hookery 0.0.1 → 1.0.0

package/dist/bridges/auth0.js

@@ -0,0 +1,3015 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to2, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to2, key) && key !== except)
+        __defProp(to2, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to2;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/bridges/auth0/index.ts
+var auth0_exports = {};
+__export(auth0_exports, {
+  useAuth0: () => useAuth0,
+  useAuth0User: () => useAuth0User
+});
+module.exports = __toCommonJS(auth0_exports);
+
+// node_modules/@auth0/auth0-react/dist/auth0-react.esm.js
+var import_react = __toESM(require("react"));
+var extendStatics = function(d2, b) {
+  extendStatics = Object.setPrototypeOf || { __proto__: [] } instanceof Array && function(d3, b2) {
+    d3.__proto__ = b2;
+  } || function(d3, b2) {
+    for (var p2 in b2) if (Object.prototype.hasOwnProperty.call(b2, p2)) d3[p2] = b2[p2];
+  };
+  return extendStatics(d2, b);
+};
+function __extends(d2, b) {
+  if (typeof b !== "function" && b !== null)
+    throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+  extendStatics(d2, b);
+  function __() {
+    this.constructor = d2;
+  }
+  d2.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+}
+var __assign = function() {
+  __assign = Object.assign || function __assign2(t2) {
+    for (var s2, i2 = 1, n2 = arguments.length; i2 < n2; i2++) {
+      s2 = arguments[i2];
+      for (var p2 in s2) if (Object.prototype.hasOwnProperty.call(s2, p2)) t2[p2] = s2[p2];
+    }
+    return t2;
+  };
+  return __assign.apply(this, arguments);
+};
+var t = "undefined" != typeof globalThis ? globalThis : "undefined" != typeof window ? window : "undefined" != typeof global ? global : "undefined" != typeof self ? self : {};
+var n = {};
+var o = {};
+Object.defineProperty(o, "__esModule", { value: true });
+var r = (function() {
+  function e2() {
+    var e3 = this;
+    this.locked = /* @__PURE__ */ new Map(), this.addToLocked = function(t2, n2) {
+      var o2 = e3.locked.get(t2);
+      void 0 === o2 ? void 0 === n2 ? e3.locked.set(t2, []) : e3.locked.set(t2, [n2]) : void 0 !== n2 && (o2.unshift(n2), e3.locked.set(t2, o2));
+    }, this.isLocked = function(t2) {
+      return e3.locked.has(t2);
+    }, this.lock = function(t2) {
+      return new Promise((function(n2, o2) {
+        e3.isLocked(t2) ? e3.addToLocked(t2, n2) : (e3.addToLocked(t2), n2());
+      }));
+    }, this.unlock = function(t2) {
+      var n2 = e3.locked.get(t2);
+      if (void 0 !== n2 && 0 !== n2.length) {
+        var o2 = n2.pop();
+        e3.locked.set(t2, n2), void 0 !== o2 && setTimeout(o2, 0);
+      } else e3.locked.delete(t2);
+    };
+  }
+  return e2.getInstance = function() {
+    return void 0 === e2.instance && (e2.instance = new e2()), e2.instance;
+  }, e2;
+})();
+o.default = function() {
+  return r.getInstance();
+};
+var i = t && t.__awaiter || function(e2, t2, n2, o2) {
+  return new (n2 || (n2 = Promise))((function(r2, i2) {
+    function a2(e3) {
+      try {
+        c2(o2.next(e3));
+      } catch (e4) {
+        i2(e4);
+      }
+    }
+    function s2(e3) {
+      try {
+        c2(o2.throw(e3));
+      } catch (e4) {
+        i2(e4);
+      }
+    }
+    function c2(e3) {
+      e3.done ? r2(e3.value) : new n2((function(t3) {
+        t3(e3.value);
+      })).then(a2, s2);
+    }
+    c2((o2 = o2.apply(e2, t2 || [])).next());
+  }));
+};
+var a = t && t.__generator || function(e2, t2) {
+  var n2, o2, r2, i2, a2 = { label: 0, sent: function() {
+    if (1 & r2[0]) throw r2[1];
+    return r2[1];
+  }, trys: [], ops: [] };
+  return i2 = { next: s2(0), throw: s2(1), return: s2(2) }, "function" == typeof Symbol && (i2[Symbol.iterator] = function() {
+    return this;
+  }), i2;
+  function s2(i3) {
+    return function(s3) {
+      return (function(i4) {
+        if (n2) throw new TypeError("Generator is already executing.");
+        for (; a2; ) try {
+          if (n2 = 1, o2 && (r2 = 2 & i4[0] ? o2.return : i4[0] ? o2.throw || ((r2 = o2.return) && r2.call(o2), 0) : o2.next) && !(r2 = r2.call(o2, i4[1])).done) return r2;
+          switch (o2 = 0, r2 && (i4 = [2 & i4[0], r2.value]), i4[0]) {
+            case 0:
+            case 1:
+              r2 = i4;
+              break;
+            case 4:
+              return a2.label++, { value: i4[1], done: false };
+            case 5:
+              a2.label++, o2 = i4[1], i4 = [0];
+              continue;
+            case 7:
+              i4 = a2.ops.pop(), a2.trys.pop();
+              continue;
+            default:
+              if (!(r2 = a2.trys, (r2 = r2.length > 0 && r2[r2.length - 1]) || 6 !== i4[0] && 2 !== i4[0])) {
+                a2 = 0;
+                continue;
+              }
+              if (3 === i4[0] && (!r2 || i4[1] > r2[0] && i4[1] < r2[3])) {
+                a2.label = i4[1];
+                break;
+              }
+              if (6 === i4[0] && a2.label < r2[1]) {
+                a2.label = r2[1], r2 = i4;
+                break;
+              }
+              if (r2 && a2.label < r2[2]) {
+                a2.label = r2[2], a2.ops.push(i4);
+                break;
+              }
+              r2[2] && a2.ops.pop(), a2.trys.pop();
+              continue;
+          }
+          i4 = t2.call(e2, a2);
+        } catch (e3) {
+          i4 = [6, e3], o2 = 0;
+        } finally {
+          n2 = r2 = 0;
+        }
+        if (5 & i4[0]) throw i4[1];
+        return { value: i4[0] ? i4[1] : void 0, done: true };
+      })([i3, s3]);
+    };
+  }
+};
+var s = t;
+Object.defineProperty(n, "__esModule", { value: true });
+var c = o;
+var u = { key: function(e2) {
+  return i(s, void 0, void 0, (function() {
+    return a(this, (function(e3) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, getItem: function(e2) {
+  return i(s, void 0, void 0, (function() {
+    return a(this, (function(e3) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, clear: function() {
+  return i(s, void 0, void 0, (function() {
+    return a(this, (function(e2) {
+      return [2, window.localStorage.clear()];
+    }));
+  }));
+}, removeItem: function(e2) {
+  return i(s, void 0, void 0, (function() {
+    return a(this, (function(e3) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, setItem: function(e2, t2) {
+  return i(s, void 0, void 0, (function() {
+    return a(this, (function(e3) {
+      throw new Error("Unsupported");
+    }));
+  }));
+}, keySync: function(e2) {
+  return window.localStorage.key(e2);
+}, getItemSync: function(e2) {
+  return window.localStorage.getItem(e2);
+}, clearSync: function() {
+  return window.localStorage.clear();
+}, removeItemSync: function(e2) {
+  return window.localStorage.removeItem(e2);
+}, setItemSync: function(e2, t2) {
+  return window.localStorage.setItem(e2, t2);
+} };
+function l(e2) {
+  return new Promise((function(t2) {
+    return setTimeout(t2, e2);
+  }));
+}
+function d(e2) {
+  for (var t2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz", n2 = "", o2 = 0; o2 < e2; o2++) {
+    n2 += t2[Math.floor(Math.random() * t2.length)];
+  }
+  return n2;
+}
+var h = (function() {
+  function e2(t2) {
+    this.acquiredIatSet = /* @__PURE__ */ new Set(), this.storageHandler = void 0, this.id = Date.now().toString() + d(15), this.acquireLock = this.acquireLock.bind(this), this.releaseLock = this.releaseLock.bind(this), this.releaseLock__private__ = this.releaseLock__private__.bind(this), this.waitForSomethingToChange = this.waitForSomethingToChange.bind(this), this.refreshLockWhileAcquired = this.refreshLockWhileAcquired.bind(this), this.storageHandler = t2, void 0 === e2.waiters && (e2.waiters = []);
+  }
+  return e2.prototype.acquireLock = function(t2, n2) {
+    return void 0 === n2 && (n2 = 5e3), i(this, void 0, void 0, (function() {
+      var o2, r2, i2, s2, c2, h2, p2;
+      return a(this, (function(a2) {
+        switch (a2.label) {
+          case 0:
+            o2 = Date.now() + d(4), r2 = Date.now() + n2, i2 = "browser-tabs-lock-key-" + t2, s2 = void 0 === this.storageHandler ? u : this.storageHandler, a2.label = 1;
+          case 1:
+            return Date.now() < r2 ? [4, l(30)] : [3, 8];
+          case 2:
+            return a2.sent(), null !== s2.getItemSync(i2) ? [3, 5] : (c2 = this.id + "-" + t2 + "-" + o2, [4, l(Math.floor(25 * Math.random()))]);
+          case 3:
+            return a2.sent(), s2.setItemSync(i2, JSON.stringify({ id: this.id, iat: o2, timeoutKey: c2, timeAcquired: Date.now(), timeRefreshed: Date.now() })), [4, l(30)];
+          case 4:
+            return a2.sent(), null !== (h2 = s2.getItemSync(i2)) && (p2 = JSON.parse(h2)).id === this.id && p2.iat === o2 ? (this.acquiredIatSet.add(o2), this.refreshLockWhileAcquired(i2, o2), [2, true]) : [3, 7];
+          case 5:
+            return e2.lockCorrector(void 0 === this.storageHandler ? u : this.storageHandler), [4, this.waitForSomethingToChange(r2)];
+          case 6:
+            a2.sent(), a2.label = 7;
+          case 7:
+            return o2 = Date.now() + d(4), [3, 1];
+          case 8:
+            return [2, false];
+        }
+      }));
+    }));
+  }, e2.prototype.refreshLockWhileAcquired = function(e3, t2) {
+    return i(this, void 0, void 0, (function() {
+      var n2 = this;
+      return a(this, (function(o2) {
+        return setTimeout((function() {
+          return i(n2, void 0, void 0, (function() {
+            var n3, o3, r2;
+            return a(this, (function(i2) {
+              switch (i2.label) {
+                case 0:
+                  return [4, c.default().lock(t2)];
+                case 1:
+                  return i2.sent(), this.acquiredIatSet.has(t2) ? (n3 = void 0 === this.storageHandler ? u : this.storageHandler, null === (o3 = n3.getItemSync(e3)) ? (c.default().unlock(t2), [2]) : ((r2 = JSON.parse(o3)).timeRefreshed = Date.now(), n3.setItemSync(e3, JSON.stringify(r2)), c.default().unlock(t2), this.refreshLockWhileAcquired(e3, t2), [2])) : (c.default().unlock(t2), [2]);
+              }
+            }));
+          }));
+        }), 1e3), [2];
+      }));
+    }));
+  }, e2.prototype.waitForSomethingToChange = function(t2) {
+    return i(this, void 0, void 0, (function() {
+      return a(this, (function(n2) {
+        switch (n2.label) {
+          case 0:
+            return [4, new Promise((function(n3) {
+              var o2 = false, r2 = Date.now(), i2 = false;
+              function a2() {
+                if (i2 || (window.removeEventListener("storage", a2), e2.removeFromWaiting(a2), clearTimeout(s2), i2 = true), !o2) {
+                  o2 = true;
+                  var t3 = 50 - (Date.now() - r2);
+                  t3 > 0 ? setTimeout(n3, t3) : n3(null);
+                }
+              }
+              window.addEventListener("storage", a2), e2.addToWaiting(a2);
+              var s2 = setTimeout(a2, Math.max(0, t2 - Date.now()));
+            }))];
+          case 1:
+            return n2.sent(), [2];
+        }
+      }));
+    }));
+  }, e2.addToWaiting = function(t2) {
+    this.removeFromWaiting(t2), void 0 !== e2.waiters && e2.waiters.push(t2);
+  }, e2.removeFromWaiting = function(t2) {
+    void 0 !== e2.waiters && (e2.waiters = e2.waiters.filter((function(e3) {
+      return e3 !== t2;
+    })));
+  }, e2.notifyWaiters = function() {
+    void 0 !== e2.waiters && e2.waiters.slice().forEach((function(e3) {
+      return e3();
+    }));
+  }, e2.prototype.releaseLock = function(e3) {
+    return i(this, void 0, void 0, (function() {
+      return a(this, (function(t2) {
+        switch (t2.label) {
+          case 0:
+            return [4, this.releaseLock__private__(e3)];
+          case 1:
+            return [2, t2.sent()];
+        }
+      }));
+    }));
+  }, e2.prototype.releaseLock__private__ = function(t2) {
+    return i(this, void 0, void 0, (function() {
+      var n2, o2, r2, i2;
+      return a(this, (function(a2) {
+        switch (a2.label) {
+          case 0:
+            return n2 = void 0 === this.storageHandler ? u : this.storageHandler, o2 = "browser-tabs-lock-key-" + t2, null === (r2 = n2.getItemSync(o2)) ? [2] : (i2 = JSON.parse(r2)).id !== this.id ? [3, 2] : [4, c.default().lock(i2.iat)];
+          case 1:
+            a2.sent(), this.acquiredIatSet.delete(i2.iat), n2.removeItemSync(o2), c.default().unlock(i2.iat), e2.notifyWaiters(), a2.label = 2;
+          case 2:
+            return [2];
+        }
+      }));
+    }));
+  }, e2.lockCorrector = function(t2) {
+    for (var n2 = Date.now() - 5e3, o2 = t2, r2 = [], i2 = 0; ; ) {
+      var a2 = o2.keySync(i2);
+      if (null === a2) break;
+      r2.push(a2), i2++;
+    }
+    for (var s2 = false, c2 = 0; c2 < r2.length; c2++) {
+      var u2 = r2[c2];
+      if (u2.includes("browser-tabs-lock-key")) {
+        var l2 = o2.getItemSync(u2);
+        if (null !== l2) {
+          var d2 = JSON.parse(l2);
+          (void 0 === d2.timeRefreshed && d2.timeAcquired < n2 || void 0 !== d2.timeRefreshed && d2.timeRefreshed < n2) && (o2.removeItemSync(u2), s2 = true);
+        }
+      }
+    }
+    s2 && e2.notifyWaiters();
+  }, e2.waiters = void 0, e2;
+})();
+var p = n.default = h;
+var N = new TextEncoder();
+var W = new TextDecoder();
+var M;
+if (Uint8Array.prototype.toBase64) M = (e2) => (e2 instanceof ArrayBuffer && (e2 = new Uint8Array(e2)), e2.toBase64({ alphabet: "base64url", omitPadding: true }));
+else {
+  const e2 = 32768;
+  M = (t2) => {
+    t2 instanceof ArrayBuffer && (t2 = new Uint8Array(t2));
+    const n2 = [];
+    for (let o2 = 0; o2 < t2.byteLength; o2 += e2) n2.push(String.fromCharCode.apply(null, t2.subarray(o2, o2 + e2)));
+    return btoa(n2.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  };
+}
+var ve = t && t.__assign || function() {
+  return ve = Object.assign || function(e2) {
+    for (var t2, n2 = 1, o2 = arguments.length; n2 < o2; n2++) for (var r2 in t2 = arguments[n2]) Object.prototype.hasOwnProperty.call(t2, r2) && (e2[r2] = t2[r2]);
+    return e2;
+  }, ve.apply(this, arguments);
+};
+var Oe;
+!(function(e2) {
+  e2.Code = "code", e2.ConnectCode = "connect_code";
+})(Oe || (Oe = {}));
+function Ce(e2, t2, n2) {
+  var o2 = void 0 === t2 ? null : t2, r2 = (function(e3, t3) {
+    var n3 = atob(e3);
+    if (t3) {
+      for (var o3 = new Uint8Array(n3.length), r3 = 0, i3 = n3.length; r3 < i3; ++r3) o3[r3] = n3.charCodeAt(r3);
+      return String.fromCharCode.apply(null, new Uint16Array(o3.buffer));
+    }
+    return n3;
+  })(e2, void 0 !== n2 && n2), i2 = r2.indexOf("\n", 10) + 1, a2 = r2.substring(i2) + (o2 ? "//# sourceMappingURL=" + o2 : ""), s2 = new Blob([a2], { type: "application/javascript" });
+  return URL.createObjectURL(s2);
+}
+var je;
+var De;
+var Ke;
+var Le;
+var Ue = (je = "Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnN9PXQ7cmV0dXJuIG5ldyBlKHIscyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUscyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKHMpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1zLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtsZXQgdD1hcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W107cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCk7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jIGU9PntsZXQgcixjLHtkYXRhOnt0aW1lb3V0OmksYXV0aDphLGZldGNoVXJsOmYsZmV0Y2hPcHRpb25zOmwsdXNlRm9ybURhdGE6cCx1c2VNcnJ0Omh9LHBvcnRzOlt1XX09ZSxkPXt9O2NvbnN0e2F1ZGllbmNlOmcsc2NvcGU6eX09YXx8e307dHJ5e2NvbnN0IGU9cD8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShsLmJvZHkpOkpTT04ucGFyc2UobC5ib2R5KTtpZighZS5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1lLmdyYW50X3R5cGUpe2lmKGM9KChlLHQpPT5vW24oZSx0KV0pKGcseSksIWMmJmgpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxnKTtlJiYhdCYmKGM9ZSl9aWYoIWMpdGhyb3cgbmV3IHQoZyx5KTtsLmJvZHk9cD9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpfWxldCBhLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGE9bmV3IEFib3J0Q29udHJvbGxlcixsLnNpZ25hbD1hLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoaj1pLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsaikpKSksZmV0Y2goZixPYmplY3QuYXNzaWduKHt9LGwpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHUucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBhJiZhLmFib3J0KCksdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189ay5oZWFkZXJzLGQ9Wy4uLl9dLnJlZHVjZSgoKGUsdCk9PntsZXRbcixzXT10O3JldHVybiBlW3JdPXMsZX0pLHt9KSxyPWF3YWl0IGsuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKG8ubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLE89YyxiPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhvKS5mb3JFYWNoKChlPT57bGV0W3Qscl09ZTtyPT09TyYmKG9bdF09Yil9KSkpLCgoZSx0LHIpPT57b1tuKHQscildPWV9KShyLnJlZnJlc2hfdG9rZW4sZyx5KSxkZWxldGUgci5yZWZyZXNoX3Rva2VuKTooKGUsdCk9PntkZWxldGUgb1tuKGUsdCldfSkoZyx5KSx1LnBvc3RNZXNzYWdlKHtvazprLm9rLGpzb246cixoZWFkZXJzOmR9KX1jYXRjaChlKXt1LnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjplLmVycm9yLGVycm9yX2Rlc2NyaXB0aW9uOmUubWVzc2FnZX0saGVhZGVyczpkfSl9dmFyIE8sYixfLGp9KSl9KCk7Cgo=", De = null, Ke = false, function(e2) {
+  return Le = Le || Ce(je, De, Ke), new Worker(Le, e2);
+});
+var qe;
+var Be;
+var Xe;
+!(function(e2) {
+  e2.Bearer = "Bearer", e2.DPoP = "DPoP";
+})(qe || (qe = {}));
+function et(e2, t2) {
+  this.v = e2, this.k = t2;
+}
+function tt(e2, t2, n2) {
+  if ("function" == typeof e2 ? e2 === t2 : e2.has(t2)) return arguments.length < 3 ? t2 : n2;
