@wandelbots/wandelbots-js-react-components 3.5.1 → 3.6.0-pr.feat-model-retrieval-from-rdp.463.014e7d3

package/dist/auth0-spa-js.production.esm-BMSlxZC5.js

@@ -0,0 +1,3877 @@
+function ne(t, e) {
+  var n = {};
+  for (var o in t) Object.prototype.hasOwnProperty.call(t, o) && e.indexOf(o) < 0 && (n[o] = t[o]);
+  if (t != null && typeof Object.getOwnPropertySymbols == "function") {
+    var r = 0;
+    for (o = Object.getOwnPropertySymbols(t); r < o.length; r++) e.indexOf(o[r]) < 0 && Object.prototype.propertyIsEnumerable.call(t, o[r]) && (n[o[r]] = t[o[r]]);
+  }
+  return n;
+}
+var xe = typeof globalThis < "u" ? globalThis : typeof window < "u" ? window : typeof global < "u" ? global : typeof self < "u" ? self : {}, To = {}, Rn = {};
+Object.defineProperty(Rn, "__esModule", { value: !0 });
+var gr = (function() {
+  function t() {
+    var e = this;
+    this.locked = /* @__PURE__ */ new Map(), this.addToLocked = function(n, o) {
+      var r = e.locked.get(n);
+      r === void 0 ? o === void 0 ? e.locked.set(n, []) : e.locked.set(n, [o]) : o !== void 0 && (r.unshift(o), e.locked.set(n, r));
+    }, this.isLocked = function(n) {
+      return e.locked.has(n);
+    }, this.lock = function(n) {
+      return new Promise((function(o, r) {
+        e.isLocked(n) ? e.addToLocked(n, o) : (e.addToLocked(n), o());
+      }));
+    }, this.unlock = function(n) {
+      var o = e.locked.get(n);
+      if (o !== void 0 && o.length !== 0) {
+        var r = o.pop();
+        e.locked.set(n, o), r !== void 0 && setTimeout(r, 0);
+      } else e.locked.delete(n);
+    };
+  }
+  return t.getInstance = function() {
+    return t.instance === void 0 && (t.instance = new t()), t.instance;
+  }, t;
+})();
+Rn.default = function() {
+  return gr.getInstance();
+};
+var X = xe && xe.__awaiter || function(t, e, n, o) {
+  return new (n || (n = Promise))((function(r, i) {
+    function a(l) {
+      try {
+        c(o.next(l));
+      } catch (u) {
+        i(u);
+      }
+    }
+    function s(l) {
+      try {
+        c(o.throw(l));
+      } catch (u) {
+        i(u);
+      }
+    }
+    function c(l) {
+      l.done ? r(l.value) : new n((function(u) {
+        u(l.value);
+      })).then(a, s);
+    }
+    c((o = o.apply(t, e || [])).next());
+  }));
+}, Y = xe && xe.__generator || function(t, e) {
+  var n, o, r, i, a = { label: 0, sent: function() {
+    if (1 & r[0]) throw r[1];
+    return r[1];
+  }, trys: [], ops: [] };
+  return i = { next: s(0), throw: s(1), return: s(2) }, typeof Symbol == "function" && (i[Symbol.iterator] = function() {
+    return this;
+  }), i;
+  function s(c) {
+    return function(l) {
+      return (function(u) {
+        if (n) throw new TypeError("Generator is already executing.");
+        for (; a; ) try {
+          if (n = 1, o && (r = 2 & u[0] ? o.return : u[0] ? o.throw || ((r = o.return) && r.call(o), 0) : o.next) && !(r = r.call(o, u[1])).done) return r;
+          switch (o = 0, r && (u = [2 & u[0], r.value]), u[0]) {
+            case 0:
+            case 1:
+              r = u;
+              break;
+            case 4:
+              return a.label++, { value: u[1], done: !1 };
+            case 5:
+              a.label++, o = u[1], u = [0];
+              continue;
+            case 7:
+              u = a.ops.pop(), a.trys.pop();
+              continue;
+            default:
+              if (r = a.trys, !((r = r.length > 0 && r[r.length - 1]) || u[0] !== 6 && u[0] !== 2)) {
+                a = 0;
+                continue;
+              }
+              if (u[0] === 3 && (!r || u[1] > r[0] && u[1] < r[3])) {
+                a.label = u[1];
+                break;
+              }
+              if (u[0] === 6 && a.label < r[1]) {
+                a.label = r[1], r = u;
+                break;
+              }
+              if (r && a.label < r[2]) {
+                a.label = r[2], a.ops.push(u);
+                break;
+              }
+              r[2] && a.ops.pop(), a.trys.pop();
+              continue;
+          }
+          u = e.call(t, a);
+        } catch (p) {
+          u = [6, p], o = 0;
+        } finally {
+          n = r = 0;
+        }
+        if (5 & u[0]) throw u[1];
+        return { value: u[0] ? u[1] : void 0, done: !0 };
+      })([c, l]);
+    };
+  }
+}, Ve = xe;
+Object.defineProperty(To, "__esModule", { value: !0 });
+var De = Rn, pt = { key: function(t) {
+  return X(Ve, void 0, void 0, (function() {
+    return Y(this, (function(e) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, getItem: function(t) {
+  return X(Ve, void 0, void 0, (function() {
+    return Y(this, (function(e) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, clear: function() {
+  return X(Ve, void 0, void 0, (function() {
+    return Y(this, (function(t) {
+      return [2, window.localStorage.clear()];
+    }));
+  }));
+}, removeItem: function(t) {
+  return X(Ve, void 0, void 0, (function() {
+    return Y(this, (function(e) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, setItem: function(t, e) {
+  return X(Ve, void 0, void 0, (function() {
+    return Y(this, (function(n) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, keySync: function(t) {
+  return window.localStorage.key(t);
+}, getItemSync: function(t) {
+  return window.localStorage.getItem(t);
+}, clearSync: function() {
+  return window.localStorage.clear();
+}, removeItemSync: function(t) {
+  return window.localStorage.removeItem(t);
+}, setItemSync: function(t, e) {
+  return window.localStorage.setItem(t, e);
+} };
+function Ht(t) {
+  return new Promise((function(e) {
+    return setTimeout(e, t);
+  }));
+}
+function zt(t) {
+  for (var e = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz", n = "", o = 0; o < t; o++)
+    n += e[Math.floor(Math.random() * e.length)];
+  return n;
+}
+var wr = (function() {
+  function t(e) {
+    this.acquiredIatSet = /* @__PURE__ */ new Set(), this.storageHandler = void 0, this.id = Date.now().toString() + zt(15), this.acquireLock = this.acquireLock.bind(this), this.releaseLock = this.releaseLock.bind(this), this.releaseLock__private__ = this.releaseLock__private__.bind(this), this.waitForSomethingToChange = this.waitForSomethingToChange.bind(this), this.refreshLockWhileAcquired = this.refreshLockWhileAcquired.bind(this), this.storageHandler = e, t.waiters === void 0 && (t.waiters = []);
+  }
+  return t.prototype.acquireLock = function(e, n) {
+    return n === void 0 && (n = 5e3), X(this, void 0, void 0, (function() {
+      var o, r, i, a, s, c, l;
+      return Y(this, (function(u) {
+        switch (u.label) {
+          case 0:
+            o = Date.now() + zt(4), r = Date.now() + n, i = "browser-tabs-lock-key-" + e, a = this.storageHandler === void 0 ? pt : this.storageHandler, u.label = 1;
+          case 1:
+            return Date.now() < r ? [4, Ht(30)] : [3, 8];
+          case 2:
+            return u.sent(), a.getItemSync(i) !== null ? [3, 5] : (s = this.id + "-" + e + "-" + o, [4, Ht(Math.floor(25 * Math.random()))]);
+          case 3:
+            return u.sent(), a.setItemSync(i, JSON.stringify({ id: this.id, iat: o, timeoutKey: s, timeAcquired: Date.now(), timeRefreshed: Date.now() })), [4, Ht(30)];
+          case 4:
+            return u.sent(), (c = a.getItemSync(i)) !== null && (l = JSON.parse(c)).id === this.id && l.iat === o ? (this.acquiredIatSet.add(o), this.refreshLockWhileAcquired(i, o), [2, !0]) : [3, 7];
+          case 5:
+            return t.lockCorrector(this.storageHandler === void 0 ? pt : this.storageHandler), [4, this.waitForSomethingToChange(r)];
+          case 6:
+            u.sent(), u.label = 7;
+          case 7:
+            return o = Date.now() + zt(4), [3, 1];
+          case 8:
+            return [2, !1];
+        }
+      }));
+    }));
+  }, t.prototype.refreshLockWhileAcquired = function(e, n) {
+    return X(this, void 0, void 0, (function() {
+      var o = this;
+      return Y(this, (function(r) {
+        return setTimeout((function() {
+          return X(o, void 0, void 0, (function() {
+            var i, a, s;
+            return Y(this, (function(c) {
+              switch (c.label) {
+                case 0:
+                  return [4, De.default().lock(n)];
+                case 1:
+                  return c.sent(), this.acquiredIatSet.has(n) ? (i = this.storageHandler === void 0 ? pt : this.storageHandler, (a = i.getItemSync(e)) === null ? (De.default().unlock(n), [2]) : ((s = JSON.parse(a)).timeRefreshed = Date.now(), i.setItemSync(e, JSON.stringify(s)), De.default().unlock(n), this.refreshLockWhileAcquired(e, n), [2])) : (De.default().unlock(n), [2]);
+              }
+            }));
+          }));
+        }), 1e3), [2];
+      }));
+    }));
+  }, t.prototype.waitForSomethingToChange = function(e) {
+    return X(this, void 0, void 0, (function() {
+      return Y(this, (function(n) {
+        switch (n.label) {
+          case 0:
+            return [4, new Promise((function(o) {
+              var r = !1, i = Date.now(), a = !1;
+              function s() {
+                if (a || (window.removeEventListener("storage", s), t.removeFromWaiting(s), clearTimeout(c), a = !0), !r) {
+                  r = !0;
+                  var l = 50 - (Date.now() - i);
+                  l > 0 ? setTimeout(o, l) : o(null);
+                }
+              }
+              window.addEventListener("storage", s), t.addToWaiting(s);
+              var c = setTimeout(s, Math.max(0, e - Date.now()));
+            }))];
+          case 1:
+            return n.sent(), [2];
+        }
+      }));
+    }));
+  }, t.addToWaiting = function(e) {
+    this.removeFromWaiting(e), t.waiters !== void 0 && t.waiters.push(e);
+  }, t.removeFromWaiting = function(e) {
+    t.waiters !== void 0 && (t.waiters = t.waiters.filter((function(n) {
+      return n !== e;
+    })));
+  }, t.notifyWaiters = function() {
+    t.waiters !== void 0 && t.waiters.slice().forEach((function(e) {
+      return e();
+    }));
+  }, t.prototype.releaseLock = function(e) {
+    return X(this, void 0, void 0, (function() {
+      return Y(this, (function(n) {
+        switch (n.label) {
+          case 0:
+            return [4, this.releaseLock__private__(e)];
+          case 1:
+            return [2, n.sent()];
+        }
+      }));
+    }));
+  }, t.prototype.releaseLock__private__ = function(e) {
+    return X(this, void 0, void 0, (function() {
+      var n, o, r, i;
+      return Y(this, (function(a) {
+        switch (a.label) {
+          case 0:
+            return n = this.storageHandler === void 0 ? pt : this.storageHandler, o = "browser-tabs-lock-key-" + e, (r = n.getItemSync(o)) === null ? [2] : (i = JSON.parse(r)).id !== this.id ? [3, 2] : [4, De.default().lock(i.iat)];
+          case 1:
+            a.sent(), this.acquiredIatSet.delete(i.iat), n.removeItemSync(o), De.default().unlock(i.iat), t.notifyWaiters(), a.label = 2;
+          case 2:
+            return [2];
+        }
+      }));
+    }));
+  }, t.lockCorrector = function(e) {
+    for (var n = Date.now() - 5e3, o = e, r = [], i = 0; ; ) {
+      var a = o.keySync(i);
+      if (a === null) break;
+      r.push(a), i++;
+    }
+    for (var s = !1, c = 0; c < r.length; c++) {
+      var l = r[c];
+      if (l.includes("browser-tabs-lock-key")) {
+        var u = o.getItemSync(l);
+        if (u !== null) {
+          var p = JSON.parse(u);
+          (p.timeRefreshed === void 0 && p.timeAcquired < n || p.timeRefreshed !== void 0 && p.timeRefreshed < n) && (o.removeItemSync(l), s = !0);
+        }
+      }
+    }
+    s && t.notifyWaiters();
+  }, t.waiters = void 0, t;
+})(), vr = To.default = wr;
+const br = { timeoutInSeconds: 60 }, Po = { name: "auth0-spa-js", version: "2.12.0" }, Ro = () => Date.now();
+class x extends Error {
+  constructor(e, n) {
+    super(n), this.error = e, this.error_description = n, Object.setPrototypeOf(this, x.prototype);
+  }
+  static fromPayload(e) {
+    let { error: n, error_description: o } = e;
+    return new x(n, o);
+  }
+}
+class In extends x {
+  constructor(e, n, o) {
+    let r = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : null;
+    super(e, n), this.state = o, this.appState = r, Object.setPrototypeOf(this, In.prototype);
+  }
+}
+class On extends x {
+  constructor(e, n, o, r) {
+    let i = arguments.length > 4 && arguments[4] !== void 0 ? arguments[4] : null;
+    super(e, n), this.connection = o, this.state = r, this.appState = i, Object.setPrototypeOf(this, On.prototype);
+  }
+}
+class He extends x {
+  constructor() {
+    super("timeout", "Timeout"), Object.setPrototypeOf(this, He.prototype);
+  }
+}
+class xn extends He {
+  constructor(e) {
+    super(), this.popup = e, Object.setPrototypeOf(this, xn.prototype);
+  }
+}
+class Cn extends x {
+  constructor(e) {
+    super("cancelled", "Popup closed"), this.popup = e, Object.setPrototypeOf(this, Cn.prototype);
+  }
+}
+class jn extends x {
+  constructor() {
+    super("popup_open", "Unable to open a popup for loginWithPopup - window.open returned `null`"), Object.setPrototypeOf(this, jn.prototype);
+  }
+}
+class Dn extends x {
+  constructor(e, n, o) {
+    super(e, n), this.mfa_token = o, Object.setPrototypeOf(this, Dn.prototype);
+  }
+}
+class Dt extends x {
+  constructor(e, n) {
+    super("missing_refresh_token", "Missing Refresh Token (audience: '".concat(At(e, ["default"]), "', scope: '").concat(At(n), "')")), this.audience = e, this.scope = n, Object.setPrototypeOf(this, Dt.prototype);
+  }
+}
+class Kn extends x {
+  constructor(e, n) {
+    super("missing_scopes", "Missing requested scopes after refresh (audience: '".concat(At(e, ["default"]), "', missing scope: '").concat(At(n), "')")), this.audience = e, this.scope = n, Object.setPrototypeOf(this, Kn.prototype);
+  }
+}
+class Kt extends x {
+  constructor(e) {
+    super("use_dpop_nonce", "Server rejected DPoP proof: wrong nonce"), this.newDpopNonce = e, Object.setPrototypeOf(this, Kt.prototype);
+  }
+}
+function At(t) {
+  let e = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : [];
+  return t && !e.includes(t) ? t : "";
+}
+const Tt = () => window.crypto, Ge = () => {
+  const t = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";
+  let e = "";
+  return Array.from(Tt().getRandomValues(new Uint8Array(43))).forEach(((n) => e += t[n % t.length])), e;
+}, Jt = (t) => btoa(t), _r = [{ key: "name", type: ["string"] }, { key: "version", type: ["string", "number"] }, { key: "env", type: ["object"] }], kr = (t) => Object.keys(t).reduce(((e, n) => {
+  const o = _r.find(((r) => r.key === n));
+  return o && o.type.includes(typeof t[n]) && (e[n] = t[n]), e;
+}), {}), dn = (t) => {
+  var { clientId: e } = t, n = ne(t, ["clientId"]);
+  return new URLSearchParams(((o) => Object.keys(o).filter(((r) => o[r] !== void 0)).reduce(((r, i) => Object.assign(Object.assign({}, r), { [i]: o[i] })), {}))(Object.assign({ client_id: e }, n))).toString();
+}, Zn = async (t) => await Tt().subtle.digest({ name: "SHA-256" }, new TextEncoder().encode(t)), qn = (t) => ((e) => decodeURIComponent(atob(e).split("").map(((n) => "%" + ("00" + n.charCodeAt(0).toString(16)).slice(-2))).join("")))(t.replace(/_/g, "/").replace(/-/g, "+")), Bn = (t) => {
+  const e = new Uint8Array(t);
+  return ((n) => {
+    const o = { "+": "-", "/": "_", "=": "" };
+    return n.replace(/[+/=]/g, ((r) => o[r]));
+  })(window.btoa(String.fromCharCode(...Array.from(e))));
+}, Sr = new TextEncoder(), Er = new TextDecoder();
+function Ye(t) {
+  return typeof t == "string" ? Sr.encode(t) : Er.decode(t);
+}
+function Xn(t) {
+  if (typeof t.modulusLength != "number" || t.modulusLength < 2048) throw new Tr(`${t.name} modulusLength must be at least 2048 bits`);
+}
+async function Ar(t, e, n) {
+  if (n.usages.includes("sign") === !1) throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+  const o = `${Qe(Ye(JSON.stringify(t)))}.${Qe(Ye(JSON.stringify(e)))}`;
+  return `${o}.${Qe(await crypto.subtle.sign((function(r) {
+    switch (r.algorithm.name) {
+      case "ECDSA":
+        return { name: r.algorithm.name, hash: "SHA-256" };
+      case "RSA-PSS":
+        return Xn(r.algorithm), { name: r.algorithm.name, saltLength: 32 };
+      case "RSASSA-PKCS1-v1_5":
+        return Xn(r.algorithm), { name: r.algorithm.name };
+      case "Ed25519":
+        return { name: r.algorithm.name };
+    }
+    throw new Ie();
+  })(n), n, Ye(o)))}`;
+}
+let hn;
+Uint8Array.prototype.toBase64 ? hn = (t) => (t instanceof ArrayBuffer && (t = new Uint8Array(t)), t.toBase64({ alphabet: "base64url", omitPadding: !0 })) : hn = (e) => {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const n = [];
+  for (let o = 0; o < e.byteLength; o += 32768) n.push(String.fromCharCode.apply(null, e.subarray(o, o + 32768)));
+  return btoa(n.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+};
+function Qe(t) {
+  return hn(t);
+}
+class Ie extends Error {
+  constructor(e) {
+    var n;
+    super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) === null || n === void 0 || n.call(Error, this, this.constructor);
+  }
+}
+class Tr extends Error {
+  constructor(e) {
+    var n;
+    super(e), this.name = this.constructor.name, (n = Error.captureStackTrace) === null || n === void 0 || n.call(Error, this, this.constructor);
+  }
+}
+function Pr(t) {
+  switch (t.algorithm.name) {
+    case "RSA-PSS":
+      return (function(e) {
+        if (e.algorithm.hash.name === "SHA-256") return "PS256";
+        throw new Ie("unsupported RsaHashedKeyAlgorithm hash name");
+      })(t);
+    case "RSASSA-PKCS1-v1_5":
+      return (function(e) {
+        if (e.algorithm.hash.name === "SHA-256") return "RS256";
+        throw new Ie("unsupported RsaHashedKeyAlgorithm hash name");
+      })(t);
+    case "ECDSA":
+      return (function(e) {
+        if (e.algorithm.namedCurve === "P-256") return "ES256";
+        throw new Ie("unsupported EcKeyAlgorithm namedCurve");
+      })(t);
+    case "Ed25519":
+      return "Ed25519";
+    default:
+      throw new Ie("unsupported CryptoKey algorithm name");
+  }
+}
+function Io(t) {
+  return t instanceof CryptoKey;
+}
+function Oo(t) {
+  return Io(t) && t.type === "public";
+}
+async function Rr(t, e, n, o, r, i) {
+  const a = t == null ? void 0 : t.privateKey, s = t == null ? void 0 : t.publicKey;
+  if (!Io(c = a) || c.type !== "private") throw new TypeError('"keypair.privateKey" must be a private CryptoKey');
+  var c;
+  if (!Oo(s)) throw new TypeError('"keypair.publicKey" must be a public CryptoKey');
+  if (s.extractable !== !0) throw new TypeError('"keypair.publicKey.extractable" must be true');
+  if (typeof e != "string") throw new TypeError('"htu" must be a string');
+  if (typeof n != "string") throw new TypeError('"htm" must be a string');
+  if (o !== void 0 && typeof o != "string") throw new TypeError('"nonce" must be a string or undefined');
+  if (r !== void 0 && typeof r != "string") throw new TypeError('"accessToken" must be a string or undefined');
+  return Ar({ alg: Pr(a), typ: "dpop+jwt", jwk: await xo(s) }, Object.assign(Object.assign({}, i), { iat: Math.floor(Date.now() / 1e3), jti: crypto.randomUUID(), htm: n, nonce: o, htu: e, ath: r ? Qe(await crypto.subtle.digest("SHA-256", Ye(r))) : void 0 }), a);
+}
+async function xo(t) {
+  const { kty: e, e: n, n: o, x: r, y: i, crv: a } = await crypto.subtle.exportKey("jwk", t);
+  return { kty: e, crv: a, e: n, n: o, x: r, y: i };
+}
+const Ir = ["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"];
+function Or() {
+  return (async function(t, e) {
+    var n;
+    let o;
+    if (t.length === 0) throw new TypeError('"alg" must be a non-empty string');
+    switch (t) {
+      case "PS256":
+        o = { name: "RSA-PSS", hash: "SHA-256", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) };
+        break;
+      case "RS256":
+        o = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) };
+        break;
+      case "ES256":
+        o = { name: "ECDSA", namedCurve: "P-256" };
+        break;
+      case "Ed25519":
+        o = { name: "Ed25519" };
+        break;
+      default:
+        throw new Ie();
+    }
+    return crypto.subtle.generateKey(o, (n = e == null ? void 0 : e.extractable) !== null && n !== void 0 && n, ["sign", "verify"]);
+  })("ES256", { extractable: !1 });
+}
+function xr(t) {
+  return (async function(e) {
+    if (!Oo(e)) throw new TypeError('"publicKey" must be a public CryptoKey');
+    if (e.extractable !== !0) throw new TypeError('"publicKey.extractable" must be true');
+    const n = await xo(e);
+    let o;
+    switch (n.kty) {
+      case "EC":
+        o = { crv: n.crv, kty: n.kty, x: n.x, y: n.y };
+        break;
+      case "OKP":
+        o = { crv: n.crv, kty: n.kty, x: n.x };
+        break;
+      case "RSA":
+        o = { e: n.e, kty: n.kty, n: n.n };
+        break;
+      default:
+        throw new Ie("unsupported JWK kty");
+    }
+    return Qe(await crypto.subtle.digest({ name: "SHA-256" }, Ye(JSON.stringify(o))));
+  })(t.publicKey);
+}
+function Cr(t) {
+  let { keyPair: e, url: n, method: o, nonce: r, accessToken: i } = t;
+  const a = (function(s) {
+    const c = new URL(s);
+    return c.search = "", c.hash = "", c.href;
+  })(n);
+  return Rr(e, a, o, r, i);
+}
+const jr = async (t, e) => {
+  const n = await fetch(t, e);
+  return { ok: n.ok, json: await n.json(), headers: (o = n.headers, [...o].reduce(((r, i) => {
+    let [a, s] = i;
+    return r[a] = s, r;
+  }), {})) };
+  var o;
+}, Dr = async (t, e, n) => {
+  const o = new AbortController();
+  let r;
+  return e.signal = o.signal, Promise.race([jr(t, e), new Promise(((i, a) => {
+    r = setTimeout((() => {
+      o.abort(), a(new Error("Timeout when executing 'fetch'"));
+    }), n);
+  }))]).finally((() => {
+    clearTimeout(r);
+  }));
+}, Kr = async (t, e, n, o, r, i, a, s) => ((c, l) => new Promise((function(u, p) {
+  const h = new MessageChannel();
+  h.port1.onmessage = function(d) {
+    d.data.error ? p(new Error(d.data.error)) : u(d.data), h.port1.close();
+  }, l.postMessage(c, [h.port2]);
+})))({ auth: { audience: e, scope: n }, timeout: r, fetchUrl: t, fetchOptions: o, useFormData: a, useMrrt: s }, i), Lr = async function(t, e, n, o, r, i) {
+  let a = arguments.length > 6 && arguments[6] !== void 0 ? arguments[6] : 1e4, s = arguments.length > 7 ? arguments[7] : void 0;
+  return r ? Kr(t, e, n, o, a, r, i, s) : Dr(t, o, a);
+};
+async function Co(t, e, n, o, r, i, a, s, c, l) {
+  if (c) {
+    const k = await c.generateProof({ url: t, method: r.method || "GET", nonce: await c.getNonce() });
+    r.headers = Object.assign(Object.assign({}, r.headers), { dpop: k });
+  }
+  let u, p = null;
+  for (let k = 0; k < 3; k++) try {
+    u = await Lr(t, n, o, r, i, a, e, s), p = null;
+    break;
+  } catch (E) {
+    p = E;
+  }
+  if (p) throw p;
+  const h = u.json, { error: d, error_description: g } = h, f = ne(h, ["error", "error_description"]), { headers: m, ok: w } = u;
+  let _;
+  if (c && (_ = m["dpop-nonce"], _ && await c.setNonce(_)), !w) {
+    const k = g || "HTTP error. Unable to fetch ".concat(t);
+    if (d === "mfa_required") throw new Dn(d, k, f.mfa_token);
