this.accessTokenMap.entries()) {
@@ -256,6 +247,19 @@ class LogtoClient {
             console.warn(error);
         }
     }
+    async #getOidcConfig() {
+        return this.adapter.getWithCache(types.CacheKey.OpenidConfig, async () => {
+            return js.fetchOidcConfig(index$2.getDiscoveryEndpoint(this.logtoConfig.endpoint), this.adapter.requester);
+        });
+    }
+    async #getJwtVerifyGetKey() {
+        const { jwksUri } = await this.getOidcConfig();
+        if (!this.adapter.unstable_cache) {
+            return jose.createRemoteJWKSet(new URL(jwksUri));
+        }
+        const cachedJwkSet = new remoteJwkSet.CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
+        return async (...args) => cachedJwkSet.getKey(...args);
+    }
 }
 
 Object.defineProperty(exports, 'LogtoError', {
@@ -285,5 +289,13 @@ Object.defineProperty(exports, 'UserScope', {
 exports.LogtoClientError = errors.LogtoClientError;
 exports.isLogtoAccessTokenMap = index.isLogtoAccessTokenMap;
 exports.isLogtoSignInSessionItem = index.isLogtoSignInSessionItem;
+Object.defineProperty(exports, 'CacheKey', {
+    enumerable: true,
+    get: function () { return types.CacheKey; }
+});
+Object.defineProperty(exports, 'PersistKey', {
+    enumerable: true,
+    get: function () { return types.PersistKey; }
+});
 exports.createRequester = requester.createRequester;
 exports.default = LogtoClient;

package/lib/index.constructor.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/index.d.ts

@@ -1,18 +1,29 @@
 import { type IdTokenClaims, type UserInfoResponse, type InteractionMode, type AccessTokenClaims } from '@logto/js';
-import type { Nullable } from '@silverhand/essentials';
-import type { ClientAdapter } from './adapter.js';
+import { type Nullable } from '@silverhand/essentials';
+import { type JWTVerifyGetKey } from 'jose';
+import { ClientAdapterInstance, type ClientAdapter } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
 export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
 export { LogtoError, OidcError, Prompt, LogtoRequestError, ReservedScope, UserScope, } from '@logto/js';
 export * from './errors.js';
-export type { Storage, StorageKey, ClientAdapter } from './adapter.js';
+export type { Storage, StorageKey, ClientAdapter } from './adapter/index.js';
+export { PersistKey, CacheKey } from './adapter/index.js';
 export { createRequester } from './utils/index.js';
 export * from './types/index.js';
 export default class LogtoClient {
+    #private;
     protected readonly logtoConfig: LogtoConfig;
-    protected readonly getOidcConfig: typeof this._getOidcConfig;
-    protected readonly getJwtVerifyGetKey: (...args: unknown[]) => Promise<(protectedHeader?: import("jose").JWSHeaderParameters | undefined, token?: import("jose").FlattenedJWSInput | undefined) => Promise<import("jose").KeyLike>>;
-    protected readonly adapter: ClientAdapter;
+    protected readonly getOidcConfig: (this: unknown) => Promise<import("@silverhand/essentials").KeysToCamelCase<{
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        end_session_endpoint: string;
+        revocation_endpoint: string;
+        jwks_uri: string;
+        issuer: string;
+    }>>;
+    protected readonly getJwtVerifyGetKey: (...args: unknown[]) => Promise<JWTVerifyGetKey>;
+    protected readonly adapter: ClientAdapterInstance;
     protected readonly accessTokenMap: Map<string, AccessToken>;
     constructor(logtoConfig: LogtoConfig, adapter: ClientAdapter);
     isAuthenticated(): Promise<boolean>;
@@ -27,14 +38,11 @@ export default class LogtoClient {
     handleSignInCallback(callbackUri: string): Promise<void>;
     signOut(postLogoutRedirectUri?: string): Promise<void>;
     protected getSignInSession(): Promise<Nullable<LogtoSignInSessionItem>>;
-    protected setSignInSession(logtoSignInSessionItem: Nullable<LogtoSignInSessionItem>): Promise<void>;
+    protected setSignInSession(value: Nullable<LogtoSignInSessionItem>): Promise<void>;
     private setIdToken;
     private setRefreshToken;
     private getAccessTokenByRefreshToken;
-    private _getOidcConfig;
-    private _getJwtVerifyGetKey;
     private verifyIdToken;
-    private saveCodeToken;
     private saveAccessTokenMap;
     private loadAccessTokenMap;
 }

