@tidecloak/js 0.12.33 → 0.12.40

package/dist/esm/lib/tidecloak.js

@@ -4,15 +4,6 @@
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
  *
  * Modifications Copyright (C) 2025 Tide Foundation Ltd
  * Tide Protocol - Infrastructure for a TRUE Zero-Trust paradigm
@@ -31,1792 +22,1784 @@
  * You should have received a copy of the Tide Community Open Code License along
  * with this program. If not, see https://tide.org/licenses_tcoc2-0-0-en
  */
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var _TideCloak_instances, _TideCloak_refreshQueue, _TideCloak_adapter, _TideCloak_useNonce, _TideCloak_callbackStorage, _TideCloak_logInfo, _TideCloak_logWarn, _TideCloak_loginIframe, _TideCloak_config, _TideCloak_loadAdapter, _TideCloak_loadDefaultAdapter, _TideCloak_loadCordovaAdapter, _TideCloak_loadCordovaNativeAdapter, _TideCloak_loadConfig, _TideCloak_setupEndpoints, _TideCloak_loadOidcConfig, _TideCloak_setupOidcEndpoints, _TideCloak_check3pCookiesSupported, _TideCloak_processInit, _TideCloak_setupCheckLoginIframe, _TideCloak_checkLoginIframe, _TideCloak_checkSsoSilently, _TideCloak_parseCallback, _TideCloak_parseCallbackUrl, _TideCloak_parseCallbackParams, _TideCloak_processCallback, _TideCloak_scheduleCheckIframe, _TideCloak_getVoucherUrl, _TideCloak_setToken, _TideCloak_getRealmUrl, _TideCloak_createLogger, _LocalStorage_instances, _LocalStorage_clearInvalidValues, _LocalStorage_clearAllValues, _LocalStorage_getStoredEntries, _LocalStorage_parseExpiry, _CookieStorage_instances, _CookieStorage_getCookie, _CookieStorage_setCookie, _CookieStorage_cookieExpiration;
 // MODIFIED: Added dependency to external Tide helper libraries.
-import { RequestEnclave, ApprovalEnclave } from "heimdall-tide";
-import { StringFromUint8Array, StringToUint8Array, CreateTideMemory } from "../modules/tide-js/Cryptide/Serialization.js";
-import { AuthorizedEncryptionFlow } from "../modules/tide-js/Flow/EncryptionFlows/AuthorizedEncryptionFlow.js";
-import dVVKSigningFlow_DEPRECATED from "../modules/tide-js/Flow/SigningFlows/dVVKSigningFlow_DEPRECATED.js";
-import CardanoTxBodySignRequest from "../modules/tide-js/Models/Transactions/CardanoTxBodySignRequest.js";
-import RuleSettingsSignRequest from "../modules/tide-js/Models/Rules/RuleSettingSignRequest.js";
-import AuthorizationBuilder from "../modules/tide-js/Models/AuthorizationBuilder.js";
-import { GenSessKey, GetPublic } from "../modules/tide-js/Cryptide/Math.js";
-import NetworkClient from "../modules/tide-js/Clients/NetworkClient.js";
-import { ModelRegistry } from "../modules/tide-js/Models/ModelRegistry.js";
-import processThresholdRules from "../modules/tide-js/RulesEngine/thresholdRules.js";
-import dVVKDecryptionFlow from "../modules/tide-js/Flow/DecryptionFlows/dVVKDecryptionFlow.js";
-import dVVKSigningFlow from "../modules/tide-js/Flow/SigningFlows/dVVKSigningFlow.js";
-// MODIFIED: Refactored `Keycloak` class into `TideCloak`.
-function TideCloak(config) {
-    if (!(this instanceof TideCloak)) {
-        throw new Error("The 'TideCloak' constructor must be invoked with 'new'.");
-    }
-    if (typeof config !== 'string' && !isObject(config)) {
-        throw new Error("The 'TideCloak' constructor must be provided with a configuration object, or a URL to a JSON configuration file.");
-    }
-    if (isObject(config)) {
-        const requiredProperties = 'oidcProvider' in config
-            ? ['clientId']
-            : ['url', 'realm', 'clientId', 'homeOrkUrl', 'vendorId', 'clientOriginAuth'];
-        for (const property of requiredProperties) {
-            if (!config[property]) {
-                throw new Error(`The configuration object is missing the required '${property}' property.`);
-            }
-        }
+import { RequestEnclave, ApprovalEnclave, ApprovalEnclaveNew } from "heimdall-tide";
+const CONTENT_TYPE_JSON = 'application/json';
+/**
+ * @typedef {Object} Endpoints
+ * @property {() => string} authorize
+ * @property {() => string} token
+ * @property {() => string} logout
+ * @property {() => string} checkSessionIframe
+ * @property {() => string=} thirdPartyCookiesIframe
+ * @property {() => string} register
+ * @property {() => string} userinfo
+ */
+/**
+ * @typedef {Object} LoginIframe
+ * @property {boolean} enable
+ * @property {((error: Error | null, value?: boolean) => void)[]} callbackList
+ * @property {number} interval
+ * @property {HTMLIFrameElement=} iframe
+ * @property {string=} iframeOrigin
+ */
+export { RequestEnclave, ApprovalEnclave, ApprovalEnclaveNew, TideMemory, BaseTideRequest, PolicySignRequest, Policy, PolicyParameters } from "heimdall-tide";
+class TideCloak {
+    /**
+     * @param {KeycloakConfig} config
+     */
+    constructor(config) {
+        _TideCloak_instances.add(this);
+        /** @type {Pick<PromiseWithResolvers<boolean>, 'resolve' | 'reject'>[]} */
+        _TideCloak_refreshQueue.set(this, []
+        /** @type {KeycloakAdapter} */
+        );
+        /** @type {KeycloakAdapter} */
+        _TideCloak_adapter.set(this, void 0);
+        /** @type {boolean} */
+        _TideCloak_useNonce.set(this, true
+        /** @type {CallbackStorage} */
+        );
+        /** @type {CallbackStorage} */
+        _TideCloak_callbackStorage.set(this, void 0);
+        _TideCloak_logInfo.set(this, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_createLogger).call(this, console.info));
+        _TideCloak_logWarn.set(this, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_createLogger).call(this, console.warn)
+        /** @type {LoginIframe} */
+        );
+        /** @type {LoginIframe} */
+        _TideCloak_loginIframe.set(this, {
+            enable: true,
+            callbackList: [],
+            interval: 5
+        }
+        /** @type {KeycloakConfig} config */
+        );
+        /** @type {KeycloakConfig} config */
+        _TideCloak_config.set(this, void 0);
+        this.didInitialize = false;
+        this.authenticated = false;
+        this.loginRequired = false;
+        /** @type {KeycloakResponseMode} */
+        this.responseMode = 'fragment';
+        /** @type {KeycloakResponseType} */
+        this.responseType = 'code';
+        /** @type {KeycloakFlow} */
+        this.flow = 'standard';
+        /** @type {boolean} */
+        this.silentCheckSsoFallback = true;
+        /** @type {KeycloakPkceMethod} */
+        this.pkceMethod = 'S256';
+        this.enableLogging = false;
+        /** @type {'GET' | 'POST'} */
+        this.logoutMethod = 'GET';
+        this.messageReceiveTimeout = 10000;
+        if (typeof config !== 'string' && !isObject(config)) {
+            throw new Error("The 'TideCloak' constructor must be provided with a configuration object, or a URL to a JSON configuration file.");
+        }
+        // if (isObject(config)) {
+        //   const requiredProperties = 'oidcProvider' in config
+        //     ? ['clientId']
+        //     : ['url', 'realm', 'clientId', 'homeOrkUrl', 'vendorId', 'clientOriginAuth']
+        //   for (const property of requiredProperties) {
+        //     if (!config[property]) {
+        //       throw new Error(`The configuration object is missing the required '${property}' property.`)
+        //     }
+        //   }
+        // }
+        if (!globalThis.isSecureContext) {
+            __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, "[TIDECLOAK] TideCloak JS must be used in a 'secure context' to function properly as it relies on browser APIs that are otherwise not available.\n" +
+                'Continuing to run your application insecurely will lead to unexpected behavior and breakage.\n\n' +
+                'For more information see: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts');
+        }
+        __classPrivateFieldSet(this, _TideCloak_config, config, "f");
     }
-    var kc = this;
-    var adapter;
-    var refreshQueue = [];
-    var callbackStorage;
-    var loginIframe = {
-        enable: true,
-        callbackList: [],
-        interval: 5
-    };
-    kc.didInitialize = false;
-    var useNonce = true;
-    var logInfo = createLogger(console.info);
-    var logWarn = createLogger(console.warn);
-    if (!globalThis.isSecureContext) {
-        logWarn("[TIDECLOAK] TideCloak-JS must be used in a 'secure context' to function properly as it relies on browser APIs that are otherwise not available.\n" +
-            "Continuing to run your application insecurely will lead to unexpected behavior and breakage.\n\n" +
-            "For more information see: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts");
-    }
-    kc.init = function (initOptions = {}) {
-        if (kc.didInitialize) {
+    /**
+     * @param {KeycloakInitOptions} initOptions
+     * @returns {Promise<boolean>}
+     */
+    async init(initOptions = {}) {
+        var _a;
+        if (this.didInitialize) {
             throw new Error("A 'TideCloak' instance can only be initialized once.");
         }
-        kc.didInitialize = true;
-        kc.authenticated = false;
-        callbackStorage = createCallbackStorage();
-        var adapters = ['default', 'cordova', 'cordova-native'];
-        if (adapters.indexOf(initOptions.adapter) > -1) {
-            adapter = loadAdapter(initOptions.adapter);
+        this.didInitialize = true;
+        __classPrivateFieldSet(this, _TideCloak_callbackStorage, createCallbackStorage(), "f");
+        const adapters = ['default', 'cordova', 'cordova-native'];
+        if (typeof initOptions.adapter === 'string' && adapters.includes(initOptions.adapter)) {
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, initOptions.adapter), "f");
         }
-        else if (typeof initOptions.adapter === "object") {
-            adapter = initOptions.adapter;
+        else if (typeof initOptions.adapter === 'object') {
+            __classPrivateFieldSet(this, _TideCloak_adapter, initOptions.adapter, "f");
+        }
+        else if ('Cordova' in window || 'cordova' in window) {
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, 'cordova'), "f");
         }
         else {
-            if (window.Cordova || window.cordova) {
-                adapter = loadAdapter('cordova');
-            }
-            else {
-                adapter = loadAdapter();
-            }
+            __classPrivateFieldSet(this, _TideCloak_adapter, __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadAdapter).call(this, 'default'), "f");
         }
         if (typeof initOptions.useNonce !== 'undefined') {
-            useNonce = initOptions.useNonce;
+            __classPrivateFieldSet(this, _TideCloak_useNonce, initOptions.useNonce, "f");
         }
         if (typeof initOptions.checkLoginIframe !== 'undefined') {
-            loginIframe.enable = initOptions.checkLoginIframe;
+            __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = initOptions.checkLoginIframe;
         }
         if (initOptions.checkLoginIframeInterval) {
-            loginIframe.interval = initOptions.checkLoginIframeInterval;
+            __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").interval = initOptions.checkLoginIframeInterval;
         }
         if (initOptions.onLoad === 'login-required') {
-            kc.loginRequired = true;
+            this.loginRequired = true;
         }
         if (initOptions.responseMode) {
             if (initOptions.responseMode === 'query' || initOptions.responseMode === 'fragment') {
-                kc.responseMode = initOptions.responseMode;
+                this.responseMode = initOptions.responseMode;
             }
             else {
-                throw 'Invalid value for responseMode';
+                throw new Error('Invalid value for responseMode');
             }
         }
         if (initOptions.flow) {
             switch (initOptions.flow) {
                 case 'standard':
-                    kc.responseType = 'code';
+                    this.responseType = 'code';
                     break;
                 case 'implicit':
-                    kc.responseType = 'id_token token';
+                    this.responseType = 'id_token token';
                     break;
                 case 'hybrid':
-                    kc.responseType = 'code id_token token';
+                    this.responseType = 'code id_token token';
                     break;
                 default:
-                    throw 'Invalid value for flow';
+                    throw new Error('Invalid value for flow');
             }
-            kc.flow = initOptions.flow;
+            this.flow = initOptions.flow;
         }
-        if (initOptions.timeSkew != null) {
-            kc.timeSkew = initOptions.timeSkew;
+        if (typeof initOptions.timeSkew === 'number') {
+            this.timeSkew = initOptions.timeSkew;
         }
         if (initOptions.redirectUri) {
-            kc.redirectUri = initOptions.redirectUri;
+            this.redirectUri = initOptions.redirectUri;
         }
         if (initOptions.silentCheckSsoRedirectUri) {
-            kc.silentCheckSsoRedirectUri = initOptions.silentCheckSsoRedirectUri;
+            this.silentCheckSsoRedirectUri = initOptions.silentCheckSsoRedirectUri;
         }
         if (typeof initOptions.silentCheckSsoFallback === 'boolean') {
-            kc.silentCheckSsoFallback = initOptions.silentCheckSsoFallback;
-        }
-        else {
-            kc.silentCheckSsoFallback = true;
+            this.silentCheckSsoFallback = initOptions.silentCheckSsoFallback;
         }
-        if (typeof initOptions.pkceMethod !== "undefined") {
-            if (initOptions.pkceMethod !== "S256" && initOptions.pkceMethod !== false) {
+        if (typeof initOptions.pkceMethod !== 'undefined') {
+            if (initOptions.pkceMethod !== 'S256' && initOptions.pkceMethod !== false) {
                 throw new TypeError(`Invalid value for pkceMethod', expected 'S256' or false but got ${initOptions.pkceMethod}.`);
             }
-            kc.pkceMethod = initOptions.pkceMethod;
-        }
-        else {
-            kc.pkceMethod = "S256";
+            this.pkceMethod = initOptions.pkceMethod;
         }
         if (typeof initOptions.enableLogging === 'boolean') {
-            kc.enableLogging = initOptions.enableLogging;
-        }
-        else {
-            kc.enableLogging = false;
+            this.enableLogging = initOptions.enableLogging;
         }
         if (initOptions.logoutMethod === 'POST') {
-            kc.logoutMethod = 'POST';
-        }
-        else {
-            kc.logoutMethod = 'GET';
+            this.logoutMethod = 'POST';
         }
         if (typeof initOptions.scope === 'string') {
-            kc.scope = initOptions.scope;
+            this.scope = initOptions.scope;
         }
         if (typeof initOptions.acrValues === 'string') {
-            kc.acrValues = initOptions.acrValues;
+            this.acrValues = initOptions.acrValues;
         }
         if (typeof initOptions.messageReceiveTimeout === 'number' && initOptions.messageReceiveTimeout > 0) {
-            kc.messageReceiveTimeout = initOptions.messageReceiveTimeout;
+            this.messageReceiveTimeout = initOptions.messageReceiveTimeout;
         }
-        else {
-            kc.messageReceiveTimeout = 10000;
-        }
-        if (!kc.responseMode) {
-            kc.responseMode = 'fragment';
-        }
-        if (!kc.responseType) {
-            kc.responseType = 'code';
-            kc.flow = 'standard';
-        }
-        var promise = createPromise();
-        var initPromise = createPromise();
-        initPromise.promise.then(function () {
-            kc.onReady && kc.onReady(kc.authenticated);
-            promise.setSuccess(kc.authenticated);
-        }).catch(function (error) {
-            promise.setError(error);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadConfig).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_check3pCookiesSupported).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processInit).call(this, initOptions);
+        (_a = this.onReady) === null || _a === void 0 ? void 0 : _a.call(this, this.authenticated);
+        return this.authenticated;
+    }
+    ;
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<void>}
+     */
+    login(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").login(options);
+    }
+    /**
+     * Ensure the access token is valid, refreshing if needed.
+     * @returns {Promise<void>}
+     */
+    async ensureTokenReady() {
+        if (!this.tokenParsed)
+            return;
+        if (this.isTokenExpired()) {
+            await this.updateToken(-1);
+        }
+    }
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<string>}
+     */
+    async createLoginUrl(options) {
+        const state = createUUID();
+        const nonce = createUUID();
+        const redirectUri = __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options);
+        /** @type {CallbackState} */
+        const callbackState = {
+            state,
+            nonce,
+            redirectUri,
+            loginOptions: options
+        };
+        if (options === null || options === void 0 ? void 0 : options.prompt) {
+            callbackState.prompt = options.prompt;
+        }
+        const url = (options === null || options === void 0 ? void 0 : options.action) === 'register'
+            ? this.endpoints.register()
+            : this.endpoints.authorize();
+        let scope = (options === null || options === void 0 ? void 0 : options.scope) || this.scope;
+        const scopeValues = scope ? scope.split(' ') : [];
+        // Ensure the 'openid' scope is always included.