+    if (d === "missing_refresh_token") throw new Dt(n, o);
+    if (d === "use_dpop_nonce") {
+      if (!c || !_ || l) throw new Kt(_);
+      return Co(t, e, n, o, r, i, a, s, c, !0);
+    }
+    throw new x(d || "request_error", k);
+  }
+  return f;
+}
+async function Ur(t, e) {
+  var { baseUrl: n, timeout: o, audience: r, scope: i, auth0Client: a, useFormData: s, useMrrt: c, dpop: l } = t, u = ne(t, ["baseUrl", "timeout", "audience", "scope", "auth0Client", "useFormData", "useMrrt", "dpop"]);
+  const p = u.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange", h = u.grant_type === "refresh_token" && c, d = Object.assign(Object.assign(Object.assign(Object.assign({}, u), p && r && { audience: r }), p && i && { scope: i }), h && { audience: r, scope: i }), g = s ? dn(d) : JSON.stringify(d), f = (m = u.grant_type, Ir.includes(m));
+  var m;
+  return await Co("".concat(n, "/oauth/token"), o, r || "default", i, { method: "POST", body: g, headers: { "Content-Type": s ? "application/x-www-form-urlencoded" : "application/json", "Auth0-Client": btoa(JSON.stringify(kr(a || Po))) } }, e, s, c, f ? l : void 0);
+}
+const Nr = (t) => Array.from(new Set(t)), kt = function() {
+  for (var t = arguments.length, e = new Array(t), n = 0; n < t; n++) e[n] = arguments[n];
+  return Nr(e.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ");
+}, mt = (t, e, n) => {
+  let o;
+  return n && (o = t[n]), o || (o = t.default), kt(o, e);
+};
+class Z {
+  constructor(e) {
+    let n = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : "@@auth0spajs@@", o = arguments.length > 2 ? arguments[2] : void 0;
+    this.prefix = n, this.suffix = o, this.clientId = e.clientId, this.scope = e.scope, this.audience = e.audience;
+  }
+  toKey() {
+    return [this.prefix, this.clientId, this.audience, this.scope, this.suffix].filter(Boolean).join("::");
+  }
+  static fromKey(e) {
+    const [n, o, r, i] = e.split("::");
+    return new Z({ clientId: o, scope: i, audience: r }, n);
+  }
+  static fromCacheEntry(e) {
+    const { scope: n, audience: o, client_id: r } = e;
+    return new Z({ scope: n, audience: o, clientId: r });
+  }
+}
+class Wr {
+  set(e, n) {
+    localStorage.setItem(e, JSON.stringify(n));
+  }
+  get(e) {
+    const n = window.localStorage.getItem(e);
+    if (n) try {
+      return JSON.parse(n);
+    } catch {
+      return;
+    }
+  }
+  remove(e) {
+    localStorage.removeItem(e);
+  }
+  allKeys() {
+    return Object.keys(window.localStorage).filter(((e) => e.startsWith("@@auth0spajs@@")));
+  }
+}
+class jo {
+  constructor() {
+    this.enclosedCache = /* @__PURE__ */ (function() {
+      let e = {};
+      return { set(n, o) {
+        e[n] = o;
+      }, get(n) {
+        const o = e[n];
+        if (o) return o;
+      }, remove(n) {
+        delete e[n];
+      }, allKeys: () => Object.keys(e) };
+    })();
+  }
+}
+class Hr {
+  constructor(e, n, o) {
+    this.cache = e, this.keyManifest = n, this.nowProvider = o || Ro;
+  }
+  async setIdToken(e, n, o) {
+    var r;
+    const i = this.getIdTokenCacheKey(e);
+    await this.cache.set(i, { id_token: n, decodedToken: o }), await ((r = this.keyManifest) === null || r === void 0 ? void 0 : r.add(i));
+  }
+  async getIdToken(e) {
+    const n = await this.cache.get(this.getIdTokenCacheKey(e.clientId));
+    if (!n && e.scope && e.audience) {
+      const o = await this.get(e);
+      return !o || !o.id_token || !o.decodedToken ? void 0 : { id_token: o.id_token, decodedToken: o.decodedToken };
+    }
+    if (n) return { id_token: n.id_token, decodedToken: n.decodedToken };
+  }
+  async get(e) {
+    let n = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : 0, o = arguments.length > 2 && arguments[2] !== void 0 && arguments[2], r = arguments.length > 3 ? arguments[3] : void 0;
+    var i;
+    let a = await this.cache.get(e.toKey());
+    if (!a) {
+      const l = await this.getCacheKeys();
+      if (!l) return;
+      const u = this.matchExistingCacheKey(e, l);
+      if (u && (a = await this.cache.get(u)), !a && o && r !== "cache-only") return this.getEntryWithRefreshToken(e, l);
+    }
+    if (!a) return;
+    const s = await this.nowProvider(), c = Math.floor(s / 1e3);
+    return a.expiresAt - n < c ? a.body.refresh_token ? this.modifiedCachedEntry(a, e) : (await this.cache.remove(e.toKey()), void await ((i = this.keyManifest) === null || i === void 0 ? void 0 : i.remove(e.toKey()))) : a.body;
+  }
+  async modifiedCachedEntry(e, n) {
+    return e.body = { refresh_token: e.body.refresh_token, audience: e.body.audience, scope: e.body.scope }, await this.cache.set(n.toKey(), e), { refresh_token: e.body.refresh_token, audience: e.body.audience, scope: e.body.scope };
+  }
+  async set(e) {
+    var n;
+    const o = new Z({ clientId: e.client_id, scope: e.scope, audience: e.audience }), r = await this.wrapCacheEntry(e);
+    await this.cache.set(o.toKey(), r), await ((n = this.keyManifest) === null || n === void 0 ? void 0 : n.add(o.toKey()));
+  }
+  async remove(e, n, o) {
+    const r = new Z({ clientId: e, scope: o, audience: n });
+    await this.cache.remove(r.toKey());
+  }
+  async clear(e) {
+    var n;
+    const o = await this.getCacheKeys();
+    o && (await o.filter(((r) => !e || r.includes(e))).reduce((async (r, i) => {
+      await r, await this.cache.remove(i);
+    }), Promise.resolve()), await ((n = this.keyManifest) === null || n === void 0 ? void 0 : n.clear()));
+  }
+  async wrapCacheEntry(e) {
+    const n = await this.nowProvider();
+    return { body: e, expiresAt: Math.floor(n / 1e3) + e.expires_in };
+  }
+  async getCacheKeys() {
+    var e;
+    return this.keyManifest ? (e = await this.keyManifest.get()) === null || e === void 0 ? void 0 : e.keys : this.cache.allKeys ? this.cache.allKeys() : void 0;
+  }
+  getIdTokenCacheKey(e) {
+    return new Z({ clientId: e }, "@@auth0spajs@@", "@@user@@").toKey();
+  }
+  matchExistingCacheKey(e, n) {
+    return n.filter(((o) => {
+      var r;
+      const i = Z.fromKey(o), a = new Set(i.scope && i.scope.split(" ")), s = ((r = e.scope) === null || r === void 0 ? void 0 : r.split(" ")) || [], c = i.scope && s.reduce(((l, u) => l && a.has(u)), !0);
+      return i.prefix === "@@auth0spajs@@" && i.clientId === e.clientId && i.audience === e.audience && c;
+    }))[0];
+  }
+  async getEntryWithRefreshToken(e, n) {
+    var o;
+    for (const r of n) {
+      const i = Z.fromKey(r);
+      if (i.prefix === "@@auth0spajs@@" && i.clientId === e.clientId) {
+        const a = await this.cache.get(r);
+        if (!((o = a == null ? void 0 : a.body) === null || o === void 0) && o.refresh_token) return this.modifiedCachedEntry(a, e);
+      }
+    }
+  }
+  async updateEntry(e, n) {
+    var o;
+    const r = await this.getCacheKeys();
+    if (r) for (const i of r) {
+      const a = await this.cache.get(i);
+      if (((o = a == null ? void 0 : a.body) === null || o === void 0 ? void 0 : o.refresh_token) === e) {
+        const s = Object.assign(Object.assign({}, a.body), { refresh_token: n });
+        await this.set(s);
+      }
+    }
+  }
+}
+class zr {
+  constructor(e, n, o) {
+    this.storage = e, this.clientId = n, this.cookieDomain = o, this.storageKey = "".concat("a0.spajs.txs", ".").concat(this.clientId);
+  }
+  create(e) {
+    this.storage.save(this.storageKey, e, { daysUntilExpire: 1, cookieDomain: this.cookieDomain });
+  }
+  get() {
+    return this.storage.get(this.storageKey);
+  }
+  remove() {
+    this.storage.remove(this.storageKey, { cookieDomain: this.cookieDomain });
+  }
+}
+const Fe = (t) => typeof t == "number", Jr = ["iss", "aud", "exp", "nbf", "iat", "jti", "azp", "nonce", "auth_time", "at_hash", "c_hash", "acr", "amr", "sub_jwk", "cnf", "sip_from_tag", "sip_date", "sip_callid", "sip_cseq_num", "sip_via_branch", "orig", "dest", "mky", "events", "toe", "txn", "rph", "sid", "vot", "vtm"], Mr = (t) => {
+  if (!t.id_token) throw new Error("ID token is required but missing");
+  const e = ((i) => {
+    const a = i.split("."), [s, c, l] = a;
+    if (a.length !== 3 || !s || !c || !l) throw new Error("ID token could not be decoded");
+    const u = JSON.parse(qn(c)), p = { __raw: i }, h = {};
+    return Object.keys(u).forEach(((d) => {
+      p[d] = u[d], Jr.includes(d) || (h[d] = u[d]);
+    })), { encoded: { header: s, payload: c, signature: l }, header: JSON.parse(qn(s)), claims: p, user: h };
+  })(t.id_token);
+  if (!e.claims.iss) throw new Error("Issuer (iss) claim must be a string present in the ID token");
+  if (e.claims.iss !== t.iss) throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(t.iss, '", found "').concat(e.claims.iss, '"'));
+  if (!e.user.sub) throw new Error("Subject (sub) claim must be a string present in the ID token");
+  if (e.header.alg !== "RS256") throw new Error('Signature algorithm of "'.concat(e.header.alg, '" is not supported. Expected the ID token to be signed with "RS256".'));
+  if (!e.claims.aud || typeof e.claims.aud != "string" && !Array.isArray(e.claims.aud)) throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");
+  if (Array.isArray(e.claims.aud)) {
+    if (!e.claims.aud.includes(t.aud)) throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(t.aud, '" but was not one of "').concat(e.claims.aud.join(", "), '"'));
+    if (e.claims.aud.length > 1) {
+      if (!e.claims.azp) throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");
+      if (e.claims.azp !== t.aud) throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(t.aud, '", found "').concat(e.claims.azp, '"'));
+    }
+  } else if (e.claims.aud !== t.aud) throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(t.aud, '" but found "').concat(e.claims.aud, '"'));
+  if (t.nonce) {
+    if (!e.claims.nonce) throw new Error("Nonce (nonce) claim must be a string present in the ID token");
+    if (e.claims.nonce !== t.nonce) throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(t.nonce, '", found "').concat(e.claims.nonce, '"'));
+  }
+  if (t.max_age && !Fe(e.claims.auth_time)) throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");
+  if (e.claims.exp == null || !Fe(e.claims.exp)) throw new Error("Expiration Time (exp) claim must be a number present in the ID token");
+  if (!Fe(e.claims.iat)) throw new Error("Issued At (iat) claim must be a number present in the ID token");
+  const n = t.leeway || 60, o = new Date(t.now || Date.now()), r = /* @__PURE__ */ new Date(0);
+  if (r.setUTCSeconds(e.claims.exp + n), o > r) throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o, ") is after expiration time (").concat(r, ")"));
+  if (e.claims.nbf != null && Fe(e.claims.nbf)) {
+    const i = /* @__PURE__ */ new Date(0);
+    if (i.setUTCSeconds(e.claims.nbf - n), o < i) throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o, ") is before ").concat(i));
+  }
+  if (e.claims.auth_time != null && Fe(e.claims.auth_time)) {
+    const i = /* @__PURE__ */ new Date(0);
+    if (i.setUTCSeconds(parseInt(e.claims.auth_time) + t.max_age + n), o > i) throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o, ") is after last auth at ").concat(i));
+  }
+  if (t.organization) {
+    const i = t.organization.trim();
+    if (i.startsWith("org_")) {
+      const a = i;
+      if (!e.claims.org_id) throw new Error("Organization ID (org_id) claim must be a string present in the ID token");
+      if (a !== e.claims.org_id) throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(a, '", found "').concat(e.claims.org_id, '"'));
+    } else {
+      const a = i.toLowerCase();
+      if (!e.claims.org_name) throw new Error("Organization Name (org_name) claim must be a string present in the ID token");
+      if (a !== e.claims.org_name) throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(a, '", found "').concat(e.claims.org_name, '"'));
+    }
+  }
+  return e;
+};
+var nt = xe && xe.__assign || function() {
+  return nt = Object.assign || function(t) {
+    for (var e, n = 1, o = arguments.length; n < o; n++) for (var r in e = arguments[n]) Object.prototype.hasOwnProperty.call(e, r) && (t[r] = e[r]);
+    return t;
+  }, nt.apply(this, arguments);
+};
+function Ze(t, e) {
+  if (!e) return "";
+  var n = "; " + t;
+  return e === !0 ? n : n + "=" + e;
+}
+function Vr(t, e, n) {
+  return encodeURIComponent(t).replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent).replace(/\(/g, "%28").replace(/\)/g, "%29") + "=" + encodeURIComponent(e).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g, decodeURIComponent) + (function(o) {
+    if (typeof o.expires == "number") {
+      var r = /* @__PURE__ */ new Date();
+      r.setMilliseconds(r.getMilliseconds() + 864e5 * o.expires), o.expires = r;
+    }
+    return Ze("Expires", o.expires ? o.expires.toUTCString() : "") + Ze("Domain", o.domain) + Ze("Path", o.path) + Ze("Secure", o.secure) + Ze("SameSite", o.sameSite);
+  })(n);
+}
+function Gr() {
+  return (function(t) {
+    for (var e = {}, n = t ? t.split("; ") : [], o = /(%[\dA-F]{2})+/gi, r = 0; r < n.length; r++) {
+      var i = n[r].split("="), a = i.slice(1).join("=");
+      a.charAt(0) === '"' && (a = a.slice(1, -1));
+      try {
+        e[i[0].replace(o, decodeURIComponent)] = a.replace(o, decodeURIComponent);
+      } catch {
+      }
+    }
+    return e;
+  })(document.cookie);
+}
+var Fr = function(t) {
+  return Gr()[t];
+};
+function Do(t, e, n) {
+  document.cookie = Vr(t, e, nt({ path: "/" }, n));
+}
+var Ko = Do, Lo = function(t, e) {
+  Do(t, "", nt(nt({}, e), { expires: -1 }));
+};
+const Ue = { get(t) {
+  const e = Fr(t);
+  if (e !== void 0) return JSON.parse(e);
+}, save(t, e, n) {
+  let o = {};
+  window.location.protocol === "https:" && (o = { secure: !0, sameSite: "none" }), n != null && n.daysUntilExpire && (o.expires = n.daysUntilExpire), n != null && n.cookieDomain && (o.domain = n.cookieDomain), Ko(t, JSON.stringify(e), o);
+}, remove(t, e) {
+  let n = {};
+  e != null && e.cookieDomain && (n.domain = e.cookieDomain), Lo(t, n);
+} }, Zr = { get(t) {
+  return Ue.get(t) || Ue.get("".concat("_legacy_").concat(t));
+}, save(t, e, n) {
+  let o = {};
+  window.location.protocol === "https:" && (o = { secure: !0 }), n != null && n.daysUntilExpire && (o.expires = n.daysUntilExpire), n != null && n.cookieDomain && (o.domain = n.cookieDomain), Ko("".concat("_legacy_").concat(t), JSON.stringify(e), o), Ue.save(t, e, n);
+}, remove(t, e) {
+  let n = {};
+  e != null && e.cookieDomain && (n.domain = e.cookieDomain), Lo(t, n), Ue.remove(t, e), Ue.remove("".concat("_legacy_").concat(t), e);
+} }, qr = { get(t) {
+  if (typeof sessionStorage > "u") return;
+  const e = sessionStorage.getItem(t);
+  return e != null ? JSON.parse(e) : void 0;
+}, save(t, e) {
+  sessionStorage.setItem(t, JSON.stringify(e));
+}, remove(t) {
+  sessionStorage.removeItem(t);
+} };
+var Pe;
+(function(t) {
+  t.Code = "code", t.ConnectCode = "connect_code";
+})(Pe || (Pe = {}));
+function Br(t, e, n) {
+  var o = e === void 0 ? null : e, r = (function(c, l) {
+    var u = atob(c);
+    if (l) {
+      for (var p = new Uint8Array(u.length), h = 0, d = u.length; h < d; ++h) p[h] = u.charCodeAt(h);
+      return String.fromCharCode.apply(null, new Uint16Array(p.buffer));
+    }
+    return u;
+  })(t, n !== void 0 && n), i = r.indexOf(`
+`, 10) + 1, a = r.substring(i) + (o ? "//# sourceMappingURL=" + o : ""), s = new Blob([a], { type: "application/javascript" });
+  return URL.createObjectURL(s);
+}
+var Yn, Qn, $n, Mt, Xr = (Yn = "Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnN9PXQ7cmV0dXJuIG5ldyBlKHIscyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUscyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKHMpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1zLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtsZXQgdD1hcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W107cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCk7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jIGU9PntsZXQgcixjLHtkYXRhOnt0aW1lb3V0OmksYXV0aDphLGZldGNoVXJsOmYsZmV0Y2hPcHRpb25zOmwsdXNlRm9ybURhdGE6cCx1c2VNcnJ0Omh9LHBvcnRzOlt1XX09ZSxkPXt9O2NvbnN0e2F1ZGllbmNlOmcsc2NvcGU6eX09YXx8e307dHJ5e2NvbnN0IGU9cD8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShsLmJvZHkpOkpTT04ucGFyc2UobC5ib2R5KTtpZighZS5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1lLmdyYW50X3R5cGUpe2lmKGM9KChlLHQpPT5vW24oZSx0KV0pKGcseSksIWMmJmgpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxnKTtlJiYhdCYmKGM9ZSl9aWYoIWMpdGhyb3cgbmV3IHQoZyx5KTtsLmJvZHk9cD9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpfWxldCBhLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGE9bmV3IEFib3J0Q29udHJvbGxlcixsLnNpZ25hbD1hLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoaj1pLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsaikpKSksZmV0Y2goZixPYmplY3QuYXNzaWduKHt9LGwpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHUucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBhJiZhLmFib3J0KCksdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189ay5oZWFkZXJzLGQ9Wy4uLl9dLnJlZHVjZSgoKGUsdCk9PntsZXRbcixzXT10O3JldHVybiBlW3JdPXMsZX0pLHt9KSxyPWF3YWl0IGsuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKG8ubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLE89YyxiPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhvKS5mb3JFYWNoKChlPT57bGV0W3Qscl09ZTtyPT09TyYmKG9bdF09Yil9KSkpLCgoZSx0LHIpPT57b1tuKHQscildPWV9KShyLnJlZnJlc2hfdG9rZW4sZyx5KSxkZWxldGUgci5yZWZyZXNoX3Rva2VuKTooKGUsdCk9PntkZWxldGUgb1tuKGUsdCldfSkoZyx5KSx1LnBvc3RNZXNzYWdlKHtvazprLm9rLGpzb246cixoZWFkZXJzOmR9KX1jYXRjaChlKXt1LnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjplLmVycm9yLGVycm9yX2Rlc2NyaXB0aW9uOmUubWVzc2FnZX0saGVhZGVyczpkfSl9dmFyIE8sYixfLGp9KSl9KCk7Cgo=", Qn = null, $n = !1, function(t) {
+  return Mt = Mt || Br(Yn, Qn, $n), new Worker(Mt, t);
+});
+const Vt = {}, eo = async function(t) {
+  let e = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : 3;
+  for (let n = 0; n < e; n++) if (await t()) return !0;
+  return !1;
+};
+class Yr {
+  constructor(e, n) {
+    this.cache = e, this.clientId = n, this.manifestKey = this.createManifestKeyFrom(this.clientId);
+  }
+  async add(e) {
+    var n;
+    const o = new Set(((n = await this.cache.get(this.manifestKey)) === null || n === void 0 ? void 0 : n.keys) || []);
+    o.add(e), await this.cache.set(this.manifestKey, { keys: [...o] });
+  }
+  async remove(e) {
+    const n = await this.cache.get(this.manifestKey);
+    if (n) {
+      const o = new Set(n.keys);
+      return o.delete(e), o.size > 0 ? await this.cache.set(this.manifestKey, { keys: [...o] }) : await this.cache.remove(this.manifestKey);
+    }
+  }
+  get() {
+    return this.cache.get(this.manifestKey);
+  }
+  clear() {
+    return this.cache.remove(this.manifestKey);
+  }
+  createManifestKeyFrom(e) {
+    return "".concat("@@auth0spajs@@", "::").concat(e);
+  }
+}
+const Qr = { memory: () => new jo().enclosedCache, localstorage: () => new Wr() }, to = (t) => Qr[t], no = (t) => {
+  const { openUrl: e, onRedirect: n } = t, o = ne(t, ["openUrl", "onRedirect"]);
+  return Object.assign(Object.assign({}, o), { openUrl: e === !1 || e ? e : n });
+}, oo = (t, e) => {
+  const n = (e == null ? void 0 : e.split(" ")) || [];
+  return ((t == null ? void 0 : t.split(" ")) || []).every(((o) => n.includes(o)));
+}, be = { NONCE: "nonce", KEYPAIR: "keypair" };
+class $r {
+  constructor(e) {
+    this.clientId = e;
+  }
+  getVersion() {
+    return 1;
+  }
+  createDbHandle() {
+    const e = window.indexedDB.open("auth0-spa-js", this.getVersion());
+    return new Promise(((n, o) => {
+      e.onupgradeneeded = () => Object.values(be).forEach(((r) => e.result.createObjectStore(r))), e.onerror = () => o(e.error), e.onsuccess = () => n(e.result);
+    }));
+  }
+  async getDbHandle() {
+    return this.dbHandle || (this.dbHandle = await this.createDbHandle()), this.dbHandle;
+  }
+  async executeDbRequest(e, n, o) {
+    const r = o((await this.getDbHandle()).transaction(e, n).objectStore(e));
+    return new Promise(((i, a) => {
+      r.onsuccess = () => i(r.result), r.onerror = () => a(r.error);
+    }));
+  }
+  buildKey(e) {
+    const n = e ? "_".concat(e) : "auth0";
+    return "".concat(this.clientId, "::").concat(n);
+  }
+  setNonce(e, n) {
+    return this.save(be.NONCE, this.buildKey(n), e);
+  }
+  setKeyPair(e) {
+    return this.save(be.KEYPAIR, this.buildKey(), e);
+  }
+  async save(e, n, o) {
+    await this.executeDbRequest(e, "readwrite", ((r) => r.put(o, n)));
+  }
+  findNonce(e) {
+    return this.find(be.NONCE, this.buildKey(e));
+  }
+  findKeyPair() {
+    return this.find(be.KEYPAIR, this.buildKey());
+  }
+  find(e, n) {
+    return this.executeDbRequest(e, "readonly", ((o) => o.get(n)));
+  }
+  async deleteBy(e, n) {
+    const o = await this.executeDbRequest(e, "readonly", ((r) => r.getAllKeys()));
+    o == null || o.filter(n).map(((r) => this.executeDbRequest(e, "readwrite", ((i) => i.delete(r)))));
+  }
+  deleteByClientId(e, n) {
+    return this.deleteBy(e, ((o) => typeof o == "string" && o.startsWith("".concat(n, "::"))));
+  }
+  clearNonces() {
+    return this.deleteByClientId(be.NONCE, this.clientId);
+  }
+  clearKeyPairs() {
+    return this.deleteByClientId(be.KEYPAIR, this.clientId);
+  }
+}
+class ei {
+  constructor(e) {
+    this.storage = new $r(e);
+  }
+  getNonce(e) {
+    return this.storage.findNonce(e);
+  }
+  setNonce(e, n) {
+    return this.storage.setNonce(e, n);
+  }
+  async getOrGenerateKeyPair() {
+    let e = await this.storage.findKeyPair();
+    return e || (e = await Or(), await this.storage.setKeyPair(e)), e;
+  }
+  async generateProof(e) {
+    const n = await this.getOrGenerateKeyPair();
+    return Cr(Object.assign({ keyPair: n }, e));
+  }
+  async calculateThumbprint() {
+    return xr(await this.getOrGenerateKeyPair());
+  }
+  async clear() {
+    await Promise.all([this.storage.clearNonces(), this.storage.clearKeyPairs()]);
+  }
+}
+var Ne, ft, Gt;
+(function(t) {
+  t.Bearer = "Bearer", t.DPoP = "DPoP";
+})(Ne || (Ne = {}));
+class ti {
+  constructor(e, n) {
+    this.hooks = n, this.config = Object.assign(Object.assign({}, e), { fetch: e.fetch || (typeof window > "u" ? fetch : window.fetch.bind(window)) });
+  }
+  isAbsoluteUrl(e) {
+    return /^(https?:)?\/\//i.test(e);
+  }
+  buildUrl(e, n) {
+    if (n) {
+      if (this.isAbsoluteUrl(n)) return n;
+      if (e) return "".concat(e.replace(/\/?\/$/, ""), "/").concat(n.replace(/^\/+/, ""));
+    }
+    throw new TypeError("`url` must be absolute or `baseUrl` non-empty.");
+  }
+  getAccessToken(e) {
+    return this.config.getAccessToken ? this.config.getAccessToken(e) : this.hooks.getAccessToken(e);
+  }
+  extractUrl(e) {
+    return typeof e == "string" ? e : e instanceof URL ? e.href : e.url;
+  }
+  buildBaseRequest(e, n) {
+    if (!this.config.baseUrl) return new Request(e, n);
+    const o = this.buildUrl(this.config.baseUrl, this.extractUrl(e)), r = e instanceof Request ? new Request(o, e) : o;
+    return new Request(r, n);
+  }
+  setAuthorizationHeader(e, n) {
+    let o = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : Ne.Bearer;
+    e.headers.set("authorization", "".concat(o, " ").concat(n));
+  }
+  async setDpopProofHeader(e, n) {
+    if (!this.config.dpopNonceId) return;
