@pod-os/core 0.12.1-6af5683.0 → 0.12.1-a4967bb.0

package/dist/index.js

@@ -8,7 +8,7 @@ import {
   lit,
   namedNode,
   st
-} from "./chunk-GBIS3SJI.js";
+} from "./chunk-7VQUARYZ.js";
 import {
   __commonJS,
   __export,
@@ -41,22 +41,22 @@ var require_events = __commonJS({
     var NumberIsNaN = Number.isNaN || function NumberIsNaN2(value6) {
       return value6 !== value6;
     };
-    function EventEmitter3() {
-      EventEmitter3.init.call(this);
+    function EventEmitter2() {
+      EventEmitter2.init.call(this);
     }
-    module2.exports = EventEmitter3;
+    module2.exports = EventEmitter2;
     module2.exports.once = once;
-    EventEmitter3.EventEmitter = EventEmitter3;
-    EventEmitter3.prototype._events = void 0;
-    EventEmitter3.prototype._eventsCount = 0;
-    EventEmitter3.prototype._maxListeners = void 0;
+    EventEmitter2.EventEmitter = EventEmitter2;
+    EventEmitter2.prototype._events = void 0;
+    EventEmitter2.prototype._eventsCount = 0;
+    EventEmitter2.prototype._maxListeners = void 0;
     var defaultMaxListeners = 10;
     function checkListener(listener) {
       if (typeof listener !== "function") {
         throw new TypeError('The "listener" argument must be of type Function. Received type ' + typeof listener);
       }
     }
-    Object.defineProperty(EventEmitter3, "defaultMaxListeners", {
+    Object.defineProperty(EventEmitter2, "defaultMaxListeners", {
       enumerable: true,
       get: function() {
         return defaultMaxListeners;
@@ -68,14 +68,14 @@ var require_events = __commonJS({
         defaultMaxListeners = arg2;
       }
     });
-    EventEmitter3.init = function() {
+    EventEmitter2.init = function() {
       if (this._events === void 0 || this._events === Object.getPrototypeOf(this)._events) {
         this._events = /* @__PURE__ */ Object.create(null);
         this._eventsCount = 0;
       }
       this._maxListeners = this._maxListeners || void 0;
     };
-    EventEmitter3.prototype.setMaxListeners = function setMaxListeners(n2) {
+    EventEmitter2.prototype.setMaxListeners = function setMaxListeners(n2) {
       if (typeof n2 !== "number" || n2 < 0 || NumberIsNaN(n2)) {
         throw new RangeError('The value of "n" is out of range. It must be a non-negative number. Received ' + n2 + ".");
       }
@@ -84,13 +84,13 @@ var require_events = __commonJS({
     };
     function _getMaxListeners(that) {
       if (that._maxListeners === void 0)
-        return EventEmitter3.defaultMaxListeners;
+        return EventEmitter2.defaultMaxListeners;
       return that._maxListeners;
     }
-    EventEmitter3.prototype.getMaxListeners = function getMaxListeners() {
+    EventEmitter2.prototype.getMaxListeners = function getMaxListeners() {
       return _getMaxListeners(this);
     };
-    EventEmitter3.prototype.emit = function emit(type5) {
+    EventEmitter2.prototype.emit = function emit(type5) {
       var args = [];
       for (var i = 1; i < arguments.length; i++) args.push(arguments[i]);
       var doError = type5 === "error";
@@ -167,11 +167,11 @@ var require_events = __commonJS({
       }
       return target5;
     }
-    EventEmitter3.prototype.addListener = function addListener(type5, listener) {
+    EventEmitter2.prototype.addListener = function addListener(type5, listener) {
       return _addListener(this, type5, listener, false);
     };
-    EventEmitter3.prototype.on = EventEmitter3.prototype.addListener;
-    EventEmitter3.prototype.prependListener = function prependListener(type5, listener) {
+    EventEmitter2.prototype.on = EventEmitter2.prototype.addListener;
+    EventEmitter2.prototype.prependListener = function prependListener(type5, listener) {
       return _addListener(this, type5, listener, true);
     };
     function onceWrapper() {
@@ -190,17 +190,17 @@ var require_events = __commonJS({
       state2.wrapFn = wrapped;
       return wrapped;
     }
-    EventEmitter3.prototype.once = function once2(type5, listener) {
+    EventEmitter2.prototype.once = function once2(type5, listener) {
       checkListener(listener);
       this.on(type5, _onceWrap(this, type5, listener));
       return this;
     };
-    EventEmitter3.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
+    EventEmitter2.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
       checkListener(listener);
       this.prependListener(type5, _onceWrap(this, type5, listener));
       return this;
     };
-    EventEmitter3.prototype.removeListener = function removeListener(type5, listener) {
+    EventEmitter2.prototype.removeListener = function removeListener(type5, listener) {
       var list, events3, position4, i, originalListener;
       checkListener(listener);
       events3 = this._events;
@@ -240,8 +240,8 @@ var require_events = __commonJS({
       }
       return this;
     };
-    EventEmitter3.prototype.off = EventEmitter3.prototype.removeListener;
-    EventEmitter3.prototype.removeAllListeners = function removeAllListeners(type5) {
+    EventEmitter2.prototype.off = EventEmitter2.prototype.removeListener;
+    EventEmitter2.prototype.removeAllListeners = function removeAllListeners(type5) {
       var listeners, events3, i;
       events3 = this._events;
       if (events3 === void 0)
@@ -281,7 +281,7 @@ var require_events = __commonJS({
       }
       return this;
     };
-    function _listeners(target5, type5, unwrap3) {
+    function _listeners(target5, type5, unwrap) {
       var events3 = target5._events;
       if (events3 === void 0)
         return [];
@@ -289,23 +289,23 @@ var require_events = __commonJS({
       if (evlistener === void 0)
         return [];
       if (typeof evlistener === "function")
-        return unwrap3 ? [evlistener.listener || evlistener] : [evlistener];
-      return unwrap3 ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
+        return unwrap ? [evlistener.listener || evlistener] : [evlistener];
+      return unwrap ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
     }
-    EventEmitter3.prototype.listeners = function listeners(type5) {
+    EventEmitter2.prototype.listeners = function listeners(type5) {
       return _listeners(this, type5, true);
     };
-    EventEmitter3.prototype.rawListeners = function rawListeners(type5) {
+    EventEmitter2.prototype.rawListeners = function rawListeners(type5) {
       return _listeners(this, type5, false);
     };
-    EventEmitter3.listenerCount = function(emitter, type5) {
+    EventEmitter2.listenerCount = function(emitter, type5) {
       if (typeof emitter.listenerCount === "function") {
         return emitter.listenerCount(type5);
       } else {
         return listenerCount.call(emitter, type5);
       }
     };
-    EventEmitter3.prototype.listenerCount = listenerCount;
+    EventEmitter2.prototype.listenerCount = listenerCount;
     function listenerCount(type5) {
       var events3 = this._events;
       if (events3 !== void 0) {
@@ -318,7 +318,7 @@ var require_events = __commonJS({
       }
       return 0;
     }
-    EventEmitter3.prototype.eventNames = function eventNames() {
+    EventEmitter2.prototype.eventNames = function eventNames() {
       return this._eventsCount > 0 ? ReflectOwnKeys(this._events) : [];
     };
     function arrayClone(arr, n2) {
@@ -6741,20 +6741,20 @@ var require_lunr = __commonJS({
         if (obj === null || obj === void 0) {
           return obj;
         }
-        var clone = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
+        var clone2 = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
         for (var i = 0; i < keys.length; i++) {
           var key3 = keys[i], val = obj[key3];
           if (Array.isArray(val)) {
-            clone[key3] = val.slice();
+            clone2[key3] = val.slice();
             continue;
           }
           if (typeof val === "string" || typeof val === "number" || typeof val === "boolean") {
-            clone[key3] = val;
+            clone2[key3] = val;
             continue;
           }
           throw new TypeError("clone is not deep and does not support nested objects");
         }
-        return clone;
+        return clone2;
       };
       lunr2.FieldRef = function(docRef, fieldName, stringValue) {
         this.docRef = docRef;
@@ -10119,18 +10119,11 @@ function tap(observerOrNext, error4, complete2) {
   }) : identity;
 }
 
-// ../node_modules/@inrupt/solid-client-authn-core/dist/index.mjs
-var import_events = __toESM(require_events(), 1);
-
-// ../node_modules/@inrupt/universal-fetch/dist/index-browser.mjs
-var indexBrowser = globalThis.fetch;
-var { fetch: fetch2, Response, Request, Headers } = globalThis;
-
-// ../node_modules/jose/dist/browser/runtime/webcrypto.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/webcrypto.js
 var webcrypto_default = crypto;
 var isCryptoKey = (key3) => key3 instanceof CryptoKey;
 
-// ../node_modules/jose/dist/browser/lib/buffer_utils.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/buffer_utils.js
 var encoder = new TextEncoder();
 var decoder = new TextDecoder();
 var MAX_INT32 = 2 ** 32;
@@ -10138,14 +10131,14 @@ function concat(...buffers) {
   const size4 = buffers.reduce((acc, { length: length2 }) => acc + length2, 0);
   const buf = new Uint8Array(size4);
   let i = 0;
-  buffers.forEach((buffer) => {
+  for (const buffer of buffers) {
     buf.set(buffer, i);
     i += buffer.length;
-  });
+  }
   return buf;
 }
 
-// ../node_modules/jose/dist/browser/runtime/base64url.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/base64url.js
 var encodeBase64 = (input2) => {
   let unencoded = input2;
   if (typeof unencoded === "string") {
@@ -10177,44 +10170,45 @@ var decode = (input2) => {
   encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
     return decodeBase64(encoded);
-  } catch (_a) {
+  } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 };
 
-// ../node_modules/jose/dist/browser/util/errors.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/util/errors.js
 var JOSEError = class extends Error {
   static get code() {
     return "ERR_JOSE_GENERIC";
   }
   constructor(message4) {
-    var _a;
     super(message4);
     this.code = "ERR_JOSE_GENERIC";
     this.name = this.constructor.name;
-    (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
+    Error.captureStackTrace?.(this, this.constructor);
   }
 };
 var JWTClaimValidationFailed = class extends JOSEError {
   static get code() {
     return "ERR_JWT_CLAIM_VALIDATION_FAILED";
   }
-  constructor(message4, claim2 = "unspecified", reason2 = "unspecified") {
+  constructor(message4, payload4, claim2 = "unspecified", reason2 = "unspecified") {
     super(message4);
     this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
     this.claim = claim2;
     this.reason = reason2;
+    this.payload = payload4;
   }
 };
 var JWTExpired = class extends JOSEError {
   static get code() {
     return "ERR_JWT_EXPIRED";
   }
-  constructor(message4, claim2 = "unspecified", reason2 = "unspecified") {
+  constructor(message4, payload4, claim2 = "unspecified", reason2 = "unspecified") {
     super(message4);
     this.code = "ERR_JWT_EXPIRED";
     this.claim = claim2;
     this.reason = reason2;
+    this.payload = payload4;
   }
 };
 var JOSEAlgNotAllowed = class extends JOSEError {
@@ -10253,6 +10247,45 @@ var JWTInvalid = class extends JOSEError {
     return "ERR_JWT_INVALID";
   }
 };
+var JWKSInvalid = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    this.code = "ERR_JWKS_INVALID";
+  }
+  static get code() {
+    return "ERR_JWKS_INVALID";
+  }
+};
+var JWKSNoMatchingKey = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    this.code = "ERR_JWKS_NO_MATCHING_KEY";
+    this.message = "no applicable key found in the JSON Web Key Set";
+  }
+  static get code() {
+    return "ERR_JWKS_NO_MATCHING_KEY";
+  }
+};
+var JWKSMultipleMatchingKeys = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+    this.message = "multiple matching keys found in the JSON Web Key Set";
+  }
+  static get code() {
+    return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  }
+};
+var JWKSTimeout = class extends JOSEError {
+  constructor() {
+    super(...arguments);
+    this.code = "ERR_JWKS_TIMEOUT";
+    this.message = "request timed out";
+  }
+  static get code() {
+    return "ERR_JWKS_TIMEOUT";
+  }
+};
 var JWSSignatureVerificationFailed = class extends JOSEError {
   constructor() {
     super(...arguments);
@@ -10264,10 +10297,7 @@ var JWSSignatureVerificationFailed = class extends JOSEError {
   }
 };
 