package/lib/index.js

@@ -1,23 +1,27 @@
-import { Prompt, withDefaultScopes, decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode, revoke, generateSignOutUri, fetchTokenByRefreshToken, fetchOidcConfig, verifyIdToken } from '@logto/js';
+import { Prompt, withDefaultScopes, decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig } from '@logto/js';
 export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope } from '@logto/js';
 import { createRemoteJWKSet } from 'jose';
+import { ClientAdapterInstance } from './adapter/index.js';
 import { LogtoClientError } from './errors.js';
+import { CachedRemoteJwkSet } from './remote-jwk-set.js';
 import { isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
 import { buildAccessTokenKey, getDiscoveryEndpoint } from './utils/index.js';
+import { memoize } from './utils/memoize.js';
 import { once } from './utils/once.js';
+import { PersistKey, CacheKey } from './adapter/types.js';
 export { createRequester } from './utils/requester.js';
 
 class LogtoClient {
     constructor(logtoConfig, adapter) {
-        this.getOidcConfig = once(this._getOidcConfig);
-        this.getJwtVerifyGetKey = once(this._getJwtVerifyGetKey);
+        this.getOidcConfig = memoize(this.#getOidcConfig);
+        this.getJwtVerifyGetKey = once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
         this.logtoConfig = {
             ...logtoConfig,
             prompt: logtoConfig.prompt ?? Prompt.Consent,
             scopes: withDefaultScopes(logtoConfig.scopes).split(' '),
         };
-        this.adapter = adapter;
+        this.adapter = new ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
     async isAuthenticated() {
@@ -98,25 +102,38 @@ class LogtoClient {
         return `${origin}${pathname}` === redirectUri;
     }
     async handleSignInCallback(callbackUri) {
-        const { logtoConfig, adapter } = this;
-        const { requester } = adapter;
+        const { requester } = this.adapter;
         const signInSession = await this.getSignInSession();
         if (!signInSession) {
             throw new LogtoClientError('sign_in_session.not_found');
         }
         const { redirectUri, state, codeVerifier } = signInSession;
         const code = verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        const { appId: clientId } = logtoConfig;
+        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
+        const accessTokenKey = buildAccessTokenKey();
+        const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
-        const codeTokenResponse = await fetchTokenByAuthorizationCode({
+        const requestedAt = Math.round(Date.now() / 1000);
+        const { idToken, refreshToken, accessToken, scope, expiresIn } = await fetchTokenByAuthorizationCode({
             clientId,
             tokenEndpoint,
             redirectUri,
             codeVerifier,
             code,
         }, requester);
-        await this.verifyIdToken(codeTokenResponse.idToken);
-        await this.saveCodeToken(codeTokenResponse);
+        await this.verifyIdToken(idToken);
+        await this.setRefreshToken(refreshToken ?? null);
+        await this.setIdToken(idToken);
+        this.accessTokenMap.set(accessTokenKey, {
+            token: accessToken,
+            scope,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
+        });
+        await this.saveAccessTokenMap();
         await this.setSignInSession(null);
     }
     async signOut(postLogoutRedirectUri) {
@@ -153,27 +170,14 @@ class LogtoClient {
         }
         return item;
     }
-    async setSignInSession(logtoSignInSessionItem) {
-        if (!logtoSignInSessionItem) {
-            await this.adapter.storage.removeItem('signInSession');
-            return;
-        }
-        const jsonItem = JSON.stringify(logtoSignInSessionItem);
-        await this.adapter.storage.setItem('signInSession', jsonItem);
