npm - mada-design-system - Versions diffs - 0.9.1 → 1.0.1 - Mend

mada-design-system 0.9.1 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1013) hide show

package/index.es188.js CHANGED Viewed

@@ -1,473 +1,2410 @@
-var W = Symbol.for("immer-nothing"), R = Symbol.for("immer-draftable"), u = Symbol.for("immer-state"), Q = process.env.NODE_ENV !== "production" ? [
-  // All error codes, starting by 0:
-  function(e) {
-    return `The plugin for '${e}' has not been loaded into Immer. To enable the plugin, import and call \`enable${e}()\` when initializing your application.`;
+import { jwtDecode as Te } from "./index.es200.js";
+var Pe = {
+  debug: () => {
   },
-  function(e) {
-    return `produce can only be called on things that are draftable: plain objects, arrays, Map, Set or classes that are marked with '[immerable]: true'. Got '${e}'`;
+  info: () => {
   },
-  "This object has been frozen and should not be mutated",
-  function(e) {
-    return "Cannot use a proxy that has been revoked. Did you pass an object from inside an immer function to an async process? " + e;
+  warn: () => {
   },
-  "An immer producer returned a new value *and* modified its draft. Either return a new value *or* modify the draft.",
-  "Immer forbids circular references",
-  "The first or second argument to `produce` must be a function",
-  "The third argument to `produce` must be a function or undefined",
-  "First argument to `createDraft` must be a plain object, an array, or an immerable object",
-  "First argument to `finishDraft` must be a draft returned by `createDraft`",
-  function(e) {
-    return `'current' expects a draft, got: ${e}`;
-  },
-  "Object.defineProperty() cannot be used on an Immer draft",
-  "Object.setPrototypeOf() cannot be used on an Immer draft",
-  "Immer only supports deleting array indices",
-  "Immer only supports setting array indices and the 'length' property",
-  function(e) {
-    return `'original' expects a draft, got: ${e}`;
-  }
-  // Note: if more errors are added, the errorOffset in Patches.ts should be increased
-  // See Patches.ts for additional errors
-] : [];
-function f(e, ...t) {
-  if (process.env.NODE_ENV !== "production") {
-    const r = Q[e], n = typeof r == "function" ? r.apply(null, t) : r;
-    throw new Error(`[Immer] ${n}`);
-  }
-  throw new Error(
-    `[Immer] minified error nr: ${e}. Full error at: https://bit.ly/3cXEKWf`
-  );
-}
-var m = Object.getPrototypeOf;
-function h(e) {
-  return !!e && !!e[u];
-}
-function _(e) {
-  var t;
-  return e ? U(e) || Array.isArray(e) || !!e[R] || !!((t = e.constructor) != null && t[R]) || O(e) || D(e) : !1;
-}
-var Y = Object.prototype.constructor.toString();
-function U(e) {
-  if (!e || typeof e != "object")
-    return !1;
-  const t = m(e);
-  if (t === null)
-    return !0;
-  const r = Object.hasOwnProperty.call(t, "constructor") && t.constructor;
-  return r === Object ? !0 : typeof r == "function" && Function.toString.call(r) === Y;
-}
-function b(e, t) {
-  z(e) === 0 ? Reflect.ownKeys(e).forEach((r) => {
-    t(r, e[r], e);
-  }) : e.forEach((r, n) => t(n, r, e));
-}
-function z(e) {
-  const t = e[u];
-  return t ? t.type_ : Array.isArray(e) ? 1 : O(e) ? 2 : D(e) ? 3 : 0;
-}
-function A(e, t) {
-  return z(e) === 2 ? e.has(t) : Object.prototype.hasOwnProperty.call(e, t);
-}
-function B(e, t, r) {
-  const n = z(e);
-  n === 2 ? e.set(t, r) : n === 3 ? e.add(r) : e[t] = r;
-}
-function Z(e, t) {
-  return e === t ? e !== 0 || 1 / e === 1 / t : e !== e && t !== t;
-}
-function O(e) {
-  return e instanceof Map;
-}
-function D(e) {
-  return e instanceof Set;
-}
-function d(e) {
-  return e.copy_ || e.base_;
-}
-function N(e, t) {
-  if (O(e))
-    return new Map(e);
-  if (D(e))
-    return new Set(e);
-  if (Array.isArray(e))
-    return Array.prototype.slice.call(e);
-  const r = U(e);
-  if (t === !0 || t === "class_only" && !r) {
-    const n = Object.getOwnPropertyDescriptors(e);
-    delete n[u];
-    let i = Reflect.ownKeys(n);
-    for (let o = 0; o < i.length; o++) {
-      const s = i[o], c = n[s];
-      c.writable === !1 && (c.writable = !0, c.configurable = !0), (c.get || c.set) && (n[s] = {
-        configurable: !0,
-        writable: !0,
-        // could live with !!desc.set as well here...
-        enumerable: c.enumerable,
-        value: e[s]
-      });
+  error: () => {
+  }
+}, b, k, D = /* @__PURE__ */ ((e) => (e[e.NONE = 0] = "NONE", e[e.ERROR = 1] = "ERROR", e[e.WARN = 2] = "WARN", e[e.INFO = 3] = "INFO", e[e.DEBUG = 4] = "DEBUG", e))(D || {});
+((e) => {
+  function t() {
+    b = 3, k = Pe;
+  }
+  e.reset = t;
+  function s(r) {
+    if (!(0 <= r && r <= 4))
+      throw new Error("Invalid log level");
+    b = r;
+  }
+  e.setLevel = s;
+  function i(r) {
+    k = r;
+  }
+  e.setLogger = i;
+})(D || (D = {}));
+var g = class y {
+  constructor(t) {
+    this._name = t;
+  }
+  /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */
+  debug(...t) {
+    b >= 4 && k.debug(y._format(this._name, this._method), ...t);
+  }
+  info(...t) {
+    b >= 3 && k.info(y._format(this._name, this._method), ...t);
+  }
+  warn(...t) {
+    b >= 2 && k.warn(y._format(this._name, this._method), ...t);
+  }
+  error(...t) {
+    b >= 1 && k.error(y._format(this._name, this._method), ...t);
+  }
+  /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */
+  throw(t) {
+    throw this.error(t), t;
+  }
+  create(t) {
+    const s = Object.create(this);
+    return s._method = t, s.debug("begin"), s;
+  }
+  static createStatic(t, s) {
+    const i = new y(`${t}.${s}`);
+    return i.debug("begin"), i;
+  }
+  static _format(t, s) {
+    const i = `[${t}]`;
+    return s ? `${i} ${s}:` : i;
+  }
+  /* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */
+  // helpers for static class methods
+  static debug(t, ...s) {
+    b >= 4 && k.debug(y._format(t), ...s);
+  }
+  static info(t, ...s) {
+    b >= 3 && k.info(y._format(t), ...s);
+  }
+  static warn(t, ...s) {
+    b >= 2 && k.warn(y._format(t), ...s);
+  }
+  static error(t, ...s) {
+    b >= 1 && k.error(y._format(t), ...s);
+  }
+  /* eslint-enable @typescript-eslint/no-unsafe-enum-comparison */
+};
+D.reset();
+var H = class {
+  // IMPORTANT: doesn't validate the token
+  static decode(e) {
+    try {
+      return Te(e);
+    } catch (t) {
+      throw g.error("JwtUtils.decode", t), t;
     }
-    return Object.create(m(e), n);
-  } else {
-    const n = m(e);
-    if (n !== null && r)
-      return { ...e };
-    const i = Object.create(n);
-    return Object.assign(i, e);
-  }
-}
-function T(e, t = !1) {
-  return S(e) || h(e) || !_(e) || (z(e) > 1 && (e.set = e.add = e.clear = e.delete = L), Object.freeze(e), t && Object.entries(e).forEach(([r, n]) => T(n, !0))), e;
-}
-function L() {
-  f(2);
-}
-function S(e) {
-  return Object.isFrozen(e);
-}
-var V = {};
-function y(e) {
-  const t = V[e];
-  return t || f(0, e), t;
-}
-var p;
-function G() {
-  return p;
-}
-function ee(e, t) {
-  return {
-    drafts_: [],
-    parent_: e,
-    immer_: t,
-    // Whenever the modified draft contains a draft from another scope, we
-    // need to prevent auto-freezing so the unowned draft can be finalized.