-// ../node_modules/jose/dist/browser/runtime/random.js
-var random_default = webcrypto_default.getRandomValues.bind(webcrypto_default);
-
-// ../node_modules/jose/dist/browser/lib/crypto_key.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/crypto_key.js
 function unusable(name7, prop = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name7}`);
 }
@@ -10361,8 +10391,9 @@ function checkSigCryptoKey(key3, alg, ...usages) {
   checkUsage(key3, usages);
 }
 
-// ../node_modules/jose/dist/browser/lib/invalid_key_input.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/invalid_key_input.js
 function message(msg, actual2, ...types2) {
+  types2 = types2.filter(Boolean);
   if (types2.length > 2) {
     const last3 = types2.pop();
     msg += `one of type ${types2.join(", ")}, or ${last3}.`;
@@ -10376,7 +10407,7 @@ function message(msg, actual2, ...types2) {
   } else if (typeof actual2 === "function" && actual2.name) {
     msg += ` Received function ${actual2.name}`;
   } else if (typeof actual2 === "object" && actual2 != null) {
-    if (actual2.constructor && actual2.constructor.name) {
+    if (actual2.constructor?.name) {
       msg += ` Received an instance of ${actual2.constructor.name}`;
     }
   }
@@ -10389,13 +10420,16 @@ function withAlg(alg, actual2, ...types2) {
   return message(`Key for the ${alg} algorithm must be `, actual2, ...types2);
 }
 
-// ../node_modules/jose/dist/browser/runtime/is_key_like.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/is_key_like.js
 var is_key_like_default = (key3) => {
-  return isCryptoKey(key3);
+  if (isCryptoKey(key3)) {
+    return true;
+  }
+  return key3?.[Symbol.toStringTag] === "KeyObject";
 };
 var types = ["CryptoKey"];
 
-// ../node_modules/jose/dist/browser/lib/is_disjoint.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_disjoint.js
 var isDisjoint = (...headers) => {
   const sources = headers.filter(Boolean);
   if (sources.length === 0 || sources.length === 1) {
@@ -10419,7 +10453,7 @@ var isDisjoint = (...headers) => {
 };
 var is_disjoint_default = isDisjoint;
 
-// ../node_modules/jose/dist/browser/lib/is_object.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_object.js
 function isObjectLike(value6) {
   return typeof value6 === "object" && value6 !== null;
 }
@@ -10437,7 +10471,7 @@ function isObject(input2) {
   return Object.getPrototypeOf(input2) === proto;
 }
 
-// ../node_modules/jose/dist/browser/runtime/check_key_length.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/check_key_length.js
 var check_key_length_default = (alg, key3) => {
   if (alg.startsWith("RS") || alg.startsWith("PS")) {
     const { modulusLength } = key3.algorithm;
@@ -10447,49 +10481,25 @@ var check_key_length_default = (alg, key3) => {
   }
 };
 
-// ../node_modules/jose/dist/browser/runtime/jwk_to_key.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_jwk.js
+function isJWK(key3) {
+  return isObject(key3) && typeof key3.kty === "string";
+}
+function isPrivateJWK(key3) {
+  return key3.kty !== "oct" && typeof key3.d === "string";
+}
+function isPublicJWK(key3) {
+  return key3.kty !== "oct" && typeof key3.d === "undefined";
+}
+function isSecretJWK(key3) {
+  return isJWK(key3) && key3.kty === "oct" && typeof key3.k === "string";
+}
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/jwk_to_key.js
 function subtleMapping(jwk) {
   let algorithm3;
   let keyUsages;
   switch (jwk.kty) {
-    case "oct": {
-      switch (jwk.alg) {
-        case "HS256":
-        case "HS384":
-        case "HS512":
-          algorithm3 = { name: "HMAC", hash: `SHA-${jwk.alg.slice(-3)}` };
-          keyUsages = ["sign", "verify"];
-          break;
-        case "A128CBC-HS256":
-        case "A192CBC-HS384":
-        case "A256CBC-HS512":
-          throw new JOSENotSupported(`${jwk.alg} keys cannot be imported as CryptoKey instances`);
-        case "A128GCM":
-        case "A192GCM":
-        case "A256GCM":
-        case "A128GCMKW":
-        case "A192GCMKW":
-        case "A256GCMKW":
-          algorithm3 = { name: "AES-GCM" };
-          keyUsages = ["encrypt", "decrypt"];
-          break;
-        case "A128KW":
-        case "A192KW":
-        case "A256KW":
-          algorithm3 = { name: "AES-KW" };
-          keyUsages = ["wrapKey", "unwrapKey"];
-          break;
-        case "PBES2-HS256+A128KW":
-        case "PBES2-HS384+A192KW":
-        case "PBES2-HS512+A256KW":
-          algorithm3 = { name: "PBKDF2" };
-          keyUsages = ["deriveBits"];
-          break;
-        default:
-          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
     case "RSA": {
       switch (jwk.alg) {
         case "PS256":
@@ -10569,19 +10579,15 @@ function subtleMapping(jwk) {
   return { algorithm: algorithm3, keyUsages };
 }
 var parse = async (jwk) => {
-  var _a, _b;
   if (!jwk.alg) {
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
   }
   const { algorithm: algorithm3, keyUsages } = subtleMapping(jwk);
   const rest3 = [
     algorithm3,
-    (_a = jwk.ext) !== null && _a !== void 0 ? _a : false,
-    (_b = jwk.key_ops) !== null && _b !== void 0 ? _b : keyUsages
+    jwk.ext ?? false,
+    jwk.key_ops ?? keyUsages
   ];
-  if (algorithm3.name === "PBKDF2") {
-    return webcrypto_default.subtle.importKey("raw", decode(jwk.k), ...rest3);
-  }
   const keyData = { ...jwk };
   delete keyData.alg;
   delete keyData.use;
@@ -10589,9 +10595,74 @@ var parse = async (jwk) => {
 };
 var jwk_to_key_default = parse;
 
-// ../node_modules/jose/dist/browser/key/import.js
-async function importJWK(jwk, alg, octAsKeyObject) {
-  var _a;
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/normalize_key.js
+var exportKeyValue = (k) => decode(k);
+var privCache;
+var pubCache;
+var isKeyObject = (key3) => {
+  return key3?.[Symbol.toStringTag] === "KeyObject";
+};
+var importAndCache = async (cache, key3, jwk, alg, freeze = false) => {
+  let cached = cache.get(key3);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await jwk_to_key_default({ ...jwk, alg });
+  if (freeze)
+    Object.freeze(key3);
+  if (!cached) {
+    cache.set(key3, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+var normalizePublicKey = (key3, alg) => {
+  if (isKeyObject(key3)) {
+    let jwk = key3.export({ format: "jwk" });
+    delete jwk.d;
+    delete jwk.dp;
+    delete jwk.dq;
+    delete jwk.p;
+    delete jwk.q;
+    delete jwk.qi;
+    if (jwk.k) {
+      return exportKeyValue(jwk.k);
+    }
+    pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+    return importAndCache(pubCache, key3, jwk, alg);
+  }
+  if (isJWK(key3)) {
+    if (key3.k)
+      return decode(key3.k);
+    pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+    const cryptoKey = importAndCache(pubCache, key3, key3, alg, true);
+    return cryptoKey;
+  }
+  return key3;
+};
+var normalizePrivateKey = (key3, alg) => {
+  if (isKeyObject(key3)) {
+    let jwk = key3.export({ format: "jwk" });
+    if (jwk.k) {
+      return exportKeyValue(jwk.k);
+    }
+    privCache || (privCache = /* @__PURE__ */ new WeakMap());
+    return importAndCache(privCache, key3, jwk, alg);
+  }
+  if (isJWK(key3)) {
+    if (key3.k)
+      return decode(key3.k);
+    privCache || (privCache = /* @__PURE__ */ new WeakMap());
+    const cryptoKey = importAndCache(privCache, key3, key3, alg, true);
+    return cryptoKey;
+  }
+  return key3;
+};
+var normalize_key_default = { normalizePublicKey, normalizePrivateKey };
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/import.js
+async function importJWK(jwk, alg) {
   if (!isObject(jwk)) {
     throw new TypeError("JWK must be an object");
   }
@@ -10601,10 +10672,6 @@ async function importJWK(jwk, alg, octAsKeyObject) {
       if (typeof jwk.k !== "string" || !jwk.k) {
         throw new TypeError('missing "k" (Key Value) Parameter value');
       }
-      octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : octAsKeyObject = jwk.ext !== true;
-      if (octAsKeyObject) {
-        return jwk_to_key_default({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });
-      }
       return decode(jwk.k);
     case "RSA":
       if (jwk.oth !== void 0) {
@@ -10618,50 +10685,81 @@ async function importJWK(jwk, alg, octAsKeyObject) {
   }
 }
 
-// ../node_modules/jose/dist/browser/lib/check_key_type.js
-var symmetricTypeCheck = (alg, key3) => {
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/check_key_type.js
+var tag = (key3) => key3?.[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key3, usage2) => {
+  if (key3.use !== void 0 && key3.use !== "sig") {
+    throw new TypeError("Invalid key for this operation, when present its use must be sig");
+  }
+  if (key3.key_ops !== void 0 && key3.key_ops.includes?.(usage2) !== true) {
+    throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage2}`);
+  }
+  if (key3.alg !== void 0 && key3.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
+  }
+  return true;
+};
+var symmetricTypeCheck = (alg, key3, usage2, allowJwk) => {
   if (key3 instanceof Uint8Array)
     return;
+  if (allowJwk && isJWK(key3)) {
+    if (isSecretJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
   if (!is_key_like_default(key3)) {
-    throw new TypeError(withAlg(alg, key3, ...types, "Uint8Array"));
+    throw new TypeError(withAlg(alg, key3, ...types, "Uint8Array", allowJwk ? "JSON Web Key" : null));
   }
   if (key3.type !== "secret") {
-    throw new TypeError(`${types.join(" or ")} instances for symmetric algorithms must be of type "secret"`);
+    throw new TypeError(`${tag(key3)} instances for symmetric algorithms must be of type "secret"`);
   }
 };
-var asymmetricTypeCheck = (alg, key3, usage2) => {
+var asymmetricTypeCheck = (alg, key3, usage2, allowJwk) => {
+  if (allowJwk && isJWK(key3)) {
+    switch (usage2) {
+      case "sign":
+        if (isPrivateJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+      case "verify":
+        if (isPublicJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+    }
+  }
   if (!is_key_like_default(key3)) {
-    throw new TypeError(withAlg(alg, key3, ...types));
+    throw new TypeError(withAlg(alg, key3, ...types, allowJwk ? "JSON Web Key" : null));
   }
   if (key3.type === "secret") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithms must not be of type "secret"`);
   }
   if (usage2 === "sign" && key3.type === "public") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm signing must be of type "private"`);
   }
   if (usage2 === "decrypt" && key3.type === "public") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm decryption must be of type "private"`);
   }
   if (key3.algorithm && usage2 === "verify" && key3.type === "private") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm verifying must be of type "public"`);
   }
   if (key3.algorithm && usage2 === "encrypt" && key3.type === "private") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm encryption must be of type "public"`);
   }
 };
-var checkKeyType = (alg, key3, usage2) => {
+function checkKeyType(allowJwk, alg, key3, usage2) {
   const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
   if (symmetric) {
-    symmetricTypeCheck(alg, key3);
+    symmetricTypeCheck(alg, key3, usage2, allowJwk);
   } else {
-    asymmetricTypeCheck(alg, key3, usage2);
+    asymmetricTypeCheck(alg, key3, usage2, allowJwk);
   }
-};
-var check_key_type_default = checkKeyType;
+}
+var check_key_type_default = checkKeyType.bind(void 0, false);
+var checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
 