+    async setSignInSession(value) {
+        return this.adapter.setStorageItem(PersistKey.SignInSession, value && JSON.stringify(value));
     }
-    async setIdToken(idToken) {
-        if (!idToken) {
-            await this.adapter.storage.removeItem('idToken');
-            return;
-        }
-        await this.adapter.storage.setItem('idToken', idToken);
+    async setIdToken(value) {
+        return this.adapter.setStorageItem(PersistKey.IdToken, value);
     }
-    async setRefreshToken(refreshToken) {
-        if (!refreshToken) {
-            await this.adapter.storage.removeItem('refreshToken');
-            return;
-        }
-        await this.adapter.storage.setItem('refreshToken', refreshToken);
+    async setRefreshToken(value) {
+        return this.adapter.setStorageItem(PersistKey.RefreshToken, value);
     }
     async getAccessTokenByRefreshToken(resource) {
         const currentRefreshToken = await this.getRefreshToken();
@@ -183,6 +187,7 @@ class LogtoClient {
         const accessTokenKey = buildAccessTokenKey(resource);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
+        const requestedAt = Math.round(Date.now() / 1000);
         const { accessToken, refreshToken, idToken, scope, expiresIn } = await fetchTokenByRefreshToken({
             clientId,
             tokenEndpoint,
@@ -192,7 +197,11 @@ class LogtoClient {
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
             scope,
-            expiresAt: Math.round(Date.now() / 1000) + expiresIn,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
         });
         await this.saveAccessTokenMap();
         await this.setRefreshToken(refreshToken);
@@ -202,30 +211,12 @@ class LogtoClient {
         }
         return accessToken;
     }
-    async _getOidcConfig() {
-        const { endpoint } = this.logtoConfig;
-        const discoveryEndpoint = getDiscoveryEndpoint(endpoint);
-        return fetchOidcConfig(discoveryEndpoint, this.adapter.requester);
-    }
-    async _getJwtVerifyGetKey() {
-        const { jwksUri } = await this.getOidcConfig();
-        return createRemoteJWKSet(new URL(jwksUri));
-    }
     async verifyIdToken(idToken) {
         const { appId } = this.logtoConfig;
         const { issuer } = await this.getOidcConfig();
         const jwtVerifyGetKey = await this.getJwtVerifyGetKey();
         await verifyIdToken(idToken, appId, issuer, jwtVerifyGetKey);
     }
-    async saveCodeToken({ refreshToken, idToken, scope, accessToken, expiresIn, }) {
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = buildAccessTokenKey();
-        const expiresAt = Date.now() / 1000 + expiresIn;
-        this.accessTokenMap.set(accessTokenKey, { token: accessToken, scope, expiresAt });
-        await this.saveAccessTokenMap();
-    }
     async saveAccessTokenMap() {
         const data = {};
         for (const [key, accessToken] of this.accessTokenMap.entries()) {
@@ -253,6 +244,19 @@ class LogtoClient {
             console.warn(error);
         }
     }
+    async #getOidcConfig() {
+        return this.adapter.getWithCache(CacheKey.OpenidConfig, async () => {
+            return fetchOidcConfig(getDiscoveryEndpoint(this.logtoConfig.endpoint), this.adapter.requester);
+        });
+    }
+    async #getJwtVerifyGetKey() {
+        const { jwksUri } = await this.getOidcConfig();
+        if (!this.adapter.unstable_cache) {
+            return createRemoteJWKSet(new URL(jwksUri));
+        }
+        const cachedJwkSet = new CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
+        return async (...args) => cachedJwkSet.getKey(...args);
+    }
 }
 
-export { LogtoClientError, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem };
+export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem };

package/lib/index.sign-in.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/index.sign-out.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/mock.d.ts

