@shokirovr16/frontend-library 0.1.2

package/src/auth/core/AuthEngine.js

@@ -0,0 +1,623 @@
+import { createAuthEventBus } from '../events/AuthEventBus.js';
+import { loadOidcDiscovery } from './OidcDiscovery.js';
+import { createOidcClient } from './OidcClient.js';
+import { generateCodeVerifier, codeChallengeS256 } from './Pkce.js';
+import { createInMemoryTokenStore } from '../storage/InMemoryTokenStore.js';
+import { createTransactionStore } from '../storage/TransactionStore.js';
+import { randomString } from '../utils/random.js';
+import { getCurrentUrl, parseUrlParams, stripQueryParams, toAbsoluteUrl } from '../utils/url.js';
+import { normalizeClaims } from '../permissions/ClaimsNormalizer.js';
+import * as perm from '../permissions/permissions.js';
+import { createDefaultTenantResolver } from '../tenancy/TenantResolver.js';
+import { createBroadcastChannelSync } from '../sync/BroadcastChannelSync.js';
+import { isJwtExpired } from '../utils/jwt.js';
+
+function nowSec() {
+  return Math.floor(Date.now() / 1000);
+}
+
+function isDebugEnabled() {
+  try {
+    return typeof window !== 'undefined' && /^(localhost|127\.0\.0\.1)$/.test(window.location.hostname);
+  } catch {
+    return false;
+  }
+}
+
+function debugLog(event, details) {
+  if (!isDebugEnabled()) return;
+  try {
+    const payload = { event, details: details || {}, ts: Date.now() };
+    if (typeof window !== 'undefined') {
+      window.__CMFRT_AUTH_DEBUG__ = window.__CMFRT_AUTH_DEBUG__ || [];
+      window.__CMFRT_AUTH_DEBUG__.push(payload);
+    }
+    // eslint-disable-next-line no-console
+    console.log(`[cmfrt/auth][debug] ${event}`, details || {});
+  } catch {
+    // ignore
+  }
+}
+
+function defaultValidateAndNormalizeConfig(cfg) {
+  if (!cfg) throw new Error('[cmfrt/auth] runtime config is required.');
+  if (!cfg.tenantId) throw new Error('[cmfrt/auth] runtime config: tenantId is required.');
+  if (!cfg.issuer) throw new Error('[cmfrt/auth] runtime config: issuer is required.');
+  if (!cfg.clientId) throw new Error('[cmfrt/auth] runtime config: clientId is required.');
+  if (!cfg.redirectUri) throw new Error('[cmfrt/auth] runtime config: redirectUri is required.');
+
+  return {
+    mode: 'spa-direct',
+    scopes: ['openid', 'profile', 'email'],
+    checkSsoPolicy: 'onLoad',
+    tokenPolicy: { minValiditySec: 30, refreshLeewaySec: 5 },
+    logoutPolicy: { frontChannel: true, broadcast: true },
+    claimsPolicy: {},
+    ...cfg,
+    redirectUri: toAbsoluteUrl(cfg.redirectUri) || cfg.redirectUri,
+    postLogoutRedirectUri: cfg.postLogoutRedirectUri ? toAbsoluteUrl(cfg.postLogoutRedirectUri) : undefined,
+    silentCheckSsoRedirectUri: cfg.silentCheckSsoRedirectUri ? toAbsoluteUrl(cfg.silentCheckSsoRedirectUri) : undefined,
+  };
+}
+
+function createSnapshot({ status, tenantId, user, error }) {
+  return {
+    status,
+    tenantId: tenantId || null,
+    user: user || null,
+    isAuthenticated: !!user,
+    error: error || null,
+  };
+}
+
+export function createAuthEngine(options) {
+  const eventBus = createAuthEventBus();
+  const stateListeners = new Set();
+
+  const tenantResolver = options?.tenantResolver || createDefaultTenantResolver();
+  const validateAndNormalizeConfig = options?.validateAndNormalizeConfig || defaultValidateAndNormalizeConfig;
+
+  let status = 'idle';
+  let tenantId = null;
+  let config = null;
+  let discovery = null;
+  let oidc = null;
+  let user = null;
+  let lastError = null;
+
+  const tokenStore = createInMemoryTokenStore();
+  let refreshPromise = null;
+
+  let transactionStore = createTransactionStore({ namespace: 'cmfrt.auth.txn' });
+
+  const channelName =
+    options?.broadcastChannelName || (typeof window !== 'undefined' ? `cmfrt.auth.${window.location.origin}` : 'cmfrt.auth');
+  const sync = createBroadcastChannelSync({
+    name: channelName,