+    const o = await this.hooks.getDpopNonce(), r = await this.hooks.generateDpopProof({ accessToken: n, method: e.method, nonce: o, url: e.url });
+    e.headers.set("dpop", r);
+  }
+  async prepareRequest(e, n) {
+    const o = await this.getAccessToken(n);
+    let r, i;
+    typeof o == "string" ? (r = this.config.dpopNonceId ? Ne.DPoP : Ne.Bearer, i = o) : (r = o.token_type, i = o.access_token), this.setAuthorizationHeader(e, i, r), r === Ne.DPoP && await this.setDpopProofHeader(e, i);
+  }
+  getHeader(e, n) {
+    return Array.isArray(e) ? new Headers(e).get(n) || "" : typeof e.get == "function" ? e.get(n) || "" : e[n] || "";
+  }
+  hasUseDpopNonceError(e) {
+    if (e.status !== 401) return !1;
+    const n = this.getHeader(e.headers, "www-authenticate");
+    return n.includes("invalid_dpop_nonce") || n.includes("use_dpop_nonce");
+  }
+  async handleResponse(e, n) {
+    const o = this.getHeader(e.headers, "dpop-nonce");
+    if (o && await this.hooks.setDpopNonce(o), !this.hasUseDpopNonceError(e)) return e;
+    if (!o || !n.onUseDpopNonceError) throw new Kt(o);
+    return n.onUseDpopNonceError();
+  }
+  async internalFetchWithAuth(e, n, o, r) {
+    const i = this.buildBaseRequest(e, n);
+    await this.prepareRequest(i, r);
+    const a = await this.config.fetch(i);
+    return this.handleResponse(a, o);
+  }
+  fetchWithAuth(e, n, o) {
+    const r = { onUseDpopNonceError: () => this.internalFetchWithAuth(e, n, Object.assign(Object.assign({}, r), { onUseDpopNonceError: void 0 }), o) };
+    return this.internalFetchWithAuth(e, n, r, o);
+  }
+}
+class ni {
+  constructor(e, n) {
+    this.myAccountFetcher = e, this.apiBase = n;
+  }
+  async connectAccount(e) {
+    const n = await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase, "v1/connected-accounts/connect"), { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(e) });
+    return this._handleResponse(n);
+  }
+  async completeAccount(e) {
+    const n = await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase, "v1/connected-accounts/complete"), { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(e) });
+    return this._handleResponse(n);
+  }
+  async _handleResponse(e) {
+    let n;
+    try {
+      n = await e.text(), n = JSON.parse(n);
+    } catch (o) {
+      throw new Pt({ type: "invalid_json", status: e.status, title: "Invalid JSON response", detail: n || String(o) });
+    }
+    if (e.ok) return n;
+    throw new Pt(n);
+  }
+}
+class Pt extends Error {
+  constructor(e) {
+    let { type: n, status: o, title: r, detail: i, validation_errors: a } = e;
+    super(i), this.name = "MyAccountApiError", this.type = n, this.status = o, this.title = r, this.detail = i, this.validation_errors = a, Object.setPrototypeOf(this, Pt.prototype);
+  }
+}
+function Uo(t, e) {
+  this.v = t, this.k = e;
+}
+function j(t, e, n) {
+  if (typeof t == "function" ? t === e : t.has(e)) return arguments.length < 3 ? e : n;
+  throw new TypeError("Private element is not present on this object");
+}
+function oi(t) {
+  return new Uo(t, 0);
+}
+function No(t, e) {
+  if (e.has(t)) throw new TypeError("Cannot initialize the same private elements twice on an object");
+}
+function v(t, e) {
+  return t.get(j(t, e));
+}
+function K(t, e, n) {
+  No(t, e), e.set(t, n);
+}
+function O(t, e, n) {
+  return t.set(j(t, e), n), n;
+}
+function b(t, e, n) {
+  return (e = (function(o) {
+    var r = (function(i, a) {
+      if (typeof i != "object" || !i) return i;
+      var s = i[Symbol.toPrimitive];
+      if (s !== void 0) {
+        var c = s.call(i, a);
+        if (typeof c != "object") return c;
+        throw new TypeError("@@toPrimitive must return a primitive value.");
+      }
+      return (a === "string" ? String : Number)(i);
+    })(o, "string");
+    return typeof r == "symbol" ? r : r + "";
+  })(e)) in t ? Object.defineProperty(t, e, { value: n, enumerable: !0, configurable: !0, writable: !0 }) : t[e] = n, t;
+}
+function ro(t, e) {
+  var n = Object.keys(t);
+  if (Object.getOwnPropertySymbols) {
+    var o = Object.getOwnPropertySymbols(t);
+    e && (o = o.filter((function(r) {
+      return Object.getOwnPropertyDescriptor(t, r).enumerable;
+    }))), n.push.apply(n, o);
+  }
+  return n;
+}
+function S(t) {
+  for (var e = 1; e < arguments.length; e++) {
+    var n = arguments[e] != null ? arguments[e] : {};
+    e % 2 ? ro(Object(n), !0).forEach((function(o) {
+      b(t, o, n[o]);
+    })) : Object.getOwnPropertyDescriptors ? Object.defineProperties(t, Object.getOwnPropertyDescriptors(n)) : ro(Object(n)).forEach((function(o) {
+      Object.defineProperty(t, o, Object.getOwnPropertyDescriptor(n, o));
+    }));
+  }
+  return t;
+}
+function io(t, e) {
+  if (t == null) return {};
+  var n, o, r = (function(a, s) {
+    if (a == null) return {};
+    var c = {};
+    for (var l in a) if ({}.hasOwnProperty.call(a, l)) {
+      if (s.indexOf(l) !== -1) continue;
+      c[l] = a[l];
+    }
+    return c;
+  })(t, e);
+  if (Object.getOwnPropertySymbols) {
+    var i = Object.getOwnPropertySymbols(t);
+    for (o = 0; o < i.length; o++) n = i[o], e.indexOf(n) === -1 && {}.propertyIsEnumerable.call(t, n) && (r[n] = t[n]);
+  }
+  return r;
+}
+function ri(t) {
+  return function() {
+    return new Xe(t.apply(this, arguments));
+  };
+}
+function Xe(t) {
+  var e, n;
+  function o(i, a) {
+    try {
+      var s = t[i](a), c = s.value, l = c instanceof Uo;
+      Promise.resolve(l ? c.v : c).then((function(u) {
+        if (l) {
+          var p = i === "return" ? "return" : "next";
+          if (!c.k || u.done) return o(p, u);
+          u = t[p](u).value;
+        }
+        r(s.done ? "return" : "normal", u);
+      }), (function(u) {
+        o("throw", u);
+      }));
+    } catch (u) {
+      r("throw", u);
+    }
+  }
+  function r(i, a) {
+    switch (i) {
+      case "return":
+        e.resolve({ value: a, done: !0 });
+        break;
+      case "throw":
+        e.reject(a);
+        break;
+      default:
+        e.resolve({ value: a, done: !1 });
+    }
+    (e = e.next) ? o(e.key, e.arg) : n = null;
+  }
+  this._invoke = function(i, a) {
+    return new Promise((function(s, c) {
+      var l = { key: i, arg: a, resolve: s, reject: c, next: null };
+      n ? n = n.next = l : (e = n = l, o(i, a));
+    }));
+  }, typeof t.return != "function" && (this.return = void 0);
+}
+let pn;
+Xe.prototype[typeof Symbol == "function" && Symbol.asyncIterator || "@@asyncIterator"] = function() {
+  return this;
+}, Xe.prototype.next = function(t) {
+  return this._invoke("next", t);
+}, Xe.prototype.throw = function(t) {
+  return this._invoke("throw", t);
+}, Xe.prototype.return = function(t) {
+  return this._invoke("return", t);
+}, (typeof navigator > "u" || (ft = navigator.userAgent) === null || ft === void 0 || (Gt = ft.startsWith) === null || Gt === void 0 || !Gt.call(ft, "Mozilla/5.0 ")) && (pn = "".concat("oauth4webapi", "/").concat("v3.8.3"));
+function Me(t, e) {
+  if (t == null) return !1;
+  try {
+    return t instanceof e || Object.getPrototypeOf(t)[Symbol.toStringTag] === e.prototype[Symbol.toStringTag];
+  } catch {
+    return !1;
+  }
+}
+function R(t, e, n) {
+  const o = new TypeError(t, { cause: n });
+  return Object.assign(o, { code: e }), o;
+}
+const q = Symbol(), mn = Symbol(), fn = Symbol(), ee = Symbol(), ce = Symbol(), ii = new TextEncoder(), ai = new TextDecoder();
+function ze(t) {
+  return typeof t == "string" ? ii.encode(t) : ai.decode(t);
+}
+let yn, Wo;
+Uint8Array.prototype.toBase64 ? yn = (t) => (t instanceof ArrayBuffer && (t = new Uint8Array(t)), t.toBase64({ alphabet: "base64url", omitPadding: !0 })) : yn = (e) => {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const n = [];
+  for (let o = 0; o < e.byteLength; o += 32768) n.push(String.fromCharCode.apply(null, e.subarray(o, o + 32768)));
+  return btoa(n.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+};
+function Oe(t) {
+  return typeof t == "string" ? Wo(t) : yn(t);
+}
+Wo = Uint8Array.fromBase64 ? (t) => {
+  try {
+    return Uint8Array.fromBase64(t, { alphabet: "base64url" });
+  } catch (e) {
+    throw R("The input to be decoded is not correctly encoded.", "ERR_INVALID_ARG_VALUE", e);
+  }
+} : (t) => {
+  try {
+    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
+    for (let o = 0; o < e.length; o++) n[o] = e.charCodeAt(o);
+    return n;
+  } catch (e) {
+    throw R("The input to be decoded is not correctly encoded.", "ERR_INVALID_ARG_VALUE", e);
+  }
+};
+class G extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "code", void 0), this.name = this.constructor.name, this.code = vn, (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+class Ln extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "code", void 0), this.name = this.constructor.name, n != null && n.code && (this.code = n == null ? void 0 : n.code), (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+function A(t, e, n) {
+  return new Ln(t, { code: e, cause: n });
+}
+function si(t, e) {
+  if ((function(n, o) {
+    if (!(n instanceof CryptoKey)) throw R("".concat(o, " must be a CryptoKey"), "ERR_INVALID_ARG_TYPE");
+  })(t, e), t.type !== "private") throw R("".concat(e, " must be a private CryptoKey"), "ERR_INVALID_ARG_VALUE");
+}
+function Rt(t) {
+  return t !== null && typeof t == "object" && !Array.isArray(t);
+}
+function Lt(t) {
+  Me(t, Headers) && (t = Object.fromEntries(t.entries()));
+  const e = new Headers(t ?? {});
+  if (pn && !e.has("user-agent") && e.set("user-agent", pn), e.has("authorization")) throw R('"options.headers" must not include the "authorization" header name', "ERR_INVALID_ARG_VALUE");
+  return e;
+}
+function Ho(t, e) {
+  if (e !== void 0) {
+    if (typeof e == "function" && (e = e(t.href)), !(e instanceof AbortSignal)) throw R('"options.signal" must return or be an instance of AbortSignal', "ERR_INVALID_ARG_TYPE");
+    return e;
+  }
+}
+function ao(t) {
+  return t.includes("//") ? t.replace("//", "/") : t;
+}
+async function ci(t, e) {
+  return (async function(n, o, r, i) {
+    if (!(n instanceof URL)) throw R('"'.concat(o, '" must be an instance of URL'), "ERR_INVALID_ARG_TYPE");
+    Un(n, (i == null ? void 0 : i[q]) !== !0);
+    const a = r(new URL(n.href)), s = Lt(i == null ? void 0 : i.headers);
+    return s.set("accept", "application/json"), ((i == null ? void 0 : i[ee]) || fetch)(a.href, { body: void 0, headers: Object.fromEntries(s.entries()), method: "GET", redirect: "manual", signal: Ho(a, i == null ? void 0 : i.signal) });
+  })(t, "issuerIdentifier", ((n) => {
+    switch (e == null ? void 0 : e.algorithm) {
+      case void 0:
+      case "oidc":
+        (function(o, r) {
+          o.pathname = ao("".concat(o.pathname, "/").concat(r));
+        })(n, ".well-known/openid-configuration");
+        break;
+      case "oauth2":
+        (function(o, r) {
+          let i = arguments.length > 2 && arguments[2] !== void 0 && arguments[2];
+          o.pathname === "/" ? o.pathname = r : o.pathname = ao("".concat(r, "/").concat(i ? o.pathname : o.pathname.replace(/(\/)$/, "")));
+        })(n, ".well-known/oauth-authorization-server");
+        break;
+      default:
+        throw R('"options.algorithm" must be "oidc" (default), or "oauth2"', "ERR_INVALID_ARG_VALUE");
+    }
+    return n;
+  }), e);
+}
+function ge(t, e, n, o, r) {
+  try {
+    if (typeof t != "number" || !Number.isFinite(t)) throw R("".concat(n, " must be a number"), "ERR_INVALID_ARG_TYPE", r);
+    if (t > 0) return;
+    if (e) {
+      if (t !== 0) throw R("".concat(n, " must be a non-negative number"), "ERR_INVALID_ARG_VALUE", r);
+      return;
+    }
+    throw R("".concat(n, " must be a positive number"), "ERR_INVALID_ARG_VALUE", r);
+  } catch (i) {
+    throw o ? A(i.message, o, r) : i;
+  }
+}
+function D(t, e, n, o) {
+  try {
+    if (typeof t != "string") throw R("".concat(e, " must be a string"), "ERR_INVALID_ARG_TYPE", o);
+    if (t.length === 0) throw R("".concat(e, " must not be empty"), "ERR_INVALID_ARG_VALUE", o);
+  } catch (r) {
+    throw n ? A(r.message, n, o) : r;
+  }
+}
+function zo(t) {
+  (function(e, n) {
+    if (Go(e) !== n) throw (function(o) {
+      let r = '"response" content-type must be ';
+      for (var i = arguments.length, a = new Array(i > 1 ? i - 1 : 0), s = 1; s < i; s++) a[s - 1] = arguments[s];
+      if (a.length > 2) {
+        const c = a.pop();
+        r += "".concat(a.join(", "), ", or ").concat(c);
+      } else a.length === 2 ? r += "".concat(a[0], " or ").concat(a[1]) : r += a[0];
+      return A(r, Zo, o);
+    })(e, n);
+  })(t, "application/json");
+}
+function Jo() {
+  return Oe(crypto.getRandomValues(new Uint8Array(32)));
+}
+function ui(t) {
+  switch (t.algorithm.name) {
+    case "RSA-PSS":
+      return (function(e) {
+        switch (e.algorithm.hash.name) {
+          case "SHA-256":
+            return "PS256";
+          case "SHA-384":
+            return "PS384";
+          case "SHA-512":
+            return "PS512";
+          default:
+            throw new G("unsupported RsaHashedKeyAlgorithm hash name", { cause: e });
+        }
+      })(t);
+    case "RSASSA-PKCS1-v1_5":
+      return (function(e) {
+        switch (e.algorithm.hash.name) {
+          case "SHA-256":
+            return "RS256";
+          case "SHA-384":
+            return "RS384";
+          case "SHA-512":
+            return "RS512";
+          default:
+            throw new G("unsupported RsaHashedKeyAlgorithm hash name", { cause: e });
+        }
+      })(t);
+    case "ECDSA":
+      return (function(e) {
+        switch (e.algorithm.namedCurve) {
+          case "P-256":
+            return "ES256";
+          case "P-384":
+            return "ES384";
+          case "P-521":
+            return "ES512";
+          default:
+            throw new G("unsupported EcKeyAlgorithm namedCurve", { cause: e });
+        }
+      })(t);
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return t.algorithm.name;
+    case "EdDSA":
+      return "Ed25519";
+    default:
+      throw new G("unsupported CryptoKey algorithm name", { cause: t });
+  }
+}
+function It(t) {
+  const e = t == null ? void 0 : t[mn];
+  return typeof e == "number" && Number.isFinite(e) ? e : 0;
+}
+function gn(t) {
+  const e = t == null ? void 0 : t[fn];
+  return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
+}
+function Ot() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Q(t) {
+  if (typeof t != "object" || t === null) throw R('"as" must be an object', "ERR_INVALID_ARG_TYPE");
+  D(t.issuer, '"as.issuer"');
+}
+function $(t) {
+  if (typeof t != "object" || t === null) throw R('"client" must be an object', "ERR_INVALID_ARG_TYPE");
+  D(t.client_id, '"client.client_id"');
+}
+function so(t) {
+  return D(t, '"clientSecret"'), (e, n, o, r) => {
+    o.set("client_id", n.client_id), o.set("client_secret", t);
+  };
+}
+function li(t, e) {
+  const { key: n, kid: o } = (r = t) instanceof CryptoKey ? { key: r } : (r == null ? void 0 : r.key) instanceof CryptoKey ? (r.kid !== void 0 && D(r.kid, '"kid"'), { key: r.key, kid: r.kid }) : {};
+  var r;
+  return si(n, '"clientPrivateKey.key"'), async (i, a, s, c) => {
+    const l = { alg: ui(n), kid: o }, u = (function(p, h) {
+      const d = Ot() + It(h);
+      return { jti: Jo(), aud: p.issuer, exp: d + 60, iat: d, nbf: d, iss: h.client_id, sub: h.client_id };
+    })(i, a);
+    s.set("client_id", a.client_id), s.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), s.set("client_assertion", await (async function(p, h, d) {
+      if (!d.usages.includes("sign")) throw R('CryptoKey instances used for signing assertions must include "sign" in their "usages"', "ERR_INVALID_ARG_VALUE");
+      const g = "".concat(Oe(ze(JSON.stringify(p))), ".").concat(Oe(ze(JSON.stringify(h)))), f = Oe(await crypto.subtle.sign((function(m) {
+        switch (m.algorithm.name) {
+          case "ECDSA":
+            return { name: m.algorithm.name, hash: Ri(m) };
+          case "RSA-PSS":
+            switch (lo(m), m.algorithm.hash.name) {
+              case "SHA-256":
+              case "SHA-384":
+              case "SHA-512":
+                return { name: m.algorithm.name, saltLength: parseInt(m.algorithm.hash.name.slice(-3), 10) >> 3 };
+              default:
+                throw new G("unsupported RSA-PSS hash name", { cause: m });
+            }
+          case "RSASSA-PKCS1-v1_5":
+            return lo(m), m.algorithm.name;
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+          case "Ed25519":
+            return m.algorithm.name;
+        }
+        throw new G("unsupported CryptoKey algorithm name", { cause: m });
+      })(d), d, ze(g)));
+      return "".concat(g, ".").concat(f);
+    })(l, u, n));
+  };
+}
+const di = URL.parse ? (t, e) => URL.parse(t, e) : (t, e) => {
+  try {
+    return new URL(t, e);
+  } catch {
+    return null;
+  }
+};
+function Un(t, e) {
+  if (e && t.protocol !== "https:") throw A("only requests to HTTPS are allowed", qo, t);
+  if (t.protocol !== "https:" && t.protocol !== "http:") throw A("only HTTP and HTTPS requests are allowed", Bo, t);
+}
+function co(t, e, n, o) {
+  let r;
+  if (typeof t != "string" || !(r = di(t))) throw A("authorization server metadata does not contain a valid ".concat(n ? '"as.mtls_endpoint_aliases.'.concat(e, '"') : '"as.'.concat(e, '"')), t === void 0 ? Ti : Pi, { attribute: n ? "mtls_endpoint_aliases.".concat(e) : e });
+  return Un(r, o), r;
+}
+function it(t, e, n, o) {
+  return n && t.mtls_endpoint_aliases && e in t.mtls_endpoint_aliases ? co(t.mtls_endpoint_aliases[e], e, n, o) : co(t[e], e, n, o);
+}
+class Ut extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "cause", void 0), b(this, "code", void 0), b(this, "error", void 0), b(this, "status", void 0), b(this, "error_description", void 0), b(this, "response", void 0), this.name = this.constructor.name, this.code = Ei, this.cause = n.cause, this.error = n.cause.error, this.status = n.response.status, this.error_description = n.cause.error_description, Object.defineProperty(this, "response", { enumerable: !1, value: n.response }), (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+class Mo extends Error {
+  constructor(e, n) {
+    var o, r;
+    super(e, n), b(this, "cause", void 0), b(this, "code", void 0), b(this, "error", void 0), b(this, "error_description", void 0), this.name = this.constructor.name, this.code = Ai, this.cause = n.cause, this.error = n.cause.get("error"), this.error_description = (o = n.cause.get("error_description")) !== null && o !== void 0 ? o : void 0, (r = Error.captureStackTrace) === null || r === void 0 || r.call(Error, this, this.constructor);
+  }
+}
+class Nn extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "cause", void 0), b(this, "code", void 0), b(this, "response", void 0), b(this, "status", void 0), this.name = this.constructor.name, this.code = Si, this.cause = n.cause, this.status = n.response.status, this.response = n.response, Object.defineProperty(this, "response", { enumerable: !1 }), (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+const hi = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+", pi = new RegExp("^[,\\s]*(" + hi + ")"), mi = new RegExp('^[,\\s]*([a-zA-Z0-9!#$%&\\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"[,\\s]*(.*)'), fi = new RegExp("^[,\\s]*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)[,\\s]*(.*)"), yi = new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");
+async function Wn(t, e, n) {
+  if (t.status !== e) {
+    let r;
+    var o;
+    throw (function(i) {
+      let a;
+      if (a = (function(s) {
+        if (!Me(s, Response)) throw R('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+        const c = s.headers.get("www-authenticate");
+        if (c === null) return;
+        const l = [];
+        let u = c;
+        for (; u; ) {
+          var p;
+          let h = u.match(pi);
+          const d = (p = h) === null || p === void 0 ? void 0 : p[1].toLowerCase();
+          if (!d) return;
+          const g = u.substring(h[0].length);
+          if (g && !g.match(/^[\s,]/)) return;
+          const f = g.match(/^\s+(.*)$/), m = !!f;
+          u = f ? f[1] : void 0;
+          const w = {};
+          let _;
+          if (m) for (; u; ) {
+            let E, y;
+            if (h = u.match(mi)) {
+              if ([, E, y, u] = h, y.includes("\\")) try {
+                y = JSON.parse('"'.concat(y, '"'));
+              } catch {
+              }
+              w[E.toLowerCase()] = y;
+            } else {
+              if (!(h = u.match(fi))) {
+                if (h = u.match(yi)) {
+                  if (Object.keys(w).length) break;
+                  [, _, u] = h;
+                  break;
+                }
+                return;
+              }
+              [, E, y, u] = h, w[E.toLowerCase()] = y;
+            }
+          }
+          else u = g || void 0;
+          const k = { scheme: d, parameters: w };
+          _ && (k.token68 = _), l.push(k);
+        }
+        return l.length ? l : void 0;
+      })(i)) throw new Nn("server responded with a challenge in the WWW-Authenticate HTTP Header", { cause: a, response: i });
+    })(t), (r = await (async function(i) {
+      if (i.status > 399 && i.status < 500) {
+        st(i), zo(i);
+        try {
+          const a = await i.clone().json();
+          if (Rt(a) && typeof a.error == "string" && a.error.length) return a;
+        } catch {
+        }
+      }
+    })(t)) ? (await ((o = t.body) === null || o === void 0 ? void 0 : o.cancel()), new Ut("server responded with an error in the response body", { cause: r, response: t })) : A('"response" is not a conform '.concat(n, " response (unexpected HTTP status code)"), Jn, t);
+  }
+}
+function Vo(t) {
+  if (!zn.has(t)) throw R('"options.DPoP" is not a valid DPoPHandle', "ERR_INVALID_ARG_VALUE");
+}
+function Go(t) {
+  var e;
+  return (e = t.headers.get("content-type")) === null || e === void 0 ? void 0 : e.split(";")[0];
+}
+async function Hn(t, e, n, o, r, i, a) {
+  return await n(t, e, r, i), i.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((a == null ? void 0 : a[ee]) || fetch)(o.href, { body: r, headers: Object.fromEntries(i.entries()), method: "POST", redirect: "manual", signal: Ho(o, a == null ? void 0 : a.signal) });
+}
+async function at(t, e, n, o, r, i) {
+  var a;
+  const s = it(t, "token_endpoint", e.use_mtls_endpoint_aliases, (i == null ? void 0 : i[q]) !== !0);
+  r.set("grant_type", o);
+  const c = Lt(i == null ? void 0 : i.headers);
+  c.set("accept", "application/json"), (i == null ? void 0 : i.DPoP) !== void 0 && (Vo(i.DPoP), await i.DPoP.addProof(s, c, "POST"));
+  const l = await Hn(t, e, n, s, r, c, i);
+  return i == null || (a = i.DPoP) === null || a === void 0 || a.cacheNonce(l, s), l;
+}
+const Fo = /* @__PURE__ */ new WeakMap(), gi = /* @__PURE__ */ new WeakMap();
+function wn(t) {
+  if (!t.id_token) return;
+  const e = Fo.get(t);
+  if (!e) throw R('"ref" was already garbage collected or did not resolve from the proper sources', "ERR_INVALID_ARG_VALUE");
+  return e;
+}
+async function Je(t, e, n, o, r, i) {