+  throw new TypeError("Private element is not present on this object");
+}
+function nt(e2) {
+  return new et(e2, 0);
+}
+function ot(e2, t2) {
+  if (t2.has(e2)) throw new TypeError("Cannot initialize the same private elements twice on an object");
+}
+function rt(e2, t2) {
+  return e2.get(tt(e2, t2));
+}
+function it(e2, t2, n2) {
+  ot(e2, t2), t2.set(e2, n2);
+}
+function at(e2, t2, n2) {
+  return e2.set(tt(e2, t2), n2), n2;
+}
+function st(e2, t2, n2) {
+  return (t2 = (function(e3) {
+    var t3 = (function(e4, t4) {
+      if ("object" != typeof e4 || !e4) return e4;
+      var n3 = e4[Symbol.toPrimitive];
+      if (void 0 !== n3) {
+        var o2 = n3.call(e4, t4 || "default");
+        if ("object" != typeof o2) return o2;
+        throw new TypeError("@@toPrimitive must return a primitive value.");
+      }
+      return ("string" === t4 ? String : Number)(e4);
+    })(e3, "string");
+    return "symbol" == typeof t3 ? t3 : t3 + "";
+  })(t2)) in e2 ? Object.defineProperty(e2, t2, { value: n2, enumerable: true, configurable: true, writable: true }) : e2[t2] = n2, e2;
+}
+function ct(e2, t2) {
+  var n2 = Object.keys(e2);
+  if (Object.getOwnPropertySymbols) {
+    var o2 = Object.getOwnPropertySymbols(e2);
+    t2 && (o2 = o2.filter((function(t3) {
+      return Object.getOwnPropertyDescriptor(e2, t3).enumerable;
+    }))), n2.push.apply(n2, o2);
+  }
+  return n2;
+}
+function ut(e2) {
+  for (var t2 = 1; t2 < arguments.length; t2++) {
+    var n2 = null != arguments[t2] ? arguments[t2] : {};
+    t2 % 2 ? ct(Object(n2), true).forEach((function(t3) {
+      st(e2, t3, n2[t3]);
+    })) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e2, Object.getOwnPropertyDescriptors(n2)) : ct(Object(n2)).forEach((function(t3) {
+      Object.defineProperty(e2, t3, Object.getOwnPropertyDescriptor(n2, t3));
+    }));
+  }
+  return e2;
+}
+function lt(e2, t2) {
+  if (null == e2) return {};
+  var n2, o2, r2 = (function(e3, t3) {
+    if (null == e3) return {};
+    var n3 = {};
+    for (var o3 in e3) if ({}.hasOwnProperty.call(e3, o3)) {
+      if (-1 !== t3.indexOf(o3)) continue;
+      n3[o3] = e3[o3];
+    }
+    return n3;
+  })(e2, t2);
+  if (Object.getOwnPropertySymbols) {
+    var i2 = Object.getOwnPropertySymbols(e2);
+    for (o2 = 0; o2 < i2.length; o2++) n2 = i2[o2], -1 === t2.indexOf(n2) && {}.propertyIsEnumerable.call(e2, n2) && (r2[n2] = e2[n2]);
+  }
+  return r2;
+}
+function dt(e2) {
+  return function() {
+    return new ht(e2.apply(this, arguments));
+  };
+}
+function ht(e2) {
+  var t2, n2;
+  function o2(t3, n3) {
+    try {
+      var i2 = e2[t3](n3), a2 = i2.value, s2 = a2 instanceof et;
+      Promise.resolve(s2 ? a2.v : a2).then((function(n4) {
+        if (s2) {
+          var c2 = "return" === t3 ? "return" : "next";
+          if (!a2.k || n4.done) return o2(c2, n4);
+          n4 = e2[c2](n4).value;
+        }
+        r2(i2.done ? "return" : "normal", n4);
+      }), (function(e3) {
+        o2("throw", e3);
+      }));
+    } catch (e3) {
+      r2("throw", e3);
+    }
+  }
+  function r2(e3, r3) {
+    switch (e3) {
+      case "return":
+        t2.resolve({ value: r3, done: true });
+        break;
+      case "throw":
+        t2.reject(r3);
+        break;
+      default:
+        t2.resolve({ value: r3, done: false });
+    }
+    (t2 = t2.next) ? o2(t2.key, t2.arg) : n2 = null;
+  }
+  this._invoke = function(e3, r3) {
+    return new Promise((function(i2, a2) {
+      var s2 = { key: e3, arg: r3, resolve: i2, reject: a2, next: null };
+      n2 ? n2 = n2.next = s2 : (t2 = n2 = s2, o2(e3, r3));
+    }));
+  }, "function" != typeof e2.return && (this.return = void 0);
+}
+var pt;
+if (ht.prototype["function" == typeof Symbol && Symbol.asyncIterator || "@@asyncIterator"] = function() {
+  return this;
+}, ht.prototype.next = function(e2) {
+  return this._invoke("next", e2);
+}, ht.prototype.throw = function(e2) {
+  return this._invoke("throw", e2);
+}, ht.prototype.return = function(e2) {
+  return this._invoke("return", e2);
+}, "undefined" == typeof navigator || null === (Be = navigator.userAgent) || void 0 === Be || null === (Xe = Be.startsWith) || void 0 === Xe || !Xe.call(Be, "Mozilla/5.0 ")) {
+  const e2 = "v3.8.3";
+  pt = "".concat("oauth4webapi", "/").concat(e2);
+}
+function ft(e2, t2) {
+  if (null == e2) return false;
+  try {
+    return e2 instanceof t2 || Object.getPrototypeOf(e2)[Symbol.toStringTag] === t2.prototype[Symbol.toStringTag];
+  } catch (e3) {
+    return false;
+  }
+}
+function mt(e2, t2, n2) {
+  const o2 = new TypeError(e2, { cause: n2 });
+  return Object.assign(o2, { code: t2 }), o2;
+}
+var yt = /* @__PURE__ */ Symbol();
+var wt = /* @__PURE__ */ Symbol();
+var gt = /* @__PURE__ */ Symbol();
+var vt = /* @__PURE__ */ Symbol();
+var bt = /* @__PURE__ */ Symbol();
+var _t = /* @__PURE__ */ Symbol();
+var kt = new TextEncoder();
+var St = new TextDecoder();
+function Et(e2) {
+  return "string" == typeof e2 ? kt.encode(e2) : St.decode(e2);
+}
+var At;
+var Tt;
+if (Uint8Array.prototype.toBase64) At = (e2) => (e2 instanceof ArrayBuffer && (e2 = new Uint8Array(e2)), e2.toBase64({ alphabet: "base64url", omitPadding: true }));
+else {
+  const e2 = 32768;
+  At = (t2) => {
+    t2 instanceof ArrayBuffer && (t2 = new Uint8Array(t2));
+    const n2 = [];
+    for (let o2 = 0; o2 < t2.byteLength; o2 += e2) n2.push(String.fromCharCode.apply(null, t2.subarray(o2, o2 + e2)));
+    return btoa(n2.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  };
+}
+function Pt(e2) {
+  return "string" == typeof e2 ? Tt(e2) : At(e2);
+}
+Tt = Uint8Array.fromBase64 ? (e2) => {
+  try {
+    return Uint8Array.fromBase64(e2, { alphabet: "base64url" });
+  } catch (e3) {
+    throw mt("The input to be decoded is not correctly encoded.", "ERR_INVALID_ARG_VALUE", e3);
+  }
+} : (e2) => {
+  try {
+    const t2 = atob(e2.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n2 = new Uint8Array(t2.length);
+    for (let e3 = 0; e3 < t2.length; e3++) n2[e3] = t2.charCodeAt(e3);
+    return n2;
+  } catch (e3) {
+    throw mt("The input to be decoded is not correctly encoded.", "ERR_INVALID_ARG_VALUE", e3);
+  }
+};
+var Rt = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "code", void 0), this.name = this.constructor.name, this.code = Rn, null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+var It = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "code", void 0), this.name = this.constructor.name, null != t2 && t2.code && (this.code = null == t2 ? void 0 : t2.code), null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+function Ot(e2, t2, n2) {
+  return new It(e2, { code: t2, cause: n2 });
+}
+function xt(e2, t2) {
+  if ((function(e3, t3) {
+    if (!(e3 instanceof CryptoKey)) throw mt("".concat(t3, " must be a CryptoKey"), "ERR_INVALID_ARG_TYPE");
+  })(e2, t2), "private" !== e2.type) throw mt("".concat(t2, " must be a private CryptoKey"), "ERR_INVALID_ARG_VALUE");
+}
+function Ct(e2) {
+  return null !== e2 && "object" == typeof e2 && !Array.isArray(e2);
+}
+function jt(e2) {
+  ft(e2, Headers) && (e2 = Object.fromEntries(e2.entries()));
+  const t2 = new Headers(null != e2 ? e2 : {});
+  if (pt && !t2.has("user-agent") && t2.set("user-agent", pt), t2.has("authorization")) throw mt('"options.headers" must not include the "authorization" header name', "ERR_INVALID_ARG_VALUE");
+  return t2;
+}
+function Dt(e2, t2) {
+  if (void 0 !== t2) {
+    if ("function" == typeof t2 && (t2 = t2(e2.href)), !(t2 instanceof AbortSignal)) throw mt('"options.signal" must return or be an instance of AbortSignal', "ERR_INVALID_ARG_TYPE");
+    return t2;
+  }
+}
+function Kt(e2) {
+  return e2.includes("//") ? e2.replace("//", "/") : e2;
+}
+async function Lt(e2, t2) {
+  return (async function(e3, t3, n2, o2) {
+    if (!(e3 instanceof URL)) throw mt('"'.concat(t3, '" must be an instance of URL'), "ERR_INVALID_ARG_TYPE");
+    Xt(e3, true !== (null == o2 ? void 0 : o2[yt]));
+    const r2 = n2(new URL(e3.href)), i2 = jt(null == o2 ? void 0 : o2.headers);
+    return i2.set("accept", "application/json"), ((null == o2 ? void 0 : o2[vt]) || fetch)(r2.href, { body: void 0, headers: Object.fromEntries(i2.entries()), method: "GET", redirect: "manual", signal: Dt(r2, null == o2 ? void 0 : o2.signal) });
+  })(e2, "issuerIdentifier", ((e3) => {
+    switch (null == t2 ? void 0 : t2.algorithm) {
+      case void 0:
+      case "oidc":
+        !(function(e4, t3) {
+          e4.pathname = Kt("".concat(e4.pathname, "/").concat(t3));
+        })(e3, ".well-known/openid-configuration");
+        break;
+      case "oauth2":
+        !(function(e4, t3) {
+          let n2 = arguments.length > 2 && void 0 !== arguments[2] && arguments[2];
+          "/" === e4.pathname ? e4.pathname = t3 : e4.pathname = Kt("".concat(t3, "/").concat(n2 ? e4.pathname : e4.pathname.replace(/(\/)$/, "")));
+        })(e3, ".well-known/oauth-authorization-server");
+        break;
+      default:
+        throw mt('"options.algorithm" must be "oidc" (default), or "oauth2"', "ERR_INVALID_ARG_VALUE");
+    }
+    return e3;
+  }), t2);
+}
+function Ut(e2, t2, n2, o2, r2) {
+  try {
+    if ("number" != typeof e2 || !Number.isFinite(e2)) throw mt("".concat(n2, " must be a number"), "ERR_INVALID_ARG_TYPE", r2);
+    if (e2 > 0) return;
+    if (t2) {
+      if (0 !== e2) throw mt("".concat(n2, " must be a non-negative number"), "ERR_INVALID_ARG_VALUE", r2);
+      return;
+    }
+    throw mt("".concat(n2, " must be a positive number"), "ERR_INVALID_ARG_VALUE", r2);
+  } catch (e3) {
+    if (o2) throw Ot(e3.message, o2, r2);
+    throw e3;
+  }
+}
+function Nt(e2, t2, n2, o2) {
+  try {
+    if ("string" != typeof e2) throw mt("".concat(t2, " must be a string"), "ERR_INVALID_ARG_TYPE", o2);
+    if (0 === e2.length) throw mt("".concat(t2, " must not be empty"), "ERR_INVALID_ARG_VALUE", o2);
+  } catch (e3) {
+    if (n2) throw Ot(e3.message, n2, o2);
+    throw e3;
+  }
+}
+function Wt(e2) {
+  !(function(e3, t2) {
+    if (ln(e3) !== t2) throw (function(e4) {
+      let t3 = '"response" content-type must be ';
+      for (var n2 = arguments.length, o2 = new Array(n2 > 1 ? n2 - 1 : 0), r2 = 1; r2 < n2; r2++) o2[r2 - 1] = arguments[r2];
+      if (o2.length > 2) {
+        const e5 = o2.pop();
+        t3 += "".concat(o2.join(", "), ", or ").concat(e5);
+      } else 2 === o2.length ? t3 += "".concat(o2[0], " or ").concat(o2[1]) : t3 += o2[0];
+      return Ot(t3, Cn, e4);
+    })(e3, t2);
+  })(e2, "application/json");
+}
+function Ht() {
+  return Pt(crypto.getRandomValues(new Uint8Array(32)));
+}
+function zt(e2) {
+  switch (e2.algorithm.name) {
+    case "RSA-PSS":
+      return (function(e3) {
+        switch (e3.algorithm.hash.name) {
+          case "SHA-256":
+            return "PS256";
+          case "SHA-384":
+            return "PS384";
+          case "SHA-512":
+            return "PS512";
+          default:
+            throw new Rt("unsupported RsaHashedKeyAlgorithm hash name", { cause: e3 });
+        }
+      })(e2);
+    case "RSASSA-PKCS1-v1_5":
+      return (function(e3) {
+        switch (e3.algorithm.hash.name) {
+          case "SHA-256":
+            return "RS256";
+          case "SHA-384":
+            return "RS384";
+          case "SHA-512":
+            return "RS512";
+          default:
+            throw new Rt("unsupported RsaHashedKeyAlgorithm hash name", { cause: e3 });
+        }
+      })(e2);
+    case "ECDSA":
+      return (function(e3) {
+        switch (e3.algorithm.namedCurve) {
+          case "P-256":
+            return "ES256";
+          case "P-384":
+            return "ES384";
+          case "P-521":
+            return "ES512";
+          default:
+            throw new Rt("unsupported EcKeyAlgorithm namedCurve", { cause: e3 });
+        }
+      })(e2);
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return e2.algorithm.name;
+    case "EdDSA":
+      return "Ed25519";
+    default:
+      throw new Rt("unsupported CryptoKey algorithm name", { cause: e2 });
+  }
+}
+function Jt(e2) {
+  const t2 = null == e2 ? void 0 : e2[wt];
+  return "number" == typeof t2 && Number.isFinite(t2) ? t2 : 0;
+}
+function Mt(e2) {
+  const t2 = null == e2 ? void 0 : e2[gt];
+  return "number" == typeof t2 && Number.isFinite(t2) && -1 !== Math.sign(t2) ? t2 : 30;
+}
+function Vt() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Gt(e2) {
+  if ("object" != typeof e2 || null === e2) throw mt('"as" must be an object', "ERR_INVALID_ARG_TYPE");
+  Nt(e2.issuer, '"as.issuer"');
+}
+function Ft(e2) {
+  if ("object" != typeof e2 || null === e2) throw mt('"client" must be an object', "ERR_INVALID_ARG_TYPE");
+  Nt(e2.client_id, '"client.client_id"');
+}
+function Zt(e2) {
+  return Nt(e2, '"clientSecret"'), (t2, n2, o2, r2) => {
+    o2.set("client_id", n2.client_id), o2.set("client_secret", e2);
+  };
+}
+function qt(e2, t2) {
+  const { key: n2, kid: o2 } = (r2 = e2) instanceof CryptoKey ? { key: r2 } : (null == r2 ? void 0 : r2.key) instanceof CryptoKey ? (void 0 !== r2.kid && Nt(r2.kid, '"kid"'), { key: r2.key, kid: r2.kid }) : {};
+  var r2;
+  return xt(n2, '"clientPrivateKey.key"'), async (e3, r3, i2, a2) => {
+    var s2;
+    const c2 = { alg: zt(n2), kid: o2 }, u2 = (function(e4, t3) {
+      const n3 = Vt() + Jt(t3);
+      return { jti: Ht(), aud: e4.issuer, exp: n3 + 60, iat: n3, nbf: n3, iss: t3.client_id, sub: t3.client_id };
+    })(e3, r3);
+    null == t2 || null === (s2 = t2[bt]) || void 0 === s2 || s2.call(t2, c2, u2), i2.set("client_id", r3.client_id), i2.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), i2.set("client_assertion", await (async function(e4, t3, n3) {
+      if (!n3.usages.includes("sign")) throw mt('CryptoKey instances used for signing assertions must include "sign" in their "usages"', "ERR_INVALID_ARG_VALUE");
+      const o3 = "".concat(Pt(Et(JSON.stringify(e4))), ".").concat(Pt(Et(JSON.stringify(t3)))), r4 = Pt(await crypto.subtle.sign((function(e5) {
+        switch (e5.algorithm.name) {
+          case "ECDSA":
+            return { name: e5.algorithm.name, hash: Mn(e5) };
+          case "RSA-PSS":
+            switch (Jn(e5), e5.algorithm.hash.name) {
+              case "SHA-256":
+              case "SHA-384":
+              case "SHA-512":
+                return { name: e5.algorithm.name, saltLength: parseInt(e5.algorithm.hash.name.slice(-3), 10) >> 3 };
+              default:
+                throw new Rt("unsupported RSA-PSS hash name", { cause: e5 });
+            }
+          case "RSASSA-PKCS1-v1_5":
+            return Jn(e5), e5.algorithm.name;
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+          case "Ed25519":
+            return e5.algorithm.name;
+        }
+        throw new Rt("unsupported CryptoKey algorithm name", { cause: e5 });
+      })(n3), n3, Et(o3)));
+      return "".concat(o3, ".").concat(r4);
+    })(c2, u2, n2));
+  };
+}
+var Bt = URL.parse ? (e2, t2) => URL.parse(e2, t2) : (e2, t2) => {
+  try {
+    return new URL(e2, t2);
+  } catch (e3) {
+    return null;
+  }
+};
+function Xt(e2, t2) {
+  if (t2 && "https:" !== e2.protocol) throw Ot("only requests to HTTPS are allowed", Dn, e2);
+  if ("https:" !== e2.protocol && "http:" !== e2.protocol) throw Ot("only HTTP and HTTPS requests are allowed", Kn, e2);
+}
+function Yt(e2, t2, n2, o2) {
+  let r2;
+  if ("string" != typeof e2 || !(r2 = Bt(e2))) throw Ot("authorization server metadata does not contain a valid ".concat(n2 ? '"as.mtls_endpoint_aliases.'.concat(t2, '"') : '"as.'.concat(t2, '"')), void 0 === e2 ? Wn : Hn, { attribute: n2 ? "mtls_endpoint_aliases.".concat(t2) : t2 });
+  return Xt(r2, o2), r2;
+}
+function Qt(e2, t2, n2, o2) {
+  return n2 && e2.mtls_endpoint_aliases && t2 in e2.mtls_endpoint_aliases ? Yt(e2.mtls_endpoint_aliases[t2], t2, n2, o2) : Yt(e2[t2], t2, n2, o2);
+}
+var $t = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "cause", void 0), st(this, "code", void 0), st(this, "error", void 0), st(this, "status", void 0), st(this, "error_description", void 0), st(this, "response", void 0), this.name = this.constructor.name, this.code = Pn, this.cause = t2.cause, this.error = t2.cause.error, this.status = t2.response.status, this.error_description = t2.cause.error_description, Object.defineProperty(this, "response", { enumerable: false, value: t2.response }), null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+var en = class extends Error {
+  constructor(e2, t2) {
+    var n2, o2;
+    super(e2, t2), st(this, "cause", void 0), st(this, "code", void 0), st(this, "error", void 0), st(this, "error_description", void 0), this.name = this.constructor.name, this.code = In, this.cause = t2.cause, this.error = t2.cause.get("error"), this.error_description = null !== (n2 = t2.cause.get("error_description")) && void 0 !== n2 ? n2 : void 0, null === (o2 = Error.captureStackTrace) || void 0 === o2 || o2.call(Error, this, this.constructor);
+  }
+};
+var tn = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "cause", void 0), st(this, "code", void 0), st(this, "response", void 0), st(this, "status", void 0), this.name = this.constructor.name, this.code = Tn, this.cause = t2.cause, this.status = t2.response.status, this.response = t2.response, Object.defineProperty(this, "response", { enumerable: false }), null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+var nn = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+var on = new RegExp("^[,\\s]*(" + nn + ")");