+    onMessage: async (msg) => {
+      if (!msg || typeof msg !== 'object') return;
+      if (msg.type === 'LOGOUT' && msg.tenantId === tenantId) {
+        clearSession('broadcast_logout');
+      }
+      if (msg.type === 'TENANT_SWITCH' && msg.fromTenantId === tenantId) {
+        clearSession('broadcast_tenant_switch');
+      }
+    },
+  });
+
+  function emitEvent(event) {
+    const enriched = { ts: Date.now(), tenantId, ...event };
+    eventBus.emit(enriched);
+    options?.onEvent?.(enriched);
+  }
+
+  function notifySnapshot() {
+    const snapshot = getSnapshot();
+    for (const listener of stateListeners) {
+      try {
+        listener(snapshot);
+      } catch {
+        // best-effort
+      }
+    }
+  }
+
+  function setStatus(next, err) {
+    status = next;
+    if (err) lastError = String(err?.message || err);
+    debugLog('status', { next, err: err ? String(err?.message || err) : null, tenantId, clientId: config?.clientId });
+    notifySnapshot();
+    emitEvent({ type: 'STATUS', status: next, error: err ? String(err?.message || err) : null });
+  }
+
+  function computeUser() {
+    const claims = tokenStore.getClaims();
+    const accessClaims = claims?.access || null;
+    const idClaims = claims?.id || null;
+    const normalized = normalizeClaims({
+      accessClaims,
+      idClaims,
+      clientId: config?.clientId,
+      claimsPolicy: config?.claimsPolicy,
+    });
+    user = normalized ? { ...normalized } : null;
+  }
+
+  async function loadRuntimeConfig() {
+    const runtimeConfig = options?.runtimeConfig;
+    if (typeof runtimeConfig === 'function') return runtimeConfig();
+    return runtimeConfig;
+  }
+
+  async function init({ checkSso } = {}) {
+    setStatus('loading_config');
+    const t = await Promise.resolve(tenantResolver.resolve());
+    tenantId = t?.tenantId || 'default';
+
+    const rawCfg = await loadRuntimeConfig();
+    // Explicit runtime config must win over URL-derived tenant hints.
+    config = validateAndNormalizeConfig({ ...(t || {}), ...(rawCfg || {}) });
+    if (config.tenantId !== tenantId) tenantId = config.tenantId;
+
+    transactionStore = createTransactionStore({
+      namespace: `cmfrt.auth.txn.${config.tenantId}.${config.clientId}`,
+    });
+    debugLog('init.config', {
+      tenantId,
+      configTenantId: config.tenantId,
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      silentCheckSsoRedirectUri: config.silentCheckSsoRedirectUri,
+      checkSsoPolicy: config.checkSsoPolicy,
+      path: typeof window !== 'undefined' ? window.location.pathname : null,
+    });
+
+    setStatus('discovering');
+    discovery = await loadOidcDiscovery(config.issuer);
+    oidc = createOidcClient({ config, discovery });
+
+    setStatus('ready');
+    emitEvent({ type: 'READY', config: safeConfigForEvents(config) });
+
+    const shouldCheckSso =
+      checkSso ?? (config.checkSsoPolicy === 'onLoad' && typeof window !== 'undefined' && !tokenStore.getAccessToken());
+    if (shouldCheckSso) {
+      try {
+        await checkSsoSilent();
+      } catch (e) {
+        // check-sso must never hard-fail init
+        emitEvent({ type: 'CHECK_SSO_FAILED', error: String(e?.message || e) });
+      }
+    }
+
+    if (tokenStore.getAccessToken()) {
+      computeUser();
+      setStatus('authenticated');
+    } else {
+      setStatus('logged_out');
+    }
+  }
+
+  function safeConfigForEvents(cfg) {
+    if (!cfg) return null;
+    const { issuer, tenantId: tId, clientId } = cfg;
+    return { issuer, tenantId: tId, clientId };
+  }
+
+  function getSnapshot() {
+    return createSnapshot({ status, tenantId, user, error: lastError });
+  }
+
+  function subscribe(listener) {
+    stateListeners.add(listener);
+    listener(getSnapshot());
+    return () => stateListeners.delete(listener);
+  }
+
