npm - @tidecloak/js - Versions diffs - 0.12.33 → 0.12.39 - Mend

@tidecloak/js 0.12.33 → 0.12.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (528) hide show

package/dist/cjs/lib/tidecloak.js CHANGED Viewed

@@ -1,19 +1,9 @@
-"use strict";
 /*
  * Copyright 2016 Red Hat, Inc. and/or its affiliates
  * and other contributors as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
  *
  * Modifications Copyright (C) 2025 Tide Foundation Ltd
  * Tide Protocol - Infrastructure for a TRUE Zero-Trust paradigm
@@ -32,1800 +22,1784 @@
  * You should have received a copy of the Tide Community Open Code License along
  * with this program. If not, see https://tide.org/licenses_tcoc2-0-0-en
  */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApprovalEnclave = exports.RequestEnclave = void 0;
-exports.getHumanReadableObject = getHumanReadableObject;
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var _TideCloak_instances, _TideCloak_refreshQueue, _TideCloak_adapter, _TideCloak_useNonce, _TideCloak_callbackStorage, _TideCloak_logInfo, _TideCloak_logWarn, _TideCloak_loginIframe, _TideCloak_config, _TideCloak_loadAdapter, _TideCloak_loadDefaultAdapter, _TideCloak_loadCordovaAdapter, _TideCloak_loadCordovaNativeAdapter, _TideCloak_loadConfig, _TideCloak_setupEndpoints, _TideCloak_loadOidcConfig, _TideCloak_setupOidcEndpoints, _TideCloak_check3pCookiesSupported, _TideCloak_processInit, _TideCloak_setupCheckLoginIframe, _TideCloak_checkLoginIframe, _TideCloak_checkSsoSilently, _TideCloak_parseCallback, _TideCloak_parseCallbackUrl, _TideCloak_parseCallbackParams, _TideCloak_processCallback, _TideCloak_scheduleCheckIframe, _TideCloak_getVoucherUrl, _TideCloak_setToken, _TideCloak_getRealmUrl, _TideCloak_createLogger, _LocalStorage_instances, _LocalStorage_clearInvalidValues, _LocalStorage_clearAllValues, _LocalStorage_getStoredEntries, _LocalStorage_parseExpiry, _CookieStorage_instances, _CookieStorage_getCookie, _CookieStorage_setCookie, _CookieStorage_cookieExpiration;
 // MODIFIED: Added dependency to external Tide helper libraries.
-const heimdall_tide_1 = require("heimdall-tide");
-const Serialization_js_1 = require("../modules/tide-js/Cryptide/Serialization.js");
-const AuthorizedEncryptionFlow_js_1 = require("../modules/tide-js/Flow/EncryptionFlows/AuthorizedEncryptionFlow.js");
-const dVVKSigningFlow_DEPRECATED_js_1 = __importDefault(require("../modules/tide-js/Flow/SigningFlows/dVVKSigningFlow_DEPRECATED.js"));
-const CardanoTxBodySignRequest_js_1 = __importDefault(require("../modules/tide-js/Models/Transactions/CardanoTxBodySignRequest.js"));
-const RuleSettingSignRequest_js_1 = __importDefault(require("../modules/tide-js/Models/Rules/RuleSettingSignRequest.js"));
-const AuthorizationBuilder_js_1 = __importDefault(require("../modules/tide-js/Models/AuthorizationBuilder.js"));
-const Math_js_1 = require("../modules/tide-js/Cryptide/Math.js");
-const NetworkClient_js_1 = __importDefault(require("../modules/tide-js/Clients/NetworkClient.js"));
-const ModelRegistry_js_1 = require("../modules/tide-js/Models/ModelRegistry.js");
-const thresholdRules_js_1 = __importDefault(require("../modules/tide-js/RulesEngine/thresholdRules.js"));
-const dVVKDecryptionFlow_js_1 = __importDefault(require("../modules/tide-js/Flow/DecryptionFlows/dVVKDecryptionFlow.js"));
-const dVVKSigningFlow_js_1 = __importDefault(require("../modules/tide-js/Flow/SigningFlows/dVVKSigningFlow.js"));
-// MODIFIED: Refactored `Keycloak` class into `TideCloak`.
-function TideCloak(config) {
-    if (!(this instanceof TideCloak)) {
-        throw new Error("The 'TideCloak' constructor must be invoked with 'new'.");
-    }
-    if (typeof config !== 'string' && !isObject(config)) {
-        throw new Error("The 'TideCloak' constructor must be provided with a configuration object, or a URL to a JSON configuration file.");
-    }
-    if (isObject(config)) {
-        const requiredProperties = 'oidcProvider' in config
-            ? ['clientId']
-            : ['url', 'realm', 'clientId', 'homeOrkUrl', 'vendorId', 'clientOriginAuth'];
-        for (const property of requiredProperties) {
-            if (!config[property]) {
-                throw new Error(`The configuration object is missing the required '${property}' property.`);
-            }
-        }
+import { RequestEnclave, ApprovalEnclave, ApprovalEnclaveNew } from "heimdall-tide";
+const CONTENT_TYPE_JSON = 'application/json';
+/**
+ * @typedef {Object} Endpoints
+ * @property {() => string} authorize
+ * @property {() => string} token
+ * @property {() => string} logout
+ * @property {() => string} checkSessionIframe
+ * @property {() => string=} thirdPartyCookiesIframe
+ * @property {() => string} register
+ * @property {() => string} userinfo
+ */
+/**
+ * @typedef {Object} LoginIframe
+ * @property {boolean} enable
+ * @property {((error: Error | null, value?: boolean) => void)[]} callbackList
+ * @property {number} interval
+ * @property {HTMLIFrameElement=} iframe
+ * @property {string=} iframeOrigin
+ */
+export { RequestEnclave, ApprovalEnclave, ApprovalEnclaveNew, TideMemory, BaseTideRequest, PolicySignRequest, Policy, PolicyParameters } from "heimdall-tide";
+class TideCloak {
+    /**
+     * @param {KeycloakConfig} config
+     */
+    constructor(config) {
+        _TideCloak_instances.add(this);
+        /** @type {Pick<PromiseWithResolvers<boolean>, 'resolve' | 'reject'>[]} */
+        _TideCloak_refreshQueue.set(this, []
+        /** @type {KeycloakAdapter} */
+        );
+        /** @type {KeycloakAdapter} */
+        _TideCloak_adapter.set(this, void 0);
+        /** @type {boolean} */
+        _TideCloak_useNonce.set(this, true
+        /** @type {CallbackStorage} */
+        );
+        /** @type {CallbackStorage} */
+        _TideCloak_callbackStorage.set(this, void 0);
+        _TideCloak_logInfo.set(this, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_createLogger).call(this, console.info));
+        _TideCloak_logWarn.set(this, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_createLogger).call(this, console.warn)
+        /** @type {LoginIframe} */
+        );
+        /** @type {LoginIframe} */
+        _TideCloak_loginIframe.set(this, {
+            enable: true,
+            callbackList: [],
+            interval: 5
+        }
+        /** @type {KeycloakConfig} config */
+        );
+        /** @type {KeycloakConfig} config */
+        _TideCloak_config.set(this, void 0);
+        this.didInitialize = false;
+        this.authenticated = false;
+        this.loginRequired = false;
+        /** @type {KeycloakResponseMode} */
+        this.responseMode = 'fragment';
+        /** @type {KeycloakResponseType} */
+        this.responseType = 'code';
+        /** @type {KeycloakFlow} */
+        this.flow = 'standard';
+        /** @type {boolean} */
+        this.silentCheckSsoFallback = true;
+        /** @type {KeycloakPkceMethod} */
+        this.pkceMethod = 'S256';
+        this.enableLogging = false;
+        /** @type {'GET' | 'POST'} */
+        this.logoutMethod = 'GET';
+        this.messageReceiveTimeout = 10000;
+        if (typeof config !== 'string' && !isObject(config)) {
+            throw new Error("The 'TideCloak' constructor must be provided with a configuration object, or a URL to a JSON configuration file.");
+        }
+        // if (isObject(config)) {
+        //   const requiredProperties = 'oidcProvider' in config
+        //     ? ['clientId']
+        //     : ['url', 'realm', 'clientId', 'homeOrkUrl', 'vendorId', 'clientOriginAuth']
+        //   for (const property of requiredProperties) {
+        //     if (!config[property]) {
+        //       throw new Error(`The configuration object is missing the required '${property}' property.`)
+        //     }
+        //   }
+        // }
+        if (!globalThis.isSecureContext) {
+            __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, "[TIDECLOAK] TideCloak JS must be used in a 'secure context' to function properly as it relies on browser APIs that are otherwise not available.\n" +
+                'Continuing to run your application insecurely will lead to unexpected behavior and breakage.\n\n' +
+                'For more information see: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts');
+        }
+        __classPrivateFieldSet(this, _TideCloak_config, config, "f");
     }
-    var kc = this;
-    var adapter;
-    var refreshQueue = [];
-    var callbackStorage;
-    var loginIframe = {
-        enable: true,
-        callbackList: [],
-        interval: 5
-    };
-    kc.didInitialize = false;
-    var useNonce = true;
-    var logInfo = createLogger(console.info);
-    var logWarn = createLogger(console.warn);
-    if (!globalThis.isSecureContext) {
-        logWarn("[TIDECLOAK] TideCloak-JS must be used in a 'secure context' to function properly as it relies on browser APIs that are otherwise not available.\n" +
-            "Continuing to run your application insecurely will lead to unexpected behavior and breakage.\n\n" +
-            "For more information see: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts");
-    }
-    kc.init = function (initOptions = {}) {
-        if (kc.didInitialize) {
+    /**
+     * @param {KeycloakInitOptions} initOptions
+     * @returns {Promise<boolean>}
+     */
+    async init(initOptions = {}) {
+        var _a;
+        if (this.didInitialize) {
             throw new Error("A 'TideCloak' instance can only be initialized once.");
         }
-        kc.didInitialize = true;
-        kc.authenticated = false;
-        callbackStorage = createCallbackStorage();
-        var adapters = ['default', 'cordova', 'cordova-native'];
-        if (adapters.indexOf(initOptions.adapter) > -1) {
-            adapter = loadAdapter(initOptions.adapter);
+        this.didInitialize = true;
+        __classPrivateFieldSet(this, _TideCloak_callbackStorage, createCallbackStorage(), "f");
+        const adapters = ['default', 'cordova', 'cordova-native'];
+        if (typeof initOptions.adapter === 'string' && adapters.includes(initOptions.adapter)) {
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, initOptions.adapter), "f");
+        }
+        else if (typeof initOptions.adapter === 'object') {
+            __classPrivateFieldSet(this, _TideCloak_adapter, initOptions.adapter, "f");
         }
-        else if (typeof initOptions.adapter === "object") {
-            adapter = initOptions.adapter;
+        else if ('Cordova' in window || 'cordova' in window) {
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, 'cordova'), "f");
         }
         else {
-            if (window.Cordova || window.cordova) {
-                adapter = loadAdapter('cordova');
-            }
-            else {
-                adapter = loadAdapter();
-            }
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, 'default'), "f");
         }
         if (typeof initOptions.useNonce !== 'undefined') {
-            useNonce = initOptions.useNonce;
+            __classPrivateFieldSet(this, _TideCloak_useNonce, initOptions.useNonce, "f");
         }
         if (typeof initOptions.checkLoginIframe !== 'undefined') {
-            loginIframe.enable = initOptions.checkLoginIframe;
+            __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = initOptions.checkLoginIframe;
         }
         if (initOptions.checkLoginIframeInterval) {
-            loginIframe.interval = initOptions.checkLoginIframeInterval;
+            __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").interval = initOptions.checkLoginIframeInterval;
         }
         if (initOptions.onLoad === 'login-required') {
-            kc.loginRequired = true;
+            this.loginRequired = true;
         }
         if (initOptions.responseMode) {
             if (initOptions.responseMode === 'query' || initOptions.responseMode === 'fragment') {
-                kc.responseMode = initOptions.responseMode;
+                this.responseMode = initOptions.responseMode;
             }
             else {
-                throw 'Invalid value for responseMode';
+                throw new Error('Invalid value for responseMode');
             }
         }
         if (initOptions.flow) {
             switch (initOptions.flow) {
                 case 'standard':
-                    kc.responseType = 'code';
+                    this.responseType = 'code';
                     break;
                 case 'implicit':
-                    kc.responseType = 'id_token token';
+                    this.responseType = 'id_token token';
                     break;
                 case 'hybrid':
-                    kc.responseType = 'code id_token token';
+                    this.responseType = 'code id_token token';
                     break;
                 default:
-                    throw 'Invalid value for flow';
+                    throw new Error('Invalid value for flow');
             }
-            kc.flow = initOptions.flow;
+            this.flow = initOptions.flow;
         }
-        if (initOptions.timeSkew != null) {
-            kc.timeSkew = initOptions.timeSkew;
+        if (typeof initOptions.timeSkew === 'number') {
+            this.timeSkew = initOptions.timeSkew;
         }
         if (initOptions.redirectUri) {
-            kc.redirectUri = initOptions.redirectUri;
+            this.redirectUri = initOptions.redirectUri;
         }
         if (initOptions.silentCheckSsoRedirectUri) {
-            kc.silentCheckSsoRedirectUri = initOptions.silentCheckSsoRedirectUri;
+            this.silentCheckSsoRedirectUri = initOptions.silentCheckSsoRedirectUri;
         }
         if (typeof initOptions.silentCheckSsoFallback === 'boolean') {
-            kc.silentCheckSsoFallback = initOptions.silentCheckSsoFallback;
-        }
-        else {
-            kc.silentCheckSsoFallback = true;
+            this.silentCheckSsoFallback = initOptions.silentCheckSsoFallback;
         }
-        if (typeof initOptions.pkceMethod !== "undefined") {
-            if (initOptions.pkceMethod !== "S256" && initOptions.pkceMethod !== false) {
+        if (typeof initOptions.pkceMethod !== 'undefined') {
+            if (initOptions.pkceMethod !== 'S256' && initOptions.pkceMethod !== false) {
                 throw new TypeError(`Invalid value for pkceMethod', expected 'S256' or false but got ${initOptions.pkceMethod}.`);
             }
-            kc.pkceMethod = initOptions.pkceMethod;
-        }
-        else {
-            kc.pkceMethod = "S256";
+            this.pkceMethod = initOptions.pkceMethod;
         }
         if (typeof initOptions.enableLogging === 'boolean') {
-            kc.enableLogging = initOptions.enableLogging;
-        }
-        else {
-            kc.enableLogging = false;
+            this.enableLogging = initOptions.enableLogging;
         }
         if (initOptions.logoutMethod === 'POST') {
-            kc.logoutMethod = 'POST';
-        }
-        else {
-            kc.logoutMethod = 'GET';
+            this.logoutMethod = 'POST';
         }
         if (typeof initOptions.scope === 'string') {
-            kc.scope = initOptions.scope;
+            this.scope = initOptions.scope;
         }
         if (typeof initOptions.acrValues === 'string') {
-            kc.acrValues = initOptions.acrValues;
+            this.acrValues = initOptions.acrValues;
         }
         if (typeof initOptions.messageReceiveTimeout === 'number' && initOptions.messageReceiveTimeout > 0) {
-            kc.messageReceiveTimeout = initOptions.messageReceiveTimeout;
+            this.messageReceiveTimeout = initOptions.messageReceiveTimeout;
         }
-        else {
-            kc.messageReceiveTimeout = 10000;
-        }
-        if (!kc.responseMode) {
-            kc.responseMode = 'fragment';
-        }
-        if (!kc.responseType) {
-            kc.responseType = 'code';
-            kc.flow = 'standard';
-        }
-        var promise = createPromise();
-        var initPromise = createPromise();
-        initPromise.promise.then(function () {
-            kc.onReady && kc.onReady(kc.authenticated);
-            promise.setSuccess(kc.authenticated);
-        }).catch(function (error) {
-            promise.setError(error);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadConfig).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_check3pCookiesSupported).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processInit).call(this, initOptions);
+        (_a = this.onReady) === null || _a === void 0 ? void 0 : _a.call(this, this.authenticated);
+        return this.authenticated;
+    }
+    ;
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<void>}
+     */
+    login(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").login(options);
+    }
+    /**
+     * Ensure the access token is valid, refreshing if needed.