@@ -1,12 +1,12 @@
 /// <reference types="jest" />
 import { Prompt } from '@logto/js';
-import type { Nullable } from '@silverhand/essentials';
-import type { Storage } from './adapter.js';
+import { type Nullable } from '@silverhand/essentials';
+import type { Storage } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './index.js';
 import LogtoClient from './index.js';
 export declare const appId = "app_id_value";
 export declare const endpoint = "https://logto.dev";
-export declare class MockedStorage implements Storage {
+export declare class MockedStorage implements Storage<string> {
     private storage;
     constructor(values?: Record<string, string>);
     getItem(key: string): Promise<string | null>;
@@ -33,6 +33,15 @@ export declare const accessToken = "access_token_value";
 export declare const refreshToken = "new_refresh_token_value";
 export declare const idToken = "id_token_value";
 export declare const currentUnixTimeStamp: number;
+export declare const mockFetchOidcConfig: (delay?: number) => jest.Mock<Promise<{
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    userinfoEndpoint: string;
+    endSessionEndpoint: string;
+    revocationEndpoint: string;
+    jwksUri: string;
+    issuer: string;
+}>, [], any>;
 export declare const fetchOidcConfig: jest.Mock<Promise<{
     authorizationEndpoint: string;
     tokenEndpoint: string;
@@ -48,19 +57,30 @@ export declare const navigate: jest.Mock<any, any, any>;
 export declare const generateCodeChallenge: jest.Mock<Promise<string>, [], any>;
 export declare const generateCodeVerifier: jest.Mock<string, [], any>;
 export declare const generateState: jest.Mock<string, [], any>;
-export declare const createAdapters: () => {
+export declare const createAdapters: (withCache?: boolean) => {
     requester: jest.Mock<any, any, any>;
     storage: MockedStorage;
+    unstable_cache: import("@silverhand/essentials").Optional<MockedStorage>;
     navigate: jest.Mock<any, any, any>;
     generateCodeChallenge: jest.Mock<Promise<string>, [], any>;
     generateCodeVerifier: jest.Mock<string, [], any>;
     generateState: jest.Mock<string, [], any>;
 };
-export declare const createClient: (prompt?: Prompt, storage?: MockedStorage) => LogtoClient;
+export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean) => LogtoClientWithAccessors;
 /**
- * Make LogtoClient.signInSession accessible for test
+ * Make protected fields accessible for test
  */
-export declare class LogtoClientSignInSessionAccessor extends LogtoClient {
+export declare class LogtoClientWithAccessors extends LogtoClient {
+    runGetOidcConfig(): Promise<import("@silverhand/essentials").KeysToCamelCase<{
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        end_session_endpoint: string;
+        revocation_endpoint: string;
+        jwks_uri: string;
+        issuer: string;
+    }>>;
+    runGetJwtVerifyGetKey(): Promise<import("jose").JWTVerifyGetKey>;
     getLogtoConfig(): Nullable<LogtoConfig>;
     getSignInSessionItem(): Promise<Nullable<LogtoSignInSessionItem>>;
     setSignInSessionItem(item: Nullable<LogtoSignInSessionItem>): Promise<void>;