+        if (!scopeValues.includes('openid')) {
+            scopeValues.unshift('openid');
+        }
+        scope = scopeValues.join(' ');
+        const params = new URLSearchParams([
+            ['client_id', /** @type {string} */ (this.clientId)],
+            // The endpoint URI MUST NOT include a fragment component.
+            // https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
+            ['redirect_uri', stripHash(redirectUri)],
+            ['state', state],
+            ['response_mode', this.responseMode],
+            ['response_type', this.responseType],
+            ['scope', scope]
+        ]);
+        if (__classPrivateFieldGet(this, _TideCloak_useNonce, "f")) {
+            params.append('nonce', nonce);
+        }
+        if (options === null || options === void 0 ? void 0 : options.prompt) {
+            params.append('prompt', options.prompt);
+        }
+        if (typeof (options === null || options === void 0 ? void 0 : options.maxAge) === 'number') {
+            params.append('max_age', options.maxAge.toString());
+        }
+        if (options === null || options === void 0 ? void 0 : options.loginHint) {
+            params.append('login_hint', options.loginHint);
+        }
+        if (options === null || options === void 0 ? void 0 : options.idpHint) {
+            params.append('kc_idp_hint', options.idpHint);
+        }
+        if ((options === null || options === void 0 ? void 0 : options.action) && options.action !== 'register') {
+            params.append('kc_action', options.action);
+        }
+        if (options === null || options === void 0 ? void 0 : options.locale) {
+            params.append('ui_locales', options.locale);
+        }
+        if (options === null || options === void 0 ? void 0 : options.acr) {
+            params.append('claims', buildClaimsParameter(options.acr));
+        }
+        if ((options === null || options === void 0 ? void 0 : options.acrValues) || this.acrValues) {
+            params.append('acr_values', options.acrValues || this.acrValues);
+        }
+        if (this.pkceMethod) {
+            try {
+                const codeVerifier = generateCodeVerifier(96);
+                const pkceChallenge = await generatePkceChallenge(this.pkceMethod, codeVerifier);
+                callbackState.pkceCodeVerifier = codeVerifier;
+                params.append('code_challenge', pkceChallenge);
+                params.append('code_challenge_method', this.pkceMethod);
+            }
+            catch (error) {
+                throw new Error('Failed to generate PKCE challenge.', { cause: error });
+            }
+        }
+        __classPrivateFieldGet(this, _TideCloak_callbackStorage, "f").add(callbackState);
+        return `${url}?${params.toString()}`;
+    }
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {Promise<void>}
+     */
+    logout(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").logout(options);
+    }
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {string}
+     */
+    createLogoutUrl(options) {
+        var _a;
+        const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : this.logoutMethod;
+        const url = this.endpoints.logout();
+        if (logoutMethod === 'POST') {
+            return url;
+        }
+        const params = new URLSearchParams([
+            ['client_id', /** @type {string} */ (this.clientId)],
+            ['post_logout_redirect_uri', __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options)]
+        ]);
+        if (this.idToken) {
+            params.append('id_token_hint', this.idToken);
+        }
+        return `${url}?${params.toString()}`;
+    }
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<void>}
+     */
+    register(options) {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").register(options);
+    }
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<string>}
+     */
+    createRegisterUrl(options) {
+        return this.createLoginUrl({ ...options, action: 'register' });
+    }
+    /**
+     * @param {KeycloakAccountOptions} [options]
+     * @returns {string}
+     */
+    createAccountUrl(options) {
+        const url = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+        if (!url) {
+            throw new Error('Unable to create account URL, make sure the adapter is not configured using a generic OIDC provider.');
+        }
+        const params = new URLSearchParams([
+            ['referrer', /** @type {string} */ (this.clientId)],
+            ['referrer_uri', __classPrivateFieldGet(this, _TideCloak_adapter, "f").redirectUri(options)]
+        ]);
+        return `${url}/account?${params.toString()}`;
+    }
+    /**
+     * @returns {Promise<void>}
+     */
+    accountManagement() {
+        return __classPrivateFieldGet(this, _TideCloak_adapter, "f").accountManagement();
+    }
+    /**
+     * @param {string} role
+     * @returns {boolean}
+     */
+    hasRealmRole(role) {
+        const access = this.realmAccess;
+        return !!access && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * @param {string} role
+     * @param {string} [resource]
+     * @returns {boolean}
+     */
+    hasResourceRole(role, resource) {
+        if (!this.resourceAccess) {
+            return false;
+        }
+        const access = this.resourceAccess[resource || /** @type {string} */ (this.clientId)];
+        return !!access && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * @returns {Promise<KeycloakProfile>}
+     */
+    async loadUserProfile() {
+        const realmUrl = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+        if (!realmUrl) {
+            throw new Error('Unable to load user profile, make sure the adapter is not configured using a generic OIDC provider.');
+        }
+        const url = `${realmUrl}/account`;
+        /** @type {KeycloakProfile} */
+        const profile = await fetchJSON(url, {
+            headers: [buildAuthorizationHeader(this.token)]
         });
-        var configPromise = loadConfig();
-        function onLoad() {
-            var doLogin = function (prompt) {
-                if (!prompt) {
-                    options.prompt = 'none';
+        return (this.profile = profile);
+    }
+    /**
+     * @returns {Promise<KeycloakUserInfo>}
+     */
+    async loadUserInfo() {
+        const url = this.endpoints.userinfo();
+        /** @type {KeycloakUserInfo} */
+        const userInfo = await fetchJSON(url, {
+            headers: [buildAuthorizationHeader(this.token)]
+        });
+        return (this.userInfo = userInfo);
+    }
+    /**
+     * @param {number} [minValidity]
+     * @returns {boolean}
+     */
+    isTokenExpired(minValidity) {
+        if (!this.tokenParsed || (!this.refreshToken && this.flow !== 'implicit')) {
+            throw new Error('Not authenticated');
+        }
+        if (this.timeSkew == null) {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Unable to determine if token is expired as timeskew is not set');
+            return true;
+        }
+        if (typeof this.tokenParsed.exp !== 'number') {
+            return false;
+        }
+        let expiresIn = this.tokenParsed.exp - Math.ceil(new Date().getTime() / 1000) + this.timeSkew;
+        if (minValidity) {
+            if (isNaN(minValidity)) {
+                throw new Error('Invalid minValidity');
+            }
+            expiresIn -= minValidity;
+        }
+        return expiresIn < 0;
+    }
+    /**
+     * Matches Keycloak: minValidity is optional.
+     * @param {number} [minValidity]
+     * @returns {Promise<boolean>}
+     */
+    async updateToken(minValidity) {
+        var _a, _b;
+        if (!this.refreshToken) {
+            throw new Error('Unable to update token, no refresh token available.');
+        }
+        minValidity = minValidity || 5;
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+        }
+        let refreshToken = false;
+        if (minValidity === -1) {
+            refreshToken = true;
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Refreshing token: forced refresh');
+        }
+        else if (!this.tokenParsed || this.isTokenExpired(minValidity)) {
+            refreshToken = true;
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Refreshing token: token expired');
+        }
+        if (!refreshToken) {
+            return false;
+        }
+        /** @type {PromiseWithResolvers<boolean>} */
+        const { promise, resolve, reject } = Promise.withResolvers();
+        __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").push({ resolve, reject });
+        if (__classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").length === 1) {
+            const url = this.endpoints.token();
+            let timeLocal = new Date().getTime();
+            try {
+                const response = await fetchRefreshToken(url, this.refreshToken, /** @type {string} */ (this.clientId));
+                __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Token refreshed');
+                timeLocal = (timeLocal + new Date().getTime()) / 2;
+                __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, response.access_token, response.refresh_token, response.id_token, timeLocal, response.doken);
+                (_a = this.onAuthRefreshSuccess) === null || _a === void 0 ? void 0 : _a.call(this);
+                for (let p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop(); p != null; p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop()) {
+                    p.resolve(true);
+                }
+            }
+            catch (error) {
+                __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, '[TIDECLOAK] Failed to refresh token');
+                if (error instanceof NetworkError && error.response.status === 400) {
+                    this.clearToken();
                 }
-                if (initOptions.locale) {
-                    options.locale = initOptions.locale;
+                (_b = this.onAuthRefreshError) === null || _b === void 0 ? void 0 : _b.call(this);
+                for (let p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop(); p != null; p = __classPrivateFieldGet(this, _TideCloak_refreshQueue, "f").pop()) {
+                    p.reject(error);
                 }
-                kc.login(options).then(function () {
-                    initPromise.setSuccess();
-                }).catch(function (error) {
-                    initPromise.setError(error);
-                });
-            };
-            var checkSsoSilently = async function () {
-                var ifrm = document.createElement("iframe");
-                var src = await kc.createLoginUrl({ prompt: 'none', redirectUri: kc.silentCheckSsoRedirectUri });
-                ifrm.setAttribute("src", src);
-                ifrm.setAttribute("sandbox", "allow-storage-access-by-user-activation allow-scripts allow-same-origin");
-                ifrm.setAttribute("title", "keycloak-silent-check-sso");
-                ifrm.style.display = "none";
-                document.body.appendChild(ifrm);
-                var messageCallback = function (event) {
-                    if (event.origin !== window.location.origin || ifrm.contentWindow !== event.source) {
-                        return;
-                    }
-                    var oauth = parseCallback(event.data);
-                    processCallback(oauth, initPromise);
-                    document.body.removeChild(ifrm);
-                    window.removeEventListener("message", messageCallback);
-                };
-                window.addEventListener("message", messageCallback);
-            };
-            var options = {};
-            switch (initOptions.onLoad) {
-                case 'check-sso':
-                    if (loginIframe.enable) {
-                        setupCheckLoginIframe().then(function () {
-                            checkLoginIframe().then(function (unchanged) {
-                                if (!unchanged) {
-                                    kc.silentCheckSsoRedirectUri ? checkSsoSilently() : doLogin(false);
-                                }
-                                else {
-                                    initPromise.setSuccess();
-                                }
-                            }).catch(function (error) {
-                                initPromise.setError(error);
-                            });
-                        });
-                    }
-                    else {
-                        kc.silentCheckSsoRedirectUri ? checkSsoSilently() : doLogin(false);
-                    }
-                    break;
-                case 'login-required':
-                    doLogin(true);
-                    break;
-                default:
-                    throw 'Invalid value for onLoad';
             }
         }
-        function processInit() {
-            var callback = parseCallback(window.location.href);
-            if (callback) {
-                window.history.replaceState(window.history.state, null, callback.newUrl);
-            }
-            if (callback && callback.valid) {
-                return setupCheckLoginIframe().then(function () {
-                    processCallback(callback, initPromise);
-                }).catch(function (error) {
-                    initPromise.setError(error);
-                });
+        return await promise;
+    }
+    clearToken() {
+        var _a;
+        if (this.token) {
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this);
+            (_a = this.onAuthLogout) === null || _a === void 0 ? void 0 : _a.call(this);
+            if (this.loginRequired) {
+                this.login();
             }
-            if (initOptions.token && initOptions.refreshToken) {
-                setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
-                if (loginIframe.enable) {
-                    setupCheckLoginIframe().then(function () {
-                        checkLoginIframe().then(function (unchanged) {
-                            if (unchanged) {
-                                kc.onAuthSuccess && kc.onAuthSuccess();
-                                initPromise.setSuccess();
-                                scheduleCheckIframe();
-                            }
-                            else {
-                                initPromise.setSuccess();
-                            }
-                        }).catch(function (error) {
-                            initPromise.setError(error);
-                        });
+        }
+    }
+    /**
+     * Initialize Tide RequestEnclave.
+     */
+    initRequestEnclave() {
+        if (!this.doken)
+            throw new Error('[TIDECLOAK] No doken found');
+        if (!this.dokenParsed)
+            throw new Error('[TIDECLOAK] Token not parsed');
+        if (!this.requestEnclave) {
+            this.requestEnclave = new RequestEnclave({
+                homeOrkOrigin: this.dokenParsed['t.uho'],
+                signed_client_origin: __classPrivateFieldGet(this, _TideCloak_config, "f")['clientOriginAuth'],
+                vendorId: __classPrivateFieldGet(this, _TideCloak_config, "f").vendorId,
+                voucherURL: __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getVoucherUrl).call(this)
+            }).init({
+                doken: this.doken,
+                dokenRefreshCallback: async () => {
+                    await this.ensureTokenReady();
+                    if (!this.doken)
+                        throw new Error('[TIDECLOAK] No doken found');
+                    return this.doken;
+                },
+                requireReloginCallback: async () => {
+                    await this.login({
+                        idpHint: 'tide',
+                        prompt: 'login',
+                        redirectUri: window.location.href
                     });
                 }
-                else {
-                    kc.updateToken(-1).then(function () {
-                        kc.onAuthSuccess && kc.onAuthSuccess();
-                        initPromise.setSuccess();
-                    }).catch(function (error) {
-                        kc.onAuthError && kc.onAuthError();
-                        if (initOptions.onLoad) {
-                            onLoad();
-                        }
-                        else {
-                            initPromise.setError(error);
-                        }
+            });
+        }
+    }
+    /**
+     * Initialize Tide ApprovalEnclave.
+     */
+    initApprovalEnclave() {
+        if (!this.doken)
+            throw new Error('[TIDECLOAK] No doken found');
+        if (!this.dokenParsed)
+            throw new Error('[TIDECLOAK] Token not parsed');
+        if (!this.approvalEnclave) {
+            this.approvalEnclave = new ApprovalEnclaveNew({
+                homeOrkOrigin: this.dokenParsed['t.uho'],
+                signed_client_origin: __classPrivateFieldGet(this, _TideCloak_config, "f")['clientOriginAuth'],
+                vendorId: __classPrivateFieldGet(this, _TideCloak_config, "f").vendorId,
+                voucherURL: __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getVoucherUrl).call(this)
+            }).init({
+                doken: this.doken,
+                dokenRefreshCallback: async () => {
+                    await this.ensureTokenReady();
+                    if (!this.doken)
+                        throw new Error('[TIDECLOAK] No doken found');
+                    return this.doken;
+                },
+                requireReloginCallback: async () => {
+                    await this.login({
+                        idpHint: 'tide',
+                        prompt: 'login',
+                        redirectUri: window.location.href
                     });
                 }
-            }
-            else if (initOptions.onLoad) {
-                onLoad();
-            }
-            else {
-                initPromise.setSuccess();
-            }
-        }
-        configPromise.then(function () {
-            check3pCookiesSupported()
-                .then(processInit)
-                .catch(function (error) {
-                promise.setError(error);
             });
-        });
-        configPromise.catch(function (error) {
-            promise.setError(error);
-        });
-        return promise.promise;
-    };
-    kc.login = function (options) {
-        return adapter.login(options);
-    };
-    kc.ensureTokenReady = async function () {
-        if (kc.isTokenExpired()) {
-            await kc.updateToken(-1);
         }
-    };
-    // MODIFIED: Added role-based encryption functionality.
-    kc.encrypt = async function (toEncrypt) {
-        await kc.ensureTokenReady();
-        // Check config
+    }
+    /**
+     * Role-based encryption via Tide RequestEnclave.