+     * @returns {Promise<void>}
+     */
+    async ensureTokenReady() {
+        if (!this.tokenParsed)
+            return;
+        if (this.isTokenExpired()) {
+            await this.updateToken(-1);
+        }
+    }
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<string>}
+     */
+    async createLoginUrl(options) {
+        const state = createUUID();
+        const nonce = createUUID();
+        const redirectUri = __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options);
+        /** @type {CallbackState} */
+        const callbackState = {
+            state,
+            nonce,
+            redirectUri,
+            loginOptions: options
+        };
+        if (options === null || options === void 0 ? void 0 : options.prompt) {
+            callbackState.prompt = options.prompt;
+        }
+        const url = (options === null || options === void 0 ? void 0 : options.action) === 'register'
+            ? this.endpoints.register()
+            : this.endpoints.authorize();
+        let scope = (options === null || options === void 0 ? void 0 : options.scope) || this.scope;
+        const scopeValues = scope ? scope.split(' ') : [];
+        // Ensure the 'openid' scope is always included.
+        if (!scopeValues.includes('openid')) {
+            scopeValues.unshift('openid');
+        }
+        scope = scopeValues.join(' ');
+        const params = new URLSearchParams([
+            ['client_id', /** @type {string} */ (this.clientId)],
+            // The endpoint URI MUST NOT include a fragment component.
+            // https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
+            ['redirect_uri', stripHash(redirectUri)],
+            ['state', state],
+            ['response_mode', this.responseMode],
+            ['response_type', this.responseType],
+            ['scope', scope]
+        ]);
+        if (__classPrivateFieldGet(this, _TideCloak_useNonce, "f")) {
+            params.append('nonce', nonce);
+        }
+        if (options === null || options === void 0 ? void 0 : options.prompt) {
+            params.append('prompt', options.prompt);
+        }
+        if (typeof (options === null || options === void 0 ? void 0 : options.maxAge) === 'number') {
+            params.append('max_age', options.maxAge.toString());
+        }
+        if (options === null || options === void 0 ? void 0 : options.loginHint) {
+            params.append('login_hint', options.loginHint);
+        }
+        if (options === null || options === void 0 ? void 0 : options.idpHint) {
+            params.append('kc_idp_hint', options.idpHint);
+        }
+        if ((options === null || options === void 0 ? void 0 : options.action) && options.action !== 'register') {
+            params.append('kc_action', options.action);
+        }
+        if (options === null || options === void 0 ? void 0 : options.locale) {
+            params.append('ui_locales', options.locale);
+        }
+        if (options === null || options === void 0 ? void 0 : options.acr) {
+            params.append('claims', buildClaimsParameter(options.acr));
+        }
+        if ((options === null || options === void 0 ? void 0 : options.acrValues) || this.acrValues) {
+            params.append('acr_values', options.acrValues || this.acrValues);
+        }
+        if (this.pkceMethod) {
+            try {
+                const codeVerifier = generateCodeVerifier(96);
+                const pkceChallenge = await generatePkceChallenge(this.pkceMethod, codeVerifier);
+                callbackState.pkceCodeVerifier = codeVerifier;
+                params.append('code_challenge', pkceChallenge);
+                params.append('code_challenge_method', this.pkceMethod);
+            }
+            catch (error) {
+                throw new Error('Failed to generate PKCE challenge.', { cause: error });
+            }
+        }
+        __classPrivateFieldGet(this, _TideCloak_callbackStorage, "f").add(callbackState);
+        return `${url}?${params.toString()}`;
+    }
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {Promise<void>}
+     */
+    logout(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").logout(options);
+    }
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {string}
+     */
+    createLogoutUrl(options) {
+        var _a;
+        const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : this.logoutMethod;
+        const url = this.endpoints.logout();
+        if (logoutMethod === 'POST') {
+            return url;
+        }
+        const params = new URLSearchParams([
+            ['client_id', /** @type {string} */ (this.clientId)],
+            ['post_logout_redirect_uri', __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options)]
+        ]);
+        if (this.idToken) {
+            params.append('id_token_hint', this.idToken);
+        }
+        return `${url}?${params.toString()}`;
+    }
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<void>}
+     */
+    register(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").register(options);
+    }
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<string>}
+     */
+    createRegisterUrl(options) {
+        return this.createLoginUrl({ ...options, action: 'register' });
+    }
+    /**
+     * @param {KeycloakAccountOptions} [options]
+     * @returns {string}
+     */
+    createAccountUrl(options) {
+        const url = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+        if (!url) {
+            throw new Error('Unable to create account URL, make sure the adapter is not configured using a generic OIDC provider.');
+        }
+        const params = new URLSearchParams([
+            ['referrer', /** @type {string} */ (this.clientId)],
+            ['referrer_uri', __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options)]
+        ]);
+        return `${url}/account?${params.toString()}`;
+    }
+    /**
+     * @returns {Promise<void>}
+     */
+    accountManagement() {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").accountManagement();
+    }
+    /**
+     * @param {string} role
+     * @returns {boolean}
+     */
+    hasRealmRole(role) {
+        const access = this.realmAccess;
+        return !!access && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * @param {string} role
+     * @param {string} [resource]
+     * @returns {boolean}
+     */
+    hasResourceRole(role, resource) {
+        if (!this.resourceAccess) {
+            return false;
+        }
+        const access = this.resourceAccess[resource || /** @type {string} */ (this.clientId)];
+        return !!access && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * @returns {Promise<KeycloakProfile>}
+     */
+    async loadUserProfile() {
+        const realmUrl = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+        if (!realmUrl) {
+            throw new Error('Unable to load user profile, make sure the adapter is not configured using a generic OIDC provider.');
+        }
+        const url = `${realmUrl}/account`;
+        /** @type {KeycloakProfile} */
+        const profile = await fetchJSON(url, {
+            headers: [buildAuthorizationHeader(this.token)]
+        });
+        return (this.profile = profile);
+    }
+    /**
+     * @returns {Promise<KeycloakUserInfo>}
+     */
+    async loadUserInfo() {
+        const url = this.endpoints.userinfo();
+        /** @type {KeycloakUserInfo} */
+        const userInfo = await fetchJSON(url, {
+            headers: [buildAuthorizationHeader(this.token)]
         });
-        var configPromise = loadConfig();
-        function onLoad() {
-            var doLogin = function (prompt) {
-                if (!prompt) {
-                    options.prompt = 'none';
+        return (this.userInfo = userInfo);
+    }
+    /**
+     * @param {number} [minValidity]
+     * @returns {boolean}
+     */
+    isTokenExpired(minValidity) {
+        if (!this.tokenParsed || (!this.refreshToken && this.flow !== 'implicit')) {
+            throw new Error('Not authenticated');
+        }
+        if (this.timeSkew == null) {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Unable to determine if token is expired as timeskew is not set');
+            return true;
+        }
+        if (typeof this.tokenParsed.exp !== 'number') {
+            return false;
+        }
+        let expiresIn = this.tokenParsed.exp - Math.ceil(new Date().getTime() / 1000) + this.timeSkew;
+        if (minValidity) {
+            if (isNaN(minValidity)) {
+                throw new Error('Invalid minValidity');
+            }
+            expiresIn -= minValidity;
+        }
+        return expiresIn < 0;
+    }
+    /**
+     * Matches Keycloak: minValidity is optional.
+     * @param {number} [minValidity]
+     * @returns {Promise<boolean>}
+     */
+    async updateToken(minValidity) {
+        var _a, _b;
+        if (!this.refreshToken) {
+            throw new Error('Unable to update token, no refresh token available.');
+        }
+        minValidity = minValidity || 5;
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+        }
+        let refreshToken = false;
+        if (minValidity === -1) {
+            refreshToken = true;
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Refreshing token: forced refresh');
+        }
+        else if (!this.tokenParsed || this.isTokenExpired(minValidity)) {
+            refreshToken = true;
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Refreshing token: token expired');
+        }
+        if (!refreshToken) {
+            return false;
+        }
+        /** @type {PromiseWithResolvers<boolean>} */
+        const { promise, resolve, reject } = Promise.withResolvers();
+        __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").push({ resolve, reject });
+        if (__classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").length === 1) {
+            const url = this.endpoints.token();
+            let timeLocal = new Date().getTime();
+            try {
+                const response = await fetchRefreshToken(url, this.refreshToken, /** @type {string} */ (this.clientId));
+                __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Token refreshed');
+                timeLocal = (timeLocal + new Date().getTime()) / 2;
+                __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, response.access_token, response.refresh_token, response.id_token, timeLocal, response.doken);
+                (_a = this.onAuthRefreshSuccess) === null || _a === void 0 ? void 0 : _a.call(this);
+                for (let p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop(); p != null; p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop()) {
+                    p.resolve(true);
+                }
+            }
+            catch (error) {
+                __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, '[TIDECLOAK] Failed to refresh token');
+                if (error instanceof NetworkError && error.response.status === 400) {
+                    this.clearToken();
                 }
-                if (initOptions.locale) {
-                    options.locale = initOptions.locale;
+                (_b = this.onAuthRefreshError) === null || _b === void 0 ? void 0 : _b.call(this);
+                for (let p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop(); p != null; p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop()) {
+                    p.reject(error);
                 }
-                kc.login(options).then(function () {
-                    initPromise.setSuccess();
-                }).catch(function (error) {
-                    initPromise.setError(error);
-                });
-            };
-            var checkSsoSilently = async function () {
-                var ifrm = document.createElement("iframe");
-                var src = await kc.createLoginUrl({ prompt: 'none', redirectUri: kc.silentCheckSsoRedirectUri });
-                ifrm.setAttribute("src", src);
-                ifrm.setAttribute("sandbox", "allow-storage-access-by-user-activation allow-scripts allow-same-origin");
-                ifrm.setAttribute("title", "keycloak-silent-check-sso");
-                ifrm.style.display = "none";
-                document.body.appendChild(ifrm);
-                var messageCallback = function (event) {
-                    if (event.origin !== window.location.origin || ifrm.contentWindow !== event.source) {
-                        return;
-                    }
-                    var oauth = parseCallback(event.data);
-                    processCallback(oauth, initPromise);
-                    document.body.removeChild(ifrm);
-                    window.removeEventListener("message", messageCallback);
-                };
-                window.addEventListener("message", messageCallback);
-            };
-            var options = {};
-            switch (initOptions.onLoad) {
-                case 'check-sso':
-                    if (loginIframe.enable) {
-                        setupCheckLoginIframe().then(function () {
-                            checkLoginIframe().then(function (unchanged) {
-                                if (!unchanged) {
-                                    kc.silentCheckSsoRedirectUri ? checkSsoSilently() : doLogin(false);
-                                }
-                                else {
-                                    initPromise.setSuccess();
-                                }
-                            }).catch(function (error) {
-                                initPromise.setError(error);
-                            });
-                        });
-                    }
-                    else {
-                        kc.silentCheckSsoRedirectUri ? checkSsoSilently() : doLogin(false);
-                    }
-                    break;
-                case 'login-required':
-                    doLogin(true);
-                    break;
-                default:
-                    throw 'Invalid value for onLoad';
             }
         }
-        function processInit() {
-            var callback = parseCallback(window.location.href);
-            if (callback) {
-                window.history.replaceState(window.history.state, null, callback.newUrl);
-            }
-            if (callback && callback.valid) {
-                return setupCheckLoginIframe().then(function () {
-                    processCallback(callback, initPromise);
-                }).catch(function (error) {
-                    initPromise.setError(error);
-                });
+        return await promise;
+    }
+    clearToken() {
+        var _a;
+        if (this.token) {
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this);
+            (_a = this.onAuthLogout) === null || _a === void 0 ? void 0 : _a.call(this);
+            if (this.loginRequired) {
+                this.login();
             }
-            if (initOptions.token && initOptions.refreshToken) {
-                setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
-                if (loginIframe.enable) {
-                    setupCheckLoginIframe().then(function () {
-                        checkLoginIframe().then(function (unchanged) {
-                            if (unchanged) {
-                                kc.onAuthSuccess && kc.onAuthSuccess();
-                                initPromise.setSuccess();
-                                scheduleCheckIframe();
-                            }
-                            else {
-                                initPromise.setSuccess();
-                            }
-                        }).catch(function (error) {
-                            initPromise.setError(error);
-                        });
+        }
+    }
+    /**
+     * Initialize Tide RequestEnclave.
+     */
+    initRequestEnclave() {
+        if (!this.doken)
+            throw new Error('[TIDECLOAK] No doken found');
+        if (!this.dokenParsed)
+            throw new Error('[TIDECLOAK] Token not parsed');
+        if (!this.requestEnclave) {
+            this.requestEnclave = new RequestEnclave({
+                homeOrkOrigin: this.dokenParsed['t.uho'],
+                signed_client_origin: __classPrivateFieldGet(this, _TideCloak_config, "f")['clientOriginAuth'],
+                vendorId: __classPrivateFieldGet(this, _TideCloak_config, "f").vendorId,
+                voucherURL: __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getVoucherUrl).call(this)
+            }).init({
+                doken: this.doken,
+                dokenRefreshCallback: async () => {
+                    await this.ensureTokenReady();
+                    if (!this.doken)
+                        throw new Error('[TIDECLOAK] No doken found');
+                    return this.doken;
+                },
+                requireReloginCallback: async () => {
+                    await this.login({
+                        idpHint: 'tide',
+                        prompt: 'login',
+                        redirectUri: window.location.href
                     });
                 }
-                else {
-                    kc.updateToken(-1).then(function () {
-                        kc.onAuthSuccess && kc.onAuthSuccess();
-                        initPromise.setSuccess();
-                    }).catch(function (error) {
-                        kc.onAuthError && kc.onAuthError();
-                        if (initOptions.onLoad) {
-                            onLoad();
-                        }
-                        else {
-                            initPromise.setError(error);
-                        }
+            });
+        }
+    }
+    /**
+     * Initialize Tide ApprovalEnclave.
+     */
+    initApprovalEnclave() {
+        if (!this.doken)
+            throw new Error('[TIDECLOAK] No doken found');
+        if (!this.dokenParsed)
+            throw new Error('[TIDECLOAK] Token not parsed');
+        if (!this.approvalEnclave) {
+            this.approvalEnclave = new ApprovalEnclaveNew({
+                homeOrkOrigin: this.dokenParsed['t.uho'],
+                signed_client_origin: __classPrivateFieldGet(this, _TideCloak_config, "f")['clientOriginAuth'],
+                vendorId: __classPrivateFieldGet(this, _TideCloak_config, "f").vendorId,
+                voucherURL: __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getVoucherUrl).call(this)
+            }).init({
+                doken: this.doken,
+                dokenRefreshCallback: async () => {
+                    await this.ensureTokenReady();
+                    if (!this.doken)
+                        throw new Error('[TIDECLOAK] No doken found');
+                    return this.doken;
+                },
+                requireReloginCallback: async () => {
+                    await this.login({
+                        idpHint: 'tide',
+                        prompt: 'login',
+                        redirectUri: window.location.href
                     });
                 }
-            }
-            else if (initOptions.onLoad) {
-                onLoad();
-            }
-            else {
-                initPromise.setSuccess();
-            }
-        }
-        configPromise.then(function () {
-            check3pCookiesSupported()
-                .then(processInit)
-                .catch(function (error) {
-                promise.setError(error);
             });
-        });
-        configPromise.catch(function (error) {
-            promise.setError(error);
-        });
-        return promise.promise;
-    };
-    kc.login = function (options) {
-        return adapter.login(options);
-    };
-    kc.ensureTokenReady = async function () {
-        if (kc.isTokenExpired()) {
-            await kc.updateToken(-1);
         }
-    };
-    // MODIFIED: Added role-based encryption functionality.
-    kc.encrypt = async function (toEncrypt) {
-        await kc.ensureTokenReady();
-        // Check config
+    }
+    /**
+     * Role-based encryption via Tide RequestEnclave.