-// ../node_modules/jose/dist/browser/lib/validate_crit.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_crit.js
 function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-  if (joseHeader.crit !== void 0 && protectedHeader.crit === void 0) {
+  if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
     throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
   }
   if (!protectedHeader || protectedHeader.crit === void 0) {
@@ -10682,7 +10780,8 @@ function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader,
     }
     if (joseHeader[parameter2] === void 0) {
       throw new Err(`Extension Header Parameter "${parameter2}" is missing`);
-    } else if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
+    }
+    if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
       throw new Err(`Extension Header Parameter "${parameter2}" MUST be integrity protected`);
     }
   }
@@ -10690,7 +10789,7 @@ function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader,
 }
 var validate_crit_default = validateCrit;
 
-// ../node_modules/jose/dist/browser/lib/validate_algorithms.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_algorithms.js
 var validateAlgorithms = (option5, algorithms) => {
   if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
     throw new TypeError(`"${option5}" option must be an array of strings`);
@@ -10702,7 +10801,7 @@ var validateAlgorithms = (option5, algorithms) => {
 };
 var validate_algorithms_default = validateAlgorithms;
 
-// ../node_modules/jose/dist/browser/runtime/key_to_jwk.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/key_to_jwk.js
 var keyToJWK = async (key3) => {
   if (key3 instanceof Uint8Array) {
     return {
@@ -10721,15 +10820,12 @@ var keyToJWK = async (key3) => {
 };
 var key_to_jwk_default = keyToJWK;
 
-// ../node_modules/jose/dist/browser/key/export.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/export.js
 async function exportJWK(key3) {
   return key_to_jwk_default(key3);
 }
 
-// ../node_modules/jose/dist/browser/jwe/flattened/encrypt.js
-var unprotected = Symbol();
-
-// ../node_modules/jose/dist/browser/runtime/subtle_dsa.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/subtle_dsa.js
 function subtleDsa(alg, algorithm3) {
   const hash2 = `SHA-${alg.slice(-3)}`;
   switch (alg) {
@@ -10756,8 +10852,14 @@ function subtleDsa(alg, algorithm3) {
   }
 }
 
-// ../node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
-function getCryptoKey(alg, key3, usage2) {
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
+async function getCryptoKey(alg, key3, usage2) {
+  if (usage2 === "sign") {
+    key3 = await normalize_key_default.normalizePrivateKey(key3, alg);
+  }
+  if (usage2 === "verify") {
+    key3 = await normalize_key_default.normalizePublicKey(key3, alg);
+  }
   if (isCryptoKey(key3)) {
     checkSigCryptoKey(key3, alg, usage2);
     return key3;
@@ -10768,25 +10870,24 @@ function getCryptoKey(alg, key3, usage2) {
     }
     return webcrypto_default.subtle.importKey("raw", key3, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage2]);
   }
-  throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array"));
+  throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array", "JSON Web Key"));
 }
 
-// ../node_modules/jose/dist/browser/runtime/verify.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/verify.js
 var verify = async (alg, key3, signature2, data2) => {
   const cryptoKey = await getCryptoKey(alg, key3, "verify");
   check_key_length_default(alg, cryptoKey);
   const algorithm3 = subtleDsa(alg, cryptoKey.algorithm);
   try {
     return await webcrypto_default.subtle.verify(algorithm3, cryptoKey, signature2, data2);
-  } catch (_a) {
+  } catch {
     return false;
   }
 };
 var verify_default = verify;
 
-// ../node_modules/jose/dist/browser/jws/flattened/verify.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/verify.js
 async function flattenedVerify(jws2, key3, options) {
-  var _a;
   if (!isObject(jws2)) {
     throw new JWSInvalid("Flattened JWS must be an object");
   }
@@ -10810,7 +10911,7 @@ async function flattenedVerify(jws2, key3, options) {
     try {
       const protectedHeader = decode(jws2.protected);
       parsedProt = JSON.parse(decoder.decode(protectedHeader));
-    } catch (_b) {
+    } catch {
       throw new JWSInvalid("JWS Protected Header is invalid");
     }
   }
@@ -10821,7 +10922,7 @@ async function flattenedVerify(jws2, key3, options) {
     ...parsedProt,
     ...jws2.header
   };
-  const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);
+  const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
   let b64 = true;
   if (extensions.has("b64")) {
     b64 = parsedProt.b64;
@@ -10835,7 +10936,7 @@ async function flattenedVerify(jws2, key3, options) {
   }
   const algorithms = options && validate_algorithms_default("algorithms", options.algorithms);
   if (algorithms && !algorithms.has(alg)) {
-    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter not allowed');
+    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
   }
   if (b64) {
     if (typeof jws2.payload !== "string") {
@@ -10848,13 +10949,18 @@ async function flattenedVerify(jws2, key3, options) {
   if (typeof key3 === "function") {
     key3 = await key3(parsedProt, jws2);
     resolvedKey = true;
+    checkKeyTypeWithJwk(alg, key3, "verify");
+    if (isJWK(key3)) {
+      key3 = await importJWK(key3, alg);
+    }
+  } else {
+    checkKeyTypeWithJwk(alg, key3, "verify");
   }
-  check_key_type_default(alg, key3, "verify");
-  const data2 = concat(encoder.encode((_a = jws2.protected) !== null && _a !== void 0 ? _a : ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
+  const data2 = concat(encoder.encode(jws2.protected ?? ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
   let signature2;
   try {
     signature2 = decode(jws2.signature);
-  } catch (_c) {
+  } catch {
     throw new JWSInvalid("Failed to base64url decode the signature");
   }
   const verified2 = await verify_default(alg, key3, signature2, data2);
@@ -10865,7 +10971,7 @@ async function flattenedVerify(jws2, key3, options) {
   if (b64) {
     try {
       payload4 = decode(jws2.payload);
-    } catch (_d) {
+    } catch {
       throw new JWSInvalid("Failed to base64url decode the payload");
     }
   } else if (typeof jws2.payload === "string") {
@@ -10886,7 +10992,7 @@ async function flattenedVerify(jws2, key3, options) {
   return result5;
 }
 
-// ../node_modules/jose/dist/browser/jws/compact/verify.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/verify.js
 async function compactVerify(jws2, key3, options) {
   if (jws2 instanceof Uint8Array) {
     jws2 = decoder.decode(jws2);
@@ -10906,56 +11012,67 @@ async function compactVerify(jws2, key3, options) {
   return result5;
 }
 
-// ../node_modules/jose/dist/browser/lib/epoch.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/epoch.js
 var epoch_default = (date5) => Math.floor(date5.getTime() / 1e3);
 
-// ../node_modules/jose/dist/browser/lib/secs.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/secs.js
 var minute = 60;
 var hour = minute * 60;
 var day = hour * 24;
 var week = day * 7;
 var year = day * 365.25;
-var REGEX = /^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;
+var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
 var secs_default = (str) => {
   const matched = REGEX.exec(str);
-  if (!matched) {
+  if (!matched || matched[4] && matched[1]) {
     throw new TypeError("Invalid time period format");
   }
-  const value6 = parseFloat(matched[1]);
-  const unit2 = matched[2].toLowerCase();
+  const value6 = parseFloat(matched[2]);
+  const unit2 = matched[3].toLowerCase();
+  let numericDate;
   switch (unit2) {
     case "sec":
     case "secs":
     case "second":
     case "seconds":
     case "s":
-      return Math.round(value6);
+      numericDate = Math.round(value6);
+      break;
     case "minute":
     case "minutes":
     case "min":
     case "mins":
     case "m":
-      return Math.round(value6 * minute);
+      numericDate = Math.round(value6 * minute);
+      break;
     case "hour":
     case "hours":
     case "hr":
     case "hrs":
     case "h":
-      return Math.round(value6 * hour);
+      numericDate = Math.round(value6 * hour);
+      break;
     case "day":
     case "days":
     case "d":
-      return Math.round(value6 * day);
+      numericDate = Math.round(value6 * day);
+      break;
     case "week":
     case "weeks":
     case "w":
-      return Math.round(value6 * week);
+      numericDate = Math.round(value6 * week);
+      break;
     default:
-      return Math.round(value6 * year);
+      numericDate = Math.round(value6 * year);
+      break;
+  }
+  if (matched[1] === "-" || matched[4] === "ago") {
+    return -numericDate;
   }
+  return numericDate;
 };
 
-// ../node_modules/jose/dist/browser/lib/jwt_claims_set.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/jwt_claims_set.js
 var normalizeTyp = (value6) => value6.toLowerCase().replace(/^application\//, "");
 var checkAudiencePresence = (audPayload, audOption) => {
   if (typeof audPayload === "string") {
@@ -10967,40 +11084,41 @@ var checkAudiencePresence = (audPayload, audOption) => {
   return false;
 };
 var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-  const { typ } = options;
-  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
-    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', "typ", "check_failed");
-  }
   let payload4;
   try {
     payload4 = JSON.parse(decoder.decode(encodedPayload));
-  } catch (_a) {
+  } catch {
   }
   if (!isObject(payload4)) {
     throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
   }
+  const { typ } = options;
+  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload4, "typ", "check_failed");
+  }
   const { requiredClaims = [], issuer: issuer2, subject: subject5, audience: audience5, maxTokenAge } = options;
+  const presenceCheck = [...requiredClaims];
   if (maxTokenAge !== void 0)
-    requiredClaims.push("iat");
+    presenceCheck.push("iat");
   if (audience5 !== void 0)
-    requiredClaims.push("aud");
+    presenceCheck.push("aud");
   if (subject5 !== void 0)
-    requiredClaims.push("sub");
+    presenceCheck.push("sub");
   if (issuer2 !== void 0)
-    requiredClaims.push("iss");
-  for (const claim2 of new Set(requiredClaims.reverse())) {
+    presenceCheck.push("iss");
+  for (const claim2 of new Set(presenceCheck.reverse())) {
     if (!(claim2 in payload4)) {
-      throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, claim2, "missing");
+      throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, payload4, claim2, "missing");
     }
   }
   if (issuer2 && !(Array.isArray(issuer2) ? issuer2 : [issuer2]).includes(payload4.iss)) {
-    throw new JWTClaimValidationFailed('unexpected "iss" claim value', "iss", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload4, "iss", "check_failed");
   }
   if (subject5 && payload4.sub !== subject5) {
-    throw new JWTClaimValidationFailed('unexpected "sub" claim value', "sub", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload4, "sub", "check_failed");
   }
   if (audience5 && !checkAudiencePresence(payload4.aud, typeof audience5 === "string" ? [audience5] : audience5)) {
-    throw new JWTClaimValidationFailed('unexpected "aud" claim value', "aud", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload4, "aud", "check_failed");
   }
   let tolerance;
   switch (typeof options.clockTolerance) {
@@ -11019,42 +11137,41 @@ var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) =>
   const { currentDate } = options;
   const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
   if ((payload4.iat !== void 0 || maxTokenAge) && typeof payload4.iat !== "number") {
-    throw new JWTClaimValidationFailed('"iat" claim must be a number', "iat", "invalid");
+    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload4, "iat", "invalid");
   }
   if (payload4.nbf !== void 0) {
     if (typeof payload4.nbf !== "number") {
-      throw new JWTClaimValidationFailed('"nbf" claim must be a number', "nbf", "invalid");
+      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload4, "nbf", "invalid");
     }
     if (payload4.nbf > now + tolerance) {
-      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', "nbf", "check_failed");
+      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload4, "nbf", "check_failed");
     }
   }
   if (payload4.exp !== void 0) {
     if (typeof payload4.exp !== "number") {
-      throw new JWTClaimValidationFailed('"exp" claim must be a number', "exp", "invalid");
+      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload4, "exp", "invalid");
     }
     if (payload4.exp <= now - tolerance) {
-      throw new JWTExpired('"exp" claim timestamp check failed', "exp", "check_failed");
+      throw new JWTExpired('"exp" claim timestamp check failed', payload4, "exp", "check_failed");
     }
   }
   if (maxTokenAge) {
     const age2 = now - payload4.iat;
     const max2 = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
     if (age2 - tolerance > max2) {
-      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', "iat", "check_failed");
+      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload4, "iat", "check_failed");
     }
     if (age2 < 0 - tolerance) {
-      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', "iat", "check_failed");
+      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload4, "iat", "check_failed");
     }
   }
   return payload4;
 };
 