+  if (Q(t), $(e), !Me(n, Response)) throw R('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+  await Wn(n, 200, "Token Endpoint"), st(n);
+  const a = await Nt(n);
+  if (D(a.access_token, '"response" body "access_token" property', T, { body: a }), D(a.token_type, '"response" body "token_type" property', T, { body: a }), a.token_type = a.token_type.toLowerCase(), a.expires_in !== void 0) {
+    let s = typeof a.expires_in != "number" ? parseFloat(a.expires_in) : a.expires_in;
+    ge(s, !0, '"response" body "expires_in" property', T, { body: a }), a.expires_in = s;
+  }
+  if (a.refresh_token !== void 0 && D(a.refresh_token, '"response" body "refresh_token" property', T, { body: a }), a.scope !== void 0 && typeof a.scope != "string") throw A('"response" body "scope" property must be a string', T, { body: a });
+  if (a.id_token !== void 0) {
+    D(a.id_token, '"response" body "id_token" property', T, { body: a });
+    const s = ["aud", "exp", "iat", "iss", "sub"];
+    e.require_auth_time === !0 && s.push("auth_time"), e.default_max_age !== void 0 && (ge(e.default_max_age, !0, '"client.default_max_age"'), s.push("auth_time")), o != null && o.length && s.push(...o);
+    const { claims: c, jwt: l } = await (async function(u, p, h, d, g) {
+      let f, m, { 0: w, 1: _, length: k } = u.split(".");
+      if (k === 5) {
+        if (g === void 0) throw new G("JWE decryption is not configured", { cause: u });
+        u = await g(u), { 0: w, 1: _, length: k } = u.split(".");
+      }
+      if (k !== 3) throw A("Invalid JWT", T, u);
+      try {
+        f = JSON.parse(ze(Oe(w)));
+      } catch (y) {
+        throw A("failed to parse JWT Header body as base64url encoded JSON", xt, y);
+      }
+      if (!Rt(f)) throw A("JWT Header must be a top level object", T, u);
+      if (p(f), f.crit !== void 0) throw new G('no JWT "crit" header parameter extensions are supported', { cause: { header: f } });
+      try {
+        m = JSON.parse(ze(Oe(_)));
+      } catch (y) {
+        throw A("failed to parse JWT Payload body as base64url encoded JSON", xt, y);
+      }
+      if (!Rt(m)) throw A("JWT Payload must be a top level object", T, u);
+      const E = Ot() + h;
+      if (m.exp !== void 0) {
+        if (typeof m.exp != "number") throw A('unexpected JWT "exp" (expiration time) claim type', T, { claims: m });
+        if (m.exp <= E - d) throw A('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', ot, { claims: m, now: E, tolerance: d, claim: "exp" });
+      }
+      if (m.iat !== void 0 && typeof m.iat != "number") throw A('unexpected JWT "iat" (issued at) claim type', T, { claims: m });
+      if (m.iss !== void 0 && typeof m.iss != "string") throw A('unexpected JWT "iss" (issuer) claim type', T, { claims: m });
+      if (m.nbf !== void 0) {
+        if (typeof m.nbf != "number") throw A('unexpected JWT "nbf" (not before) claim type', T, { claims: m });
+        if (m.nbf > E + d) throw A('unexpected JWT "nbf" (not before) claim value', ot, { claims: m, now: E, tolerance: d, claim: "nbf" });
+      }
+      if (m.aud !== void 0 && typeof m.aud != "string" && !Array.isArray(m.aud)) throw A('unexpected JWT "aud" (audience) claim type', T, { claims: m });
+      return { header: f, claims: m, jwt: u };
+    })(a.id_token, Oi.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported, "RS256"), It(e), gn(e), r).then(_i.bind(void 0, s)).then(vi.bind(void 0, t)).then(wi.bind(void 0, e.client_id));
+    if (Array.isArray(c.aud) && c.aud.length !== 1) {
+      if (c.azp === void 0) throw A('ID Token "aud" (audience) claim includes additional untrusted audiences', se, { claims: c, claim: "aud" });
+      if (c.azp !== e.client_id) throw A('unexpected ID Token "azp" (authorized party) claim value', se, { expected: e.client_id, claims: c, claim: "azp" });
+    }
+    c.auth_time !== void 0 && ge(c.auth_time, !0, 'ID Token "auth_time" (authentication time)', T, { claims: c }), gi.set(n, l), Fo.set(a, c);
+  }
+  if ((i == null ? void 0 : i[a.token_type]) !== void 0) i[a.token_type](n, a);
+  else if (a.token_type !== "dpop" && a.token_type !== "bearer") throw new G("unsupported `token_type` value", { cause: { body: a } });
+  return a;
+}
+function wi(t, e) {
+  if (Array.isArray(e.claims.aud)) {
+    if (!e.claims.aud.includes(t)) throw A('unexpected JWT "aud" (audience) claim value', se, { expected: t, claims: e.claims, claim: "aud" });
+  } else if (e.claims.aud !== t) throw A('unexpected JWT "aud" (audience) claim value', se, { expected: t, claims: e.claims, claim: "aud" });
+  return e;
+}
+function vi(t, e) {
+  var n, o;
+  const r = (n = (o = t[Xo]) === null || o === void 0 ? void 0 : o.call(t, e)) !== null && n !== void 0 ? n : t.issuer;
+  if (e.claims.iss !== r) throw A('unexpected JWT "iss" (issuer) claim value', se, { expected: r, claims: e.claims, claim: "iss" });
+  return e;
+}
+const zn = /* @__PURE__ */ new WeakSet(), uo = Symbol(), bi = { aud: "audience", c_hash: "code hash", client_id: "client id", exp: "expiration time", iat: "issued at", iss: "issuer", jti: "jwt id", nonce: "nonce", s_hash: "state hash", sub: "subject", ath: "access token hash", htm: "http method", htu: "http uri", cnf: "confirmation", auth_time: "authentication time" };
+function _i(t, e) {
+  for (const n of t) if (e.claims[n] === void 0) throw A('JWT "'.concat(n, '" (').concat(bi[n], ") claim missing"), T, { claims: e.claims });
+  return e;
+}
+const Ft = Symbol(), Zt = Symbol();
+async function ki(t, e, n, o) {
+  return typeof (o == null ? void 0 : o.expectedNonce) == "string" || typeof (o == null ? void 0 : o.maxAge) == "number" || o != null && o.requireIdToken ? (async function(r, i, a, s, c, l, u) {
+    const p = [];
+    switch (s) {
+      case void 0:
+        s = Ft;
+        break;
+      case Ft:
+        break;
+      default:
+        D(s, '"expectedNonce" argument'), p.push("nonce");
+    }
+    switch (c != null || (c = i.default_max_age), c) {
+      case void 0:
+        c = Zt;
+        break;
+      case Zt:
+        break;
+      default:
+        ge(c, !0, '"maxAge" argument'), p.push("auth_time");
+    }
+    const h = await Je(r, i, a, p, l, u);
+    D(h.id_token, '"response" body "id_token" property', T, { body: h });
+    const d = wn(h);
+    if (c !== Zt) {
+      const g = Ot() + It(i), f = gn(i);
+      if (d.auth_time + c < g - f) throw A("too much time has elapsed since the last End-User authentication", ot, { claims: d, now: g, tolerance: f, claim: "auth_time" });
+    }
+    if (s === Ft) {
+      if (d.nonce !== void 0) throw A('unexpected ID Token "nonce" claim value', se, { expected: void 0, claims: d, claim: "nonce" });
+    } else if (d.nonce !== s) throw A('unexpected ID Token "nonce" claim value', se, { expected: s, claims: d, claim: "nonce" });
+    return h;
+  })(t, e, n, o.expectedNonce, o.maxAge, o[ce], o.recognizedTokenTypes) : (async function(r, i, a, s, c) {
+    const l = await Je(r, i, a, void 0, s, c), u = wn(l);
+    if (u) {
+      if (i.default_max_age !== void 0) {
+        ge(i.default_max_age, !0, '"client.default_max_age"');
+        const p = Ot() + It(i), h = gn(i);
+        if (u.auth_time + i.default_max_age < p - h) throw A("too much time has elapsed since the last End-User authentication", ot, { claims: u, now: p, tolerance: h, claim: "auth_time" });
+      }
+      if (u.nonce !== void 0) throw A('unexpected ID Token "nonce" claim value', se, { expected: void 0, claims: u, claim: "nonce" });
+    }
+    return l;
+  })(t, e, n, o == null ? void 0 : o[ce], o == null ? void 0 : o.recognizedTokenTypes);
+}
+const Si = "OAUTH_WWW_AUTHENTICATE_CHALLENGE", Ei = "OAUTH_RESPONSE_BODY_ERROR", vn = "OAUTH_UNSUPPORTED_OPERATION", Ai = "OAUTH_AUTHORIZATION_RESPONSE_ERROR", xt = "OAUTH_PARSE_ERROR", T = "OAUTH_INVALID_RESPONSE", Zo = "OAUTH_RESPONSE_IS_NOT_JSON", Jn = "OAUTH_RESPONSE_IS_NOT_CONFORM", qo = "OAUTH_HTTP_REQUEST_FORBIDDEN", Bo = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN", ot = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED", se = "OAUTH_JWT_CLAIM_COMPARISON_FAILED", bn = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED", Ti = "OAUTH_MISSING_SERVER_METADATA", Pi = "OAUTH_INVALID_SERVER_METADATA";
+function st(t) {
+  if (t.bodyUsed) throw R('"response" body has been used already', "ERR_INVALID_ARG_VALUE");
+}
+function lo(t) {
+  const { algorithm: e } = t;
+  if (typeof e.modulusLength != "number" || e.modulusLength < 2048) throw new G("unsupported ".concat(e.name, " modulusLength"), { cause: t });
+}
+function Ri(t) {
+  const { algorithm: e } = t;
+  switch (e.namedCurve) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new G("unsupported ECDSA namedCurve", { cause: t });
+  }
+}
+async function Ii(t) {
+  if (t.method !== "POST") throw R("form_post responses are expected to use the POST method", "ERR_INVALID_ARG_VALUE", { cause: t });
+  if (Go(t) !== "application/x-www-form-urlencoded") throw R("form_post responses are expected to use the application/x-www-form-urlencoded content-type", "ERR_INVALID_ARG_VALUE", { cause: t });
+  return (async function(e) {
+    if (e.bodyUsed) throw R("form_post Request instances must contain a readable body", "ERR_INVALID_ARG_VALUE", { cause: e });
+    return e.text();
+  })(t);
+}
+function Oi(t, e, n, o) {
+  if (t === void 0) if (Array.isArray(e)) {
+    if (!e.includes(o.alg)) throw A('unexpected JWT "alg" header parameter', T, { header: o, expected: e, reason: "authorization server metadata" });
+  } else {
+    if (n === void 0) throw A('missing client or server configuration to verify used JWT "alg" header parameter', void 0, { client: t, issuer: e, fallback: n });
+    if (typeof n == "string" ? o.alg !== n : typeof n == "function" ? !n(o.alg) : !n.includes(o.alg)) throw A('unexpected JWT "alg" header parameter', T, { header: o, expected: n, reason: "default value" });
+  }
+  else if (typeof t == "string" ? o.alg !== t : !t.includes(o.alg)) throw A('unexpected JWT "alg" header parameter', T, { header: o, expected: t, reason: "client configuration" });
+}
+function Te(t, e) {
+  const { 0: n, length: o } = t.getAll(e);
+  if (o > 1) throw A('"'.concat(e, '" parameter must be provided only once'), T);
+  return n;
+}
+const xi = Symbol(), Ci = Symbol();
+function ji(t, e, n, o) {
+  if (Q(t), $(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams)) throw R('"parameters" must be an instance of URLSearchParams, or URL', "ERR_INVALID_ARG_TYPE");
+  if (Te(n, "response")) throw A('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', T, { parameters: n });
+  const r = Te(n, "iss"), i = Te(n, "state");
+  if (!r && t.authorization_response_iss_parameter_supported) throw A('response parameter "iss" (issuer) missing', T, { parameters: n });
+  if (r && r !== t.issuer) throw A('unexpected "iss" (issuer) response parameter value', T, { expected: t.issuer, parameters: n });
+  switch (o) {
+    case void 0:
+    case Ci:
+      if (i !== void 0) throw A('unexpected "state" response parameter encountered', T, { expected: void 0, parameters: n });
+      break;
+    case xi:
+      break;
+    default:
+      if (D(o, '"expectedState" argument'), i !== o) throw A(i === void 0 ? 'response parameter "state" missing' : 'unexpected "state" response parameter value', T, { expected: o, parameters: n });
+  }
+  if (Te(n, "error")) throw new Mo("authorization response from the server is an error", { cause: n });
+  const a = Te(n, "id_token"), s = Te(n, "token");
+  if (a !== void 0 || s !== void 0) throw new G("implicit and hybrid flows are not supported");
+  return c = new URLSearchParams(n), zn.add(c), c;
+  var c;
+}
+async function Nt(t) {
+  let e, n = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : zo;
+  try {
+    e = await t.json();
+  } catch (o) {
+    throw n(t), A('failed to parse "response" body as JSON', xt, o);
+  }
+  if (!Rt(e)) throw A('"response" body must be a top level object', T, { body: e });
+  return e;
+}
+const qt = Symbol(), Xo = Symbol(), ho = new TextEncoder(), rt = new TextDecoder();
+function Bt(t) {
+  const e = new Uint8Array(t.length);
+  for (let n = 0; n < t.length; n++) {
+    const o = t.charCodeAt(n);
+    if (o > 127) throw new TypeError("non-ASCII string encountered in encode()");
+    e[n] = o;
+  }
+  return e;
+}
+function Yo(t) {
+  if (Uint8Array.fromBase64) return Uint8Array.fromBase64(t);
+  const e = atob(t), n = new Uint8Array(e.length);
+  for (let o = 0; o < e.length; o++) n[o] = e.charCodeAt(o);
+  return n;
+}
+function $e(t) {
+  if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof t == "string" ? t : rt.decode(t), { alphabet: "base64url" });
+  let e = t;
+  e instanceof Uint8Array && (e = rt.decode(e)), e = e.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return Yo(e);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+class W extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "code", "ERR_JOSE_GENERIC"), this.name = this.constructor.name, (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+b(W, "code", "ERR_JOSE_GENERIC");
+class B extends W {
+  constructor(e, n) {
+    let o = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : "unspecified", r = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : "unspecified";
+    super(e, { cause: { claim: o, reason: r, payload: n } }), b(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED"), b(this, "claim", void 0), b(this, "reason", void 0), b(this, "payload", void 0), this.claim = o, this.reason = r, this.payload = n;
+  }
+}
+b(B, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+class _n extends W {
+  constructor(e, n) {
+    let o = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : "unspecified", r = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : "unspecified";
+    super(e, { cause: { claim: o, reason: r, payload: n } }), b(this, "code", "ERR_JWT_EXPIRED"), b(this, "claim", void 0), b(this, "reason", void 0), b(this, "payload", void 0), this.claim = o, this.reason = r, this.payload = n;
+  }
+}
+b(_n, "code", "ERR_JWT_EXPIRED");
+class Qo extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+  }
+}
+b(Qo, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+class V extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+  }
+}
+b(V, "code", "ERR_JOSE_NOT_SUPPORTED");
+b(class extends W {
+  constructor() {
+    super(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "decryption operation failed", arguments.length > 1 ? arguments[1] : void 0), b(this, "code", "ERR_JWE_DECRYPTION_FAILED");
+  }
+}, "code", "ERR_JWE_DECRYPTION_FAILED");
+b(class extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JWE_INVALID");
+  }
+}, "code", "ERR_JWE_INVALID");
+class L extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JWS_INVALID");
+  }
+}
+b(L, "code", "ERR_JWS_INVALID");
+class kn extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JWT_INVALID");
+  }
+}
+b(kn, "code", "ERR_JWT_INVALID");
+b(class extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JWK_INVALID");
+  }
+}, "code", "ERR_JWK_INVALID");
+class Mn extends W {
+  constructor() {
+    super(...arguments), b(this, "code", "ERR_JWKS_INVALID");
+  }
+}
+b(Mn, "code", "ERR_JWKS_INVALID");
+class Vn extends W {
+  constructor() {
+    super(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "no applicable key found in the JSON Web Key Set", arguments.length > 1 ? arguments[1] : void 0), b(this, "code", "ERR_JWKS_NO_MATCHING_KEY");
+  }
+}
+b(Vn, "code", "ERR_JWKS_NO_MATCHING_KEY");
+class $o extends W {
+  constructor() {
+    super(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "multiple matching keys found in the JSON Web Key Set", arguments.length > 1 ? arguments[1] : void 0), b(this, Symbol.asyncIterator, void 0), b(this, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+  }
+}
+b($o, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+class er extends W {
+  constructor() {
+    super(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "request timed out", arguments.length > 1 ? arguments[1] : void 0), b(this, "code", "ERR_JWKS_TIMEOUT");
+  }
+}
+b(er, "code", "ERR_JWKS_TIMEOUT");
+class tr extends W {
+  constructor() {
+    super(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "signature verification failed", arguments.length > 1 ? arguments[1] : void 0), b(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+  }
+}
+b(tr, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+const te = function(t) {
+  let e = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : "algorithm.name";
+  return new TypeError("CryptoKey does not support this operation, its ".concat(e, " must be ").concat(t));
+}, Ke = (t, e) => t.name === e;
+function Xt(t) {
+  return parseInt(t.name.slice(4), 10);
+}
+function Di(t, e, n) {
+  switch (e) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!Ke(t.algorithm, "HMAC")) throw te("HMAC");
+      const o = parseInt(e.slice(2), 10);
+      if (Xt(t.algorithm.hash) !== o) throw te("SHA-".concat(o), "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!Ke(t.algorithm, "RSASSA-PKCS1-v1_5")) throw te("RSASSA-PKCS1-v1_5");
+      const o = parseInt(e.slice(2), 10);
+      if (Xt(t.algorithm.hash) !== o) throw te("SHA-".concat(o), "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!Ke(t.algorithm, "RSA-PSS")) throw te("RSA-PSS");
+      const o = parseInt(e.slice(2), 10);
+      if (Xt(t.algorithm.hash) !== o) throw te("SHA-".concat(o), "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA":
+      if (!Ke(t.algorithm, "Ed25519")) throw te("Ed25519");
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      if (!Ke(t.algorithm, e)) throw te(e);
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!Ke(t.algorithm, "ECDSA")) throw te("ECDSA");
+      const o = (function(r) {
+        switch (r) {
+          case "ES256":
+            return "P-256";
+          case "ES384":
+            return "P-384";
+          case "ES512":
+            return "P-521";
+          default:
+            throw new Error("unreachable");
+        }
+      })(e);
+      if (t.algorithm.namedCurve !== o) throw te(o, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  (function(o, r) {
+    if (!o.usages.includes(r)) throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(r, "."));
+  })(t, n);
+}
+function nr(t, e) {
+  for (var n = arguments.length, o = new Array(n > 2 ? n - 2 : 0), r = 2; r < n; r++) o[r - 2] = arguments[r];
+  if ((o = o.filter(Boolean)).length > 2) {
+    const a = o.pop();
+    t += "one of type ".concat(o.join(", "), ", or ").concat(a, ".");
+  } else o.length === 2 ? t += "one of type ".concat(o[0], " or ").concat(o[1], ".") : t += "of type ".concat(o[0], ".");
+  if (e == null) t += " Received ".concat(e);
+  else if (typeof e == "function" && e.name) t += " Received function ".concat(e.name);
+  else if (typeof e == "object" && e != null) {
+    var i;
+    (i = e.constructor) !== null && i !== void 0 && i.name && (t += " Received an instance of ".concat(e.constructor.name));
+  }
+  return t;
+}
+const po = function(t, e) {
+  for (var n = arguments.length, o = new Array(n > 2 ? n - 2 : 0), r = 2; r < n; r++) o[r - 2] = arguments[r];
+  return nr("Key for the ".concat(t, " algorithm must be "), e, ...o);
+}, or = (t) => {
+  if ((t == null ? void 0 : t[Symbol.toStringTag]) === "CryptoKey") return !0;
+  try {
+    return t instanceof CryptoKey;
+  } catch {
+    return !1;
+  }
+}, rr = (t) => (t == null ? void 0 : t[Symbol.toStringTag]) === "KeyObject", mo = (t) => or(t) || rr(t);
+function ve(t) {
+  if (typeof (e = t) != "object" || e === null || Object.prototype.toString.call(t) !== "[object Object]") return !1;
+  var e;
+  if (Object.getPrototypeOf(t) === null) return !0;
+  let n = t;
+  for (; Object.getPrototypeOf(n) !== null; ) n = Object.getPrototypeOf(n);
+  return Object.getPrototypeOf(t) === n;
+}
+const Yt = (t, e) => {
+  if (t.byteLength !== e.length) return !1;
+  for (let n = 0; n < t.byteLength; n++) if (t[n] !== e[n]) return !1;
+  return !0;
+}, et = (t) => {
+  const e = t.data[t.pos++];
+  if (128 & e) {
+    const n = 127 & e;
+    let o = 0;
+    for (let r = 0; r < n; r++) o = o << 8 | t.data[t.pos++];
+    return o;
+  }
+  return e;
+}, tt = (t, e, n) => {
+  if (t.data[t.pos++] !== e) throw new Error(n);
+}, fo = (t, e) => {
+  const n = t.data.subarray(t.pos, t.pos + e);
+  return t.pos += e, n;
+}, Ki = (t) => {
+  const e = ((r) => {
+    tt(r, 6, "Expected algorithm OID");
+    const i = et(r);
+    return fo(r, i);
+  })(t);
+  if (Yt(e, [43, 101, 110])) return "X25519";
+  if (!Yt(e, [42, 134, 72, 206, 61, 2, 1])) throw new Error("Unsupported key algorithm");
+  tt(t, 6, "Expected curve OID");
+  const n = et(t), o = fo(t, n);
+  for (const { name: r, oid: i } of [{ name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] }, { name: "P-384", oid: [43, 129, 4, 0, 34] }, { name: "P-521", oid: [43, 129, 4, 0, 35] }]) if (Yt(o, i)) return r;
+  throw new Error("Unsupported named curve");
+}, Li = async (t, e, n, o) => {
+  var r;
+  let i, a;
+  const s = () => ["sign"];
+  switch (n) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      i = { name: "RSA-PSS", hash: "SHA-".concat(n.slice(-3)) }, a = s();
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      i = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-".concat(n.slice(-3)) }, a = s();
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      i = { name: "RSA-OAEP", hash: "SHA-".concat(parseInt(n.slice(-3), 10) || 1) }, a = ["decrypt", "unwrapKey"];
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      i = { name: "ECDSA", namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[n] }, a = s();
+      break;
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW":
+      try {
+        const c = o.getNamedCurve(e);
+        i = c === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve: c };
+      } catch {
+        throw new V("Invalid or unsupported key format");
+      }
+      a = ["deriveBits"];
+      break;
+    case "Ed25519":
+    case "EdDSA":
+      i = { name: "Ed25519" }, a = s();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      i = { name: n }, a = s();
+      break;
+    default:
+      throw new V('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return crypto.subtle.importKey(t, e, i, (r = o == null ? void 0 : o.extractable) !== null && r !== void 0 ? r : !1, a);
+}, Ui = (t, e, n) => {
+  var o;
+  const r = ((a, s) => Yo(a.replace(s, "")))(t, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+  let i = n;
+  return e != null && (o = e.startsWith) !== null && o !== void 0 && o.call(e, "ECDH-ES") && (i || (i = {}), i.getNamedCurve = (a) => {
+    const s = { data: a, pos: 0 };
+    return (function(c) {
+      tt(c, 48, "Invalid PKCS#8 structure"), et(c), tt(c, 2, "Expected version field");
+      const l = et(c);
+      c.pos += l, tt(c, 48, "Expected algorithm identifier"), et(c);
+    })(s), Ki(s);
+  }), Li("pkcs8", r, e, i);
+};
+async function St(t) {
+  var e, n;
+  if (!t.alg) throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: o, keyUsages: r } = (function(a) {
+    let s, c;
+    switch (a.kty) {
+      case "AKP":
+        switch (a.alg) {
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+            s = { name: a.alg }, c = a.priv ? ["sign"] : ["verify"];