+     * @param {{ data: string | Uint8Array, tags: string[] }[]} toEncrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    async encrypt(toEncrypt) {
+        await this.ensureTokenReady();
         if (!Array.isArray(toEncrypt)) {
-            throw 'Pass array as parameter';
+            throw new Error('Pass array as parameter');
         }
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
+        if (!this.tokenParsed) {
+            throw new Error('Not authenticated');
         }
-        const dataToSend = toEncrypt.map(e => {
+        const dataToSend = toEncrypt.map((e) => {
             if (!isObject(e))
-                throw 'All entries must be an object to encrypt';
-            for (const property of ["data", "tags"]) {
+                throw new Error('All entries must be an object to encrypt');
+            for (const property of ['data', 'tags']) {
                 if (!e[property]) {
                     throw new Error(`The configuration object is missing the required '${property}' property.`);
                 }
             }
             if (!Array.isArray(e.tags))
-                throw 'tags must be provided as a string array in object to encrypt';
-            if (typeof e.data !== "string" && !(e.data instanceof Uint8Array))
-                throw 'data must be provded as string or Uint8Array in object to encrypt';
-            // Check that the user has the roles required to encrypt the datas
+                throw new Error('tags must be provided as a string array in object to encrypt');
+            if (typeof e.data !== 'string' && !(e.data instanceof Uint8Array)) {
+                throw new Error('data must be provided as string or Uint8Array in object to encrypt');
+            }
             for (const tag of e.tags) {
-                if (typeof tag !== "string")
-                    throw "tags must be provided as an array of strings";
-                var tagAccess = kc.hasRealmRole("_tide_" + tag + ".selfencrypt");
+                if (typeof tag !== 'string')
+                    throw new Error('tags must be provided as an array of strings');
+                const tagAccess = this.hasRealmRole(`_tide_${tag}.selfencrypt`);
                 if (!tagAccess)
-                    throw `'User has not been given any access to '${tag}'`;
+                    throw new Error(`User has not been given any access to '${tag}'`);
             }
             return {
-                data: typeof e.data === "string" ? StringToUint8Array(e.data) : e.data, // convert data to byte array or leave as is if its already a byte array
+                data: typeof e.data === 'string' ? StringToUint8Array(e.data) : e.data,
                 tags: e.tags,
-                isRaw: typeof e.data === "string" ? false : true // indicate whether this piece of data was encrypted raw or not
+                isRaw: typeof e.data === 'string' ? false : true
             };
         });
-        kc.initEnclave();
-        // Now lets actually encrypt
-        // Construct Tide serialized data payloads
-        return (await kc.requestEnclave.encrypt(dataToSend)).map((e, i) => dataToSend[i].isRaw ? e : bytesToBase64(e)); // return a byte array cipher if encrypted as byte array, or a string cipher if encrypted as a string
-    };
-    function StringToUint8Array(string) {
-        const enc = new TextEncoder();
-        return enc.encode(string);
-    }
-    function StringFromUint8Array(bytes) {
-        const decoder = new TextDecoder('utf-8');
-        return decoder.decode(bytes);
-    }
-    kc.initEnclave = function () {
-        if (!kc.doken)
-            throw '[TIDECLOAK] No doken found';
-        if (!kc.tokenParsed)
-            throw '[TIDECLOAK] Token not parsed';
-        // Now lets actually encrypt
-        if (!kc.requestEnclave) {
-            kc.requestEnclave = new RequestEnclave({
-                homeOrkOrigin: kc.dokenParsed["t.uho"],
-                signed_client_origin: config['clientOriginAuth'],
-                vendorId: config.vendorId,
-                voucherURL: getVoucherUrl()
-            }).init({
-                doken: kc.doken,
-                dokenRefreshCallback: async () => {
-                    await kc.ensureTokenReady();
-                    if (!kc.doken)
-                        throw '[TIDECLOAK] No doken found';
-                    return kc.doken;
-                },
-                requireReloginCallback: async () => {
-                    kc.login({
-                        idpHint: 'tide', // the “alias” of the IdP you’ve configured in the realm
-                        prompt: 'login', // forces them to actually re-enter credentials
-                        redirectUri: window.location.href // send them back to the exact same URL
-                    });
-                }
-            });
-        }
-    };
-    // MODIFIED: Added Tide-based micro-vouchers.
-    function getVoucherUrl() {
-        if (!kc.tokenParsed)
-            throw 'User authentication required to access voucher service';
-        const sid = kc.tokenParsed["sid"];
-        return getRealmUrl() + '/tidevouchers/fromUserSession?sessionId=' + sid;
-    }
-    // MODIFIED: Added role-based decryption functionality.
-    kc.decrypt = async function (toDecrypt) {
-        await kc.ensureTokenReady();
-        // Check config
+        this.initRequestEnclave();
+        const encrypted = await this.requestEnclave.encrypt(dataToSend);
+        return encrypted.map((cipher, i) => (dataToSend[i].isRaw ? cipher : bytesToBase64(cipher)));
+    }
+    /**
+     * Initialize a Tide request that requires operator approvals.
+     * @param {Uint8Array} encodedRequest
+     * @returns {Promise<Uint8Array>}
+     */
+    async createTideRequest(encodedRequest) {
+        await this.ensureTokenReady();
+        this.initRequestEnclave();
+        return await this.requestEnclave.initializeRequest(encodedRequest);
+    }
+    /**
+     * Request Tide operator approval.
+     * @param {{id: string, request: Uint8Array}[]} requests
+     * @returns {Promise<{approved: {id: string, request: Uint8Array}[], denied: {id: string}[], pending: {id: string}[]}>}
+     */
+    async requestTideOperatorApproval(requests) {
+        await this.ensureTokenReady();
+        this.initApprovalEnclave();
+        return await this.approvalEnclave.approve(requests);
+    }
+    /**
+     * Execute a Tide Sign Request
+     * @param {Uint8Array} request
+     * @returns Array of signatures
+     */
+    async executeSignRequest(request) {
+        await this.ensureTokenReady();
+        this.initRequestEnclave();
+        return await this.requestEnclave.execute(request);
+    }
+    /**
+     * Role-based decryption via Tide RequestEnclave.
+     * @param {{ encrypted: string | Uint8Array, tags: string[] }[]} toDecrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    async decrypt(toDecrypt) {
+        await this.ensureTokenReady();
         if (!Array.isArray(toDecrypt)) {
-            throw 'Pass array as parameter';
+            throw new Error('Pass array as parameter');
         }
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
+        if (!this.tokenParsed) {
+            throw new Error('Not authenticated');
         }
-        const dataToSend = toDecrypt.map(e => {
+        const dataToSend = toDecrypt.map((e) => {
             if (!isObject(e))
-                throw 'All entries must be an object to decrypt';
-            for (const property of ["encrypted", "tags"]) {
+                throw new Error('All entries must be an object to decrypt');
+            for (const property of ['encrypted', 'tags']) {
                 if (!e[property]) {
                     throw new Error(`The configuration object is missing the required '${property}' property.`);
                 }
             }
             if (!Array.isArray(e.tags))
-                throw 'tags must be provided as a string array in object to decrypt';
-            if (typeof e.encrypted !== "string" && !(e.encrypted instanceof Uint8Array))
-                throw 'data must be provded as string or Uint8Array in object to decrypt';
-            // Check that the user has the roles required to encrypt the datas
+                throw new Error('tags must be provided as a string array in object to decrypt');
+            if (typeof e.encrypted !== 'string' && !(e.encrypted instanceof Uint8Array)) {
+                throw new Error('encrypted must be provided as string or Uint8Array in object to decrypt');
+            }
             for (const tag of e.tags) {
-                if (typeof tag !== "string")
-                    throw "tags must be provided as an array of strings";
-                var tagAccess = kc.hasRealmRole("_tide_" + tag + ".selfdecrypt");
+                if (typeof tag !== 'string')
+                    throw new Error('tags must be provided as an array of strings');
+                const tagAccess = this.hasRealmRole(`_tide_${tag}.selfdecrypt`);
                 if (!tagAccess)
-                    throw `'User has not been given any access to '${tag}'`;
+                    throw new Error(`User has not been given any access to '${tag}'`);
             }
             return {
-                encrypted: typeof e.encrypted === "string" ? base64ToBytes(e.encrypted) : e.encrypted,
+                encrypted: typeof e.encrypted === 'string' ? base64ToBytes(e.encrypted) : e.encrypted,
                 tags: e.tags,
-                isRaw: typeof e.encrypted === "string" ? false : true
+                isRaw: typeof e.encrypted === 'string' ? false : true
             };
         });
-        kc.initEnclave();
-        // Now lets actually decrypt
-        // Construct Tide serialized data payloads
-        return (await kc.requestEnclave.decrypt(dataToSend)).map((d, i) => dataToSend[i].isRaw ? d : StringFromUint8Array(d));
+        this.initRequestEnclave();
+        const decrypted = await this.requestEnclave.decrypt(dataToSend);
+        return decrypted.map((d, i) => (dataToSend[i].isRaw ? d : StringFromUint8Array(d)));
+    }
+}
+_TideCloak_refreshQueue = new WeakMap(), _TideCloak_adapter = new WeakMap(), _TideCloak_useNonce = new WeakMap(), _TideCloak_callbackStorage = new WeakMap(), _TideCloak_logInfo = new WeakMap(), _TideCloak_logWarn = new WeakMap(), _TideCloak_loginIframe = new WeakMap(), _TideCloak_config = new WeakMap(), _TideCloak_instances = new WeakSet(), _TideCloak_loadAdapter = function _TideCloak_loadAdapter(type) {
+    if (type === 'default') {
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadDefaultAdapter).call(this);
+    }
+    if (type === 'cordova') {
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadCordovaAdapter).call(this);
+    }
+    if (type === 'cordova-native') {
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+        return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadCordovaNativeAdapter).call(this);
+    }
+    throw new Error('invalid adapter type: ' + type);
+}, _TideCloak_loadDefaultAdapter = function _TideCloak_loadDefaultAdapter() {
+    /** @type {KeycloakAdapter['redirectUri']}{} */
+    const redirectUri = (options) => {
+        return (options === null || options === void 0 ? void 0 : options.redirectUri) || this.redirectUri || globalThis.location.href;
     };
-    function generateRandomData(len) {
-        if (typeof crypto === "undefined" || typeof crypto.getRandomValues === "undefined") {
-            throw new Error("Web Crypto API is not available.");
-        }
-        return crypto.getRandomValues(new Uint8Array(len));
-    }
-    function generateCodeVerifier(len) {
-        return generateRandomString(len, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
-    }
-    function generateRandomString(len, alphabet) {
-        var randomData = generateRandomData(len);
-        var chars = new Array(len);
-        for (var i = 0; i < len; i++) {
-            chars[i] = alphabet.charCodeAt(randomData[i] % alphabet.length);
-        }
-        return String.fromCharCode.apply(null, chars);
-    }
-    async function generatePkceChallenge(pkceMethod, codeVerifier) {
-        if (pkceMethod !== "S256") {
-            throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${pkceMethod}'.`);
-        }
-        // hash codeVerifier, then encode as url-safe base64 without padding
-        const hashBytes = new Uint8Array(await sha256Digest(codeVerifier));
-        const encodedHash = bytesToBase64(hashBytes)
-            .replace(/\+/g, '-')
-            .replace(/\//g, '_')
-            .replace(/\=/g, '');
-        return encodedHash;
-    }
-    function buildClaimsParameter(requestedAcr) {
-        var claims = {
-            id_token: {
-                acr: requestedAcr
+    return {
+        login: async (options) => {
+            window.location.assign(await this.createLoginUrl(options));
+            return await new Promise(() => { });
+        },
+        logout: async (options) => {
+            var _a;
+            const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : this.logoutMethod;
+            if (logoutMethod === 'GET') {
+                window.location.replace(this.createLogoutUrl(options));
+                return;
             }
-        };
-        return JSON.stringify(claims);
-    }
-    kc.createLoginUrl = async function (options) {
-        var state = createUUID();
-        var nonce = createUUID();
-        var redirectUri = adapter.redirectUri(options);
-        var callbackState = {
-            state: state,
-            nonce: nonce,
-            redirectUri: encodeURIComponent(redirectUri),
-            loginOptions: options
-        };
-        if (options && options.prompt) {
-            callbackState.prompt = options.prompt;
-        }
-        var baseUrl;
-        if (options && options.action == 'register') {
-            baseUrl = kc.endpoints.register();
-        }
-        else {
-            baseUrl = kc.endpoints.authorize();
-        }
-        var scope = options && options.scope || kc.scope;
-        if (!scope) {
-            // if scope is not set, default to "openid"
-            scope = "openid";
-        }
-        else if (scope.indexOf("openid") === -1) {
-            // if openid scope is missing, prefix the given scopes with it
-            scope = "openid " + scope;
-        }
-        var url = baseUrl
-            + '?client_id=' + encodeURIComponent(kc.clientId)
-            + '&redirect_uri=' + encodeURIComponent(redirectUri)
-            + '&state=' + encodeURIComponent(state)
-            + '&response_mode=' + encodeURIComponent(kc.responseMode)
-            + '&response_type=' + encodeURIComponent(kc.responseType)
-            + '&scope=' + encodeURIComponent(scope);
-        if (useNonce) {
-            url = url + '&nonce=' + encodeURIComponent(nonce);
-        }
-        if (options && options.prompt) {
-            url += '&prompt=' + encodeURIComponent(options.prompt);
-        }
-        if (options && typeof options.maxAge === 'number') {
-            url += '&max_age=' + encodeURIComponent(options.maxAge);
-        }
-        if (options && options.loginHint) {
-            url += '&login_hint=' + encodeURIComponent(options.loginHint);
-        }
-        if (options && options.idpHint) {
-            url += '&kc_idp_hint=' + encodeURIComponent(options.idpHint);
-        }
-        if (options && options.action && options.action != 'register') {
-            url += '&kc_action=' + encodeURIComponent(options.action);
-        }
-        if (options && options.locale) {
-            url += '&ui_locales=' + encodeURIComponent(options.locale);
-        }
-        if (options && options.acr) {
-            var claimsParameter = buildClaimsParameter(options.acr);
-            url += '&claims=' + encodeURIComponent(claimsParameter);
-        }
-        if ((options && options.acrValues) || kc.acrValues) {
-            url += '&acr_values=' + encodeURIComponent(options.acrValues || kc.acrValues);
-        }
-        if (kc.pkceMethod) {
-            try {
-                const codeVerifier = generateCodeVerifier(96);
-                const pkceChallenge = await generatePkceChallenge(kc.pkceMethod, codeVerifier);
-                callbackState.pkceCodeVerifier = codeVerifier;
-                url += '&code_challenge=' + pkceChallenge;
-                url += '&code_challenge_method=' + kc.pkceMethod;
+            // Create form to send POST request.
+            const form = document.createElement('form');
+            form.setAttribute('method', 'POST');
+            form.setAttribute('action', this.createLogoutUrl(options));
+            form.style.display = 'none';
+            // Add data to form as hidden input fields.
+            const data = {
+                id_token_hint: this.idToken,
+                client_id: this.clientId,
+                post_logout_redirect_uri: redirectUri(options)
+            };
+            for (const [name, value] of Object.entries(data)) {
+                const input = document.createElement('input');
+                input.setAttribute('type', 'hidden');
+                input.setAttribute('name', name);
+                input.setAttribute('value', /** @type {string} */ (value));
+                form.appendChild(input);
+            }
+            // Append form to page and submit it to perform logout and redirect.