-// ../node_modules/jose/dist/browser/jwt/verify.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/verify.js
 async function jwtVerify(jwt, key3, options) {
-  var _a;
   const verified2 = await compactVerify(jwt, key3, options);
-  if (((_a = verified2.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes("b64")) && verified2.protectedHeader.b64 === false) {
+  if (verified2.protectedHeader.crit?.includes("b64") && verified2.protectedHeader.b64 === false) {
     throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
   }
   const payload4 = jwt_claims_set_default(verified2.protectedHeader, verified2.payload, options);
@@ -11065,7 +11182,7 @@ async function jwtVerify(jwt, key3, options) {
   return result5;
 }
 
-// ../node_modules/jose/dist/browser/runtime/sign.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/sign.js
 var sign = async (alg, key3, data2) => {
   const cryptoKey = await getCryptoKey(alg, key3, "sign");
   check_key_length_default(alg, cryptoKey);
@@ -11074,7 +11191,7 @@ var sign = async (alg, key3, data2) => {
 };
 var sign_default = sign;
 
-// ../node_modules/jose/dist/browser/jws/flattened/sign.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/sign.js
 var FlattenedSign = class {
   constructor(payload4) {
     if (!(payload4 instanceof Uint8Array)) {
@@ -11107,7 +11224,7 @@ var FlattenedSign = class {
       ...this._protectedHeader,
       ...this._unprotectedHeader
     };
-    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);
+    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this._protectedHeader, joseHeader);
     let b64 = true;
     if (extensions.has("b64")) {
       b64 = this._protectedHeader.b64;
@@ -11119,7 +11236,7 @@ var FlattenedSign = class {
     if (typeof alg !== "string" || !alg) {
       throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
     }
-    check_key_type_default(alg, key3, "sign");
+    checkKeyTypeWithJwk(alg, key3, "sign");
     let payload4 = this._payload;
     if (b64) {
       payload4 = encoder.encode(encode(payload4));
@@ -11149,7 +11266,7 @@ var FlattenedSign = class {
   }
 };
 
-// ../node_modules/jose/dist/browser/jws/compact/sign.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/sign.js
 var CompactSign = class {
   constructor(payload4) {
     this._flattened = new FlattenedSign(payload4);
@@ -11167,9 +11284,15 @@ var CompactSign = class {
   }
 };
 
-// ../node_modules/jose/dist/browser/jwt/produce.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/produce.js
+function validateInput(label4, input2) {
+  if (!Number.isFinite(input2)) {
+    throw new TypeError(`Invalid ${label4} input`);
+  }
+  return input2;
+}
 var ProduceJWT = class {
-  constructor(payload4) {
+  constructor(payload4 = {}) {
     if (!isObject(payload4)) {
       throw new TypeError("JWT Claims Set MUST be an object");
     }
@@ -11193,7 +11316,9 @@ var ProduceJWT = class {
   }
   setNotBefore(input2) {
     if (typeof input2 === "number") {
-      this._payload = { ...this._payload, nbf: input2 };
+      this._payload = { ...this._payload, nbf: validateInput("setNotBefore", input2) };
+    } else if (input2 instanceof Date) {
+      this._payload = { ...this._payload, nbf: validateInput("setNotBefore", epoch_default(input2)) };
     } else {
       this._payload = { ...this._payload, nbf: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
     }
@@ -11201,7 +11326,9 @@ var ProduceJWT = class {
   }
   setExpirationTime(input2) {
     if (typeof input2 === "number") {
-      this._payload = { ...this._payload, exp: input2 };
+      this._payload = { ...this._payload, exp: validateInput("setExpirationTime", input2) };
+    } else if (input2 instanceof Date) {
+      this._payload = { ...this._payload, exp: validateInput("setExpirationTime", epoch_default(input2)) };
     } else {
       this._payload = { ...this._payload, exp: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
     }
@@ -11210,41 +11337,318 @@ var ProduceJWT = class {
   setIssuedAt(input2) {
     if (typeof input2 === "undefined") {
       this._payload = { ...this._payload, iat: epoch_default(/* @__PURE__ */ new Date()) };
+    } else if (input2 instanceof Date) {
+      this._payload = { ...this._payload, iat: validateInput("setIssuedAt", epoch_default(input2)) };
+    } else if (typeof input2 === "string") {
+      this._payload = {
+        ...this._payload,
+        iat: validateInput("setIssuedAt", epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2))
+      };
     } else {
-      this._payload = { ...this._payload, iat: input2 };
+      this._payload = { ...this._payload, iat: validateInput("setIssuedAt", input2) };
     }
     return this;
   }
 };
 
-// ../node_modules/jose/dist/browser/jwt/sign.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/sign.js
 var SignJWT = class extends ProduceJWT {
   setProtectedHeader(protectedHeader) {
     this._protectedHeader = protectedHeader;
     return this;
   }
   async sign(key3, options) {
-    var _a;
     const sig = new CompactSign(encoder.encode(JSON.stringify(this._payload)));
     sig.setProtectedHeader(this._protectedHeader);
-    if (Array.isArray((_a = this._protectedHeader) === null || _a === void 0 ? void 0 : _a.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
+    if (Array.isArray(this._protectedHeader?.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
       throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
     }
     return sig.sign(key3, options);
   }
 };
 
-// ../node_modules/jose/dist/browser/runtime/generate.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/local.js
+function getKtyFromAlg(alg) {
+  switch (typeof alg === "string" && alg.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      return "RSA";
+    case "ES":
+      return "EC";
+    case "Ed":
+      return "OKP";
+    default:
+      throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
+  }
+}
+function isJWKSLike(jwks) {
+  return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key3) {
+  return isObject(key3);
+}
+function clone(obj) {
+  if (typeof structuredClone === "function") {
+    return structuredClone(obj);
+  }
+  return JSON.parse(JSON.stringify(obj));
+}
+var LocalJWKSet = class {
+  constructor(jwks) {
+    this._cached = /* @__PURE__ */ new WeakMap();
+    if (!isJWKSLike(jwks)) {
+      throw new JWKSInvalid("JSON Web Key Set malformed");
+    }
+    this._jwks = clone(jwks);
+  }
+  async getKey(protectedHeader, token) {
+    const { alg, kid } = { ...protectedHeader, ...token?.header };
+    const kty = getKtyFromAlg(alg);
+    const candidates = this._jwks.keys.filter((jwk2) => {
+      let candidate4 = kty === jwk2.kty;
+      if (candidate4 && typeof kid === "string") {
+        candidate4 = kid === jwk2.kid;
+      }
+      if (candidate4 && typeof jwk2.alg === "string") {
+        candidate4 = alg === jwk2.alg;
+      }
+      if (candidate4 && typeof jwk2.use === "string") {
+        candidate4 = jwk2.use === "sig";
+      }
+      if (candidate4 && Array.isArray(jwk2.key_ops)) {
+        candidate4 = jwk2.key_ops.includes("verify");
+      }
+      if (candidate4 && alg === "EdDSA") {
+        candidate4 = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448";
+      }
+      if (candidate4) {
+        switch (alg) {
+          case "ES256":
+            candidate4 = jwk2.crv === "P-256";
+            break;
+          case "ES256K":
+            candidate4 = jwk2.crv === "secp256k1";
+            break;
+          case "ES384":
+            candidate4 = jwk2.crv === "P-384";
+            break;
+          case "ES512":
+            candidate4 = jwk2.crv === "P-521";
+            break;
+        }
+      }
+      return candidate4;
+    });
+    const { 0: jwk, length: length2 } = candidates;
+    if (length2 === 0) {
+      throw new JWKSNoMatchingKey();
+    }
+    if (length2 !== 1) {
+      const error4 = new JWKSMultipleMatchingKeys();
+      const { _cached } = this;
+      error4[Symbol.asyncIterator] = async function* () {
+        for (const jwk2 of candidates) {
+          try {
+            yield await importWithAlgCache(_cached, jwk2, alg);
+          } catch {
+          }
+        }
+      };
+      throw error4;
+    }
+    return importWithAlgCache(this._cached, jwk, alg);
+  }
+};
+async function importWithAlgCache(cache, jwk, alg) {
+  const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+  if (cached[alg] === void 0) {
+    const key3 = await importJWK({ ...jwk, ext: true }, alg);
+    if (key3 instanceof Uint8Array || key3.type !== "public") {
+      throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+    }
+    cached[alg] = key3;
+  }
+  return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+  const set = new LocalJWKSet(jwks);
+  const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(localJWKSet, {
+    jwks: {
+      value: () => clone(set._jwks),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    }
+  });
+  return localJWKSet;
+}
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/fetch_jwks.js
+var fetchJwks = async (url7, timeout2, options) => {
+  let controller2;
+  let id4;
+  let timedOut = false;
+  if (typeof AbortController === "function") {
+    controller2 = new AbortController();
+    id4 = setTimeout(() => {
+      timedOut = true;
+      controller2.abort();
+    }, timeout2);
+  }
+  const response6 = await fetch(url7.href, {
+    signal: controller2 ? controller2.signal : void 0,
+    redirect: "manual",
+    headers: options.headers
+  }).catch((err) => {
+    if (timedOut)
+      throw new JWKSTimeout();
+    throw err;
+  });
+  if (id4 !== void 0)
+    clearTimeout(id4);
+  if (response6.status !== 200) {
+    throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+  }
+  try {
+    return await response6.json();
+  } catch {
+    throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+  }
+};
+var fetch_jwks_default = fetchJwks;
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/remote.js
+function isCloudflareWorkers() {
+  return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+var USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+  const NAME = "jose";
+  const VERSION = "v5.9.3";
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+var jwksCache = Symbol();
+function isFreshJwksCache(input2, cacheMaxAge) {
+  if (typeof input2 !== "object" || input2 === null) {
+    return false;
+  }
+  if (!("uat" in input2) || typeof input2.uat !== "number" || Date.now() - input2.uat >= cacheMaxAge) {
+    return false;
+  }
+  if (!("jwks" in input2) || !isObject(input2.jwks) || !Array.isArray(input2.jwks.keys) || !Array.prototype.every.call(input2.jwks.keys, isObject)) {
+    return false;
+  }
+  return true;
+}
+var RemoteJWKSet = class {
+  constructor(url7, options) {
+    if (!(url7 instanceof URL)) {
+      throw new TypeError("url must be an instance of URL");
+    }
+    this._url = new URL(url7.href);
+    this._options = { agent: options?.agent, headers: options?.headers };
+    this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
+    this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
+    this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+    if (options?.[jwksCache] !== void 0) {
+      this._cache = options?.[jwksCache];
+      if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
+        this._jwksTimestamp = this._cache.uat;
+        this._local = createLocalJWKSet(this._cache.jwks);
+      }
+    }
+  }
+  coolingDown() {
+    return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
+  }
+  fresh() {
+    return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
+  }
+  async getKey(protectedHeader, token) {
+    if (!this._local || !this.fresh()) {
+      await this.reload();
+    }
+    try {
+      return await this._local(protectedHeader, token);
+    } catch (err) {
+      if (err instanceof JWKSNoMatchingKey) {
+        if (this.coolingDown() === false) {
+          await this.reload();
+          return this._local(protectedHeader, token);
+        }
+      }
+      throw err;
+    }
+  }
+  async reload() {
+    if (this._pendingFetch && isCloudflareWorkers()) {
+      this._pendingFetch = void 0;
+    }
+    const headers = new Headers(this._options.headers);
+    if (USER_AGENT && !headers.has("User-Agent")) {
+      headers.set("User-Agent", USER_AGENT);
+      this._options.headers = Object.fromEntries(headers.entries());
+    }
+    this._pendingFetch || (this._pendingFetch = fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
+      this._local = createLocalJWKSet(json);
+      if (this._cache) {
+        this._cache.uat = Date.now();
+        this._cache.jwks = json;
+      }
+      this._jwksTimestamp = Date.now();
+      this._pendingFetch = void 0;
+    }).catch((err) => {
+      this._pendingFetch = void 0;
+      throw err;
+    }));
+    await this._pendingFetch;
+  }
+};
+function createRemoteJWKSet(url7, options) {
+  const set = new RemoteJWKSet(url7, options);
+  const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+  Object.defineProperties(remoteJWKSet, {
+    coolingDown: {
+      get: () => set.coolingDown(),
+      enumerable: true,
+      configurable: false
+    },
+    fresh: {
+      get: () => set.fresh(),
+      enumerable: true,
+      configurable: false
+    },
+    reload: {
+      value: () => set.reload(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    },
+    reloading: {
+      get: () => !!set._pendingFetch,
+      enumerable: true,
+      configurable: false
+    },
+    jwks: {
+      value: () => set._local?.jwks(),
+      enumerable: true,
+      configurable: false,
+      writable: false
+    }
+  });
+  return remoteJWKSet;
+}
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/generate.js
 function getModulusLengthOption(options) {
-  var _a;
-  const modulusLength = (_a = options === null || options === void 0 ? void 0 : options.modulusLength) !== null && _a !== void 0 ? _a : 2048;
+  const modulusLength = options?.modulusLength ?? 2048;
   if (typeof modulusLength !== "number" || modulusLength < 2048) {
     throw new JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");
   }
   return modulusLength;
 }
 async function generateKeyPair(alg, options) {
-  var _a, _b, _c;
   let algorithm3;
   let keyUsages;
   switch (alg) {
@@ -11294,9 +11698,9 @@ async function generateKeyPair(alg, options) {
       algorithm3 = { name: "ECDSA", namedCurve: "P-521" };
       keyUsages = ["sign", "verify"];
       break;
-    case "EdDSA":
+    case "EdDSA": {
       keyUsages = ["sign", "verify"];
-      const crv = (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : "Ed25519";
+      const crv = options?.crv ?? "Ed25519";
       switch (crv) {
         case "Ed25519":
         case "Ed448":
@@ -11306,22 +11710,23 @@ async function generateKeyPair(alg, options) {
           throw new JOSENotSupported("Invalid or unsupported crv option provided");
       }
       break;
+    }
     case "ECDH-ES":
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
       keyUsages = ["deriveKey", "deriveBits"];
-      const crv2 = (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : "P-256";
-      switch (crv2) {
+      const crv = options?.crv ?? "P-256";
+      switch (crv) {
         case "P-256":
         case "P-384":
         case "P-521": {
-          algorithm3 = { name: "ECDH", namedCurve: crv2 };
+          algorithm3 = { name: "ECDH", namedCurve: crv };
           break;
         }
         case "X25519":
         case "X448":
-          algorithm3 = { name: crv2 };
+          algorithm3 = { name: crv };
           break;
         default:
           throw new JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448");
@@ -11331,15 +11736,25 @@ async function generateKeyPair(alg, options) {
     default:
       throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
   }
-  return webcrypto_default.subtle.generateKey(algorithm3, (_c = options === null || options === void 0 ? void 0 : options.extractable) !== null && _c !== void 0 ? _c : false, keyUsages);
+  return webcrypto_default.subtle.generateKey(algorithm3, options?.extractable ?? false, keyUsages);
 }
 