+  function subscribeAuthEvents(listener) {
+    return eventBus.subscribe(listener);
+  }
+
+  function isAuthenticated() {
+    return !!user && !!tokenStore.getAccessToken();
+  }
+
+  function getAccessToken() {
+    return tokenStore.getAccessToken();
+  }
+
+  function getIdToken() {
+    return tokenStore.getIdToken();
+  }
+
+  function getUser() {
+    return user;
+  }
+
+  function clearSession(reason = 'clear') {
+    tokenStore.clear();
+    user = null;
+    refreshPromise = null;
+    lastError = null;
+    transactionStore.clearAll();
+    setStatus('logged_out');
+    emitEvent({ type: 'SESSION_CLEARED', reason });
+  }
+
+  async function ensureFreshToken(minValiditySec) {
+    const token = tokenStore.getAccessToken();
+    if (!token) return;
+    const minValid = minValiditySec ?? config?.tokenPolicy?.minValiditySec ?? 30;
+    const leeway = config?.tokenPolicy?.refreshLeewaySec ?? 0;
+    const exp = tokenStore.getAccessTokenExpSec();
+    if (!exp) return refresh();
+    const remaining = exp - nowSec();
+    if (remaining > minValid) return;
+    return refresh({ leeway });
+  }
+
+  async function refresh({ leeway = 0 } = {}) {
+    if (!oidc) throw new Error('[cmfrt/auth] refresh called before init.');
+    const refreshToken = tokenStore.getRefreshToken();
+    if (!refreshToken) throw new Error('[cmfrt/auth] No refresh token in memory.');
+
+    if (refreshPromise) return refreshPromise;
+    refreshPromise = (async () => {
+      setStatus('refreshing');
+      try {
+        // Prevent using a refresh token past its own expiry if present (best-effort).
+        if (isJwtExpired(refreshToken, nowSec(), leeway)) {
+          throw new Error('Refresh token expired');
+        }
+        const next = await oidc.refreshTokens({ refreshToken });
+        tokenStore.set(next);
+        computeUser();
+        setStatus('authenticated');
+        emitEvent({ type: 'TOKEN_REFRESHED' });
+      } catch (e) {
+        clearSession('refresh_failed');
+        emitEvent({ type: 'REFRESH_FAILED', error: String(e?.message || e) });
+        throw e;
+      } finally {
+        refreshPromise = null;
+      }
+    })();
+    return refreshPromise;
+  }
+
+  async function login({ returnTo, prompt } = {}) {
+    if (!oidc || !config) throw new Error('[cmfrt/auth] login called before init.');
+    if (typeof window === 'undefined') throw new Error('[cmfrt/auth] login requires a browser environment.');
+
+    setStatus('authenticating');
+
+    const state = randomString(32);
+    const nonce = randomString(32);
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await codeChallengeS256(codeVerifier);
+
+    const effectiveReturnTo = returnTo || window.location.pathname + window.location.search + window.location.hash;
+
+    transactionStore.set('state', state);
+    transactionStore.set('nonce', nonce);
+    transactionStore.set('codeVerifier', codeVerifier);
+    transactionStore.set('returnTo', effectiveReturnTo);
+    transactionStore.set('createdAt', Date.now());
+    debugLog('login.transaction', {
+      state,
+      returnTo: effectiveReturnTo,
+      tenantId: config?.tenantId,
+      clientId: config?.clientId,
+      redirectUri: config?.redirectUri,
+      path: typeof window !== 'undefined' ? window.location.pathname : null,
+    });
+
+    emitEvent({ type: 'LOGIN_REDIRECT', returnTo: effectiveReturnTo });
+
+    const url = oidc.buildAuthorizeUrl({
+      redirectUri: config.redirectUri,
+      scope: (config.scopes || []).join(' '),
+      state,
+      nonce,
+      codeChallenge,
+      prompt,
+      audience: config.apiAudience,
+      loginHint: undefined,
+      idpHint: undefined,
+    });
+
+    window.location.assign(url);
+    // never resolves (browser navigation)
+    return new Promise(() => {});
+  }
+
+  async function handleCallback({ url } = {}) {