+            document.body.appendChild(form);
+            form.submit();
+        },
+        register: async (options) => {
+            window.location.assign(await this.createRegisterUrl(options));
+            return await new Promise(() => { });
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                window.location.href = accountUrl;
             }
-            catch (error) {
-                throw new Error("Failed to generate PKCE challenge.", { cause: error });
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-        }
-        callbackStorage.add(callbackState);
-        return url;
-    };
-    kc.logout = function (options) {
-        return adapter.logout(options);
+            return await new Promise(() => { });
+        },
+        redirectUri
     };
-    kc.createLogoutUrl = function (options) {
-        var _a;
-        const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : kc.logoutMethod;
-        if (logoutMethod === 'POST') {
-            return kc.endpoints.logout();
+}, _TideCloak_loadCordovaAdapter = function _TideCloak_loadCordovaAdapter() {
+    /**
+     * @param {string} loginUrl
+     * @param {string} target
+     * @param {string} options
+     * @returns {WindowProxy | null}
+     */
+    const cordovaOpenWindowWrapper = (loginUrl, target, options) => {
+        if (window.cordova && window.cordova.InAppBrowser) {
+            // Use inappbrowser for IOS and Android if available
+            return window.cordova.InAppBrowser.open(loginUrl, target, options);
         }
-        var url = kc.endpoints.logout()
-            + '?client_id=' + encodeURIComponent(kc.clientId)
-            + '&post_logout_redirect_uri=' + encodeURIComponent(adapter.redirectUri(options, false));
-        if (kc.idToken) {
-            url += '&id_token_hint=' + encodeURIComponent(kc.idToken);
+        else {
+            return window.open(loginUrl, target, options);
         }
-        return url;
-    };
-    kc.register = function (options) {
-        return adapter.register(options);
     };
-    kc.createRegisterUrl = async function (options) {
-        if (!options) {
-            options = {};
+    const shallowCloneCordovaOptions = (userOptions) => {
+        if (userOptions && userOptions.cordovaOptions) {
+            return Object.keys(userOptions.cordovaOptions).reduce((options, optionName) => {
+                options[optionName] = userOptions.cordovaOptions[optionName];
+                return options;
+            }, {});
+        }
+        else {
+            return {};
         }
-        options.action = 'register';
-        return await kc.createLoginUrl(options);
-    };
-    kc.createAccountUrl = function (options) {
-        var realm = getRealmUrl();
-        var url = undefined;
-        if (typeof realm !== 'undefined') {
-            url = realm
-                + '/account'
-                + '?referrer=' + encodeURIComponent(kc.clientId)
-                + '&referrer_uri=' + encodeURIComponent(adapter.redirectUri(options));
-        }
-        return url;
-    };
-    kc.accountManagement = function () {
-        return adapter.accountManagement();
     };
-    kc.hasRealmRole = function (role) {
-        var access = kc.realmAccess;
-        return !!access && access.roles.indexOf(role) >= 0;
+    const formatCordovaOptions = (cordovaOptions) => {
+        return Object.keys(cordovaOptions).reduce((options, optionName) => {
+            options.push(optionName + '=' + cordovaOptions[optionName]);
+            return options;
+        }, []).join(',');
     };
-    kc.hasResourceRole = function (role, resource) {
-        if (!kc.resourceAccess) {
-            return false;
+    const createCordovaOptions = (userOptions) => {
+        const cordovaOptions = shallowCloneCordovaOptions(userOptions);
+        cordovaOptions.location = 'no';
+        if (userOptions && userOptions.prompt === 'none') {
+            cordovaOptions.hidden = 'yes';
         }
-        var access = kc.resourceAccess[resource || kc.clientId];
-        return !!access && access.roles.indexOf(role) >= 0;
+        return formatCordovaOptions(cordovaOptions);
     };
-    kc.loadUserProfile = function () {
-        var url = getRealmUrl() + '/account';
-        var req = new XMLHttpRequest();
-        req.open('GET', url, true);
-        req.setRequestHeader('Accept', 'application/json');
-        req.setRequestHeader('Authorization', 'bearer ' + kc.token);
-        var promise = createPromise();
-        req.onreadystatechange = function () {
-            if (req.readyState == 4) {
-                if (req.status == 200) {
-                    kc.profile = JSON.parse(req.responseText);
-                    promise.setSuccess(kc.profile);
-                }
-                else {
-                    promise.setError();
-                }
-            }
-        };
-        req.send();
-        return promise.promise;
+    const getCordovaRedirectUri = () => {
+        return this.redirectUri || 'http://localhost';
     };
-    kc.loadUserInfo = function () {
-        var url = kc.endpoints.userinfo();
-        var req = new XMLHttpRequest();
-        req.open('GET', url, true);
-        req.setRequestHeader('Accept', 'application/json');
-        req.setRequestHeader('Authorization', 'bearer ' + kc.token);
-        var promise = createPromise();
-        req.onreadystatechange = function () {
-            if (req.readyState == 4) {
-                if (req.status == 200) {
-                    kc.userInfo = JSON.parse(req.responseText);
-                    promise.setSuccess(kc.userInfo);
+    return {
+        login: async (options) => {
+            const cordovaOptions = createCordovaOptions(options);
+            const loginUrl = await this.createLoginUrl(options);
+            const ref = cordovaOpenWindowWrapper(loginUrl, '_blank', cordovaOptions);
+            let completed = false;
+            let closed = false;
+            function closeBrowser() {
+                closed = true;
+                ref.close();
+            }
+            ;
+            return await new Promise((resolve, reject) => {
+                ref.addEventListener('loadstart', async (event) => {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                        try {
+                            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+                            resolve();
+                        }
+                        catch (error) {
+                            reject(error);
+                        }
+                        closeBrowser();
+                        completed = true;
+                    }
+                });
+                ref.addEventListener('loaderror', async (event) => {
+                    if (!completed) {
+                        if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                            const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                            try {
+                                await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+                                resolve();
+                            }
+                            catch (error) {
+                                reject(error);
+                            }
+                            closeBrowser();
+                            completed = true;
+                        }
+                        else {
+                            reject(new Error('Unable to process login.'));
+                            closeBrowser();
+                        }
+                    }
+                });
+                ref.addEventListener('exit', function (event) {
+                    if (!closed) {
+                        reject(new Error('User closed the login window.'));
+                    }
+                });
+            });
+        },
+        logout: async (options) => {
+            const logoutUrl = this.createLogoutUrl(options);
+            const ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes,clearcache=yes');
+            let error = false;
+            ref.addEventListener('loadstart', (event) => {
+                if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                    ref.close();
+                }
+            });
+            ref.addEventListener('loaderror', (event) => {
+                if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                    ref.close();
                 }
                 else {
-                    promise.setError();
+                    error = true;
+                    ref.close();
                 }
+            });
+            await new Promise((resolve, reject) => {
+                ref.addEventListener('exit', () => {
+                    if (error) {
+                        reject(new Error('User closed the login window.'));
+                    }
+                    else {
+                        this.clearToken();
+                        resolve();
+                    }
+                });
+            });
+        },
+        register: async (options) => {
+            const registerUrl = await this.createRegisterUrl();
+            const cordovaOptions = createCordovaOptions(options);
+            const ref = cordovaOpenWindowWrapper(registerUrl, '_blank', cordovaOptions);
+            /** @type {Promise<void>} */
+            const promise = new Promise((resolve, reject) => {
+                ref.addEventListener('loadstart', async (event) => {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        ref.close();
+                        const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                        try {
+                            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                            resolve();
+                        }
+                        catch (error) {
+                            reject(error);
+                        }
+                    }
+                });
+            });
+            await promise;
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                const ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
+                ref.addEventListener('loadstart', function (event) {
+                    if (event.url.indexOf(getCordovaRedirectUri()) === 0) {
+                        ref.close();
+                    }
+                });
             }
-        };
-        req.send();
-        return promise.promise;
-    };
-    kc.isTokenExpired = function (minValidity) {
-        if (!kc.tokenParsed || (!kc.refreshToken && kc.flow != 'implicit')) {
-            throw 'Not authenticated';
-        }
-        if (kc.timeSkew == null) {
-            logInfo('[TIDECLOAK] Unable to determine if token is expired as timeskew is not set');
-            return true;
-        }
-        var expiresIn = kc.tokenParsed['exp'] - Math.ceil(new Date().getTime() / 1000) + kc.timeSkew;
-        if (minValidity) {
-            if (isNaN(minValidity)) {
-                throw 'Invalid minValidity';
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-            expiresIn -= minValidity;
+        },
+        redirectUri: () => {
+            return getCordovaRedirectUri();
         }
-        return expiresIn < 0;
     };
-    kc.updateToken = function (minValidity) {
-        var promise = createPromise();
-        if (!kc.refreshToken) {
-            promise.setError();
-            return promise.promise;
-        }
-        minValidity = minValidity || 5;
-        var exec = function () {
-            var refreshToken = false;
-            if (minValidity == -1) {
-                refreshToken = true;
-                logInfo('[TIDECLOAK] Refreshing token: forced refresh');
+}, _TideCloak_loadCordovaNativeAdapter = function _TideCloak_loadCordovaNativeAdapter() {
+    /* global universalLinks */
+    return {
+        login: async (options) => {
+            const loginUrl = await this.createLoginUrl(options);
+            await new Promise((resolve, reject) => {
+                universalLinks.subscribe('keycloak', async (event) => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                    try {
+                        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                        resolve();
+                    }
+                    catch (error) {
+                        reject(error);
+                    }
+                });
+                window.cordova.plugins.browsertab.openUrl(loginUrl);
+            });
+        },
+        logout: async (options) => {
+            const logoutUrl = this.createLogoutUrl(options);
+            await new Promise((resolve) => {
+                universalLinks.subscribe('keycloak', () => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    this.clearToken();
+                    resolve();
+                });
+                window.cordova.plugins.browsertab.openUrl(logoutUrl);
+            });
+        },
+        register: async (options) => {
+            const registerUrl = await this.createRegisterUrl(options);
+            await new Promise((resolve, reject) => {
+                universalLinks.subscribe('keycloak', async (event) => {
+                    universalLinks.unsubscribe('keycloak');
+                    window.cordova.plugins.browsertab.close();
+                    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.url);
+                    try {
+                        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                        resolve();
+                    }
+                    catch (error) {
+                        reject(error);
+                    }
+                });
+                window.cordova.plugins.browsertab.openUrl(registerUrl);
+            });
+        },
+        accountManagement: async () => {
+            const accountUrl = this.createAccountUrl();
+            if (typeof accountUrl !== 'undefined') {
+                window.cordova.plugins.browsertab.openUrl(accountUrl);
+            }
+            else {
+                throw new Error('Not supported by the OIDC server');
             }
-            else if (!kc.tokenParsed || kc.isTokenExpired(minValidity)) {
-                refreshToken = true;
-                logInfo('[TIDECLOAK] Refreshing token: token expired');
+        },
+        redirectUri: (options) => {
+            if (options && options.redirectUri) {
+                return options.redirectUri;
             }
-            if (!refreshToken) {
-                promise.setSuccess(false);
+            else if (this.redirectUri) {
+                return this.redirectUri;
             }
             else {
-                var params = 'grant_type=refresh_token&' + 'refresh_token=' + kc.refreshToken;
-                var url = kc.endpoints.token();
-                refreshQueue.push(promise);
-                if (refreshQueue.length == 1) {
-                    var req = new XMLHttpRequest();
-                    req.open('POST', url, true);
-                    req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-                    req.withCredentials = true;
-                    params += '&client_id=' + encodeURIComponent(kc.clientId);
-                    var timeLocal = new Date().getTime();
-                    req.onreadystatechange = function () {
-                        if (req.readyState == 4) {
-                            if (req.status == 200) {
-                                logInfo('[TIDECLOAK] Token refreshed');
-                                timeLocal = (timeLocal + new Date().getTime()) / 2;
-                                var tokenResponse = JSON.parse(req.responseText);
-                                setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], timeLocal, tokenResponse['doken']);
-                                kc.onAuthRefreshSuccess && kc.onAuthRefreshSuccess();
-                                for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
-                                    p.setSuccess(true);
-                                }
-                            }
-                            else {
-                                logWarn('[TIDECLOAK] Failed to refresh token');
-                                if (req.status == 400) {
-                                    kc.clearToken();
-                                }
-                                if (req.status == 500) {
-                                    // Check to see if error message tells us to reauthenticate the user
-                                    console.log("CHECKING REAUTH");
-                                }
-                                kc.onAuthRefreshError && kc.onAuthRefreshError();
-                                for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
-                                    p.setError("Failed to refresh token: An unexpected HTTP error occurred while attempting to refresh the token.");
-                                }
-                            }
-                        }
-                    };
-                    req.send(params);
-                }
+                return 'http://localhost';
             }
-        };
-        if (loginIframe.enable) {
-            var iframePromise = checkLoginIframe();
-            iframePromise.then(function () {
-                exec();
-            }).catch(function (error) {
-                promise.setError(error);
-            });
-        }
-        else {
-            exec();
         }
-        return promise.promise;
     };
-    kc.clearToken = function () {
-        if (kc.token) {
-            setToken(null, null, null);
-            kc.onAuthLogout && kc.onAuthLogout();
-            if (kc.loginRequired) {
-                kc.login();
-            }
-        }
-    };
-    // Add the checkThresholdRule function to the Heimdall instance.
-    // This function calls the generic threshold rule processor from the thresholdRules module.
-    kc.checkThresholdRule = function (key, idSubstring, ruleSettings, draftJson) {
-        // Process the threshold rules using the provided parameters and return the result.
-        return processThresholdRules(key, idSubstring, ruleSettings, draftJson);
-    };
-    kc.createCardanoTxDraft = function (txBody) {
-        const txBodyBytes = base64ToBytes(txBody);
-        return bytesToBase64(CreateTideMemory(txBodyBytes, txBodyBytes.length + 4));
-    };
-    kc.sign = async function (signModel, authFlow, draft, authorizers, ruleSetting, expiry) {
-        await kc.ensureTokenReady();
-        const signModelId = signModel.split(":");
-        if (signModelId.length !== 2 || !signModelId[0] || !signModelId[1]) {
-            throw "SignModel is not in the correct format. Expected format: 'ModelName:Version' (e.g. 'UserContext:1').";
-        }
-        const authFlowId = authFlow.split(":");
-        if (authFlowId.length !== 2 || !authFlowId[0] || !authFlowId[1]) {
-            throw "AuthFlow is not in the correct format. Expected format: 'ModelName:Version' (e.g. 'VRK:1').";
-        }
-        const sessKey = GenSessKey();
-        const gSessKey = GetPublic(sessKey);
-        const vvkInfo = await new NetworkClient(config.homeOrkUrl).GetKeyInfo(config.vendorId);
-        ;
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
-        }
-        // Check config
-        if (!Array.isArray(authorizers)) {
-            throw 'Pass authorizers in an array!';
-        }
-        const signRequest = new BaseTideRequest(signModelId[0], signModel[1], authFlow, draft);
-        if (expiry)
-            signRequest.setCustomExpiry(expiry);
-        new AuthorizationBuilder(signRequest, authorizers, ruleSetting).addAuthorization();
-        const signingFlow = new dVVKSigningFlow_DEPRECATED(config.vendorId, vvkInfo.UserPublic, vvkInfo.OrkInfo, sessKey, gSessKey, getVoucherUrl());
-        const result = (await signingFlow.start(signRequest));
-        return result;
-    };
-    kc.signCardanoTx = async function (txBody, authorizers, ruleSettings, expiry) {
-        await kc.ensureTokenReady();
-        const sessKey = GenSessKey();
-        const gSessKey = GetPublic(sessKey);
-        const vvkInfo = await new NetworkClient(config.homeOrkUrl).GetKeyInfo(config.vendorId);
-        ;
-        // Check user authenticated
-        if (!kc.tokenParsed) {
-            throw 'Not authenticated';
-        }
-        // Check config
-        if (!Array.isArray(authorizers)) {
-            throw 'Pass authorizers in an array!';
-        }
-        const cardanoSignRequest = new CardanoTxBodySignRequest("BlindSig:1");
-        cardanoSignRequest.setTxBody(txBody);
-        cardanoSignRequest.serializeDraft();
-        new AuthorizationBuilder(cardanoSignRequest, authorizers, ruleSettings).addAuthorization();
-        cardanoSignRequest.setCustomExpiry(expiry);
-        const txSigningFlow = new dVVKSigningFlow_DEPRECATED(config.vendorId, vvkInfo.UserPublic, vvkInfo.OrkInfo, sessKey, gSessKey, getVoucherUrl());
-        const result = (await txSigningFlow.start(cardanoSignRequest));
-        return bytesToBase64(result[0]);
-    };
-    kc.createRuleSettingsDraft = function (ruleSettings, previousRuleSetting, previousRuleSettingCert) {
-        const ruleReqDraft = new RuleSettingsSignRequest("Admin:1");
-        ruleReqDraft.setNewRuleSetting(StringToUint8Array(ruleSettings));