-// ../node_modules/jose/dist/browser/key/generate_key_pair.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/generate_key_pair.js
 async function generateKeyPair2(alg, options) {
   return generateKeyPair(alg, options);
 }
 
-// ../node_modules/uuid/dist/esm-browser/rng.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/stringify.js
+var byteToHex = [];
+for (i = 0; i < 256; ++i) {
+  byteToHex.push((i + 256).toString(16).slice(1));
+}
+var i;
+function unsafeStringify(arr, offset3 = 0) {
+  return (byteToHex[arr[offset3 + 0]] + byteToHex[arr[offset3 + 1]] + byteToHex[arr[offset3 + 2]] + byteToHex[arr[offset3 + 3]] + "-" + byteToHex[arr[offset3 + 4]] + byteToHex[arr[offset3 + 5]] + "-" + byteToHex[arr[offset3 + 6]] + byteToHex[arr[offset3 + 7]] + "-" + byteToHex[arr[offset3 + 8]] + byteToHex[arr[offset3 + 9]] + "-" + byteToHex[arr[offset3 + 10]] + byteToHex[arr[offset3 + 11]] + byteToHex[arr[offset3 + 12]] + byteToHex[arr[offset3 + 13]] + byteToHex[arr[offset3 + 14]] + byteToHex[arr[offset3 + 15]]).toLowerCase();
+}
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/rng.js
 var getRandomValues;
 var rnds8 = new Uint8Array(16);
 function rng() {
@@ -11352,33 +11767,24 @@ function rng() {
   return getRandomValues(rnds8);
 }
 
-// ../node_modules/uuid/dist/esm-browser/stringify.js
-var byteToHex = [];
-for (let i = 0; i < 256; ++i) {
-  byteToHex.push((i + 256).toString(16).slice(1));
-}
-function unsafeStringify(arr, offset3 = 0) {
-  return byteToHex[arr[offset3 + 0]] + byteToHex[arr[offset3 + 1]] + byteToHex[arr[offset3 + 2]] + byteToHex[arr[offset3 + 3]] + "-" + byteToHex[arr[offset3 + 4]] + byteToHex[arr[offset3 + 5]] + "-" + byteToHex[arr[offset3 + 6]] + byteToHex[arr[offset3 + 7]] + "-" + byteToHex[arr[offset3 + 8]] + byteToHex[arr[offset3 + 9]] + "-" + byteToHex[arr[offset3 + 10]] + byteToHex[arr[offset3 + 11]] + byteToHex[arr[offset3 + 12]] + byteToHex[arr[offset3 + 13]] + byteToHex[arr[offset3 + 14]] + byteToHex[arr[offset3 + 15]];
-}
-
-// ../node_modules/uuid/dist/esm-browser/native.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/native.js
 var randomUUID = typeof crypto !== "undefined" && crypto.randomUUID && crypto.randomUUID.bind(crypto);
 var native_default = {
   randomUUID
 };
 