+            break;
+          default:
+            throw new V('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "RSA":
+        switch (a.alg) {
+          case "PS256":
+          case "PS384":
+          case "PS512":
+            s = { name: "RSA-PSS", hash: "SHA-".concat(a.alg.slice(-3)) }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "RS256":
+          case "RS384":
+          case "RS512":
+            s = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-".concat(a.alg.slice(-3)) }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "RSA-OAEP":
+          case "RSA-OAEP-256":
+          case "RSA-OAEP-384":
+          case "RSA-OAEP-512":
+            s = { name: "RSA-OAEP", hash: "SHA-".concat(parseInt(a.alg.slice(-3), 10) || 1) }, c = a.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+            break;
+          default:
+            throw new V('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "EC":
+        switch (a.alg) {
+          case "ES256":
+            s = { name: "ECDSA", namedCurve: "P-256" }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "ES384":
+            s = { name: "ECDSA", namedCurve: "P-384" }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "ES512":
+            s = { name: "ECDSA", namedCurve: "P-521" }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            s = { name: "ECDH", namedCurve: a.crv }, c = a.d ? ["deriveBits"] : [];
+            break;
+          default:
+            throw new V('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "OKP":
+        switch (a.alg) {
+          case "Ed25519":
+          case "EdDSA":
+            s = { name: "Ed25519" }, c = a.d ? ["sign"] : ["verify"];
+            break;
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            s = { name: a.crv }, c = a.d ? ["deriveBits"] : [];
+            break;
+          default:
+            throw new V('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      default:
+        throw new V('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+    }
+    return { algorithm: s, keyUsages: c };
+  })(t), i = S({}, t);
+  return i.kty !== "AKP" && delete i.alg, delete i.use, crypto.subtle.importKey("jwk", i, o, (e = t.ext) !== null && e !== void 0 ? e : !t.d && !t.priv, (n = t.key_ops) !== null && n !== void 0 ? n : r);
+}
+const Sn = (t) => ve(t) && typeof t.kty == "string";
+let fe;
+const yo = async function(t, e, n) {
+  let o = arguments.length > 3 && arguments[3] !== void 0 && arguments[3];
+  fe || (fe = /* @__PURE__ */ new WeakMap());
+  let r = fe.get(t);
+  if (r != null && r[n]) return r[n];
+  const i = await St(S(S({}, e), {}, { alg: n }));
+  return o && Object.freeze(t), r ? r[n] = i : fe.set(t, { [n]: i }), i;
+};
+async function Ni(t, e) {
+  if (t instanceof Uint8Array || or(t)) return t;
+  if (rr(t)) {
+    if (t.type === "secret") return t.export();
+    if ("toCryptoKey" in t && typeof t.toCryptoKey == "function") try {
+      return ((o, r) => {
+        fe || (fe = /* @__PURE__ */ new WeakMap());
+        let i = fe.get(o);
+        if (i != null && i[r]) return i[r];
+        const a = o.type === "public", s = !!a;
+        let c;
+        if (o.asymmetricKeyType === "x25519") {
+          switch (r) {
+            case "ECDH-ES":
+            case "ECDH-ES+A128KW":
+            case "ECDH-ES+A192KW":
+            case "ECDH-ES+A256KW":
+              break;
+            default:
+              throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          }
+          c = o.toCryptoKey(o.asymmetricKeyType, s, a ? [] : ["deriveBits"]);
+        }
+        if (o.asymmetricKeyType === "ed25519") {
+          if (r !== "EdDSA" && r !== "Ed25519") throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          c = o.toCryptoKey(o.asymmetricKeyType, s, [a ? "verify" : "sign"]);
+        }
+        switch (o.asymmetricKeyType) {
+          case "ml-dsa-44":
+          case "ml-dsa-65":
+          case "ml-dsa-87":
+            if (r !== o.asymmetricKeyType.toUpperCase()) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+            c = o.toCryptoKey(o.asymmetricKeyType, s, [a ? "verify" : "sign"]);
+        }
+        if (o.asymmetricKeyType === "rsa") {
+          let u;
+          switch (r) {
+            case "RSA-OAEP":
+              u = "SHA-1";
+              break;
+            case "RS256":
+            case "PS256":
+            case "RSA-OAEP-256":
+              u = "SHA-256";
+              break;
+            case "RS384":
+            case "PS384":
+            case "RSA-OAEP-384":
+              u = "SHA-384";
+              break;
+            case "RS512":
+            case "PS512":
+            case "RSA-OAEP-512":
+              u = "SHA-512";
+              break;
+            default:
+              throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          }
+          if (r.startsWith("RSA-OAEP")) return o.toCryptoKey({ name: "RSA-OAEP", hash: u }, s, a ? ["encrypt"] : ["decrypt"]);
+          c = o.toCryptoKey({ name: r.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5", hash: u }, s, [a ? "verify" : "sign"]);
+        }
+        if (o.asymmetricKeyType === "ec") {
+          var l;
+          const u = (/* @__PURE__ */ new Map([["prime256v1", "P-256"], ["secp384r1", "P-384"], ["secp521r1", "P-521"]])).get((l = o.asymmetricKeyDetails) === null || l === void 0 ? void 0 : l.namedCurve);
+          if (!u) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          r === "ES256" && u === "P-256" && (c = o.toCryptoKey({ name: "ECDSA", namedCurve: u }, s, [a ? "verify" : "sign"])), r === "ES384" && u === "P-384" && (c = o.toCryptoKey({ name: "ECDSA", namedCurve: u }, s, [a ? "verify" : "sign"])), r === "ES512" && u === "P-521" && (c = o.toCryptoKey({ name: "ECDSA", namedCurve: u }, s, [a ? "verify" : "sign"])), r.startsWith("ECDH-ES") && (c = o.toCryptoKey({ name: "ECDH", namedCurve: u }, s, a ? [] : ["deriveBits"]));
+        }
+        if (!c) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        return i ? i[r] = c : fe.set(o, { [r]: c }), c;
+      })(t, e);
+    } catch (o) {
+      if (o instanceof TypeError) throw o;
+    }
+    let n = t.export({ format: "jwk" });
+    return yo(t, n, e);
+  }
+  if (Sn(t)) return t.k ? $e(t.k) : yo(t, t, e, !0);
+  throw new Error("unreachable");
+}
+const Le = (t) => t == null ? void 0 : t[Symbol.toStringTag], Qt = (t, e, n) => {
+  if (e.use !== void 0) {
+    let i;
+    switch (n) {
+      case "sign":
+      case "verify":
+        i = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        i = "enc";
+    }
+    if (e.use !== i) throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(i, '" when present'));
+  }
+  if (e.alg !== void 0 && e.alg !== t) throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(t, '" when present'));
+  if (Array.isArray(e.key_ops)) {
+    var o, r;
+    let i;
+    switch (!0) {
+      case n === "verify":
+      case t === "dir":
+      case t.includes("CBC-HS"):
+        i = n;
+        break;
+      case t.startsWith("PBES2"):
+        i = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(t):
+        i = !t.includes("GCM") && t.endsWith("KW") ? "unwrapKey" : n;
+        break;
+      case n === "encrypt":
+        i = "wrapKey";
+        break;
+      case n === "decrypt":
+        i = t.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+    }
+    if (i && ((o = e.key_ops) === null || o === void 0 || (r = o.includes) === null || r === void 0 ? void 0 : r.call(o, i)) === !1) throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i, '" when present'));
+  }
+  return !0;
+};
+function Wi(t, e, n) {
+  switch (t.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      ((o, r, i) => {
+        if (!(r instanceof Uint8Array)) {
+          if (Sn(r)) {
+            if (((a) => a.kty === "oct" && typeof a.k == "string")(r) && Qt(o, r, i)) return;
+            throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+          }
+          if (!mo(r)) throw new TypeError(po(o, r, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+          if (r.type !== "secret") throw new TypeError("".concat(Le(r), ' instances for symmetric algorithms must be of type "secret"'));
+        }
+      })(t, e, n);
+      break;
+    default:
+      ((o, r, i) => {
+        if (Sn(r)) switch (i) {
+          case "decrypt":
+          case "sign":
+            if (((a) => a.kty !== "oct" && (a.kty === "AKP" && typeof a.priv == "string" || typeof a.d == "string"))(r) && Qt(o, r, i)) return;
+            throw new TypeError("JSON Web Key for this operation must be a private JWK");
+          case "encrypt":
+          case "verify":
+            if (((a) => a.kty !== "oct" && a.d === void 0 && a.priv === void 0)(r) && Qt(o, r, i)) return;
+            throw new TypeError("JSON Web Key for this operation must be a public JWK");
+        }
+        if (!mo(r)) throw new TypeError(po(o, r, "CryptoKey", "KeyObject", "JSON Web Key"));
+        if (r.type === "secret") throw new TypeError("".concat(Le(r), ' instances for asymmetric algorithms must not be of type "secret"'));
+        if (r.type === "public") switch (i) {
+          case "sign":
+            throw new TypeError("".concat(Le(r), ' instances for asymmetric algorithm signing must be of type "private"'));
+          case "decrypt":
+            throw new TypeError("".concat(Le(r), ' instances for asymmetric algorithm decryption must be of type "private"'));
+        }
+        if (r.type === "private") switch (i) {
+          case "verify":
+            throw new TypeError("".concat(Le(r), ' instances for asymmetric algorithm verifying must be of type "public"'));
+          case "encrypt":
+            throw new TypeError("".concat(Le(r), ' instances for asymmetric algorithm encryption must be of type "public"'));
+        }
+      })(t, e, n);
+  }
+}
+var yt, $t;
+let re, go;
+(typeof navigator > "u" || (yt = navigator.userAgent) === null || yt === void 0 || ($t = yt.startsWith) === null || $t === void 0 || !$t.call(yt, "Mozilla/5.0 ")) && (go = "".concat("openid-client", "/").concat("v6.8.1"), re = { "user-agent": go });
+const N = (t) => Et.get(t);
+let Et, gt;
+function ir(t) {
+  return t !== void 0 ? so(t) : (gt || (gt = /* @__PURE__ */ new WeakMap()), (e, n, o, r) => {
+    let i;
+    return (i = gt.get(n)) || ((function(a, s) {
+      if (typeof a != "string") throw ie("".concat(s, " must be a string"), ut);
+      if (a.length === 0) throw ie("".concat(s, " must not be empty"), ct);
+    })(n.client_secret, '"metadata.client_secret"'), i = so(n.client_secret), gt.set(n, i)), i(e, n, o, r);
+  });
+}
+const ye = ee, ct = "ERR_INVALID_ARG_VALUE", ut = "ERR_INVALID_ARG_TYPE";
+function ie(t, e, n) {
+  const o = new TypeError(t, { cause: n });
+  return Object.assign(o, { code: e }), o;
+}
+function Hi(t) {
+  return (async function(e) {
+    return D(e, "codeVerifier"), Oe(await crypto.subtle.digest("SHA-256", ze(e)));
+  })(t);
+}
+function zi() {
+  return Jo();
+}
+class Ct extends Error {
+  constructor(e, n) {
+    var o;
+    super(e, n), b(this, "code", void 0), this.name = this.constructor.name, this.code = n == null ? void 0 : n.code, (o = Error.captureStackTrace) === null || o === void 0 || o.call(Error, this, this.constructor);
+  }
+}
+function H(t, e, n) {
+  return new Ct(t, { cause: e, code: n });
+}
+function z(t) {
+  if (t instanceof TypeError || t instanceof Ct || t instanceof Ut || t instanceof Mo || t instanceof Nn) throw t;
+  if (t instanceof Ln) switch (t.code) {
+    case qo:
+      throw H("only requests to HTTPS are allowed", t, t.code);
+    case Bo:
+      throw H("only requests to HTTP or HTTPS are allowed", t, t.code);
+    case Jn:
+      throw H("unexpected HTTP response status code", t.cause, t.code);
+    case Zo:
+      throw H("unexpected response content-type", t.cause, t.code);
+    case xt:
+      throw H("parsing error occured", t, t.code);
+    case T:
+      throw H("invalid response encountered", t, t.code);
+    case se:
+      throw H("unexpected JWT claim value encountered", t, t.code);
+    case bn:
+      throw H("unexpected JSON attribute value encountered", t, t.code);
+    case ot:
+      throw H("JWT timestamp claim value failed validation", t, t.code);
+    default:
+      throw H(t.message, t, t.code);
+  }
+  if (t instanceof G) throw H("unsupported operation", t, t.code);
+  if (t instanceof DOMException) switch (t.name) {
+    case "OperationError":
+      throw H("runtime operation error", t, vn);
+    case "NotSupportedError":
+      throw H("runtime unsupported operation", t, vn);
+    case "TimeoutError":
+      throw H("operation timed out", t, "OAUTH_TIMEOUT");
+    case "AbortError":
+      throw H("operation aborted", t, "OAUTH_ABORT");
+  }
+  throw new Ct("something went wrong", { cause: t });
+}
+async function Ji(t, e, n, o, r) {
+  const i = await (async function(c, l) {
+    var u, p;
+    if (!(c instanceof URL)) throw ie('"server" must be an instance of URL', ut);
+    const h = !c.href.includes("/.well-known/"), d = (u = l == null ? void 0 : l.timeout) !== null && u !== void 0 ? u : 30, g = AbortSignal.timeout(1e3 * d), f = await (h ? ci(c, { algorithm: l == null ? void 0 : l.algorithm, [ee]: l == null ? void 0 : l[ye], [q]: l == null || (p = l.execute) === null || p === void 0 ? void 0 : p.includes(bo), signal: g, headers: new Headers(re) }) : ((l == null ? void 0 : l[ye]) || fetch)((Un(c, l == null || (m = l.execute) === null || m === void 0 || !m.includes(bo)), c.href), { headers: Object.fromEntries(new Headers(S({ accept: "application/json" }, re)).entries()), body: void 0, method: "GET", redirect: "manual", signal: g })).then(((w) => (async function(_, k) {
+      const E = _;
+      if (!(E instanceof URL) && E !== qt) throw R('"expectedIssuerIdentifier" must be an instance of URL', "ERR_INVALID_ARG_TYPE");
+      if (!Me(k, Response)) throw R('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+      if (k.status !== 200) throw A('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', Jn, k);
+      st(k);
+      const y = await Nt(k);
+      if (D(y.issuer, '"response" body "issuer" property', T, { body: y }), E !== qt && new URL(y.issuer).href !== E.href) throw A('"response" body "issuer" property does not match the expected value', bn, { expected: E.href, body: y, attribute: "issuer" });
+      return y;
+    })(qt, w))).catch(z);
+    var m;
+    return h && new URL(f.issuer).href !== c.href && ((function(w, _, k) {
+      return !(w.origin !== "https://login.microsoftonline.com" || k != null && k.algorithm && k.algorithm !== "oidc" || (_[ar] = !0, 0));
+    })(c, f, l) || (function(w, _) {
+      return !(!w.hostname.endsWith(".b2clogin.com") || _ != null && _.algorithm && _.algorithm !== "oidc");
+    })(c, l) || (() => {
+      throw new Ct("discovered metadata issuer does not match the expected issuer", { code: bn, cause: { expected: c.href, body: f, attribute: "issuer" } });
+    })()), f;
+  })(t, r), a = new jt(i, e, n, o);
+  let s = N(a);
+  if (r != null && r[ye] && (s.fetch = r[ye]), r != null && r.timeout && (s.timeout = r.timeout), r != null && r.execute) for (const c of r.execute) c(a);
+  return a;
+}
+new TextDecoder();
+const ar = Symbol();
+class jt {
+  constructor(e, n, o, r) {
+    var i, a, s, c, l;
+    if (typeof n != "string" || !n.length) throw ie('"clientId" must be a non-empty string', ut);
+    if (typeof o == "string" && (o = { client_secret: o }), ((i = o) === null || i === void 0 ? void 0 : i.client_id) !== void 0 && n !== o.client_id) throw ie('"clientId" and "metadata.client_id" must be the same', ct);
+    const u = S(S({}, structuredClone(o)), {}, { client_id: n });
+    let p;
+    u[mn] = (a = (s = o) === null || s === void 0 ? void 0 : s[mn]) !== null && a !== void 0 ? a : 0, u[fn] = (c = (l = o) === null || l === void 0 ? void 0 : l[fn]) !== null && c !== void 0 ? c : 30, p = r || (typeof u.client_secret == "string" && u.client_secret.length ? ir(u.client_secret) : (f, m, w, _) => {
+      w.set("client_id", m.client_id);
+    });
+    let h = Object.freeze(u);
+    const d = structuredClone(e);
+    ar in e && (d[Xo] = (f) => {
+      let { claims: { tid: m } } = f;
+      return e.issuer.replace("{tenantid}", m);
+    });
+    let g = Object.freeze(d);
+    Et || (Et = /* @__PURE__ */ new WeakMap()), Et.set(this, { __proto__: null, as: g, c: h, auth: p, tlsOnly: !0, jwksCache: {} });
+  }
+  serverMetadata() {
+    const e = structuredClone(N(this).as);
+    return (function(n) {
+      Object.defineProperties(n, /* @__PURE__ */ (function(o) {
+        return { supportsPKCE: { __proto__: null, value() {
+          var r;
+          let i = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "S256";
+          return ((r = o.code_challenge_methods_supported) === null || r === void 0 ? void 0 : r.includes(i)) === !0;
+        } } };
+      })(n));
+    })(e), e;
+  }
+  clientMetadata() {
+    return structuredClone(N(this).c);
+  }
+  get timeout() {
+    return N(this).timeout;
+  }
+  set timeout(e) {
+    N(this).timeout = e;
+  }
+  get [ye]() {
+    return N(this).fetch;
+  }
+  set [ye](e) {
+    N(this).fetch = e;
+  }
+}
+function lt(t) {
+  Object.defineProperties(t, (function(e) {
+    let n;
+    if (e.expires_in !== void 0) {
+      const o = /* @__PURE__ */ new Date();
+      o.setSeconds(o.getSeconds() + e.expires_in), n = o.getTime();
+    }
+    return { expiresIn: { __proto__: null, value() {
+      if (n) {
+        const o = Date.now();
+        return n > o ? Math.floor((n - o) / 1e3) : 0;
+      }
+    } }, claims: { __proto__: null, value() {
+      try {
+        return wn(this);
+      } catch {
+        return;
+      }
+    } } };
+  })(t));
+}
+async function wo(t, e, n) {
+  var o;
+  let r = arguments.length > 3 && arguments[3] !== void 0 && arguments[3];
+  const i = (o = t.headers.get("retry-after")) === null || o === void 0 ? void 0 : o.trim();
+  if (i === void 0) return;
+  let a;
+  if (/^\d+$/.test(i)) a = parseInt(i, 10);
+  else {
+    const s = new Date(i);
+    if (Number.isFinite(s.getTime())) {
+      const c = /* @__PURE__ */ new Date(), l = s.getTime() - c.getTime();
+      l > 0 && (a = Math.ceil(l / 1e3));
+    }
+  }
+  if (r && !Number.isFinite(a)) throw new Ln("invalid Retry-After header value", { cause: t });
+  a > e && await sr(a - e, n);
+}
+function sr(t, e) {
+  return new Promise(((n, o) => {
+    const r = (i) => {
+      try {
+        e.throwIfAborted();
+      } catch (s) {
+        return void o(s);
+      }
+      if (i <= 0) return void n();
+      const a = Math.min(i, 5);
+      setTimeout((() => r(i - a)), 1e3 * a);
+    };
+    r(t);
+  }));
+}
+async function vo(t, e) {
+  ue(t);
+  const { as: n, c: o, auth: r, fetch: i, tlsOnly: a, timeout: s } = N(t);
+  return (async function(c, l, u, p, h) {
+    Q(c), $(l);
+    const d = it(c, "backchannel_authentication_endpoint", l.use_mtls_endpoint_aliases, (h == null ? void 0 : h[q]) !== !0), g = new URLSearchParams(p);
+    g.set("client_id", l.client_id);
+    const f = Lt(h == null ? void 0 : h.headers);
+    return f.set("accept", "application/json"), Hn(c, l, u, d, g, f, h);
+  })(n, o, r, e, { [ee]: i, [q]: !a, headers: new Headers(re), signal: Ce(s) }).then(((c) => (async function(l, u, p) {
+    if (Q(l), $(u), !Me(p, Response)) throw R('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+    await Wn(p, 200, "Backchannel Authentication Endpoint"), st(p);
+    const h = await Nt(p);
+    D(h.auth_req_id, '"response" body "auth_req_id" property', T, { body: h });
+    let d = typeof h.expires_in != "number" ? parseFloat(h.expires_in) : h.expires_in;
+    return ge(d, !0, '"response" body "expires_in" property', T, { body: h }), h.expires_in = d, h.interval !== void 0 && ge(h.interval, !1, '"response" body "interval" property', T, { body: h }), h;
+  })(n, o, c))).catch(z);
+}
+async function cr(t, e, n, o) {
+  var r, i;
+  ue(t), n = new URLSearchParams(n);
+  let a = (r = e.interval) !== null && r !== void 0 ? r : 5;
+  const s = (i = o == null ? void 0 : o.signal) !== null && i !== void 0 ? i : AbortSignal.timeout(1e3 * e.expires_in);
+  try {
+    await sr(a, s);
+  } catch (y) {
+    z(y);
+  }
+  const { as: c, c: l, auth: u, fetch: p, tlsOnly: h, nonRepudiation: d, timeout: g, decrypt: f } = N(t), m = (y, P) => cr(t, S(S({}, e), {}, { interval: y }), n, S(S({}, o), {}, { signal: s, flag: P })), w = await (async function(y, P, M, U, de) {
+    Q(y), $(P), D(U, '"authReqId"');
+    const J = new URLSearchParams(de == null ? void 0 : de.additionalParameters);
+    return J.set("auth_req_id", U), at(y, P, M, "urn:openid:params:grant-type:ciba", J, de);
+  })(c, l, u, e.auth_req_id, { [ee]: p, [q]: !h, additionalParameters: n, DPoP: o == null ? void 0 : o.DPoP, headers: new Headers(re), signal: s.aborted ? s : Ce(g) }).catch(z);
+  var _;
+  if (w.status === 503 && w.headers.has("retry-after")) return await wo(w, a, s, !0), await ((_ = w.body) === null || _ === void 0 ? void 0 : _.cancel()), m(a);
+  const k = (async function(y, P, M, U) {
+    return Je(y, P, M, void 0, U == null ? void 0 : U[ce], U == null ? void 0 : U.recognizedTokenTypes);
+  })(c, l, w, { [ce]: f });
+  let E;
+  try {
+    E = await k;
+  } catch (y) {
+    if (dt(y, o)) return m(a, we);
+    if (y instanceof Ut) switch (y.error) {
+      case "slow_down":
+        a += 5;
+      case "authorization_pending":
+        return await wo(y.response, a, s), m(a);
+    }
+    z(y);
+  }
+  return E.id_token && await (d == null ? void 0 : d(w)), lt(E), E;
+}
+function bo(t) {
+  N(t).tlsOnly = !1;
+}
+async function ur(t, e, n, o, r) {
+  if (ue(t), !((r == null ? void 0 : r.flag) === we || e instanceof URL || (function(y, P) {
+    try {
+      return Object.getPrototypeOf(y)[Symbol.toStringTag] === P;
+    } catch {
+      return !1;
+    }
+  })(e, "Request"))) throw ie('"currentUrl" must be an instance of URL, or Request', ut);
+  let i, a;
+  const { as: s, c, auth: l, fetch: u, tlsOnly: p, jarm: h, hybrid: d, nonRepudiation: g, timeout: f, decrypt: m, implicit: w } = N(t);
+  if ((r == null ? void 0 : r.flag) === we) i = r.authResponse, a = r.redirectUri;
+  else {
+    if (!(e instanceof URL)) {
+      const y = e;
+      switch (e = new URL(e.url), y.method) {
+        case "GET":
+          break;
+        case "POST":
+          const P = new URLSearchParams(await Ii(y));
+          if (d) e.hash = P.toString();
+          else for (const [M, U] of P.entries()) e.searchParams.append(M, U);
+          break;
+        default:
+          throw ie("unexpected Request HTTP method", ct);
+      }
+    }
+    switch (a = (function(y) {
+      return (y = new URL(y)).search = "", y.hash = "", y.href;
+    })(e), !0) {
+      case !!h:
+        i = await h(e, n == null ? void 0 : n.expectedState);
+        break;
+      case !!d:
+        i = await d(e, n == null ? void 0 : n.expectedNonce, n == null ? void 0 : n.expectedState, n == null ? void 0 : n.maxAge);
+        break;
+      case !!w:
+        throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");
+      default:
+        try {