-    canAutoFreeze_: !0,
-    unfinalizedDrafts_: 0
-  };
-}
-function x(e, t) {
-  t && (y("Patches"), e.patches_ = [], e.inversePatches_ = [], e.patchListener_ = t);
-}
-function v(e) {
-  C(e), e.drafts_.forEach(te), e.drafts_ = null;
-}
-function C(e) {
-  e === p && (p = e.parent_);
-}
-function j(e) {
-  return p = ee(p, e);
-}
-function te(e) {
-  const t = e[u];
-  t.type_ === 0 || t.type_ === 1 ? t.revoke_() : t.revoked_ = !0;
-}
-function $(e, t) {
-  t.unfinalizedDrafts_ = t.drafts_.length;
-  const r = t.drafts_[0];
-  return e !== void 0 && e !== r ? (r[u].modified_ && (v(t), f(4)), _(e) && (e = w(t, e), t.parent_ || g(t, e)), t.patches_ && y("Patches").generateReplacementPatches_(
-    r[u].base_,
-    e,
-    t.patches_,
-    t.inversePatches_
-  )) : e = w(t, r, []), v(t), t.patches_ && t.patchListener_(t.patches_, t.inversePatches_), e !== W ? e : void 0;
-}
-function w(e, t, r) {
-  if (S(t))
-    return t;
-  const n = t[u];
-  if (!n)
-    return b(
-      t,
-      (i, o) => K(e, n, t, i, o, r)
-    ), t;
-  if (n.scope_ !== e)
-    return t;
-  if (!n.modified_)
-    return g(e, n.base_, !0), n.base_;
-  if (!n.finalized_) {
-    n.finalized_ = !0, n.scope_.unfinalizedDrafts_--;
-    const i = n.copy_;
-    let o = i, s = !1;
-    n.type_ === 3 && (o = new Set(i), i.clear(), s = !0), b(
-      o,
-      (c, l) => K(e, n, i, c, l, r, s)
-    ), g(e, i, !1), r && e.patches_ && y("Patches").generatePatches_(
-      n,
-      r,
-      e.patches_,
-      e.inversePatches_
+  }
+  static async generateSignedJwt(e, t, s) {
+    const i = _.encodeBase64Url(new TextEncoder().encode(JSON.stringify(e))), r = _.encodeBase64Url(new TextEncoder().encode(JSON.stringify(t))), o = `${i}.${r}`, n = await window.crypto.subtle.sign(
+      {
+        name: "ECDSA",
+        hash: { name: "SHA-256" }
+      },
+      s,
+      new TextEncoder().encode(o)
+    ), a = _.encodeBase64Url(new Uint8Array(n));
+    return `${o}.${a}`;
+  }
+  static async generateSignedJwtWithHmac(e, t, s) {
+    const i = _.encodeBase64Url(new TextEncoder().encode(JSON.stringify(e))), r = _.encodeBase64Url(new TextEncoder().encode(JSON.stringify(t))), o = `${i}.${r}`, n = await window.crypto.subtle.sign(
+      "HMAC",
+      s,
+      new TextEncoder().encode(o)
+    ), a = _.encodeBase64Url(new Uint8Array(n));
+    return `${o}.${a}`;
+  }
+}, Re = "10000000-1000-4000-8000-100000000000", K = (e) => btoa([...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")), ie = class m {
+  static _randomWord() {
+    const t = new Uint32Array(1);
+    return crypto.getRandomValues(t), t[0];
+  }
+  /**
+   * Generates RFC4122 version 4 guid
+   */
+  static generateUUIDv4() {
+    return Re.replace(
+      /[018]/g,
+      (s) => (+s ^ m._randomWord() & 15 >> +s / 4).toString(16)
+    ).replace(/-/g, "");
+  }
+  /**
+   * PKCE: Generate a code verifier
+   */
+  static generateCodeVerifier() {
+    return m.generateUUIDv4() + m.generateUUIDv4() + m.generateUUIDv4();
+  }
+  /**
+   * PKCE: Generate a code challenge
+   */
+  static async generateCodeChallenge(t) {
+    if (!crypto.subtle)
+      throw new Error("Crypto.subtle is available only in secure contexts (HTTPS).");
+    try {
+      const i = new TextEncoder().encode(t), r = await crypto.subtle.digest("SHA-256", i);
+      return K(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+    } catch (s) {
+      throw g.error("CryptoUtils.generateCodeChallenge", s), s;
+    }
+  }
+  /**
+   * Generates a base64-encoded string for a basic auth header
+   */
+  static generateBasicAuth(t, s) {
+    const r = new TextEncoder().encode([t, s].join(":"));
+    return K(r);
+  }
+  /**
+   * Generates a hash of a string using a given algorithm
+   * @param alg
+   * @param message
+   */
+  static async hash(t, s) {
+    const i = new TextEncoder().encode(s), r = await crypto.subtle.digest(t, i);
+    return new Uint8Array(r);
+  }
+  /**
+   * Generates a rfc7638 compliant jwk thumbprint
+   * @param jwk
+   */
+  static async customCalculateJwkThumbprint(t) {
+    let s;
+    switch (t.kty) {
+      case "RSA":
+        s = {
+          e: t.e,
+          kty: t.kty,
+          n: t.n
+        };
+        break;
+      case "EC":
+        s = {
+          crv: t.crv,
+          kty: t.kty,
+          x: t.x,
+          y: t.y
+        };
+        break;
+      case "OKP":
+        s = {
+          crv: t.crv,
+          kty: t.kty,
+          x: t.x
+        };
+        break;
+      case "oct":
+        s = {
+          crv: t.k,
+          kty: t.kty
+        };
+        break;
+      default:
+        throw new Error("Unknown jwk type");
+    }
+    const i = await m.hash("SHA-256", JSON.stringify(s));
+    return m.encodeBase64Url(i);
+  }
+  static async generateDPoPProof({
+    url: t,
+    accessToken: s,
+    httpMethod: i,
+    keyPair: r,
+    nonce: o
+  }) {
+    let n, a;
+    const c = {
+      jti: window.crypto.randomUUID(),
+      htm: i ?? "GET",
+      htu: t,
+      iat: Math.floor(Date.now() / 1e3)
+    };
+    s && (n = await m.hash("SHA-256", s), a = m.encodeBase64Url(n), c.ath = a), o && (c.nonce = o);
+    try {
+      const l = await crypto.subtle.exportKey("jwk", r.publicKey), d = {
+        alg: "ES256",
+        typ: "dpop+jwt",
+        jwk: {
+          crv: l.crv,
+          kty: l.kty,
+          x: l.x,
+          y: l.y
+        }
+      };
+      return await H.generateSignedJwt(d, c, r.privateKey);
+    } catch (l) {
+      throw l instanceof TypeError ? new Error(`Error exporting dpop public key: ${l.message}`) : l;
+    }
+  }
+  static async generateDPoPJkt(t) {
+    try {
+      const s = await crypto.subtle.exportKey("jwk", t.publicKey);
+      return await m.customCalculateJwkThumbprint(s);
+    } catch (s) {
+      throw s instanceof TypeError ? new Error(`Could not retrieve dpop keys from storage: ${s.message}`) : s;
+    }
+  }
+  static async generateDPoPKeys() {
+    return await window.crypto.subtle.generateKey(
+      {
+        name: "ECDSA",
+        namedCurve: "P-256"
+      },
+      !1,
+      ["sign", "verify"]
     );
   }
-  return n.copy_;
-}
-function K(e, t, r, n, i, o, s) {
-  if (process.env.NODE_ENV !== "production" && i === r && f(5), h(i)) {
-    const c = o && t && t.type_ !== 3 && // Set objects are atomic since they have no keys.