+     * @param {{ data: string | Uint8Array, tags: string[] }[]} toEncrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    async encrypt(toEncrypt) {
+        await this.ensureTokenReady();
         if (!Array.isArray(toEncrypt)) {
-            throw 'Pass array as parameter';
+            throw new Error('Pass array as parameter');
         }
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
+        if (!this.tokenParsed) {
+            throw new Error('Not authenticated');
         }
-        const dataToSend = toEncrypt.map(e => {
+        const dataToSend = toEncrypt.map((e) => {
             if (!isObject(e))
-                throw 'All entries must be an object to encrypt';
-            for (const property of ["data", "tags"]) {
+                throw new Error('All entries must be an object to encrypt');
+            for (const property of ['data', 'tags']) {
                 if (!e[property]) {
                     throw new Error(`The configuration object is missing the required '${property}' property.`);
                 }
             }
             if (!Array.isArray(e.tags))
-                throw 'tags must be provided as a string array in object to encrypt';
-            if (typeof e.data !== "string" && !(e.data instanceof Uint8Array))
-                throw 'data must be provded as string or Uint8Array in object to encrypt';
-            // Check that the user has the roles required to encrypt the datas
+                throw new Error('tags must be provided as a string array in object to encrypt');
+            if (typeof e.data !== 'string' && !(e.data instanceof Uint8Array)) {
+                throw new Error('data must be provided as string or Uint8Array in object to encrypt');
+            }
             for (const tag of e.tags) {
-                if (typeof tag !== "string")
-                    throw "tags must be provided as an array of strings";
-                var tagAccess = kc.hasRealmRole("_tide_" + tag + ".selfencrypt");
+                if (typeof tag !== 'string')
+                    throw new Error('tags must be provided as an array of strings');
+                const tagAccess = this.hasRealmRole(`_tide_${tag}.selfencrypt`);
                 if (!tagAccess)
-                    throw `'User has not been given any access to '${tag}'`;
+                    throw new Error(`User has not been given any access to '${tag}'`);
             }
             return {
-                data: typeof e.data === "string" ? StringToUint8Array(e.data) : e.data, // convert data to byte array or leave as is if its already a byte array
+                data: typeof e.data === 'string' ? StringToUint8Array(e.data) : e.data,
                 tags: e.tags,
-                isRaw: typeof e.data === "string" ? false : true // indicate whether this piece of data was encrypted raw or not
+                isRaw: typeof e.data === 'string' ? false : true
             };
         });
-        kc.initEnclave();
-        // Now lets actually encrypt
-        // Construct Tide serialized data payloads
-        return (await kc.requestEnclave.encrypt(dataToSend)).map((e, i) => dataToSend[i].isRaw ? e : bytesToBase64(e)); // return a byte array cipher if encrypted as byte array, or a string cipher if encrypted as a string
-    };
-    function StringToUint8Array(string) {
-        const enc = new TextEncoder();
-        return enc.encode(string);
-    }
-    function StringFromUint8Array(bytes) {
-        const decoder = new TextDecoder('utf-8');
-        return decoder.decode(bytes);
-    }
-    kc.initEnclave = function () {
-        if (!kc.doken)
-            throw '[TIDECLOAK] No doken found';
-        if (!kc.tokenParsed)
-            throw '[TIDECLOAK] Token not parsed';
-        // Now lets actually encrypt
-        if (!kc.requestEnclave) {
-            kc.requestEnclave = new heimdall_tide_1.RequestEnclave({
-                homeOrkOrigin: kc.dokenParsed["t.uho"],
-                signed_client_origin: config['clientOriginAuth'],
-                vendorId: config.vendorId,
-                voucherURL: getVoucherUrl()
-            }).init({
-                doken: kc.doken,
-                dokenRefreshCallback: async () => {
-                    await kc.ensureTokenReady();
-                    if (!kc.doken)
-                        throw '[TIDECLOAK] No doken found';
-                    return kc.doken;
-                },
-                requireReloginCallback: async () => {
-                    kc.login({
-                        idpHint: 'tide', // the “alias” of the IdP you’ve configured in the realm
-                        prompt: 'login', // forces them to actually re-enter credentials
-                        redirectUri: window.location.href // send them back to the exact same URL
-                    });
-                }
-            });
-        }
-    };
-    // MODIFIED: Added Tide-based micro-vouchers.
-    function getVoucherUrl() {
-        if (!kc.tokenParsed)
-            throw 'User authentication required to access voucher service';
-        const sid = kc.tokenParsed["sid"];
-        return getRealmUrl() + '/tidevouchers/fromUserSession?sessionId=' + sid;
-    }
-    // MODIFIED: Added role-based decryption functionality.
-    kc.decrypt = async function (toDecrypt) {
-        await kc.ensureTokenReady();
-        // Check config
+        this.initRequestEnclave();
+        const encrypted = await this.requestEnclave.encrypt(dataToSend);
+        return encrypted.map((cipher, i) => (dataToSend[i].isRaw ? cipher : bytesToBase64(cipher)));
+    }
+    /**
+     * Initialize a Tide request that requires operator approvals.
+     * @param {Uint8Array} encodedRequest
+     * @returns {Promise<Uint8Array>}
+     */
+    async createTideRequest(encodedRequest) {
+        await this.ensureTokenReady();
+        this.initRequestEnclave();
+        return await this.requestEnclave.initializeRequest(encodedRequest);
+    }
+    /**
+     * Request Tide operator approval.
+     * @param {{id: string, request: Uint8Array}[]} requests
+     * @returns {Promise<{approved: {id: string, request: Uint8Array}[], denied: {id: string}[], pending: {id: string}[]}>}
+     */
+    async requestTideOperatorApproval(requests) {
+        await this.ensureTokenReady();
+        this.initApprovalEnclave();
+        return await this.approvalEnclave.approve(requests);
+    }
+    /**
+     * Execute a Tide Sign Request
+     * @param {Uint8Array} request
+     * @returns Array of signatures
+     */
+    async executeSignRequest(request) {
+        await this.ensureTokenReady();
+        this.initRequestEnclave();
+        return await this.requestEnclave.execute(request);
+    }
+    /**
+     * Role-based decryption via Tide RequestEnclave.
+     * @param {{ encrypted: string | Uint8Array, tags: string[] }[]} toDecrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    async decrypt(toDecrypt) {
+        await this.ensureTokenReady();
         if (!Array.isArray(toDecrypt)) {
-            throw 'Pass array as parameter';
+            throw new Error('Pass array as parameter');
         }
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
+        if (!this.tokenParsed) {
+            throw new Error('Not authenticated');
         }
-        const dataToSend = toDecrypt.map(e => {
+        const dataToSend = toDecrypt.map((e) => {
             if (!isObject(e))
-                throw 'All entries must be an object to decrypt';
-            for (const property of ["encrypted", "tags"]) {
+                throw new Error('All entries must be an object to decrypt');
+            for (const property of ['encrypted', 'tags']) {
                 if (!e[property]) {
                     throw new Error(`The configuration object is missing the required '${property}' property.`);
                 }
             }
             if (!Array.isArray(e.tags))
-                throw 'tags must be provided as a string array in object to decrypt';
-            if (typeof e.encrypted !== "string" && !(e.encrypted instanceof Uint8Array))
-                throw 'data must be provded as string or Uint8Array in object to decrypt';
-            // Check that the user has the roles required to encrypt the datas
+                throw new Error('tags must be provided as a string array in object to decrypt');
+            if (typeof e.encrypted !== 'string' && !(e.encrypted instanceof Uint8Array)) {
+                throw new Error('encrypted must be provided as string or Uint8Array in object to decrypt');
+            }
             for (const tag of e.tags) {
-                if (typeof tag !== "string")
-                    throw "tags must be provided as an array of strings";
-                var tagAccess = kc.hasRealmRole("_tide_" + tag + ".selfdecrypt");
+                if (typeof tag !== 'string')
+                    throw new Error('tags must be provided as an array of strings');
+                const tagAccess = this.hasRealmRole(`_tide_${tag}.selfdecrypt`);
                 if (!tagAccess)
-                    throw `'User has not been given any access to '${tag}'`;
+                    throw new Error(`User has not been given any access to '${tag}'`);
             }
             return {
-                encrypted: typeof e.encrypted === "string" ? base64ToBytes(e.encrypted) : e.encrypted,
+                encrypted: typeof e.encrypted === 'string' ? base64ToBytes(e.encrypted) : e.encrypted,
                 tags: e.tags,
-                isRaw: typeof e.encrypted === "string" ? false : true
+                isRaw: typeof e.encrypted === 'string' ? false : true
             };
         });
-        kc.initEnclave();
-        // Now lets actually decrypt
-        // Construct Tide serialized data payloads
-        return (await kc.requestEnclave.decrypt(dataToSend)).map((d, i) => dataToSend[i].isRaw ? d : StringFromUint8Array(d));
+        this.initRequestEnclave();
+        const decrypted = await this.requestEnclave.decrypt(dataToSend);
+        return decrypted.map((d, i) => (dataToSend[i].isRaw ? d : StringFromUint8Array(d)));
+    }
+}
+_TideCloak_refreshQueue = new WeakMap(), _TideCloak_adapter = new WeakMap(), _TideCloak_useNonce = new WeakMap(), _TideCloak_callbackStorage = new WeakMap(), _TideCloak_logInfo = new WeakMap(), _TideCloak_logWarn = new WeakMap(), _TideCloak_loginIframe = new WeakMap(), _TideCloak_config = new WeakMap(), _TideCloak_instances = new WeakSet(), _TideCloak_loadAdapter = function _TideCloak_loadAdapter(type) {
+    if (type === 'default') {
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadDefaultAdapter).call(this);
+    }
+    if (type === 'cordova') {
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadCordovaAdapter).call(this);
+    }
+    if (type === 'cordova-native') {
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadCordovaNativeAdapter).call(this);
+    }
+    throw new Error('invalid adapter type: ' + type);
+}, _TideCloak_loadDefaultAdapter = function _TideCloak_loadDefaultAdapter() {
+    /** @type {KeycloakAdapter['redirectUri']}{} */
+    const redirectUri = (options) => {
+        return (options === null || options === void 0 ? void 0 : options.redirectUri) || this.redirectUri || globalThis.location.href;
     };
-    function generateRandomData(len) {
-        if (typeof crypto === "undefined" || typeof crypto.getRandomValues === "undefined") {
-            throw new Error("Web Crypto API is not available.");
-        }
-        return crypto.getRandomValues(new Uint8Array(len));
-    }
-    function generateCodeVerifier(len) {
-        return generateRandomString(len, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
-    }
-    function generateRandomString(len, alphabet) {
-        var randomData = generateRandomData(len);
-        var chars = new Array(len);
-        for (var i = 0; i < len; i++) {
-            chars[i] = alphabet.charCodeAt(randomData[i] % alphabet.length);
-        }
-        return String.fromCharCode.apply(null, chars);
-    }
-    async function generatePkceChallenge(pkceMethod, codeVerifier) {
-        if (pkceMethod !== "S256") {
-            throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${pkceMethod}'.`);
-        }
-        // hash codeVerifier, then encode as url-safe base64 without padding
-        const hashBytes = new Uint8Array(await sha256Digest(codeVerifier));
-        const encodedHash = bytesToBase64(hashBytes)
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/\=/g, '');
-        return encodedHash;
-    }
-    function buildClaimsParameter(requestedAcr) {
-        var claims = {
-            id_token: {
-                acr: requestedAcr
+    return {
+        login: async (options) => {
+            window.location.assign(await this.createLoginUrl(options));
+            return await new Promise(() => { });
+        },
+        logout: async (options) => {
+            var _a;
+            const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : this.logoutMethod;
+            if (logoutMethod === 'GET') {
+                window.location.replace(this.createLogoutUrl(options));
+                return;
             }
-        };
-        return JSON.stringify(claims);
-    }
-    kc.createLoginUrl = async function (options) {
-        var state = createUUID();
-        var nonce = createUUID();
-        var redirectUri = adapter.redirectUri(options);
-        var callbackState = {
-            state: state,
-            nonce: nonce,
-            redirectUri: encodeURIComponent(redirectUri),
-            loginOptions: options
-        };
-        if (options && options.prompt) {
-            callbackState.prompt = options.prompt;
-        }
-        var baseUrl;
-        if (options && options.action == 'register') {
-            baseUrl = kc.endpoints.register();
-        }
-        else {
-            baseUrl = kc.endpoints.authorize();
-        }
-        var scope = options && options.scope || kc.scope;
-        if (!scope) {
-            // if scope is not set, default to "openid"
-            scope = "openid";
-        }
-        else if (scope.indexOf("openid") === -1) {
-            // if openid scope is missing, prefix the given scopes with it
-            scope = "openid " + scope;
-        }
-        var url = baseUrl
-            + '?client_id=' + encodeURIComponent(kc.clientId)
-            + '&redirect_uri=' + encodeURIComponent(redirectUri)
-            + '&state=' + encodeURIComponent(state)
-            + '&response_mode=' + encodeURIComponent(kc.responseMode)
-            + '&response_type=' + encodeURIComponent(kc.responseType)
-            + '&scope=' + encodeURIComponent(scope);
-        if (useNonce) {
-            url = url + '&nonce=' + encodeURIComponent(nonce);
-        }
-        if (options && options.prompt) {
-            url += '&prompt=' + encodeURIComponent(options.prompt);
-        }
-        if (options && typeof options.maxAge === 'number') {
-            url += '&max_age=' + encodeURIComponent(options.maxAge);
-        }
-        if (options && options.loginHint) {
-            url += '&login_hint=' + encodeURIComponent(options.loginHint);
-        }
-        if (options && options.idpHint) {
-            url += '&kc_idp_hint=' + encodeURIComponent(options.idpHint);
-        }
-        if (options && options.action && options.action != 'register') {
-            url += '&kc_action=' + encodeURIComponent(options.action);
-        }
-        if (options && options.locale) {
-            url += '&ui_locales=' + encodeURIComponent(options.locale);
-        }
-        if (options && options.acr) {
-            var claimsParameter = buildClaimsParameter(options.acr);
-            url += '&claims=' + encodeURIComponent(claimsParameter);
-        }
-        if ((options && options.acrValues) || kc.acrValues) {
-            url += '&acr_values=' + encodeURIComponent(options.acrValues || kc.acrValues);
-        }
-        if (kc.pkceMethod) {
-            try {
-                const codeVerifier = generateCodeVerifier(96);
-                const pkceChallenge = await generatePkceChallenge(kc.pkceMethod, codeVerifier);
-                callbackState.pkceCodeVerifier = codeVerifier;
-                url += '&code_challenge=' + pkceChallenge;
-                url += '&code_challenge_method=' + kc.pkceMethod;
+            // Create form to send POST request.
+            const form = document.createElement('form');
+            form.setAttribute('method', 'POST');
+            form.setAttribute('action', this.createLogoutUrl(options));
+            form.style.display = 'none';
+            // Add data to form as hidden input fields.
+            const data = {
+                id_token_hint: this.idToken,
+                client_id: this.clientId,
+                post_logout_redirect_uri: redirectUri(options)
+            };
+            for (const [name, value] of Object.entries(data)) {
+                const input = document.createElement('input');
+                input.setAttribute('type', 'hidden');
+                input.setAttribute('name', name);
+                input.setAttribute('value', /** @type {string} */ (value));
+                form.appendChild(input);
+            }
+            // Append form to page and submit it to perform logout and redirect.