+var rn = new RegExp('^[,\\s]*([a-zA-Z0-9!#$%&\\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"[,\\s]*(.*)');
+var an = new RegExp("^[,\\s]*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)[,\\s]*(.*)");
+var sn = new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");
+async function cn(e2, t2, n2) {
+  if (e2.status !== t2) {
+    let t3;
+    var o2;
+    if ((function(e3) {
+      let t4;
+      if (t4 = (function(e4) {
+        if (!ft(e4, Response)) throw mt('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+        const t5 = e4.headers.get("www-authenticate");
+        if (null === t5) return;
+        const n3 = [];
+        let o3 = t5;
+        for (; o3; ) {
+          var r2;
+          let e5 = o3.match(on);
+          const t6 = null === (r2 = e5) || void 0 === r2 ? void 0 : r2[1].toLowerCase();
+          if (!t6) return;
+          const i2 = o3.substring(e5[0].length);
+          if (i2 && !i2.match(/^[\s,]/)) return;
+          const a2 = i2.match(/^\s+(.*)$/), s2 = !!a2;
+          o3 = a2 ? a2[1] : void 0;
+          const c2 = {};
+          let u2;
+          if (s2) for (; o3; ) {
+            let t7, n4;
+            if (e5 = o3.match(rn)) {
+              if ([, t7, n4, o3] = e5, n4.includes("\\")) try {
+                n4 = JSON.parse('"'.concat(n4, '"'));
+              } catch (e6) {
+              }
+              c2[t7.toLowerCase()] = n4;
+            } else {
+              if (!(e5 = o3.match(an))) {
+                if (e5 = o3.match(sn)) {
+                  if (Object.keys(c2).length) break;
+                  [, u2, o3] = e5;
+                  break;
+                }
+                return;
+              }
+              [, t7, n4, o3] = e5, c2[t7.toLowerCase()] = n4;
+            }
+          }
+          else o3 = i2 || void 0;
+          const l2 = { scheme: t6, parameters: c2 };
+          u2 && (l2.token68 = u2), n3.push(l2);
+        }
+        return n3.length ? n3 : void 0;
+      })(e3)) throw new tn("server responded with a challenge in the WWW-Authenticate HTTP Header", { cause: t4, response: e3 });
+    })(e2), t3 = await (async function(e3) {
+      if (e3.status > 399 && e3.status < 500) {
+        zn(e3), Wt(e3);
+        try {
+          const t4 = await e3.clone().json();
+          if (Ct(t4) && "string" == typeof t4.error && t4.error.length) return t4;
+        } catch (e4) {
+        }
+      }
+    })(e2)) throw await (null === (o2 = e2.body) || void 0 === o2 ? void 0 : o2.cancel()), new $t("server responded with an error in the response body", { cause: t3, response: e2 });
+    throw Ot('"response" is not a conform '.concat(n2, " response (unexpected HTTP status code)"), jn, e2);
+  }
+}
+function un(e2) {
+  if (!vn.has(e2)) throw mt('"options.DPoP" is not a valid DPoPHandle', "ERR_INVALID_ARG_VALUE");
+}
+function ln(e2) {
+  var t2;
+  return null === (t2 = e2.headers.get("content-type")) || void 0 === t2 ? void 0 : t2.split(";")[0];
+}
+async function dn(e2, t2, n2, o2, r2, i2, a2) {
+  return await n2(e2, t2, r2, i2), i2.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((null == a2 ? void 0 : a2[vt]) || fetch)(o2.href, { body: r2, headers: Object.fromEntries(i2.entries()), method: "POST", redirect: "manual", signal: Dt(o2, null == a2 ? void 0 : a2.signal) });
+}
+async function hn(e2, t2, n2, o2, r2, i2) {
+  var a2;
+  const s2 = Qt(e2, "token_endpoint", t2.use_mtls_endpoint_aliases, true !== (null == i2 ? void 0 : i2[yt]));
+  r2.set("grant_type", o2);
+  const c2 = jt(null == i2 ? void 0 : i2.headers);
+  c2.set("accept", "application/json"), void 0 !== (null == i2 ? void 0 : i2.DPoP) && (un(i2.DPoP), await i2.DPoP.addProof(s2, c2, "POST"));
+  const u2 = await dn(e2, t2, n2, s2, r2, c2, i2);
+  return null == i2 || null === (a2 = i2.DPoP) || void 0 === a2 || a2.cacheNonce(u2, s2), u2;
+}
+var pn = /* @__PURE__ */ new WeakMap();
+var fn = /* @__PURE__ */ new WeakMap();
+function mn(e2) {
+  if (!e2.id_token) return;
+  const t2 = pn.get(e2);
+  if (!t2) throw mt('"ref" was already garbage collected or did not resolve from the proper sources', "ERR_INVALID_ARG_VALUE");
+  return t2;
+}
+async function yn(e2, t2, n2, o2, r2, i2) {
+  if (Gt(e2), Ft(t2), !ft(n2, Response)) throw mt('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+  await cn(n2, 200, "Token Endpoint"), zn(n2);
+  const a2 = await Xn(n2);
+  if (Nt(a2.access_token, '"response" body "access_token" property', xn, { body: a2 }), Nt(a2.token_type, '"response" body "token_type" property', xn, { body: a2 }), a2.token_type = a2.token_type.toLowerCase(), void 0 !== a2.expires_in) {
+    let e3 = "number" != typeof a2.expires_in ? parseFloat(a2.expires_in) : a2.expires_in;
+    Ut(e3, true, '"response" body "expires_in" property', xn, { body: a2 }), a2.expires_in = e3;
+  }
+  if (void 0 !== a2.refresh_token && Nt(a2.refresh_token, '"response" body "refresh_token" property', xn, { body: a2 }), void 0 !== a2.scope && "string" != typeof a2.scope) throw Ot('"response" body "scope" property must be a string', xn, { body: a2 });
+  if (void 0 !== a2.id_token) {
+    Nt(a2.id_token, '"response" body "id_token" property', xn, { body: a2 });
+    const i3 = ["aud", "exp", "iat", "iss", "sub"];
+    true === t2.require_auth_time && i3.push("auth_time"), void 0 !== t2.default_max_age && (Ut(t2.default_max_age, true, '"client.default_max_age"'), i3.push("auth_time")), null != o2 && o2.length && i3.push(...o2);
+    const { claims: s2, jwt: c2 } = await (async function(e3, t3, n3, o3, r3) {
+      let i4, a3, { 0: s3, 1: c3, length: u2 } = e3.split(".");
+      if (5 === u2) {
+        if (void 0 === r3) throw new Rt("JWE decryption is not configured", { cause: e3 });
+        e3 = await r3(e3), { 0: s3, 1: c3, length: u2 } = e3.split(".");
+      }
+      if (3 !== u2) throw Ot("Invalid JWT", xn, e3);
+      try {
+        i4 = JSON.parse(Et(Pt(s3)));
+      } catch (e4) {
+        throw Ot("failed to parse JWT Header body as base64url encoded JSON", On, e4);
+      }
+      if (!Ct(i4)) throw Ot("JWT Header must be a top level object", xn, e3);
+      if (t3(i4), void 0 !== i4.crit) throw new Rt('no JWT "crit" header parameter extensions are supported', { cause: { header: i4 } });
+      try {
+        a3 = JSON.parse(Et(Pt(c3)));
+      } catch (e4) {
+        throw Ot("failed to parse JWT Payload body as base64url encoded JSON", On, e4);
+      }
+      if (!Ct(a3)) throw Ot("JWT Payload must be a top level object", xn, e3);
+      const l2 = Vt() + n3;
+      if (void 0 !== a3.exp) {
+        if ("number" != typeof a3.exp) throw Ot('unexpected JWT "exp" (expiration time) claim type', xn, { claims: a3 });
+        if (a3.exp <= l2 - o3) throw Ot('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', Ln, { claims: a3, now: l2, tolerance: o3, claim: "exp" });
+      }
+      if (void 0 !== a3.iat && "number" != typeof a3.iat) throw Ot('unexpected JWT "iat" (issued at) claim type', xn, { claims: a3 });
+      if (void 0 !== a3.iss && "string" != typeof a3.iss) throw Ot('unexpected JWT "iss" (issuer) claim type', xn, { claims: a3 });
+      if (void 0 !== a3.nbf) {
+        if ("number" != typeof a3.nbf) throw Ot('unexpected JWT "nbf" (not before) claim type', xn, { claims: a3 });
+        if (a3.nbf > l2 + o3) throw Ot('unexpected JWT "nbf" (not before) claim value', Ln, { claims: a3, now: l2, tolerance: o3, claim: "nbf" });
+      }
+      if (void 0 !== a3.aud && "string" != typeof a3.aud && !Array.isArray(a3.aud)) throw Ot('unexpected JWT "aud" (audience) claim type', xn, { claims: a3 });
+      return { header: i4, claims: a3, jwt: e3 };
+    })(a2.id_token, Gn.bind(void 0, t2.id_token_signed_response_alg, e2.id_token_signing_alg_values_supported, "RS256"), Jt(t2), Mt(t2), r2).then(kn.bind(void 0, i3)).then(gn.bind(void 0, e2)).then(wn.bind(void 0, t2.client_id));
+    if (Array.isArray(s2.aud) && 1 !== s2.aud.length) {
+      if (void 0 === s2.azp) throw Ot('ID Token "aud" (audience) claim includes additional untrusted audiences', Un, { claims: s2, claim: "aud" });
+      if (s2.azp !== t2.client_id) throw Ot('unexpected ID Token "azp" (authorized party) claim value', Un, { expected: t2.client_id, claims: s2, claim: "azp" });
+    }
+    void 0 !== s2.auth_time && Ut(s2.auth_time, true, 'ID Token "auth_time" (authentication time)', xn, { claims: s2 }), fn.set(n2, c2), pn.set(a2, s2);
+  }
+  if (void 0 !== (null == i2 ? void 0 : i2[a2.token_type])) i2[a2.token_type](n2, a2);
+  else if ("dpop" !== a2.token_type && "bearer" !== a2.token_type) throw new Rt("unsupported `token_type` value", { cause: { body: a2 } });
+  return a2;
+}
+function wn(e2, t2) {
+  if (Array.isArray(t2.claims.aud)) {
+    if (!t2.claims.aud.includes(e2)) throw Ot('unexpected JWT "aud" (audience) claim value', Un, { expected: e2, claims: t2.claims, claim: "aud" });
+  } else if (t2.claims.aud !== e2) throw Ot('unexpected JWT "aud" (audience) claim value', Un, { expected: e2, claims: t2.claims, claim: "aud" });
+  return t2;
+}
+function gn(e2, t2) {
+  var n2, o2;
+  const r2 = null !== (n2 = null === (o2 = e2[Qn]) || void 0 === o2 ? void 0 : o2.call(e2, t2)) && void 0 !== n2 ? n2 : e2.issuer;
+  if (t2.claims.iss !== r2) throw Ot('unexpected JWT "iss" (issuer) claim value', Un, { expected: r2, claims: t2.claims, claim: "iss" });
+  return t2;
+}
+var vn = /* @__PURE__ */ new WeakSet();
+var bn = /* @__PURE__ */ Symbol();
+var _n = { aud: "audience", c_hash: "code hash", client_id: "client id", exp: "expiration time", iat: "issued at", iss: "issuer", jti: "jwt id", nonce: "nonce", s_hash: "state hash", sub: "subject", ath: "access token hash", htm: "http method", htu: "http uri", cnf: "confirmation", auth_time: "authentication time" };
+function kn(e2, t2) {
+  for (const n2 of e2) if (void 0 === t2.claims[n2]) throw Ot('JWT "'.concat(n2, '" (').concat(_n[n2], ") claim missing"), xn, { claims: t2.claims });
+  return t2;
+}
+var Sn = /* @__PURE__ */ Symbol();
+var En = /* @__PURE__ */ Symbol();
+async function An(e2, t2, n2, o2) {
+  return "string" == typeof (null == o2 ? void 0 : o2.expectedNonce) || "number" == typeof (null == o2 ? void 0 : o2.maxAge) || null != o2 && o2.requireIdToken ? (async function(e3, t3, n3, o3, r2, i2, a2) {
+    const s2 = [];
+    switch (o3) {
+      case void 0:
+        o3 = Sn;
+        break;
+      case Sn:
+        break;
+      default:
+        Nt(o3, '"expectedNonce" argument'), s2.push("nonce");
+    }
+    switch (null != r2 || (r2 = t3.default_max_age), r2) {
+      case void 0:
+        r2 = En;
+        break;
+      case En:
+        break;
+      default:
+        Ut(r2, true, '"maxAge" argument'), s2.push("auth_time");
+    }
+    const c2 = await yn(e3, t3, n3, s2, i2, a2);
+    Nt(c2.id_token, '"response" body "id_token" property', xn, { body: c2 });
+    const u2 = mn(c2);
+    if (r2 !== En) {
+      const e4 = Vt() + Jt(t3), n4 = Mt(t3);
+      if (u2.auth_time + r2 < e4 - n4) throw Ot("too much time has elapsed since the last End-User authentication", Ln, { claims: u2, now: e4, tolerance: n4, claim: "auth_time" });
+    }
+    if (o3 === Sn) {
+      if (void 0 !== u2.nonce) throw Ot('unexpected ID Token "nonce" claim value', Un, { expected: void 0, claims: u2, claim: "nonce" });
+    } else if (u2.nonce !== o3) throw Ot('unexpected ID Token "nonce" claim value', Un, { expected: o3, claims: u2, claim: "nonce" });
+    return c2;
+  })(e2, t2, n2, o2.expectedNonce, o2.maxAge, o2[_t], o2.recognizedTokenTypes) : (async function(e3, t3, n3, o3, r2) {
+    const i2 = await yn(e3, t3, n3, void 0, o3, r2), a2 = mn(i2);
+    if (a2) {
+      if (void 0 !== t3.default_max_age) {
+        Ut(t3.default_max_age, true, '"client.default_max_age"');
+        const e4 = Vt() + Jt(t3), n4 = Mt(t3);
+        if (a2.auth_time + t3.default_max_age < e4 - n4) throw Ot("too much time has elapsed since the last End-User authentication", Ln, { claims: a2, now: e4, tolerance: n4, claim: "auth_time" });
+      }
+      if (void 0 !== a2.nonce) throw Ot('unexpected ID Token "nonce" claim value', Un, { expected: void 0, claims: a2, claim: "nonce" });
+    }
+    return i2;
+  })(e2, t2, n2, null == o2 ? void 0 : o2[_t], null == o2 ? void 0 : o2.recognizedTokenTypes);
+}
+var Tn = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
+var Pn = "OAUTH_RESPONSE_BODY_ERROR";
+var Rn = "OAUTH_UNSUPPORTED_OPERATION";
+var In = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
+var On = "OAUTH_PARSE_ERROR";
+var xn = "OAUTH_INVALID_RESPONSE";
+var Cn = "OAUTH_RESPONSE_IS_NOT_JSON";
+var jn = "OAUTH_RESPONSE_IS_NOT_CONFORM";
+var Dn = "OAUTH_HTTP_REQUEST_FORBIDDEN";
+var Kn = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
+var Ln = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
+var Un = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
+var Nn = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
+var Wn = "OAUTH_MISSING_SERVER_METADATA";
+var Hn = "OAUTH_INVALID_SERVER_METADATA";
+function zn(e2) {
+  if (e2.bodyUsed) throw mt('"response" body has been used already', "ERR_INVALID_ARG_VALUE");
+}
+function Jn(e2) {
+  const { algorithm: t2 } = e2;
+  if ("number" != typeof t2.modulusLength || t2.modulusLength < 2048) throw new Rt("unsupported ".concat(t2.name, " modulusLength"), { cause: e2 });
+}
+function Mn(e2) {
+  const { algorithm: t2 } = e2;
+  switch (t2.namedCurve) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new Rt("unsupported ECDSA namedCurve", { cause: e2 });
+  }
+}
+async function Vn(e2) {
+  if ("POST" !== e2.method) throw mt("form_post responses are expected to use the POST method", "ERR_INVALID_ARG_VALUE", { cause: e2 });
+  if ("application/x-www-form-urlencoded" !== ln(e2)) throw mt("form_post responses are expected to use the application/x-www-form-urlencoded content-type", "ERR_INVALID_ARG_VALUE", { cause: e2 });
+  return (async function(e3) {
+    if (e3.bodyUsed) throw mt("form_post Request instances must contain a readable body", "ERR_INVALID_ARG_VALUE", { cause: e3 });
+    return e3.text();
+  })(e2);
+}
+function Gn(e2, t2, n2, o2) {
+  if (void 0 === e2) if (Array.isArray(t2)) {
+    if (!t2.includes(o2.alg)) throw Ot('unexpected JWT "alg" header parameter', xn, { header: o2, expected: t2, reason: "authorization server metadata" });
+  } else {
+    if (void 0 === n2) throw Ot('missing client or server configuration to verify used JWT "alg" header parameter', void 0, { client: e2, issuer: t2, fallback: n2 });
+    if ("string" == typeof n2 ? o2.alg !== n2 : "function" == typeof n2 ? !n2(o2.alg) : !n2.includes(o2.alg)) throw Ot('unexpected JWT "alg" header parameter', xn, { header: o2, expected: n2, reason: "default value" });
+  }
+  else if ("string" == typeof e2 ? o2.alg !== e2 : !e2.includes(o2.alg)) throw Ot('unexpected JWT "alg" header parameter', xn, { header: o2, expected: e2, reason: "client configuration" });
+}
+function Fn(e2, t2) {
+  const { 0: n2, length: o2 } = e2.getAll(t2);
+  if (o2 > 1) throw Ot('"'.concat(t2, '" parameter must be provided only once'), xn);
+  return n2;
+}
+var Zn = /* @__PURE__ */ Symbol();
+var qn = /* @__PURE__ */ Symbol();
+function Bn(e2, t2, n2, o2) {
+  if (Gt(e2), Ft(t2), n2 instanceof URL && (n2 = n2.searchParams), !(n2 instanceof URLSearchParams)) throw mt('"parameters" must be an instance of URLSearchParams, or URL', "ERR_INVALID_ARG_TYPE");
+  if (Fn(n2, "response")) throw Ot('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', xn, { parameters: n2 });
+  const r2 = Fn(n2, "iss"), i2 = Fn(n2, "state");
+  if (!r2 && e2.authorization_response_iss_parameter_supported) throw Ot('response parameter "iss" (issuer) missing', xn, { parameters: n2 });
+  if (r2 && r2 !== e2.issuer) throw Ot('unexpected "iss" (issuer) response parameter value', xn, { expected: e2.issuer, parameters: n2 });
+  switch (o2) {
+    case void 0:
+    case qn:
+      if (void 0 !== i2) throw Ot('unexpected "state" response parameter encountered', xn, { expected: void 0, parameters: n2 });
+      break;
+    case Zn:
+      break;
+    default:
+      if (Nt(o2, '"expectedState" argument'), i2 !== o2) throw Ot(void 0 === i2 ? 'response parameter "state" missing' : 'unexpected "state" response parameter value', xn, { expected: o2, parameters: n2 });
+  }
+  if (Fn(n2, "error")) throw new en("authorization response from the server is an error", { cause: n2 });
+  const a2 = Fn(n2, "id_token"), s2 = Fn(n2, "token");
+  if (void 0 !== a2 || void 0 !== s2) throw new Rt("implicit and hybrid flows are not supported");
+  return c2 = new URLSearchParams(n2), vn.add(c2), c2;
+  var c2;
+}
+async function Xn(e2) {
+  let t2, n2 = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : Wt;
+  try {
+    t2 = await e2.json();
+  } catch (t3) {
+    throw n2(e2), Ot('failed to parse "response" body as JSON', On, t3);
+  }
+  if (!Ct(t2)) throw Ot('"response" body must be a top level object', xn, { body: t2 });
+  return t2;
+}
+var Yn = /* @__PURE__ */ Symbol();
+var Qn = /* @__PURE__ */ Symbol();
+var $n = new TextEncoder();
+var eo = new TextDecoder();
+function to(e2) {
+  const t2 = new Uint8Array(e2.length);
+  for (let n2 = 0; n2 < e2.length; n2++) {
+    const o2 = e2.charCodeAt(n2);
+    if (o2 > 127) throw new TypeError("non-ASCII string encountered in encode()");
+    t2[n2] = o2;
+  }
+  return t2;
+}
+function no(e2) {