-        if (previousRuleSetting !== undefined && previousRuleSettingCert !== undefined) {
-            ruleReqDraft.setPreviousRuleSetting(StringToUint8Array(previousRuleSetting));
-            ruleReqDraft.setPreviousRuleSettingCert(base64ToBytes(previousRuleSettingCert));
-        }
-        return bytesToBase64(ruleReqDraft.getDraft());
-    };
-    function getRealmUrl() {
-        if (typeof kc.authServerUrl !== 'undefined') {
-            if (kc.authServerUrl.charAt(kc.authServerUrl.length - 1) == '/') {
-                return kc.authServerUrl + 'realms/' + encodeURIComponent(kc.realm);
-            }
-            else {
-                return kc.authServerUrl + '/realms/' + encodeURIComponent(kc.realm);
-            }
-        }
-        else {
-            return undefined;
-        }
+}, _TideCloak_loadConfig = 
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_loadConfig() {
+    if (typeof __classPrivateFieldGet(this, _TideCloak_config, "f") === 'string') {
+        const jsonConfig = await fetchJsonConfig(__classPrivateFieldGet(this, _TideCloak_config, "f"));
+        this.authServerUrl = jsonConfig['auth-server-url'];
+        this.realm = jsonConfig.realm;
+        this.clientId = jsonConfig.resource;
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupEndpoints).call(this);
     }
-    function getOrigin() {
-        if (!window.location.origin) {
-            return window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port : '');
+    else {
+        this.clientId = __classPrivateFieldGet(this, _TideCloak_config, "f").clientId;
+        if ('oidcProvider' in __classPrivateFieldGet(this, _TideCloak_config, "f")) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_loadOidcConfig).call(this, __classPrivateFieldGet(this, _TideCloak_config, "f").oidcProvider);
         }
         else {
-            return window.location.origin;
+            this.authServerUrl = __classPrivateFieldGet(this, _TideCloak_config, "f").url;
+            this.realm = __classPrivateFieldGet(this, _TideCloak_config, "f").realm;
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupEndpoints).call(this);
         }
     }
-    function processCallback(oauth, promise) {
-        var code = oauth.code;
-        var error = oauth.error;
-        var prompt = oauth.prompt;
-        var timeLocal = new Date().getTime();
-        if (oauth['kc_action_status']) {
-            kc.onActionUpdate && kc.onActionUpdate(oauth['kc_action_status'], oauth['kc_action']);
+}, _TideCloak_setupEndpoints = function _TideCloak_setupEndpoints() {
+    this.endpoints = {
+        authorize: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/auth';
+        },
+        token: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/token';
+        },
+        logout: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/logout';
+        },
+        checkSessionIframe: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/login-status-iframe.html';
+        },
+        thirdPartyCookiesIframe: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/3p-cookies/step1.html';
+        },
+        register: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/registrations';
+        },
+        userinfo: () => {
+            return __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this) + '/protocol/openid-connect/userinfo';
         }
-        if (error) {
-            if (prompt != 'none') {
-                if (oauth.error_description && oauth.error_description === "authentication_expired") {
-                    kc.login(oauth.loginOptions);
-                }
-                else {
-                    var errorData = { error: error, error_description: oauth.error_description };
-                    kc.onAuthError && kc.onAuthError(errorData);
-                    promise && promise.setError(errorData);
-                }
-            }
-            else {
-                promise && promise.setSuccess();
-            }
-            return;
+    };
+}, _TideCloak_loadOidcConfig = 
+/**
+ * @param {string | OpenIdProviderMetadata} oidcProvider
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_loadOidcConfig(oidcProvider) {
+    if (typeof oidcProvider === 'string') {
+        const url = `${stripTrailingSlash(oidcProvider)}/.well-known/openid-configuration`;
+        const openIdConfig = await fetchOpenIdConfig(url);
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupOidcEndpoints).call(this, openIdConfig);
+    }
+    else {
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupOidcEndpoints).call(this, oidcProvider);
+    }
+}, _TideCloak_setupOidcEndpoints = function _TideCloak_setupOidcEndpoints(config) {
+    this.endpoints = {
+        authorize() {
+            return config.authorization_endpoint;
+        },
+        token() {
+            return config.token_endpoint;
+        },
+        logout() {
+            if (!config.end_session_endpoint) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.end_session_endpoint;
+        },
+        checkSessionIframe() {
+            if (!config.check_session_iframe) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.check_session_iframe;
+        },
+        register() {
+            throw new Error('Redirection to "Register user" page not supported in standard OIDC mode');
+        },
+        userinfo() {
+            if (!config.userinfo_endpoint) {
+                throw new Error('Not supported by the OIDC server');
+            }
+            return config.userinfo_endpoint;
         }
-        else if ((kc.flow != 'standard') && (oauth.access_token || oauth.id_token)) {
-            authSuccess(oauth.access_token, null, oauth.id_token, true, oauth.doken);
-        }
-        if ((kc.flow != 'implicit') && code) {
-            var params = 'code=' + code + '&grant_type=authorization_code';
-            var url = kc.endpoints.token();
-            var req = new XMLHttpRequest();
-            req.open('POST', url, true);
-            req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-            params += '&client_id=' + encodeURIComponent(kc.clientId);
-            params += '&redirect_uri=' + oauth.redirectUri;
-            if (oauth.pkceCodeVerifier) {
-                params += '&code_verifier=' + oauth.pkceCodeVerifier;
+    };
+}, _TideCloak_check3pCookiesSupported = 
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_check3pCookiesSupported() {
+    if ((!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable && !this.silentCheckSsoRedirectUri) || typeof this.endpoints.thirdPartyCookiesIframe !== 'function') {
+        return;
+    }
+    const iframe = document.createElement('iframe');
+    iframe.setAttribute('src', this.endpoints.thirdPartyCookiesIframe());
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-3p-check-iframe');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    /** @type {Promise<void>} */
+    const promise = new Promise((resolve) => {
+        /**
+         * @param {MessageEvent} event
+         */
+        const messageCallback = (event) => {
+            if (iframe.contentWindow !== event.source) {
+                return;
             }
-            req.withCredentials = true;
-            req.onreadystatechange = function () {
-                if (req.readyState == 4) {
-                    if (req.status == 200) {
-                        var tokenResponse = JSON.parse(req.responseText);
-                        authSuccess(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], kc.flow === 'standard', tokenResponse['doken']); // added doken field
-                        scheduleCheckIframe();
-                    }
-                    else {
-                        if (req.status == 500) {
-                            // Check to see if error message tells us to reauthenticate the user
-                            console.log("CHECKING REAUTH");
-                        }
-                        kc.onAuthError && kc.onAuthError();
-                        promise && promise.setError();
-                    }
-                }
-            };
-            req.onerror = function () {
-                // Try to log the user in again
-                kc.login({
-                    idpHint: 'tide',
-                    prompt: 'login', // forces them to actually re-enter credentials
-                    redirectUri: window.location.href // send them back to the exact same URL
-                });
-            };
-            req.send(params);
-        }
-        function authSuccess(accessToken, refreshToken, idToken, fulfillPromise, doken = null) {
-            timeLocal = (timeLocal + new Date().getTime()) / 2;
-            setToken(accessToken, refreshToken, idToken, timeLocal, doken);
-            if (useNonce && (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce)) {
-                logInfo('[TIDECLOAK] Invalid nonce, clearing token');
-                kc.clearToken();
-                promise && promise.setError();
+            if (event.data !== 'supported' && event.data !== 'unsupported') {
+                return;
             }
-            else {
-                if (fulfillPromise) {
-                    kc.onAuthSuccess && kc.onAuthSuccess();
-                    promise && promise.setSuccess();
+            else if (event.data === 'unsupported') {
+                __classPrivateFieldGet(this, _TideCloak_logWarn, "f").call(this, '[TIDECLOAK] Your browser is blocking access to 3rd-party cookies, this means:\n\n' +
+                    ' - It is not possible to retrieve tokens without redirecting to the TideCloak server (a.k.a. no support for silent authentication).\n' +
+                    ' - It is not possible to automatically detect changes to the session status (such as the user logging out in another tab).\n\n' +
+                    'For more information see: https://www.keycloak.org/securing-apps/javascript-adapter#_modern_browsers');
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable = false;
+                if (this.silentCheckSsoFallback) {
+                    this.silentCheckSsoRedirectUri = undefined;
                 }
             }
-        }
+            document.body.removeChild(iframe);
+            window.removeEventListener('message', messageCallback);
+            resolve();
+        };
+        window.addEventListener('message', messageCallback, false);
+    });
+    return await applyTimeoutToPromise(promise, this.messageReceiveTimeout, 'Timeout when waiting for 3rd party check iframe message.');
+}, _TideCloak_processInit = 
+/**
+ * @param {KeycloakInitOptions} initOptions
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_processInit(initOptions) {
+    var _a, _b, _c;
+    const callback = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, window.location.href);
+    if (callback === null || callback === void 0 ? void 0 : callback.redirectUri) {
+        window.history.replaceState(window.history.state, '', callback.redirectUri);
     }
-    function loadConfig() {
-        var promise = createPromise();
-        var configUrl;
-        if (typeof config === 'string') {
-            configUrl = config;
-        }
-        function setupOidcEndoints(oidcConfiguration) {
-            if (!oidcConfiguration) {
-                kc.endpoints = {
-                    authorize: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/auth';
-                    },
-                    token: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/token';
-                    },
-                    logout: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/logout';
-                    },
-                    checkSessionIframe: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
-                    },
-                    thirdPartyCookiesIframe: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/3p-cookies/step1.html';
-                    },
-                    register: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/registrations';
-                    },
-                    userinfo: function () {
-                        return getRealmUrl() + '/protocol/openid-connect/userinfo';
-                    }
-                };
-            }
-            else {
-                kc.endpoints = {
-                    authorize: function () {
-                        return oidcConfiguration.authorization_endpoint;
-                    },
-                    token: function () {
-                        return oidcConfiguration.token_endpoint;
-                    },
-                    logout: function () {
-                        if (!oidcConfiguration.end_session_endpoint) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.end_session_endpoint;
-                    },
-                    checkSessionIframe: function () {
-                        if (!oidcConfiguration.check_session_iframe) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.check_session_iframe;
-                    },
-                    register: function () {
-                        throw 'Redirection to "Register user" page not supported in standard OIDC mode';
-                    },
-                    userinfo: function () {
-                        if (!oidcConfiguration.userinfo_endpoint) {
-                            throw "Not supported by the OIDC server";
-                        }
-                        return oidcConfiguration.userinfo_endpoint;
-                    }
-                };
-            }
+    if (callback && callback.valid) {
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+        await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, callback);
+        return;
+    }
+    /** @param {boolean} prompt */
+    const doLogin = async (prompt) => {
+        /** @type {KeycloakLoginOptions} */
+        const options = {};
+        if (!prompt) {
+            options.prompt = 'none';
         }
-        if (configUrl) {
-            var req = new XMLHttpRequest();
-            req.open('GET', configUrl, true);
-            req.setRequestHeader('Accept', 'application/json');
-            req.onreadystatechange = function () {
-                if (req.readyState == 4) {
-                    if (req.status == 200 || fileLoaded(req)) {
-                        var config = JSON.parse(req.responseText);
-                        kc.authServerUrl = config['auth-server-url'];
-                        kc.realm = config['realm'];
-                        kc.clientId = config['resource'];
-                        setupOidcEndoints(null);
-                        promise.setSuccess();
-                    }
-                    else {
-                        promise.setError();
-                    }
-                }
-            };
-            req.send();
+        if (initOptions.locale) {
+            options.locale = initOptions.locale;
         }
-        else {
-            kc.clientId = config.clientId;
-            var oidcProvider = config['oidcProvider'];
-            if (!oidcProvider) {
-                kc.authServerUrl = config.url;
-                kc.realm = config.realm;
-                setupOidcEndoints(null);
-                promise.setSuccess();
-            }
-            else {
-                if (typeof oidcProvider === 'string') {
-                    var oidcProviderConfigUrl;
-                    if (oidcProvider.charAt(oidcProvider.length - 1) == '/') {
-                        oidcProviderConfigUrl = oidcProvider + '.well-known/openid-configuration';
-                    }
-                    else {
-                        oidcProviderConfigUrl = oidcProvider + '/.well-known/openid-configuration';
+        await this.login(options);
+    };
+    const onLoad = async () => {
+        switch (initOptions.onLoad) {
+            case 'check-sso':
+                if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+                    await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+                    const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+                    if (!unchanged) {
+                        this.silentCheckSsoRedirectUri ? await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkSsoSilently).call(this) : await doLogin(false);
                     }
-                    var req = new XMLHttpRequest();
-                    req.open('GET', oidcProviderConfigUrl, true);
-                    req.setRequestHeader('Accept', 'application/json');
-                    req.onreadystatechange = function () {
-                        if (req.readyState == 4) {
-                            if (req.status == 200 || fileLoaded(req)) {
-                                var oidcProviderConfig = JSON.parse(req.responseText);
-                                setupOidcEndoints(oidcProviderConfig);
-                                promise.setSuccess();
-                            }
-                            else {
-                                promise.setError();
-                            }
-                        }
-                    };
-                    req.send();
                 }
                 else {
-                    setupOidcEndoints(oidcProvider);
-                    promise.setSuccess();
+                    this.silentCheckSsoRedirectUri ? await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkSsoSilently).call(this) : await doLogin(false);
                 }
-            }
-        }
-        return promise.promise;
-    }
-    function fileLoaded(xhr) {
-        return xhr.status == 0 && xhr.responseText && xhr.responseURL.startsWith('file:');
-    }
-    function setToken(token, refreshToken, idToken, timeLocal, doken = null) {
-        if (kc.tokenTimeoutHandle) {
-            clearTimeout(kc.tokenTimeoutHandle);
-            kc.tokenTimeoutHandle = null;
-        }
-        if (refreshToken) {
-            kc.refreshToken = refreshToken;
-            kc.refreshTokenParsed = decodeToken(refreshToken);
-        }
-        else {
-            delete kc.refreshToken;
-            delete kc.refreshTokenParsed;
+                break;
+            case 'login-required':
+                await doLogin(true);
+                break;
+            default:
+                throw new Error('Invalid value for onLoad');
         }
-        if (idToken) {
-            kc.idToken = idToken;
-            kc.idTokenParsed = decodeToken(idToken);
+    };
+    if (initOptions.token && initOptions.refreshToken) {
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, initOptions.token, initOptions.refreshToken, initOptions.idToken);
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setupCheckLoginIframe).call(this);
+            const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+            if (unchanged) {
+                (_a = this.onAuthSuccess) === null || _a === void 0 ? void 0 : _a.call(this);
+                __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
+            }
         }
         else {
-            delete kc.idToken;
-            delete kc.idTokenParsed;
-        }
-        if (token) {
-            kc.token = token;
-            kc.tokenParsed = decodeToken(token);
-            kc.sessionId = kc.tokenParsed.sid;
-            kc.authenticated = true;
-            kc.subject = kc.tokenParsed.sub;
-            kc.realmAccess = kc.tokenParsed.realm_access;
-            kc.resourceAccess = kc.tokenParsed.resource_access;
-            if (timeLocal) {
-                kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
+            try {
+                await this.updateToken(-1);
+                (_b = this.onAuthSuccess) === null || _b === void 0 ? void 0 : _b.call(this);
             }
-            if (kc.timeSkew != null) {
-                logInfo('[TIDECLOAK] Estimated time difference between browser and server is ' + kc.timeSkew + ' seconds');
-                if (kc.onTokenExpired) {
-                    var expiresIn = (kc.tokenParsed['exp'] - (new Date().getTime() / 1000) + kc.timeSkew) * 1000;
-                    logInfo('[TIDECLOAK] Token expires in ' + Math.round(expiresIn / 1000) + ' s');
-                    if (expiresIn <= 0) {
-                        kc.onTokenExpired();
-                    }
-                    else {
-                        kc.tokenTimeoutHandle = setTimeout(kc.onTokenExpired, expiresIn);
-                    }
+            catch (error) {
+                (_c = this.onAuthError) === null || _c === void 0 ? void 0 : _c.call(this);
+                if (initOptions.onLoad) {
+                    await onLoad();
+                }
+                else {
+                    throw error;
                 }
             }
         }
-        else {
-            delete kc.token;
-            delete kc.tokenParsed;
-            delete kc.subject;
-            delete kc.realmAccess;
-            delete kc.resourceAccess;
-            kc.authenticated = false;
-        }
-        if (doken) {
-            kc.doken = doken;
-            kc.dokenParsed = decodeToken(doken);
-            // update heimdall's doken too
-            if (kc.requestEnclave)
-                kc.requestEnclave.updateDoken(kc.doken);
-        }
-        else {
-            delete kc.doken;
-        }
     }
-    function createUUID() {
-        if (typeof crypto === "undefined" || typeof crypto.randomUUID === "undefined") {
-            throw new Error("Web Crypto API is not available.");
-        }