+          i = ji(s, c, e.searchParams, n == null ? void 0 : n.expectedState);
+        } catch (y) {
+          z(y);
+        }
+    }
+  }
+  const _ = await (async function(y, P, M, U, de, J, je) {
+    if (Q(y), $(P), !zn.has(U)) throw R('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', "ERR_INVALID_ARG_VALUE");
+    D(de, '"redirectUri"');
+    const Fn = Te(U, "code");
+    if (!Fn) throw A('no authorization code in "callbackParameters"', T);
+    const ht = new URLSearchParams(je == null ? void 0 : je.additionalParameters);
+    return ht.set("redirect_uri", de), ht.set("code", Fn), J !== uo && (D(J, '"codeVerifier"'), ht.set("code_verifier", J)), at(y, P, M, "authorization_code", ht, je);
+  })(s, c, l, i, a, (n == null ? void 0 : n.pkceCodeVerifier) || uo, { additionalParameters: o, [ee]: u, [q]: !p, DPoP: r == null ? void 0 : r.DPoP, headers: new Headers(re), signal: Ce(f) }).catch(z);
+  typeof (n == null ? void 0 : n.expectedNonce) != "string" && typeof (n == null ? void 0 : n.maxAge) != "number" || (n.idTokenExpected = !0);
+  const k = ki(s, c, _, { expectedNonce: n == null ? void 0 : n.expectedNonce, maxAge: n == null ? void 0 : n.maxAge, requireIdToken: n == null ? void 0 : n.idTokenExpected, [ce]: m });
+  let E;
+  try {
+    E = await k;
+  } catch (y) {
+    if (dt(y, r)) return ur(t, void 0, n, o, S(S({}, r), {}, { flag: we, authResponse: i, redirectUri: a }));
+    z(y);
+  }
+  return E.id_token && await (g == null ? void 0 : g(_)), lt(E), E;
+}
+async function lr(t, e, n, o) {
+  ue(t), n = new URLSearchParams(n);
+  const { as: r, c: i, auth: a, fetch: s, tlsOnly: c, nonRepudiation: l, timeout: u, decrypt: p } = N(t), h = await (async function(f, m, w, _, k) {
+    Q(f), $(m), D(_, '"refreshToken"');
+    const E = new URLSearchParams(k == null ? void 0 : k.additionalParameters);
+    return E.set("refresh_token", _), at(f, m, w, "refresh_token", E, k);
+  })(r, i, a, e, { [ee]: s, [q]: !c, additionalParameters: n, DPoP: o == null ? void 0 : o.DPoP, headers: new Headers(re), signal: Ce(u) }).catch(z), d = (async function(f, m, w, _) {
+    return Je(f, m, w, void 0, _ == null ? void 0 : _[ce], _ == null ? void 0 : _.recognizedTokenTypes);
+  })(r, i, h, { [ce]: p });
+  let g;
+  try {
+    g = await d;
+  } catch (f) {
+    if (dt(f, o)) return lr(t, e, n, S(S({}, o), {}, { flag: we }));
+    z(f);
+  }
+  return g.id_token && await (l == null ? void 0 : l(h)), lt(g), g;
+}
+async function dr(t, e, n) {
+  ue(t), e = new URLSearchParams(e);
+  const { as: o, c: r, auth: i, fetch: a, tlsOnly: s, timeout: c } = N(t), l = await (async function(h, d, g, f, m) {
+    return Q(h), $(d), at(h, d, g, "client_credentials", new URLSearchParams(f), m);
+  })(o, r, i, e, { [ee]: a, [q]: !s, DPoP: n == null ? void 0 : n.DPoP, headers: new Headers(re), signal: Ce(c) }).catch(z), u = (async function(h, d, g, f) {
+    return Je(h, d, g, void 0, void 0, void 0);
+  })(o, r, l);
+  let p;
+  try {
+    p = await u;
+  } catch (h) {
+    if (dt(h, n)) return dr(t, e, S(S({}, n), {}, { flag: we }));
+    z(h);
+  }
+  return lt(p), p;
+}
+function En(t, e) {
+  ue(t);
+  const { as: n, c: o, tlsOnly: r, hybrid: i, jarm: a, implicit: s } = N(t), c = it(n, "authorization_endpoint", !1, r);
+  if ((e = new URLSearchParams(e)).has("client_id") || e.set("client_id", o.client_id), !e.has("request_uri") && !e.has("request")) {
+    if (e.has("response_type") || e.set("response_type", i ? "code id_token" : s ? "id_token" : "code"), s && !e.has("nonce")) throw ie("response_type=id_token clients must provide a nonce parameter in their authorization request parameters", ct);
+    a && e.set("response_mode", "jwt");
+  }
+  for (const [l, u] of e.entries()) c.searchParams.append(l, u);
+  return c;
+}
+async function hr(t, e, n) {
+  ue(t);
+  const o = En(t, e), { as: r, c: i, auth: a, fetch: s, tlsOnly: c, timeout: l } = N(t), u = await (async function(d, g, f, m, w) {
+    var _;
+    Q(d), $(g);
+    const k = it(d, "pushed_authorization_request_endpoint", g.use_mtls_endpoint_aliases, (w == null ? void 0 : w[q]) !== !0), E = new URLSearchParams(m);
+    E.set("client_id", g.client_id);
+    const y = Lt(w == null ? void 0 : w.headers);
+    y.set("accept", "application/json"), (w == null ? void 0 : w.DPoP) !== void 0 && (Vo(w.DPoP), await w.DPoP.addProof(k, y, "POST"));
+    const P = await Hn(d, g, f, k, E, y, w);
+    return w == null || (_ = w.DPoP) === null || _ === void 0 || _.cacheNonce(P, k), P;
+  })(r, i, a, o.searchParams, { [ee]: s, [q]: !c, DPoP: n == null ? void 0 : n.DPoP, headers: new Headers(re), signal: Ce(l) }).catch(z), p = (async function(d, g, f) {
+    if (Q(d), $(g), !Me(f, Response)) throw R('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+    await Wn(f, 201, "Pushed Authorization Request Endpoint"), st(f);
+    const m = await Nt(f);
+    D(m.request_uri, '"response" body "request_uri" property', T, { body: m });
+    let w = typeof m.expires_in != "number" ? parseFloat(m.expires_in) : m.expires_in;
+    return ge(w, !0, '"response" body "expires_in" property', T, { body: m }), m.expires_in = w, m;
+  })(r, i, u);
+  let h;
+  try {
+    h = await p;
+  } catch (d) {
+    if (dt(d, n)) return hr(t, e, S(S({}, n), {}, { flag: we }));
+    z(d);
+  }
+  return En(t, { request_uri: h.request_uri });
+}
+function ue(t) {
+  if (!(t instanceof jt)) throw ie('"config" must be an instance of Configuration', ut);
+  if (Object.getPrototypeOf(t) !== jt.prototype) throw ie("subclassing Configuration is not allowed", ct);
+}
+function Ce(t) {
+  return t ? AbortSignal.timeout(1e3 * t) : void 0;
+}
+function dt(t, e) {
+  return !(e == null || !e.DPoP || e.flag === we) && (function(n) {
+    if (n instanceof Nn) {
+      const { 0: o, length: r } = n.cause;
+      return r === 1 && o.scheme === "dpop" && o.parameters.error === "use_dpop_nonce";
+    }
+    return n instanceof Ut && n.error === "use_dpop_nonce";
+  })(t);
+}
+Object.freeze(jt.prototype);
+const we = Symbol();
+async function Gn(t, e, n, o) {
+  ue(t);
+  const { as: r, c: i, auth: a, fetch: s, tlsOnly: c, timeout: l, decrypt: u } = N(t), p = await (async function(h, d, g, f, m, w) {
+    return Q(h), $(d), D(f, '"grantType"'), at(h, d, g, f, new URLSearchParams(m), w);
+  })(r, i, a, e, new URLSearchParams(n), { [ee]: s, [q]: !c, DPoP: void 0, headers: new Headers(re), signal: Ce(l) }).then(((h) => {
+    let d;
+    return e === "urn:ietf:params:oauth:grant-type:token-exchange" && (d = { n_a: () => {
+    } }), (async function(g, f, m, w) {
+      return Je(g, f, m, void 0, w == null ? void 0 : w[ce], w == null ? void 0 : w.recognizedTokenTypes);
+    })(r, i, h, { [ce]: u, recognizedTokenTypes: d });
+  })).catch(z);
+  return lt(p), p;
+}
+async function Mi(t, e, n) {
+  if (e instanceof Uint8Array) {
+    if (!t.startsWith("HS")) throw new TypeError((function(o) {
+      for (var r = arguments.length, i = new Array(r > 1 ? r - 1 : 0), a = 1; a < r; a++) i[a - 1] = arguments[a];
+      return nr("Key must be ", o, ...i);
+    })(e, "CryptoKey", "KeyObject", "JSON Web Key"));
+    return crypto.subtle.importKey("raw", e, { hash: "SHA-".concat(t.slice(-3)), name: "HMAC" }, !1, [n]);
+  }
+  return Di(e, t, n), e;
+}
+async function Vi(t, e, n, o) {
+  const r = await Mi(t, e, "verify");
+  (function(a, s) {
+    if (a.startsWith("RS") || a.startsWith("PS")) {
+      const { modulusLength: c } = s.algorithm;
+      if (typeof c != "number" || c < 2048) throw new TypeError("".concat(a, " requires key modulusLength to be 2048 bits or larger"));
+    }
+  })(t, r);
+  const i = (function(a, s) {
+    const c = "SHA-".concat(a.slice(-3));
+    switch (a) {
+      case "HS256":
+      case "HS384":
+      case "HS512":
+        return { hash: c, name: "HMAC" };
+      case "PS256":
+      case "PS384":
+      case "PS512":
+        return { hash: c, name: "RSA-PSS", saltLength: parseInt(a.slice(-3), 10) >> 3 };
+      case "RS256":
+      case "RS384":
+      case "RS512":
+        return { hash: c, name: "RSASSA-PKCS1-v1_5" };
+      case "ES256":
+      case "ES384":
+      case "ES512":
+        return { hash: c, name: "ECDSA", namedCurve: s.namedCurve };
+      case "Ed25519":
+      case "EdDSA":
+        return { name: "Ed25519" };
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+        return { name: a };
+      default:
+        throw new V("alg ".concat(a, " is not supported either by JOSE or your javascript runtime"));
+    }
+  })(t, r.algorithm);
+  try {
+    return await crypto.subtle.verify(i, r, n, o);
+  } catch {
+    return !1;
+  }
+}
+async function Gi(t, e, n) {
+  if (!ve(t)) throw new L("Flattened JWS must be an object");
+  if (t.protected === void 0 && t.header === void 0) throw new L('Flattened JWS must have either of the "protected" or "header" members');
+  if (t.protected !== void 0 && typeof t.protected != "string") throw new L("JWS Protected Header incorrect type");
+  if (t.payload === void 0) throw new L("JWS Payload missing");
+  if (typeof t.signature != "string") throw new L("JWS Signature missing or incorrect type");
+  if (t.header !== void 0 && !ve(t.header)) throw new L("JWS Unprotected Header incorrect type");
+  let o = {};
+  if (t.protected) try {
+    const f = $e(t.protected);
+    o = JSON.parse(rt.decode(f));
+  } catch {
+    throw new L("JWS Protected Header is invalid");
+  }
+  if (!(function() {
+    for (var f = arguments.length, m = new Array(f), w = 0; w < f; w++) m[w] = arguments[w];
+    const _ = m.filter(Boolean);
+    if (_.length === 0 || _.length === 1) return !0;
+    let k;
+    for (const E of _) {
+      const y = Object.keys(E);
+      if (k && k.size !== 0) for (const P of y) {
+        if (k.has(P)) return !1;
+        k.add(P);
+      }
+      else k = new Set(y);
+    }
+    return !0;
+  })(o, t.header)) throw new L("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const r = S(S({}, o), t.header), i = (function(f, m, w, _, k) {
+    if (k.crit !== void 0 && (_ == null ? void 0 : _.crit) === void 0) throw new f('"crit" (Critical) Header Parameter MUST be integrity protected');
+    if (!_ || _.crit === void 0) return /* @__PURE__ */ new Set();
+    if (!Array.isArray(_.crit) || _.crit.length === 0 || _.crit.some(((y) => typeof y != "string" || y.length === 0))) throw new f('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    let E;
+    E = w !== void 0 ? new Map([...Object.entries(w), ...m.entries()]) : m;
+    for (const y of _.crit) {
+      if (!E.has(y)) throw new V('Extension Header Parameter "'.concat(y, '" is not recognized'));
+      if (k[y] === void 0) throw new f('Extension Header Parameter "'.concat(y, '" is missing'));
+      if (E.get(y) && _[y] === void 0) throw new f('Extension Header Parameter "'.concat(y, '" MUST be integrity protected'));
+    }
+    return new Set(_.crit);
+  })(L, /* @__PURE__ */ new Map([["b64", !0]]), n == null ? void 0 : n.crit, o, r);
+  let a = !0;
+  if (i.has("b64") && (a = o.b64, typeof a != "boolean")) throw new L('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: s } = r;
+  if (typeof s != "string" || !s) throw new L('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  const c = n && (function(f, m) {
+    if (m !== void 0 && (!Array.isArray(m) || m.some(((w) => typeof w != "string")))) throw new TypeError('"'.concat(f, '" option must be an array of strings'));
+    if (m) return new Set(m);
+  })("algorithms", n.algorithms);
+  if (c && !c.has(s)) throw new Qo('"alg" (Algorithm) Header Parameter value not allowed');
+  if (a) {
+    if (typeof t.payload != "string") throw new L("JWS Payload must be a string");
+  } else if (typeof t.payload != "string" && !(t.payload instanceof Uint8Array)) throw new L("JWS Payload must be a string or an Uint8Array instance");
+  let l = !1;
+  typeof e == "function" && (e = await e(o, t), l = !0), Wi(s, e, "verify");
+  const u = (function() {
+    for (var f = arguments.length, m = new Array(f), w = 0; w < f; w++) m[w] = arguments[w];
+    const _ = m.reduce(((y, P) => {
+      let { length: M } = P;
+      return y + M;
+    }), 0), k = new Uint8Array(_);
+    let E = 0;
+    for (const y of m) k.set(y, E), E += y.length;
+    return k;
+  })(t.protected !== void 0 ? Bt(t.protected) : new Uint8Array(), Bt("."), typeof t.payload == "string" ? a ? Bt(t.payload) : ho.encode(t.payload) : t.payload);
+  let p;
+  try {
+    p = $e(t.signature);
+  } catch {
+    throw new L("Failed to base64url decode the signature");
+  }
+  const h = await Ni(e, s);
+  if (!await Vi(s, h, p, u)) throw new tr();
+  let d;
+  if (a) try {
+    d = $e(t.payload);
+  } catch {
+    throw new L("Failed to base64url decode the payload");
+  }
+  else d = typeof t.payload == "string" ? ho.encode(t.payload) : t.payload;
+  const g = { payload: d };
+  return t.protected !== void 0 && (g.protectedHeader = o), t.header !== void 0 && (g.unprotectedHeader = t.header), l ? S(S({}, g), {}, { key: h }) : g;
+}
+const Fi = (t) => Math.floor(t.getTime() / 1e3), Zi = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function _o(t) {
+  const e = Zi.exec(t);
+  if (!e || e[4] && e[1]) throw new TypeError("Invalid time period format");
+  const n = parseFloat(e[2]);
+  let o;
+  switch (e[3].toLowerCase()) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      o = Math.round(n);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      o = Math.round(60 * n);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      o = Math.round(3600 * n);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      o = Math.round(86400 * n);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      o = Math.round(604800 * n);
+      break;
+    default:
+      o = Math.round(31557600 * n);
+  }
+  return e[1] === "-" || e[4] === "ago" ? -o : o;
+}
+const ko = (t) => t.includes("/") ? t.toLowerCase() : "application/".concat(t.toLowerCase()), qi = (t, e) => typeof t == "string" ? e.includes(t) : !!Array.isArray(t) && e.some(Set.prototype.has.bind(new Set(t)));
+async function Bi(t, e, n) {
+  var o;
+  const r = await (async function(s, c, l) {
+    if (s instanceof Uint8Array && (s = rt.decode(s)), typeof s != "string") throw new L("Compact JWS must be a string or Uint8Array");
+    const { 0: u, 1: p, 2: h, length: d } = s.split(".");
+    if (d !== 3) throw new L("Invalid Compact JWS");
+    const g = await Gi({ payload: p, protected: u, signature: h }, c, l), f = { payload: g.payload, protectedHeader: g.protectedHeader };
+    return typeof c == "function" ? S(S({}, f), {}, { key: g.key }) : f;
+  })(t, e, n);
+  if ((o = r.protectedHeader.crit) !== null && o !== void 0 && o.includes("b64") && r.protectedHeader.b64 === !1) throw new kn("JWTs MUST NOT use unencoded payload");
+  const i = (function(s, c) {
+    let l, u = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
+    try {
+      l = JSON.parse(rt.decode(c));
+    } catch {
+    }
+    if (!ve(l)) throw new kn("JWT Claims Set must be a top-level JSON object");
+    const { typ: p } = u;
+    if (p && (typeof s.typ != "string" || ko(s.typ) !== ko(p))) throw new B('unexpected "typ" JWT header value', l, "typ", "check_failed");
+    const { requiredClaims: h = [], issuer: d, subject: g, audience: f, maxTokenAge: m } = u, w = [...h];
+    m !== void 0 && w.push("iat"), f !== void 0 && w.push("aud"), g !== void 0 && w.push("sub"), d !== void 0 && w.push("iss");
+    for (const y of new Set(w.reverse())) if (!(y in l)) throw new B('missing required "'.concat(y, '" claim'), l, y, "missing");
+    if (d && !(Array.isArray(d) ? d : [d]).includes(l.iss)) throw new B('unexpected "iss" claim value', l, "iss", "check_failed");
+    if (g && l.sub !== g) throw new B('unexpected "sub" claim value', l, "sub", "check_failed");
+    if (f && !qi(l.aud, typeof f == "string" ? [f] : f)) throw new B('unexpected "aud" claim value', l, "aud", "check_failed");
+    let _;
+    switch (typeof u.clockTolerance) {
+      case "string":
+        _ = _o(u.clockTolerance);
+        break;
+      case "number":
+        _ = u.clockTolerance;
+        break;
+      case "undefined":
+        _ = 0;
+        break;
+      default:
+        throw new TypeError("Invalid clockTolerance option type");
+    }
+    const { currentDate: k } = u, E = Fi(k || /* @__PURE__ */ new Date());
+    if ((l.iat !== void 0 || m) && typeof l.iat != "number") throw new B('"iat" claim must be a number', l, "iat", "invalid");
+    if (l.nbf !== void 0) {
+      if (typeof l.nbf != "number") throw new B('"nbf" claim must be a number', l, "nbf", "invalid");
+      if (l.nbf > E + _) throw new B('"nbf" claim timestamp check failed', l, "nbf", "check_failed");
+    }
+    if (l.exp !== void 0) {
+      if (typeof l.exp != "number") throw new B('"exp" claim must be a number', l, "exp", "invalid");
+      if (l.exp <= E - _) throw new _n('"exp" claim timestamp check failed', l, "exp", "check_failed");
+    }
+    if (m) {
+      const y = E - l.iat;
+      if (y - _ > (typeof m == "number" ? m : _o(m))) throw new _n('"iat" claim timestamp check failed (too far in the past)', l, "iat", "check_failed");
+      if (y < 0 - _) throw new B('"iat" claim timestamp check failed (it should be in the past)', l, "iat", "check_failed");
+    }
+    return l;
+  })(r.protectedHeader, r.payload, n), a = { payload: i, protectedHeader: r.protectedHeader };
+  return typeof e == "function" ? S(S({}, a), {}, { key: r.key }) : a;
+}
+function Xi(t) {
+  return ve(t);
+}
+var wt, en, vt = /* @__PURE__ */ new WeakMap(), tn = /* @__PURE__ */ new WeakMap();
+class Yi {
+  constructor(e) {
+    if (K(this, vt, void 0), K(this, tn, /* @__PURE__ */ new WeakMap()), !(function(n) {
+      return n && typeof n == "object" && Array.isArray(n.keys) && n.keys.every(Xi);
+    })(e)) throw new Mn("JSON Web Key Set malformed");
+    O(vt, this, structuredClone(e));
+  }
+  jwks() {
+    return v(vt, this);
+  }
+  async getKey(e, n) {
+    const { alg: o, kid: r } = S(S({}, e), n == null ? void 0 : n.header), i = (function(l) {
+      switch (typeof l == "string" && l.slice(0, 2)) {
+        case "RS":
+        case "PS":
+          return "RSA";
+        case "ES":
+          return "EC";
+        case "Ed":
+          return "OKP";
+        case "ML":
+          return "AKP";
+        default:
+          throw new V('Unsupported "alg" value for a JSON Web Key Set');
+      }
+    })(o), a = v(vt, this).keys.filter(((l) => {
+      let u = i === l.kty;
+      if (u && typeof r == "string" && (u = r === l.kid), !u || typeof l.alg != "string" && i !== "AKP" || (u = o === l.alg), u && typeof l.use == "string" && (u = l.use === "sig"), u && Array.isArray(l.key_ops) && (u = l.key_ops.includes("verify")), u) switch (o) {
+        case "ES256":
+          u = l.crv === "P-256";
+          break;
+        case "ES384":
+          u = l.crv === "P-384";
+          break;
+        case "ES512":
+          u = l.crv === "P-521";
+          break;
+        case "Ed25519":
+        case "EdDSA":
+          u = l.crv === "Ed25519";
+      }
+      return u;
+    })), { 0: s, length: c } = a;
+    if (c === 0) throw new Vn();
+    if (c !== 1) {
+      const l = new $o(), u = v(tn, this);
+      throw l[Symbol.asyncIterator] = ri((function* () {
+        for (const p of a) try {
+          yield yield oi(So(u, p, o));
+        } catch {
+        }
+      })), l;
+    }
+    return So(v(tn, this), s, o);
+  }
+}
+async function So(t, e, n) {
+  const o = t.get(e) || t.set(e, {}).get(e);
+  if (o[n] === void 0) {
+    const r = await (async function(i, a, s) {
+      var c;
+      if (!ve(i)) throw new TypeError("JWK must be an object");
+      let l;
+      switch (a != null || (a = i.alg), l != null || (l = (c = void 0) !== null && c !== void 0 ? c : i.ext), i.kty) {
+        case "oct":
+          if (typeof i.k != "string" || !i.k) throw new TypeError('missing "k" (Key Value) Parameter value');
+          return $e(i.k);
+        case "RSA":
+          if ("oth" in i && i.oth !== void 0) throw new V('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+          return St(S(S({}, i), {}, { alg: a, ext: l }));
+        case "AKP":
+          if (typeof i.alg != "string" || !i.alg) throw new TypeError('missing "alg" (Algorithm) Parameter value');
+          if (a !== void 0 && a !== i.alg) throw new TypeError("JWK alg and alg option value mismatch");
+          return St(S(S({}, i), {}, { ext: l }));
+        case "EC":
+        case "OKP":
+          return St(S(S({}, i), {}, { alg: a, ext: l }));
+        default:
+          throw new V('Unsupported "kty" (Key Type) Parameter value');
+      }
+    })(S(S({}, e), {}, { ext: !0 }), n);
+    if (r instanceof Uint8Array || r.type !== "public") throw new Mn("JSON Web Key Set members must be public keys");
+    o[n] = r;
+  }
+  return o[n];
+}
+function Eo(t) {
+  const e = new Yi(t), n = async (o, r) => e.getKey(o, r);
+  return Object.defineProperties(n, { jwks: { value: () => structuredClone(e.jwks()), enumerable: !1, configurable: !1, writable: !1 } }), n;
+}
+let An;
+(typeof navigator > "u" || (wt = navigator.userAgent) === null || wt === void 0 || (en = wt.startsWith) === null || en === void 0 || !en.call(wt, "Mozilla/5.0 ")) && (An = "".concat("jose", "/").concat("v6.1.3"));
+const pr = Symbol(), nn = Symbol();
+var on = /* @__PURE__ */ new WeakMap(), rn = /* @__PURE__ */ new WeakMap(), an = /* @__PURE__ */ new WeakMap(), bt = /* @__PURE__ */ new WeakMap(), _e = /* @__PURE__ */ new WeakMap(), ae = /* @__PURE__ */ new WeakMap(), he = /* @__PURE__ */ new WeakMap(), sn = /* @__PURE__ */ new WeakMap(), ke = /* @__PURE__ */ new WeakMap(), Se = /* @__PURE__ */ new WeakMap();
+class Qi {
+  constructor(e, n) {
+    if (K(this, on, void 0), K(this, rn, void 0), K(this, an, void 0), K(this, bt, void 0), K(this, _e, void 0), K(this, ae, void 0), K(this, he, void 0), K(this, sn, void 0), K(this, ke, void 0), K(this, Se, void 0), !(e instanceof URL)) throw new TypeError("url must be an instance of URL");
+    var o, r;
+    O(on, this, new URL(e.href)), O(rn, this, typeof (n == null ? void 0 : n.timeoutDuration) == "number" ? n == null ? void 0 : n.timeoutDuration : 5e3), O(an, this, typeof (n == null ? void 0 : n.cooldownDuration) == "number" ? n == null ? void 0 : n.cooldownDuration : 3e4), O(bt, this, typeof (n == null ? void 0 : n.cacheMaxAge) == "number" ? n == null ? void 0 : n.cacheMaxAge : 6e5), O(he, this, new Headers(n == null ? void 0 : n.headers)), An && !v(he, this).has("User-Agent") && v(he, this).set("User-Agent", An), v(he, this).has("accept") || (v(he, this).set("accept", "application/json"), v(he, this).append("accept", "application/jwk-set+json")), O(sn, this, n == null ? void 0 : n[pr]), (n == null ? void 0 : n[nn]) !== void 0 && (O(Se, this, n == null ? void 0 : n[nn]), o = n == null ? void 0 : n[nn], r = v(bt, this), typeof o == "object" && o !== null && "uat" in o && typeof o.uat == "number" && !(Date.now() - o.uat >= r) && "jwks" in o && ve(o.jwks) && Array.isArray(o.jwks.keys) && Array.prototype.every.call(o.jwks.keys, ve) && (O(_e, this, v(Se, this).uat), O(ke, this, Eo(v(Se, this).jwks))));
+  }
+  pendingFetch() {
+    return !!v(ae, this);
+  }
+  coolingDown() {