+  if (Uint8Array.fromBase64) return Uint8Array.fromBase64(e2);
+  const t2 = atob(e2), n2 = new Uint8Array(t2.length);
+  for (let e3 = 0; e3 < t2.length; e3++) n2[e3] = t2.charCodeAt(e3);
+  return n2;
+}
+function oo(e2) {
+  if (Uint8Array.fromBase64) return Uint8Array.fromBase64("string" == typeof e2 ? e2 : eo.decode(e2), { alphabet: "base64url" });
+  let t2 = e2;
+  t2 instanceof Uint8Array && (t2 = eo.decode(t2)), t2 = t2.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return no(t2);
+  } catch (e3) {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+var ro = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "code", "ERR_JOSE_GENERIC"), this.name = this.constructor.name, null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+st(ro, "code", "ERR_JOSE_GENERIC");
+var io = class extends ro {
+  constructor(e2, t2) {
+    let n2 = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : "unspecified", o2 = arguments.length > 3 && void 0 !== arguments[3] ? arguments[3] : "unspecified";
+    super(e2, { cause: { claim: n2, reason: o2, payload: t2 } }), st(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED"), st(this, "claim", void 0), st(this, "reason", void 0), st(this, "payload", void 0), this.claim = n2, this.reason = o2, this.payload = t2;
+  }
+};
+st(io, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+var ao = class extends ro {
+  constructor(e2, t2) {
+    let n2 = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : "unspecified", o2 = arguments.length > 3 && void 0 !== arguments[3] ? arguments[3] : "unspecified";
+    super(e2, { cause: { claim: n2, reason: o2, payload: t2 } }), st(this, "code", "ERR_JWT_EXPIRED"), st(this, "claim", void 0), st(this, "reason", void 0), st(this, "payload", void 0), this.claim = n2, this.reason = o2, this.payload = t2;
+  }
+};
+st(ao, "code", "ERR_JWT_EXPIRED");
+var so = class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+  }
+};
+st(so, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+var co = class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+  }
+};
+st(co, "code", "ERR_JOSE_NOT_SUPPORTED");
+st(class extends ro {
+  constructor() {
+    super(arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "decryption operation failed", arguments.length > 1 ? arguments[1] : void 0), st(this, "code", "ERR_JWE_DECRYPTION_FAILED");
+  }
+}, "code", "ERR_JWE_DECRYPTION_FAILED");
+st(class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JWE_INVALID");
+  }
+}, "code", "ERR_JWE_INVALID");
+var uo = class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JWS_INVALID");
+  }
+};
+st(uo, "code", "ERR_JWS_INVALID");
+var lo = class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JWT_INVALID");
+  }
+};
+st(lo, "code", "ERR_JWT_INVALID");
+st(class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JWK_INVALID");
+  }
+}, "code", "ERR_JWK_INVALID");
+var ho = class extends ro {
+  constructor() {
+    super(...arguments), st(this, "code", "ERR_JWKS_INVALID");
+  }
+};
+st(ho, "code", "ERR_JWKS_INVALID");
+var po = class extends ro {
+  constructor() {
+    super(arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "no applicable key found in the JSON Web Key Set", arguments.length > 1 ? arguments[1] : void 0), st(this, "code", "ERR_JWKS_NO_MATCHING_KEY");
+  }
+};
+st(po, "code", "ERR_JWKS_NO_MATCHING_KEY");
+var fo = class extends ro {
+  constructor() {
+    super(arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "multiple matching keys found in the JSON Web Key Set", arguments.length > 1 ? arguments[1] : void 0), st(this, Symbol.asyncIterator, void 0), st(this, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+  }
+};
+st(fo, "code", "ERR_JWKS_MULTIPLE_MATCHING_KEYS");
+var mo = class extends ro {
+  constructor() {
+    super(arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "request timed out", arguments.length > 1 ? arguments[1] : void 0), st(this, "code", "ERR_JWKS_TIMEOUT");
+  }
+};
+st(mo, "code", "ERR_JWKS_TIMEOUT");
+var yo = class extends ro {
+  constructor() {
+    super(arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "signature verification failed", arguments.length > 1 ? arguments[1] : void 0), st(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+  }
+};
+st(yo, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+var wo = function(e2) {
+  let t2 = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : "algorithm.name";
+  return new TypeError("CryptoKey does not support this operation, its ".concat(t2, " must be ").concat(e2));
+};
+var go = (e2, t2) => e2.name === t2;
+function vo(e2) {
+  return parseInt(e2.name.slice(4), 10);
+}
+function bo(e2, t2, n2) {
+  switch (t2) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!go(e2.algorithm, "HMAC")) throw wo("HMAC");
+      const n3 = parseInt(t2.slice(2), 10);
+      if (vo(e2.algorithm.hash) !== n3) throw wo("SHA-".concat(n3), "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!go(e2.algorithm, "RSASSA-PKCS1-v1_5")) throw wo("RSASSA-PKCS1-v1_5");
+      const n3 = parseInt(t2.slice(2), 10);
+      if (vo(e2.algorithm.hash) !== n3) throw wo("SHA-".concat(n3), "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!go(e2.algorithm, "RSA-PSS")) throw wo("RSA-PSS");
+      const n3 = parseInt(t2.slice(2), 10);
+      if (vo(e2.algorithm.hash) !== n3) throw wo("SHA-".concat(n3), "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA":
+      if (!go(e2.algorithm, "Ed25519")) throw wo("Ed25519");
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      if (!go(e2.algorithm, t2)) throw wo(t2);
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!go(e2.algorithm, "ECDSA")) throw wo("ECDSA");
+      const n3 = (function(e3) {
+        switch (e3) {
+          case "ES256":
+            return "P-256";
+          case "ES384":
+            return "P-384";
+          case "ES512":
+            return "P-521";
+          default:
+            throw new Error("unreachable");
+        }
+      })(t2);
+      if (e2.algorithm.namedCurve !== n3) throw wo(n3, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  !(function(e3, t3) {
+    if (t3 && !e3.usages.includes(t3)) throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t3, "."));
+  })(e2, n2);
+}
+function _o(e2, t2) {
+  for (var n2 = arguments.length, o2 = new Array(n2 > 2 ? n2 - 2 : 0), r2 = 2; r2 < n2; r2++) o2[r2 - 2] = arguments[r2];
+  if ((o2 = o2.filter(Boolean)).length > 2) {
+    const t3 = o2.pop();
+    e2 += "one of type ".concat(o2.join(", "), ", or ").concat(t3, ".");
+  } else 2 === o2.length ? e2 += "one of type ".concat(o2[0], " or ").concat(o2[1], ".") : e2 += "of type ".concat(o2[0], ".");
+  if (null == t2) e2 += " Received ".concat(t2);
+  else if ("function" == typeof t2 && t2.name) e2 += " Received function ".concat(t2.name);
+  else if ("object" == typeof t2 && null != t2) {
+    var i2;
+    null !== (i2 = t2.constructor) && void 0 !== i2 && i2.name && (e2 += " Received an instance of ".concat(t2.constructor.name));
+  }
+  return e2;
+}
+var ko = function(e2, t2) {
+  for (var n2 = arguments.length, o2 = new Array(n2 > 2 ? n2 - 2 : 0), r2 = 2; r2 < n2; r2++) o2[r2 - 2] = arguments[r2];
+  return _o("Key for the ".concat(e2, " algorithm must be "), t2, ...o2);
+};
+var So = (e2) => {
+  if ("CryptoKey" === (null == e2 ? void 0 : e2[Symbol.toStringTag])) return true;
+  try {
+    return e2 instanceof CryptoKey;
+  } catch (e3) {
+    return false;
+  }
+};
+var Eo = (e2) => "KeyObject" === (null == e2 ? void 0 : e2[Symbol.toStringTag]);
+var Ao = (e2) => So(e2) || Eo(e2);
+function To(e2) {
+  if ("object" != typeof (t2 = e2) || null === t2 || "[object Object]" !== Object.prototype.toString.call(e2)) return false;
+  var t2;
+  if (null === Object.getPrototypeOf(e2)) return true;
+  let n2 = e2;
+  for (; null !== Object.getPrototypeOf(n2); ) n2 = Object.getPrototypeOf(n2);
+  return Object.getPrototypeOf(e2) === n2;
+}
+var Po = (e2, t2) => {
+  if (e2.byteLength !== t2.length) return false;
+  for (let n2 = 0; n2 < e2.byteLength; n2++) if (e2[n2] !== t2[n2]) return false;
+  return true;
+};
+var Ro = (e2) => {
+  const t2 = e2.data[e2.pos++];
+  if (128 & t2) {
+    const n2 = 127 & t2;
+    let o2 = 0;
+    for (let t3 = 0; t3 < n2; t3++) o2 = o2 << 8 | e2.data[e2.pos++];
+    return o2;
+  }
+  return t2;
+};
+var Io = (e2, t2, n2) => {
+  if (e2.data[e2.pos++] !== t2) throw new Error(n2);
+};
+var Oo = (e2, t2) => {
+  const n2 = e2.data.subarray(e2.pos, e2.pos + t2);
+  return e2.pos += t2, n2;
+};
+var xo = (e2) => {
+  const t2 = ((e3) => {
+    Io(e3, 6, "Expected algorithm OID");
+    const t3 = Ro(e3);
+    return Oo(e3, t3);
+  })(e2);
+  if (Po(t2, [43, 101, 110])) return "X25519";
+  if (!Po(t2, [42, 134, 72, 206, 61, 2, 1])) throw new Error("Unsupported key algorithm");
+  Io(e2, 6, "Expected curve OID");
+  const n2 = Ro(e2), o2 = Oo(e2, n2);
+  for (const { name: e3, oid: t3 } of [{ name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] }, { name: "P-384", oid: [43, 129, 4, 0, 34] }, { name: "P-521", oid: [43, 129, 4, 0, 35] }]) if (Po(o2, t3)) return e3;
+  throw new Error("Unsupported named curve");
+};
+var Co = async (e2, t2, n2, o2) => {
+  var r2;
+  let i2, a2;
+  const s2 = "spki" === e2, c2 = () => s2 ? ["verify"] : ["sign"];
+  switch (n2) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      i2 = { name: "RSA-PSS", hash: "SHA-".concat(n2.slice(-3)) }, a2 = c2();
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      i2 = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-".concat(n2.slice(-3)) }, a2 = c2();
+      break;
+    case "RSA-OAEP":
+    case "RSA-OAEP-256":
+    case "RSA-OAEP-384":
+    case "RSA-OAEP-512":
+      i2 = { name: "RSA-OAEP", hash: "SHA-".concat(parseInt(n2.slice(-3), 10) || 1) }, a2 = s2 ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
+      break;
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      i2 = { name: "ECDSA", namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[n2] }, a2 = c2();
+      break;
+    case "ECDH-ES":
+    case "ECDH-ES+A128KW":
+    case "ECDH-ES+A192KW":
+    case "ECDH-ES+A256KW":
+      try {
+        const e3 = o2.getNamedCurve(t2);
+        i2 = "X25519" === e3 ? { name: "X25519" } : { name: "ECDH", namedCurve: e3 };
+      } catch (e3) {
+        throw new co("Invalid or unsupported key format");
+      }
+      a2 = s2 ? [] : ["deriveBits"];
+      break;
+    case "Ed25519":
+    case "EdDSA":
+      i2 = { name: "Ed25519" }, a2 = c2();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      i2 = { name: n2 }, a2 = c2();
+      break;
+    default:
+      throw new co('Invalid or unsupported "alg" (Algorithm) value');
+  }
+  return crypto.subtle.importKey(e2, t2, i2, null !== (r2 = null == o2 ? void 0 : o2.extractable) && void 0 !== r2 ? r2 : !!s2, a2);
+};
+var jo = (e2, t2, n2) => {
+  var o2;
+  const r2 = ((e3, t3) => no(e3.replace(t3, "")))(e2, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
+  let i2 = n2;
+  return null != t2 && null !== (o2 = t2.startsWith) && void 0 !== o2 && o2.call(t2, "ECDH-ES") && (i2 || (i2 = {}), i2.getNamedCurve = (e3) => {
+    const t3 = { data: e3, pos: 0 };
+    return (function(e4) {
+      Io(e4, 48, "Invalid PKCS#8 structure"), Ro(e4), Io(e4, 2, "Expected version field");
+      const t4 = Ro(e4);
+      e4.pos += t4, Io(e4, 48, "Expected algorithm identifier");
+      Ro(e4);
+      e4.pos;
+    })(t3), xo(t3);
+  }), Co("pkcs8", r2, t2, i2);
+};
+async function Do(e2) {
+  var t2, n2;
+  if (!e2.alg) throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: o2, keyUsages: r2 } = (function(e3) {
+    let t3, n3;
+    switch (e3.kty) {
+      case "AKP":
+        switch (e3.alg) {
+          case "ML-DSA-44":
+          case "ML-DSA-65":
+          case "ML-DSA-87":
+            t3 = { name: e3.alg }, n3 = e3.priv ? ["sign"] : ["verify"];
+            break;
+          default:
+            throw new co('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "RSA":
+        switch (e3.alg) {
+          case "PS256":
+          case "PS384":
+          case "PS512":
+            t3 = { name: "RSA-PSS", hash: "SHA-".concat(e3.alg.slice(-3)) }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "RS256":
+          case "RS384":
+          case "RS512":
+            t3 = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-".concat(e3.alg.slice(-3)) }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "RSA-OAEP":
+          case "RSA-OAEP-256":
+          case "RSA-OAEP-384":
+          case "RSA-OAEP-512":
+            t3 = { name: "RSA-OAEP", hash: "SHA-".concat(parseInt(e3.alg.slice(-3), 10) || 1) }, n3 = e3.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+            break;
+          default:
+            throw new co('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "EC":
+        switch (e3.alg) {
+          case "ES256":
+            t3 = { name: "ECDSA", namedCurve: "P-256" }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "ES384":
+            t3 = { name: "ECDSA", namedCurve: "P-384" }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "ES512":
+            t3 = { name: "ECDSA", namedCurve: "P-521" }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            t3 = { name: "ECDH", namedCurve: e3.crv }, n3 = e3.d ? ["deriveBits"] : [];
+            break;
+          default:
+            throw new co('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      case "OKP":
+        switch (e3.alg) {
+          case "Ed25519":
+          case "EdDSA":
+            t3 = { name: "Ed25519" }, n3 = e3.d ? ["sign"] : ["verify"];
+            break;
+          case "ECDH-ES":
+          case "ECDH-ES+A128KW":
+          case "ECDH-ES+A192KW":
+          case "ECDH-ES+A256KW":
+            t3 = { name: e3.crv }, n3 = e3.d ? ["deriveBits"] : [];
+            break;
+          default:
+            throw new co('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      default:
+        throw new co('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+    }
+    return { algorithm: t3, keyUsages: n3 };
+  })(e2), i2 = ut({}, e2);
+  return "AKP" !== i2.kty && delete i2.alg, delete i2.use, crypto.subtle.importKey("jwk", i2, o2, null !== (t2 = e2.ext) && void 0 !== t2 ? t2 : !e2.d && !e2.priv, null !== (n2 = e2.key_ops) && void 0 !== n2 ? n2 : r2);
+}
+var Ko = (e2) => To(e2) && "string" == typeof e2.kty;
+var Lo;
+var Uo = async function(e2, t2, n2) {
+  let o2 = arguments.length > 3 && void 0 !== arguments[3] && arguments[3];
+  Lo || (Lo = /* @__PURE__ */ new WeakMap());
+  let r2 = Lo.get(e2);
+  if (null != r2 && r2[n2]) return r2[n2];
+  const i2 = await Do(ut(ut({}, t2), {}, { alg: n2 }));
+  return o2 && Object.freeze(e2), r2 ? r2[n2] = i2 : Lo.set(e2, { [n2]: i2 }), i2;
+};
+async function No(e2, t2) {
+  if (e2 instanceof Uint8Array) return e2;
+  if (So(e2)) return e2;
+  if (Eo(e2)) {
+    if ("secret" === e2.type) return e2.export();
+    if ("toCryptoKey" in e2 && "function" == typeof e2.toCryptoKey) try {
+      return ((e3, t3) => {
+        Lo || (Lo = /* @__PURE__ */ new WeakMap());
+        let n3 = Lo.get(e3);
+        if (null != n3 && n3[t3]) return n3[t3];
+        const o2 = "public" === e3.type, r2 = !!o2;
+        let i2;
+        if ("x25519" === e3.asymmetricKeyType) {
+          switch (t3) {
+            case "ECDH-ES":
+            case "ECDH-ES+A128KW":
+            case "ECDH-ES+A192KW":
+            case "ECDH-ES+A256KW":
+              break;
+            default:
+              throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          }
+          i2 = e3.toCryptoKey(e3.asymmetricKeyType, r2, o2 ? [] : ["deriveBits"]);
+        }
+        if ("ed25519" === e3.asymmetricKeyType) {
+          if ("EdDSA" !== t3 && "Ed25519" !== t3) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          i2 = e3.toCryptoKey(e3.asymmetricKeyType, r2, [o2 ? "verify" : "sign"]);
+        }
+        switch (e3.asymmetricKeyType) {
+          case "ml-dsa-44":
+          case "ml-dsa-65":
+          case "ml-dsa-87":
+            if (t3 !== e3.asymmetricKeyType.toUpperCase()) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+            i2 = e3.toCryptoKey(e3.asymmetricKeyType, r2, [o2 ? "verify" : "sign"]);
+        }
+        if ("rsa" === e3.asymmetricKeyType) {
+          let n4;
+          switch (t3) {
+            case "RSA-OAEP":
+              n4 = "SHA-1";
+              break;
+            case "RS256":
+            case "PS256":
+            case "RSA-OAEP-256":
+              n4 = "SHA-256";
+              break;
+            case "RS384":
+            case "PS384":
+            case "RSA-OAEP-384":
+              n4 = "SHA-384";
+              break;
+            case "RS512":
+            case "PS512":
+            case "RSA-OAEP-512":
+              n4 = "SHA-512";
+              break;
+            default:
+              throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          }
+          if (t3.startsWith("RSA-OAEP")) return e3.toCryptoKey({ name: "RSA-OAEP", hash: n4 }, r2, o2 ? ["encrypt"] : ["decrypt"]);
+          i2 = e3.toCryptoKey({ name: t3.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5", hash: n4 }, r2, [o2 ? "verify" : "sign"]);
+        }
+        if ("ec" === e3.asymmetricKeyType) {
+          var a2;