-    !A(t.assigned_, n) ? o.concat(n) : void 0, l = w(e, i, c);
-    if (B(r, n, l), h(l))
-      e.canAutoFreeze_ = !1;
-    else
+  /**
+   * Generates a client assertion JWT for client_secret_jwt authentication
+   * @param client_id The client identifier
+   * @param client_secret The client secret
+   * @param audience The token endpoint URL (audience)
+   * @param algorithm The HMAC algorithm to use (HS256, HS384, HS512). Defaults to HS256
+   */
+  static async generateClientAssertionJwt(t, s, i, r = "HS256") {
+    const o = Math.floor(Date.now() / 1e3), n = {
+      alg: r,
+      typ: "JWT"
+    }, a = {
+      iss: t,
+      sub: t,
+      aud: i,
+      jti: m.generateUUIDv4(),
+      exp: o + 300,
+      // 5 minutes
+      iat: o
+    }, l = {
+      HS256: "SHA-256",
+      HS384: "SHA-384",
+      HS512: "SHA-512"
+    }[r];
+    if (!l)
+      throw new Error(`Unsupported algorithm: ${r}. Supported algorithms are: HS256, HS384, HS512`);
+    const d = new TextEncoder(), h = await crypto.subtle.importKey(
+      "raw",
+      d.encode(s),
+      { name: "HMAC", hash: l },
+      !1,
+      ["sign"]
+    );
+    return await H.generateSignedJwtWithHmac(n, a, h);
+  }
+};
+ie.encodeBase64Url = (e) => K(e).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+var _ = ie, I = class {
+  constructor(e) {
+    this._name = e, this._callbacks = [], this._logger = new g(`Event('${this._name}')`);
+  }
+  addHandler(e) {
+    return this._callbacks.push(e), () => this.removeHandler(e);
+  }
+  removeHandler(e) {
+    const t = this._callbacks.lastIndexOf(e);
+    t >= 0 && this._callbacks.splice(t, 1);
+  }
+  async raise(...e) {
+    this._logger.debug("raise:", ...e);
+    for (const t of this._callbacks)
+      await t(...e);
+  }
+}, Z = class {
+  /**
+   * Populates a map of window features with a placement centered in front of
+   * the current window. If no explicit width is given, a default value is
+   * binned into [800, 720, 600, 480, 360] based on the current window's width.
+   */
+  static center({ ...e }) {
+    var t, s, i;
+    return e.width == null && (e.width = (t = [800, 720, 600, 480].find((r) => r <= window.outerWidth / 1.618)) != null ? t : 360), (s = e.left) != null || (e.left = Math.max(0, Math.round(window.screenX + (window.outerWidth - e.width) / 2))), e.height != null && ((i = e.top) != null || (e.top = Math.max(0, Math.round(window.screenY + (window.outerHeight - e.height) / 2)))), e;
+  }
+  static serialize(e) {
+    return Object.entries(e).filter(([, t]) => t != null).map(([t, s]) => `${t}=${typeof s != "boolean" ? s : s ? "yes" : "no"}`).join(",");
+  }
+}, T = class j extends I {
+  constructor() {
+    super(...arguments), this._logger = new g(`Timer('${this._name}')`), this._timerHandle = null, this._expiration = 0, this._callback = () => {
+      const t = this._expiration - j.getEpochTime();
+      this._logger.debug("timer completes in", t), this._expiration <= j.getEpochTime() && (this.cancel(), super.raise());
+    };
+  }
+  // get the time
+  static getEpochTime() {
+    return Math.floor(Date.now() / 1e3);
+  }
+  init(t) {
+    const s = this._logger.create("init");
+    t = Math.max(Math.floor(t), 1);
+    const i = j.getEpochTime() + t;
+    if (this.expiration === i && this._timerHandle) {
+      s.debug("skipping since already initialized for expiration at", this.expiration);
       return;
-  } else
-    s && r.add(i);
-  if (_(i) && !S(i)) {
-    if (!e.immer_.autoFreeze_ && e.unfinalizedDrafts_ < 1)
+    }
+    this.cancel(), s.debug("using duration", t), this._expiration = i;
+    const r = Math.min(t, 5);
+    this._timerHandle = setInterval(this._callback, r * 1e3);
+  }
+  get expiration() {
+    return this._expiration;
+  }
+  cancel() {
+    this._logger.create("cancel"), this._timerHandle && (clearInterval(this._timerHandle), this._timerHandle = null);
+  }
+}, L = class {
+  static readParams(e, t = "query") {
+    if (!e) throw new TypeError("Invalid URL");
+    const i = new URL(e, "http://127.0.0.1")[t === "fragment" ? "hash" : "search"];
+    return new URLSearchParams(i.slice(1));
+  }
+}, N = ";", q = class extends Error {
+  constructor(e, t) {
+    var s, i, r;
+    if (super(e.error_description || e.error || ""), this.form = t, this.name = "ErrorResponse", !e.error)
+      throw g.error("ErrorResponse", "No error passed"), new Error("No error passed");
+    this.error = e.error, this.error_description = (s = e.error_description) != null ? s : null, this.error_uri = (i = e.error_uri) != null ? i : null, this.state = e.userState, this.session_state = (r = e.session_state) != null ? r : null, this.url_state = e.url_state;
+  }
+}, G = class extends Error {
+  constructor(e) {
+    super(e), this.name = "ErrorTimeout";
+  }
+}, Ie = class {
+  constructor(e) {
+    this._logger = new g("AccessTokenEvents"), this._expiringTimer = new T("Access token expiring"), this._expiredTimer = new T("Access token expired"), this._expiringNotificationTimeInSeconds = e.expiringNotificationTimeInSeconds;
+  }
+  async load(e) {
+    const t = this._logger.create("load");
+    if (e.access_token && e.expires_in !== void 0) {
+      const s = e.expires_in;
+      if (t.debug("access token present, remaining duration:", s), s > 0) {
+        let r = s - this._expiringNotificationTimeInSeconds;
+        r <= 0 && (r = 1), t.debug("registering expiring timer, raising in", r, "seconds"), this._expiringTimer.init(r);
+      } else
+        t.debug("canceling existing expiring timer because we're past expiration."), this._expiringTimer.cancel();
+      const i = s + 1;
+      t.debug("registering expired timer, raising in", i, "seconds"), this._expiredTimer.init(i);
+    } else
+      this._expiringTimer.cancel(), this._expiredTimer.cancel();
+  }
+  async unload() {
+    this._logger.debug("unload: canceling existing access token timers"), this._expiringTimer.cancel(), this._expiredTimer.cancel();
+  }
+  /**
+   * Add callback: Raised prior to the access token expiring.