+    return typeof v(_e, this) == "number" && Date.now() < v(_e, this) + v(an, this);
+  }
+  fresh() {
+    return typeof v(_e, this) == "number" && Date.now() < v(_e, this) + v(bt, this);
+  }
+  jwks() {
+    var e;
+    return (e = v(ke, this)) === null || e === void 0 ? void 0 : e.jwks();
+  }
+  async getKey(e, n) {
+    v(ke, this) && this.fresh() || await this.reload();
+    try {
+      return await v(ke, this).call(this, e, n);
+    } catch (o) {
+      if (o instanceof Vn && this.coolingDown() === !1) return await this.reload(), v(ke, this).call(this, e, n);
+      throw o;
+    }
+  }
+  async reload() {
+    v(ae, this) && (typeof WebSocketPair < "u" || typeof navigator < "u" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime < "u" && EdgeRuntime === "vercel") && O(ae, this, void 0), v(ae, this) || O(ae, this, (async function(e, n, o) {
+      const i = await (arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : fetch)(e, { method: "GET", signal: o, redirect: "manual", headers: n }).catch(((a) => {
+        throw a.name === "TimeoutError" ? new er() : a;
+      }));
+      if (i.status !== 200) throw new W("Expected 200 OK from the JSON Web Key Set HTTP response");
+      try {
+        return await i.json();
+      } catch {
+        throw new W("Failed to parse the JSON Web Key Set HTTP response as JSON");
+      }
+    })(v(on, this).href, v(he, this), AbortSignal.timeout(v(rn, this)), v(sn, this)).then(((e) => {
+      O(ke, this, Eo(e)), v(Se, this) && (v(Se, this).uat = Date.now(), v(Se, this).jwks = e), O(_e, this, Date.now()), O(ae, this, void 0);
+    })).catch(((e) => {
+      throw O(ae, this, void 0), e;
+    }))), await v(ae, this);
+  }
+}
+const $i = ["mfaToken"], ea = ["mfaToken"];
+var Ee, _t, Ae, me, We, I, qe, C, Ao = class extends Error {
+  constructor(t, e) {
+    super(e), b(this, "code", void 0), this.name = "NotSupportedError", this.code = t;
+  }
+}, le = class extends Error {
+  constructor(t, e, n) {
+    super(e), b(this, "cause", void 0), b(this, "code", void 0), this.code = t, this.cause = n && { error: n.error, error_description: n.error_description, message: n.message };
+  }
+}, ta = class extends le {
+  constructor(t, e) {
+    super("token_by_code_error", t, e), this.name = "TokenByCodeError";
+  }
+}, na = class extends le {
+  constructor(t, e) {
+    super("token_by_client_credentials_error", t, e), this.name = "TokenByClientCredentialsError";
+  }
+}, oa = class extends le {
+  constructor(t, e) {
+    super("token_by_refresh_token_error", t, e), this.name = "TokenByRefreshTokenError";
+  }
+}, cn = class extends le {
+  constructor(t, e) {
+    super("token_for_connection_error", t, e), this.name = "TokenForConnectionErrorCode";
+  }
+}, oe = class extends le {
+  constructor(t, e) {
+    super("token_exchange_error", t, e), this.name = "TokenExchangeError";
+  }
+}, pe = class extends Error {
+  constructor(t) {
+    super(t), b(this, "code", "verify_logout_token_error"), this.name = "VerifyLogoutTokenError";
+  }
+}, un = class extends le {
+  constructor(t) {
+    super("backchannel_authentication_error", "There was an error when trying to use Client-Initiated Backchannel Authentication.", t), b(this, "code", "backchannel_authentication_error"), this.name = "BackchannelAuthenticationError";
+  }
+}, ra = class extends le {
+  constructor(t) {
+    super("build_authorization_url_error", "There was an error when trying to build the authorization URL.", t), this.name = "BuildAuthorizationUrlError";
+  }
+}, ia = class extends le {
+  constructor(t) {
+    super("build_link_user_url_error", "There was an error when trying to build the Link User URL.", t), this.name = "BuildLinkUserUrlError";
+  }
+}, aa = class extends le {
+  constructor(t) {
+    super("build_unlink_user_url_error", "There was an error when trying to build the Unlink User URL.", t), this.name = "BuildUnlinkUserUrlError";
+  }
+}, sa = class extends Error {
+  constructor() {
+    super("The client secret or client assertion signing key must be provided."), b(this, "code", "missing_client_auth_error"), this.name = "MissingClientAuthError";
+  }
+};
+function Tn(t) {
+  return Object.entries(t).filter(((e) => {
+    let [, n] = e;
+    return n !== void 0;
+  })).reduce(((e, n) => S(S({}, e), {}, { [n[0]]: n[1] })), {});
+}
+var Wt = class extends Error {
+  constructor(t, e, n) {
+    super(e), b(this, "cause", void 0), b(this, "code", void 0), this.code = t, this.cause = n && { error: n.error, error_description: n.error_description, message: n.message };
+  }
+}, ca = class extends Wt {
+  constructor(t, e) {
+    super("mfa_list_authenticators_error", t, e), this.name = "MfaListAuthenticatorsError";
+  }
+}, ua = class extends Wt {
+  constructor(t, e) {
+    super("mfa_enrollment_error", t, e), this.name = "MfaEnrollmentError";
+  }
+}, la = class extends Wt {
+  constructor(t, e) {
+    super("mfa_delete_authenticator_error", t, e), this.name = "MfaDeleteAuthenticatorError";
+  }
+}, da = class extends Wt {
+  constructor(t, e) {
+    super("mfa_challenge_error", t, e), this.name = "MfaChallengeError";
+  }
+};
+function ha(t) {
+  return { id: t.id, authenticatorType: t.authenticator_type, active: t.active, name: t.name, oobChannels: t.oob_channels, type: t.type };
+}
+var pa = (Ee = /* @__PURE__ */ new WeakMap(), _t = /* @__PURE__ */ new WeakMap(), Ae = /* @__PURE__ */ new WeakMap(), class {
+  constructor(t) {
+    var e;
+    K(this, Ee, void 0), K(this, _t, void 0), K(this, Ae, void 0), O(Ee, this, "https://".concat(t.domain)), O(_t, this, t.clientId), O(Ae, this, (e = t.customFetch) !== null && e !== void 0 ? e : function() {
+      return fetch(...arguments);
+    });
+  }
+  async listAuthenticators(t) {
+    const e = "".concat(v(Ee, this), "/mfa/authenticators"), { mfaToken: n } = t, o = await v(Ae, this).call(this, e, { method: "GET", headers: { Authorization: "Bearer ".concat(n), "Content-Type": "application/json" } });
+    if (!o.ok) {
+      const r = await o.json();
+      throw new ca(r.error_description || "Failed to list authenticators", r);
+    }
+    return (await o.json()).map(ha);
+  }
+  async enrollAuthenticator(t) {
+    const e = "".concat(v(Ee, this), "/mfa/associate"), { mfaToken: n } = t, o = io(t, $i), r = { authenticator_types: o.authenticatorTypes };
+    "oobChannels" in o && (r.oob_channels = o.oobChannels), "phoneNumber" in o && o.phoneNumber && (r.phone_number = o.phoneNumber), "email" in o && o.email && (r.email = o.email);
+    const i = await v(Ae, this).call(this, e, { method: "POST", headers: { Authorization: "Bearer ".concat(n), "Content-Type": "application/json" }, body: JSON.stringify(r) });
+    if (!i.ok) {
+      const a = await i.json();
+      throw new ua(a.error_description || "Failed to enroll authenticator", a);
+    }
+    return (function(a) {
+      if (a.authenticator_type === "otp") return { authenticatorType: "otp", secret: a.secret, barcodeUri: a.barcode_uri, recoveryCodes: a.recovery_codes, id: a.id };
+      if (a.authenticator_type === "oob") return { authenticatorType: "oob", oobChannel: a.oob_channel, oobCode: a.oob_code, bindingMethod: a.binding_method, id: a.id };
+      throw new Error("Unexpected authenticator type: ".concat(a.authenticator_type));
+    })(await i.json());
+  }
+  async deleteAuthenticator(t) {
+    const { authenticatorId: e, mfaToken: n } = t, o = "".concat(v(Ee, this), "/mfa/authenticators/").concat(encodeURIComponent(e)), r = await v(Ae, this).call(this, o, { method: "DELETE", headers: { Authorization: "Bearer ".concat(n), "Content-Type": "application/json" } });
+    if (!r.ok) {
+      const i = await r.json();
+      throw new la(i.error_description || "Failed to delete authenticator", i);
+    }
+  }
+  async challengeAuthenticator(t) {
+    const e = "".concat(v(Ee, this), "/mfa/challenge"), { mfaToken: n } = t, o = io(t, ea), r = { mfa_token: n, client_id: v(_t, this), challenge_type: o.challengeType };
+    o.authenticatorId && (r.authenticator_id = o.authenticatorId);
+    const i = await v(Ae, this).call(this, e, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(r) });
+    if (!i.ok) {
+      const a = await i.json();
+      throw new da(a.error_description || "Failed to challenge authenticator", a);
+    }
+    return (function(a) {
+      const s = { challengeType: a.challenge_type };
+      return a.oob_code !== void 0 && (s.oobCode = a.oob_code), a.binding_method !== void 0 && (s.bindingMethod = a.binding_method), s;
+    })(await i.json());
+  }
+}), Re = class mr {
+  constructor(e, n, o, r, i, a, s) {
+    b(this, "accessToken", void 0), b(this, "idToken", void 0), b(this, "refreshToken", void 0), b(this, "expiresAt", void 0), b(this, "scope", void 0), b(this, "claims", void 0), b(this, "authorizationDetails", void 0), b(this, "tokenType", void 0), b(this, "issuedTokenType", void 0), this.accessToken = e, this.idToken = o, this.refreshToken = r, this.expiresAt = n, this.scope = i, this.claims = a, this.authorizationDetails = s;
+  }
+  static fromTokenEndpointResponse(e) {
+    const n = e.id_token ? e.claims() : void 0, o = new mr(e.access_token, Math.floor(Date.now() / 1e3) + Number(e.expires_in), e.id_token, e.refresh_token, e.scope, n, e.authorization_details);
+    return o.tokenType = e.token_type, o.issuedTokenType = e.issued_token_type, o;
+  }
+}, Pn = "openid profile email offline_access", ma = Object.freeze(/* @__PURE__ */ new Set(["grant_type", "client_id", "client_secret", "client_assertion", "client_assertion_type", "subject_token", "subject_token_type", "requested_token_type", "actor_token", "actor_token_type", "audience", "aud", "resource", "resources", "resource_indicator", "scope", "connection", "login_hint", "organization", "assertion"]));
+function fr(t) {
+  if (t == null) throw new oe("subject_token is required");
+  if (typeof t != "string") throw new oe("subject_token must be a string");
+  if (t.trim().length === 0) throw new oe("subject_token cannot be blank or whitespace");
+  if (t !== t.trim()) throw new oe("subject_token must not include leading or trailing whitespace");
+  if (/^bearer\s+/i.test(t)) throw new oe("subject_token must not include the 'Bearer ' prefix");
+}
+function yr(t, e) {
+  if (e) {
+    for (const [n, o] of Object.entries(e)) if (!ma.has(n)) if (Array.isArray(o)) {
+      if (o.length > 20) throw new oe("Parameter '".concat(n, "' exceeds maximum array size of ").concat(20));
+      o.forEach(((r) => {
+        t.append(n, r);
+      }));
+    } else t.append(n, o);
+  }
+}
+var fa = (me = /* @__PURE__ */ new WeakMap(), We = /* @__PURE__ */ new WeakMap(), I = /* @__PURE__ */ new WeakMap(), qe = /* @__PURE__ */ new WeakMap(), C = /* @__PURE__ */ new WeakSet(), class {
+  constructor(t) {
+    if ((function(e, n) {
+      No(e, n), n.add(e);
+    })(this, C), K(this, me, void 0), K(this, We, void 0), K(this, I, void 0), K(this, qe, void 0), b(this, "mfa", void 0), O(I, this, t), t.useMtls && !t.customFetch) throw new Ao("mtls_without_custom_fetch_not_supported", "Using mTLS without a custom fetch implementation is not supported");
+    this.mfa = new pa({ domain: v(I, this).domain, clientId: v(I, this).clientId, customFetch: v(I, this).customFetch });
+  }
+  async buildAuthorizationUrl(t) {
+    const { serverMetadata: e } = await j(C, this, F).call(this);
+    if (t != null && t.pushedAuthorizationRequests && !e.pushed_authorization_request_endpoint) throw new Ao("par_not_supported_error", "The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");
+    try {
+      return await j(C, this, ln).call(this, t);
+    } catch (n) {
+      throw new ra(n);
+    }
+  }
+  async buildLinkUserUrl(t) {
+    try {
+      const e = await j(C, this, ln).call(this, { authorizationParams: S(S({}, t.authorizationParams), {}, { requested_connection: t.connection, requested_connection_scope: t.connectionScope, scope: "openid link_account offline_access", id_token_hint: t.idToken }) });
+      return { linkUserUrl: e.authorizationUrl, codeVerifier: e.codeVerifier };
+    } catch (e) {
+      throw new ia(e);
+    }
+  }
+  async buildUnlinkUserUrl(t) {
+    try {
+      const e = await j(C, this, ln).call(this, { authorizationParams: S(S({}, t.authorizationParams), {}, { requested_connection: t.connection, scope: "openid unlink_account", id_token_hint: t.idToken }) });
+      return { unlinkUserUrl: e.authorizationUrl, codeVerifier: e.codeVerifier };
+    } catch (e) {
+      throw new aa(e);
+    }
+  }
+  async backchannelAuthentication(t) {
+    const { configuration: e, serverMetadata: n } = await j(C, this, F).call(this), o = Tn(S(S({}, v(I, this).authorizationParams), t == null ? void 0 : t.authorizationParams)), r = new URLSearchParams(S(S({ scope: Pn }, o), {}, { client_id: v(I, this).clientId, binding_message: t.bindingMessage, login_hint: JSON.stringify({ format: "iss_sub", iss: n.issuer, sub: t.loginHint.sub }) }));
+    t.requestedExpiry && r.append("requested_expiry", t.requestedExpiry.toString()), t.authorizationDetails && r.append("authorization_details", JSON.stringify(t.authorizationDetails));
+    try {
+      const i = await vo(e, r), a = await cr(e, i);
+      return Re.fromTokenEndpointResponse(a);
+    } catch (i) {
+      throw new un(i);
+    }
+  }
+  async initiateBackchannelAuthentication(t) {
+    const { configuration: e, serverMetadata: n } = await j(C, this, F).call(this), o = Tn(S(S({}, v(I, this).authorizationParams), t == null ? void 0 : t.authorizationParams)), r = new URLSearchParams(S(S({ scope: Pn }, o), {}, { client_id: v(I, this).clientId, binding_message: t.bindingMessage, login_hint: JSON.stringify({ format: "iss_sub", iss: n.issuer, sub: t.loginHint.sub }) }));
+    t.requestedExpiry && r.append("requested_expiry", t.requestedExpiry.toString()), t.authorizationDetails && r.append("authorization_details", JSON.stringify(t.authorizationDetails));
+    try {
+      const i = await vo(e, r);
+      return { authReqId: i.auth_req_id, expiresIn: i.expires_in, interval: i.interval };
+    } catch (i) {
+      throw new un(i);
+    }
+  }
+  async backchannelAuthenticationGrant(t) {
+    let { authReqId: e } = t;
+    const { configuration: n } = await j(C, this, F).call(this), o = new URLSearchParams({ auth_req_id: e });
+    try {
+      const r = await Gn(n, "urn:openid:params:grant-type:ciba", o);
+      return Re.fromTokenEndpointResponse(r);
+    } catch (r) {
+      throw new un(r);
+    }
+  }
+  async getTokenForConnection(t) {
+    var e;
+    if (t.refreshToken && t.accessToken) throw new cn("Either a refresh or access token should be specified, but not both.");
+    const n = (e = t.accessToken) !== null && e !== void 0 ? e : t.refreshToken;
+    if (!n) throw new cn("Either a refresh or access token must be specified.");
+    try {
+      return await this.exchangeToken({ connection: t.connection, subjectToken: n, subjectTokenType: t.accessToken ? "urn:ietf:params:oauth:token-type:access_token" : "urn:ietf:params:oauth:token-type:refresh_token", loginHint: t.loginHint });
+    } catch (o) {
+      throw o instanceof oe ? new cn(o.message, o.cause) : o;
+    }
+  }
+  async exchangeToken(t) {
+    return "connection" in t ? j(C, this, ya).call(this, t) : j(C, this, ga).call(this, t);
+  }
+  async getTokenByCode(t, e) {
+    const { configuration: n } = await j(C, this, F).call(this);
+    try {
+      const o = await ur(n, t, { pkceCodeVerifier: e.codeVerifier });
+      return Re.fromTokenEndpointResponse(o);
+    } catch (o) {
+      throw new ta("There was an error while trying to request a token.", o);
+    }
+  }
+  async getTokenByRefreshToken(t) {
+    const { configuration: e } = await j(C, this, F).call(this);
+    try {
+      const n = await lr(e, t.refreshToken);
+      return Re.fromTokenEndpointResponse(n);
+    } catch (n) {
+      throw new oa("The access token has expired and there was an error while trying to refresh it.", n);
+    }
+  }
+  async getTokenByClientCredentials(t) {
+    const { configuration: e } = await j(C, this, F).call(this);
+    try {
+      const n = new URLSearchParams({ audience: t.audience });
+      t.organization && n.append("organization", t.organization);
+      const o = await dr(e, n);
+      return Re.fromTokenEndpointResponse(o);
+    } catch (n) {
+      throw new na("There was an error while trying to request a token.", n);
+    }
+  }
+  async buildLogoutUrl(t) {
+    const { configuration: e, serverMetadata: n } = await j(C, this, F).call(this);
+    if (!n.end_session_endpoint) {
+      const o = new URL("https://".concat(v(I, this).domain, "/v2/logout"));
+      return o.searchParams.set("returnTo", t.returnTo), o.searchParams.set("client_id", v(I, this).clientId), o;
+    }
+    return (function(o, r) {
+      ue(o);
+      const { as: i, c: a, tlsOnly: s } = N(o), c = it(i, "end_session_endpoint", !1, s);
+      (r = new URLSearchParams(r)).has("client_id") || r.set("client_id", a.client_id);
+      for (const [l, u] of r.entries()) c.searchParams.append(l, u);
+      return c;
+    })(e, { post_logout_redirect_uri: t.returnTo });
+  }
+  async verifyLogoutToken(t) {
+    const { serverMetadata: e } = await j(C, this, F).call(this);
+    v(qe, this) || O(qe, this, (function(o, r) {
+      const i = new Qi(o, r), a = async (s, c) => i.getKey(s, c);
+      return Object.defineProperties(a, { coolingDown: { get: () => i.coolingDown(), enumerable: !0, configurable: !1 }, fresh: { get: () => i.fresh(), enumerable: !0, configurable: !1 }, reload: { value: () => i.reload(), enumerable: !0, configurable: !1, writable: !1 }, reloading: { get: () => i.pendingFetch(), enumerable: !0, configurable: !1 }, jwks: { value: () => i.jwks(), enumerable: !0, configurable: !1, writable: !1 } }), a;
+    })(new URL(e.jwks_uri), { [pr]: v(I, this).customFetch }));
+    const { payload: n } = await Bi(t.logoutToken, v(qe, this), { issuer: e.issuer, audience: v(I, this).clientId, algorithms: ["RS256"], requiredClaims: ["iat"] });
+    if (!("sid" in n) && !("sub" in n)) throw new pe('either "sid" or "sub" (or both) claims must be present');
+    if ("sid" in n && typeof n.sid != "string") throw new pe('"sid" claim must be a string');
+    if ("sub" in n && typeof n.sub != "string") throw new pe('"sub" claim must be a string');
+    if ("nonce" in n) throw new pe('"nonce" claim is prohibited');
+    if (!("events" in n)) throw new pe('"events" claim is missing');
+    if (typeof n.events != "object" || n.events === null) throw new pe('"events" claim must be an object');
+    if (!("http://schemas.openid.net/event/backchannel-logout" in n.events)) throw new pe('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');
+    if (typeof n.events["http://schemas.openid.net/event/backchannel-logout"] != "object") throw new pe('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');
+    return { sid: n.sid, sub: n.sub };
+  }
+});
+async function F() {
+  if (v(me, this) && v(We, this)) return { configuration: v(me, this), serverMetadata: v(We, this) };
+  const t = await j(C, this, wa).call(this);
+  return O(me, this, await Ji(new URL("https://".concat(v(I, this).domain)), v(I, this).clientId, { use_mtls_endpoint_aliases: v(I, this).useMtls }, t, { [ye]: v(I, this).customFetch })), O(We, this, v(me, this).serverMetadata()), v(me, this)[ye] = v(I, this).customFetch || fetch, { configuration: v(me, this), serverMetadata: v(We, this) };
+}
+async function ya(t) {
+  var e, n;
+  const { configuration: o } = await j(C, this, F).call(this);
+  if ("audience" in t || "resource" in t) throw new oe("audience and resource parameters are not supported for Token Vault exchanges");
+  fr(t.subjectToken);
+  const r = new URLSearchParams({ connection: t.connection, subject_token: t.subjectToken, subject_token_type: (e = t.subjectTokenType) !== null && e !== void 0 ? e : "urn:ietf:params:oauth:token-type:access_token", requested_token_type: (n = t.requestedTokenType) !== null && n !== void 0 ? n : "http://auth0.com/oauth/token-type/federated-connection-access-token" });
+  t.loginHint && r.append("login_hint", t.loginHint), t.scope && r.append("scope", t.scope), yr(r, t.extra);
+  try {
+    const i = await Gn(o, "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token", r);
+    return Re.fromTokenEndpointResponse(i);
+  } catch (i) {
+    throw new oe("Failed to exchange token for connection '".concat(t.connection, "'."), i);
+  }
+}
+async function ga(t) {
+  const { configuration: e } = await j(C, this, F).call(this);
+  fr(t.subjectToken);
+  const n = new URLSearchParams({ subject_token_type: t.subjectTokenType, subject_token: t.subjectToken });
+  t.audience && n.append("audience", t.audience), t.scope && n.append("scope", t.scope), t.requestedTokenType && n.append("requested_token_type", t.requestedTokenType), t.organization && n.append("organization", t.organization), yr(n, t.extra);
+  try {
+    const o = await Gn(e, "urn:ietf:params:oauth:grant-type:token-exchange", n);
+    return Re.fromTokenEndpointResponse(o);
+  } catch (o) {
+    throw new oe("Failed to exchange token of type '".concat(t.subjectTokenType, "'").concat(t.audience ? " for audience '".concat(t.audience, "'") : "", "."), o);
+  }
+}
+async function wa() {
+  if (!v(I, this).clientSecret && !v(I, this).clientAssertionSigningKey && !v(I, this).useMtls) throw new sa();
+  if (v(I, this).useMtls) return (e, n, o, r) => {
+    o.set("client_id", n.client_id);
+  };
+  let t = v(I, this).clientAssertionSigningKey;
+  return !t || t instanceof CryptoKey || (t = await (async function(e, n, o) {
+    if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+    return Ui(e, n, o);
+  })(t, v(I, this).clientAssertionSigningAlg || "RS256")), t ? (function(e, n) {
+    return li(e);
+  })(t) : ir(v(I, this).clientSecret);
+}
+async function ln(t) {
+  const { configuration: e } = await j(C, this, F).call(this), n = zi(), o = await Hi(n), r = Tn(S(S({}, v(I, this).authorizationParams), t == null ? void 0 : t.authorizationParams)), i = new URLSearchParams(S(S({ scope: Pn }, r), {}, { client_id: v(I, this).clientId, code_challenge: o, code_challenge_method: "S256" }));
+  return { authorizationUrl: t != null && t.pushedAuthorizationRequests ? await hr(e, i) : await En(e, i), codeVerifier: n };
+}
+const Be = new vr();
+class va {
+  constructor(e) {
+    let n, o;
+    if (this.userCache = new jo().enclosedCache, this.activeLockKeys = /* @__PURE__ */ new Set(), this.defaultOptions = { authorizationParams: { scope: "openid profile email" }, useRefreshTokensFallback: !1, useFormData: !0 }, this._releaseLockOnPageHide = async () => {
+      const l = Array.from(this.activeLockKeys);
+      for (const u of l) await Be.releaseLock(u);
+      this.activeLockKeys.clear(), window.removeEventListener("pagehide", this._releaseLockOnPageHide);
+    }, this.options = Object.assign(Object.assign(Object.assign({}, this.defaultOptions), e), { authorizationParams: Object.assign(Object.assign({}, this.defaultOptions.authorizationParams), e.authorizationParams) }), typeof window < "u" && (() => {
+      if (!Tt()) throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");
+      if (Tt().subtle === void 0) throw new Error(`
+      auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.