+          const n4 = (/* @__PURE__ */ new Map([["prime256v1", "P-256"], ["secp384r1", "P-384"], ["secp521r1", "P-521"]])).get(null === (a2 = e3.asymmetricKeyDetails) || void 0 === a2 ? void 0 : a2.namedCurve);
+          if (!n4) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+          "ES256" === t3 && "P-256" === n4 && (i2 = e3.toCryptoKey({ name: "ECDSA", namedCurve: n4 }, r2, [o2 ? "verify" : "sign"])), "ES384" === t3 && "P-384" === n4 && (i2 = e3.toCryptoKey({ name: "ECDSA", namedCurve: n4 }, r2, [o2 ? "verify" : "sign"])), "ES512" === t3 && "P-521" === n4 && (i2 = e3.toCryptoKey({ name: "ECDSA", namedCurve: n4 }, r2, [o2 ? "verify" : "sign"])), t3.startsWith("ECDH-ES") && (i2 = e3.toCryptoKey({ name: "ECDH", namedCurve: n4 }, r2, o2 ? [] : ["deriveBits"]));
+        }
+        if (!i2) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+        return n3 ? n3[t3] = i2 : Lo.set(e3, { [t3]: i2 }), i2;
+      })(e2, t2);
+    } catch (e3) {
+      if (e3 instanceof TypeError) throw e3;
+    }
+    let n2 = e2.export({ format: "jwk" });
+    return Uo(e2, n2, t2);
+  }
+  if (Ko(e2)) return e2.k ? oo(e2.k) : Uo(e2, e2, t2, true);
+  throw new Error("unreachable");
+}
+var Wo = (e2) => null == e2 ? void 0 : e2[Symbol.toStringTag];
+var Ho = (e2, t2, n2) => {
+  if (void 0 !== t2.use) {
+    let e3;
+    switch (n2) {
+      case "sign":
+      case "verify":
+        e3 = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        e3 = "enc";
+    }
+    if (t2.use !== e3) throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e3, '" when present'));
+  }
+  if (void 0 !== t2.alg && t2.alg !== e2) throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e2, '" when present'));
+  if (Array.isArray(t2.key_ops)) {
+    var o2, r2;
+    let i2;
+    switch (true) {
+      case ("sign" === n2 || "verify" === n2):
+      case "dir" === e2:
+      case e2.includes("CBC-HS"):
+        i2 = n2;
+        break;
+      case e2.startsWith("PBES2"):
+        i2 = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e2):
+        i2 = !e2.includes("GCM") && e2.endsWith("KW") ? "encrypt" === n2 ? "wrapKey" : "unwrapKey" : n2;
+        break;
+      case ("encrypt" === n2 && e2.startsWith("RSA")):
+        i2 = "wrapKey";
+        break;
+      case "decrypt" === n2:
+        i2 = e2.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+    }
+    if (i2 && false === (null === (o2 = t2.key_ops) || void 0 === o2 || null === (r2 = o2.includes) || void 0 === r2 ? void 0 : r2.call(o2, i2))) throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i2, '" when present'));
+  }
+  return true;
+};
+function zo(e2, t2, n2) {
+  switch (e2.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      ((e3, t3, n3) => {
+        if (!(t3 instanceof Uint8Array)) {
+          if (Ko(t3)) {
+            if (((e4) => "oct" === e4.kty && "string" == typeof e4.k)(t3) && Ho(e3, t3, n3)) return;
+            throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+          }
+          if (!Ao(t3)) throw new TypeError(ko(e3, t3, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+          if ("secret" !== t3.type) throw new TypeError("".concat(Wo(t3), ' instances for symmetric algorithms must be of type "secret"'));
+        }
+      })(e2, t2, n2);
+      break;
+    default:
+      ((e3, t3, n3) => {
+        if (Ko(t3)) switch (n3) {
+          case "decrypt":
+          case "sign":
+            if (((e4) => "oct" !== e4.kty && ("AKP" === e4.kty && "string" == typeof e4.priv || "string" == typeof e4.d))(t3) && Ho(e3, t3, n3)) return;
+            throw new TypeError("JSON Web Key for this operation must be a private JWK");
+          case "encrypt":
+          case "verify":
+            if (((e4) => "oct" !== e4.kty && void 0 === e4.d && void 0 === e4.priv)(t3) && Ho(e3, t3, n3)) return;
+            throw new TypeError("JSON Web Key for this operation must be a public JWK");
+        }
+        if (!Ao(t3)) throw new TypeError(ko(e3, t3, "CryptoKey", "KeyObject", "JSON Web Key"));
+        if ("secret" === t3.type) throw new TypeError("".concat(Wo(t3), ' instances for asymmetric algorithms must not be of type "secret"'));
+        if ("public" === t3.type) switch (n3) {
+          case "sign":
+            throw new TypeError("".concat(Wo(t3), ' instances for asymmetric algorithm signing must be of type "private"'));
+          case "decrypt":
+            throw new TypeError("".concat(Wo(t3), ' instances for asymmetric algorithm decryption must be of type "private"'));
+        }
+        if ("private" === t3.type) switch (n3) {
+          case "verify":
+            throw new TypeError("".concat(Wo(t3), ' instances for asymmetric algorithm verifying must be of type "public"'));
+          case "encrypt":
+            throw new TypeError("".concat(Wo(t3), ' instances for asymmetric algorithm encryption must be of type "public"'));
+        }
+      })(e2, t2, n2);
+  }
+}
+var Jo;
+var Mo;
+var Vo;
+var Go;
+if ("undefined" == typeof navigator || null === (Jo = navigator.userAgent) || void 0 === Jo || null === (Mo = Jo.startsWith) || void 0 === Mo || !Mo.call(Jo, "Mozilla/5.0 ")) {
+  const e2 = "v6.8.1";
+  Go = "".concat("openid-client", "/").concat(e2), Vo = { "user-agent": Go };
+}
+var Fo = (e2) => Zo.get(e2);
+var Zo;
+var qo;
+function Bo(e2) {
+  return void 0 !== e2 ? Zt(e2) : (qo || (qo = /* @__PURE__ */ new WeakMap()), (e3, t2, n2, o2) => {
+    let r2;
+    return (r2 = qo.get(t2)) || (!(function(e4, t3) {
+      if ("string" != typeof e4) throw $o("".concat(t3, " must be a string"), Qo);
+      if (0 === e4.length) throw $o("".concat(t3, " must not be empty"), Yo);
+    })(t2.client_secret, '"metadata.client_secret"'), r2 = Zt(t2.client_secret), qo.set(t2, r2)), r2(e3, t2, n2, o2);
+  });
+}
+var Xo = vt;
+var Yo = "ERR_INVALID_ARG_VALUE";
+var Qo = "ERR_INVALID_ARG_TYPE";
+function $o(e2, t2, n2) {
+  const o2 = new TypeError(e2, { cause: n2 });
+  return Object.assign(o2, { code: t2 }), o2;
+}
+function er(e2) {
+  return (async function(e3) {
+    return Nt(e3, "codeVerifier"), Pt(await crypto.subtle.digest("SHA-256", Et(e3)));
+  })(e2);
+}
+function tr() {
+  return Ht();
+}
+var nr = class extends Error {
+  constructor(e2, t2) {
+    var n2;
+    super(e2, t2), st(this, "code", void 0), this.name = this.constructor.name, this.code = null == t2 ? void 0 : t2.code, null === (n2 = Error.captureStackTrace) || void 0 === n2 || n2.call(Error, this, this.constructor);
+  }
+};
+function or(e2, t2, n2) {
+  return new nr(e2, { cause: t2, code: n2 });
+}
+function rr(e2) {
+  if (e2 instanceof TypeError || e2 instanceof nr || e2 instanceof $t || e2 instanceof en || e2 instanceof tn) throw e2;
+  if (e2 instanceof It) switch (e2.code) {
+    case Dn:
+      throw or("only requests to HTTPS are allowed", e2, e2.code);
+    case Kn:
+      throw or("only requests to HTTP or HTTPS are allowed", e2, e2.code);
+    case jn:
+      throw or("unexpected HTTP response status code", e2.cause, e2.code);
+    case Cn:
+      throw or("unexpected response content-type", e2.cause, e2.code);
+    case On:
+      throw or("parsing error occured", e2, e2.code);
+    case xn:
+      throw or("invalid response encountered", e2, e2.code);
+    case Un:
+      throw or("unexpected JWT claim value encountered", e2, e2.code);
+    case Nn:
+      throw or("unexpected JSON attribute value encountered", e2, e2.code);
+    case Ln:
+      throw or("JWT timestamp claim value failed validation", e2, e2.code);
+    default:
+      throw or(e2.message, e2, e2.code);
+  }
+  if (e2 instanceof Rt) throw or("unsupported operation", e2, e2.code);
+  if (e2 instanceof DOMException) switch (e2.name) {
+    case "OperationError":
+      throw or("runtime operation error", e2, Rn);
+    case "NotSupportedError":
+      throw or("runtime unsupported operation", e2, Rn);
+    case "TimeoutError":
+      throw or("operation timed out", e2, "OAUTH_TIMEOUT");
+    case "AbortError":
+      throw or("operation aborted", e2, "OAUTH_ABORT");
+  }
+  throw new nr("something went wrong", { cause: e2 });
+}
+async function ir(e2, t2, n2, o2, r2) {
+  const i2 = await (async function(e3, t3) {
+    var n3, o3;
+    if (!(e3 instanceof URL)) throw $o('"server" must be an instance of URL', Qo);
+    const r3 = !e3.href.includes("/.well-known/"), i3 = null !== (n3 = null == t3 ? void 0 : t3.timeout) && void 0 !== n3 ? n3 : 30, a3 = AbortSignal.timeout(1e3 * i3), s3 = await (r3 ? Lt(e3, { algorithm: null == t3 ? void 0 : t3.algorithm, [vt]: null == t3 ? void 0 : t3[Xo], [yt]: null == t3 || null === (o3 = t3.execute) || void 0 === o3 ? void 0 : o3.includes(pr), signal: a3, headers: new Headers(Vo) }) : ((null == t3 ? void 0 : t3[Xo]) || fetch)((Xt(e3, null == t3 || null === (c2 = t3.execute) || void 0 === c2 || !c2.includes(pr)), e3.href), { headers: Object.fromEntries(new Headers(ut({ accept: "application/json" }, Vo)).entries()), body: void 0, method: "GET", redirect: "manual", signal: a3 })).then(((e4) => (async function(e5, t4) {
+      const n4 = e5;
+      if (!(n4 instanceof URL) && n4 !== Yn) throw mt('"expectedIssuerIdentifier" must be an instance of URL', "ERR_INVALID_ARG_TYPE");
+      if (!ft(t4, Response)) throw mt('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+      if (200 !== t4.status) throw Ot('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', jn, t4);
+      zn(t4);
+      const o4 = await Xn(t4);
+      if (Nt(o4.issuer, '"response" body "issuer" property', xn, { body: o4 }), n4 !== Yn && new URL(o4.issuer).href !== n4.href) throw Ot('"response" body "issuer" property does not match the expected value', Nn, { expected: n4.href, body: o4, attribute: "issuer" });
+      return o4;
+    })(Yn, e4))).catch(rr);
+    var c2;
+    r3 && new URL(s3.issuer).href !== e3.href && ((function(e4, t4, n4) {
+      return !("https://login.microsoftonline.com" !== e4.origin || null != n4 && n4.algorithm && "oidc" !== n4.algorithm || (t4[ar] = true, 0));
+    })(e3, s3, t3) || (function(e4, t4) {
+      return !(!e4.hostname.endsWith(".b2clogin.com") || null != t4 && t4.algorithm && "oidc" !== t4.algorithm);
+    })(e3, t3) || (() => {
+      throw new nr("discovered metadata issuer does not match the expected issuer", { code: Nn, cause: { expected: e3.href, body: s3, attribute: "issuer" } });
+    })());
+    return s3;
+  })(e2, r2), a2 = new sr(i2, t2, n2, o2);
+  let s2 = Fo(a2);
+  if (null != r2 && r2[Xo] && (s2.fetch = r2[Xo]), null != r2 && r2.timeout && (s2.timeout = r2.timeout), null != r2 && r2.execute) for (const e3 of r2.execute) e3(a2);
+  return a2;
+}
+new TextDecoder();
+var ar = /* @__PURE__ */ Symbol();
+var sr = class {
+  constructor(e2, t2, n2, o2) {
+    var r2, i2, a2, s2, c2;
+    if ("string" != typeof t2 || !t2.length) throw $o('"clientId" must be a non-empty string', Qo);
+    if ("string" == typeof n2 && (n2 = { client_secret: n2 }), void 0 !== (null === (r2 = n2) || void 0 === r2 ? void 0 : r2.client_id) && t2 !== n2.client_id) throw $o('"clientId" and "metadata.client_id" must be the same', Yo);
+    const u2 = ut(ut({}, structuredClone(n2)), {}, { client_id: t2 });
+    let l2;
+    u2[wt] = null !== (i2 = null === (a2 = n2) || void 0 === a2 ? void 0 : a2[wt]) && void 0 !== i2 ? i2 : 0, u2[gt] = null !== (s2 = null === (c2 = n2) || void 0 === c2 ? void 0 : c2[gt]) && void 0 !== s2 ? s2 : 30, l2 = o2 || ("string" == typeof u2.client_secret && u2.client_secret.length ? Bo(u2.client_secret) : (e3, t3, n3, o3) => {
+      n3.set("client_id", t3.client_id);
+    });
+    let d2 = Object.freeze(u2);
+    const h2 = structuredClone(e2);
+    ar in e2 && (h2[Qn] = (t3) => {
+      let { claims: { tid: n3 } } = t3;
+      return e2.issuer.replace("{tenantid}", n3);
+    });
+    let p2 = Object.freeze(h2);
+    Zo || (Zo = /* @__PURE__ */ new WeakMap()), Zo.set(this, { __proto__: null, as: p2, c: d2, auth: l2, tlsOnly: true, jwksCache: {} });
+  }
+  serverMetadata() {
+    const e2 = structuredClone(Fo(this).as);
+    return (function(e3) {
+      Object.defineProperties(e3, /* @__PURE__ */ (function(e4) {
+        return { supportsPKCE: { __proto__: null, value() {
+          var t2;
+          let n2 = arguments.length > 0 && void 0 !== arguments[0] ? arguments[0] : "S256";
+          return true === (null === (t2 = e4.code_challenge_methods_supported) || void 0 === t2 ? void 0 : t2.includes(n2));
+        } } };
+      })(e3));
+    })(e2), e2;
+  }
+  clientMetadata() {
+    return structuredClone(Fo(this).c);
+  }
+  get timeout() {
+    return Fo(this).timeout;
+  }
+  set timeout(e2) {
+    Fo(this).timeout = e2;
+  }
+  get [Xo]() {
+    return Fo(this).fetch;
+  }
+  set [Xo](e2) {
+    Fo(this).fetch = e2;
+  }
+};
+function cr(e2) {
+  Object.defineProperties(e2, (function(e3) {
+    let t2;
+    if (void 0 !== e3.expires_in) {
+      const n2 = /* @__PURE__ */ new Date();
+      n2.setSeconds(n2.getSeconds() + e3.expires_in), t2 = n2.getTime();
+    }
+    return { expiresIn: { __proto__: null, value() {
+      if (t2) {
+        const e4 = Date.now();
+        return t2 > e4 ? Math.floor((t2 - e4) / 1e3) : 0;
+      }
+    } }, claims: { __proto__: null, value() {
+      try {
+        return mn(this);
+      } catch (e4) {
+        return;
+      }
+    } } };
+  })(e2));
+}
+async function ur(e2, t2, n2) {
+  var o2;
+  let r2 = arguments.length > 3 && void 0 !== arguments[3] && arguments[3];
+  const i2 = null === (o2 = e2.headers.get("retry-after")) || void 0 === o2 ? void 0 : o2.trim();
+  if (void 0 === i2) return;
+  let a2;
+  if (/^\d+$/.test(i2)) a2 = parseInt(i2, 10);
+  else {
+    const e3 = new Date(i2);
+    if (Number.isFinite(e3.getTime())) {
+      const t3 = /* @__PURE__ */ new Date(), n3 = e3.getTime() - t3.getTime();
+      n3 > 0 && (a2 = Math.ceil(n3 / 1e3));
+    }
+  }
+  if (r2 && !Number.isFinite(a2)) throw new It("invalid Retry-After header value", { cause: e2 });
+  a2 > t2 && await lr(a2 - t2, n2);
+}
+function lr(e2, t2) {
+  return new Promise(((n2, o2) => {
+    const r2 = (e3) => {
+      try {
+        t2.throwIfAborted();
+      } catch (e4) {
+        return void o2(e4);
+      }
+      if (e3 <= 0) return void n2();
+      const i2 = Math.min(e3, 5);
+      setTimeout((() => r2(e3 - i2)), 1e3 * i2);
+    };
+    r2(e2);
+  }));
+}
+async function dr(e2, t2) {
+  vr(e2);
+  const { as: n2, c: o2, auth: r2, fetch: i2, tlsOnly: a2, timeout: s2 } = Fo(e2);
+  return (async function(e3, t3, n3, o3, r3) {
+    Gt(e3), Ft(t3);
+    const i3 = Qt(e3, "backchannel_authentication_endpoint", t3.use_mtls_endpoint_aliases, true !== (null == r3 ? void 0 : r3[yt])), a3 = new URLSearchParams(o3);
+    a3.set("client_id", t3.client_id);
+    const s3 = jt(null == r3 ? void 0 : r3.headers);
+    return s3.set("accept", "application/json"), dn(e3, t3, n3, i3, a3, s3, r3);
+  })(n2, o2, r2, t2, { [vt]: i2, [yt]: !a2, headers: new Headers(Vo), signal: br(s2) }).then(((e3) => (async function(e4, t3, n3) {
+    if (Gt(e4), Ft(t3), !ft(n3, Response)) throw mt('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+    await cn(n3, 200, "Backchannel Authentication Endpoint"), zn(n3);
+    const o3 = await Xn(n3);
+    Nt(o3.auth_req_id, '"response" body "auth_req_id" property', xn, { body: o3 });
+    let r3 = "number" != typeof o3.expires_in ? parseFloat(o3.expires_in) : o3.expires_in;
+    return Ut(r3, true, '"response" body "expires_in" property', xn, { body: o3 }), o3.expires_in = r3, void 0 !== o3.interval && Ut(o3.interval, false, '"response" body "interval" property', xn, { body: o3 }), o3;
+  })(n2, o2, e3))).catch(rr);
+}
+async function hr(e2, t2, n2, o2) {
+  var r2, i2;
+  vr(e2), n2 = new URLSearchParams(n2);
+  let a2 = null !== (r2 = t2.interval) && void 0 !== r2 ? r2 : 5;
+  const s2 = null !== (i2 = null == o2 ? void 0 : o2.signal) && void 0 !== i2 ? i2 : AbortSignal.timeout(1e3 * t2.expires_in);
+  try {
+    await lr(a2, s2);
+  } catch (e3) {
+    rr(e3);
+  }
+  const { as: c2, c: u2, auth: l2, fetch: d2, tlsOnly: h2, nonRepudiation: p2, timeout: f, decrypt: m } = Fo(e2), y = (r3, i3) => hr(e2, ut(ut({}, t2), {}, { interval: r3 }), n2, ut(ut({}, o2), {}, { signal: s2, flag: i3 })), w = await (async function(e3, t3, n3, o3, r3) {
+    Gt(e3), Ft(t3), Nt(o3, '"authReqId"');
+    const i3 = new URLSearchParams(null == r3 ? void 0 : r3.additionalParameters);
+    return i3.set("auth_req_id", o3), hn(e3, t3, n3, "urn:openid:params:grant-type:ciba", i3, r3);
+  })(c2, u2, l2, t2.auth_req_id, { [vt]: d2, [yt]: !h2, additionalParameters: n2, DPoP: null == o2 ? void 0 : o2.DPoP, headers: new Headers(Vo), signal: s2.aborted ? s2 : br(f) }).catch(rr);
+  var g;
+  if (503 === w.status && w.headers.has("retry-after")) return await ur(w, a2, s2, true), await (null === (g = w.body) || void 0 === g ? void 0 : g.cancel()), y(a2);
+  const v = (async function(e3, t3, n3, o3) {
+    return yn(e3, t3, n3, void 0, null == o3 ? void 0 : o3[_t], null == o3 ? void 0 : o3.recognizedTokenTypes);
+  })(c2, u2, w, { [_t]: m });
+  let b;
+  try {
+    b = await v;
+  } catch (e3) {
+    if (_r(e3, o2)) return y(a2, kr);
+    if (e3 instanceof $t) switch (e3.error) {
+      case "slow_down":
+        a2 += 5;
+      case "authorization_pending":
+        return await ur(e3.response, a2, s2), y(a2);
+    }
+    rr(e3);
+  }
+  return b.id_token && await (null == p2 ? void 0 : p2(w)), cr(b), b;
+}
+function pr(e2) {
+  Fo(e2).tlsOnly = false;
+}
+async function fr(e2, t2, n2, o2, r2) {