+   */
+  addAccessTokenExpiring(e) {
+    return this._expiringTimer.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised prior to the access token expiring.
+   */
+  removeAccessTokenExpiring(e) {
+    this._expiringTimer.removeHandler(e);
+  }
+  /**
+   * Add callback: Raised after the access token has expired.
+   */
+  addAccessTokenExpired(e) {
+    return this._expiredTimer.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised after the access token has expired.
+   */
+  removeAccessTokenExpired(e) {
+    this._expiredTimer.removeHandler(e);
+  }
+}, Ce = class {
+  constructor(e, t, s, i, r) {
+    this._callback = e, this._client_id = t, this._intervalInSeconds = i, this._stopOnError = r, this._logger = new g("CheckSessionIFrame"), this._timer = null, this._session_state = null, this._message = (n) => {
+      n.origin === this._frame_origin && n.source === this._frame.contentWindow && (n.data === "error" ? (this._logger.error("error message from check session op iframe"), this._stopOnError && this.stop()) : n.data === "changed" ? (this._logger.debug("changed message from check session op iframe"), this.stop(), this._callback()) : this._logger.debug(n.data + " message from check session op iframe"));
+    };
+    const o = new URL(s);
+    this._frame_origin = o.origin, this._frame = window.document.createElement("iframe"), this._frame.style.visibility = "hidden", this._frame.style.position = "fixed", this._frame.style.left = "-1000px", this._frame.style.top = "0", this._frame.width = "0", this._frame.height = "0", this._frame.src = o.href;
+  }
+  load() {
+    return new Promise((e) => {
+      this._frame.onload = () => {
+        e();
+      }, window.document.body.appendChild(this._frame), window.addEventListener("message", this._message, !1);
+    });
+  }
+  start(e) {
+    if (this._session_state === e)
       return;
-    w(e, i), (!t || !t.scope_.parent_) && typeof n != "symbol" && Object.prototype.propertyIsEnumerable.call(r, n) && g(e, i);
-  }
-}
-function g(e, t, r = !1) {
-  !e.parent_ && e.immer_.autoFreeze_ && e.canAutoFreeze_ && T(t, r);
-}
-function re(e, t) {
-  const r = Array.isArray(e), n = {
-    type_: r ? 1 : 0,
-    // Track which produce call this is associated with.
-    scope_: t ? t.scope_ : G(),
-    // True for both shallow and deep changes.
-    modified_: !1,
-    // Used during finalization.
-    finalized_: !1,
-    // Track which properties have been assigned (true) or deleted (false).
-    assigned_: {},
-    // The parent draft state.
-    parent_: t,
-    // The base state.
-    base_: e,
-    // The base proxy.
-    draft_: null,
-    // set below
-    // The base copy with any updated values.
-    copy_: null,
-    // Called by the `produce` function.
-    revoke_: null,
-    isManual_: !1
-  };
-  let i = n, o = M;
-  r && (i = [n], o = P);
-  const { revoke: s, proxy: c } = Proxy.revocable(i, o);
-  return n.draft_ = c, n.revoke_ = s, c;
-}
-var M = {
-  get(e, t) {
-    if (t === u)
-      return e;
-    const r = d(e);
-    if (!A(r, t))
-      return ne(e, r, t);
-    const n = r[t];
-    return e.finalized_ || !_(n) ? n : n === F(e.base_, t) ? (E(e), e.copy_[t] = k(n, e)) : n;
-  },
-  has(e, t) {
-    return t in d(e);
-  },
-  ownKeys(e) {
-    return Reflect.ownKeys(d(e));
-  },
-  set(e, t, r) {
-    const n = H(d(e), t);
-    if (n != null && n.set)
-      return n.set.call(e.draft_, r), !0;
-    if (!e.modified_) {
-      const i = F(d(e), t), o = i == null ? void 0 : i[u];
-      if (o && o.base_ === r)
-        return e.copy_[t] = r, e.assigned_[t] = !1, !0;
-      if (Z(r, i) && (r !== void 0 || A(e.base_, t)))
-        return !0;
-      E(e), I(e);
-    }
-    return e.copy_[t] === r && // special case: handle new props with value 'undefined'
-    (r !== void 0 || t in e.copy_) || // special case: NaN
-    Number.isNaN(r) && Number.isNaN(e.copy_[t]) || (e.copy_[t] = r, e.assigned_[t] = !0), !0;
-  },
-  deleteProperty(e, t) {
-    return F(e.base_, t) !== void 0 || t in e.base_ ? (e.assigned_[t] = !1, E(e), I(e)) : delete e.assigned_[t], e.copy_ && delete e.copy_[t], !0;
-  },
-  // Note: We never coerce `desc.value` into an Immer draft, because we can't make
-  // the same guarantee in ES5 mode.