-// ../node_modules/uuid/dist/esm-browser/v4.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/v4.js
 function v4(options, buf, offset3) {
   if (native_default.randomUUID && !buf && !options) {
     return native_default.randomUUID();
   }
   options = options || {};
-  const rnds = options.random || (options.rng || rng)();
+  var rnds = options.random || (options.rng || rng)();
   rnds[6] = rnds[6] & 15 | 64;
   rnds[8] = rnds[8] & 63 | 128;
   if (buf) {
     offset3 = offset3 || 0;
-    for (let i = 0; i < 16; ++i) {
+    for (var i = 0; i < 16; ++i) {
       buf[offset3 + i] = rnds[i];
     }
     return buf;
@@ -11406,17 +11812,6 @@ var SCOPE_OPENID = "openid";
 var SCOPE_OFFLINE = "offline_access";
 var SCOPE_WEBID = "webid";
 var DEFAULT_SCOPES = [SCOPE_OPENID, SCOPE_OFFLINE, SCOPE_WEBID].join(" ");
-var buildProxyHandler = (toExclude, errorMessage) => ({
-  // This proxy is only a temporary measure until Session no longer extends
-  // SessionEventEmitter, and the proxying is no longer necessary.
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  get(target5, prop, receiver2) {
-    if (!Object.getOwnPropertyNames(import_events.EventEmitter).includes(prop) && Object.getOwnPropertyNames(toExclude).includes(prop)) {
-      throw new Error(`${errorMessage}: [${prop}] is not supported`);
-    }
-    return Reflect.get(target5, prop, receiver2);
-  }
-});
 var AggregateHandler = class {
   constructor(handleables) {
     this.handleables = handleables;
@@ -11453,24 +11848,11 @@ var AggregateHandler = class {
     }).join(", ")}`);
   }
 };
-async function fetchJwks(jwksIri, issuerIri) {
-  const jwksResponse = await fetch2.call(globalThis, jwksIri);
-  if (jwksResponse.status !== 200) {
-    throw new Error(`Could not fetch JWKS for [${issuerIri}] at [${jwksIri}]: ${jwksResponse.status} ${jwksResponse.statusText}`);
-  }
-  let jwk;
-  try {
-    jwk = (await jwksResponse.json()).keys[0];
-  } catch (e) {
-    throw new Error(`Malformed JWKS for [${issuerIri}] at [${jwksIri}]: ${e.message}`);
-  }
-  return jwk;
-}
 async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
-  const jwk = await fetchJwks(jwksIri, issuerIri);
   let payload4;
+  let clientIdInPayload;
   try {
-    const { payload: verifiedPayload } = await jwtVerify(idToken, await importJWK(jwk), {
+    const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL(jwksIri)), {
       issuer: issuerIri,
       audience: clientId
     });
@@ -11478,15 +11860,24 @@ async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
   } catch (e) {
     throw new Error(`Token verification failed: ${e.stack}`);
   }
+  if (typeof payload4.azp === "string") {
+    clientIdInPayload = payload4.azp;
+  }
   if (typeof payload4.webid === "string") {
-    return payload4.webid;
+    return {
+      webId: payload4.webid,
+      clientId: clientIdInPayload
+    };
   }
   if (typeof payload4.sub !== "string") {
     throw new Error(`The token ${JSON.stringify(payload4)} is invalid: it has no 'webid' claim and no 'sub' claim.`);
   }
   try {
     new URL(payload4.sub);
-    return payload4.sub;
+    return {
+      webId: payload4.sub,
+      clientId: clientIdInPayload
+    };
   } catch (e) {
     throw new Error(`The token has no 'webid' claim, and its 'sub' claim of [${payload4.sub}] is invalid as a URL - error [${e}].`);
   }
@@ -11510,17 +11901,29 @@ function removeOpenIdParams(redirectUrl) {
   cleanedUpUrl.searchParams.delete("iss");
   return cleanedUpUrl;
 }
+function booleanWithFallback(value6, fallback) {
+  if (typeof value6 === "boolean") {
+    return Boolean(value6);
+  }
+  return Boolean(fallback);
+}
 var AuthorizationCodeWithPkceOidcHandlerBase = class {
   constructor(storageUtility, redirector) {
     this.storageUtility = storageUtility;
     this.redirector = redirector;
+    this.parametersGuard = (oidcLoginOptions) => {
+      return oidcLoginOptions.issuerConfiguration.grantTypesSupported !== void 0 && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1 && oidcLoginOptions.redirectUrl !== void 0;
+    };
     this.storageUtility = storageUtility;
     this.redirector = redirector;
   }
   async canHandle(oidcLoginOptions) {
-    return !!(oidcLoginOptions.issuerConfiguration.grantTypesSupported && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1);
+    return this.parametersGuard(oidcLoginOptions);
   }
   async handleRedirect({ oidcLoginOptions, state: state2, codeVerifier, targetUrl: targetUrl3 }) {
+    if (!this.parametersGuard(oidcLoginOptions)) {
+      throw new Error("The authorization code grant requires a redirectUrl.");
+    }
     await Promise.all([
       // We use the OAuth 'state' value (which should be crypto-random) as
       // the key in our storage to store our actual SessionID. We do this
@@ -11531,7 +11934,6 @@ var AuthorizationCodeWithPkceOidcHandlerBase = class {
       // that session ID can be any developer-specified value, and therefore
       // may not be appropriate (since the OAuth 'state' value should really
       // be an unguessable crypto-random value).
-      // eslint-disable-next-line no-underscore-dangle
       this.storageUtility.setForUser(state2, {
         sessionId: oidcLoginOptions.sessionId
       }),
@@ -11540,12 +11942,12 @@ var AuthorizationCodeWithPkceOidcHandlerBase = class {
       // our session ID is unnecessary, but it provides a slightly cleaner
       // separation of concerns.
       this.storageUtility.setForUser(oidcLoginOptions.sessionId, {
-        // eslint-disable-next-line no-underscore-dangle
         codeVerifier,
         issuer: oidcLoginOptions.issuer.toString(),
         // The redirect URL is read after redirect, so it must be stored now.
         redirectUrl: oidcLoginOptions.redirectUrl,
-        dpop: oidcLoginOptions.dpop ? "true" : "false"
+        dpop: Boolean(oidcLoginOptions.dpop).toString(),
+        keepAlive: booleanWithFallback(oidcLoginOptions.keepAlive, true).toString()
       })
     ]);
     this.redirector.redirect(targetUrl3, {
@@ -11607,7 +12009,7 @@ function getUnauthenticatedSession() {
   return {
     isLoggedIn: false,
     sessionId: v4_default(),
-    fetch: (...args) => fetch2.call(globalThis, ...args)
+    fetch: (...args) => fetch(...args)
   };
 }
 async function clear(sessionId, storage2) {
@@ -11701,48 +12103,51 @@ function determineSigningAlg(supported, preferred2) {
     return supported.includes(signingAlg);
   })) !== null && _a !== void 0 ? _a : null;
 }
-function determineClientType(options, issuerConfig) {
-  if (options.clientId !== void 0 && !isValidUrl(options.clientId)) {
-    return "static";
-  }
-  if (issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId)) {
-    return "solid-oidc";
-  }
-  return "dynamic";
+function isStaticClient(options) {
+  return options.clientId !== void 0 && !isValidUrl(options.clientId);
+}
+function isSolidOidcClient(options, issuerConfig) {
+  return issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId);
+}
+function isKnownClientType(clientType) {
+  return typeof clientType === "string" && ["dynamic", "static", "solid-oidc"].includes(clientType);
 }
 async function handleRegistration(options, issuerConfig, storageUtility, clientRegistrar) {
-  const clientType = determineClientType(options, issuerConfig);
-  if (clientType === "dynamic") {
+  let clientInfo;
+  if (isSolidOidcClient(options, issuerConfig)) {
+    clientInfo = {
+      clientId: options.clientId,
+      clientName: options.clientName,
+      clientType: "solid-oidc"
+    };
+  } else if (isStaticClient(options)) {
+    clientInfo = {
+      clientId: options.clientId,
+      clientSecret: options.clientSecret,
+      clientName: options.clientName,
+      clientType: "static"
+    };
+  } else {
     return clientRegistrar.getClient({
       sessionId: options.sessionId,
       clientName: options.clientName,
       redirectUrl: options.redirectUrl
     }, issuerConfig);
   }
-  await storageUtility.setForUser(options.sessionId, {
-    // If the client is either static or solid-oidc compliant, its client ID cannot be undefined.
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    clientId: options.clientId
-  });
-  if (options.clientSecret) {
-    await storageUtility.setForUser(options.sessionId, {
-      clientSecret: options.clientSecret
-    });
+  const infoToSave = {
+    clientId: clientInfo.clientId,
+    clientType: clientInfo.clientType
+  };
+  if (clientInfo.clientType === "static") {
+    infoToSave.clientSecret = clientInfo.clientSecret;
   }
-  if (options.clientName) {
-    await storageUtility.setForUser(options.sessionId, {
-      clientName: options.clientName
-    });
+  if (clientInfo.clientName) {
+    infoToSave.clientName = clientInfo.clientName;
   }
-  return {
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    clientId: options.clientId,
-    clientSecret: options.clientSecret,
-    clientName: options.clientName,
-    clientType
-  };
+  await storageUtility.setForUser(options.sessionId, infoToSave);
+  return clientInfo;
 }
-var globalFetch = (request2, init) => fetch2.call(globalThis, request2, init);
+var boundFetch = (request2, init) => fetch(request2, init);
 var ClientAuthentication = class {
   constructor(loginHandler, redirectHandler, logoutHandler, sessionInfoManager, issuerConfigFetcher) {
     this.loginHandler = loginHandler;
@@ -11750,13 +12155,13 @@ var ClientAuthentication = class {
     this.logoutHandler = logoutHandler;
     this.sessionInfoManager = sessionInfoManager;
     this.issuerConfigFetcher = issuerConfigFetcher;
-    this.fetch = globalFetch;
+    this.fetch = boundFetch;
     this.logout = async (sessionId, options) => {
       await this.logoutHandler.handle(sessionId, (options === null || options === void 0 ? void 0 : options.logoutType) === "idp" ? {
         ...options,
         toLogoutUrl: this.boundLogout
       } : options);
-      this.fetch = globalFetch;
+      this.fetch = boundFetch;
       delete this.boundLogout;
     };
     this.getSessionInfo = async (sessionId) => {
@@ -11774,13 +12179,14 @@ var ClientAuthentication = class {
 };
 async function loadOidcContextFromStorage(sessionId, storageUtility, configFetcher) {
   try {
-    const [issuerIri, codeVerifier, storedRedirectIri, dpop] = await Promise.all([
+    const [issuerIri, codeVerifier, storedRedirectIri, dpop, keepAlive] = await Promise.all([
       storageUtility.getForUser(sessionId, "issuer", {
         errorIfNull: true
       }),
       storageUtility.getForUser(sessionId, "codeVerifier"),
       storageUtility.getForUser(sessionId, "redirectUrl"),
-      storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true })
+      storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true }),
+      storageUtility.getForUser(sessionId, "keepAlive")
     ]);
     await storageUtility.deleteForUser(sessionId, "codeVerifier");
     const issuerConfig = await configFetcher.fetchConfig(issuerIri);
@@ -11788,12 +12194,34 @@ async function loadOidcContextFromStorage(sessionId, storageUtility, configFetch
       codeVerifier,
       redirectUrl: storedRedirectIri,
       issuerConfig,
-      dpop: dpop === "true"
+      dpop: dpop === "true",
+      // Default keepAlive to true if not found in storage.
+      keepAlive: typeof keepAlive === "string" ? keepAlive === "true" : true
     };
   } catch (e) {
     throw new Error(`Failed to retrieve OIDC context from storage associated with session [${sessionId}]: ${e}`);
   }
 }
+async function saveSessionInfoToStorage(storageUtility, sessionId, webId, clientId, isLoggedIn2, refreshToken, secure, dpopKey) {
+  if (refreshToken !== void 0) {
+    await storageUtility.setForUser(sessionId, { refreshToken }, { secure });
+  }
+  if (webId !== void 0) {
+    await storageUtility.setForUser(sessionId, { webId }, { secure });
+  }
+  if (clientId !== void 0) {
+    await storageUtility.setForUser(sessionId, { clientId }, { secure });
+  }
+  if (isLoggedIn2 !== void 0) {
+    await storageUtility.setForUser(sessionId, { isLoggedIn: isLoggedIn2 }, { secure });
+  }
+  if (dpopKey !== void 0) {
+    await storageUtility.setForUser(sessionId, {
+      publicKey: JSON.stringify(dpopKey.publicKey),
+      privateKey: JSON.stringify(await exportJWK(dpopKey.privateKey))
+    }, { secure });
+  }
+}
 var StorageUtility = class {
   constructor(secureStorage, insecureStorage) {
     this.secureStorage = secureStorage;
@@ -11945,8 +12373,8 @@ async function buildAuthenticatedHeaders(targetUrl3, authToken, dpopKey, default
     headers
   };
 }
-async function makeAuthenticatedRequest(unauthFetch, accessToken, url7, defaultRequestInit, dpopKey) {
-  return unauthFetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
+async function makeAuthenticatedRequest(accessToken, url7, defaultRequestInit, dpopKey) {
+  return fetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
 }
 async function refreshAccessToken(refreshOptions, dpopKey, eventEmitter) {
   var _a;
@@ -11970,7 +12398,7 @@ var computeRefreshDelay = (expiresIn) => {
   }
   return DEFAULT_EXPIRATION_TIME_SECONDS;
 };
-async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
+async function buildAuthenticatedFetch(accessToken, options) {
   var _a;
   let currentAccessToken = accessToken;
   let latestTimeout;
@@ -12018,7 +12446,7 @@ async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
     options.eventEmitter.emit(EVENTS.TIMEOUT_SET, expirationTimeout);
   }
   return async (url7, requestInit) => {
-    let response6 = await makeAuthenticatedRequest(unauthFetch, currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
+    let response6 = await makeAuthenticatedRequest(currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
     const failedButNotExpectedAuthError = !response6.ok && !isExpectedAuthError(response6.status);
     if (response6.ok || failedButNotExpectedAuthError) {
       return response6;
@@ -12026,7 +12454,6 @@ async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
     const hasBeenRedirected = response6.url !== url7;
     if (hasBeenRedirected && (options === null || options === void 0 ? void 0 : options.dpopKey) !== void 0) {
       response6 = await makeAuthenticatedRequest(
-        unauthFetch,
         currentAccessToken,
         // Replace the original target IRI (`url`) by the redirection target
         response6.url,
@@ -12038,8 +12465,57 @@ async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
   };
 }
 
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/stringify.js
+var byteToHex2 = [];
+for (i = 0; i < 256; ++i) {
+  byteToHex2.push((i + 256).toString(16).slice(1));
+}
+var i;
+function unsafeStringify2(arr, offset3 = 0) {
+  return (byteToHex2[arr[offset3 + 0]] + byteToHex2[arr[offset3 + 1]] + byteToHex2[arr[offset3 + 2]] + byteToHex2[arr[offset3 + 3]] + "-" + byteToHex2[arr[offset3 + 4]] + byteToHex2[arr[offset3 + 5]] + "-" + byteToHex2[arr[offset3 + 6]] + byteToHex2[arr[offset3 + 7]] + "-" + byteToHex2[arr[offset3 + 8]] + byteToHex2[arr[offset3 + 9]] + "-" + byteToHex2[arr[offset3 + 10]] + byteToHex2[arr[offset3 + 11]] + byteToHex2[arr[offset3 + 12]] + byteToHex2[arr[offset3 + 13]] + byteToHex2[arr[offset3 + 14]] + byteToHex2[arr[offset3 + 15]]).toLowerCase();
+}
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/rng.js
+var getRandomValues2;
+var rnds82 = new Uint8Array(16);
+function rng2() {
+  if (!getRandomValues2) {
+    getRandomValues2 = typeof crypto !== "undefined" && crypto.getRandomValues && crypto.getRandomValues.bind(crypto);
+    if (!getRandomValues2) {
+      throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
+    }
+  }
+  return getRandomValues2(rnds82);
+}
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/native.js
+var randomUUID2 = typeof crypto !== "undefined" && crypto.randomUUID && crypto.randomUUID.bind(crypto);
+var native_default2 = {
+  randomUUID: randomUUID2
+};
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/v4.js
+function v42(options, buf, offset3) {
+  if (native_default2.randomUUID && !buf && !options) {
+    return native_default2.randomUUID();
+  }
+  options = options || {};
+  var rnds = options.random || (options.rng || rng2)();
+  rnds[6] = rnds[6] & 15 | 64;
+  rnds[8] = rnds[8] & 63 | 128;
+  if (buf) {
+    offset3 = offset3 || 0;
+    for (var i = 0; i < 16; ++i) {
+      buf[offset3 + i] = rnds[i];
+    }
+    return buf;
+  }
+  return unsafeStringify2(rnds);
+}
+var v4_default2 = v42;
+
 // ../node_modules/@inrupt/solid-client-authn-browser/dist/index.mjs
-var import_events2 = __toESM(require_events(), 1);
+var import_events = __toESM(require_events(), 1);
 