+    if (!oidc || !config) throw new Error('[cmfrt/auth] handleCallback called before init.');
+    const callbackUrl = url || getCurrentUrl();
+    if (!callbackUrl) throw new Error('[cmfrt/auth] handleCallback requires url (browser).');
+
+    const params = parseUrlParams(callbackUrl);
+    const error = params.error;
+    const errorDescription = params.error_description;
+    if (error) {
+      setStatus('error', new Error(errorDescription || error));
+      emitEvent({ type: 'CALLBACK_ERROR', error, errorDescription });
+      throw new Error(`[cmfrt/auth] OIDC callback error: ${error} ${errorDescription || ''}`.trim());
+    }
+
+    const code = params.code;
+    const state = params.state;
+    if (!code || !state) {
+      throw new Error('[cmfrt/auth] Missing code/state in callback.');
+    }
+
+    const expectedState = transactionStore.get('state');
+    const codeVerifier = transactionStore.get('codeVerifier');
+    const returnTo = transactionStore.get('returnTo');
+    debugLog('callback.transaction', {
+      url: callbackUrl,
+      state,
+      expectedState,
+      hasCodeVerifier: !!codeVerifier,
+      returnTo,
+      tenantId: config?.tenantId,
+      clientId: config?.clientId,
+      path: typeof window !== 'undefined' ? window.location.pathname : null,
+    });
+
+    if (!expectedState || state !== expectedState) {
+      clearSession('state_mismatch');
+      debugLog('callback.state_mismatch', {
+        state,
+        expectedState,
+        tenantId: config?.tenantId,
+        clientId: config?.clientId,
+      });
+      throw new Error('[cmfrt/auth] State mismatch in callback.');
+    }
+    if (!codeVerifier) {
+      clearSession('missing_code_verifier');
+      throw new Error('[cmfrt/auth] Missing codeVerifier (sessionStorage cleared?).');
+    }
+
+    setStatus('authenticating');
+
+    const tokenResponse = await oidc.exchangeCodeForTokens({
+      code,
+      codeVerifier,
+      redirectUri: config.redirectUri,
+    });
+    tokenStore.set(tokenResponse);
+    computeUser();
+
+    transactionStore.clearAll();
+
+    setStatus('authenticated');
+    emitEvent({ type: 'LOGIN_SUCCESS' });
+
+    // Optional: clean URL to avoid leaking code in history.
+    if (typeof window !== 'undefined') {
+      try {
+        const clean = stripQueryParams(callbackUrl, ['code', 'state', 'session_state']);
+        window.history.replaceState({}, '', clean);
+      } catch {
+        // ignore
+      }
+    }
+
+    return { returnTo: returnTo || undefined };
+  }
+
+  async function checkSsoSilent() {
+    if (!oidc || !config) throw new Error('[cmfrt/auth] checkSsoSilent called before init.');
+    if (typeof window === 'undefined') return;
+    if (!config.silentCheckSsoRedirectUri) {
+      emitEvent({ type: 'CHECK_SSO_SKIPPED', reason: 'missing_silentCheckSsoRedirectUri' });
+      return;
+    }
+
+    const state = randomString(32);
+    const nonce = randomString(32);
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await codeChallengeS256(codeVerifier);
+
+    transactionStore.set('silentState', state);
+    transactionStore.set('silentCodeVerifier', codeVerifier);
+    transactionStore.set('silentNonce', nonce);
+    debugLog('silent_sso.start', {
+      silentState: state,
+      tenantId: config?.tenantId,
+      clientId: config?.clientId,
+      silentCheckSsoRedirectUri: config?.silentCheckSsoRedirectUri,
+      path: typeof window !== 'undefined' ? window.location.pathname : null,
+    });
+
+    const url = oidc.buildAuthorizeUrl({
+      redirectUri: config.silentCheckSsoRedirectUri,
+      scope: (config.scopes || []).join(' '),
+      state,
+      nonce,
+      codeChallenge,
+      prompt: 'none',
+      audience: config.apiAudience,
+    });
+
+    emitEvent({ type: 'CHECK_SSO_START' });
+
+    await runHiddenIFrameFlow({
+      url,