-  getOwnPropertyDescriptor(e, t) {
-    const r = d(e), n = Reflect.getOwnPropertyDescriptor(r, t);
-    return n && {
-      writable: !0,
-      configurable: e.type_ !== 1 || t !== "length",
-      enumerable: n.enumerable,
-      value: r[t]
+    this._logger.create("start"), this.stop(), this._session_state = e;
+    const t = () => {
+      !this._frame.contentWindow || !this._session_state || this._frame.contentWindow.postMessage(this._client_id + " " + this._session_state, this._frame_origin);
     };
-  },
-  defineProperty() {
-    f(11);
-  },
-  getPrototypeOf(e) {
-    return m(e.base_);
-  },
-  setPrototypeOf() {
-    f(12);
-  }
-}, P = {};
-b(M, (e, t) => {
-  P[e] = function() {
-    return arguments[0] = arguments[0][0], t.apply(this, arguments);
-  };
-});
-P.deleteProperty = function(e, t) {
-  return process.env.NODE_ENV !== "production" && isNaN(parseInt(t)) && f(13), P.set.call(this, e, t, void 0);
-};
-P.set = function(e, t, r) {
-  return process.env.NODE_ENV !== "production" && t !== "length" && isNaN(parseInt(t)) && f(14), M.set.call(this, e[0], t, r, e[0]);
+    t(), this._timer = setInterval(t, this._intervalInSeconds * 1e3);
+  }
+  stop() {
+    this._logger.create("stop"), this._session_state = null, this._timer && (clearInterval(this._timer), this._timer = null);
+  }
+}, re = class {
+  constructor() {
+    this._logger = new g("InMemoryWebStorage"), this._data = {};
+  }
+  clear() {
+    this._logger.create("clear"), this._data = {};
+  }
+  getItem(e) {
+    return this._logger.create(`getItem('${e}')`), this._data[e];
+  }
+  setItem(e, t) {
+    this._logger.create(`setItem('${e}')`), this._data[e] = t;
+  }
+  removeItem(e) {
+    this._logger.create(`removeItem('${e}')`), delete this._data[e];
+  }
+  get length() {
+    return Object.getOwnPropertyNames(this._data).length;
+  }
+  key(e) {
+    return Object.getOwnPropertyNames(this._data)[e];
+  }
+}, F = class extends Error {
+  constructor(e, t) {
+    super(t), this.name = "ErrorDPoPNonce", this.nonce = e;
+  }
+}, Q = class {
+  constructor(e = [], t = null, s = {}) {
+    this._jwtHandler = t, this._extraHeaders = s, this._logger = new g("JsonService"), this._contentTypes = [], this._contentTypes.push(...e, "application/json"), t && this._contentTypes.push("application/jwt");
+  }
+  async fetchWithTimeout(e, t = {}) {
+    const { timeoutInSeconds: s, ...i } = t;
+    if (!s)
+      return await fetch(e, i);
+    const r = new AbortController(), o = setTimeout(() => r.abort(), s * 1e3);
+    try {
+      return await fetch(e, {
+        ...t,
+        signal: r.signal
+      });
+    } catch (n) {
+      throw n instanceof DOMException && n.name === "AbortError" ? new G("Network timed out") : n;
+    } finally {
+      clearTimeout(o);
+    }
+  }
+  async getJson(e, {
+    token: t,
+    credentials: s,
+    timeoutInSeconds: i
+  } = {}) {
+    const r = this._logger.create("getJson"), o = {
+      Accept: this._contentTypes.join(", ")
+    };
+    t && (r.debug("token passed, setting Authorization header"), o.Authorization = "Bearer " + t), this._appendExtraHeaders(o);
+    let n;
+    try {
+      r.debug("url:", e), n = await this.fetchWithTimeout(e, { method: "GET", headers: o, timeoutInSeconds: i, credentials: s });
+    } catch (l) {
+      throw r.error("Network Error"), l;
+    }
+    r.debug("HTTP response received, status", n.status);
+    const a = n.headers.get("Content-Type");
+    if (a && !this._contentTypes.find((l) => a.startsWith(l)) && r.throw(new Error(`Invalid response Content-Type: ${a ?? "undefined"}, from URL: ${e}`)), n.ok && this._jwtHandler && (a != null && a.startsWith("application/jwt")))
+      return await this._jwtHandler(await n.text());
+    let c;
+    try {
+      c = await n.json();
+    } catch (l) {
+      throw r.error("Error parsing JSON response", l), n.ok ? l : new Error(`${n.statusText} (${n.status})`);
+    }
+    if (!n.ok)
+      throw r.error("Error from server:", c), c.error ? new q(c) : new Error(`${n.statusText} (${n.status}): ${JSON.stringify(c)}`);
+    return c;
+  }
+  async postForm(e, {
+    body: t,
+    basicAuth: s,
+    timeoutInSeconds: i,
+    initCredentials: r,
+    extraHeaders: o
+  }) {
+    const n = this._logger.create("postForm"), a = {
+      Accept: this._contentTypes.join(", "),
+      "Content-Type": "application/x-www-form-urlencoded",
+      ...o
+    };
+    s !== void 0 && (a.Authorization = "Basic " + s), this._appendExtraHeaders(a);
+    let c;
+    try {
+      n.debug("url:", e), c = await this.fetchWithTimeout(e, { method: "POST", headers: a, body: t, timeoutInSeconds: i, credentials: r });
+    } catch (u) {
+      throw n.error("Network error"), u;
+    }
+    n.debug("HTTP response received, status", c.status);
+    const l = c.headers.get("Content-Type");
+    if (l && !this._contentTypes.find((u) => l.startsWith(u)))
+      throw new Error(`Invalid response Content-Type: ${l ?? "undefined"}, from URL: ${e}`);
+    const d = await c.text();
+    let h = {};
+    if (d)
+      try {
+        h = JSON.parse(d);
+      } catch (u) {
+        throw n.error("Error parsing JSON response", u), c.ok ? u : new Error(`${c.statusText} (${c.status})`);
+      }
+    if (!c.ok) {
+      if (n.error("Error from server:", h), c.headers.has("dpop-nonce")) {
+        const u = c.headers.get("dpop-nonce");
+        throw new F(u, `${JSON.stringify(h)}`);
+      }
+      throw h.error ? new q(h, t) : new Error(`${c.statusText} (${c.status}): ${JSON.stringify(h)}`);
+    }
+    return h;
+  }
+  _appendExtraHeaders(e) {
+    const t = this._logger.create("appendExtraHeaders"), s = Object.keys(this._extraHeaders), i = [
+      "accept",
+      "content-type"
+    ], r = [
+      "authorization"
+    ];
+    s.length !== 0 && s.forEach((o) => {
+      if (i.includes(o.toLocaleLowerCase())) {
+        t.warn("Protected header could not be set", o, i);
+        return;
+      }
+      if (r.includes(o.toLocaleLowerCase()) && Object.keys(e).includes(o)) {
+        t.warn("Header could not be overridden", o, r);
+        return;
+      }
+      const n = typeof this._extraHeaders[o] == "function" ? this._extraHeaders[o]() : this._extraHeaders[o];
+      n && n !== "" && (e[o] = n);
+    });
+  }
+}, xe = class {
+  constructor(e) {
+    this._settings = e, this._logger = new g("MetadataService"), this._signingKeys = null, this._metadata = null, this._metadataUrl = this._settings.metadataUrl, this._jsonService = new Q(
+      ["application/jwk-set+json"],
+      null,
+      this._settings.extraHeaders
+    ), this._settings.signingKeys && (this._logger.debug("using signingKeys from settings"), this._signingKeys = this._settings.signingKeys), this._settings.metadata && (this._logger.debug("using metadata from settings"), this._metadata = this._settings.metadata), this._settings.fetchRequestCredentials && (this._logger.debug("using fetchRequestCredentials from settings"), this._fetchRequestCredentials = this._settings.fetchRequestCredentials);
+  }
+  resetSigningKeys() {
+    this._signingKeys = null;
+  }
+  async getMetadata() {
+    const e = this._logger.create("getMetadata");