package/lib/remote-jwk-set.cjs

@@ -0,0 +1,62 @@
+'use strict';
+
+var essentials = require('@silverhand/essentials');
+var jose = require('jose');
+var types = require('./adapter/types.cjs');
+
+// Edited from jose's internal util `isJWKSLike`
+function isJwkSetLike(jwkSet) {
+    return Boolean(jwkSet &&
+        typeof jwkSet === 'object' &&
+        'keys' in jwkSet &&
+        Array.isArray(jwkSet.keys) &&
+        jwkSet.keys.every((element) => essentials.isObject(element)));
+}
+class CachedRemoteJwkSet {
+    constructor(url, adapter) {
+        this.url = url;
+        this.adapter = adapter;
+        if (!adapter.unstable_cache) {
+            throw new Error("No cache found in the client adapter. Use `createRemoteJWKSet()` from 'jose' instead.");
+        }
+    }
+    async getKey(...args) {
+        if (!this.jwkSet) {
+            this.jwkSet = await this.#load();
+        }
+        try {
+            return await this.#getLocalKey(...args);
+        }
+        catch (error) {
+            // Jose does not export the error definition
+            // Found in https://github.com/panva/jose/blob/d5b3cb672736112b1e1e31ac4d5e9cd641675206/src/util/errors.ts#L347
+            if (error instanceof Error && 'code' in error && error.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+                this.jwkSet = await this.#load();
+                return this.#getLocalKey(...args);
+            }
+            throw error;
+        }
+    }
+    async #load() {
+        return this.adapter.getWithCache(types.CacheKey.Jwks, async () => {
+            const controller = new AbortController();
+            const response = await fetch(this.url, { signal: controller.signal, redirect: 'manual' });
+            if (!response.ok) {
+                throw new Error('Expected OK from the JSON Web Key Set HTTP response');
+            }
+            const json = await response.json();
+            if (!isJwkSetLike(json)) {
+                throw new Error('JSON Web Key Set malformed');
+            }
+            return json;
+        });
+    }
+    async #getLocalKey(...args) {
+        if (!this.jwkSet) {
+            throw new Error('No local JWK Set found.');
+        }
+        return jose.createLocalJWKSet(this.jwkSet)(...args);
+    }
+}
+
+exports.CachedRemoteJwkSet = CachedRemoteJwkSet;

package/lib/remote-jwk-set.d.ts

@@ -0,0 +1,10 @@
+import { type JSONWebKeySet, type JWTVerifyGetKey } from 'jose';
+import { type ClientAdapterInstance } from './adapter/index.js';
+export declare class CachedRemoteJwkSet {
+    #private;
+    readonly url: URL;
+    private readonly adapter;
+    protected jwkSet?: JSONWebKeySet;
+    constructor(url: URL, adapter: ClientAdapterInstance);
+    getKey(...args: Parameters<JWTVerifyGetKey>): Promise<import("jose").KeyLike>;
+}

package/lib/remote-jwk-set.js

@@ -0,0 +1,60 @@
+import { isObject } from '@silverhand/essentials';
+import { createLocalJWKSet } from 'jose';
+import { CacheKey } from './adapter/types.js';
+
+// Edited from jose's internal util `isJWKSLike`
+function isJwkSetLike(jwkSet) {
+    return Boolean(jwkSet &&
+        typeof jwkSet === 'object' &&
+        'keys' in jwkSet &&
+        Array.isArray(jwkSet.keys) &&
+        jwkSet.keys.every((element) => isObject(element)));
+}
+class CachedRemoteJwkSet {
+    constructor(url, adapter) {
+        this.url = url;
+        this.adapter = adapter;
+        if (!adapter.unstable_cache) {
+            throw new Error("No cache found in the client adapter. Use `createRemoteJWKSet()` from 'jose' instead.");
+        }
+    }
+    async getKey(...args) {
+        if (!this.jwkSet) {
+            this.jwkSet = await this.#load();
+        }
+        try {
+            return await this.#getLocalKey(...args);
+        }
+        catch (error) {
+            // Jose does not export the error definition
+            // Found in https://github.com/panva/jose/blob/d5b3cb672736112b1e1e31ac4d5e9cd641675206/src/util/errors.ts#L347
+            if (error instanceof Error && 'code' in error && error.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+                this.jwkSet = await this.#load();
+                return this.#getLocalKey(...args);
+            }
+            throw error;
+        }
+    }
+    async #load() {
+        return this.adapter.getWithCache(CacheKey.Jwks, async () => {
+            const controller = new AbortController();
+            const response = await fetch(this.url, { signal: controller.signal, redirect: 'manual' });
+            if (!response.ok) {
+                throw new Error('Expected OK from the JSON Web Key Set HTTP response');
+            }
+            const json = await response.json();
+            if (!isJwkSetLike(json)) {
+                throw new Error('JSON Web Key Set malformed');
+            }
+            return json;
+        });
+    }
+    async #getLocalKey(...args) {
+        if (!this.jwkSet) {
+            throw new Error('No local JWK Set found.');
+        }
+        return createLocalJWKSet(this.jwkSet)(...args);
+    }
+}
+
+export { CachedRemoteJwkSet };

package/lib/remote-jwk-set.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/memoize.cjs