-        return crypto.randomUUID();
+    else if (initOptions.onLoad) {
+        await onLoad();
     }
-    function parseCallback(url) {
-        var oauth = parseCallbackUrl(url);
-        if (!oauth) {
+}, _TideCloak_setupCheckLoginIframe = 
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_setupCheckLoginIframe() {
+    if (!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable || __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) {
+        return;
+    }
+    const iframe = document.createElement('iframe');
+    __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe = iframe;
+    iframe.setAttribute('src', this.endpoints.checkSessionIframe());
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-session-iframe');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    /**
+     * @param {MessageEvent} event
+     */
+    const messageCallback = (event) => {
+        var _a;
+        if (event.origin !== __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin || ((_a = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) === null || _a === void 0 ? void 0 : _a.contentWindow) !== event.source) {
             return;
         }
-        var oauthState = callbackStorage.get(oauth.state);
-        if (oauthState) {
-            oauth.valid = true;
-            oauth.redirectUri = oauthState.redirectUri;
-            oauth.storedNonce = oauthState.nonce;
-            oauth.prompt = oauthState.prompt;
-            oauth.pkceCodeVerifier = oauthState.pkceCodeVerifier;
-            oauth.loginOptions = oauthState.loginOptions;
-        }
-        return oauth;
-    }
-    function parseCallbackUrl(url) {
-        var supportedParams;
-        switch (kc.flow) {
-            case 'standard':
-                supportedParams = ['code', 'state', 'session_state', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-            case 'implicit':
-                supportedParams = ['access_token', 'token_type', 'id_token', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-            case 'hybrid':
-                supportedParams = ['access_token', 'token_type', 'id_token', 'code', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss'];
-                break;
-        }
-        supportedParams.push('error');
-        supportedParams.push('error_description');
-        supportedParams.push('error_uri');
-        var queryIndex = url.indexOf('?');
-        var fragmentIndex = url.indexOf('#');
-        var newUrl;
-        var parsed;
-        if (kc.responseMode === 'query' && queryIndex !== -1) {
-            newUrl = url.substring(0, queryIndex);
-            parsed = parseCallbackParams(url.substring(queryIndex + 1, fragmentIndex !== -1 ? fragmentIndex : url.length), supportedParams);
-            if (parsed.paramsString !== '') {
-                newUrl += '?' + parsed.paramsString;
-            }
-            if (fragmentIndex !== -1) {
-                newUrl += url.substring(fragmentIndex);
-            }
+        if (!(event.data === 'unchanged' || event.data === 'changed' || event.data === 'error')) {
+            return;
         }
-        else if (kc.responseMode === 'fragment' && fragmentIndex !== -1) {
-            newUrl = url.substring(0, fragmentIndex);
-            parsed = parseCallbackParams(url.substring(fragmentIndex + 1), supportedParams);
-            if (parsed.paramsString !== '') {
-                newUrl += '#' + parsed.paramsString;
-            }
+        if (event.data !== 'unchanged') {
+            this.clearToken();
         }
-        if (parsed && parsed.oauthParams) {
-            if (kc.flow === 'standard' || kc.flow === 'hybrid') {
-                if ((parsed.oauthParams.code || parsed.oauthParams.error) && parsed.oauthParams.state) {
-                    parsed.oauthParams.newUrl = newUrl;
-                    return parsed.oauthParams;
-                }
+        const callbacks = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList;
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList = [];
+        for (const callback of callbacks.reverse()) {
+            if (event.data === 'error') {
+                callback(new Error('Error while checking login iframe'));
             }
-            else if (kc.flow === 'implicit') {
-                if ((parsed.oauthParams.access_token || parsed.oauthParams.error) && parsed.oauthParams.state) {
-                    parsed.oauthParams.newUrl = newUrl;
-                    return parsed.oauthParams;
-                }
+            else {
+                callback(null, event.data === 'unchanged');
             }
         }
-    }
-    function parseCallbackParams(paramsString, supportedParams) {
-        var p = paramsString.split('&');
-        var result = {
-            paramsString: '',
-            oauthParams: {}
-        };
-        for (var i = 0; i < p.length; i++) {
-            var split = p[i].indexOf("=");
-            var key = p[i].slice(0, split);
-            if (supportedParams.indexOf(key) !== -1) {
-                result.oauthParams[key] = p[i].slice(split + 1);
+    };
+    window.addEventListener('message', messageCallback, false);
+    /** @type {Promise<void>} */
+    const promise = new Promise((resolve) => {
+        iframe.addEventListener('load', () => {
+            const authUrl = this.endpoints.authorize();
+            if (authUrl.startsWith('/')) {
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin = globalThis.location.origin;
             }
             else {
-                if (result.paramsString !== '') {
-                    result.paramsString += '&';
-                }
-                result.paramsString += p[i];
+                __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin = new URL(authUrl).origin;
             }
-        }
-        return result;
-    }
-    function createPromise() {
-        // Need to create a native Promise which also preserves the
-        // interface of the custom promise type previously used by the API
-        var p = {
-            setSuccess: function (result) {
-                p.resolve(result);
-            },
-            setError: function (result) {
-                p.reject(result);
-            }
-        };
-        p.promise = new Promise(function (resolve, reject) {
-            p.resolve = resolve;
-            p.reject = reject;
-        });
-        return p;
-    }
-    // Function to extend existing native Promise with timeout
-    function applyTimeoutToPromise(promise, timeout, errorMessage) {
-        var timeoutHandle = null;
-        var timeoutPromise = new Promise(function (resolve, reject) {
-            timeoutHandle = setTimeout(function () {
-                reject({ "error": errorMessage || "Promise is not settled within timeout of " + timeout + "ms" });
-            }, timeout);
-        });
-        return Promise.race([promise, timeoutPromise]).finally(function () {
-            clearTimeout(timeoutHandle);
+            resolve();
         });
+    });
+    await promise;
+}, _TideCloak_checkLoginIframe = 
+/**
+ * @returns {Promise<boolean | undefined>}
+ */
+async function _TideCloak_checkLoginIframe() {
+    if (!__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe || !__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin) {
+        return;
     }
-    function setupCheckLoginIframe() {
-        var promise = createPromise();
-        if (!loginIframe.enable) {
-            promise.setSuccess();
-            return promise.promise;
-        }
-        if (loginIframe.iframe) {
-            promise.setSuccess();
-            return promise.promise;
-        }
-        var iframe = document.createElement('iframe');
-        loginIframe.iframe = iframe;
-        iframe.onload = function () {
-            var authUrl = kc.endpoints.authorize();
-            if (authUrl.charAt(0) === '/') {
-                loginIframe.iframeOrigin = getOrigin();
-            }
-            else {
-                loginIframe.iframeOrigin = authUrl.substring(0, authUrl.indexOf('/', 8));
-            }
-            promise.setSuccess();
-        };
-        var src = kc.endpoints.checkSessionIframe();
-        iframe.setAttribute('src', src);
-        iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
-        iframe.setAttribute('title', 'keycloak-session-iframe');
-        iframe.style.display = 'none';
-        document.body.appendChild(iframe);
-        var messageCallback = function (event) {
-            if ((event.origin !== loginIframe.iframeOrigin) || (loginIframe.iframe.contentWindow !== event.source)) {
-                return;
-            }
-            if (!(event.data == 'unchanged' || event.data == 'changed' || event.data == 'error')) {
+    const message = `${this.clientId} ${(this.sessionId ? this.sessionId : '')}`;
+    const origin = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframeOrigin;
+    /** @type {Promise<boolean>} */
+    const promise = new Promise((resolve, reject) => {
+        var _a, _b;
+        /** @type {(error: Error | null, value?: boolean) => void} */
+        const callback = (error, result) => error ? reject(error) : resolve(/** @type {boolean} */ (result));
+        __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList.push(callback);
+        if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").callbackList.length === 1) {
+            (_b = (_a = __classPrivateFieldGet(this, _TideCloak_loginIframe, "f").iframe) === null || _a === void 0 ? void 0 : _a.contentWindow) === null || _b === void 0 ? void 0 : _b.postMessage(message, origin);
+        }
+    });
+    return await promise;
+}, _TideCloak_checkSsoSilently = 
+/**
+ * @returns {Promise<void>}
+ */
+async function _TideCloak_checkSsoSilently() {
+    const iframe = document.createElement('iframe');
+    const src = await this.createLoginUrl({ prompt: 'none', redirectUri: this.silentCheckSsoRedirectUri });
+    iframe.setAttribute('src', src);
+    iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
+    iframe.setAttribute('title', 'keycloak-silent-check-sso');
+    iframe.style.display = 'none';
+    document.body.appendChild(iframe);
+    return await new Promise((resolve, reject) => {
+        /**
+         * @param {MessageEvent} event
+         */
+        const messageCallback = async (event) => {
+            if (event.origin !== window.location.origin || iframe.contentWindow !== event.source) {
                 return;
             }
-            if (event.data != 'unchanged') {
-                kc.clearToken();
+            const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallback).call(this, event.data);
+            try {
+                await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_processCallback).call(this, oauth);
+                resolve();
             }
-            var callbacks = loginIframe.callbackList.splice(0, loginIframe.callbackList.length);
-            for (var i = callbacks.length - 1; i >= 0; --i) {
-                var promise = callbacks[i];
-                if (event.data == 'error') {
-                    promise.setError();
-                }
-                else {
-                    promise.setSuccess(event.data == 'unchanged');
-                }
+            catch (error) {
+                reject(error);
             }
+            document.body.removeChild(iframe);
+            window.removeEventListener('message', messageCallback);
         };
-        window.addEventListener('message', messageCallback, false);
-        return promise.promise;
-    }
-    function scheduleCheckIframe() {
-        if (loginIframe.enable) {
-            if (kc.token) {
-                setTimeout(function () {
-                    checkLoginIframe().then(function (unchanged) {
-                        if (unchanged) {
-                            scheduleCheckIframe();
-                        }
-                    });
-                }, loginIframe.interval * 1000);
+        window.addEventListener('message', messageCallback);
+    });
+}, _TideCloak_parseCallback = function _TideCloak_parseCallback(url) {
+    const oauth = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackUrl).call(this, url);
+    if (!oauth) {
+        return;
+    }
+    const oauthState = __classPrivateFieldGet(this, _TideCloak_callbackStorage, "f").get(oauth.state);
+    if (oauthState) {
+        oauth.valid = true;
+        oauth.redirectUri = oauthState.redirectUri;
+        oauth.storedNonce = oauthState.nonce;
+        oauth.prompt = oauthState.prompt;
+        oauth.pkceCodeVerifier = oauthState.pkceCodeVerifier;
+        oauth.loginOptions = oauthState.loginOptions;
+    }
+    return oauth;
+}, _TideCloak_parseCallbackUrl = function _TideCloak_parseCallbackUrl(urlString) {
+    let supportedParams = [];
+    switch (this.flow) {
+        case 'standard':
+            supportedParams = ['code', 'state', 'session_state', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+        case 'implicit':
+            supportedParams = ['access_token', 'token_type', 'id_token', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+        case 'hybrid':
+            supportedParams = ['access_token', 'token_type', 'id_token', 'code', 'state', 'session_state', 'expires_in', 'kc_action_status', 'kc_action', 'iss', 'doken'];
+            break;
+    }
+    supportedParams.push('error');
+    supportedParams.push('error_description');
+    supportedParams.push('error_uri');
+    const url = new URL(urlString);
+    let redirectUri = '';
+    let parsed;
+    if (this.responseMode === 'query' && url.searchParams.size > 0) {
+        parsed = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackParams).call(this, url.search, supportedParams);
+        url.search = parsed.paramsString;
+        redirectUri = url.toString();
+    }
+    else if (this.responseMode === 'fragment' && url.hash.length > 0) {
+        parsed = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_parseCallbackParams).call(this, url.hash.substring(1), supportedParams);
+        url.hash = '';
+        redirectUri = url.toString();
+    }
+    if (parsed === null || parsed === void 0 ? void 0 : parsed.oauthParams) {
+        if (this.flow === 'standard' || this.flow === 'hybrid') {
+            if ((parsed.oauthParams.code || parsed.oauthParams.error) && parsed.oauthParams.state) {
+                parsed.oauthParams.redirectUri = redirectUri;
+                return parsed.oauthParams;
+            }
+        }
+        else if (this.flow === 'implicit') {
+            if ((parsed.oauthParams.access_token || parsed.oauthParams.error) && parsed.oauthParams.state) {
+                parsed.oauthParams.redirectUri = redirectUri;
+                return parsed.oauthParams;
             }
         }
     }
-    function checkLoginIframe() {
-        var promise = createPromise();
-        if (loginIframe.iframe && loginIframe.iframeOrigin) {
-            var msg = kc.clientId + ' ' + (kc.sessionId ? kc.sessionId : '');
-            loginIframe.callbackList.push(promise);
-            var origin = loginIframe.iframeOrigin;
-            if (loginIframe.callbackList.length == 1) {
-                loginIframe.iframe.contentWindow.postMessage(msg, origin);
+}, _TideCloak_parseCallbackParams = function _TideCloak_parseCallbackParams(paramsString, supportedParams) {
+    const params = new URLSearchParams(paramsString);
+    /** @type {Record<string, string>} */
+    const oauthParams = {};
+    for (const [key, value] of Array.from(params.entries())) {
+        if (supportedParams.includes(key)) {
+            oauthParams[key] = value;
+            params.delete(key);
+        }
+    }
+    return {
+        paramsString: params.toString(),
+        oauthParams
+    };
+}, _TideCloak_processCallback = async function _TideCloak_processCallback(oauth) {
+    var _a, _b, _c, _d;
+    const { code, error, prompt, doken } = oauth;
+    let timeLocal = new Date().getTime();
+    /**
+     * @param {string} accessToken
+     * @param {string=} refreshToken
+     * @param {string=} idToken
+     * @param {string=} dokenValue
+     */
+    const authSuccess = (accessToken, refreshToken, idToken, dokenValue) => {
+        timeLocal = (timeLocal + new Date().getTime()) / 2;
+        __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_setToken).call(this, accessToken, refreshToken, idToken, timeLocal, dokenValue);
+        if (__classPrivateFieldGet(this, _TideCloak_useNonce, "f") && (this.idTokenParsed && this.idTokenParsed.nonce !== oauth.storedNonce)) {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Invalid nonce, clearing token');
+            this.clearToken();
+            throw new Error('Invalid nonce.');
+        }
+    };
+    if (oauth.kc_action_status) {
+        this.onActionUpdate && this.onActionUpdate(oauth.kc_action_status, oauth.kc_action);
+    }
+    if (error) {
+        if (prompt !== 'none') {
+            if (oauth.error_description && oauth.error_description === 'authentication_expired') {
+                await this.login(oauth.loginOptions);
+            }
+            else {
+                const errorData = { error, error_description: oauth.error_description };
+                (_a = this.onAuthError) === null || _a === void 0 ? void 0 : _a.call(this, errorData);
+                throw errorData;
             }
         }
-        else {
-            promise.setSuccess();
-        }
-        return promise.promise;
-    }
-    function check3pCookiesSupported() {
-        var promise = createPromise();
-        if ((loginIframe.enable || kc.silentCheckSsoRedirectUri) && typeof kc.endpoints.thirdPartyCookiesIframe === 'function') {
-            var iframe = document.createElement('iframe');
-            iframe.setAttribute('src', kc.endpoints.thirdPartyCookiesIframe());
-            iframe.setAttribute('sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin');
-            iframe.setAttribute('title', 'keycloak-3p-check-iframe');
-            iframe.style.display = 'none';
-            document.body.appendChild(iframe);
-            var messageCallback = function (event) {
-                if (iframe.contentWindow !== event.source) {
-                    return;
-                }
-                if (event.data !== "supported" && event.data !== "unsupported") {
-                    return;
-                }
-                else if (event.data === "unsupported") {
-                    logWarn("[TIDECLOAK] Your browser is blocking access to 3rd-party cookies, this means:\n\n" +
-                        " - It is not possible to retrieve tokens without redirecting to the TideCloak server (a.k.a. no support for silent authentication).\n" +
-                        " - It is not possible to automatically detect changes to the session status (such as the user logging out in another tab).\n\n" +
-                        "For more information see: https://www.keycloak.org/securing-apps/javascript-adapter#_modern_browsers");
-                    loginIframe.enable = false;
-                    if (kc.silentCheckSsoFallback) {
-                        kc.silentCheckSsoRedirectUri = false;
-                    }
-                }
-                document.body.removeChild(iframe);
-                window.removeEventListener("message", messageCallback);
-                promise.setSuccess();
-            };
-            window.addEventListener('message', messageCallback, false);
+        return;
+    }
+    else if ((this.flow !== 'standard') && (oauth.access_token || oauth.id_token)) {
+        authSuccess(oauth.access_token, undefined, oauth.id_token, doken);
+        (_b = this.onAuthSuccess) === null || _b === void 0 ? void 0 : _b.call(this);
+    }
+    if ((this.flow !== 'implicit') && code) {
+        try {
+            const response = await fetchAccessToken(this.endpoints.token(), code, /** @type {string} */ (this.clientId), oauth.redirectUri, oauth.pkceCodeVerifier);
+            authSuccess(response.access_token, response.refresh_token, response.id_token, response.doken);
+            if (this.flow === 'standard') {
+                (_c = this.onAuthSuccess) === null || _c === void 0 ? void 0 : _c.call(this);
+            }
+            __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
         }
-        else {
-            promise.setSuccess();
+        catch (error) {
+            (_d = this.onAuthError) === null || _d === void 0 ? void 0 : _d.call(this);
+            throw error;
         }
-        return applyTimeoutToPromise(promise.promise, kc.messageReceiveTimeout, "Timeout when waiting for 3rd party check iframe message.");
     }
-    function loadAdapter(type) {
-        if (!type || type == 'default') {
-            return {
-                login: async function (options) {
-                    window.location.assign(await kc.createLoginUrl(options));
-                    return createPromise().promise;
-                },
-                logout: async function (options) {
-                    var _a;
-                    const logoutMethod = (_a = options === null || options === void 0 ? void 0 : options.logoutMethod) !== null && _a !== void 0 ? _a : kc.logoutMethod;
-                    if (logoutMethod === "GET") {
-                        window.location.replace(kc.createLogoutUrl(options));
-                        return;
-                    }
-                    // Create form to send POST request.