+            document.body.appendChild(form);
+            form.submit();
+        },
+        register: async (options) => {
+            window.location.assign(await this.createRegisterUrl(options));
+            return await new Promise(() => { });
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                window.location.href = accountUrl;
             }
-            catch (error) {
-                throw new Error("Failed to generate PKCE challenge.", { cause: error });
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-        }
-        callbackStorage.add(callbackState);
-        return url;
+            return await new Promise(() => { });
+        },
+        redirectUri
     };
-    kc.logout = function (options) {
-        return adapter.logout(options);
-    };
-    kc.createLogoutUrl = function (options) {
-        var _a;
-        const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : kc.logoutMethod;
-        if (logoutMethod === 'POST') {
-            return kc.endpoints.logout();
+}, _TideCloak_loadCordovaAdapter = function _TideCloak_loadCordovaAdapter() {
+    /**
+     * @param {string} loginUrl
+     * @param {string} target
+     * @param {string} options
+     * @returns {WindowProxy | null}
+     */
+    const cordovaOpenWindowWrapper = (loginUrl, target, options) => {
+        if (window.cordova && window.cordova.InAppBrowser) {
+            // Use inappbrowser for IOS and Android if available
+            return window.cordova.InAppBrowser.open(loginUrl, target, options);
         }
-        var url = kc.endpoints.logout()
-            + '?client_id=' + encodeURIComponent(kc.clientId)
-            + '&post_logout_redirect_uri=' + encodeURIComponent(adapter.redirectUri(options, false));
-        if (kc.idToken) {
-            url += '&id_token_hint=' + encodeURIComponent(kc.idToken);
+        else {
+            return window.open(loginUrl, target, options);
         }
-        return url;
     };
-    kc.register = function (options) {
-        return adapter.register(options);
-    };
-    kc.createRegisterUrl = async function (options) {
-        if (!options) {
-            options = {};
+    const shallowCloneCordovaOptions = (userOptions) => {
+        if (userOptions && userOptions.cordovaOptions) {
+            return Object.keys(userOptions.cordovaOptions).reduce((options, optionName) => {
+                options[optionName] = userOptions.cordovaOptions[optionName];
+                return options;
+            }, {});
+        }
+        else {
+            return {};
         }
-        options.action = 'register';
-        return await kc.createLoginUrl(options);
-    };
-    kc.createAccountUrl = function (options) {
-        var realm = getRealmUrl();
-        var url = undefined;
-        if (typeof realm !== 'undefined') {
-            url = realm
-                + '/account'
-                + '?referrer=' + encodeURIComponent(kc.clientId)
-                + '&referrer_uri=' + encodeURIComponent(adapter.redirectUri(options));
-        }
-        return url;
-    };
-    kc.accountManagement = function () {
-        return adapter.accountManagement();
     };
-    kc.hasRealmRole = function (role) {
-        var access = kc.realmAccess;
-        return !!access && access.roles.indexOf(role) >= 0;
+    const formatCordovaOptions = (cordovaOptions) => {
+        return Object.keys(cordovaOptions).reduce((options, optionName) => {
+            options.push(optionName + '=' + cordovaOptions[optionName]);
+            return options;
+        }, []).join(',');
     };
-    kc.hasResourceRole = function (role, resource) {
-        if (!kc.resourceAccess) {
-            return false;
+    const createCordovaOptions = (userOptions) => {
+        const cordovaOptions = shallowCloneCordovaOptions(userOptions);
+        cordovaOptions.location = 'no';
+        if (userOptions && userOptions.prompt === 'none') {
+            cordovaOptions.hidden = 'yes';
         }
-        var access = kc.resourceAccess[resource || kc.clientId];
-        return !!access && access.roles.indexOf(role) >= 0;
+        return formatCordovaOptions(cordovaOptions);
     };
-    kc.loadUserProfile = function () {
-        var url = getRealmUrl() + '/account';
-        var req = new XMLHttpRequest();
-        req.open('GET', url, true);
-        req.setRequestHeader('Accept', 'application/json');
-        req.setRequestHeader('Authorization', 'bearer ' + kc.token);
-        var promise = createPromise();
-        req.onreadystatechange = function () {
-            if (req.readyState == 4) {
-                if (req.status == 200) {
-                    kc.profile = JSON.parse(req.responseText);
-                    promise.setSuccess(kc.profile);
-                }
-                else {
-                    promise.setError();
-                }
-            }
-        };
-        req.send();
-        return promise.promise;
+    const getCordovaRedirectUri = () => {
+        return this.redirectUri || 'http://localhost';
     };
-    kc.loadUserInfo = function () {
-        var url = kc.endpoints.userinfo();
-        var req = new XMLHttpRequest();
-        req.open('GET', url, true);
-        req.setRequestHeader('Accept', 'application/json');
-        req.setRequestHeader('Authorization', 'bearer ' + kc.token);
-        var promise = createPromise();
-        req.onreadystatechange = function () {
-            if (req.readyState == 4) {
-                if (req.status == 200) {
-                    kc.userInfo = JSON.parse(req.responseText);
-                    promise.setSuccess(kc.userInfo);
+    return {
+        login: async (options) => {
+            const cordovaOptions = createCordovaOptions(options);
+            const loginUrl = await this.createLoginUrl(options);
+            const ref = cordovaOpenWindowWrapper(loginUrl, '_blank', cordovaOptions);
+            let completed = false;
+            let closed = false;
+            function closeBrowser() {
+                closed = true;
+                ref.close();
+            }
+            ;
+            return await new Promise((resolve, reject) => {
+                ref.addEventListener('loadstart', async (event) => {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                        try {
+                            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+                            resolve();
+                        }
+                        catch (error) {
+                            reject(error);
+                        }
+                        closeBrowser();
+                        completed = true;
+                    }
+                });
+                ref.addEventListener('loaderror', async (event) => {
+                    if (!completed) {
+                        if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                            const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                            try {
+                                await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+                                resolve();
+                            }
+                            catch (error) {
+                                reject(error);
+                            }
+                            closeBrowser();
+                            completed = true;
+                        }
+                        else {
+                            reject(new Error('Unable to process login.'));
+                            closeBrowser();
+                        }
+                    }
+                });
+                ref.addEventListener('exit', function (event) {
+                    if (!closed) {
+                        reject(new Error('User closed the login window.'));
+                    }
+                });
+            });
+        },
+        logout: async (options) => {
+            const logoutUrl = this.createLogoutUrl(options);
+            const ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes,clearcache=yes');
+            let error = false;
+            ref.addEventListener('loadstart', (event) => {
+                if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                    ref.close();
+                }
+            });
+            ref.addEventListener('loaderror', (event) => {
+                if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                    ref.close();
                 }
                 else {
-                    promise.setError();
+                    error = true;
+                    ref.close();
                 }
+            });
+            await new Promise((resolve, reject) => {
+                ref.addEventListener('exit', () => {
+                    if (error) {
+                        reject(new Error('User closed the login window.'));
+                    }
+                    else {
+                        this.clearToken();
+                        resolve();
+                    }
+                });
+            });
+        },
+        register: async (options) => {
+            const registerUrl = await this.createRegisterUrl();
+            const cordovaOptions = createCordovaOptions(options);
+            const ref = cordovaOpenWindowWrapper(registerUrl, '_blank', cordovaOptions);
+            /** @type {Promise<void>} */
+            const promise = new Promise((resolve, reject) => {
+                ref.addEventListener('loadstart', async (event) => {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        ref.close();
+                        const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                        try {
+                            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                            resolve();
+                        }
+                        catch (error) {
+                            reject(error);
+                        }
+                    }
+                });
+            });
+            await promise;
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                const ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
+                ref.addEventListener('loadstart', function (event) {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        ref.close();
+                    }
+                });
             }
-        };
-        req.send();
-        return promise.promise;
-    };
-    kc.isTokenExpired = function (minValidity) {
-        if (!kc.tokenParsed || (!kc.refreshToken && kc.flow != 'implicit')) {
-            throw 'Not authenticated';
-        }
-        if (kc.timeSkew == null) {
-            logInfo('[TIDECLOAK] Unable to determine if token is expired as timeskew is not set');
-            return true;
-        }
-        var expiresIn = kc.tokenParsed['exp'] - Math.ceil(new Date().getTime() / 1000) + kc.timeSkew;
-        if (minValidity) {
-            if (isNaN(minValidity)) {
-                throw 'Invalid minValidity';
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-            expiresIn -= minValidity;
+        },
+        redirectUri: () => {
+            return getCordovaRedirectUri();
         }
-        return expiresIn < 0;
     };
-    kc.updateToken = function (minValidity) {
-        var promise = createPromise();
-        if (!kc.refreshToken) {
-            promise.setError();
-            return promise.promise;
-        }
-        minValidity = minValidity || 5;
-        var exec = function () {
-            var refreshToken = false;
-            if (minValidity == -1) {
-                refreshToken = true;
-                logInfo('[TIDECLOAK] Refreshing token: forced refresh');
+}, _TideCloak_loadCordovaNativeAdapter = function _TideCloak_loadCordovaNativeAdapter() {
+    /* global universalLinks */
+    return {
+        login: async (options) => {
+            const loginUrl = await this.createLoginUrl(options);
+            await new Promise((resolve, reject) => {
+                universalLinks.subscribe('keycloak', async (event) => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                    try {
+                        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                        resolve();
+                    }
+                    catch (error) {
+                        reject(error);
+                    }
+                });
+                window.cordova.plugins.browsertab.openUrl(loginUrl);
+            });
+        },
+        logout: async (options) => {
+            const logoutUrl = this.createLogoutUrl(options);
+            await new Promise((resolve) => {
+                universalLinks.subscribe('keycloak', () => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    this.clearToken();
+                    resolve();
+                });
+                window.cordova.plugins.browsertab.openUrl(logoutUrl);
+            });
+        },
+        register: async (options) => {
+            const registerUrl = await this.createRegisterUrl(options);
+            await new Promise((resolve, reject) => {
+                universalLinks.subscribe('keycloak', async (event) => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                    try {
+                        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                        resolve();
+                    }
+                    catch (error) {
+                        reject(error);
+                    }
+                });
+                window.cordova.plugins.browsertab.openUrl(registerUrl);
+            });
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                window.cordova.plugins.browsertab.openUrl(accountUrl);
+            }
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-            else if (!kc.tokenParsed || kc.isTokenExpired(minValidity)) {
-                refreshToken = true;
-                logInfo('[TIDECLOAK] Refreshing token: token expired');
+        },
+        redirectUri: (options) => {
+            if (options && options.redirectUri) {
+                return options.redirectUri;
             }
-            if (!refreshToken) {
-                promise.setSuccess(false);
+            else if (this.redirectUri) {
+                return this.redirectUri;
             }
             else {
-                var params = 'grant_type=refresh_token&' + 'refresh_token=' + kc.refreshToken;
-                var url = kc.endpoints.token();
-                refreshQueue.push(promise);
-                if (refreshQueue.length == 1) {
-                    var req = new XMLHttpRequest();
-                    req.open('POST', url, true);
-                    req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-                    req.withCredentials = true;
-                    params += '&client_id=' + encodeURIComponent(kc.clientId);
-                    var timeLocal = new Date().getTime();
-                    req.onreadystatechange = function () {
-                        if (req.readyState == 4) {
-                            if (req.status == 200) {
-                                logInfo('[TIDECLOAK] Token refreshed');
-                                timeLocal = (timeLocal + new Date().getTime()) / 2;
-                                var tokenResponse = JSON.parse(req.responseText);
-                                setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], timeLocal, tokenResponse['doken']);
-                                kc.onAuthRefreshSuccess && kc.onAuthRefreshSuccess();
-                                for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
-                                    p.setSuccess(true);
-                                }
-                            }
-                            else {
-                                logWarn('[TIDECLOAK] Failed to refresh token');
-                                if (req.status == 400) {
-                                    kc.clearToken();
-                                }
-                                if (req.status == 500) {
-                                    // Check to see if error message tells us to reauthenticate the user
-                                    console.log("CHECKING REAUTH");
-                                }
-                                kc.onAuthRefreshError && kc.onAuthRefreshError();
-                                for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
-                                    p.setError("Failed to refresh token: An unexpected HTTP error occurred while attempting to refresh the token.");
-                                }
-                            }
-                        }
-                    };
-                    req.send(params);
-                }
+                return 'http://localhost';
             }
-        };
-        if (loginIframe.enable) {
-            var iframePromise = checkLoginIframe();
-            iframePromise.then(function () {
-                exec();
-            }).catch(function (error) {
-                promise.setError(error);
-            });
         }
-        else {
-            exec();
-        }
-        return promise.promise;
-    };
-    kc.clearToken = function () {
-        if (kc.token) {
-            setToken(null, null, null);
-            kc.onAuthLogout && kc.onAuthLogout();
-            if (kc.loginRequired) {
-                kc.login();
-            }
-        }
-    };
-    // Add the checkThresholdRule function to the Heimdall instance.
-    // This function calls the generic threshold rule processor from the thresholdRules module.
-    kc.checkThresholdRule = function (key, idSubstring, ruleSettings, draftJson) {
-        // Process the threshold rules using the provided parameters and return the result.