 // ../node_modules/@inrupt/oidc-client-ext/dist/index.es.js
 var import_oidc_client = __toESM(require_oidc_client_min());
@@ -12187,79 +12663,20 @@ async function getTokens(issuer2, client, data2, dpop) {
     headers,
     body: new URLSearchParams(requestBody).toString()
   };
-  const rawTokenResponse = await fetch2(issuer2.tokenEndpoint, tokenRequestInit);
+  const rawTokenResponse = await fetch(issuer2.tokenEndpoint, tokenRequestInit);
   const jsonTokenResponse = await rawTokenResponse.json();
   const tokenResponse = validateTokenEndpointResponse(jsonTokenResponse, dpop);
-  const webId = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
+  const { webId, clientId } = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
   return {
     accessToken: tokenResponse.access_token,
     idToken: tokenResponse.id_token,
     refreshToken: hasRefreshToken(tokenResponse) ? tokenResponse.refresh_token : void 0,
     webId,
+    clientId,
     dpopKey,
     expiresIn: tokenResponse.expires_in
   };
 }
-async function getBearerToken(redirectUrl) {
-  let signinResponse;
-  try {
-    const client = new import_oidc_client.OidcClient({
-      // TODO: We should look at the various interfaces being used for storage,
-      //  i.e. between oidc-client-js (WebStorageStoreState), localStorage
-      //  (which has an interface Storage), and our own proprietary interface
-      //  IStorage - i.e. we should really just be using the browser Web Storage
-      //  API, e.g. "stateStore: window.localStorage,".
-      // We are instantiating a new instance here, so the only value we need to
-      // explicitly provide is the response mode (default otherwise will look
-      // for a hash '#' fragment!).
-      // eslint-disable-next-line camelcase
-      response_mode: "query",
-      // The userinfo endpoint on NSS fails, so disable this for now
-      // Note that in Solid, information should be retrieved from the
-      // profile referenced by the WebId.
-      // TODO: Note that this is heavy-handed, and that this userinfo check
-      //  verifies that the `sub` claim in the id token you get along with the
-      //  access token matches the sub claim associated with the access token at
-      //  the userinfo endpoint.
-      // That is a useful check, and in the future it should be only disabled
-      // against NSS, and not in general.
-      // Issue tracker: https://github.com/solid/node-solid-server/issues/1490
-      loadUserInfo: false
-    });
-    signinResponse = await client.processSigninResponse(redirectUrl);
-    if (client.settings.metadata === void 0) {
-      throw new Error("Cannot retrieve issuer metadata from client information in storage.");
-    }
-    if (client.settings.metadata.jwks_uri === void 0) {
-      throw new Error("Missing some issuer metadata from client information in storage: 'jwks_uri' is undefined");
-    }
-    if (client.settings.metadata.issuer === void 0) {
-      throw new Error("Missing some issuer metadata from client information in storage: 'issuer' is undefined");
-    }
-    if (client.settings.client_id === void 0) {
-      throw new Error("Missing some client information in storage: 'client_id' is undefined");
-    }
-    const webId = await getWebidFromTokenPayload(signinResponse.id_token, client.settings.metadata.jwks_uri, client.settings.metadata.issuer, client.settings.client_id);
-    return {
-      accessToken: signinResponse.access_token,
-      idToken: signinResponse.id_token,
-      webId,
-      // Although not a field in the TypeScript response interface, the refresh
-      // token (which can optionally come back with the access token (if, as per
-      // the OAuth2 spec, we requested one using the scope of 'offline_access')
-      // will be included in the signin response object.
-      // eslint-disable-next-line camelcase
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore
-      refreshToken: signinResponse.refresh_token
-    };
-  } catch (err) {
-    throw new Error(`Problem handling Auth Code Grant (Flow) redirect - URL [${redirectUrl}]: ${err}`);
-  }
-}
-async function getDpopToken(issuer2, client, data2) {
-  return getTokens(issuer2, client, data2, true);
-}
 var isValidUrl2 = (url7) => {
   try {
     new URL(url7);
@@ -12293,7 +12710,7 @@ async function refresh(refreshToken, issuer2, client, dpopKey) {
   } else if (isValidUrl2(client.clientId)) {
     requestBody.client_id = client.clientId;
   }
-  const rawResponse = await fetch2(issuer2.tokenEndpoint, {
+  const rawResponse = await fetch(issuer2.tokenEndpoint, {
     method: "POST",
     body: new URLSearchParams(requestBody).toString(),
     headers: {
@@ -12309,7 +12726,7 @@ async function refresh(refreshToken, issuer2, client, dpopKey) {
     throw new Error(`The token endpoint of issuer ${issuer2.issuer} returned a malformed response.`);
   }
   const validatedResponse = validateTokenEndpointResponse(response6, dpopKey !== void 0);
-  const webId = await getWebidFromTokenPayload(validatedResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
+  const { webId } = await getWebidFromTokenPayload(validatedResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
   return {
     accessToken: validatedResponse.access_token,
     idToken: validatedResponse.id_token,
@@ -12391,7 +12808,7 @@ var ClientAuthentication2 = class extends ClientAuthentication {
     };
     this.handleIncomingRedirect = async (url7, eventEmitter) => {
       try {
-        const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter);
+        const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter, void 0);
         this.fetch = redirectInfo.fetch.bind(window);
         this.boundLogout = redirectInfo.getLogoutUrl;
         await this.cleanUrlAfterRedirect(url7);
@@ -12399,7 +12816,8 @@ var ClientAuthentication2 = class extends ClientAuthentication {
           isLoggedIn: redirectInfo.isLoggedIn,
           webId: redirectInfo.webId,
           sessionId: redirectInfo.sessionId,
-          expirationDate: redirectInfo.expirationDate
+          expirationDate: redirectInfo.expirationDate,
+          clientAppId: redirectInfo.clientAppId
         };
       } catch (err) {
         await this.cleanUrlAfterRedirect(url7);
@@ -12470,8 +12888,7 @@ var AuthorizationCodeWithPkceOidcHandler = class extends AuthorizationCodeWithPk
       authority: oidcLoginOptions.issuer.toString(),
       client_id: oidcLoginOptions.client.clientId,
       client_secret: oidcLoginOptions.client.clientSecret,
-      redirect_uri: oidcLoginOptions.redirectUrl.toString(),
-      post_logout_redirect_uri: oidcLoginOptions.redirectUrl.toString(),
+      redirect_uri: oidcLoginOptions.redirectUrl,
       response_type: "code",
       scope: DEFAULT_SCOPES,
       filterProtocolClaims: true,
@@ -12617,7 +13034,7 @@ var IssuerConfigFetcher = class _IssuerConfigFetcher {
       // includes the full issuer path. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig.
       issuer2.endsWith("/") ? issuer2 : `${issuer2}/`
     ).href;
-    const issuerConfigRequestBody = await fetch2.call(globalThis, openIdConfigUrl);
+    const issuerConfigRequestBody = await fetch(openIdConfigUrl);
     try {
       issuerConfig = processConfig(await issuerConfigRequestBody.json());
     } catch (err) {
@@ -12708,7 +13125,6 @@ var FallbackRedirectHandler = class {
     return getUnauthenticatedSession();
   }
 };
-var globalFetch2 = (...args) => fetch2.call(globalThis, ...args);
 var AuthCodeRedirectHandler = class {
   constructor(storageUtility, sessionInfoManager, issuerConfigFetcher, clientRegistrar, tokerRefresher) {
     this.storageUtility = storageUtility;
@@ -12751,21 +13167,16 @@ var AuthCodeRedirectHandler = class {
       throw new Error(`The redirect URL for session ${storedSessionId} is missing from storage.`);
     }
     const client = await this.clientRegistrar.getClient({ sessionId: storedSessionId }, issuerConfig);
-    let tokens;
     const tokenCreatedAt = Date.now();
-    if (isDpop) {
-      tokens = await getDpopToken(issuerConfig, client, {
-        grantType: "authorization_code",
-        // We rely on our 'canHandle' function checking that the OAuth 'code'
-        // parameter is present in our query string.
-        code: url7.searchParams.get("code"),
-        codeVerifier,
-        redirectUrl: storedRedirectIri
-      });
-      window.localStorage.removeItem(`oidc.${oauthState}`);
-    } else {
-      tokens = await getBearerToken(url7.toString());
-    }
+    const tokens = await getTokens(issuerConfig, client, {
+      grantType: "authorization_code",
+      // We rely on our 'canHandle' function checking that the OAuth 'code'
+      // parameter is present in our query string.
+      code: url7.searchParams.get("code"),
+      codeVerifier,
+      redirectUrl: storedRedirectIri
+    }, isDpop);
+    window.localStorage.removeItem(`oidc.${oauthState}`);
     let refreshOptions;
     if (tokens.refreshToken !== void 0) {
       refreshOptions = {
@@ -12774,16 +13185,13 @@ var AuthCodeRedirectHandler = class {
         tokenRefresher: this.tokerRefresher
       };
     }
-    const authFetch = await buildAuthenticatedFetch(globalFetch2, tokens.accessToken, {
+    const authFetch = await buildAuthenticatedFetch(tokens.accessToken, {
       dpopKey: tokens.dpopKey,
       refreshOptions,
       eventEmitter,
       expiresIn: tokens.expiresIn
     });
-    await this.storageUtility.setForUser(storedSessionId, {
-      webId: tokens.webId,
-      isLoggedIn: "true"
-    }, { secure: true });
+    await saveSessionInfoToStorage(this.storageUtility, storedSessionId, tokens.webId, tokens.clientId, "true", void 0, true);
     const sessionInfo = await this.sessionInfoManager.get(storedSessionId);
     if (!sessionInfo) {
       throw new Error(`Could not retrieve session: [${storedSessionId}].`);
@@ -12834,33 +13242,34 @@ var ClientRegistrar = class {
     this.storageUtility = storageUtility;
   }
   async getClient(options, issuerConfig) {
-    const [
-      storedClientId,
-      storedClientSecret
-      // storedClientName,
-    ] = await Promise.all([
+    const [storedClientId, storedClientSecret, storedClientName, storedClientType] = await Promise.all([
       this.storageUtility.getForUser(options.sessionId, "clientId", {
         secure: false
       }),
       this.storageUtility.getForUser(options.sessionId, "clientSecret", {
         secure: false
+      }),
+      this.storageUtility.getForUser(options.sessionId, "clientName", {
+        secure: false
+      }),
+      this.storageUtility.getForUser(options.sessionId, "clientType", {
+        secure: false
       })
-      // this.storageUtility.getForUser(options.sessionId, "clientName", {
-      //   // FIXME: figure out how to persist secure storage at reload
-      //   secure: false,
-      // }),
     ]);
-    if (storedClientId) {
+    if (storedClientId && isKnownClientType(storedClientType)) {
       return {
         clientId: storedClientId,
         clientSecret: storedClientSecret,
-        clientType: "dynamic"
+        clientName: storedClientName,
+        // Note: static clients are not applicable in a browser context.
+        clientType: storedClientType
       };
     }
     try {
       const registeredClient = await registerClient(options, issuerConfig);
       const infoToSave = {
-        clientId: registeredClient.clientId
+        clientId: registeredClient.clientId,
+        clientType: "dynamic"
       };
       if (registeredClient.clientSecret) {
         infoToSave.clientSecret = registeredClient.clientSecret;
@@ -12919,9 +13328,6 @@ var TokenRefresher = class {
     const tokenSet = await refresh(refreshToken, oidcContext.issuerConfig, clientInfo, dpopKey);
     if (tokenSet.refreshToken !== void 0) {
       eventEmitter === null || eventEmitter === void 0 ? void 0 : eventEmitter.emit(EVENTS.NEW_REFRESH_TOKEN, tokenSet.refreshToken);
-      await this.storageUtility.setForUser(sessionId, {
-        refreshToken: tokenSet.refreshToken
-      });
     }
     return tokenSet;
   }
@@ -12969,7 +13375,7 @@ async function silentlyAuthenticate(sessionId, clientAuthn, session4) {
 function isLoggedIn(sessionInfo) {
   return !!(sessionInfo === null || sessionInfo === void 0 ? void 0 : sessionInfo.isLoggedIn);
 }
-var Session = class _Session extends import_events2.default {
+var Session = class {
   /**
    * Session object constructor. Typically called as follows:
    *
@@ -12986,7 +13392,6 @@ var Session = class _Session extends import_events2.default {
    *
    */
   constructor(sessionOptions = {}, sessionId = void 0) {
-    super();
     this.tokenRequestInProgress = false;
     this.login = async (options) => {
       var _a;
@@ -13043,7 +13448,7 @@ var Session = class _Session extends import_events2.default {
       this.tokenRequestInProgress = false;
       return sessionInfo;
     };
-    this.events = new Proxy(this, buildProxyHandler(_Session.prototype, "events only implements ISessionEventListener"));
+    this.events = new import_events.default();
     if (sessionOptions.clientAuthentication) {
       this.clientAuthentication = sessionOptions.clientAuthentication;
     } else if (sessionOptions.secureStorage && sessionOptions.insecureStorage) {
@@ -13058,11 +13463,12 @@ var Session = class _Session extends import_events2.default {
       this.info = {
         sessionId: sessionOptions.sessionInfo.sessionId,
         isLoggedIn: false,
-        webId: sessionOptions.sessionInfo.webId
+        webId: sessionOptions.sessionInfo.webId,
+        clientAppId: sessionOptions.sessionInfo.clientAppId
       };
     } else {
       this.info = {
-        sessionId: sessionId !== null && sessionId !== void 0 ? sessionId : v4_default(),
+        sessionId: sessionId !== null && sessionId !== void 0 ? sessionId : v4_default2(),
         isLoggedIn: false
       };
     }
@@ -13070,62 +13476,11 @@ var Session = class _Session extends import_events2.default {
     this.events.on(EVENTS.SESSION_EXPIRED, () => this.internalLogout(false));
     this.events.on(EVENTS.ERROR, () => this.internalLogout(false));
   }
-  /**
-   * Register a callback function to be called when a user completes login.
-   *
-   * The callback is called when {@link handleIncomingRedirect} completes successfully.
-   *
-   * @param callback The function called when a user completes login.
-   * @deprecated Prefer session.events.on(EVENTS.LOGIN, callback)
-   */
-  onLogin(callback) {
-    this.events.on(EVENTS.LOGIN, callback);
-  }
-  /**
-   * Register a callback function to be called when a user logs out:
-   *
-   * @param callback The function called when a user completes logout.
-   * @deprecated Prefer session.events.on(EVENTS.LOGOUT, callback)
-   */
-  onLogout(callback) {
-    this.events.on(EVENTS.LOGOUT, callback);
-  }
-  /**
-   * Register a callback function to be called when a user logs out:
-   *
-   * @param callback The function called when an error occurs.
-   * @since 1.11.0
-   * @deprecated Prefer session.events.on(EVENTS.ERROR, callback)
-   */
-  onError(callback) {
-    this.events.on(EVENTS.ERROR, callback);
-  }
-  /**
-   * Register a callback function to be called when a session is restored.
-   *
-   * Note: the callback will be called with the saved value of the 'current URL'
-   * at the time the session was restored.
-   *
-   * @param callback The function called when a user's already logged-in session is restored, e.g., after a silent authentication is completed after a page refresh.
-   * @deprecated Prefer session.events.on(EVENTS.SESSION_RESTORED, callback)
-   */
-  onSessionRestore(callback) {
-    this.events.on(EVENTS.SESSION_RESTORED, callback);
-  }
-  /**
-   * Register a callback that runs when the session expires and can no longer
-   * make authenticated requests, but following a user logout.
-   * @param callback The function that runs on session expiration.
-   * @since 1.11.0
-   * @deprecated Prefer session.events.on(EVENTS.SESSION_EXPIRED, callback)
-   */
-  onSessionExpiration(callback) {
-    this.events.on(EVENTS.SESSION_EXPIRED, callback);
-  }
   setSessionInfo(sessionInfo) {
     this.info.isLoggedIn = sessionInfo.isLoggedIn;
     this.info.webId = sessionInfo.webId;
     this.info.sessionId = sessionInfo.sessionId;
+    this.info.clientAppId = sessionInfo.clientAppId;
     this.info.expirationDate = sessionInfo.expirationDate;
     this.events.on(EVENTS.SESSION_EXTENDED, (expiresIn) => {
       this.info.expirationDate = Date.now() + expiresIn * 1e3;
@@ -13172,16 +13527,19 @@ var BrowserSession = class {
    * @deprecated use observeSession instead
    */
   trackSession(callback) {
-    this.session.on(EVENTS.LOGIN, () => callback(this.session.info));
-    this.session.on(EVENTS.LOGOUT, () => callback(this.session.info));
-    this.session.on(EVENTS.SESSION_RESTORED, () => callback(this.session.info));
+    this.session.events.on(EVENTS.LOGIN, () => callback(this.session.info));
+    this.session.events.on(EVENTS.LOGOUT, () => callback(this.session.info));
+    this.session.events.on(
+      EVENTS.SESSION_RESTORED,
+      () => callback(this.session.info)
+    );
     callback(this.session.info);
   }
   observeSession() {
     return this.sessionInfo$;
   }
   onSessionRestore(callback) {
-    this.session.on(EVENTS.SESSION_RESTORED, callback);
+    this.session.events.on(EVENTS.SESSION_RESTORED, callback);
   }
 };
 