+    if (this._metadata)
+      return e.debug("using cached values"), this._metadata;
+    if (!this._metadataUrl)
+      throw e.throw(new Error("No authority or metadataUrl configured on settings")), null;
+    e.debug("getting metadata from", this._metadataUrl);
+    const t = await this._jsonService.getJson(this._metadataUrl, { credentials: this._fetchRequestCredentials, timeoutInSeconds: this._settings.requestTimeoutInSeconds });
+    return e.debug("merging remote JSON with seed metadata"), this._metadata = Object.assign({}, t, this._settings.metadataSeed), this._metadata;
+  }
+  getIssuer() {
+    return this._getMetadataProperty("issuer");
+  }
+  getAuthorizationEndpoint() {
+    return this._getMetadataProperty("authorization_endpoint");
+  }
+  getUserInfoEndpoint() {
+    return this._getMetadataProperty("userinfo_endpoint");
+  }
+  getTokenEndpoint(e = !0) {
+    return this._getMetadataProperty("token_endpoint", e);
+  }
+  getCheckSessionIframe() {
+    return this._getMetadataProperty("check_session_iframe", !0);
+  }
+  getEndSessionEndpoint() {
+    return this._getMetadataProperty("end_session_endpoint", !0);
+  }
+  getRevocationEndpoint(e = !0) {
+    return this._getMetadataProperty("revocation_endpoint", e);
+  }
+  getKeysEndpoint(e = !0) {
+    return this._getMetadataProperty("jwks_uri", e);
+  }
+  async _getMetadataProperty(e, t = !1) {
+    const s = this._logger.create(`_getMetadataProperty('${e}')`), i = await this.getMetadata();
+    if (s.debug("resolved"), i[e] === void 0) {
+      if (t === !0) {
+        s.warn("Metadata does not contain optional property");
+        return;
+      }
+      s.throw(new Error("Metadata does not contain property " + e));
+    }
+    return i[e];
+  }
+  async getSigningKeys() {
+    const e = this._logger.create("getSigningKeys");
+    if (this._signingKeys)
+      return e.debug("returning signingKeys from cache"), this._signingKeys;
+    const t = await this.getKeysEndpoint(!1);
+    e.debug("got jwks_uri", t);
+    const s = await this._jsonService.getJson(t, { timeoutInSeconds: this._settings.requestTimeoutInSeconds });
+    if (e.debug("got key set", s), !Array.isArray(s.keys))
+      throw e.throw(new Error("Missing keys on keyset")), null;
+    return this._signingKeys = s.keys, this._signingKeys;
+  }
+}, ne = class {
+  constructor({
+    prefix: e = "oidc.",
+    store: t = localStorage
+  } = {}) {
+    this._logger = new g("WebStorageStateStore"), this._store = t, this._prefix = e;
+  }
+  async set(e, t) {
+    this._logger.create(`set('${e}')`), e = this._prefix + e, await this._store.setItem(e, t);
+  }
+  async get(e) {
+    return this._logger.create(`get('${e}')`), e = this._prefix + e, await this._store.getItem(e);
+  }
+  async remove(e) {
+    this._logger.create(`remove('${e}')`), e = this._prefix + e;
+    const t = await this._store.getItem(e);
+    return await this._store.removeItem(e), t;
+  }
+  async getAllKeys() {
+    this._logger.create("getAllKeys");
+    const e = await this._store.length, t = [];
+    for (let s = 0; s < e; s++) {
+      const i = await this._store.key(s);
+      i && i.indexOf(this._prefix) === 0 && t.push(i.substr(this._prefix.length));
+    }
+    return t;
+  }
+}, Ue = "code", Ae = "openid", Oe = "client_secret_post", qe = 900, z = class {
+  constructor({
+    // metadata related
+    authority: e,
+    metadataUrl: t,
+    metadata: s,
+    signingKeys: i,
+    metadataSeed: r,
+    // client related
+    client_id: o,
+    client_secret: n,
+    response_type: a = Ue,
+    scope: c = Ae,
+    redirect_uri: l,
+    post_logout_redirect_uri: d,
+    client_authentication: h = Oe,
+    token_endpoint_auth_signing_alg: u = "HS256",
+    // optional protocol
+    prompt: w,
+    display: C,
+    max_age: x,
+    ui_locales: U,
+    acr_values: A,
+    resource: P,
+    response_mode: O,
+    // behavior flags
+    filterProtocolClaims: R = !0,
+    loadUserInfo: S = !1,
+    requestTimeoutInSeconds: p,
+    staleStateAgeInSeconds: E = qe,
+    mergeClaimsStrategy: v = { array: "replace" },
+    disablePKCE: f = !1,
+    // other behavior
+    stateStore: M,
+    revokeTokenAdditionalContentTypes: fe,
+    fetchRequestCredentials: X,
+    refreshTokenAllowedScope: me,
+    // extra
+    extraQueryParams: Se = {},
+    extraTokenParams: ve = {},
+    extraHeaders: ye = {},
+    dpop: be,
+    omitScopeWhenRequesting: ke = !1
+  }) {
+    var Y;
+    if (this.authority = e, t ? this.metadataUrl = t : (this.metadataUrl = e, e && (this.metadataUrl.endsWith("/") || (this.metadataUrl += "/"), this.metadataUrl += ".well-known/openid-configuration")), this.metadata = s, this.metadataSeed = r, this.signingKeys = i, this.client_id = o, this.client_secret = n, this.response_type = a, this.scope = c, this.redirect_uri = l, this.post_logout_redirect_uri = d, this.client_authentication = h, this.token_endpoint_auth_signing_alg = u, this.prompt = w, this.display = C, this.max_age = x, this.ui_locales = U, this.acr_values = A, this.resource = P, this.response_mode = O, this.filterProtocolClaims = R ?? !0, this.loadUserInfo = !!S, this.staleStateAgeInSeconds = E, this.mergeClaimsStrategy = v, this.omitScopeWhenRequesting = ke, this.disablePKCE = !!f, this.revokeTokenAdditionalContentTypes = fe, this.fetchRequestCredentials = X || "same-origin", this.requestTimeoutInSeconds = p, M)
+      this.stateStore = M;
+    else {
+      const Ee = typeof window < "u" ? window.localStorage : new re();
+      this.stateStore = new ne({ store: Ee });
+    }
+    if (this.refreshTokenAllowedScope = me, this.extraQueryParams = Se, this.extraTokenParams = ve, this.extraHeaders = ye, this.dpop = be, this.dpop && !((Y = this.dpop) != null && Y.store))
+      throw new Error("A DPoPStore is required when dpop is enabled");
+  }
+}, Ne = class {
+  constructor(e, t) {
+    this._settings = e, this._metadataService = t, this._logger = new g("UserInfoService"), this._getClaimsFromJwt = async (s) => {
+      const i = this._logger.create("_getClaimsFromJwt");
+      try {
+        const r = H.decode(s);
+        return i.debug("JWT decoding successful"), r;
+      } catch (r) {
+        throw i.error("Error parsing JWT response"), r;
+      }
+    }, this._jsonService = new Q(
+      void 0,
+      this._getClaimsFromJwt,
+      this._settings.extraHeaders
+    );
+  }
+  async getClaims(e) {
+    const t = this._logger.create("getClaims");
+    e || this._logger.throw(new Error("No token passed"));
+    const s = await this._metadataService.getUserInfoEndpoint();
+    t.debug("got userinfo url", s);
+    const i = await this._jsonService.getJson(s, {
+      token: e,
+      credentials: this._settings.fetchRequestCredentials,
+      timeoutInSeconds: this._settings.requestTimeoutInSeconds
+    });
+    return t.debug("got claims", i), i;
+  }
+}, oe = class {
+  constructor(e, t) {
+    this._settings = e, this._metadataService = t, this._logger = new g("TokenClient"), this._jsonService = new Q(
+      this._settings.revokeTokenAdditionalContentTypes,
+      null,
+      this._settings.extraHeaders
+    );
+  }
+  /**
+   * Exchange code.