+    `);
+    })(), e.cache && e.cacheLocation && console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."), e.cache) o = e.cache;
+    else {
+      if (n = e.cacheLocation || "memory", !to(n)) throw new Error('Invalid cache location "'.concat(n, '"'));
+      o = to(n)();
+    }
+    var r;
+    this.httpTimeoutMs = e.httpTimeoutInSeconds ? 1e3 * e.httpTimeoutInSeconds : 1e4, this.cookieStorage = e.legacySameSiteCookie === !1 ? Ue : Zr, this.orgHintCookieName = (r = this.options.clientId, "auth0.".concat(r, ".organization_hint")), this.isAuthenticatedCookieName = ((l) => "auth0.".concat(l, ".is.authenticated"))(this.options.clientId), this.sessionCheckExpiryDays = e.sessionCheckExpiryDays || 1;
+    const i = e.useCookiesForTransactions ? this.cookieStorage : qr;
+    var a;
+    this.scope = (function(l, u) {
+      for (var p = arguments.length, h = new Array(p > 2 ? p - 2 : 0), d = 2; d < p; d++) h[d - 2] = arguments[d];
+      if (typeof l != "object") return { default: kt(u, l, ...h) };
+      let g = { default: kt(u, ...h) };
+      return Object.keys(l).forEach(((f) => {
+        const m = l[f];
+        g[f] = kt(u, m, ...h);
+      })), g;
+    })(this.options.authorizationParams.scope, "openid", this.options.useRefreshTokens ? "offline_access" : ""), this.transactionManager = new zr(i, this.options.clientId, this.options.cookieDomain), this.nowProvider = this.options.nowProvider || Ro, this.cacheManager = new Hr(o, o.allKeys ? void 0 : new Yr(o, this.options.clientId), this.nowProvider), this.dpop = this.options.useDpop ? new ei(this.options.clientId) : void 0, this.domainUrl = (a = this.options.domain, /^https?:\/\//.test(a) ? a : "https://".concat(a)), this.tokenIssuer = ((l, u) => l ? l.startsWith("https://") ? l : "https://".concat(l, "/") : "".concat(u, "/"))(this.options.issuer, this.domainUrl);
+    const s = "".concat(this.domainUrl, "/me/"), c = this.createFetcher(Object.assign(Object.assign({}, this.options.useDpop && { dpopNonceId: "__auth0_my_account_api__" }), { getAccessToken: () => this.getTokenSilently({ authorizationParams: { scope: "create:me:connected_accounts", audience: s }, detailedResponse: !0 }) }));
+    this.myAccountApi = new ni(c, s), this.authJsClient = new fa({ domain: this.options.domain, clientId: this.options.clientId }), typeof window < "u" && window.Worker && this.options.useRefreshTokens && n === "memory" && (this.options.workerUrl ? this.worker = new Worker(this.options.workerUrl) : this.worker = new Xr());
+  }
+  getConfiguration() {
+    return Object.freeze({ domain: this.options.domain, clientId: this.options.clientId });
+  }
+  _url(e) {
+    const n = encodeURIComponent(btoa(JSON.stringify(this.options.auth0Client || Po)));
+    return "".concat(this.domainUrl).concat(e, "&auth0Client=").concat(n);
+  }
+  _authorizeUrl(e) {
+    return this._url("/authorize?".concat(dn(e)));
+  }
+  async _verifyIdToken(e, n, o) {
+    const r = await this.nowProvider();
+    return Mr({ iss: this.tokenIssuer, aud: this.options.clientId, id_token: e, nonce: n, organization: o, leeway: this.options.leeway, max_age: (i = this.options.authorizationParams.max_age, typeof i != "string" ? i : parseInt(i, 10) || void 0), now: r });
+    var i;
+  }
+  _processOrgHint(e) {
+    e ? this.cookieStorage.save(this.orgHintCookieName, e, { daysUntilExpire: this.sessionCheckExpiryDays, cookieDomain: this.options.cookieDomain }) : this.cookieStorage.remove(this.orgHintCookieName, { cookieDomain: this.options.cookieDomain });
+  }
+  async _prepareAuthorizeUrl(e, n, o) {
+    var r;
+    const i = Jt(Ge()), a = Jt(Ge()), s = Ge(), c = await Zn(s), l = Bn(c), u = await ((r = this.dpop) === null || r === void 0 ? void 0 : r.calculateThumbprint()), p = ((d, g, f, m, w, _, k, E, y) => Object.assign(Object.assign(Object.assign({ client_id: d.clientId }, d.authorizationParams), f), { scope: mt(g, f.scope, f.audience), response_type: "code", response_mode: E || "query", state: m, nonce: w, redirect_uri: k || d.authorizationParams.redirect_uri, code_challenge: _, code_challenge_method: "S256", dpop_jkt: y }))(this.options, this.scope, e, i, a, l, e.redirect_uri || this.options.authorizationParams.redirect_uri || o, n == null ? void 0 : n.response_mode, u), h = this._authorizeUrl(p);
+    return { nonce: a, code_verifier: s, scope: p.scope, audience: p.audience || "default", redirect_uri: p.redirect_uri, state: i, url: h };
+  }
+  async loginWithPopup(e, n) {
+    var o;
+    if (e = e || {}, !(n = n || {}).popup && (n.popup = ((s) => {
+      const c = window.screenX + (window.innerWidth - 400) / 2, l = window.screenY + (window.innerHeight - 600) / 2;
+      return window.open(s, "auth0:authorize:popup", "left=".concat(c, ",top=").concat(l, ",width=").concat(400, ",height=").concat(600, ",resizable,scrollbars=yes,status=1"));
+    })(""), !n.popup)) throw new jn();
+    const r = await this._prepareAuthorizeUrl(e.authorizationParams || {}, { response_mode: "web_message" }, window.location.origin);
+    n.popup.location.href = r.url;
+    const i = await ((s) => new Promise(((c, l) => {
+      let u;
+      const p = setInterval((() => {
+        s.popup && s.popup.closed && (clearInterval(p), clearTimeout(h), window.removeEventListener("message", u, !1), l(new Cn(s.popup)));
+      }), 1e3), h = setTimeout((() => {
+        clearInterval(p), l(new xn(s.popup)), window.removeEventListener("message", u, !1);
+      }), 1e3 * (s.timeoutInSeconds || 60));
+      u = function(d) {
+        if (d.data && d.data.type === "authorization_response") {
+          if (clearTimeout(h), clearInterval(p), window.removeEventListener("message", u, !1), s.closePopup !== !1 && s.popup.close(), d.data.response.error) return l(x.fromPayload(d.data.response));
+          c(d.data.response);
+        }
+      }, window.addEventListener("message", u);
+    })))(Object.assign(Object.assign({}, n), { timeoutInSeconds: n.timeoutInSeconds || this.options.authorizeTimeoutInSeconds || 60 }));
+    if (r.state !== i.state) throw new x("state_mismatch", "Invalid state");
+    const a = ((o = e.authorizationParams) === null || o === void 0 ? void 0 : o.organization) || this.options.authorizationParams.organization;
+    await this._requestToken({ audience: r.audience, scope: r.scope, code_verifier: r.code_verifier, grant_type: "authorization_code", code: i.code, redirect_uri: r.redirect_uri }, { nonceIn: r.nonce, organization: a });
+  }
+  async getUser() {
+    var e;
+    const n = await this._getIdTokenFromCache();
+    return (e = n == null ? void 0 : n.decodedToken) === null || e === void 0 ? void 0 : e.user;
+  }
+  async getIdTokenClaims() {
+    var e;
+    const n = await this._getIdTokenFromCache();
+    return (e = n == null ? void 0 : n.decodedToken) === null || e === void 0 ? void 0 : e.claims;
+  }
+  async loginWithRedirect() {
+    var e;
+    const n = no(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {}), { openUrl: o, fragment: r, appState: i } = n, a = ne(n, ["openUrl", "fragment", "appState"]), s = ((e = a.authorizationParams) === null || e === void 0 ? void 0 : e.organization) || this.options.authorizationParams.organization, c = await this._prepareAuthorizeUrl(a.authorizationParams || {}), { url: l } = c, u = ne(c, ["url"]);
+    this.transactionManager.create(Object.assign(Object.assign(Object.assign({}, u), { appState: i, response_type: Pe.Code }), s && { organization: s }));
+    const p = r ? "".concat(l, "#").concat(r) : l;
+    o ? await o(p) : window.location.assign(p);
+  }
+  async handleRedirectCallback() {
+    const e = (arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : window.location.href).split("?").slice(1);
+    if (e.length === 0) throw new Error("There are no query params available for parsing.");
+    const n = this.transactionManager.get();
+    if (!n) throw new x("missing_transaction", "Invalid state");
+    this.transactionManager.remove();
+    const o = ((r) => {
+      r.indexOf("#") > -1 && (r = r.substring(0, r.indexOf("#")));
+      const i = new URLSearchParams(r);
+      return { state: i.get("state"), code: i.get("code") || void 0, connect_code: i.get("connect_code") || void 0, error: i.get("error") || void 0, error_description: i.get("error_description") || void 0 };
+    })(e.join(""));
+    return n.response_type === Pe.ConnectCode ? this._handleConnectAccountRedirectCallback(o, n) : this._handleLoginRedirectCallback(o, n);
+  }
+  async _handleLoginRedirectCallback(e, n) {
+    const { code: o, state: r, error: i, error_description: a } = e;
+    if (i) throw new In(i, a || i, r, n.appState);
+    if (!n.code_verifier || n.state && n.state !== r) throw new x("state_mismatch", "Invalid state");
+    const s = n.organization, c = n.nonce, l = n.redirect_uri;
+    return await this._requestToken(Object.assign({ audience: n.audience, scope: n.scope, code_verifier: n.code_verifier, grant_type: "authorization_code", code: o }, l ? { redirect_uri: l } : {}), { nonceIn: c, organization: s }), { appState: n.appState, response_type: Pe.Code };
+  }
+  async _handleConnectAccountRedirectCallback(e, n) {
+    const { connect_code: o, state: r, error: i, error_description: a } = e;
+    if (i) throw new On(i, a || i, n.connection, r, n.appState);
+    if (!o) throw new x("missing_connect_code", "Missing connect code");
+    if (!(n.code_verifier && n.state && n.auth_session && n.redirect_uri && n.state === r)) throw new x("state_mismatch", "Invalid state");
+    const s = await this.myAccountApi.completeAccount({ auth_session: n.auth_session, connect_code: o, redirect_uri: n.redirect_uri, code_verifier: n.code_verifier });
+    return Object.assign(Object.assign({}, s), { appState: n.appState, response_type: Pe.ConnectCode });
+  }
+  async checkSession(e) {
+    if (!this.cookieStorage.get(this.isAuthenticatedCookieName)) {
+      if (!this.cookieStorage.get("auth0.is.authenticated")) return;
+      this.cookieStorage.save(this.isAuthenticatedCookieName, !0, { daysUntilExpire: this.sessionCheckExpiryDays, cookieDomain: this.options.cookieDomain }), this.cookieStorage.remove("auth0.is.authenticated");
+    }
+    try {
+      await this.getTokenSilently(e);
+    } catch {
+    }
+  }
+  async getTokenSilently() {
+    let e = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {};
+    var n, o;
+    const r = Object.assign(Object.assign({ cacheMode: "on" }, e), { authorizationParams: Object.assign(Object.assign(Object.assign({}, this.options.authorizationParams), e.authorizationParams), { scope: mt(this.scope, (n = e.authorizationParams) === null || n === void 0 ? void 0 : n.scope, ((o = e.authorizationParams) === null || o === void 0 ? void 0 : o.audience) || this.options.authorizationParams.audience) }) }), i = await ((a, s) => {
+      let c = Vt[s];
+      return c || (c = a().finally((() => {
+        delete Vt[s], c = null;
+      })), Vt[s] = c), c;
+    })((() => this._getTokenSilently(r)), "".concat(this.options.clientId, "::").concat(r.authorizationParams.audience, "::").concat(r.authorizationParams.scope));
+    return e.detailedResponse ? i : i == null ? void 0 : i.access_token;
+  }
+  async _getTokenSilently(e) {
+    const { cacheMode: n } = e, o = ne(e, ["cacheMode"]);
+    if (n !== "off") {
+      const s = await this._getEntryFromCache({ scope: o.authorizationParams.scope, audience: o.authorizationParams.audience || "default", clientId: this.options.clientId, cacheMode: n });
+      if (s) return s;
+    }
+    if (n === "cache-only") return;
+    const r = (i = this.options.clientId, a = o.authorizationParams.audience || "default", "".concat("auth0.lock.getTokenSilently", ".").concat(i, ".").concat(a));
+    var i, a;
+    if (!await eo((() => Be.acquireLock(r, 5e3)), 10)) throw new He();
+    this.activeLockKeys.add(r), this.activeLockKeys.size === 1 && window.addEventListener("pagehide", this._releaseLockOnPageHide);
+    try {
+      if (n !== "off") {
+        const d = await this._getEntryFromCache({ scope: o.authorizationParams.scope, audience: o.authorizationParams.audience || "default", clientId: this.options.clientId });
+        if (d) return d;
+      }
+      const s = this.options.useRefreshTokens ? await this._getTokenUsingRefreshToken(o) : await this._getTokenFromIFrame(o), { id_token: c, token_type: l, access_token: u, oauthTokenScope: p, expires_in: h } = s;
+      return Object.assign(Object.assign({ id_token: c, token_type: l, access_token: u }, p ? { scope: p } : null), { expires_in: h });
+    } finally {
+      await Be.releaseLock(r), this.activeLockKeys.delete(r), this.activeLockKeys.size === 0 && window.removeEventListener("pagehide", this._releaseLockOnPageHide);
+    }
+  }
+  async getTokenWithPopup() {
+    let e = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {}, n = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : {};
+    var o, r;
+    const i = Object.assign(Object.assign({}, e), { authorizationParams: Object.assign(Object.assign(Object.assign({}, this.options.authorizationParams), e.authorizationParams), { scope: mt(this.scope, (o = e.authorizationParams) === null || o === void 0 ? void 0 : o.scope, ((r = e.authorizationParams) === null || r === void 0 ? void 0 : r.audience) || this.options.authorizationParams.audience) }) });
+    return n = Object.assign(Object.assign({}, br), n), await this.loginWithPopup(i, n), (await this.cacheManager.get(new Z({ scope: i.authorizationParams.scope, audience: i.authorizationParams.audience || "default", clientId: this.options.clientId }), void 0, this.options.useMrrt)).access_token;
+  }
+  async isAuthenticated() {
+    return !!await this.getUser();
+  }
+  _buildLogoutUrl(e) {
+    e.clientId !== null ? e.clientId = e.clientId || this.options.clientId : delete e.clientId;
+    const n = e.logoutParams || {}, { federated: o } = n, r = ne(n, ["federated"]), i = o ? "&federated" : "";
+    return this._url("/v2/logout?".concat(dn(Object.assign({ clientId: e.clientId }, r)))) + i;
+  }
+  async logout() {
+    let e = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {};
+    var n;
+    const o = no(e), { openUrl: r } = o, i = ne(o, ["openUrl"]);
+    e.clientId === null ? await this.cacheManager.clear() : await this.cacheManager.clear(e.clientId || this.options.clientId), this.cookieStorage.remove(this.orgHintCookieName, { cookieDomain: this.options.cookieDomain }), this.cookieStorage.remove(this.isAuthenticatedCookieName, { cookieDomain: this.options.cookieDomain }), this.userCache.remove("@@user@@"), await ((n = this.dpop) === null || n === void 0 ? void 0 : n.clear());
+    const a = this._buildLogoutUrl(i);
+    r ? await r(a) : r !== !1 && window.location.assign(a);
+  }
+  async _getTokenFromIFrame(e) {
+    const n = (o = this.options.clientId, "".concat("auth0.lock.getTokenFromIFrame", ".").concat(o));
+    var o;
+    if (!await eo((() => Be.acquireLock(n, 5e3)), 10)) throw new He();
+    try {
+      const r = Object.assign(Object.assign({}, e.authorizationParams), { prompt: "none" }), i = this.cookieStorage.get(this.orgHintCookieName);
+      i && !r.organization && (r.organization = i);
+      const { url: a, state: s, nonce: c, code_verifier: l, redirect_uri: u, scope: p, audience: h } = await this._prepareAuthorizeUrl(r, { response_mode: "web_message" }, window.location.origin);
+      if (window.crossOriginIsolated) throw new x("login_required", "The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");
+      const d = e.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
+      let g;
+      try {
+        g = new URL(this.domainUrl).origin;
+      } catch {
+        g = this.domainUrl;
+      }
+      const f = await (function(w, _) {
+        let k = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : 60;
+        return new Promise(((E, y) => {
+          const P = window.document.createElement("iframe");
+          P.setAttribute("width", "0"), P.setAttribute("height", "0"), P.style.display = "none";
+          const M = () => {
+            window.document.body.contains(P) && (window.document.body.removeChild(P), window.removeEventListener("message", U, !1));
+          };
+          let U;
+          const de = setTimeout((() => {
+            y(new He()), M();
+          }), 1e3 * k);
+          U = function(J) {
+            if (J.origin != _ || !J.data || J.data.type !== "authorization_response") return;
+            const je = J.source;
+            je && je.close(), J.data.response.error ? y(x.fromPayload(J.data.response)) : E(J.data.response), clearTimeout(de), window.removeEventListener("message", U, !1), setTimeout(M, 2e3);
+          }, window.addEventListener("message", U, !1), window.document.body.appendChild(P), P.setAttribute("src", w);
+        }));
+      })(a, g, d);
+      if (s !== f.state) throw new x("state_mismatch", "Invalid state");
+      const m = await this._requestToken(Object.assign(Object.assign({}, e.authorizationParams), { code_verifier: l, code: f.code, grant_type: "authorization_code", redirect_uri: u, timeout: e.authorizationParams.timeout || this.httpTimeoutMs }), { nonceIn: c, organization: r.organization });
+      return Object.assign(Object.assign({}, m), { scope: p, oauthTokenScope: m.scope, audience: h });
+    } catch (r) {
+      throw r.error === "login_required" && this.logout({ openUrl: !1 }), r;
+    } finally {
+      await Be.releaseLock(n);
+    }
+  }
+  async _getTokenUsingRefreshToken(e) {
+    const n = await this.cacheManager.get(new Z({ scope: e.authorizationParams.scope, audience: e.authorizationParams.audience || "default", clientId: this.options.clientId }), void 0, this.options.useMrrt);
+    if (!(n && n.refresh_token || this.worker)) {
+      if (this.options.useRefreshTokensFallback) return await this._getTokenFromIFrame(e);
+      throw new Dt(e.authorizationParams.audience || "default", e.authorizationParams.scope);
+    }
+    const o = e.authorizationParams.redirect_uri || this.options.authorizationParams.redirect_uri || window.location.origin, r = typeof e.timeoutInSeconds == "number" ? 1e3 * e.timeoutInSeconds : null, i = ((u, p, h, d) => {
+      var g;
+      if (u && h && d) {
+        if (p.audience !== h) return p.scope;
+        const f = d.split(" "), m = ((g = p.scope) === null || g === void 0 ? void 0 : g.split(" ")) || [], w = m.every(((_) => f.includes(_)));
+        return f.length >= m.length && w ? d : p.scope;
+      }
+      return p.scope;
+    })(this.options.useMrrt, e.authorizationParams, n == null ? void 0 : n.audience, n == null ? void 0 : n.scope);
+    try {
+      const u = await this._requestToken(Object.assign(Object.assign(Object.assign({}, e.authorizationParams), { grant_type: "refresh_token", refresh_token: n && n.refresh_token, redirect_uri: o }), r && { timeout: r }), { scopesToRequest: i });
+      if (u.refresh_token && (n != null && n.refresh_token) && await this.cacheManager.updateEntry(n.refresh_token, u.refresh_token), this.options.useMrrt && (a = n == null ? void 0 : n.audience, s = n == null ? void 0 : n.scope, c = e.authorizationParams.audience, l = e.authorizationParams.scope, (a !== c || !oo(l, s)) && !oo(i, u.scope))) {
+        if (this.options.useRefreshTokensFallback) return await this._getTokenFromIFrame(e);
+        await this.cacheManager.remove(this.options.clientId, e.authorizationParams.audience, e.authorizationParams.scope);
+        const p = ((h, d) => {
+          const g = (h == null ? void 0 : h.split(" ")) || [], f = (d == null ? void 0 : d.split(" ")) || [];
+          return g.filter(((m) => f.indexOf(m) == -1)).join(",");
+        })(i, u.scope);
+        throw new Kn(e.authorizationParams.audience || "default", p);
+      }
+      return Object.assign(Object.assign({}, u), { scope: e.authorizationParams.scope, oauthTokenScope: u.scope, audience: e.authorizationParams.audience || "default" });
+    } catch (u) {
+      if ((u.message.indexOf("Missing Refresh Token") > -1 || u.message && u.message.indexOf("invalid refresh token") > -1) && this.options.useRefreshTokensFallback) return await this._getTokenFromIFrame(e);
+      throw u;
+    }
+    var a, s, c, l;
+  }
+  async _saveEntryInCache(e) {
+    const { id_token: n, decodedToken: o } = e, r = ne(e, ["id_token", "decodedToken"]);
+    this.userCache.set("@@user@@", { id_token: n, decodedToken: o }), await this.cacheManager.setIdToken(this.options.clientId, e.id_token, e.decodedToken), await this.cacheManager.set(r);
+  }
+  async _getIdTokenFromCache() {
+    const e = this.options.authorizationParams.audience || "default", n = this.scope[e], o = await this.cacheManager.getIdToken(new Z({ clientId: this.options.clientId, audience: e, scope: n })), r = this.userCache.get("@@user@@");
+    return o && o.id_token === (r == null ? void 0 : r.id_token) ? r : (this.userCache.set("@@user@@", o), o);
+  }
+  async _getEntryFromCache(e) {
+    let { scope: n, audience: o, clientId: r, cacheMode: i } = e;
+    const a = await this.cacheManager.get(new Z({ scope: n, audience: o, clientId: r }), 60, this.options.useMrrt, i);
+    if (a && a.access_token) {
+      const { token_type: s, access_token: c, oauthTokenScope: l, expires_in: u } = a, p = await this._getIdTokenFromCache();
+      return p && Object.assign(Object.assign({ id_token: p.id_token, token_type: s || "Bearer", access_token: c }, l ? { scope: l } : null), { expires_in: u });
+    }
+  }
+  async _requestToken(e, n) {
+    var o, r;
+    const { nonceIn: i, organization: a, scopesToRequest: s } = n || {}, c = await Ur(Object.assign(Object.assign({ baseUrl: this.domainUrl, client_id: this.options.clientId, auth0Client: this.options.auth0Client, useFormData: this.options.useFormData, timeout: this.httpTimeoutMs, useMrrt: this.options.useMrrt, dpop: this.dpop }, e), { scope: s || e.scope }), this.worker), l = await this._verifyIdToken(c.id_token, i, a);
+    if (e.grant_type === "authorization_code") {
+      const u = await this._getIdTokenFromCache();
+      !((r = (o = u == null ? void 0 : u.decodedToken) === null || o === void 0 ? void 0 : o.claims) === null || r === void 0) && r.sub && u.decodedToken.claims.sub !== l.claims.sub && (await this.cacheManager.clear(this.options.clientId), this.userCache.remove("@@user@@"));
+    }
+    return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({}, c), { decodedToken: l, scope: e.scope, audience: e.audience || "default" }), c.scope ? { oauthTokenScope: c.scope } : null), { client_id: this.options.clientId })), this.cookieStorage.save(this.isAuthenticatedCookieName, !0, { daysUntilExpire: this.sessionCheckExpiryDays, cookieDomain: this.options.cookieDomain }), this._processOrgHint(a || l.claims.org_id), Object.assign(Object.assign({}, c), { decodedToken: l });
+  }
+  async exchangeToken(e) {
+    return this._requestToken({ grant_type: "urn:ietf:params:oauth:grant-type:token-exchange", subject_token: e.subject_token, subject_token_type: e.subject_token_type, scope: mt(this.scope, e.scope, e.audience || this.options.authorizationParams.audience), audience: e.audience || this.options.authorizationParams.audience, organization: e.organization || this.options.authorizationParams.organization });
+  }
+  _assertDpop(e) {
+    if (!e) throw new Error("`useDpop` option must be enabled before using DPoP.");
+  }
+  getDpopNonce(e) {
+    return this._assertDpop(this.dpop), this.dpop.getNonce(e);
+  }
+  setDpopNonce(e, n) {
+    return this._assertDpop(this.dpop), this.dpop.setNonce(e, n);
+  }
+  generateDpopProof(e) {
+    return this._assertDpop(this.dpop), this.dpop.generateProof(e);
+  }
+  createFetcher() {
+    let e = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {};
+    return new ti(e, { isDpopEnabled: () => !!this.options.useDpop, getAccessToken: (n) => {
+      var o;
+      return this.getTokenSilently({ authorizationParams: { scope: (o = n == null ? void 0 : n.scope) === null || o === void 0 ? void 0 : o.join(" "), audience: n == null ? void 0 : n.audience }, detailedResponse: !0 });
+    }, getDpopNonce: () => this.getDpopNonce(e.dpopNonceId), setDpopNonce: (n) => this.setDpopNonce(n, e.dpopNonceId), generateDpopProof: (n) => this.generateDpopProof(n) });
+  }
+  async connectAccountWithRedirect(e) {
+    const { openUrl: n, appState: o, connection: r, scopes: i, authorization_params: a, redirectUri: s = this.options.authorizationParams.redirect_uri || window.location.origin } = e;
+    if (!r) throw new Error("connection is required");
+    const c = Jt(Ge()), l = Ge(), u = await Zn(l), p = Bn(u), { connect_uri: h, connect_params: d, auth_session: g } = await this.myAccountApi.connectAccount({ connection: r, scopes: i, redirect_uri: s, state: c, code_challenge: p, code_challenge_method: "S256", authorization_params: a });
+    this.transactionManager.create({ state: c, code_verifier: l, auth_session: g, redirect_uri: s, appState: o, connection: r, response_type: Pe.ConnectCode });
+    const f = new URL(h);
+    f.searchParams.set("ticket", d.ticket), n ? await n(f.toString()) : window.location.assign(f);
+  }
+}
+export {
+  va as Auth0Client,
+  In as AuthenticationError,
+  Z as CacheKey,
+  On as ConnectError,
+  x as GenericError,
+  jo as InMemoryCache,
+  Wr as LocalStorageCache,
+  Dn as MfaRequiredError,
+  Dt as MissingRefreshTokenError,
+  Pt as MyAccountApiError,
+  Cn as PopupCancelledError,
+  jn as PopupOpenError,
+  xn as PopupTimeoutError,
+  Pe as ResponseType,
+  He as TimeoutError,
+  Kt as UseDpopNonceError
+};
+//# sourceMappingURL=auth0-spa-js.production.esm-BMSlxZC5.js.map