-                    const form = document.createElement("form");
-                    form.setAttribute("method", "POST");
-                    form.setAttribute("action", kc.createLogoutUrl(options));
-                    form.style.display = "none";
-                    // Add data to form as hidden input fields.
-                    const data = {
-                        id_token_hint: kc.idToken,
-                        client_id: kc.clientId,
-                        post_logout_redirect_uri: adapter.redirectUri(options, false)
-                    };
-                    for (const [name, value] of Object.entries(data)) {
-                        const input = document.createElement("input");
-                        input.setAttribute("type", "hidden");
-                        input.setAttribute("name", name);
-                        input.setAttribute("value", value);
-                        form.appendChild(input);
-                    }
-                    // Append form to page and submit it to perform logout and redirect.
-                    document.body.appendChild(form);
-                    form.submit();
-                },
-                register: async function (options) {
-                    window.location.assign(await kc.createRegisterUrl(options));
-                    return createPromise().promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        window.location.href = accountUrl;
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                    return createPromise().promise;
-                },
-                redirectUri: function (options, encodeHash) {
-                    if (arguments.length == 1) {
-                        encodeHash = true;
-                    }
-                    if (options && options.redirectUri) {
-                        return options.redirectUri;
-                    }
-                    else if (kc.redirectUri) {
-                        return kc.redirectUri;
-                    }
-                    else {
-                        return location.href;
-                    }
-                }
-            };
+}, _TideCloak_scheduleCheckIframe = async function _TideCloak_scheduleCheckIframe() {
+    if (__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").enable && this.token) {
+        await waitForTimeout(__classPrivateFieldGet(this, _TideCloak_loginIframe, "f").interval * 1000);
+        const unchanged = await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_checkLoginIframe).call(this);
+        if (unchanged) {
+            await __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_scheduleCheckIframe).call(this);
         }
-        if (type == 'cordova') {
-            loginIframe.enable = false;
-            var cordovaOpenWindowWrapper = function (loginUrl, target, options) {
-                if (window.cordova && window.cordova.InAppBrowser) {
-                    // Use inappbrowser for IOS and Android if available
-                    return window.cordova.InAppBrowser.open(loginUrl, target, options);
-                }
-                else {
-                    return window.open(loginUrl, target, options);
-                }
-            };
-            var shallowCloneCordovaOptions = function (userOptions) {
-                if (userOptions && userOptions.cordovaOptions) {
-                    return Object.keys(userOptions.cordovaOptions).reduce(function (options, optionName) {
-                        options[optionName] = userOptions.cordovaOptions[optionName];
-                        return options;
-                    }, {});
+    }
+}, _TideCloak_getVoucherUrl = function _TideCloak_getVoucherUrl() {
+    if (!this.tokenParsed)
+        throw new Error('User authentication required to access voucher service');
+    const sid = this.tokenParsed['sid'];
+    const realmUrl = __classPrivateFieldGet(this, _TideCloak_instances, "m", _TideCloak_getRealmUrl).call(this);
+    if (!realmUrl)
+        throw new Error('Unable to build voucher URL, realm URL not configured');
+    return `${realmUrl}/tidevouchers/fromUserSession?sessionId=${encodeURIComponent(sid)}`;
+}, _TideCloak_setToken = function _TideCloak_setToken(token, refreshToken, idToken, timeLocal, doken) {
+    if (this.tokenTimeoutHandle) {
+        clearTimeout(this.tokenTimeoutHandle);
+        this.tokenTimeoutHandle = undefined;
+    }
+    if (refreshToken) {
+        this.refreshToken = refreshToken;
+        this.refreshTokenParsed = decodeToken(refreshToken);
+    }
+    else {
+        delete this.refreshToken;
+        delete this.refreshTokenParsed;
+    }
+    if (idToken) {
+        this.idToken = idToken;
+        this.idTokenParsed = decodeToken(idToken);
+    }
+    else {
+        delete this.idToken;
+        delete this.idTokenParsed;
+    }
+    if (token) {
+        this.token = token;
+        this.tokenParsed = decodeToken(token);
+        this.sessionId = this.tokenParsed.sid;
+        this.authenticated = true;
+        this.subject = this.tokenParsed.sub;
+        this.realmAccess = this.tokenParsed.realm_access;
+        this.resourceAccess = this.tokenParsed.resource_access;
+        if (timeLocal) {
+            this.timeSkew = Math.floor(timeLocal / 1000) - this.tokenParsed.iat;
+        }
+        if (typeof this.timeSkew === 'number') {
+            __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Estimated time difference between browser and server is ' + this.timeSkew + ' seconds');
+            if (this.onTokenExpired) {
+                const expiresIn = (this.tokenParsed.exp - (new Date().getTime() / 1000) + this.timeSkew) * 1000;
+                __classPrivateFieldGet(this, _TideCloak_logInfo, "f").call(this, '[TIDECLOAK] Token expires in ' + Math.round(expiresIn / 1000) + ' s');
+                if (expiresIn <= 0) {
+                    this.onTokenExpired();
                 }
                 else {
-                    return {};
-                }
-            };
-            var formatCordovaOptions = function (cordovaOptions) {
-                return Object.keys(cordovaOptions).reduce(function (options, optionName) {
-                    options.push(optionName + "=" + cordovaOptions[optionName]);
-                    return options;
-                }, []).join(",");
-            };
-            var createCordovaOptions = function (userOptions) {
-                var cordovaOptions = shallowCloneCordovaOptions(userOptions);
-                cordovaOptions.location = 'no';
-                if (userOptions && userOptions.prompt == 'none') {
-                    cordovaOptions.hidden = 'yes';
-                }
-                return formatCordovaOptions(cordovaOptions);
-            };
-            var getCordovaRedirectUri = function () {
-                return kc.redirectUri || 'http://localhost';
-            };
-            return {
-                login: async function (options) {
-                    var promise = createPromise();
-                    var cordovaOptions = createCordovaOptions(options);
-                    var loginUrl = await kc.createLoginUrl(options);
-                    var ref = cordovaOpenWindowWrapper(loginUrl, '_blank', cordovaOptions);
-                    var completed = false;
-                    var closed = false;
-                    var closeBrowser = function () {
-                        closed = true;
-                        ref.close();
-                    };
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            var callback = parseCallback(event.url);
-                            processCallback(callback, promise);
-                            closeBrowser();
-                            completed = true;
-                        }
-                    });
-                    ref.addEventListener('loaderror', function (event) {
-                        if (!completed) {
-                            if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                                var callback = parseCallback(event.url);
-                                processCallback(callback, promise);
-                                closeBrowser();
-                                completed = true;
-                            }
-                            else {
-                                promise.setError();
-                                closeBrowser();
-                            }
-                        }
-                    });
-                    ref.addEventListener('exit', function (event) {
-                        if (!closed) {
-                            promise.setError({
-                                reason: "closed_by_user"
-                            });
-                        }
-                    });
-                    return promise.promise;
-                },
-                logout: function (options) {
-                    var promise = createPromise();
-                    var logoutUrl = kc.createLogoutUrl(options);
-                    var ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes,clearcache=yes');
-                    var error;
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                        }
-                    });
-                    ref.addEventListener('loaderror', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                        }
-                        else {
-                            error = true;
-                            ref.close();
-                        }
-                    });
-                    ref.addEventListener('exit', function (event) {
-                        if (error) {
-                            promise.setError();
-                        }
-                        else {
-                            kc.clearToken();
-                            promise.setSuccess();
-                        }
-                    });
-                    return promise.promise;
-                },
-                register: async function (options) {
-                    var promise = createPromise();
-                    var registerUrl = await kc.createRegisterUrl();
-                    var cordovaOptions = createCordovaOptions(options);
-                    var ref = cordovaOpenWindowWrapper(registerUrl, '_blank', cordovaOptions);
-                    ref.addEventListener('loadstart', function (event) {
-                        if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                            ref.close();
-                            var oauth = parseCallback(event.url);
-                            processCallback(oauth, promise);
-                        }
-                    });
-                    return promise.promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        var ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
-                        ref.addEventListener('loadstart', function (event) {
-                            if (event.url.indexOf(getCordovaRedirectUri()) == 0) {
-                                ref.close();
-                            }
-                        });
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                },
-                redirectUri: function (options) {
-                    return getCordovaRedirectUri();
+                    this.tokenTimeoutHandle = window.setTimeout(this.onTokenExpired, expiresIn);
                 }
-            };
-        }
-        if (type == 'cordova-native') {
-            loginIframe.enable = false;
-            return {
-                login: async function (options) {
-                    var promise = createPromise();
-                    var loginUrl = await kc.createLoginUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        var oauth = parseCallback(event.url);
-                        processCallback(oauth, promise);
-                    });
-                    window.cordova.plugins.browsertab.openUrl(loginUrl);
-                    return promise.promise;
-                },
-                logout: function (options) {
-                    var promise = createPromise();
-                    var logoutUrl = kc.createLogoutUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        kc.clearToken();
-                        promise.setSuccess();
-                    });
-                    window.cordova.plugins.browsertab.openUrl(logoutUrl);
-                    return promise.promise;
-                },
-                register: async function (options) {
-                    var promise = createPromise();
-                    var registerUrl = await kc.createRegisterUrl(options);
-                    universalLinks.subscribe('keycloak', function (event) {
-                        universalLinks.unsubscribe('keycloak');
-                        window.cordova.plugins.browsertab.close();
-                        var oauth = parseCallback(event.url);
-                        processCallback(oauth, promise);
-                    });
-                    window.cordova.plugins.browsertab.openUrl(registerUrl);
-                    return promise.promise;
-                },
-                accountManagement: function () {
-                    var accountUrl = kc.createAccountUrl();
-                    if (typeof accountUrl !== 'undefined') {
-                        window.cordova.plugins.browsertab.openUrl(accountUrl);
-                    }
-                    else {
-                        throw "Not supported by the OIDC server";
-                    }
-                },
-                redirectUri: function (options) {
-                    if (options && options.redirectUri) {
-                        return options.redirectUri;
-                    }
-                    else if (kc.redirectUri) {
-                        return kc.redirectUri;
-                    }
-                    else {
-                        return "http://localhost";
-                    }
-                }
-            };
+            }
         }
-        throw 'invalid adapter type: ' + type;
     }
-    const STORAGE_KEY_PREFIX = 'kc-callback-';
-    var LocalStorage = function () {
-        if (!(this instanceof LocalStorage)) {
-            return new LocalStorage();
+    else {
+        delete this.token;
+        delete this.tokenParsed;
+        delete this.subject;
+        delete this.realmAccess;
+        delete this.resourceAccess;
+        this.authenticated = false;
+    }
+    // Tide doken handling
+    if (doken) {
+        this.doken = doken;
+        this.dokenParsed = decodeToken(doken);
+        if (this.requestEnclave && typeof this.requestEnclave.updateDoken === 'function') {
+            this.requestEnclave.updateDoken(this.doken);
         }
-        localStorage.setItem('kc-test', 'test');
-        localStorage.removeItem('kc-test');
-        var cs = this;
-        /**
-         * Clears all values from local storage that are no longer valid.
-         */
-        function clearInvalidValues() {
-            const currentTime = Date.now();
-            for (const [key, value] of getStoredEntries()) {
-                // Attempt to parse the expiry time from the value.
-                const expiry = parseExpiry(value);
-                // Discard the value if it is malformed or expired.
-                if (expiry === null || expiry < currentTime) {
-                    localStorage.removeItem(key);
-                }
-            }
+    }
+    else {
+        delete this.doken;
+        delete this.dokenParsed;
+        if (this.requestEnclave && typeof this.requestEnclave.updateDoken === 'function') {
+            this.requestEnclave.updateDoken(undefined);
         }
-        /**
-         * Clears all known values from local storage.
-         */
-        function clearAllValues() {
-            for (const [key] of getStoredEntries()) {
-                localStorage.removeItem(key);
-            }
+    }
+}, _TideCloak_getRealmUrl = function _TideCloak_getRealmUrl() {
+    if (typeof this.authServerUrl === 'undefined') {
+        return;
+    }
+    return `${stripTrailingSlash(this.authServerUrl)}/realms/${encodeURIComponent(/** @type {string} */ (this.realm))}`;
+}, _TideCloak_createLogger = function _TideCloak_createLogger(fn) {
+    return (message) => {
+        if (this.enableLogging) {
+            fn.call(console, message);
         }
-        /**
-         * Gets all entries stored in local storage that are known to be managed by this class.
-         * @returns {Array<[string, unknown]>} An array of key-value pairs.
-         */
-        function getStoredEntries() {
-            return Object.entries(localStorage).filter(([key]) => key.startsWith(STORAGE_KEY_PREFIX));
+    };
+};
+export default TideCloak;
+/**
+ * @returns {string}
+ */
+function createUUID() {
+    if (typeof crypto === 'undefined' || typeof crypto.randomUUID === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
+    }
+    return crypto.randomUUID();
+}
+/**
+ * @param {Acr} requestedAcr
+ * @returns {string}
+ */
+function buildClaimsParameter(requestedAcr) {
+    return JSON.stringify({
+        id_token: {
+            acr: requestedAcr
         }
-        /**
-         * Parses the expiry time from a value stored in local storage.
-         * @param {unknown} value
-         * @returns {number | null} The expiry time in milliseconds, or `null` if the value is malformed.
-         */
-        function parseExpiry(value) {
-            let parsedValue;
-            // Attempt to parse the value as JSON.
-            try {
-                parsedValue = JSON.parse(value);
-            }
-            catch (error) {
-                return null;
-            }
-            // Attempt to extract the 'expires' property.
-            if (isObject(parsedValue) && 'expires' in parsedValue && typeof parsedValue.expires === 'number') {
-                return parsedValue.expires;
-            }
+    });
+}
+/**
+ * @param {number} len
+ * @returns {string}
+ */
+function generateCodeVerifier(len) {
+    return generateRandomString(len, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+}
+/**
+ * @param {string} pkceMethod
+ * @param {string} codeVerifier
+ * @returns {Promise<string>}
+ */
+async function generatePkceChallenge(pkceMethod, codeVerifier) {
+    if (pkceMethod !== 'S256') {
+        throw new TypeError(`Invalid value for 'pkceMethod', expected 'S256' but got '${pkceMethod}'.`);
+    }
+    // hash codeVerifier, then encode as url-safe base64 without padding
+    const hashBytes = new Uint8Array(await sha256Digest(codeVerifier));
+    const encodedHash = bytesToBase64(hashBytes)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+    return encodedHash;
+}
+/**
+ * @param {number} len
+ * @param {string} alphabet
+ * @returns {string}
+ */
+function generateRandomString(len, alphabet) {
+    const randomData = generateRandomData(len);
+    const chars = new Array(len);
+    for (let i = 0; i < len; i++) {
+        chars[i] = alphabet.charCodeAt(randomData[i] % alphabet.length);
+    }
+    return String.fromCharCode.apply(null, chars);
+}
+/**
+ * @param {number} len
+ * @returns {Uint8Array<ArrayBuffer>}
+ */
+function generateRandomData(len) {
+    if (typeof crypto === 'undefined' || typeof crypto.getRandomValues === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
+    }
+    return crypto.getRandomValues(new Uint8Array(len));
+}
+/**
+ * Function to extend existing native Promise with timeout
+ *
+ * @template T
+ * @param {Promise<T>} promise
+ * @param {number} timeout
+ * @param {string} errorMessage
+ * @returns {Promise<T>}
+ */
+function applyTimeoutToPromise(promise, timeout, errorMessage) {
+    /** @type {number} */
+    let timeoutHandle;
+    const timeoutPromise = new Promise(function (resolve, reject) {
+        timeoutHandle = window.setTimeout(function () {
+            reject(new Error(errorMessage || 'Promise is not settled within timeout of ' + timeout + 'ms'));
+        }, timeout);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(function () {
+        clearTimeout(timeoutHandle);
+    });
+}
+/**
+ * @returns {CallbackStorage}
+ */
+function createCallbackStorage() {
+    try {
+        return new LocalStorage();
+    }
+    catch (err) {
+        return new CookieStorage();
+    }
+}
+const STORAGE_KEY_PREFIX = 'kc-callback-';
+/**
+ * @typedef {Object} CallbackState
+ * @property {string} state
+ * @property {string} nonce
+ * @property {string} redirectUri
+ * @property {KeycloakLoginOptions} [loginOptions]
+ * @property {KeycloakLoginOptions['prompt']} [prompt]
+ * @property {string} [pkceCodeVerifier]
+ */
+/**
+ * @typedef {Object} CallbackStorage
+ * @property {(state?: string) => CallbackState | null} get
+ * @property {(state: CallbackState) => void} add
+ */
+/**
+ * @implements {CallbackStorage}
+ */
+class LocalStorage {
+    constructor() {
+        _LocalStorage_instances.add(this);
+        globalThis.localStorage.setItem('kc-test', 'test');
+        globalThis.localStorage.removeItem('kc-test');
+    }
+    /**
+     * @param {string} [state]
+     * @returns {CallbackState | null}
+     */
+    get(state) {
+        if (!state) {
             return null;
         }
-        cs.get = function (state) {
-            if (!state) {
-                return;
-            }
-            var key = STORAGE_KEY_PREFIX + state;
-            var value = localStorage.getItem(key);
-            if (value) {
-                localStorage.removeItem(key);
-                value = JSON.parse(value);
-            }
-            clearInvalidValues();
-            return value;
-        };
-        cs.add = function (state) {
-            clearInvalidValues();
-            const key = STORAGE_KEY_PREFIX + state.state;
-            const value = JSON.stringify({
-                ...state,
-                // Set the expiry time to 1 hour from now.