+  if (vr(e2), !((null == r2 ? void 0 : r2.flag) === kr || t2 instanceof URL || (function(e3, t3) {
+    try {
+      return Object.getPrototypeOf(e3)[Symbol.toStringTag] === t3;
+    } catch (e4) {
+      return false;
+    }
+  })(t2, "Request"))) throw $o('"currentUrl" must be an instance of URL, or Request', Qo);
+  let i2, a2;
+  const { as: s2, c: c2, auth: u2, fetch: l2, tlsOnly: d2, jarm: h2, hybrid: p2, nonRepudiation: f, timeout: m, decrypt: y, implicit: w } = Fo(e2);
+  if ((null == r2 ? void 0 : r2.flag) === kr) i2 = r2.authResponse, a2 = r2.redirectUri;
+  else {
+    if (!(t2 instanceof URL)) {
+      const e3 = t2;
+      switch (t2 = new URL(t2.url), e3.method) {
+        case "GET":
+          break;
+        case "POST":
+          const n3 = new URLSearchParams(await Vn(e3));
+          if (p2) t2.hash = n3.toString();
+          else for (const [e4, o3] of n3.entries()) t2.searchParams.append(e4, o3);
+          break;
+        default:
+          throw $o("unexpected Request HTTP method", Yo);
+      }
+    }
+    switch (a2 = (function(e3) {
+      return (e3 = new URL(e3)).search = "", e3.hash = "", e3.href;
+    })(t2), true) {
+      case !!h2:
+        i2 = await h2(t2, null == n2 ? void 0 : n2.expectedState);
+        break;
+      case !!p2:
+        i2 = await p2(t2, null == n2 ? void 0 : n2.expectedNonce, null == n2 ? void 0 : n2.expectedState, null == n2 ? void 0 : n2.maxAge);
+        break;
+      case !!w:
+        throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");
+      default:
+        try {
+          i2 = Bn(s2, c2, t2.searchParams, null == n2 ? void 0 : n2.expectedState);
+        } catch (e3) {
+          rr(e3);
+        }
+    }
+  }
+  const g = await (async function(e3, t3, n3, o3, r3, i3, a3) {
+    if (Gt(e3), Ft(t3), !vn.has(o3)) throw mt('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', "ERR_INVALID_ARG_VALUE");
+    Nt(r3, '"redirectUri"');
+    const s3 = Fn(o3, "code");
+    if (!s3) throw Ot('no authorization code in "callbackParameters"', xn);
+    const c3 = new URLSearchParams(null == a3 ? void 0 : a3.additionalParameters);
+    return c3.set("redirect_uri", r3), c3.set("code", s3), i3 !== bn && (Nt(i3, '"codeVerifier"'), c3.set("code_verifier", i3)), hn(e3, t3, n3, "authorization_code", c3, a3);
+  })(s2, c2, u2, i2, a2, (null == n2 ? void 0 : n2.pkceCodeVerifier) || bn, { additionalParameters: o2, [vt]: l2, [yt]: !d2, DPoP: null == r2 ? void 0 : r2.DPoP, headers: new Headers(Vo), signal: br(m) }).catch(rr);
+  "string" != typeof (null == n2 ? void 0 : n2.expectedNonce) && "number" != typeof (null == n2 ? void 0 : n2.maxAge) || (n2.idTokenExpected = true);
+  const v = An(s2, c2, g, { expectedNonce: null == n2 ? void 0 : n2.expectedNonce, maxAge: null == n2 ? void 0 : n2.maxAge, requireIdToken: null == n2 ? void 0 : n2.idTokenExpected, [_t]: y });
+  let b;
+  try {
+    b = await v;
+  } catch (t3) {
+    if (_r(t3, r2)) return fr(e2, void 0, n2, o2, ut(ut({}, r2), {}, { flag: kr, authResponse: i2, redirectUri: a2 }));
+    rr(t3);
+  }
+  return b.id_token && await (null == f ? void 0 : f(g)), cr(b), b;
+}
+async function mr(e2, t2, n2, o2) {
+  vr(e2), n2 = new URLSearchParams(n2);
+  const { as: r2, c: i2, auth: a2, fetch: s2, tlsOnly: c2, nonRepudiation: u2, timeout: l2, decrypt: d2 } = Fo(e2), h2 = await (async function(e3, t3, n3, o3, r3) {
+    Gt(e3), Ft(t3), Nt(o3, '"refreshToken"');
+    const i3 = new URLSearchParams(null == r3 ? void 0 : r3.additionalParameters);
+    return i3.set("refresh_token", o3), hn(e3, t3, n3, "refresh_token", i3, r3);
+  })(r2, i2, a2, t2, { [vt]: s2, [yt]: !c2, additionalParameters: n2, DPoP: null == o2 ? void 0 : o2.DPoP, headers: new Headers(Vo), signal: br(l2) }).catch(rr), p2 = (async function(e3, t3, n3, o3) {
+    return yn(e3, t3, n3, void 0, null == o3 ? void 0 : o3[_t], null == o3 ? void 0 : o3.recognizedTokenTypes);
+  })(r2, i2, h2, { [_t]: d2 });
+  let f;
+  try {
+    f = await p2;
+  } catch (r3) {
+    if (_r(r3, o2)) return mr(e2, t2, n2, ut(ut({}, o2), {}, { flag: kr }));
+    rr(r3);
+  }
+  return f.id_token && await (null == u2 ? void 0 : u2(h2)), cr(f), f;
+}
+async function yr(e2, t2, n2) {
+  vr(e2), t2 = new URLSearchParams(t2);
+  const { as: o2, c: r2, auth: i2, fetch: a2, tlsOnly: s2, timeout: c2 } = Fo(e2), u2 = await (async function(e3, t3, n3, o3, r3) {
+    return Gt(e3), Ft(t3), hn(e3, t3, n3, "client_credentials", new URLSearchParams(o3), r3);
+  })(o2, r2, i2, t2, { [vt]: a2, [yt]: !s2, DPoP: null == n2 ? void 0 : n2.DPoP, headers: new Headers(Vo), signal: br(c2) }).catch(rr), l2 = (async function(e3, t3, n3, o3) {
+    return yn(e3, t3, n3, void 0, null == o3 ? void 0 : o3[_t], null == o3 ? void 0 : o3.recognizedTokenTypes);
+  })(o2, r2, u2);
+  let d2;
+  try {
+    d2 = await l2;
+  } catch (o3) {
+    if (_r(o3, n2)) return yr(e2, t2, ut(ut({}, n2), {}, { flag: kr }));
+    rr(o3);
+  }
+  return cr(d2), d2;
+}
+function wr(e2, t2) {
+  vr(e2);
+  const { as: n2, c: o2, tlsOnly: r2, hybrid: i2, jarm: a2, implicit: s2 } = Fo(e2), c2 = Qt(n2, "authorization_endpoint", false, r2);
+  if ((t2 = new URLSearchParams(t2)).has("client_id") || t2.set("client_id", o2.client_id), !t2.has("request_uri") && !t2.has("request")) {
+    if (t2.has("response_type") || t2.set("response_type", i2 ? "code id_token" : s2 ? "id_token" : "code"), s2 && !t2.has("nonce")) throw $o("response_type=id_token clients must provide a nonce parameter in their authorization request parameters", Yo);
+    a2 && t2.set("response_mode", "jwt");
+  }
+  for (const [e3, n3] of t2.entries()) c2.searchParams.append(e3, n3);
+  return c2;
+}
+async function gr(e2, t2, n2) {
+  vr(e2);
+  const o2 = wr(e2, t2), { as: r2, c: i2, auth: a2, fetch: s2, tlsOnly: c2, timeout: u2 } = Fo(e2), l2 = await (async function(e3, t3, n3, o3, r3) {
+    var i3;
+    Gt(e3), Ft(t3);
+    const a3 = Qt(e3, "pushed_authorization_request_endpoint", t3.use_mtls_endpoint_aliases, true !== (null == r3 ? void 0 : r3[yt])), s3 = new URLSearchParams(o3);
+    s3.set("client_id", t3.client_id);
+    const c3 = jt(null == r3 ? void 0 : r3.headers);
+    c3.set("accept", "application/json"), void 0 !== (null == r3 ? void 0 : r3.DPoP) && (un(r3.DPoP), await r3.DPoP.addProof(a3, c3, "POST"));
+    const u3 = await dn(e3, t3, n3, a3, s3, c3, r3);
+    return null == r3 || null === (i3 = r3.DPoP) || void 0 === i3 || i3.cacheNonce(u3, a3), u3;
+  })(r2, i2, a2, o2.searchParams, { [vt]: s2, [yt]: !c2, DPoP: null == n2 ? void 0 : n2.DPoP, headers: new Headers(Vo), signal: br(u2) }).catch(rr), d2 = (async function(e3, t3, n3) {
+    if (Gt(e3), Ft(t3), !ft(n3, Response)) throw mt('"response" must be an instance of Response', "ERR_INVALID_ARG_TYPE");
+    await cn(n3, 201, "Pushed Authorization Request Endpoint"), zn(n3);
+    const o3 = await Xn(n3);
+    Nt(o3.request_uri, '"response" body "request_uri" property', xn, { body: o3 });
+    let r3 = "number" != typeof o3.expires_in ? parseFloat(o3.expires_in) : o3.expires_in;
+    return Ut(r3, true, '"response" body "expires_in" property', xn, { body: o3 }), o3.expires_in = r3, o3;
+  })(r2, i2, l2);
+  let h2;
+  try {
+    h2 = await d2;
+  } catch (o3) {
+    if (_r(o3, n2)) return gr(e2, t2, ut(ut({}, n2), {}, { flag: kr }));
+    rr(o3);
+  }
+  return wr(e2, { request_uri: h2.request_uri });
+}
+function vr(e2) {
+  if (!(e2 instanceof sr)) throw $o('"config" must be an instance of Configuration', Qo);
+  if (Object.getPrototypeOf(e2) !== sr.prototype) throw $o("subclassing Configuration is not allowed", Yo);
+}
+function br(e2) {
+  return e2 ? AbortSignal.timeout(1e3 * e2) : void 0;
+}
+function _r(e2, t2) {
+  return !(null == t2 || !t2.DPoP || t2.flag === kr) && (function(e3) {
+    if (e3 instanceof tn) {
+      const { 0: t3, length: n2 } = e3.cause;
+      return 1 === n2 && "dpop" === t3.scheme && "use_dpop_nonce" === t3.parameters.error;
+    }
+    return e3 instanceof $t && "use_dpop_nonce" === e3.error;
+  })(e2);
+}
+Object.freeze(sr.prototype);
+var kr = /* @__PURE__ */ Symbol();
+async function Sr(e2, t2, n2, o2) {
+  vr(e2);
+  const { as: r2, c: i2, auth: a2, fetch: s2, tlsOnly: c2, timeout: u2, decrypt: l2 } = Fo(e2), d2 = await (async function(e3, t3, n3, o3, r3, i3) {
+    return Gt(e3), Ft(t3), Nt(o3, '"grantType"'), hn(e3, t3, n3, o3, new URLSearchParams(r3), i3);
+  })(r2, i2, a2, t2, new URLSearchParams(n2), { [vt]: s2, [yt]: !c2, DPoP: null == o2 ? void 0 : o2.DPoP, headers: new Headers(Vo), signal: br(u2) }).then(((e3) => {
+    let n3;
+    return "urn:ietf:params:oauth:grant-type:token-exchange" === t2 && (n3 = { n_a: () => {
+    } }), (async function(e4, t3, n4, o3) {
+      return yn(e4, t3, n4, void 0, null == o3 ? void 0 : o3[_t], null == o3 ? void 0 : o3.recognizedTokenTypes);
+    })(r2, i2, e3, { [_t]: l2, recognizedTokenTypes: n3 });
+  })).catch(rr);
+  return cr(d2), d2;
+}
+async function Er(e2, t2, n2) {
+  if (t2 instanceof Uint8Array) {
+    if (!e2.startsWith("HS")) throw new TypeError((function(e3) {
+      for (var t3 = arguments.length, n3 = new Array(t3 > 1 ? t3 - 1 : 0), o2 = 1; o2 < t3; o2++) n3[o2 - 1] = arguments[o2];
+      return _o("Key must be ", e3, ...n3);
+    })(t2, "CryptoKey", "KeyObject", "JSON Web Key"));
+    return crypto.subtle.importKey("raw", t2, { hash: "SHA-".concat(e2.slice(-3)), name: "HMAC" }, false, [n2]);
+  }
+  return bo(t2, e2, n2), t2;
+}
+async function Ar(e2, t2, n2, o2) {
+  const r2 = await Er(e2, t2, "verify");
+  !(function(e3, t3) {
+    if (e3.startsWith("RS") || e3.startsWith("PS")) {
+      const { modulusLength: n3 } = t3.algorithm;
+      if ("number" != typeof n3 || n3 < 2048) throw new TypeError("".concat(e3, " requires key modulusLength to be 2048 bits or larger"));
+    }
+  })(e2, r2);
+  const i2 = (function(e3, t3) {
+    const n3 = "SHA-".concat(e3.slice(-3));
+    switch (e3) {
+      case "HS256":
+      case "HS384":
+      case "HS512":
+        return { hash: n3, name: "HMAC" };
+      case "PS256":
+      case "PS384":
+      case "PS512":
+        return { hash: n3, name: "RSA-PSS", saltLength: parseInt(e3.slice(-3), 10) >> 3 };
+      case "RS256":
+      case "RS384":
+      case "RS512":
+        return { hash: n3, name: "RSASSA-PKCS1-v1_5" };
+      case "ES256":
+      case "ES384":
+      case "ES512":
+        return { hash: n3, name: "ECDSA", namedCurve: t3.namedCurve };
+      case "Ed25519":
+      case "EdDSA":
+        return { name: "Ed25519" };
+      case "ML-DSA-44":
+      case "ML-DSA-65":
+      case "ML-DSA-87":
+        return { name: e3 };
+      default:
+        throw new co("alg ".concat(e3, " is not supported either by JOSE or your javascript runtime"));
+    }
+  })(e2, r2.algorithm);
+  try {
+    return await crypto.subtle.verify(i2, r2, n2, o2);
+  } catch (e3) {
+    return false;
+  }
+}
+async function Tr(e2, t2, n2) {
+  if (!To(e2)) throw new uo("Flattened JWS must be an object");
+  if (void 0 === e2.protected && void 0 === e2.header) throw new uo('Flattened JWS must have either of the "protected" or "header" members');
+  if (void 0 !== e2.protected && "string" != typeof e2.protected) throw new uo("JWS Protected Header incorrect type");
+  if (void 0 === e2.payload) throw new uo("JWS Payload missing");
+  if ("string" != typeof e2.signature) throw new uo("JWS Signature missing or incorrect type");
+  if (void 0 !== e2.header && !To(e2.header)) throw new uo("JWS Unprotected Header incorrect type");
+  let o2 = {};
+  if (e2.protected) try {
+    const t3 = oo(e2.protected);
+    o2 = JSON.parse(eo.decode(t3));
+  } catch (e3) {
+    throw new uo("JWS Protected Header is invalid");
+  }
+  if (!(function() {
+    for (var e3 = arguments.length, t3 = new Array(e3), n3 = 0; n3 < e3; n3++) t3[n3] = arguments[n3];
+    const o3 = t3.filter(Boolean);
+    if (0 === o3.length || 1 === o3.length) return true;
+    let r3;
+    for (const e4 of o3) {
+      const t4 = Object.keys(e4);
+      if (r3 && 0 !== r3.size) for (const e5 of t4) {
+        if (r3.has(e5)) return false;
+        r3.add(e5);
+      }
+      else r3 = new Set(t4);
+    }
+    return true;
+  })(o2, e2.header)) throw new uo("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const r2 = ut(ut({}, o2), e2.header), i2 = (function(e3, t3, n3, o3, r3) {
+    if (void 0 !== r3.crit && void 0 === (null == o3 ? void 0 : o3.crit)) throw new e3('"crit" (Critical) Header Parameter MUST be integrity protected');
+    if (!o3 || void 0 === o3.crit) return /* @__PURE__ */ new Set();
+    if (!Array.isArray(o3.crit) || 0 === o3.crit.length || o3.crit.some(((e4) => "string" != typeof e4 || 0 === e4.length))) throw new e3('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    let i3;
+    i3 = void 0 !== n3 ? new Map([...Object.entries(n3), ...t3.entries()]) : t3;
+    for (const t4 of o3.crit) {
+      if (!i3.has(t4)) throw new co('Extension Header Parameter "'.concat(t4, '" is not recognized'));
+      if (void 0 === r3[t4]) throw new e3('Extension Header Parameter "'.concat(t4, '" is missing'));
+      if (i3.get(t4) && void 0 === o3[t4]) throw new e3('Extension Header Parameter "'.concat(t4, '" MUST be integrity protected'));
+    }
+    return new Set(o3.crit);
+  })(uo, /* @__PURE__ */ new Map([["b64", true]]), null == n2 ? void 0 : n2.crit, o2, r2);
+  let a2 = true;
+  if (i2.has("b64") && (a2 = o2.b64, "boolean" != typeof a2)) throw new uo('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: s2 } = r2;
+  if ("string" != typeof s2 || !s2) throw new uo('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  const c2 = n2 && (function(e3, t3) {
+    if (void 0 !== t3 && (!Array.isArray(t3) || t3.some(((e4) => "string" != typeof e4)))) throw new TypeError('"'.concat(e3, '" option must be an array of strings'));
+    if (t3) return new Set(t3);
+  })("algorithms", n2.algorithms);
+  if (c2 && !c2.has(s2)) throw new so('"alg" (Algorithm) Header Parameter value not allowed');
+  if (a2) {
+    if ("string" != typeof e2.payload) throw new uo("JWS Payload must be a string");
+  } else if ("string" != typeof e2.payload && !(e2.payload instanceof Uint8Array)) throw new uo("JWS Payload must be a string or an Uint8Array instance");
+  let u2 = false;
+  "function" == typeof t2 && (t2 = await t2(o2, e2), u2 = true), zo(s2, t2, "verify");
+  const l2 = (function() {
+    for (var e3 = arguments.length, t3 = new Array(e3), n3 = 0; n3 < e3; n3++) t3[n3] = arguments[n3];
+    const o3 = t3.reduce(((e4, t4) => {
+      let { length: n4 } = t4;
+      return e4 + n4;
+    }), 0), r3 = new Uint8Array(o3);
+    let i3 = 0;
+    for (const e4 of t3) r3.set(e4, i3), i3 += e4.length;
+    return r3;
+  })(void 0 !== e2.protected ? to(e2.protected) : new Uint8Array(), to("."), "string" == typeof e2.payload ? a2 ? to(e2.payload) : $n.encode(e2.payload) : e2.payload);
+  let d2;
+  try {
+    d2 = oo(e2.signature);
+  } catch (e3) {
+    throw new uo("Failed to base64url decode the signature");
+  }
+  const h2 = await No(t2, s2);
+  if (!await Ar(s2, h2, d2, l2)) throw new yo();
+  let p2;
+  if (a2) try {
+    p2 = oo(e2.payload);
+  } catch (e3) {
+    throw new uo("Failed to base64url decode the payload");
+  }
+  else p2 = "string" == typeof e2.payload ? $n.encode(e2.payload) : e2.payload;
+  const f = { payload: p2 };
+  return void 0 !== e2.protected && (f.protectedHeader = o2), void 0 !== e2.header && (f.unprotectedHeader = e2.header), u2 ? ut(ut({}, f), {}, { key: h2 }) : f;
+}
+var Pr = (e2) => Math.floor(e2.getTime() / 1e3);
+var Rr = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function Ir(e2) {
+  const t2 = Rr.exec(e2);
+  if (!t2 || t2[4] && t2[1]) throw new TypeError("Invalid time period format");
+  const n2 = parseFloat(t2[2]);
+  let o2;
+  switch (t2[3].toLowerCase()) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      o2 = Math.round(n2);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      o2 = Math.round(60 * n2);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      o2 = Math.round(3600 * n2);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      o2 = Math.round(86400 * n2);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      o2 = Math.round(604800 * n2);
+      break;
+    default:
+      o2 = Math.round(31557600 * n2);
+  }
+  return "-" === t2[1] || "ago" === t2[4] ? -o2 : o2;
+}
+var Or = (e2) => e2.includes("/") ? e2.toLowerCase() : "application/".concat(e2.toLowerCase());
+var xr = (e2, t2) => "string" == typeof e2 ? t2.includes(e2) : !!Array.isArray(e2) && t2.some(Set.prototype.has.bind(new Set(e2)));
+async function Cr(e2, t2, n2) {
+  var o2;
+  const r2 = await (async function(e3, t3, n3) {
+    if (e3 instanceof Uint8Array && (e3 = eo.decode(e3)), "string" != typeof e3) throw new uo("Compact JWS must be a string or Uint8Array");
+    const { 0: o3, 1: r3, 2: i3, length: a3 } = e3.split(".");
+    if (3 !== a3) throw new uo("Invalid Compact JWS");
+    const s2 = await Tr({ payload: r3, protected: o3, signature: i3 }, t3, n3), c2 = { payload: s2.payload, protectedHeader: s2.protectedHeader };
+    return "function" == typeof t3 ? ut(ut({}, c2), {}, { key: s2.key }) : c2;
+  })(e2, t2, n2);
+  if (null !== (o2 = r2.protectedHeader.crit) && void 0 !== o2 && o2.includes("b64") && false === r2.protectedHeader.b64) throw new lo("JWTs MUST NOT use unencoded payload");
+  const i2 = (function(e3, t3) {