+   *
+   * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
+   */
+  async exchangeCode({
+    grant_type: e = "authorization_code",
+    redirect_uri: t = this._settings.redirect_uri,
+    client_id: s = this._settings.client_id,
+    client_secret: i = this._settings.client_secret,
+    extraHeaders: r,
+    ...o
+  }) {
+    const n = this._logger.create("exchangeCode");
+    s || n.throw(new Error("A client_id is required")), t || n.throw(new Error("A redirect_uri is required")), o.code || n.throw(new Error("A code is required"));
+    const a = new URLSearchParams({ grant_type: e, redirect_uri: t });
+    for (const [h, u] of Object.entries(o))
+      u != null && a.set(h, u);
+    if ((this._settings.client_authentication === "client_secret_basic" || this._settings.client_authentication === "client_secret_jwt") && i == null)
+      throw n.throw(new Error("A client_secret is required")), null;
+    let c;
+    const l = await this._metadataService.getTokenEndpoint(!1);
+    switch (this._settings.client_authentication) {
+      case "client_secret_basic":
+        c = _.generateBasicAuth(s, i);
+        break;
+      case "client_secret_post":
+        a.append("client_id", s), i && a.append("client_secret", i);
+        break;
+      case "client_secret_jwt": {
+        const h = await _.generateClientAssertionJwt(s, i, l, this._settings.token_endpoint_auth_signing_alg);
+        a.append("client_id", s), a.append("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), a.append("client_assertion", h);
+        break;
+      }
+    }
+    n.debug("got token endpoint");
+    const d = await this._jsonService.postForm(l, {
+      body: a,
+      basicAuth: c,
+      timeoutInSeconds: this._settings.requestTimeoutInSeconds,
+      initCredentials: this._settings.fetchRequestCredentials,
+      extraHeaders: r
+    });
+    return n.debug("got response"), d;
+  }
+  /**
+   * Exchange credentials.
+   *
+   * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2
+   */
+  async exchangeCredentials({
+    grant_type: e = "password",
+    client_id: t = this._settings.client_id,
+    client_secret: s = this._settings.client_secret,
+    scope: i = this._settings.scope,
+    ...r
+  }) {
+    const o = this._logger.create("exchangeCredentials");
+    t || o.throw(new Error("A client_id is required"));
+    const n = new URLSearchParams({ grant_type: e });
+    this._settings.omitScopeWhenRequesting || n.set("scope", i);
+    for (const [d, h] of Object.entries(r))
+      h != null && n.set(d, h);
+    if ((this._settings.client_authentication === "client_secret_basic" || this._settings.client_authentication === "client_secret_jwt") && s == null)
+      throw o.throw(new Error("A client_secret is required")), null;
+    let a;
+    const c = await this._metadataService.getTokenEndpoint(!1);
+    switch (this._settings.client_authentication) {
+      case "client_secret_basic":
+        a = _.generateBasicAuth(t, s);
+        break;
+      case "client_secret_post":
+        n.append("client_id", t), s && n.append("client_secret", s);
+        break;
+      case "client_secret_jwt": {
+        const d = await _.generateClientAssertionJwt(t, s, c, this._settings.token_endpoint_auth_signing_alg);
+        n.append("client_id", t), n.append("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.append("client_assertion", d);
+        break;
+      }
+    }
+    o.debug("got token endpoint");
+    const l = await this._jsonService.postForm(c, { body: n, basicAuth: a, timeoutInSeconds: this._settings.requestTimeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });
+    return o.debug("got response"), l;
+  }
+  /**
+   * Exchange a refresh token.
+   *
+   * @see https://www.rfc-editor.org/rfc/rfc6749#section-6
+   */
+  async exchangeRefreshToken({
+    grant_type: e = "refresh_token",
+    client_id: t = this._settings.client_id,
+    client_secret: s = this._settings.client_secret,
+    timeoutInSeconds: i,
+    extraHeaders: r,
+    ...o
+  }) {
+    const n = this._logger.create("exchangeRefreshToken");
+    t || n.throw(new Error("A client_id is required")), o.refresh_token || n.throw(new Error("A refresh_token is required"));
+    const a = new URLSearchParams({ grant_type: e });
+    for (const [h, u] of Object.entries(o))
+      Array.isArray(u) ? u.forEach((w) => a.append(h, w)) : u != null && a.set(h, u);
+    if ((this._settings.client_authentication === "client_secret_basic" || this._settings.client_authentication === "client_secret_jwt") && s == null)
+      throw n.throw(new Error("A client_secret is required")), null;
+    let c;
+    const l = await this._metadataService.getTokenEndpoint(!1);
+    switch (this._settings.client_authentication) {
+      case "client_secret_basic":
+        c = _.generateBasicAuth(t, s);
+        break;
+      case "client_secret_post":
+        a.append("client_id", t), s && a.append("client_secret", s);
+        break;
+      case "client_secret_jwt": {
+        const h = await _.generateClientAssertionJwt(t, s, l, this._settings.token_endpoint_auth_signing_alg);
+        a.append("client_id", t), a.append("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), a.append("client_assertion", h);
+        break;
+      }
+    }
+    n.debug("got token endpoint");
+    const d = await this._jsonService.postForm(l, { body: a, basicAuth: c, timeoutInSeconds: i, initCredentials: this._settings.fetchRequestCredentials, extraHeaders: r });
+    return n.debug("got response"), d;
+  }
+  /**
+   * Revoke an access or refresh token.