-        return (0, thresholdRules_js_1.default)(key, idSubstring, ruleSettings, draftJson);
-    };
-    kc.createCardanoTxDraft = function (txBody) {
-        const txBodyBytes = base64ToBytes(txBody);
-        return bytesToBase64((0, Serialization_js_1.CreateTideMemory)(txBodyBytes, txBodyBytes.length + 4));
-    };
-    kc.sign = async function (signModel, authFlow, draft, authorizers, ruleSetting, expiry) {
-        await kc.ensureTokenReady();
-        const signModelId = signModel.split(":");
-        if (signModelId.length !== 2 || !signModelId[0] || !signModelId[1]) {
-            throw "SignModel is not in the correct format. Expected format: 'ModelName:Version' (e.g. 'UserContext:1').";
-        }
-        const authFlowId = authFlow.split(":");
-        if (authFlowId.length !== 2 || !authFlowId[0] || !authFlowId[1]) {
-            throw "AuthFlow is not in the correct format. Expected format: 'ModelName:Version' (e.g. 'VRK:1').";
-        }
-        const sessKey = (0, Math_js_1.GenSessKey)();
-        const gSessKey = (0, Math_js_1.GetPublic)(sessKey);
-        const vvkInfo = await new NetworkClient_js_1.default(config.homeOrkUrl).GetKeyInfo(config.vendorId);
-        ;
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
-        }
-        // Check config
-        if (!Array.isArray(authorizers)) {
-            throw 'Pass authorizers in an array!';
-        }
-        const signRequest = new BaseTideRequest(signModelId[0], signModel[1], authFlow, draft);
-        if (expiry)
-            signRequest.setCustomExpiry(expiry);
-        new AuthorizationBuilder_js_1.default(signRequest, authorizers, ruleSetting).addAuthorization();
-        const signingFlow = new dVVKSigningFlow_DEPRECATED_js_1.default(config.vendorId, vvkInfo.UserPublic, vvkInfo.OrkInfo, sessKey, gSessKey, getVoucherUrl());
-        const result = (await signingFlow.start(signRequest));
-        return result;
     };
-    kc.signCardanoTx = async function (txBody, authorizers, ruleSettings, expiry) {
-        await kc.ensureTokenReady();
-        const sessKey = (0, Math_js_1.GenSessKey)();
-        const gSessKey = (0, Math_js_1.GetPublic)(sessKey);
-        const vvkInfo = await new NetworkClient_js_1.default(config.homeOrkUrl).GetKeyInfo(config.vendorId);
-        ;
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
-        }
-        // Check config
-        if (!Array.isArray(authorizers)) {
-            throw 'Pass authorizers in an array!';
-        }
-        const cardanoSignRequest = new CardanoTxBodySignRequest_js_1.default("BlindSig:1");
-        cardanoSignRequest.setTxBody(txBody);
-        cardanoSignRequest.serializeDraft();
-        new AuthorizationBuilder_js_1.default(cardanoSignRequest, authorizers, ruleSettings).addAuthorization();
-        cardanoSignRequest.setCustomExpiry(expiry);
-        const txSigningFlow = new dVVKSigningFlow_DEPRECATED_js_1.default(config.vendorId, vvkInfo.UserPublic, vvkInfo.OrkInfo, sessKey, gSessKey, getVoucherUrl());
-        const result = (await txSigningFlow.start(cardanoSignRequest));
-        return bytesToBase64(result[0]);
-    };
-    kc.createRuleSettingsDraft = function (ruleSettings, previousRuleSetting, previousRuleSettingCert) {
-        const ruleReqDraft = new RuleSettingSignRequest_js_1.default("Admin:1");
-        ruleReqDraft.setNewRuleSetting(StringToUint8Array(ruleSettings));
-        if (previousRuleSetting !== undefined && previousRuleSettingCert !== undefined) {
-            ruleReqDraft.setPreviousRuleSetting(StringToUint8Array(previousRuleSetting));
-            ruleReqDraft.setPreviousRuleSettingCert(base64ToBytes(previousRuleSettingCert));
-        }
-        return bytesToBase64(ruleReqDraft.getDraft());
-    };
-    function getRealmUrl() {
-        if (typeof kc.authServerUrl !== 'undefined') {
-            if (kc.authServerUrl.charAt(kc.authServerUrl.length - 1) == '/') {
-                return kc.authServerUrl + 'realms/' + encodeURIComponent(kc.realm);
-            }
-            else {
-                return kc.authServerUrl + '/realms/' + encodeURIComponent(kc.realm);
-            }
-        }
-        else {
-            return undefined;
-        }
+}, _TideCloak_loadConfig =
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_loadConfig() {
+    if (typeof __classPrivateFieldGet(this, _TideCloak_config, "f") === 'string') {
+        const jsonConfig = await fetchJsonConfig(__classPrivateFieldGet(this, _TideCloak_config, "f"));
+        this.authServerUrl = jsonConfig['auth-server-url'];
+        this.realm = jsonConfig.realm;
+        this.clientId = jsonConfig.resource;
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupEndpoints).call(this);
     }
-    function getOrigin() {
-        if (!window.location.origin) {
-            return window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port : '');
+    else {
+        this.clientId = __classPrivateFieldGet(this, _TideCloak_config, "f").clientId;
+        if ('oidcProvider' in __classPrivateFieldGet(this, _TideCloak_config, "f")) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadOidcConfig).call(this, __classPrivateFieldGet(this, _TideCloak_config, "f").oidcProvider);
         }
         else {
-            return window.location.origin;
+            this.authServerUrl = __classPrivateFieldGet(this, _TideCloak_config, "f").url;
+            this.realm = __classPrivateFieldGet(this, _TideCloak_config, "f").realm;
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupEndpoints).call(this);
         }
     }
-    function processCallback(oauth, promise) {
-        var code = oauth.code;
-        var error = oauth.error;
-        var prompt = oauth.prompt;
-        var timeLocal = new Date().getTime();
-        if (oauth['kc_action_status']) {
-            kc.onActionUpdate && kc.onActionUpdate(oauth['kc_action_status'], oauth['kc_action']);
+}, _TideCloak_setupEndpoints = function _TideCloak_setupEndpoints() {
+    this.endpoints = {
+        authorize: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/auth';
+        },
+        token: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/token';
+        },
+        logout: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/logout';
+        },
+        checkSessionIframe: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/login-status-iframe.html';
+        },
+        thirdPartyCookiesIframe: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/3p-cookies/step1.html';
+        },
+        register: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/registrations';
+        },
+        userinfo: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/userinfo';
         }
-        if (error) {
-            if (prompt != 'none') {
-                if (oauth.error_description && oauth.error_description === "authentication_expired") {
-                    kc.login(oauth.loginOptions);
-                }
-                else {
-                    var errorData = { error: error, error_description: oauth.error_description };
-                    kc.onAuthError && kc.onAuthError(errorData);
-                    promise && promise.setError(errorData);
-                }
-            }
-            else {
-                promise && promise.setSuccess();
-            }
-            return;
+    };
+}, _TideCloak_loadOidcConfig =
+/**
+ * @param {string | OpenIdProviderMetadata} oidcProvider
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_loadOidcConfig(oidcProvider) {
+    if (typeof oidcProvider === 'string') {
+        const url = `${stripTrailingSlash(oidcProvider)}/.well-known/openid-configuration`;
+        const openIdConfig = await fetchOpenIdConfig(url);
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupOidcEndpoints).call(this, openIdConfig);
+    }
+    else {
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupOidcEndpoints).call(this, oidcProvider);
+    }
+}, _TideCloak_setupOidcEndpoints = function _TideCloak_setupOidcEndpoints(config) {
+    this.endpoints = {
+        authorize() {
+            return config.authorization_endpoint;
+        },
+        token() {
+            return config.token_endpoint;
+        },
+        logout() {
+            if (!config.end_session_endpoint) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.end_session_endpoint;
+        },
+        checkSessionIframe() {
+            if (!config.check_session_iframe) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.check_session_iframe;
+        },
+        register() {
+            throw new Error('Redirection to "Register user" page not supported in standard OIDC mode');
+        },
+        userinfo() {
+            if (!config.userinfo_endpoint) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.userinfo_endpoint;
         }
-        else if ((kc.flow != 'standard') && (oauth.access_token || oauth.id_token)) {
-            authSuccess(oauth.access_token, null, oauth.id_token, true, oauth.doken);
-        }
-        if ((kc.flow != 'implicit') && code) {
-            var params = 'code=' + code + '&grant_type=authorization_code';
-            var url = kc.endpoints.token();
-            var req = new XMLHttpRequest();
-            req.open('POST', url, true);
-            req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-            params += '&client_id=' + encodeURIComponent(kc.clientId);
-            params += '&redirect_uri=' + oauth.redirectUri;
-            if (oauth.pkceCodeVerifier) {
-                params += '&code_verifier=' + oauth.pkceCodeVerifier;
+    };
+}, _TideCloak_check3pCookiesSupported =
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_check3pCookiesSupported() {
+    if ((!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable && !this.silentCheckSsoRedirectUri) || typeof this.endpoints.thirdPartyCookiesIframe !== 'function') {
+        return;
+    }
+    const iframe = document.createElement('iframe');
+    iframe.setAttribute('src', this.endpoints.thirdPartyCookiesIframe());
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-3p-check-iframe');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    /** @type {Promise<void>} */
+    const promise = new Promise((resolve) => {
+        /**
+         * @param {MessageEvent} event
+         */
+        const messageCallback = (event) => {
+            if (iframe.contentWindow !== event.source) {
+                return;
             }
-            req.withCredentials = true;
-            req.onreadystatechange = function () {
-                if (req.readyState == 4) {
-                    if (req.status == 200) {
-                        var tokenResponse = JSON.parse(req.responseText);
-                        authSuccess(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], kc.flow === 'standard', tokenResponse['doken']); // added doken field
-                        scheduleCheckIframe();
-                    }
-                    else {
-                        if (req.status == 500) {
-                            // Check to see if error message tells us to reauthenticate the user
-                            console.log("CHECKING REAUTH");
-                        }
-                        kc.onAuthError && kc.onAuthError();
-                        promise && promise.setError();
-                    }
-                }
-            };
-            req.onerror = function () {
-                // Try to log the user in again
-                kc.login({
-                    idpHint: 'tide',
-                    prompt: 'login', // forces them to actually re-enter credentials
-                    redirectUri: window.location.href // send them back to the exact same URL
-                });
-            };
-            req.send(params);
-        }
-        function authSuccess(accessToken, refreshToken, idToken, fulfillPromise, doken = null) {
-            timeLocal = (timeLocal + new Date().getTime()) / 2;
-            setToken(accessToken, refreshToken, idToken, timeLocal, doken);
-            if (useNonce && (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce)) {
-                logInfo('[TIDECLOAK] Invalid nonce, clearing token');
-                kc.clearToken();
-                promise && promise.setError();
+            if (event.data !== 'supported' && event.data !== 'unsupported') {
+                return;
             }
-            else {
-                if (fulfillPromise) {
-                    kc.onAuthSuccess && kc.onAuthSuccess();
-                    promise && promise.setSuccess();
+            else if (event.data === 'unsupported') {
+                __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, '[TIDECLOAK] Your browser is blocking access to 3rd-party cookies, this means:\n\n' +
+                    ' - It is not possible to retrieve tokens without redirecting to the TideCloak server (a.k.a. no support for silent authentication).\n' +
+                    ' - It is not possible to automatically detect changes to the session status (such as the user logging out in another tab).\n\n' +
+                    'For more information see: https://www.keycloak.org/securing-apps/javascript-adapter#_modern_browsers');
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+                if (this.silentCheckSsoFallback) {
+                    this.silentCheckSsoRedirectUri = undefined;
                 }
             }
-        }
+            document.body.removeChild(iframe);
+            window.removeEventListener('message', messageCallback);
+            resolve();
+        };
+        window.addEventListener('message', messageCallback, false);
+    });
+    return await applyTimeoutToPromise(promise, this.messageReceiveTimeout, 'Timeout when waiting for 3rd party check iframe message.');
+}, _TideCloak_processInit =
+/**
+ * @param {KeycloakInitOptions} initOptions
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_processInit(initOptions) {
+    var _a, _b, _c;
+    const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, window.location.href);
+    if (callback === null || callback === void 0 ? void 0 : callback.redirectUri) {
+        window.history.replaceState(window.history.state, '', callback.redirectUri);
     }
-    function loadConfig() {
-        var promise = createPromise();
-        var configUrl;
-        if (typeof config === 'string') {
-            configUrl = config;
-        }
-        function setupOidcEndoints(oidcConfiguration) {
-            if (!oidcConfiguration) {
-                kc.endpoints = {
-                    authorize: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/auth';
-                    },
-                    token: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/token';
-                    },
-                    logout: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/logout';
-                    },
-                    checkSessionIframe: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
-                    },
-                    thirdPartyCookiesIframe: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/3p-cookies/step1.html';
-                    },
-                    register: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/registrations';
-                    },
-                    userinfo: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/userinfo';
-                    }
-                };
-            }
-            else {
-                kc.endpoints = {
-                    authorize: function () {
-                        return oidcConfiguration.authorization_endpoint;
-                    },
-                    token: function () {
-                        return oidcConfiguration.token_endpoint;
-                    },
-                    logout: function () {
-                        if (!oidcConfiguration.end_session_endpoint) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.end_session_endpoint;
-                    },
-                    checkSessionIframe: function () {
-                        if (!oidcConfiguration.check_session_iframe) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.check_session_iframe;
-                    },
-                    register: function () {
-                        throw 'Redirection to "Register user" page not supported in standard OIDC mode';
-                    },
-                    userinfo: function () {
-                        if (!oidcConfiguration.userinfo_endpoint) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.userinfo_endpoint;
-                    }
-                };
-            }
+    if (callback && callback.valid) {
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+        return;
+    }
+    /** @param {boolean} prompt */
+    const doLogin = async (prompt) => {
+        /** @type {KeycloakLoginOptions} */
+        const options = {};
+        if (!prompt) {
+            options.prompt = 'none';
         }
-        if (configUrl) {
-            var req = new XMLHttpRequest();
-            req.open('GET', configUrl, true);
-            req.setRequestHeader('Accept', 'application/json');
-            req.onreadystatechange = function () {
-                if (req.readyState == 4) {
-                    if (req.status == 200 || fileLoaded(req)) {
-                        var config = JSON.parse(req.responseText);
-                        kc.authServerUrl = config['auth-server-url'];
-                        kc.realm = config['realm'];
-                        kc.clientId = config['resource'];
-                        setupOidcEndoints(null);
-                        promise.setSuccess();
-                    }
-                    else {
-                        promise.setError();
-                    }
-                }
-            };
-            req.send();
+        if (initOptions.locale) {
+            options.locale = initOptions.locale;
         }
-        else {
-            kc.clientId = config.clientId;
-            var oidcProvider = config['oidcProvider'];
-            if (!oidcProvider) {
-                kc.authServerUrl = config.url;
-                kc.realm = config.realm;
-                setupOidcEndoints(null);
-                promise.setSuccess();
-            }
-            else {
-                if (typeof oidcProvider === 'string') {
-                    var oidcProviderConfigUrl;
-                    if (oidcProvider.charAt(oidcProvider.length - 1) == '/') {
-                        oidcProviderConfigUrl = oidcProvider + '.well-known/openid-configuration';
-                    }
-                    else {
-                        oidcProviderConfigUrl = oidcProvider + '/.well-known/openid-configuration';
+        await this.login(options);
+    };
+    const onLoad = async () => {
+        switch (initOptions.onLoad) {
+            case 'check-sso':
+                if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+                    await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+                    const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+                    if (!unchanged) {
+                        this.silentCheckSsoRedirectUri ? await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkSsoSilently).call(this) : await doLogin(false);
                     }
-                    var req = new XMLHttpRequest();
-                    req.open('GET', oidcProviderConfigUrl, true);
-                    req.setRequestHeader('Accept', 'application/json');
-                    req.onreadystatechange = function () {
-                        if (req.readyState == 4) {
-                            if (req.status == 200 || fileLoaded(req)) {
-                                var oidcProviderConfig = JSON.parse(req.responseText);
-                                setupOidcEndoints(oidcProviderConfig);
-                                promise.setSuccess();
-                            }
-                            else {
-                                promise.setError();
-                            }
-                        }
-                    };
-                    req.send();
                 }
                 else {
-                    setupOidcEndoints(oidcProvider);
-                    promise.setSuccess();
+                    this.silentCheckSsoRedirectUri ? await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkSsoSilently).call(this) : await doLogin(false);
                 }
-            }
-        }
-        return promise.promise;
-    }
-    function fileLoaded(xhr) {
-        return xhr.status == 0 && xhr.responseText && xhr.responseURL.startsWith('file:');
-    }
-    function setToken(token, refreshToken, idToken, timeLocal, doken = null) {
-        if (kc.tokenTimeoutHandle) {
-            clearTimeout(kc.tokenTimeoutHandle);
-            kc.tokenTimeoutHandle = null;
-        }
-        if (refreshToken) {
-            kc.refreshToken = refreshToken;
-            kc.refreshTokenParsed = decodeToken(refreshToken);
-        }
-        else {
-            delete kc.refreshToken;
-            delete kc.refreshTokenParsed;
+                break;
+            case 'login-required':
+                await doLogin(true);
+                break;
+            default:
+                throw new Error('Invalid value for onLoad');
         }
-        if (idToken) {
-            kc.idToken = idToken;
-            kc.idTokenParsed = decodeToken(idToken);
+    };
+    if (initOptions.token && initOptions.refreshToken) {
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, initOptions.token, initOptions.refreshToken, initOptions.idToken);
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+            const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+            if (unchanged) {
+                (_a = this.onAuthSuccess) === null || _a === void 0 ? void 0 : _a.call(this);
+                __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
+            }
         }
         else {
-            delete kc.idToken;
-            delete kc.idTokenParsed;
-        }
-        if (token) {
-            kc.token = token;
-            kc.tokenParsed = decodeToken(token);
-            kc.sessionId = kc.tokenParsed.sid;
-            kc.authenticated = true;
-            kc.subject = kc.tokenParsed.sub;
-            kc.realmAccess = kc.tokenParsed.realm_access;
-            kc.resourceAccess = kc.tokenParsed.resource_access;
-            if (timeLocal) {
-                kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
+            try {
+                await this.updateToken(-1);
+                (_b = this.onAuthSuccess) === null || _b === void 0 ? void 0 : _b.call(this);
             }