+    let n3, o3 = arguments.length > 2 && void 0 !== arguments[2] ? arguments[2] : {};
+    try {
+      n3 = JSON.parse(eo.decode(t3));
+    } catch (e4) {
+    }
+    if (!To(n3)) throw new lo("JWT Claims Set must be a top-level JSON object");
+    const { typ: r3 } = o3;
+    if (r3 && ("string" != typeof e3.typ || Or(e3.typ) !== Or(r3))) throw new io('unexpected "typ" JWT header value', n3, "typ", "check_failed");
+    const { requiredClaims: i3 = [], issuer: a3, subject: s2, audience: c2, maxTokenAge: u2 } = o3, l2 = [...i3];
+    void 0 !== u2 && l2.push("iat"), void 0 !== c2 && l2.push("aud"), void 0 !== s2 && l2.push("sub"), void 0 !== a3 && l2.push("iss");
+    for (const e4 of new Set(l2.reverse())) if (!(e4 in n3)) throw new io('missing required "'.concat(e4, '" claim'), n3, e4, "missing");
+    if (a3 && !(Array.isArray(a3) ? a3 : [a3]).includes(n3.iss)) throw new io('unexpected "iss" claim value', n3, "iss", "check_failed");
+    if (s2 && n3.sub !== s2) throw new io('unexpected "sub" claim value', n3, "sub", "check_failed");
+    if (c2 && !xr(n3.aud, "string" == typeof c2 ? [c2] : c2)) throw new io('unexpected "aud" claim value', n3, "aud", "check_failed");
+    let d2;
+    switch (typeof o3.clockTolerance) {
+      case "string":
+        d2 = Ir(o3.clockTolerance);
+        break;
+      case "number":
+        d2 = o3.clockTolerance;
+        break;
+      case "undefined":
+        d2 = 0;
+        break;
+      default:
+        throw new TypeError("Invalid clockTolerance option type");
+    }
+    const { currentDate: h2 } = o3, p2 = Pr(h2 || /* @__PURE__ */ new Date());
+    if ((void 0 !== n3.iat || u2) && "number" != typeof n3.iat) throw new io('"iat" claim must be a number', n3, "iat", "invalid");
+    if (void 0 !== n3.nbf) {
+      if ("number" != typeof n3.nbf) throw new io('"nbf" claim must be a number', n3, "nbf", "invalid");
+      if (n3.nbf > p2 + d2) throw new io('"nbf" claim timestamp check failed', n3, "nbf", "check_failed");
+    }
+    if (void 0 !== n3.exp) {
+      if ("number" != typeof n3.exp) throw new io('"exp" claim must be a number', n3, "exp", "invalid");
+      if (n3.exp <= p2 - d2) throw new ao('"exp" claim timestamp check failed', n3, "exp", "check_failed");
+    }
+    if (u2) {
+      const e4 = p2 - n3.iat;
+      if (e4 - d2 > ("number" == typeof u2 ? u2 : Ir(u2))) throw new ao('"iat" claim timestamp check failed (too far in the past)', n3, "iat", "check_failed");
+      if (e4 < 0 - d2) throw new io('"iat" claim timestamp check failed (it should be in the past)', n3, "iat", "check_failed");
+    }
+    return n3;
+  })(r2.protectedHeader, r2.payload, n2), a2 = { payload: i2, protectedHeader: r2.protectedHeader };
+  return "function" == typeof t2 ? ut(ut({}, a2), {}, { key: r2.key }) : a2;
+}
+function jr(e2) {
+  return To(e2);
+}
+var Dr;
+var Kr;
+var Lr = /* @__PURE__ */ new WeakMap();
+var Ur = /* @__PURE__ */ new WeakMap();
+var Nr = class {
+  constructor(e2) {
+    if (it(this, Lr, void 0), it(this, Ur, /* @__PURE__ */ new WeakMap()), !(function(e3) {
+      return e3 && "object" == typeof e3 && Array.isArray(e3.keys) && e3.keys.every(jr);
+    })(e2)) throw new ho("JSON Web Key Set malformed");
+    at(Lr, this, structuredClone(e2));
+  }
+  jwks() {
+    return rt(Lr, this);
+  }
+  async getKey(e2, t2) {
+    const { alg: n2, kid: o2 } = ut(ut({}, e2), null == t2 ? void 0 : t2.header), r2 = (function(e3) {
+      switch ("string" == typeof e3 && e3.slice(0, 2)) {
+        case "RS":
+        case "PS":
+          return "RSA";
+        case "ES":
+          return "EC";
+        case "Ed":
+          return "OKP";
+        case "ML":
+          return "AKP";
+        default:
+          throw new co('Unsupported "alg" value for a JSON Web Key Set');
+      }
+    })(n2), i2 = rt(Lr, this).keys.filter(((e3) => {
+      let t3 = r2 === e3.kty;
+      if (t3 && "string" == typeof o2 && (t3 = o2 === e3.kid), !t3 || "string" != typeof e3.alg && "AKP" !== r2 || (t3 = n2 === e3.alg), t3 && "string" == typeof e3.use && (t3 = "sig" === e3.use), t3 && Array.isArray(e3.key_ops) && (t3 = e3.key_ops.includes("verify")), t3) switch (n2) {
+        case "ES256":
+          t3 = "P-256" === e3.crv;
+          break;
+        case "ES384":
+          t3 = "P-384" === e3.crv;
+          break;
+        case "ES512":
+          t3 = "P-521" === e3.crv;
+          break;
+        case "Ed25519":
+        case "EdDSA":
+          t3 = "Ed25519" === e3.crv;
+      }
+      return t3;
+    })), { 0: a2, length: s2 } = i2;
+    if (0 === s2) throw new po();
+    if (1 !== s2) {
+      const e3 = new fo(), t3 = rt(Ur, this);
+      throw e3[Symbol.asyncIterator] = dt((function* () {
+        for (const e4 of i2) try {
+          yield yield nt(Wr(t3, e4, n2));
+        } catch (e5) {
+        }
+      })), e3;
+    }
+    return Wr(rt(Ur, this), a2, n2);
+  }
+};
+async function Wr(e2, t2, n2) {
+  const o2 = e2.get(t2) || e2.set(t2, {}).get(t2);
+  if (void 0 === o2[n2]) {
+    const e3 = await (async function(e4, t3, n3) {
+      var o3;
+      if (!To(e4)) throw new TypeError("JWK must be an object");
+      let r2;
+      switch (null != t3 || (t3 = e4.alg), null != r2 || (r2 = null !== (o3 = null == n3 ? void 0 : n3.extractable) && void 0 !== o3 ? o3 : e4.ext), e4.kty) {
+        case "oct":
+          if ("string" != typeof e4.k || !e4.k) throw new TypeError('missing "k" (Key Value) Parameter value');
+          return oo(e4.k);
+        case "RSA":
+          if ("oth" in e4 && void 0 !== e4.oth) throw new co('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+          return Do(ut(ut({}, e4), {}, { alg: t3, ext: r2 }));
+        case "AKP":
+          if ("string" != typeof e4.alg || !e4.alg) throw new TypeError('missing "alg" (Algorithm) Parameter value');
+          if (void 0 !== t3 && t3 !== e4.alg) throw new TypeError("JWK alg and alg option value mismatch");
+          return Do(ut(ut({}, e4), {}, { ext: r2 }));
+        case "EC":
+        case "OKP":
+          return Do(ut(ut({}, e4), {}, { alg: t3, ext: r2 }));
+        default:
+          throw new co('Unsupported "kty" (Key Type) Parameter value');
+      }
+    })(ut(ut({}, t2), {}, { ext: true }), n2);
+    if (e3 instanceof Uint8Array || "public" !== e3.type) throw new ho("JSON Web Key Set members must be public keys");
+    o2[n2] = e3;
+  }
+  return o2[n2];
+}
+function Hr(e2) {
+  const t2 = new Nr(e2), n2 = async (e3, n3) => t2.getKey(e3, n3);
+  return Object.defineProperties(n2, { jwks: { value: () => structuredClone(t2.jwks()), enumerable: false, configurable: false, writable: false } }), n2;
+}
+var zr;
+if ("undefined" == typeof navigator || null === (Dr = navigator.userAgent) || void 0 === Dr || null === (Kr = Dr.startsWith) || void 0 === Kr || !Kr.call(Dr, "Mozilla/5.0 ")) {
+  const e2 = "v6.1.3";
+  zr = "".concat("jose", "/").concat(e2);
+}
+var Jr = /* @__PURE__ */ Symbol();
+var Mr = /* @__PURE__ */ Symbol();
+var Vr = /* @__PURE__ */ new WeakMap();
+var Gr = /* @__PURE__ */ new WeakMap();
+var Fr = /* @__PURE__ */ new WeakMap();
+var Zr = /* @__PURE__ */ new WeakMap();
+var qr = /* @__PURE__ */ new WeakMap();
+var Br = /* @__PURE__ */ new WeakMap();
+var Xr = /* @__PURE__ */ new WeakMap();
+var Yr = /* @__PURE__ */ new WeakMap();
+var Qr = /* @__PURE__ */ new WeakMap();
+var $r = /* @__PURE__ */ new WeakMap();
+var ei = class {
+  constructor(e2, t2) {
+    if (it(this, Vr, void 0), it(this, Gr, void 0), it(this, Fr, void 0), it(this, Zr, void 0), it(this, qr, void 0), it(this, Br, void 0), it(this, Xr, void 0), it(this, Yr, void 0), it(this, Qr, void 0), it(this, $r, void 0), !(e2 instanceof URL)) throw new TypeError("url must be an instance of URL");
+    var n2, o2;
+    at(Vr, this, new URL(e2.href)), at(Gr, this, "number" == typeof (null == t2 ? void 0 : t2.timeoutDuration) ? null == t2 ? void 0 : t2.timeoutDuration : 5e3), at(Fr, this, "number" == typeof (null == t2 ? void 0 : t2.cooldownDuration) ? null == t2 ? void 0 : t2.cooldownDuration : 3e4), at(Zr, this, "number" == typeof (null == t2 ? void 0 : t2.cacheMaxAge) ? null == t2 ? void 0 : t2.cacheMaxAge : 6e5), at(Xr, this, new Headers(null == t2 ? void 0 : t2.headers)), zr && !rt(Xr, this).has("User-Agent") && rt(Xr, this).set("User-Agent", zr), rt(Xr, this).has("accept") || (rt(Xr, this).set("accept", "application/json"), rt(Xr, this).append("accept", "application/jwk-set+json")), at(Yr, this, null == t2 ? void 0 : t2[Jr]), void 0 !== (null == t2 ? void 0 : t2[Mr]) && (at($r, this, null == t2 ? void 0 : t2[Mr]), n2 = null == t2 ? void 0 : t2[Mr], o2 = rt(Zr, this), "object" == typeof n2 && null !== n2 && "uat" in n2 && "number" == typeof n2.uat && !(Date.now() - n2.uat >= o2) && "jwks" in n2 && To(n2.jwks) && Array.isArray(n2.jwks.keys) && Array.prototype.every.call(n2.jwks.keys, To) && (at(qr, this, rt($r, this).uat), at(Qr, this, Hr(rt($r, this).jwks))));
+  }
+  pendingFetch() {
+    return !!rt(Br, this);
+  }
+  coolingDown() {
+    return "number" == typeof rt(qr, this) && Date.now() < rt(qr, this) + rt(Fr, this);
+  }
+  fresh() {
+    return "number" == typeof rt(qr, this) && Date.now() < rt(qr, this) + rt(Zr, this);
+  }
+  jwks() {
+    var e2;
+    return null === (e2 = rt(Qr, this)) || void 0 === e2 ? void 0 : e2.jwks();
+  }
+  async getKey(e2, t2) {
+    rt(Qr, this) && this.fresh() || await this.reload();
+    try {
+      return await rt(Qr, this).call(this, e2, t2);
+    } catch (n2) {
+      if (n2 instanceof po && false === this.coolingDown()) return await this.reload(), rt(Qr, this).call(this, e2, t2);
+      throw n2;
+    }
+  }
+  async reload() {
+    rt(Br, this) && ("undefined" != typeof WebSocketPair || "undefined" != typeof navigator && "Cloudflare-Workers" === navigator.userAgent || "undefined" != typeof EdgeRuntime && "vercel" === EdgeRuntime) && at(Br, this, void 0), rt(Br, this) || at(Br, this, (async function(e2, t2, n2) {
+      let o2 = arguments.length > 3 && void 0 !== arguments[3] ? arguments[3] : fetch;
+      const r2 = await o2(e2, { method: "GET", signal: n2, redirect: "manual", headers: t2 }).catch(((e3) => {
+        if ("TimeoutError" === e3.name) throw new mo();
+        throw e3;
+      }));
+      if (200 !== r2.status) throw new ro("Expected 200 OK from the JSON Web Key Set HTTP response");
+      try {
+        return await r2.json();
+      } catch (e3) {
+        throw new ro("Failed to parse the JSON Web Key Set HTTP response as JSON");
+      }
+    })(rt(Vr, this).href, rt(Xr, this), AbortSignal.timeout(rt(Gr, this)), rt(Yr, this)).then(((e2) => {
+      at(Qr, this, Hr(e2)), rt($r, this) && (rt($r, this).uat = Date.now(), rt($r, this).jwks = e2), at(qr, this, Date.now()), at(Br, this, void 0);
+    })).catch(((e2) => {
+      throw at(Br, this, void 0), e2;
+    }))), await rt(Br, this);
+  }
+};
+var ti = ["mfaToken"];
+var ni = ["mfaToken"];
+var oi;
+var ri;
+var ii;
+var ai;
+var si;
+var ci;
+var ui;
+var li;
+var di = class extends Error {
+  constructor(e2, t2) {
+    super(t2), st(this, "code", void 0), this.name = "NotSupportedError", this.code = e2;
+  }
+};
+var hi = class extends Error {
+  constructor(e2, t2, n2) {
+    super(t2), st(this, "cause", void 0), st(this, "code", void 0), this.code = e2, this.cause = n2 && { error: n2.error, error_description: n2.error_description, message: n2.message };
+  }
+};
+var pi = class extends hi {
+  constructor(e2, t2) {
+    super("token_by_code_error", e2, t2), this.name = "TokenByCodeError";
+  }
+};
+var fi = class extends hi {
+  constructor(e2, t2) {
+    super("token_by_client_credentials_error", e2, t2), this.name = "TokenByClientCredentialsError";
+  }
+};
+var mi = class extends hi {
+  constructor(e2, t2) {
+    super("token_by_refresh_token_error", e2, t2), this.name = "TokenByRefreshTokenError";
+  }
+};
+var yi = class extends hi {
+  constructor(e2, t2) {
+    super("token_for_connection_error", e2, t2), this.name = "TokenForConnectionErrorCode";
+  }
+};
+var wi = class extends hi {
+  constructor(e2, t2) {
+    super("token_exchange_error", e2, t2), this.name = "TokenExchangeError";
+  }
+};
+var gi = class extends Error {
+  constructor(e2) {
+    super(e2), st(this, "code", "verify_logout_token_error"), this.name = "VerifyLogoutTokenError";
+  }
+};
+var vi = class extends hi {
+  constructor(e2) {
+    super("backchannel_authentication_error", "There was an error when trying to use Client-Initiated Backchannel Authentication.", e2), st(this, "code", "backchannel_authentication_error"), this.name = "BackchannelAuthenticationError";
+  }
+};
+var bi = class extends hi {
+  constructor(e2) {
+    super("build_authorization_url_error", "There was an error when trying to build the authorization URL.", e2), this.name = "BuildAuthorizationUrlError";
+  }
+};
+var _i = class extends hi {
+  constructor(e2) {
+    super("build_link_user_url_error", "There was an error when trying to build the Link User URL.", e2), this.name = "BuildLinkUserUrlError";
+  }
+};
+var ki = class extends hi {
+  constructor(e2) {
+    super("build_unlink_user_url_error", "There was an error when trying to build the Unlink User URL.", e2), this.name = "BuildUnlinkUserUrlError";
+  }
+};
+var Si = class extends Error {
+  constructor() {
+    super("The client secret or client assertion signing key must be provided."), st(this, "code", "missing_client_auth_error"), this.name = "MissingClientAuthError";
+  }
+};
+function Ei(e2) {
+  return Object.entries(e2).filter(((e3) => {
+    let [, t2] = e3;
+    return void 0 !== t2;
+  })).reduce(((e3, t2) => ut(ut({}, e3), {}, { [t2[0]]: t2[1] })), {});
+}
+var Ai = class extends Error {
+  constructor(e2, t2, n2) {
+    super(t2), st(this, "cause", void 0), st(this, "code", void 0), this.code = e2, this.cause = n2 && { error: n2.error, error_description: n2.error_description, message: n2.message };
+  }
+};
+var Ti = class extends Ai {
+  constructor(e2, t2) {
+    super("mfa_list_authenticators_error", e2, t2), this.name = "MfaListAuthenticatorsError";
+  }
+};
+var Pi = class extends Ai {
+  constructor(e2, t2) {
+    super("mfa_enrollment_error", e2, t2), this.name = "MfaEnrollmentError";
+  }
+};
+var Ri = class extends Ai {
+  constructor(e2, t2) {
+    super("mfa_delete_authenticator_error", e2, t2), this.name = "MfaDeleteAuthenticatorError";
+  }
+};
+var Ii = class extends Ai {
+  constructor(e2, t2) {
+    super("mfa_challenge_error", e2, t2), this.name = "MfaChallengeError";
+  }
+};
+function Oi(e2) {
+  return { id: e2.id, authenticatorType: e2.authenticator_type, active: e2.active, name: e2.name, oobChannels: e2.oob_channels, type: e2.type };
+}
+var xi = (oi = /* @__PURE__ */ new WeakMap(), ri = /* @__PURE__ */ new WeakMap(), ii = /* @__PURE__ */ new WeakMap(), class {
+  constructor(e2) {
+    var t2;
+    it(this, oi, void 0), it(this, ri, void 0), it(this, ii, void 0), at(oi, this, "https://".concat(e2.domain)), at(ri, this, e2.clientId), at(ii, this, null !== (t2 = e2.customFetch) && void 0 !== t2 ? t2 : function() {
+      return fetch(...arguments);
+    });
+  }
+  async listAuthenticators(e2) {
+    const t2 = "".concat(rt(oi, this), "/mfa/authenticators"), { mfaToken: n2 } = e2, o2 = await rt(ii, this).call(this, t2, { method: "GET", headers: { Authorization: "Bearer ".concat(n2), "Content-Type": "application/json" } });
+    if (!o2.ok) {
+      const e3 = await o2.json();
+      throw new Ti(e3.error_description || "Failed to list authenticators", e3);
+    }
+    return (await o2.json()).map(Oi);
+  }
+  async enrollAuthenticator(e2) {
+    const t2 = "".concat(rt(oi, this), "/mfa/associate"), { mfaToken: n2 } = e2, o2 = lt(e2, ti), r2 = { authenticator_types: o2.authenticatorTypes };
+    "oobChannels" in o2 && (r2.oob_channels = o2.oobChannels), "phoneNumber" in o2 && o2.phoneNumber && (r2.phone_number = o2.phoneNumber), "email" in o2 && o2.email && (r2.email = o2.email);
+    const i2 = await rt(ii, this).call(this, t2, { method: "POST", headers: { Authorization: "Bearer ".concat(n2), "Content-Type": "application/json" }, body: JSON.stringify(r2) });
+    if (!i2.ok) {
+      const e3 = await i2.json();
+      throw new Pi(e3.error_description || "Failed to enroll authenticator", e3);
+    }
+    return (function(e3) {
+      if ("otp" === e3.authenticator_type) return { authenticatorType: "otp", secret: e3.secret, barcodeUri: e3.barcode_uri, recoveryCodes: e3.recovery_codes, id: e3.id };
+      if ("oob" === e3.authenticator_type) return { authenticatorType: "oob", oobChannel: e3.oob_channel, oobCode: e3.oob_code, bindingMethod: e3.binding_method, id: e3.id };
+      throw new Error("Unexpected authenticator type: ".concat(e3.authenticator_type));
+    })(await i2.json());
+  }
+  async deleteAuthenticator(e2) {
+    const { authenticatorId: t2, mfaToken: n2 } = e2, o2 = "".concat(rt(oi, this), "/mfa/authenticators/").concat(encodeURIComponent(t2)), r2 = await rt(ii, this).call(this, o2, { method: "DELETE", headers: { Authorization: "Bearer ".concat(n2), "Content-Type": "application/json" } });
+    if (!r2.ok) {
+      const e3 = await r2.json();
+      throw new Ri(e3.error_description || "Failed to delete authenticator", e3);
+    }
+  }
+  async challengeAuthenticator(e2) {
+    const t2 = "".concat(rt(oi, this), "/mfa/challenge"), { mfaToken: n2 } = e2, o2 = lt(e2, ni), r2 = { mfa_token: n2, client_id: rt(ri, this), challenge_type: o2.challengeType };