@@ -0,0 +1,25 @@
+'use strict';
+
+function memoize(run) {
+    const promiseCache = new Map();
+    const memoized = async function (...args) {
+        const promiseKey = args[0];
+        const cachedPromise = promiseCache.get(promiseKey);
+        if (cachedPromise) {
+            return cachedPromise;
+        }
+        const promise = (async () => {
+            try {
+                return await run.apply(this, args);
+            }
+            finally {
+                promiseCache.delete(promiseKey);
+            }
+        })();
+        promiseCache.set(promiseKey, promise);
+        return promise;
+    };
+    return memoized;
+}
+
+exports.memoize = memoize;

package/lib/utils/memoize.d.ts

@@ -0,0 +1 @@
+export declare function memoize<Args extends unknown[], Return>(run: (...args: Args) => Promise<Return>): (this: unknown, ...args: Args) => Promise<Return>;

package/lib/utils/memoize.js

@@ -0,0 +1,23 @@
+function memoize(run) {
+    const promiseCache = new Map();
+    const memoized = async function (...args) {
+        const promiseKey = args[0];
+        const cachedPromise = promiseCache.get(promiseKey);
+        if (cachedPromise) {
+            return cachedPromise;
+        }
+        const promise = (async () => {
+            try {
+                return await run.apply(this, args);
+            }
+            finally {
+                promiseCache.delete(promiseKey);
+            }
+        })();
+        promiseCache.set(promiseKey, promise);
+        return promise;
+    };
+    return memoized;
+}
+
+export { memoize };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/client",
-  "version": "2.1.0",
+  "version": "2.2.1",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",
@@ -27,18 +27,18 @@
     "jose": "^4.13.2"
   },
   "devDependencies": {
-    "@silverhand/eslint-config": "^3.0.1",
-    "@silverhand/ts-config": "^3.0.0",
+    "@silverhand/eslint-config": "^4.0.1",
+    "@silverhand/ts-config": "^4.0.0",
     "@swc/core": "^1.3.50",
     "@swc/jest": "^0.2.24",
     "@types/jest": "^29.5.0",
     "@types/node": "^18.0.0",
-    "eslint": "^8.38.0",
+    "eslint": "^8.44.0",
     "jest": "^29.5.0",
     "jest-matcher-specific-error": "^1.0.0",
     "lint-staged": "^13.0.0",
     "nock": "^13.3.0",
-    "prettier": "^2.8.7",
+    "prettier": "^3.0.0",
     "text-encoder": "^0.0.4",
     "type-fest": "^3.0.0",
     "typescript": "^5.0.0"

package/lib/adapter.d.ts

@@ -1,17 +0,0 @@
-import type { Requester } from '@logto/js';
-import type { Nullable } from '@silverhand/essentials';
-export type StorageKey = 'idToken' | 'refreshToken' | 'accessToken' | 'signInSession';
-export type Storage = {
-    getItem(key: StorageKey): Promise<Nullable<string>>;
-    setItem(key: StorageKey, value: string): Promise<void>;
-    removeItem(key: StorageKey): Promise<void>;
-};
-export type Navigate = (url: string) => void;
-export type ClientAdapter = {
-    requester: Requester;
-    storage: Storage;
-    navigate: Navigate;
-    generateState: () => string;
-    generateCodeVerifier: () => string;
-    generateCodeChallenge: (codeVerifier: string) => Promise<string>;
-};