-            if (kc.timeSkew != null) {
-                logInfo('[TIDECLOAK] Estimated time difference between browser and server is ' + kc.timeSkew + ' seconds');
-                if (kc.onTokenExpired) {
-                    var expiresIn = (kc.tokenParsed['exp'] - (new Date().getTime() / 1000) + kc.timeSkew) * 1000;
-                    logInfo('[TIDECLOAK] Token expires in ' + Math.round(expiresIn / 1000) + ' s');
-                    if (expiresIn <= 0) {
-                        kc.onTokenExpired();
-                    }
-                    else {
-                        kc.tokenTimeoutHandle = setTimeout(kc.onTokenExpired, expiresIn);
-                    }
+            catch (error) {
+                (_c = this.onAuthError) === null || _c === void 0 ? void 0 : _c.call(this);
+                if (initOptions.onLoad) {
+                    await onLoad();
+                }
+                else {
+                    throw error;
                 }
             }
         }
-        else {
-            delete kc.token;
-            delete kc.tokenParsed;
-            delete kc.subject;
-            delete kc.realmAccess;
-            delete kc.resourceAccess;
-            kc.authenticated = false;
-        }
-        if (doken) {
-            kc.doken = doken;
-            kc.dokenParsed = decodeToken(doken);
-            // update heimdall's doken too
-            if (kc.requestEnclave)
-                kc.requestEnclave.updateDoken(kc.doken);
-        }
-        else {
-            delete kc.doken;
-        }
     }
-    function createUUID() {
-        if (typeof crypto === "undefined" || typeof crypto.randomUUID === "undefined") {
-            throw new Error("Web Crypto API is not available.");
-        }
-        return crypto.randomUUID();
+    else if (initOptions.onLoad) {
+        await onLoad();
+    }
+}, _TideCloak_setupCheckLoginIframe =
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_setupCheckLoginIframe() {
+    if (!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable || __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) {
+        return;
     }
-    function parseCallback(url) {
-        var oauth = parseCallbackUrl(url);
-        if (!oauth) {
+    const iframe = document.createElement('iframe');
+    __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe = iframe;
+    iframe.setAttribute('src', this.endpoints.checkSessionIframe());
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-session-iframe');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    /**
+     * @param {MessageEvent} event
+     */
+    const messageCallback = (event) => {
+        var _a;
+        if (event.origin !== __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin || ((_a = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) === null || _a === void 0 ? void 0 : _a.contentWindow) !== event.source) {
             return;
         }
-        var oauthState = callbackStorage.get(oauth.state);
-        if (oauthState) {
-            oauth.valid = true;
-            oauth.redirectUri = oauthState.redirectUri;
-            oauth.storedNonce = oauthState.nonce;
-            oauth.prompt = oauthState.prompt;
-            oauth.pkceCodeVerifier = oauthState.pkceCodeVerifier;
-            oauth.loginOptions = oauthState.loginOptions;
-        }
-        return oauth;
-    }
-    function parseCallbackUrl(url) {
-        var supportedParams;
-        switch (kc.flow) {
-            case 'standard':
-                supportedParams = ['code', 'state', 'session_state', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-            case 'implicit':
-                supportedParams = ['access_token', 'token_type', 'id_token', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-            case 'hybrid':
-                supportedParams = ['access_token', 'token_type', 'id_token', 'code', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-        }
-        supportedParams.push('error');
-        supportedParams.push('error_description');
-        supportedParams.push('error_uri');
-        var queryIndex = url.indexOf('?');
-        var fragmentIndex = url.indexOf('#');
-        var newUrl;
-        var parsed;
-        if (kc.responseMode === 'query' && queryIndex !== -1) {
-            newUrl = url.substring(0, queryIndex);
-            parsed = parseCallbackParams(url.substring(queryIndex + 1, fragmentIndex !== -1 ? fragmentIndex : url.length), supportedParams);
-            if (parsed.paramsString !== '') {
-                newUrl += '?' + parsed.paramsString;
-            }
-            if (fragmentIndex !== -1) {
-                newUrl += url.substring(fragmentIndex);
-            }
+        if (!(event.data === 'unchanged' || event.data === 'changed' || event.data === 'error')) {
+            return;
         }
-        else if (kc.responseMode === 'fragment' && fragmentIndex !== -1) {
-            newUrl = url.substring(0, fragmentIndex);
-            parsed = parseCallbackParams(url.substring(fragmentIndex + 1), supportedParams);
-            if (parsed.paramsString !== '') {
-                newUrl += '#' + parsed.paramsString;
-            }
+        if (event.data !== 'unchanged') {
+            this.clearToken();
         }
-        if (parsed && parsed.oauthParams) {
-            if (kc.flow === 'standard' || kc.flow === 'hybrid') {
-                if ((parsed.oauthParams.code || parsed.oauthParams.error) && parsed.oauthParams.state) {
-                    parsed.oauthParams.newUrl = newUrl;
-                    return parsed.oauthParams;
-                }
+        const callbacks = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList;
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList = [];
+        for (const callback of callbacks.reverse()) {
+            if (event.data === 'error') {
+                callback(new Error('Error while checking login iframe'));
             }
-            else if (kc.flow === 'implicit') {
-                if ((parsed.oauthParams.access_token || parsed.oauthParams.error) && parsed.oauthParams.state) {
-                    parsed.oauthParams.newUrl = newUrl;
-                    return parsed.oauthParams;
-                }
+            else {
+                callback(null, event.data === 'unchanged');
             }
         }
-    }
-    function parseCallbackParams(paramsString, supportedParams) {
-        var p = paramsString.split('&');
-        var result = {
-            paramsString: '',
-            oauthParams: {}
-        };
-        for (var i = 0; i < p.length; i++) {
-            var split = p[i].indexOf("=");
-            var key = p[i].slice(0, split);
-            if (supportedParams.indexOf(key) !== -1) {
-                result.oauthParams[key] = p[i].slice(split + 1);
+    };
+    window.addEventListener('message', messageCallback, false);
+    /** @type {Promise<void>} */
+    const promise = new Promise((resolve) => {
+        iframe.addEventListener('load', () => {
+            const authUrl = this.endpoints.authorize();
+            if (authUrl.startsWith('/')) {
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin = globalThis.location.origin;
             }
             else {
-                if (result.paramsString !== '') {
-                    result.paramsString += '&';
-                }
-                result.paramsString += p[i];
-            }
-        }
-        return result;
-    }
-    function createPromise() {
-        // Need to create a native Promise which also preserves the
-        // interface of the custom promise type previously used by the API
-        var p = {
-            setSuccess: function (result) {
-                p.resolve(result);
-            },
-            setError: function (result) {
-                p.reject(result);
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin = new URL(authUrl).origin;
             }
-        };
-        p.promise = new Promise(function (resolve, reject) {
-            p.resolve = resolve;
-            p.reject = reject;
-        });
-        return p;
-    }
-    // Function to extend existing native Promise with timeout
-    function applyTimeoutToPromise(promise, timeout, errorMessage) {
-        var timeoutHandle = null;
-        var timeoutPromise = new Promise(function (resolve, reject) {
-            timeoutHandle = setTimeout(function () {
-                reject({ "error": errorMessage || "Promise is not settled within timeout of " + timeout + "ms" });
-            }, timeout);
-        });
-        return Promise.race([promise, timeoutPromise]).finally(function () {
-            clearTimeout(timeoutHandle);
+            resolve();
         });
+    });
+    await promise;
+}, _TideCloak_checkLoginIframe =
+/**
+ * @returns {Promise<boolean | undefined>}
+ */
+async function _TideCloak_checkLoginIframe() {
+    if (!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe || !__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin) {
+        return;
     }
-    function setupCheckLoginIframe() {
-        var promise = createPromise();
-        if (!loginIframe.enable) {
-            promise.setSuccess();
-            return promise.promise;
-        }
-        if (loginIframe.iframe) {
-            promise.setSuccess();
-            return promise.promise;
-        }
-        var iframe = document.createElement('iframe');
-        loginIframe.iframe = iframe;
-        iframe.onload = function () {
-            var authUrl = kc.endpoints.authorize();
-            if (authUrl.charAt(0) === '/') {
-                loginIframe.iframeOrigin = getOrigin();
-            }
-            else {
-                loginIframe.iframeOrigin = authUrl.substring(0, authUrl.indexOf('/', 8));
-            }
-            promise.setSuccess();
-        };
-        var src = kc.endpoints.checkSessionIframe();
-        iframe.setAttribute('src', src);
-        iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
-        iframe.setAttribute('title', 'keycloak-session-iframe');
-        iframe.style.display = 'none';
-        document.body.appendChild(iframe);
-        var messageCallback = function (event) {
-            if ((event.origin !== loginIframe.iframeOrigin) || (loginIframe.iframe.contentWindow !== event.source)) {
-                return;
-            }
-            if (!(event.data == 'unchanged' || event.data == 'changed' || event.data == 'error')) {
+    const message = `${this.clientId} ${(this.sessionId ? this.sessionId : '')}`;
+    const origin = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin;
+    /** @type {Promise<boolean>} */
+    const promise = new Promise((resolve, reject) => {
+        var _a, _b;
+        /** @type {(error: Error | null, value?: boolean) => void} */
+        const callback = (error, result) => error ? reject(error) : resolve(/** @type {boolean} */ (result));
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList.push(callback);
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList.length === 1) {
+            (_b = (_a = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) === null || _a === void 0 ? void 0 : _a.contentWindow) === null || _b === void 0 ? void 0 : _b.postMessage(message, origin);
+        }
+    });
+    return await promise;
+}, _TideCloak_checkSsoSilently =
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_checkSsoSilently() {
+    const iframe = document.createElement('iframe');
+    const src = await this.createLoginUrl({ prompt: 'none', redirectUri: this.silentCheckSsoRedirectUri });
+    iframe.setAttribute('src', src);
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-silent-check-sso');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    return await new Promise((resolve, reject) => {
+        /**
+         * @param {MessageEvent} event
+         */
+        const messageCallback = async (event) => {
+            if (event.origin !== window.location.origin || iframe.contentWindow !== event.source) {
                 return;
             }
-            if (event.data != 'unchanged') {
-                kc.clearToken();
+            const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.data);
+            try {
+                await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                resolve();
             }
-            var callbacks = loginIframe.callbackList.splice(0, loginIframe.callbackList.length);
-            for (var i = callbacks.length - 1; i >= 0; --i) {
-                var promise = callbacks[i];
-                if (event.data == 'error') {
-                    promise.setError();
-                }
-                else {
-                    promise.setSuccess(event.data == 'unchanged');
-                }
+            catch (error) {
+                reject(error);
             }
+            document.body.removeChild(iframe);
+            window.removeEventListener('message', messageCallback);
         };
-        window.addEventListener('message', messageCallback, false);
-        return promise.promise;
-    }
-    function scheduleCheckIframe() {
-        if (loginIframe.enable) {
-            if (kc.token) {
-                setTimeout(function () {
-                    checkLoginIframe().then(function (unchanged) {
-                        if (unchanged) {
-                            scheduleCheckIframe();
-                        }
-                    });
-                }, loginIframe.interval * 1000);
+        window.addEventListener('message', messageCallback);
+    });
+}, _TideCloak_parseCallback = function _TideCloak_parseCallback(url) {
+    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackUrl).call(this, url);
+    if (!oauth) {
+        return;
+    }
+    const oauthState = __classPrivateFieldGet(this, _TideCloak_callbackStorage, "f").get(oauth.state);
+    if (oauthState) {
+        oauth.valid = true;
+        oauth.redirectUri = oauthState.redirectUri;
+        oauth.storedNonce = oauthState.nonce;
+        oauth.prompt = oauthState.prompt;
+        oauth.pkceCodeVerifier = oauthState.pkceCodeVerifier;
+        oauth.loginOptions = oauthState.loginOptions;
+    }
+    return oauth;
+}, _TideCloak_parseCallbackUrl = function _TideCloak_parseCallbackUrl(urlString) {
+    let supportedParams = [];
+    switch (this.flow) {
+        case 'standard':
+            supportedParams = ['code', 'state', 'session_state', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+        case 'implicit':
+            supportedParams = ['access_token', 'token_type', 'id_token', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+        case 'hybrid':
+            supportedParams = ['access_token', 'token_type', 'id_token', 'code', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+    }
+    supportedParams.push('error');
+    supportedParams.push('error_description');
+    supportedParams.push('error_uri');
+    const url = new URL(urlString);
+    let redirectUri = '';
+    let parsed;
+    if (this.responseMode === 'query' && url.searchParams.size > 0) {
+        parsed = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackParams).call(this, url.search, supportedParams);
+        url.search = parsed.paramsString;
+        redirectUri = url.toString();
+    }
+    else if (this.responseMode === 'fragment' && url.hash.length > 0) {
+        parsed = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackParams).call(this, url.hash.substring(1), supportedParams);
+        url.hash = '';
+        redirectUri = url.toString();
+    }
+    if (parsed === null || parsed === void 0 ? void 0 : parsed.oauthParams) {
+        if (this.flow === 'standard' || this.flow === 'hybrid') {
+            if ((parsed.oauthParams.code || parsed.oauthParams.error) && parsed.oauthParams.state) {
+                parsed.oauthParams.redirectUri = redirectUri;
+                return parsed.oauthParams;
+            }
+        }
+        else if (this.flow === 'implicit') {
+            if ((parsed.oauthParams.access_token || parsed.oauthParams.error) && parsed.oauthParams.state) {
+                parsed.oauthParams.redirectUri = redirectUri;
+                return parsed.oauthParams;
             }
         }
     }
-    function checkLoginIframe() {
-        var promise = createPromise();
-        if (loginIframe.iframe && loginIframe.iframeOrigin) {
-            var msg = kc.clientId + ' ' + (kc.sessionId ? kc.sessionId : '');
-            loginIframe.callbackList.push(promise);
-            var origin = loginIframe.iframeOrigin;
-            if (loginIframe.callbackList.length == 1) {
-                loginIframe.iframe.contentWindow.postMessage(msg, origin);
+}, _TideCloak_parseCallbackParams = function _TideCloak_parseCallbackParams(paramsString, supportedParams) {
+    const params = new URLSearchParams(paramsString);
+    /** @type {Record<string, string>} */
+    const oauthParams = {};
+    for (const [key, value] of Array.from(params.entries())) {
+        if (supportedParams.includes(key)) {
+            oauthParams[key] = value;
+            params.delete(key);
+        }
+    }
+    return {
+        paramsString: params.toString(),
+        oauthParams
+    };
+}, _TideCloak_processCallback = async function _TideCloak_processCallback(oauth) {
+    var _a, _b, _c, _d;
+    const { code, error, prompt, doken } = oauth;
+    let timeLocal = new Date().getTime();
+    /**
+     * @param {string} accessToken
+     * @param {string=} refreshToken
+     * @param {string=} idToken
+     * @param {string=} dokenValue
+     */
+    const authSuccess = (accessToken, refreshToken, idToken, dokenValue) => {
+        timeLocal = (timeLocal + new Date().getTime()) / 2;
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, accessToken, refreshToken, idToken, timeLocal, dokenValue);
+        if (__classPrivateFieldGet(this, _TideCloak_useNonce, "f") && (this.idTokenParsed && this.idTokenParsed.nonce !== oauth.storedNonce)) {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Invalid nonce, clearing token');
+            this.clearToken();
+            throw new Error('Invalid nonce.');
+        }
+    };
+    if (oauth.kc_action_status) {
+        this.onActionUpdate && this.onActionUpdate(oauth.kc_action_status, oauth.kc_action);
+    }
+    if (error) {
+        if (prompt !== 'none') {
+            if (oauth.error_description && oauth.error_description === 'authentication_expired') {
+                await this.login(oauth.loginOptions);
+            }
+            else {
+                const errorData = { error, error_description: oauth.error_description };
+                (_a = this.onAuthError) === null || _a === void 0 ? void 0 : _a.call(this, errorData);
+                throw errorData;
             }
         }
-        else {
-            promise.setSuccess();
-        }
-        return promise.promise;
-    }
-    function check3pCookiesSupported() {
-        var promise = createPromise();
-        if ((loginIframe.enable || kc.silentCheckSsoRedirectUri) && typeof kc.endpoints.thirdPartyCookiesIframe === 'function') {
-            var iframe = document.createElement('iframe');
-            iframe.setAttribute('src', kc.endpoints.thirdPartyCookiesIframe());
-            iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
-            iframe.setAttribute('title', 'keycloak-3p-check-iframe');
-            iframe.style.display = 'none';
-            document.body.appendChild(iframe);
-            var messageCallback = function (event) {
-                if (iframe.contentWindow !== event.source) {
-                    return;
-                }
-                if (event.data !== "supported" && event.data !== "unsupported") {
-                    return;
-                }
-                else if (event.data === "unsupported") {
-                    logWarn("[TIDECLOAK] Your browser is blocking access to 3rd-party cookies, this means:\n\n" +
-                        " - It is not possible to retrieve tokens without redirecting to the TideCloak server (a.k.a. no support for silent authentication).\n" +
-                        " - It is not possible to automatically detect changes to the session status (such as the user logging out in another tab).\n\n" +
-                        "For more information see: https://www.keycloak.org/securing-apps/javascript-adapter#_modern_browsers");
-                    loginIframe.enable = false;
-                    if (kc.silentCheckSsoFallback) {
-                        kc.silentCheckSsoRedirectUri = false;
-                    }
-                }
-                document.body.removeChild(iframe);
-                window.removeEventListener("message", messageCallback);
-                promise.setSuccess();
-            };
-            window.addEventListener('message', messageCallback, false);
+        return;
+    }
+    else if ((this.flow !== 'standard') && (oauth.access_token || oauth.id_token)) {
+        authSuccess(oauth.access_token, undefined, oauth.id_token, doken);
+        (_b = this.onAuthSuccess) === null || _b === void 0 ? void 0 : _b.call(this);
+    }
+    if ((this.flow !== 'implicit') && code) {
+        try {
+            const response = await fetchAccessToken(this.endpoints.token(), code, /** @type {string} */ (this.clientId), oauth.redirectUri, oauth.pkceCodeVerifier);
+            authSuccess(response.access_token, response.refresh_token, response.id_token, response.doken);
+            if (this.flow === 'standard') {
+                (_c = this.onAuthSuccess) === null || _c === void 0 ? void 0 : _c.call(this);
+            }
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
         }
-        else {
-            promise.setSuccess();
+        catch (error) {
+            (_d = this.onAuthError) === null || _d === void 0 ? void 0 : _d.call(this);
+            throw error;
         }
-        return applyTimeoutToPromise(promise.promise, kc.messageReceiveTimeout, "Timeout when waiting for 3rd party check iframe message.");
     }
-    function loadAdapter(type) {
-        if (!type || type == 'default') {
-            return {
-                login: async function (options) {
-                    window.location.assign(await kc.createLoginUrl(options));
-                    return createPromise().promise;
-                },
-                logout: async function (options) {
-                    var _a;
-                    const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : kc.logoutMethod;
-                    if (logoutMethod === "GET") {
-                        window.location.replace(kc.createLogoutUrl(options));
-                        return;
-                    }
-                    // Create form to send POST request.