+      messageType: 'CMFRT_OIDC_SILENT_CALLBACK',
+      timeoutMs: 8000,
+      onMessage: async (payload) => {
+        const p = payload?.params || {};
+        if (p.error) {
+          emitEvent({ type: 'CHECK_SSO_RESULT', result: 'no_session', error: p.error });
+          return;
+        }
+        if (!p.code || !p.state) return;
+        if (p.state !== transactionStore.get('silentState')) {
+          debugLog('silent_sso.state_mismatch', {
+            state: p.state,
+            expectedState: transactionStore.get('silentState'),
+            tenantId: config?.tenantId,
+            clientId: config?.clientId,
+          });
+          emitEvent({ type: 'CHECK_SSO_RESULT', result: 'state_mismatch' });
+          return;
+        }
+        const silentVerifier = transactionStore.get('silentCodeVerifier');
+        const tokenResponse = await oidc.exchangeCodeForTokens({
+          code: p.code,
+          codeVerifier: silentVerifier,
+          redirectUri: config.silentCheckSsoRedirectUri,
+        });
+        tokenStore.set(tokenResponse);
+        computeUser();
+        setStatus('authenticated');
+        emitEvent({ type: 'CHECK_SSO_RESULT', result: 'authenticated' });
+      },
+    });
+  }
+
+  async function handleSilentCallbackMessage(event) {
+    // Optional external wiring if app prefers manual listener:
+    // window.addEventListener('message', (ev)=>engine.handleSilentCallbackMessage(ev))
+    const data = event?.data;
+    if (!data || data.type !== 'CMFRT_OIDC_SILENT_CALLBACK') return;
+    // No-op: checkSsoSilent registers its own listener via runHiddenIFrameFlow.
+  }
+
+  async function logout({ postLogoutRedirectUri } = {}) {
+    if (!oidc || !config) throw new Error('[cmfrt/auth] logout called before init.');
+    if (typeof window === 'undefined') return;
+
+    emitEvent({ type: 'LOGOUT_START' });
+    if (config.logoutPolicy?.broadcast) {
+      sync.post({ type: 'LOGOUT', tenantId: config.tenantId });
+    }
+
+    const idTokenHint = tokenStore.getIdToken();
+    clearSession('logout');
+
+    if (config.logoutPolicy?.frontChannel) {
+      const url = oidc.buildLogoutUrl({
+        idTokenHint,
+        postLogoutRedirectUri: postLogoutRedirectUri || config.postLogoutRedirectUri || window.location.origin,
+      });
+      if (url) {
+        window.location.assign(url);
+        return new Promise(() => {});
+      }
+    }
+  }
+
+  async function setTenant(tenant) {
+    if (!tenant?.tenantId) throw new Error('[cmfrt/auth] setTenant requires tenantId.');
+    tenantId = tenant.tenantId;
+    emitEvent({ type: 'TENANT_SET', tenantId });
+    notifySnapshot();
+  }
+
+  async function switchTenant(tenant, opts = {}) {
+    if (!tenant?.tenantId) throw new Error('[cmfrt/auth] switchTenant requires tenantId.');
+    const from = tenantId;
+    if (from === tenant.tenantId) return;
+
+    emitEvent({ type: 'TENANT_SWITCH_START', fromTenantId: from, toTenantId: tenant.tenantId });
+    sync.post({ type: 'TENANT_SWITCH', fromTenantId: from, toTenantId: tenant.tenantId });
+
+    clearSession('tenant_switch');
+    tenantId = tenant.tenantId;
+
+    // Re-init with new tenant context.
+    await init({ checkSso: opts.checkSso ?? true });
+    emitEvent({ type: 'TENANT_SWITCH_DONE', fromTenantId: from, toTenantId: tenant.tenantId });
+  }
+
+  function hasRole(role) {
+    return perm.hasRole(user, role);
+  }
+  function hasAnyRole(roles) {
+    return perm.hasAnyRole(user, roles);
+  }
+  function hasAllRoles(roles) {
+    return perm.hasAllRoles(user, roles);
+  }
+  function hasPermission(permission) {
+    return perm.hasPermission(user, permission);
+  }
+  function can(permission) {
+    return perm.can(user, permission);
+  }
+
+  // Kick init automatically for the default-engine use-case.
+  // Apps can ignore and call `engine.init()` explicitly if they prefer.