@@ -13242,7 +13600,7 @@ var FileFetcher = class {
 
 // src/modules/contacts.ts
 async function loadContactsModule(store) {
-  const module2 = await import("./dist-TVYD2Q5S.js");
+  const module2 = await import("./dist-F3EUFQHU.js");
   return new module2.default({
     store: store.graph,
     fetcher: store.fetcher,
@@ -13284,6 +13642,30 @@ function labelForType(typeUri) {
   }
 }
 
+// src/thing/labelFromUri.ts
+function labelFromUri(uri6) {
+  const url7 = new URL(uri6);
+  if (isTooGeneric(url7.hash)) {
+    return (getFilename(url7) || url7.host + url7.pathname) + url7.hash;
+  }
+  return labelFromFragment(url7.hash) || getFilename(url7) || url7.host;
+}
+function labelFromFragment(fragment) {
+  return fragment ? fragment.split("#")[1] : null;
+}
+function isTooGeneric(fragment) {
+  const genericFragments = ["#it", "#this", "#me", "#i"];
+  return genericFragments.includes(fragment);
+}
+function getFilename(url7) {
+  if (url7.pathname.endsWith("/")) {
+    const containerName = url7.pathname.split("/").at(-2);
+    return containerName ? containerName + "/" : null;
+  } else {
+    return url7.pathname.split("/").pop();
+  }
+}
+
 // src/thing/Thing.ts
 var Thing = class {
   constructor(uri6, store, editable = false) {
@@ -13305,13 +13687,17 @@ var Thing = class {
       "http://schema.org/caption",
       "https://schema.org/caption"
     );
-    return value6 ?? this.uri;
+    if (value6) {
+      return value6;
+    }
+    return labelFromUri(this.uri);
   }
   literals() {
     const statements = this.store.statementsMatching(namedNode(this.uri));
     const values = statements.filter((it) => isLiteral(it.object)).reduce(accumulateValues, {});
     return Object.keys(values).map((predicate2) => ({
       predicate: predicate2,
+      label: labelFromUri(predicate2),
       values: values[predicate2]
     }));
   }
@@ -13320,6 +13706,7 @@ var Thing = class {
     const values = statements.filter((it) => isNamedNode(it.object) && !isRdfType(it.predicate)).reduce(accumulateValues, {});
     return Object.keys(values).map((predicate2) => ({
       predicate: predicate2,
+      label: labelFromUri(predicate2),
       uris: values[predicate2]
     }));
   }
@@ -13332,6 +13719,7 @@ var Thing = class {
     const values = statements.reduce(accumulateSubjects, {});
     return Object.keys(values).map((predicate2) => ({
       predicate: predicate2,
+      label: labelFromUri(predicate2),
       uris: values[predicate2]
     }));
   }
@@ -13757,7 +14145,7 @@ var provider = "http://www.w3.org/ns/activitystreams#provider";
 var replies = "http://www.w3.org/ns/activitystreams#replies";
 var result = "http://www.w3.org/ns/activitystreams#result";
 var audience = "http://www.w3.org/ns/activitystreams#audience";
-var tag = "http://www.w3.org/ns/activitystreams#tag";
+var tag2 = "http://www.w3.org/ns/activitystreams#tag";
 var tags = "http://www.w3.org/ns/activitystreams#tags";
 var target = "http://www.w3.org/ns/activitystreams#target";
 var origin2 = "http://www.w3.org/ns/activitystreams#origin";
@@ -13875,7 +14263,7 @@ var asImport = /* @__PURE__ */ Object.freeze({
   replies,
   result,
   audience,
-  tag,
+  tag: tag2,
   tags,
   target,
   origin: origin2,
@@ -18326,7 +18714,7 @@ var Patient = "http://hl7.org/fhir/Patient";
 var _identified = "http://hl7.org/fhir/_identified";
 var ExplanationOfBenefitAdjudication = "http://hl7.org/fhir/ExplanationOfBenefitAdjudication";
 var _Subscription = "http://hl7.org/fhir/_Subscription";
-var tag2 = "http://hl7.org/fhir/tag";
+var tag3 = "http://hl7.org/fhir/tag";
 var _performed = "http://hl7.org/fhir/_performed";
 var _formOf = "http://hl7.org/fhir/_formOf";
 var DeviceDefinitionPackagingComponentPackagingPackaging = "http://hl7.org/fhir/DeviceDefinitionPackagingComponentPackagingPackaging";
@@ -22559,7 +22947,7 @@ var fhirImport = /* @__PURE__ */ Object.freeze({
   _identified,
   ExplanationOfBenefitAdjudication,
   _Subscription,
-  tag: tag2,
+  tag: tag3,
   _performed,
   _formOf,
   DeviceDefinitionPackagingComponentPackagingPackaging,
@@ -23163,7 +23551,7 @@ var Document3 = "http://www.w3.org/2007/ont/link#Document";
 var Mailbox = "http://www.w3.org/2007/ont/link#Mailbox";
 var ProtocolEvent = "http://www.w3.org/2007/ont/link#ProtocolEvent";
 var RDFDocument = "http://www.w3.org/2007/ont/link#RDFDocument";
-var Response2 = "http://www.w3.org/2007/ont/link#Response";
+var Response = "http://www.w3.org/2007/ont/link#Response";
 var Session3 = "http://www.w3.org/2007/ont/link#Session";
 var isMentionedIn = "http://www.w3.org/2007/ont/link#isMentionedIn";
 var mentionsClass = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -23183,7 +23571,7 @@ var linkImport = /* @__PURE__ */ Object.freeze({
   Mailbox,
   ProtocolEvent,
   RDFDocument,
-  Response: Response2,
+  Response,
   Session: Session3,
   isMentionedIn,
   mentionsClass,
@@ -33449,7 +33837,7 @@ var Document4 = "http://www.w3.org/2007/ont/link#Document";
 var Mailbox2 = "http://www.w3.org/2007/ont/link#Mailbox";
 var ProtocolEvent2 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
 var RDFDocument2 = "http://www.w3.org/2007/ont/link#RDFDocument";
-var Response3 = "http://www.w3.org/2007/ont/link#Response";
+var Response2 = "http://www.w3.org/2007/ont/link#Response";
 var Session4 = "http://www.w3.org/2007/ont/link#Session";
 var isMentionedIn2 = "http://www.w3.org/2007/ont/link#isMentionedIn";
 var mentionsClass2 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -33469,7 +33857,7 @@ var tabImport = /* @__PURE__ */ Object.freeze({
   Mailbox: Mailbox2,
   ProtocolEvent: ProtocolEvent2,
   RDFDocument: RDFDocument2,
-  Response: Response3,
+  Response: Response2,
   Session: Session4,
   isMentionedIn: isMentionedIn2,
   mentionsClass: mentionsClass2,
@@ -33491,7 +33879,7 @@ var Document5 = "http://www.w3.org/2007/ont/link#Document";
 var Mailbox3 = "http://www.w3.org/2007/ont/link#Mailbox";
 var ProtocolEvent3 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
 var RDFDocument3 = "http://www.w3.org/2007/ont/link#RDFDocument";
-var Response4 = "http://www.w3.org/2007/ont/link#Response";
+var Response3 = "http://www.w3.org/2007/ont/link#Response";
 var Session5 = "http://www.w3.org/2007/ont/link#Session";
 var isMentionedIn3 = "http://www.w3.org/2007/ont/link#isMentionedIn";
 var mentionsClass3 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -33511,7 +33899,7 @@ var tabontImport = /* @__PURE__ */ Object.freeze({
   Mailbox: Mailbox3,
   ProtocolEvent: ProtocolEvent3,
   RDFDocument: RDFDocument3,
-  Response: Response4,
+  Response: Response3,
   Session: Session5,
   isMentionedIn: isMentionedIn3,
   mentionsClass: mentionsClass3,