-                    const form = document.createElement("form");
-                    form.setAttribute("method", "POST");
-                    form.setAttribute("action", kc.createLogoutUrl(options));
-                    form.style.display = "none";
-                    // Add data to form as hidden input fields.
-                    const data = {
-                        id_token_hint: kc.idToken,
-                        client_id: kc.clientId,
-                        post_logout_redirect_uri: adapter.redirectUri(options, false)
-                    };
-                    for (const [name, value] of Object.entries(data)) {
-                        const input = document.createElement("input");
-                        input.setAttribute("type", "hidden");
-                        input.setAttribute("name", name);
-                        input.setAttribute("value", value);
-                        form.appendChild(input);
-                    }
-                    // Append form to page and submit it to perform logout and redirect.
-                    document.body.appendChild(form);
-                    form.submit();
-                },
-                register: async function (options) {
-                    window.location.assign(await kc.createRegisterUrl(options));
-                    return createPromise().promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        window.location.href = accountUrl;
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                    return createPromise().promise;
-                },
-                redirectUri: function (options, encodeHash) {
-                    if (arguments.length == 1) {
-                        encodeHash = true;
-                    }
-                    if (options && options.redirectUri) {
-                        return options.redirectUri;
-                    }
-                    else if (kc.redirectUri) {
-                        return kc.redirectUri;
-                    }
-                    else {
-                        return location.href;
-                    }
-                }
-            };
+}, _TideCloak_scheduleCheckIframe = async function _TideCloak_scheduleCheckIframe() {
+    if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable && this.token) {
+        await waitForTimeout(__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").interval * 1000);
+        const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+        if (unchanged) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
         }
-        if (type == 'cordova') {
-            loginIframe.enable = false;
-            var cordovaOpenWindowWrapper = function (loginUrl, target, options) {
-                if (window.cordova && window.cordova.InAppBrowser) {
-                    // Use inappbrowser for IOS and Android if available
-                    return window.cordova.InAppBrowser.open(loginUrl, target, options);
-                }
-                else {
-                    return window.open(loginUrl, target, options);
-                }
-            };
-            var shallowCloneCordovaOptions = function (userOptions) {
-                if (userOptions && userOptions.cordovaOptions) {
-                    return Object.keys(userOptions.cordovaOptions).reduce(function (options, optionName) {
-                        options[optionName] = userOptions.cordovaOptions[optionName];
-                        return options;
-                    }, {});
+    }
+}, _TideCloak_getVoucherUrl = function _TideCloak_getVoucherUrl() {
+    if (!this.tokenParsed)
+        throw new Error('User authentication required to access voucher service');
+    const sid = this.tokenParsed['sid'];
+    const realmUrl = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+    if (!realmUrl)
+        throw new Error('Unable to build voucher URL, realm URL not configured');
+    return `${realmUrl}/tidevouchers/fromUserSession?sessionId=${encodeURIComponent(sid)}`;
+}, _TideCloak_setToken = function _TideCloak_setToken(token, refreshToken, idToken, timeLocal, doken) {
+    if (this.tokenTimeoutHandle) {
+        clearTimeout(this.tokenTimeoutHandle);
+        this.tokenTimeoutHandle = undefined;
+    }
+    if (refreshToken) {
+        this.refreshToken = refreshToken;
+        this.refreshTokenParsed = decodeToken(refreshToken);
+    }
+    else {
+        delete this.refreshToken;
+        delete this.refreshTokenParsed;
+    }
+    if (idToken) {
+        this.idToken = idToken;
+        this.idTokenParsed = decodeToken(idToken);
+    }
+    else {
+        delete this.idToken;
+        delete this.idTokenParsed;
+    }
+    if (token) {
+        this.token = token;
+        this.tokenParsed = decodeToken(token);
+        this.sessionId = this.tokenParsed.sid;
+        this.authenticated = true;
+        this.subject = this.tokenParsed.sub;
+        this.realmAccess = this.tokenParsed.realm_access;
+        this.resourceAccess = this.tokenParsed.resource_access;
+        if (timeLocal) {
+            this.timeSkew = Math.floor(timeLocal / 1000) - this.tokenParsed.iat;
+        }
+        if (typeof this.timeSkew === 'number') {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Estimated time difference between browser and server is ' + this.timeSkew + ' seconds');
+            if (this.onTokenExpired) {
+                const expiresIn = (this.tokenParsed.exp - (new Date().getTime() / 1000) + this.timeSkew) * 1000;
+                __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Token expires in ' + Math.round(expiresIn / 1000) + ' s');
+                if (expiresIn <= 0) {
+                    this.onTokenExpired();
                 }
                 else {
-                    return {};
-                }
-            };
-            var formatCordovaOptions = function (cordovaOptions) {
-                return Object.keys(cordovaOptions).reduce(function (options, optionName) {
-                    options.push(optionName + "=" + cordovaOptions[optionName]);
-                    return options;
-                }, []).join(",");
-            };
-            var createCordovaOptions = function (userOptions) {
-                var cordovaOptions = shallowCloneCordovaOptions(userOptions);
-                cordovaOptions.location = 'no';
-                if (userOptions && userOptions.prompt == 'none') {
-                    cordovaOptions.hidden = 'yes';
-                }
-                return formatCordovaOptions(cordovaOptions);
-            };
-            var getCordovaRedirectUri = function () {
-                return kc.redirectUri || 'http://localhost';
-            };
-            return {
-                login: async function (options) {
-                    var promise = createPromise();
-                    var cordovaOptions = createCordovaOptions(options);
-                    var loginUrl = await kc.createLoginUrl(options);
-                    var ref = cordovaOpenWindowWrapper(loginUrl, '_blank', cordovaOptions);
-                    var completed = false;
-                    var closed = false;
-                    var closeBrowser = function () {
-                        closed = true;
-                        ref.close();
-                    };
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            var callback = parseCallback(event.url);
-                            processCallback(callback, promise);
-                            closeBrowser();
-                            completed = true;
-                        }
-                    });
-                    ref.addEventListener('loaderror', function (event) {
-                        if (!completed) {
-                            if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                                var callback = parseCallback(event.url);
-                                processCallback(callback, promise);
-                                closeBrowser();
-                                completed = true;
-                            }
-                            else {
-                                promise.setError();
-                                closeBrowser();
-                            }
-                        }
-                    });
-                    ref.addEventListener('exit', function (event) {
-                        if (!closed) {
-                            promise.setError({
-                                reason: "closed_by_user"
-                            });
-                        }
-                    });
-                    return promise.promise;
-                },
-                logout: function (options) {
-                    var promise = createPromise();
-                    var logoutUrl = kc.createLogoutUrl(options);
-                    var ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes,clearcache=yes');
-                    var error;
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                        }
-                    });
-                    ref.addEventListener('loaderror', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                        }
-                        else {
-                            error = true;
-                            ref.close();
-                        }
-                    });
-                    ref.addEventListener('exit', function (event) {
-                        if (error) {
-                            promise.setError();
-                        }
-                        else {
-                            kc.clearToken();
-                            promise.setSuccess();
-                        }
-                    });
-                    return promise.promise;
-                },
-                register: async function (options) {
-                    var promise = createPromise();
-                    var registerUrl = await kc.createRegisterUrl();
-                    var cordovaOptions = createCordovaOptions(options);
-                    var ref = cordovaOpenWindowWrapper(registerUrl, '_blank', cordovaOptions);
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                            var oauth = parseCallback(event.url);
-                            processCallback(oauth, promise);
-                        }
-                    });
-                    return promise.promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        var ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
-                        ref.addEventListener('loadstart', function (event) {
-                            if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                                ref.close();
-                            }
-                        });
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                },
-                redirectUri: function (options) {
-                    return getCordovaRedirectUri();
+                    this.tokenTimeoutHandle = window.setTimeout(this.onTokenExpired, expiresIn);
                 }
-            };
-        }
-        if (type == 'cordova-native') {
-            loginIframe.enable = false;
-            return {
-                login: async function (options) {
-                    var promise = createPromise();
-                    var loginUrl = await kc.createLoginUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        var oauth = parseCallback(event.url);
-                        processCallback(oauth, promise);
-                    });
-                    window.cordova.plugins.browsertab.openUrl(loginUrl);
-                    return promise.promise;
-                },
-                logout: function (options) {
-                    var promise = createPromise();
-                    var logoutUrl = kc.createLogoutUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        kc.clearToken();
-                        promise.setSuccess();
-                    });
-                    window.cordova.plugins.browsertab.openUrl(logoutUrl);
-                    return promise.promise;
-                },
-                register: async function (options) {
-                    var promise = createPromise();
-                    var registerUrl = await kc.createRegisterUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        var oauth = parseCallback(event.url);
-                        processCallback(oauth, promise);
-                    });
-                    window.cordova.plugins.browsertab.openUrl(registerUrl);
-                    return promise.promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        window.cordova.plugins.browsertab.openUrl(accountUrl);
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                },
-                redirectUri: function (options) {
-                    if (options && options.redirectUri) {
-                        return options.redirectUri;
-                    }
-                    else if (kc.redirectUri) {
-                        return kc.redirectUri;
-                    }
-                    else {
-                        return "http://localhost";
-                    }
-                }
-            };
+            }
         }
-        throw 'invalid adapter type: ' + type;
     }
-    const STORAGE_KEY_PREFIX = 'kc-callback-';
-    var LocalStorage = function () {
-        if (!(this instanceof LocalStorage)) {
-            return new LocalStorage();
+    else {
+        delete this.token;
+        delete this.tokenParsed;
+        delete this.subject;
+        delete this.realmAccess;
+        delete this.resourceAccess;
+        this.authenticated = false;
+    }
+    // Tide doken handling
+    if (doken) {
+        this.doken = doken;
+        this.dokenParsed = decodeToken(doken);
+        if (this.requestEnclave && typeof this.requestEnclave.updateDoken === 'function') {
+            this.requestEnclave.updateDoken(this.doken);
         }
-        localStorage.setItem('kc-test', 'test');
-        localStorage.removeItem('kc-test');
-        var cs = this;
-        /**
-         * Clears all values from local storage that are no longer valid.
-         */
-        function clearInvalidValues() {
-            const currentTime = Date.now();
-            for (const [key, value] of getStoredEntries()) {
-                // Attempt to parse the expiry time from the value.
-                const expiry = parseExpiry(value);
-                // Discard the value if it is malformed or expired.
-                if (expiry === null || expiry < currentTime) {
-                    localStorage.removeItem(key);
-                }
-            }
+    }
+    else {
+        delete this.doken;
+        delete this.dokenParsed;
+        if (this.requestEnclave && typeof this.requestEnclave.updateDoken === 'function') {
+            this.requestEnclave.updateDoken(undefined);
         }
-        /**
-         * Clears all known values from local storage.
-         */
-        function clearAllValues() {
-            for (const [key] of getStoredEntries()) {
-                localStorage.removeItem(key);
-            }
+    }
+}, _TideCloak_getRealmUrl = function _TideCloak_getRealmUrl() {
+    if (typeof this.authServerUrl === 'undefined') {
+        return;
+    }
+    return `${stripTrailingSlash(this.authServerUrl)}/realms/${encodeURIComponent(/** @type {string} */ (this.realm))}`;
+}, _TideCloak_createLogger = function _TideCloak_createLogger(fn) {
+    return (message) => {
+        if (this.enableLogging) {
+            fn.call(console, message);
         }
-        /**
-         * Gets all entries stored in local storage that are known to be managed by this class.
-         * @returns {Array<[string, unknown]>} An array of key-value pairs.
-         */
-        function getStoredEntries() {
-            return Object.entries(localStorage).filter(([key]) => key.startsWith(STORAGE_KEY_PREFIX));
+    };
+};
+export default TideCloak;
+/**
+ * @returns {string}
+ */
+function createUUID() {
+    if (typeof crypto === 'undefined' || typeof crypto.randomUUID === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
+    }
+    return crypto.randomUUID();
+}
+/**
+ * @param {Acr} requestedAcr
+ * @returns {string}
+ */
+function buildClaimsParameter(requestedAcr) {
+    return JSON.stringify({
+        id_token: {
+            acr: requestedAcr
         }
-        /**
-         * Parses the expiry time from a value stored in local storage.
-         * @param {unknown} value
-         * @returns {number | null} The expiry time in milliseconds, or `null` if the value is malformed.
-         */
-        function parseExpiry(value) {
-            let parsedValue;
-            // Attempt to parse the value as JSON.
-            try {
-                parsedValue = JSON.parse(value);
-            }
-            catch (error) {
-                return null;
-            }
-            // Attempt to extract the 'expires' property.
-            if (isObject(parsedValue) && 'expires' in parsedValue && typeof parsedValue.expires === 'number') {
-                return parsedValue.expires;
-            }
+    });
+}
+/**
+ * @param {number} len
+ * @returns {string}
+ */
+function generateCodeVerifier(len) {
+    return generateRandomString(len, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+}
+/**
+ * @param {string} pkceMethod
+ * @param {string} codeVerifier
+ * @returns {Promise<string>}
+ */
+async function generatePkceChallenge(pkceMethod, codeVerifier) {
+    if (pkceMethod !== 'S256') {
+        throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${pkceMethod}'.`);
+    }
+    // hash codeVerifier, then encode as url-safe base64 without padding
+    const hashBytes = new Uint8Array(await sha256Digest(codeVerifier));
+    const encodedHash = bytesToBase64(hashBytes)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+    return encodedHash;
+}
+/**
+ * @param {number} len
+ * @param {string} alphabet
+ * @returns {string}
+ */
+function generateRandomString(len, alphabet) {
+    const randomData = generateRandomData(len);
+    const chars = new Array(len);
+    for (let i = 0; i < len; i++) {
+        chars[i] = alphabet.charCodeAt(randomData[i] % alphabet.length);
+    }
+    return String.fromCharCode.apply(null, chars);
+}
+/**
+ * @param {number} len
+ * @returns {Uint8Array<ArrayBuffer>}
+ */
+function generateRandomData(len) {
+    if (typeof crypto === 'undefined' || typeof crypto.getRandomValues === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
+    }
+    return crypto.getRandomValues(new Uint8Array(len));
+}
+/**
+ * Function to extend existing native Promise with timeout
+ *
+ * @template T
+ * @param {Promise<T>} promise
+ * @param {number} timeout
+ * @param {string} errorMessage
+ * @returns {Promise<T>}
+ */
+function applyTimeoutToPromise(promise, timeout, errorMessage) {
+    /** @type {number} */
+    let timeoutHandle;
+    const timeoutPromise = new Promise(function (resolve, reject) {
+        timeoutHandle = window.setTimeout(function () {
+            reject(new Error(errorMessage || 'Promise is not settled within timeout of ' + timeout + 'ms'));
+        }, timeout);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(function () {
+        clearTimeout(timeoutHandle);
+    });
+}
+/**
+ * @returns {CallbackStorage}
+ */
+function createCallbackStorage() {
+    try {
+        return new LocalStorage();
+    }
+    catch (err) {
+        return new CookieStorage();
+    }
+}
+const STORAGE_KEY_PREFIX = 'kc-callback-';
+/**
+ * @typedef {Object} CallbackState
+ * @property {string} state
+ * @property {string} nonce
+ * @property {string} redirectUri
+ * @property {KeycloakLoginOptions} [loginOptions]
+ * @property {KeycloakLoginOptions['prompt']} [prompt]
+ * @property {string} [pkceCodeVerifier]
+ */
+/**
+ * @typedef {Object} CallbackStorage
+ * @property {(state?: string) => CallbackState | null} get
+ * @property {(state: CallbackState) => void} add
+ */
+/**
+ * @implements {CallbackStorage}
+ */
+class LocalStorage {
+    constructor() {
+        _LocalStorage_instances.add(this);
+        globalThis.localStorage.setItem('kc-test', 'test');
+        globalThis.localStorage.removeItem('kc-test');
+    }
+    /**
+     * @param {string} [state]
+     * @returns {CallbackState | null}
+     */
+    get(state) {
+        if (!state) {
             return null;
         }
-        cs.get = function (state) {
-            if (!state) {
-                return;
-            }
-            var key = STORAGE_KEY_PREFIX + state;
-            var value = localStorage.getItem(key);
-            if (value) {
-                localStorage.removeItem(key);
-                value = JSON.parse(value);
-            }
-            clearInvalidValues();
-            return value;
-        };
-        cs.add = function (state) {
-            clearInvalidValues();
-            const key = STORAGE_KEY_PREFIX + state.state;
-            const value = JSON.stringify({
-                ...state,
-                // Set the expiry time to 1 hour from now.