+  init().catch((e) => setStatus('error', e));
+
+  return {
+    getSnapshot,
+    subscribe,
+    subscribeAuthEvents,
+    init,
+    login,
+    logout,
+    handleCallback,
+    handleSilentCallbackMessage,
+    ensureFreshToken,
+    refresh,
+    getAccessToken,
+    getIdToken,
+    isAuthenticated,
+    getUser,
+    clearSession,
+    setTenant,
+    switchTenant,
+    hasRole,
+    hasAnyRole,
+    hasAllRoles,
+    hasPermission,
+    can,
+  };
+}
+
+async function runHiddenIFrameFlow({ url, messageType, timeoutMs, onMessage }) {
+  if (typeof window === 'undefined' || typeof document === 'undefined') return;
+
+  const iframe = document.createElement('iframe');
+  iframe.style.display = 'none';
+  iframe.setAttribute('aria-hidden', 'true');
+  iframe.src = url;
+
+  let done = false;
+  let timer = null;
+
+  const cleanup = () => {
+    if (done) return;
+    done = true;
+    if (timer) clearTimeout(timer);
+    window.removeEventListener('message', handleWindowMessage);
+    try {
+      iframe.remove();
+    } catch {
+      // ignore
+    }
+  };
+
+  const handleWindowMessage = async (ev) => {
+    const data = ev?.data;
+    if (!data || data.type !== messageType) return;
+    try {
+      await onMessage(data);
+    } finally {
+      cleanup();
+    }
+  };
+
+  window.addEventListener('message', handleWindowMessage);
+  document.body.appendChild(iframe);
+
+  timer = setTimeout(() => {
+    cleanup();
+  }, timeoutMs);
+}
+

package/src/auth/core/OidcClient.js

@@ -0,0 +1,79 @@
+/**
+ * Minimal OIDC client for SPA-direct Authorization Code Flow + PKCE.
+ * Designed for Keycloak but uses standard OIDC discovery endpoints.
+ */
+
+export function createOidcClient({ config, discovery, fetchImpl = fetch }) {
+  const issuer = config.issuer.replace(/\/+$/g, '');
+  const clientId = config.clientId;
+
+  function buildAuthorizeUrl(params) {
+    const url = new URL(discovery.authorization_endpoint);
+    url.searchParams.set('client_id', clientId);
+    url.searchParams.set('response_type', 'code');
+    url.searchParams.set('redirect_uri', params.redirectUri);
+    url.searchParams.set('scope', params.scope);
+    url.searchParams.set('state', params.state);
+    url.searchParams.set('code_challenge', params.codeChallenge);
+    url.searchParams.set('code_challenge_method', 'S256');
+    if (params.nonce) url.searchParams.set('nonce', params.nonce);
+    if (params.prompt) url.searchParams.set('prompt', params.prompt);
+    if (params.audience) url.searchParams.set('audience', params.audience);
+    if (params.loginHint) url.searchParams.set('login_hint', params.loginHint);
+    if (params.idpHint) url.searchParams.set('kc_idp_hint', params.idpHint); // Keycloak-specific optional hint
+    return url.toString();
+  }
+
+  async function tokenRequest(body) {
+    const res = await fetchImpl(discovery.token_endpoint, {
+      method: 'POST',
+      headers: { 'content-type': 'application/x-www-form-urlencoded', accept: 'application/json' },
+      body: new URLSearchParams(body).toString(),
+    });
+    const json = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      const details = json?.error_description || json?.error || `${res.status} ${res.statusText}`;
+      throw new Error(`[cmfrt/auth] Token endpoint error: ${details}`);
+    }
+    return json;
+  }
+
+  async function exchangeCodeForTokens({ code, codeVerifier, redirectUri }) {
+    return tokenRequest({
+      grant_type: 'authorization_code',
+      client_id: clientId,
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier,
+    });
+  }
+
+  async function refreshTokens({ refreshToken }) {
+    return tokenRequest({
+      grant_type: 'refresh_token',
+      client_id: clientId,
+      refresh_token: refreshToken,
+    });
+  }
+
+  function buildLogoutUrl({ idTokenHint, postLogoutRedirectUri }) {
+    const endSession = discovery.end_session_endpoint || discovery.end_session_endpoint;
+    if (!endSession) return null;
+    const url = new URL(endSession);
+    if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
+    if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+    url.searchParams.set('client_id', clientId);
+    return url.toString();
+  }
+
+  return {
+    issuer,
+    clientId,
+    discovery,
+    buildAuthorizeUrl,
+    exchangeCodeForTokens,
+    refreshTokens,
+    buildLogoutUrl,
+  };
+}
+