-                expires: Date.now() + (60 * 60 * 1000)
-            });
-            try {
-                localStorage.setItem(key, value);
-            }
-            catch (error) {
-                // If the storage is full, clear all known values and try again.
-                clearAllValues();
-                localStorage.setItem(key, value);
-            }
-        };
-    };
-    var CookieStorage = function () {
-        if (!(this instanceof CookieStorage)) {
-            return new CookieStorage();
+        __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearInvalidValues).call(this);
+        const key = STORAGE_KEY_PREFIX + state;
+        const value = globalThis.localStorage.getItem(key);
+        if (value) {
+            globalThis.localStorage.removeItem(key);
+            return JSON.parse(value);
         }
-        var cs = this;
-        cs.get = function (state) {
-            if (!state) {
-                return;
-            }
-            var value = getCookie(STORAGE_KEY_PREFIX + state);
-            setCookie(STORAGE_KEY_PREFIX + state, '', cookieExpiration(-100));
-            if (value) {
-                return JSON.parse(value);
-            }
-        };
-        cs.add = function (state) {
-            setCookie(STORAGE_KEY_PREFIX + state.state, JSON.stringify(state), cookieExpiration(60));
-        };
-        cs.removeItem = function (key) {
-            setCookie(key, '', cookieExpiration(-100));
-        };
-        var cookieExpiration = function (minutes) {
-            var exp = new Date();
-            exp.setTime(exp.getTime() + (minutes * 60 * 1000));
-            return exp;
-        };
-        var getCookie = function (key) {
-            var name = key + '=';
-            var ca = document.cookie.split(';');
-            for (var i = 0; i < ca.length; i++) {
-                var c = ca[i];
-                while (c.charAt(0) == ' ') {
-                    c = c.substring(1);
-                }
-                if (c.indexOf(name) == 0) {
-                    return c.substring(name.length, c.length);
-                }
-            }
-            return '';
-        };
-        var setCookie = function (key, value, expirationDate) {
-            var cookie = key + '=' + value + '; '
-                + 'expires=' + expirationDate.toUTCString() + '; ';
-            document.cookie = cookie;
-        };
-    };
-    function createCallbackStorage() {
+        return null;
+    }
+    ;
+    /**
+     * @param {CallbackState} state
+     */
+    add(state) {
+        __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearInvalidValues).call(this);
+        const key = STORAGE_KEY_PREFIX + state.state;
+        const value = JSON.stringify({
+            ...state,
+            // Set the expiry time to 1 hour from now.
+            expires: Date.now() + (60 * 60 * 1000)
+        });
         try {
-            return new LocalStorage();
+            globalThis.localStorage.setItem(key, value);
         }
-        catch (err) {
+        catch (error) {
+            // If the storage is full, clear all known values and try again.
+            __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_clearAllValues).call(this);
+            globalThis.localStorage.setItem(key, value);
         }
-        return new CookieStorage();
     }
-    function createLogger(fn) {
-        return function () {
-            if (kc.enableLogging) {
-                fn.apply(console, Array.prototype.slice.call(arguments));
-            }
-        };
+    ;
+}
+_LocalStorage_instances = new WeakSet(), _LocalStorage_clearInvalidValues = function _LocalStorage_clearInvalidValues() {
+    const currentTime = Date.now();
+    for (const [key, value] of __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_getStoredEntries).call(this)) {
+        // Attempt to parse the expiry time from the value.
+        const expiry = __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_parseExpiry).call(this, value);
+        // Discard the value if it is malformed or expired.
+        if (expiry === null || expiry < currentTime) {
+            globalThis.localStorage.removeItem(key);
+        }
+    }
+}, _LocalStorage_clearAllValues = function _LocalStorage_clearAllValues() {
+    for (const [key] of __classPrivateFieldGet(this, _LocalStorage_instances, "m", _LocalStorage_getStoredEntries).call(this)) {
+        globalThis.localStorage.removeItem(key);
+    }
+}, _LocalStorage_getStoredEntries = function _LocalStorage_getStoredEntries() {
+    return Object.entries(globalThis.localStorage).filter(([key]) => key.startsWith(STORAGE_KEY_PREFIX));
+}, _LocalStorage_parseExpiry = function _LocalStorage_parseExpiry(value) {
+    let parsedValue;
+    // Attempt to parse the value as JSON.
+    try {
+        parsedValue = JSON.parse(value);
+    }
+    catch (error) {
+        return null;
+    }
+    // Attempt to extract the 'expires' property.
+    if (isObject(parsedValue) && 'expires' in parsedValue && typeof parsedValue.expires === 'number') {
+        return parsedValue.expires;
+    }
+    return null;
+};
+/**
+ * @implements {CallbackStorage}
+ */
+class CookieStorage {
+    constructor() {
+        _CookieStorage_instances.add(this);
+    }
+    /**
+     * @param {string} [state]
+     * @returns {CallbackState | null}
+     */
+    get(state) {
+        if (!state) {
+            return null;
+        }
+        const value = __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_getCookie).call(this, STORAGE_KEY_PREFIX + state);
+        __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_setCookie).call(this, STORAGE_KEY_PREFIX + state, '', __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_cookieExpiration).call(this, -100));
+        if (value) {
+            return JSON.parse(value);
+        }
+        return null;
+    }
+    /**
+     * @param {CallbackState} state
+     */
+    add(state) {
+        __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_setCookie).call(this, STORAGE_KEY_PREFIX + state.state, JSON.stringify(state), __classPrivateFieldGet(this, _CookieStorage_instances, "m", _CookieStorage_cookieExpiration).call(this, 60));
     }
 }
-export default TideCloak;
-export { RequestEnclave, ApprovalEnclave } from "heimdall-tide";
+_CookieStorage_instances = new WeakSet(), _CookieStorage_getCookie = function _CookieStorage_getCookie(key) {
+    const name = key + '=';
+    const ca = document.cookie.split(';');
+    for (let i = 0; i < ca.length; i++) {
+        let c = ca[i];
+        while (c.charAt(0) === ' ') {
+            c = c.substring(1);
+        }
+        if (c.indexOf(name) === 0) {
+            return c.substring(name.length, c.length);
+        }
+    }
+    return '';
+}, _CookieStorage_setCookie = function _CookieStorage_setCookie(key, value, expirationDate) {
+    const cookie = key + '=' + value + '; ' +
+        'expires=' + expirationDate.toUTCString() + '; ';
+    document.cookie = cookie;
+}, _CookieStorage_cookieExpiration = function _CookieStorage_cookieExpiration(minutes) {
+    const exp = new Date();
+    exp.setTime(exp.getTime() + (minutes * 60 * 1000));
+    return exp;
+};
 /**
- * @param {ArrayBuffer} bytes
+ * @param {Uint8Array<ArrayBuffer>} bytes
  * @see https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
  */
 function bytesToBase64(bytes) {
@@ -1826,15 +1809,12 @@ function bytesToBase64(bytes) {
 /**
  * @param {string} base64
  * @returns {Uint8Array}
- * @see https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
  */
 function base64ToBytes(base64) {
-    // Decode to “binary” JS string where each char’s code point 0–255 is one byte
     const binString = atob(base64);
     const len = binString.length;
     const bytes = new Uint8Array(len);
     for (let i = 0; i < len; i++) {
-        // codePointAt is safe here because each char was originally from 0–255
         bytes[i] = binString.codePointAt(i);
     }
     return bytes;
@@ -1846,31 +1826,32 @@ function base64ToBytes(base64) {
 async function sha256Digest(message) {
     const encoder = new TextEncoder();
     const data = encoder.encode(message);
-    if (typeof crypto === "undefined" || typeof crypto.subtle === "undefined") {
-        throw new Error("Web Crypto API is not available.");
+    if (typeof crypto === 'undefined' || typeof crypto.subtle === 'undefined') {
+        throw new Error('Web Crypto API is not available.');
     }
-    return await crypto.subtle.digest("SHA-256", data);
+    return await crypto.subtle.digest('SHA-256', data);
 }
 /**
  * @param {string} token
+ * @returns {KeycloakTokenParsed}
  */
 function decodeToken(token) {
-    const [header, payload] = token.split(".");
-    if (typeof payload !== "string") {
-        throw new Error("Unable to decode token, payload not found.");
+    const [, payload] = token.split('.');
+    if (typeof payload !== 'string') {
+        throw new Error('Unable to decode token, payload not found.');
     }
     let decoded;
     try {
         decoded = base64UrlDecode(payload);
     }
     catch (error) {
-        throw new Error("Unable to decode token, payload is not a valid Base64URL value.", { cause: error });
+        throw new Error('Unable to decode token, payload is not a valid Base64URL value.', { cause: error });
     }
     try {
         return JSON.parse(decoded);
     }
     catch (error) {
-        throw new Error("Unable to decode token, payload is not a valid JSON value.", { cause: error });
+        throw new Error('Unable to decode token, payload is not a valid JSON value.', { cause: error });
     }
 }
 /**
@@ -1878,19 +1859,19 @@ function decodeToken(token) {
  */
 function base64UrlDecode(input) {
     let output = input
-        .replaceAll("-", "+")
-        .replaceAll("_", "/");
+        .replaceAll('-', '+')
+        .replaceAll('_', '/');
     switch (output.length % 4) {
         case 0:
             break;
         case 2:
-            output += "==";
+            output += '==';
             break;
         case 3:
-            output += "=";
+            output += '=';
             break;
         default:
-            throw new Error("Input is not of the correct length.");
+            throw new Error('Input is not of the correct length.');
     }
     try {
         return b64DecodeUnicode(output);
@@ -1906,9 +1887,9 @@ function b64DecodeUnicode(input) {
     return decodeURIComponent(atob(input).replace(/(.)/g, (m, p) => {
         let code = p.charCodeAt(0).toString(16).toUpperCase();
         if (code.length < 2) {
-            code = "0" + code;
+            code = '0' + code;
         }
-        return "%" + code;
+        return '%' + code;
     }));
 }
 /**
@@ -1918,8 +1899,152 @@ function b64DecodeUnicode(input) {
 function isObject(input) {
     return typeof input === 'object' && input !== null;
 }
-export function getHumanReadableObject(modelId, data, expiry) {
-    return ModelRegistry.getHumanReadableModelBuilder(modelId, data, expiry).getHumanReadableObject();
+/**
+ * @typedef {Object} JsonConfig The JSON version of the adapter configuration.
+ * @property {string} auth-server-url The URL of the authentication server.
+ * @property {string} realm The name of the realm.
+ * @property {string} resource The name of the resource, usually the client ID.
+ */
+/**
+ * Fetch the adapter configuration from the given URL.
+ * @param {string} url
+ * @returns {Promise<JsonConfig>}
+ */
+async function fetchJsonConfig(url) {
+    return await fetchJSON(url);
+}
+/**
+ * Fetch the OpenID configuration from the given URL.
+ * @param {string} url
+ * @returns {Promise<OpenIdProviderMetadata>}
+ */
+async function fetchOpenIdConfig(url) {
+    return await fetchJSON(url);
+}
+/**
+ * @typedef {Object} AccessTokenResponse The successful token response from the authorization server, based on the {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.1 OAuth 2.0 Authorization Framework specification}.
+ * @property {string} access_token The access token issued by the authorization server.
+ * @property {string} token_type The type of the token issued by the authorization server.
+ * @property {number} [expires_in] The lifetime in seconds of the access token.
+ * @property {string} [refresh_token] The refresh token issued by the authorization server.
+ * @property {string} [id_token] The ID token issued by the authorization server, if requested.
+ * @property {string} [scope] The scope of the access token.
+ */
+/**
+ * Fetch the access token from the given URL.
+ * @param {string} url
+ * @param {string} code
+ * @param {string} clientId
+ * @param {string} redirectUri
+ * @param {string} [pkceCodeVerifier]
+ * @returns {Promise<AccessTokenResponse>}
+ */
+async function fetchAccessToken(url, code, clientId, redirectUri, pkceCodeVerifier) {
+    const body = new URLSearchParams([
+        ['code', code],
+        ['grant_type', 'authorization_code'],
+        ['client_id', clientId],
+        ['redirect_uri', stripHash(redirectUri)]
+    ]);
+    if (pkceCodeVerifier) {
+        body.append('code_verifier', pkceCodeVerifier);
+    }
+    return await fetchJSON(url, {
+        method: 'POST',
+        credentials: 'include',
+        body
+    });
+}
+/**
+ * Fetch the refresh token from the given URL.
+ * @param {string} url
+ * @param {string} refreshToken
+ * @param {string} clientId
+ * @returns {Promise<AccessTokenResponse>}
+ */
+async function fetchRefreshToken(url, refreshToken, clientId) {
+    const body = new URLSearchParams([
+        ['grant_type', 'refresh_token'],
+        ['refresh_token', refreshToken],
+        ['client_id', clientId]
+    ]);
+    return await fetchJSON(url, {
+        method: 'POST',
+        credentials: 'include',
+        body
+    });
+}
+/**
+ * @template [T=unknown]
+ * @param {string} url
+ * @param {RequestInit} init
+ * @returns {Promise<T>}
+ */
+async function fetchJSON(url, init = {}) {
+    const headers = new Headers(init.headers);
+    headers.set('Accept', CONTENT_TYPE_JSON);
+    const response = await fetchWithErrorHandling(url, {
+        ...init,
+        headers
+    });
+    return await response.json();
+}
+/**
+ * @param {string} url
+ * @param {RequestInit} [init]
+ * @returns {Promise<Response>}
+ */
+async function fetchWithErrorHandling(url, init) {
+    const response = await fetch(url, init);
+    if (!response.ok) {
+        throw new NetworkError('Server responded with an invalid status.', { response });
+    }
+    return response;
+}
+/**
+ * @param {string} [token]
+ * @returns {[string, string]}
+ */
+function buildAuthorizationHeader(token) {
+    if (!token) {
+        throw new Error('Unable to build authorization header, token is not set, make sure the user is authenticated.');
+    }
+    return ['Authorization', `bearer ${token}`];
 }
-export { bytesToBase64, base64ToBytes } from "../modules/tide-js/Cryptide/Serialization.js";
+/**
+ * @param {string} url
+ * @returns {string}
+ */
+function stripTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+/**
+ * @param {string} url
+ * @returns {string}
+ */
+function stripHash(url) {
+    const parsedUrl = new URL(url);
+    parsedUrl.hash = '';
+    return parsedUrl.toString();
+}
+/**
+ * @typedef {Object} NetworkErrorOptionsProperties
+ * @property {Response} response
+ * @typedef {ErrorOptions & NetworkErrorOptionsProperties} NetworkErrorOptions
+ */
+export class NetworkError extends Error {
+    /**
+     * @param {string} message
+     * @param {NetworkErrorOptions} options
+     */
+    constructor(message, options) {
+        super(message, options);
+        this.response = options.response;
+    }
+}
+/**
+ * @param {number} delay
+ * @returns {Promise<void>}
+ */
+const waitForTimeout = (delay) => new Promise((resolve) => setTimeout(resolve, delay));
 //# sourceMappingURL=tidecloak.js.map