-                expires: Date.now() + (60 * 60 * 1000)
-            });
-            try {
-                localStorage.setItem(key, value);
-            }
-            catch (error) {
-                // If the storage is full, clear all known values and try again.
-                clearAllValues();
-                localStorage.setItem(key, value);
-            }
-        };
-    };
-    var CookieStorage = function () {
-        if (!(this instanceof CookieStorage)) {
-            return new CookieStorage();
+        __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearInvalidValues).call(this);
+        const key = STORAGE_KEY_PREFIX + state;
+        const value = globalThis.localStorage.getItem(key);
+        if (value) {
+            globalThis.localStorage.removeItem(key);
+            return JSON.parse(value);
         }
-        var cs = this;
-        cs.get = function (state) {
-            if (!state) {
-                return;
-            }
-            var value = getCookie(STORAGE_KEY_PREFIX + state);
-            setCookie(STORAGE_KEY_PREFIX + state, '', cookieExpiration(-100));
-            if (value) {
-                return JSON.parse(value);
-            }
-        };
-        cs.add = function (state) {
-            setCookie(STORAGE_KEY_PREFIX + state.state, JSON.stringify(state), cookieExpiration(60));
-        };
-        cs.removeItem = function (key) {
-            setCookie(key, '', cookieExpiration(-100));
-        };
-        var cookieExpiration = function (minutes) {
-            var exp = new Date();
-            exp.setTime(exp.getTime() + (minutes * 60 * 1000));
-            return exp;
-        };
-        var getCookie = function (key) {
-            var name = key + '=';
-            var ca = document.cookie.split(';');
-            for (var i = 0; i < ca.length; i++) {
-                var c = ca[i];
-                while (c.charAt(0) == ' ') {
-                    c = c.substring(1);
-                }
-                if (c.indexOf(name) == 0) {
-                    return c.substring(name.length, c.length);
-                }
-            }
-            return '';
-        };
-        var setCookie = function (key, value, expirationDate) {
-            var cookie = key + '=' + value + '; '
-                + 'expires=' + expirationDate.toUTCString() + '; ';
-            document.cookie = cookie;
-        };
-    };
-    function createCallbackStorage() {
+        return null;
+    }
+    ;
+    /**
+     * @param {CallbackState} state
+     */
+    add(state) {
+        __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearInvalidValues).call(this);
+        const key = STORAGE_KEY_PREFIX + state.state;
+        const value = JSON.stringify({
+            ...state,
+            // Set the expiry time to 1 hour from now.
+            expires: Date.now() + (60 * 60 * 1000)
+        });
         try {
-            return new LocalStorage();
+            globalThis.localStorage.setItem(key, value);
         }
-        catch (err) {
+        catch (error) {
+            // If the storage is full, clear all known values and try again.
+            __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearAllValues).call(this);
+            globalThis.localStorage.setItem(key, value);
         }
-        return new CookieStorage();
     }
-    function createLogger(fn) {
-        return function () {
-            if (kc.enableLogging) {
-                fn.apply(console, Array.prototype.slice.call(arguments));
-            }
-        };
+    ;
+}
+_LocalStorage_instances = new WeakSet(), _LocalStorage_clearInvalidValues = function _LocalStorage_clearInvalidValues() {
+    const currentTime = Date.now();
+    for (const [key, value] of __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_getStoredEntries).call(this)) {
+        // Attempt to parse the expiry time from the value.
+        const expiry = __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_parseExpiry).call(this, value);
+        // Discard the value if it is malformed or expired.
+        if (expiry === null || expiry < currentTime) {
+            globalThis.localStorage.removeItem(key);
+        }
+    }
+}, _LocalStorage_clearAllValues = function _LocalStorage_clearAllValues() {
+    for (const [key] of __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_getStoredEntries).call(this)) {
+        globalThis.localStorage.removeItem(key);
+    }
+}, _LocalStorage_getStoredEntries = function _LocalStorage_getStoredEntries() {
+    return Object.entries(globalThis.localStorage).filter(([key]) => key.startsWith(STORAGE_KEY_PREFIX));
+}, _LocalStorage_parseExpiry = function _LocalStorage_parseExpiry(value) {
+    let parsedValue;
+    // Attempt to parse the value as JSON.
+    try {
+        parsedValue = JSON.parse(value);
+    }
+    catch (error) {
+        return null;
+    }
+    // Attempt to extract the 'expires' property.
+    if (isObject(parsedValue) && 'expires' in parsedValue && typeof parsedValue.expires === 'number') {
+        return parsedValue.expires;
+    }
+    return null;
+};
+/**
+ * @implements {CallbackStorage}
+ */
+class CookieStorage {
+    constructor() {
+        _CookieStorage_instances.add(this);
+    }
+    /**
+     * @param {string} [state]
+     * @returns {CallbackState | null}
+     */
+    get(state) {
+        if (!state) {
+            return null;
+        }
+        const value = __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_getCookie).call(this, STORAGE_KEY_PREFIX + state);
+        __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_setCookie).call(this, STORAGE_KEY_PREFIX + state, '', __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_cookieExpiration).call(this, -100));
+        if (value) {
+            return JSON.parse(value);
+        }
+        return null;
+    }
+    /**
+     * @param {CallbackState} state
+     */
+    add(state) {
+        __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_setCookie).call(this, STORAGE_KEY_PREFIX + state.state, JSON.stringify(state), __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_cookieExpiration).call(this, 60));
     }
 }
-exports.default = TideCloak;
-var heimdall_tide_2 = require("heimdall-tide");
-Object.defineProperty(exports, "RequestEnclave", { enumerable: true, get: function () { return heimdall_tide_2.RequestEnclave; } });
-Object.defineProperty(exports, "ApprovalEnclave", { enumerable: true, get: function () { return heimdall_tide_2.ApprovalEnclave; } });
+_CookieStorage_instances = new WeakSet(), _CookieStorage_getCookie = function _CookieStorage_getCookie(key) {
+    const name = key + '=';
+    const ca = document.cookie.split(';');
+    for (let i = 0; i < ca.length; i++) {
+        let c = ca[i];
+        while (c.charAt(0) === ' ') {
+            c = c.substring(1);
+        }
+        if (c.indexOf(name) === 0) {
+            return c.substring(name.length, c.length);
+        }
+    }
+    return '';
+}, _CookieStorage_setCookie = function _CookieStorage_setCookie(key, value, expirationDate) {
+    const cookie = key + '=' + value + '; ' +
+        'expires=' + expirationDate.toUTCString() + '; ';
+    document.cookie = cookie;
+}, _CookieStorage_cookieExpiration = function _CookieStorage_cookieExpiration(minutes) {
+    const exp = new Date();
+    exp.setTime(exp.getTime() + (minutes * 60 * 1000));
+    return exp;
+};
 /**
- * @param {ArrayBuffer} bytes
+ * @param {Uint8Array<ArrayBuffer>} bytes
  * @see https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
  */
 function bytesToBase64(bytes) {
@@ -1835,15 +1809,12 @@ function bytesToBase64(bytes) {
 /**
  * @param {string} base64
  * @returns {Uint8Array}
- * @see https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
  */
 function base64ToBytes(base64) {
-    // Decode to “binary” JS string where each char’s code point 0–255 is one byte
     const binString = atob(base64);
     const len = binString.length;
     const bytes = new Uint8Array(len);
     for (let i = 0; i < len; i++) {
-        // codePointAt is safe here because each char was originally from 0–255
         bytes[i] = binString.codePointAt(i);
     }
     return bytes;
@@ -1855,31 +1826,32 @@ function base64ToBytes(base64) {
 async function sha256Digest(message) {
     const encoder = new TextEncoder();
     const data = encoder.encode(message);
-    if (typeof crypto === "undefined" || typeof crypto.subtle === "undefined") {
-        throw new Error("Web Crypto API is not available.");
+    if (typeof crypto === 'undefined' || typeof crypto.subtle === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
     }
-    return await crypto.subtle.digest("SHA-256", data);
+    return await crypto.subtle.digest('SHA-256', data);
 }
 /**
  * @param {string} token
+ * @returns {KeycloakTokenParsed}
  */
 function decodeToken(token) {
-    const [header, payload] = token.split(".");
-    if (typeof payload !== "string") {
-        throw new Error("Unable to decode token, payload not found.");
+    const [, payload] = token.split('.');
+    if (typeof payload !== 'string') {
+        throw new Error('Unable to decode token, payload not found.');
     }
     let decoded;
     try {
         decoded = base64UrlDecode(payload);
     }
     catch (error) {
-        throw new Error("Unable to decode token, payload is not a valid Base64URL value.", { cause: error });
+        throw new Error('Unable to decode token, payload is not a valid Base64URL value.', { cause: error });
     }
     try {
         return JSON.parse(decoded);
     }
     catch (error) {
-        throw new Error("Unable to decode token, payload is not a valid JSON value.", { cause: error });
+        throw new Error('Unable to decode token, payload is not a valid JSON value.', { cause: error });
     }
 }
 /**
@@ -1887,19 +1859,19 @@ function decodeToken(token) {
  */
 function base64UrlDecode(input) {
     let output = input
-        .replaceAll("-", "+")
-        .replaceAll("_", "/");
+        .replaceAll('-', '+')
+        .replaceAll('_', '/');
     switch (output.length % 4) {
         case 0:
             break;
         case 2:
-            output += "==";
+            output += '==';
             break;
         case 3:
-            output += "=";
+            output += '=';
             break;
         default:
-            throw new Error("Input is not of the correct length.");
+            throw new Error('Input is not of the correct length.');
     }
     try {
         return b64DecodeUnicode(output);
@@ -1915,9 +1887,9 @@ function b64DecodeUnicode(input) {
     return decodeURIComponent(atob(input).replace(/(.)/g, (m, p) => {
         let code = p.charCodeAt(0).toString(16).toUpperCase();
         if (code.length < 2) {
-            code = "0" + code;
+            code = '0' + code;
         }
-        return "%" + code;
+        return '%' + code;
     }));
 }
 /**
@@ -1927,10 +1899,152 @@ function b64DecodeUnicode(input) {
 function isObject(input) {
     return typeof input === 'object' && input !== null;
 }
-function getHumanReadableObject(modelId, data, expiry) {
-    return ModelRegistry_js_1.ModelRegistry.getHumanReadableModelBuilder(modelId, data, expiry).getHumanReadableObject();
+/**
+ * @typedef {Object} JsonConfig The JSON version of the adapter configuration.
+ * @property {string} auth-server-url The URL of the authentication server.
+ * @property {string} realm The name of the realm.
+ * @property {string} resource The name of the resource, usually the client ID.
+ */
+/**
+ * Fetch the adapter configuration from the given URL.
+ * @param {string} url
+ * @returns {Promise<JsonConfig>}
+ */
+async function fetchJsonConfig(url) {
+    return await fetchJSON(url);
+}
+/**
+ * Fetch the OpenID configuration from the given URL.
+ * @param {string} url
+ * @returns {Promise<OpenIdProviderMetadata>}
+ */
+async function fetchOpenIdConfig(url) {
+    return await fetchJSON(url);
 }
-var Serialization_js_2 = require("../modules/tide-js/Cryptide/Serialization.js");
-Object.defineProperty(exports, "bytesToBase64", { enumerable: true, get: function () { return Serialization_js_2.bytesToBase64; } });
-Object.defineProperty(exports, "base64ToBytes", { enumerable: true, get: function () { return Serialization_js_2.base64ToBytes; } });
+/**
+ * @typedef {Object} AccessTokenResponse The successful token response from the authorization server, based on the {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.1 OAuth 2.0 Authorization Framework specification}.
+ * @property {string} access_token The access token issued by the authorization server.
+ * @property {string} token_type The type of the token issued by the authorization server.
+ * @property {number} [expires_in] The lifetime in seconds of the access token.
+ * @property {string} [refresh_token] The refresh token issued by the authorization server.
+ * @property {string} [id_token] The ID token issued by the authorization server, if requested.
+ * @property {string} [scope] The scope of the access token.
+ */
+/**
+ * Fetch the access token from the given URL.
+ * @param {string} url
+ * @param {string} code
+ * @param {string} clientId
+ * @param {string} redirectUri
+ * @param {string} [pkceCodeVerifier]
+ * @returns {Promise<AccessTokenResponse>}
+ */
+async function fetchAccessToken(url, code, clientId, redirectUri, pkceCodeVerifier) {
+    const body = new URLSearchParams([
+        ['code', code],
+        ['grant_type', 'authorization_code'],
+        ['client_id', clientId],
+        ['redirect_uri', stripHash(redirectUri)]
+    ]);
+    if (pkceCodeVerifier) {
+        body.append('code_verifier', pkceCodeVerifier);
+    }
+    return await fetchJSON(url, {
+        method: 'POST',
+        credentials: 'include',
+        body
+    });
+}
+/**
+ * Fetch the refresh token from the given URL.
+ * @param {string} url
+ * @param {string} refreshToken
+ * @param {string} clientId
+ * @returns {Promise<AccessTokenResponse>}
+ */
+async function fetchRefreshToken(url, refreshToken, clientId) {
+    const body = new URLSearchParams([
+        ['grant_type', 'refresh_token'],
+        ['refresh_token', refreshToken],
+        ['client_id', clientId]
+    ]);
+    return await fetchJSON(url, {
+        method: 'POST',
+        credentials: 'include',
+        body
+    });
+}
+/**
+ * @template [T=unknown]
+ * @param {string} url
+ * @param {RequestInit} init
+ * @returns {Promise<T>}
+ */
+async function fetchJSON(url, init = {}) {
+    const headers = new Headers(init.headers);
+    headers.set('Accept', CONTENT_TYPE_JSON);
+    const response = await fetchWithErrorHandling(url, {
+        ...init,
+        headers
+    });
+    return await response.json();
+}
+/**
+ * @param {string} url
+ * @param {RequestInit} [init]
+ * @returns {Promise<Response>}
+ */
+async function fetchWithErrorHandling(url, init) {
+    const response = await fetch(url, init);
+    if (!response.ok) {
+        throw new NetworkError('Server responded with an invalid status.', { response });
+    }
+    return response;
+}
+/**
+ * @param {string} [token]
+ * @returns {[string, string]}
+ */
+function buildAuthorizationHeader(token) {
+    if (!token) {
+        throw new Error('Unable to build authorization header, token is not set, make sure the user is authenticated.');
+    }
+    return ['Authorization', `bearer ${token}`];
+}
+/**
+ * @param {string} url
+ * @returns {string}
+ */
+function stripTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+/**
+ * @param {string} url
+ * @returns {string}
+ */
+function stripHash(url) {
+    const parsedUrl = new URL(url);
+    parsedUrl.hash = '';
+    return parsedUrl.toString();
+}
+/**
+ * @typedef {Object} NetworkErrorOptionsProperties
+ * @property {Response} response
+ * @typedef {ErrorOptions & NetworkErrorOptionsProperties} NetworkErrorOptions
+ */
+export class NetworkError extends Error {
+    /**
+     * @param {string} message
+     * @param {NetworkErrorOptions} options
+     */
+    constructor(message, options) {
+        super(message, options);
+        this.response = options.response;
+    }
+}
+/**
+ * @param {number} delay
+ * @returns {Promise<void>}
+ */
+const waitForTimeout = (delay) => new Promise((resolve) => setTimeout(resolve, delay));
 //# sourceMappingURL=tidecloak.js.map