+    o2.authenticatorId && (r2.authenticator_id = o2.authenticatorId);
+    const i2 = await rt(ii, this).call(this, t2, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(r2) });
+    if (!i2.ok) {
+      const e3 = await i2.json();
+      throw new Ii(e3.error_description || "Failed to challenge authenticator", e3);
+    }
+    return (function(e3) {
+      const t3 = { challengeType: e3.challenge_type };
+      return void 0 !== e3.oob_code && (t3.oobCode = e3.oob_code), void 0 !== e3.binding_method && (t3.bindingMethod = e3.binding_method), t3;
+    })(await i2.json());
+  }
+});
+var Ci = class e {
+  constructor(e2, t2, n2, o2, r2, i2, a2) {
+    st(this, "accessToken", void 0), st(this, "idToken", void 0), st(this, "refreshToken", void 0), st(this, "expiresAt", void 0), st(this, "scope", void 0), st(this, "claims", void 0), st(this, "authorizationDetails", void 0), st(this, "tokenType", void 0), st(this, "issuedTokenType", void 0), this.accessToken = e2, this.idToken = n2, this.refreshToken = o2, this.expiresAt = t2, this.scope = r2, this.claims = i2, this.authorizationDetails = a2;
+  }
+  static fromTokenEndpointResponse(t2) {
+    const n2 = t2.id_token ? t2.claims() : void 0, o2 = new e(t2.access_token, Math.floor(Date.now() / 1e3) + Number(t2.expires_in), t2.id_token, t2.refresh_token, t2.scope, n2, t2.authorization_details);
+    return o2.tokenType = t2.token_type, o2.issuedTokenType = t2.issued_token_type, o2;
+  }
+};
+var ji = "openid profile email offline_access";
+var Di = Object.freeze(/* @__PURE__ */ new Set(["grant_type", "client_id", "client_secret", "client_assertion", "client_assertion_type", "subject_token", "subject_token_type", "requested_token_type", "actor_token", "actor_token_type", "audience", "aud", "resource", "resources", "resource_indicator", "scope", "connection", "login_hint", "organization", "assertion"]));
+function Ki(e2) {
+  if (null == e2) throw new wi("subject_token is required");
+  if ("string" != typeof e2) throw new wi("subject_token must be a string");
+  if (0 === e2.trim().length) throw new wi("subject_token cannot be blank or whitespace");
+  if (e2 !== e2.trim()) throw new wi("subject_token must not include leading or trailing whitespace");
+  if (/^bearer\s+/i.test(e2)) throw new wi("subject_token must not include the 'Bearer ' prefix");
+}
+function Li(e2, t2) {
+  if (t2) {
+    for (const [n2, o2] of Object.entries(t2)) if (!Di.has(n2)) if (Array.isArray(o2)) {
+      if (o2.length > 20) throw new wi("Parameter '".concat(n2, "' exceeds maximum array size of ").concat(20));
+      o2.forEach(((t3) => {
+        e2.append(n2, t3);
+      }));
+    } else e2.append(n2, o2);
+  }
+}
+var Ui = (ai = /* @__PURE__ */ new WeakMap(), si = /* @__PURE__ */ new WeakMap(), ci = /* @__PURE__ */ new WeakMap(), ui = /* @__PURE__ */ new WeakMap(), li = /* @__PURE__ */ new WeakSet(), class {
+  constructor(e2) {
+    if ((function(e3, t2) {
+      ot(e3, t2), t2.add(e3);
+    })(this, li), it(this, ai, void 0), it(this, si, void 0), it(this, ci, void 0), it(this, ui, void 0), st(this, "mfa", void 0), at(ci, this, e2), e2.useMtls && !e2.customFetch) throw new di("mtls_without_custom_fetch_not_supported", "Using mTLS without a custom fetch implementation is not supported");
+    this.mfa = new xi({ domain: rt(ci, this).domain, clientId: rt(ci, this).clientId, customFetch: rt(ci, this).customFetch });
+  }
+  async buildAuthorizationUrl(e2) {
+    const { serverMetadata: t2 } = await tt(li, this, Ni).call(this);
+    if (null != e2 && e2.pushedAuthorizationRequests && !t2.pushed_authorization_request_endpoint) throw new di("par_not_supported_error", "The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");
+    try {
+      return await tt(li, this, Ji).call(this, e2);
+    } catch (e3) {
+      throw new bi(e3);
+    }
+  }
+  async buildLinkUserUrl(e2) {
+    try {
+      const t2 = await tt(li, this, Ji).call(this, { authorizationParams: ut(ut({}, e2.authorizationParams), {}, { requested_connection: e2.connection, requested_connection_scope: e2.connectionScope, scope: "openid link_account offline_access", id_token_hint: e2.idToken }) });
+      return { linkUserUrl: t2.authorizationUrl, codeVerifier: t2.codeVerifier };
+    } catch (e3) {
+      throw new _i(e3);
+    }
+  }
+  async buildUnlinkUserUrl(e2) {
+    try {
+      const t2 = await tt(li, this, Ji).call(this, { authorizationParams: ut(ut({}, e2.authorizationParams), {}, { requested_connection: e2.connection, scope: "openid unlink_account", id_token_hint: e2.idToken }) });
+      return { unlinkUserUrl: t2.authorizationUrl, codeVerifier: t2.codeVerifier };
+    } catch (e3) {
+      throw new ki(e3);
+    }
+  }
+  async backchannelAuthentication(e2) {
+    const { configuration: t2, serverMetadata: n2 } = await tt(li, this, Ni).call(this), o2 = Ei(ut(ut({}, rt(ci, this).authorizationParams), null == e2 ? void 0 : e2.authorizationParams)), r2 = new URLSearchParams(ut(ut({ scope: ji }, o2), {}, { client_id: rt(ci, this).clientId, binding_message: e2.bindingMessage, login_hint: JSON.stringify({ format: "iss_sub", iss: n2.issuer, sub: e2.loginHint.sub }) }));
+    e2.requestedExpiry && r2.append("requested_expiry", e2.requestedExpiry.toString()), e2.authorizationDetails && r2.append("authorization_details", JSON.stringify(e2.authorizationDetails));
+    try {
+      const e3 = await dr(t2, r2), n3 = await hr(t2, e3);
+      return Ci.fromTokenEndpointResponse(n3);
+    } catch (e3) {
+      throw new vi(e3);
+    }
+  }
+  async initiateBackchannelAuthentication(e2) {
+    const { configuration: t2, serverMetadata: n2 } = await tt(li, this, Ni).call(this), o2 = Ei(ut(ut({}, rt(ci, this).authorizationParams), null == e2 ? void 0 : e2.authorizationParams)), r2 = new URLSearchParams(ut(ut({ scope: ji }, o2), {}, { client_id: rt(ci, this).clientId, binding_message: e2.bindingMessage, login_hint: JSON.stringify({ format: "iss_sub", iss: n2.issuer, sub: e2.loginHint.sub }) }));
+    e2.requestedExpiry && r2.append("requested_expiry", e2.requestedExpiry.toString()), e2.authorizationDetails && r2.append("authorization_details", JSON.stringify(e2.authorizationDetails));
+    try {
+      const e3 = await dr(t2, r2);
+      return { authReqId: e3.auth_req_id, expiresIn: e3.expires_in, interval: e3.interval };
+    } catch (e3) {
+      throw new vi(e3);
+    }
+  }
+  async backchannelAuthenticationGrant(e2) {
+    let { authReqId: t2 } = e2;
+    const { configuration: n2 } = await tt(li, this, Ni).call(this), o2 = new URLSearchParams({ auth_req_id: t2 });
+    try {
+      const e3 = await Sr(n2, "urn:openid:params:grant-type:ciba", o2);
+      return Ci.fromTokenEndpointResponse(e3);
+    } catch (e3) {
+      throw new vi(e3);
+    }
+  }
+  async getTokenForConnection(e2) {
+    var t2;
+    if (e2.refreshToken && e2.accessToken) throw new yi("Either a refresh or access token should be specified, but not both.");
+    const n2 = null !== (t2 = e2.accessToken) && void 0 !== t2 ? t2 : e2.refreshToken;
+    if (!n2) throw new yi("Either a refresh or access token must be specified.");
+    try {
+      return await this.exchangeToken({ connection: e2.connection, subjectToken: n2, subjectTokenType: e2.accessToken ? "urn:ietf:params:oauth:token-type:access_token" : "urn:ietf:params:oauth:token-type:refresh_token", loginHint: e2.loginHint });
+    } catch (e3) {
+      if (e3 instanceof wi) throw new yi(e3.message, e3.cause);
+      throw e3;
+    }
+  }
+  async exchangeToken(e2) {
+    return "connection" in e2 ? tt(li, this, Wi).call(this, e2) : tt(li, this, Hi).call(this, e2);
+  }
+  async getTokenByCode(e2, t2) {
+    const { configuration: n2 } = await tt(li, this, Ni).call(this);
+    try {
+      const o2 = await fr(n2, e2, { pkceCodeVerifier: t2.codeVerifier });
+      return Ci.fromTokenEndpointResponse(o2);
+    } catch (e3) {
+      throw new pi("There was an error while trying to request a token.", e3);
+    }
+  }
+  async getTokenByRefreshToken(e2) {
+    const { configuration: t2 } = await tt(li, this, Ni).call(this);
+    try {
+      const n2 = await mr(t2, e2.refreshToken);
+      return Ci.fromTokenEndpointResponse(n2);
+    } catch (e3) {
+      throw new mi("The access token has expired and there was an error while trying to refresh it.", e3);
+    }
+  }
+  async getTokenByClientCredentials(e2) {
+    const { configuration: t2 } = await tt(li, this, Ni).call(this);
+    try {
+      const n2 = new URLSearchParams({ audience: e2.audience });
+      e2.organization && n2.append("organization", e2.organization);
+      const o2 = await yr(t2, n2);
+      return Ci.fromTokenEndpointResponse(o2);
+    } catch (e3) {
+      throw new fi("There was an error while trying to request a token.", e3);
+    }
+  }
+  async buildLogoutUrl(e2) {
+    const { configuration: t2, serverMetadata: n2 } = await tt(li, this, Ni).call(this);
+    if (!n2.end_session_endpoint) {
+      const t3 = new URL("https://".concat(rt(ci, this).domain, "/v2/logout"));
+      return t3.searchParams.set("returnTo", e2.returnTo), t3.searchParams.set("client_id", rt(ci, this).clientId), t3;
+    }
+    return (function(e3, t3) {
+      vr(e3);
+      const { as: n3, c: o2, tlsOnly: r2 } = Fo(e3), i2 = Qt(n3, "end_session_endpoint", false, r2);
+      (t3 = new URLSearchParams(t3)).has("client_id") || t3.set("client_id", o2.client_id);
+      for (const [e4, n4] of t3.entries()) i2.searchParams.append(e4, n4);
+      return i2;
+    })(t2, { post_logout_redirect_uri: e2.returnTo });
+  }
+  async verifyLogoutToken(e2) {
+    const { serverMetadata: t2 } = await tt(li, this, Ni).call(this);
+    rt(ui, this) || at(ui, this, (function(e3, t3) {
+      const n3 = new ei(e3, t3), o2 = async (e4, t4) => n3.getKey(e4, t4);
+      return Object.defineProperties(o2, { coolingDown: { get: () => n3.coolingDown(), enumerable: true, configurable: false }, fresh: { get: () => n3.fresh(), enumerable: true, configurable: false }, reload: { value: () => n3.reload(), enumerable: true, configurable: false, writable: false }, reloading: { get: () => n3.pendingFetch(), enumerable: true, configurable: false }, jwks: { value: () => n3.jwks(), enumerable: true, configurable: false, writable: false } }), o2;
+    })(new URL(t2.jwks_uri), { [Jr]: rt(ci, this).customFetch }));
+    const { payload: n2 } = await Cr(e2.logoutToken, rt(ui, this), { issuer: t2.issuer, audience: rt(ci, this).clientId, algorithms: ["RS256"], requiredClaims: ["iat"] });
+    if (!("sid" in n2) && !("sub" in n2)) throw new gi('either "sid" or "sub" (or both) claims must be present');
+    if ("sid" in n2 && "string" != typeof n2.sid) throw new gi('"sid" claim must be a string');
+    if ("sub" in n2 && "string" != typeof n2.sub) throw new gi('"sub" claim must be a string');
+    if ("nonce" in n2) throw new gi('"nonce" claim is prohibited');
+    if (!("events" in n2)) throw new gi('"events" claim is missing');
+    if ("object" != typeof n2.events || null === n2.events) throw new gi('"events" claim must be an object');
+    if (!("http://schemas.openid.net/event/backchannel-logout" in n2.events)) throw new gi('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');
+    if ("object" != typeof n2.events["http://schemas.openid.net/event/backchannel-logout"]) throw new gi('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');
+    return { sid: n2.sid, sub: n2.sub };
+  }
+});
+async function Ni() {
+  if (rt(ai, this) && rt(si, this)) return { configuration: rt(ai, this), serverMetadata: rt(si, this) };
+  const e2 = await tt(li, this, zi).call(this);
+  return at(ai, this, await ir(new URL("https://".concat(rt(ci, this).domain)), rt(ci, this).clientId, { use_mtls_endpoint_aliases: rt(ci, this).useMtls }, e2, { [Xo]: rt(ci, this).customFetch })), at(si, this, rt(ai, this).serverMetadata()), rt(ai, this)[Xo] = rt(ci, this).customFetch || fetch, { configuration: rt(ai, this), serverMetadata: rt(si, this) };
+}
+async function Wi(e2) {
+  var t2, n2;
+  const { configuration: o2 } = await tt(li, this, Ni).call(this);
+  if ("audience" in e2 || "resource" in e2) throw new wi("audience and resource parameters are not supported for Token Vault exchanges");
+  Ki(e2.subjectToken);
+  const r2 = new URLSearchParams({ connection: e2.connection, subject_token: e2.subjectToken, subject_token_type: null !== (t2 = e2.subjectTokenType) && void 0 !== t2 ? t2 : "urn:ietf:params:oauth:token-type:access_token", requested_token_type: null !== (n2 = e2.requestedTokenType) && void 0 !== n2 ? n2 : "http://auth0.com/oauth/token-type/federated-connection-access-token" });
+  e2.loginHint && r2.append("login_hint", e2.loginHint), e2.scope && r2.append("scope", e2.scope), Li(r2, e2.extra);
+  try {
+    const e3 = await Sr(o2, "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token", r2);
+    return Ci.fromTokenEndpointResponse(e3);
+  } catch (t3) {
+    throw new wi("Failed to exchange token for connection '".concat(e2.connection, "'."), t3);
+  }
+}
+async function Hi(e2) {
+  const { configuration: t2 } = await tt(li, this, Ni).call(this);
+  Ki(e2.subjectToken);
+  const n2 = new URLSearchParams({ subject_token_type: e2.subjectTokenType, subject_token: e2.subjectToken });
+  e2.audience && n2.append("audience", e2.audience), e2.scope && n2.append("scope", e2.scope), e2.requestedTokenType && n2.append("requested_token_type", e2.requestedTokenType), e2.organization && n2.append("organization", e2.organization), Li(n2, e2.extra);
+  try {
+    const e3 = await Sr(t2, "urn:ietf:params:oauth:grant-type:token-exchange", n2);
+    return Ci.fromTokenEndpointResponse(e3);
+  } catch (t3) {
+    throw new wi("Failed to exchange token of type '".concat(e2.subjectTokenType, "'").concat(e2.audience ? " for audience '".concat(e2.audience, "'") : "", "."), t3);
+  }
+}
+async function zi() {
+  if (!rt(ci, this).clientSecret && !rt(ci, this).clientAssertionSigningKey && !rt(ci, this).useMtls) throw new Si();
+  if (rt(ci, this).useMtls) return (e3, t2, n2, o2) => {
+    n2.set("client_id", t2.client_id);
+  };
+  let e2 = rt(ci, this).clientAssertionSigningKey;
+  return !e2 || e2 instanceof CryptoKey || (e2 = await (async function(e3, t2, n2) {
+    if ("string" != typeof e3 || 0 !== e3.indexOf("-----BEGIN PRIVATE KEY-----")) throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+    return jo(e3, t2, n2);
+  })(e2, rt(ci, this).clientAssertionSigningAlg || "RS256")), e2 ? (function(e3, t2) {
+    return qt(e3, t2);
+  })(e2) : Bo(rt(ci, this).clientSecret);
+}
+async function Ji(e2) {
+  const { configuration: t2 } = await tt(li, this, Ni).call(this), n2 = tr(), o2 = await er(n2), r2 = Ei(ut(ut({}, rt(ci, this).authorizationParams), null == e2 ? void 0 : e2.authorizationParams)), i2 = new URLSearchParams(ut(ut({ scope: ji }, r2), {}, { client_id: rt(ci, this).clientId, code_challenge: o2, code_challenge_method: "S256" }));
+  return { authorizationUrl: null != e2 && e2.pushedAuthorizationRequests ? await gr(t2, i2) : await wr(t2, i2), codeVerifier: n2 };
+}
+var Mi = new p();
+var initialAuthState = {
+  isAuthenticated: false,
+  isLoading: true,
+  error: void 0,
+  user: void 0
+};
+var stub = function() {
+  throw new Error("You forgot to wrap your component in <Auth0Provider>.");
+};
+var initialContext = __assign(__assign({}, initialAuthState), { buildAuthorizeUrl: stub, buildLogoutUrl: stub, getAccessTokenSilently: stub, getAccessTokenWithPopup: stub, getIdTokenClaims: stub, exchangeToken: stub, loginWithRedirect: stub, loginWithPopup: stub, connectAccountWithRedirect: stub, logout: stub, handleRedirectCallback: stub, getDpopNonce: stub, setDpopNonce: stub, generateDpopProof: stub, createFetcher: stub, getConfiguration: stub });
+var Auth0Context = (0, import_react.createContext)(initialContext);
+var OAuthError = (
+  /** @class */
+  (function(_super) {
+    __extends(OAuthError2, _super);
+    function OAuthError2(error, error_description) {
+      var _this = _super.call(this, error_description !== null && error_description !== void 0 ? error_description : error) || this;
+      _this.error = error;
+      _this.error_description = error_description;
+      Object.setPrototypeOf(_this, OAuthError2.prototype);
+      return _this;
+    }
+    return OAuthError2;
+  })(Error)
+);
+var normalizeErrorFn = function(fallbackMessage) {
+  return function(error) {
+    if (error instanceof Error) {
+      return error;
+    }
+    if (error !== null && typeof error === "object" && "error" in error && typeof error.error === "string") {
+      if ("error_description" in error && typeof error.error_description === "string") {
+        var e_1 = error;
+        return new OAuthError(e_1.error, e_1.error_description);
+      }
+      var e2 = error;
+      return new OAuthError(e2.error);
+    }
+    return new Error(fallbackMessage);
+  };
+};
+var loginError = normalizeErrorFn("Login failed");
+var tokenError = normalizeErrorFn("Get access token failed");
+var useAuth0 = function(context) {
+  if (context === void 0) {
+    context = Auth0Context;
+  }
+  return (0, import_react.useContext)(context);
+};
+
+// src/bridges/auth0/index.ts
+function useAuth0User() {
+  const { user, isAuthenticated, isLoading, error } = useAuth0();
+  return { user, isAuthenticated, isLoading, error };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  useAuth0,
+  useAuth0User
+});
+//# sourceMappingURL=auth0.js.map