+   *
+   * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
+   */
+  async revoke(e) {
+    var t;
+    const s = this._logger.create("revoke");
+    e.token || s.throw(new Error("A token is required"));
+    const i = await this._metadataService.getRevocationEndpoint(!1);
+    s.debug(`got revocation endpoint, revoking ${(t = e.token_type_hint) != null ? t : "default token type"}`);
+    const r = new URLSearchParams();
+    for (const [o, n] of Object.entries(e))
+      n != null && r.set(o, n);
+    r.set("client_id", this._settings.client_id), this._settings.client_secret && r.set("client_secret", this._settings.client_secret), await this._jsonService.postForm(i, { body: r, timeoutInSeconds: this._settings.requestTimeoutInSeconds }), s.debug("got response");
+  }
+}, Me = class {
+  constructor(e, t, s) {
+    this._settings = e, this._metadataService = t, this._claimsService = s, this._logger = new g("ResponseValidator"), this._userInfoService = new Ne(this._settings, this._metadataService), this._tokenClient = new oe(this._settings, this._metadataService);
+  }
+  async validateSigninResponse(e, t, s) {
+    const i = this._logger.create("validateSigninResponse");
+    this._processSigninState(e, t), i.debug("state processed"), await this._processCode(e, t, s), i.debug("code processed"), e.isOpenId && this._validateIdTokenAttributes(e), i.debug("tokens validated"), await this._processClaims(e, t == null ? void 0 : t.skipUserInfo, e.isOpenId), i.debug("claims processed");
+  }
+  async validateCredentialsResponse(e, t) {
+    const s = this._logger.create("validateCredentialsResponse"), i = e.isOpenId && !!e.id_token;
+    i && this._validateIdTokenAttributes(e), s.debug("tokens validated"), await this._processClaims(e, t, i), s.debug("claims processed");
+  }
+  async validateRefreshResponse(e, t) {
+    var s, i;
+    const r = this._logger.create("validateRefreshResponse");
+    e.userState = t.data, (s = e.session_state) != null || (e.session_state = t.session_state), (i = e.scope) != null || (e.scope = t.scope), e.isOpenId && e.id_token && (this._validateIdTokenAttributes(e, t.id_token), r.debug("ID Token validated")), e.id_token || (e.id_token = t.id_token, e.profile = t.profile);
+    const o = e.isOpenId && !!e.id_token;
+    await this._processClaims(e, !1, o), r.debug("claims processed");
+  }
+  validateSignoutResponse(e, t) {
+    const s = this._logger.create("validateSignoutResponse");
+    if (t.id !== e.state && s.throw(new Error("State does not match")), s.debug("state validated"), e.userState = t.data, e.error)
+      throw s.warn("Response was error", e.error), new q(e);
+  }
+  _processSigninState(e, t) {
+    var s;
+    const i = this._logger.create("_processSigninState");
+    if (t.id !== e.state && i.throw(new Error("State does not match")), t.client_id || i.throw(new Error("No client_id on state")), t.authority || i.throw(new Error("No authority on state")), this._settings.authority !== t.authority && i.throw(new Error("authority mismatch on settings vs. signin state")), this._settings.client_id && this._settings.client_id !== t.client_id && i.throw(new Error("client_id mismatch on settings vs. signin state")), i.debug("state validated"), e.userState = t.data, e.url_state = t.url_state, (s = e.scope) != null || (e.scope = t.scope), e.error)
+      throw i.warn("Response was error", e.error), new q(e);
+    t.code_verifier && !e.code && i.throw(new Error("Expected code in response"));
+  }
+  async _processClaims(e, t = !1, s = !0) {
+    const i = this._logger.create("_processClaims");
+    if (e.profile = this._claimsService.filterProtocolClaims(e.profile), t || !this._settings.loadUserInfo || !e.access_token) {
+      i.debug("not loading user info");
+      return;
+    }
+    i.debug("loading user info");
+    const r = await this._userInfoService.getClaims(e.access_token);
+    i.debug("user info claims received from user info endpoint"), s && r.sub !== e.profile.sub && i.throw(new Error("subject from UserInfo response does not match subject in ID Token")), e.profile = this._claimsService.mergeClaims(e.profile, this._claimsService.filterProtocolClaims(r)), i.debug("user info claims received, updated profile:", e.profile);
+  }
+  async _processCode(e, t, s) {
+    const i = this._logger.create("_processCode");
+    if (e.code) {
+      i.debug("Validating code");
+      const r = await this._tokenClient.exchangeCode({
+        client_id: t.client_id,
+        client_secret: t.client_secret,
+        code: e.code,
+        redirect_uri: t.redirect_uri,
+        code_verifier: t.code_verifier,
+        extraHeaders: s,
+        ...t.extraTokenParams
+      });
+      Object.assign(e, r);
+    } else
+      i.debug("No code to process");
+  }
+  _validateIdTokenAttributes(e, t) {
+    var s;
+    const i = this._logger.create("_validateIdTokenAttributes");
+    i.debug("decoding ID Token JWT");
+    const r = H.decode((s = e.id_token) != null ? s : "");
+    if (r.sub || i.throw(new Error("ID Token is missing a subject claim")), t) {
+      const o = H.decode(t);
+      r.sub !== o.sub && i.throw(new Error("sub in id_token does not match current sub")), r.auth_time && r.auth_time !== o.auth_time && i.throw(new Error("auth_time in id_token does not match original auth_time")), r.azp && r.azp !== o.azp && i.throw(new Error("azp in id_token does not match original azp")), !r.azp && o.azp && i.throw(new Error("azp not in id_token, but present in original id_token"));
+    }
+    e.profile = r;
+  }
+}, $ = class B {
+  constructor(t) {
+    this.id = t.id || _.generateUUIDv4(), this.data = t.data, t.created && t.created > 0 ? this.created = t.created : this.created = T.getEpochTime(), this.request_type = t.request_type, this.url_state = t.url_state;
+  }
+  toStorageString() {
+    return new g("State").create("toStorageString"), JSON.stringify({
+      id: this.id,
+      data: this.data,
+      created: this.created,
+      request_type: this.request_type,
+      url_state: this.url_state
+    });
+  }
+  static fromStorageString(t) {
+    return g.createStatic("State", "fromStorageString"), Promise.resolve(new B(JSON.parse(t)));
+  }
+  static async clearStaleState(t, s) {
+    const i = g.createStatic("State", "clearStaleState"), r = T.getEpochTime() - s, o = await t.getAllKeys();
+    i.debug("got keys", o);
+    for (let n = 0; n < o.length; n++) {
+      const a = o[n], c = await t.get(a);
+      let l = !1;
+      if (c)
+        try {
+          const d = await B.fromStorageString(c);
+          i.debug("got item from key:", a, d.created), d.created <= r && (l = !0);
+        } catch (d) {
+          i.error("Error parsing state for key:", a, d), l = !0;
+        }
+      else
+        i.debug("no item in storage for key:", a), l = !0;
+      l && (i.debug("removed item for key:", a), t.remove(a));
+    }
+  }
+}, ae = class V extends $ {
+  constructor(t) {
+    super(t), this.code_verifier = t.code_verifier, this.code_challenge = t.code_challenge, this.authority = t.authority, this.client_id = t.client_id, this.redirect_uri = t.redirect_uri, this.scope = t.scope, this.client_secret = t.client_secret, this.extraTokenParams = t.extraTokenParams, this.response_mode = t.response_mode, this.skipUserInfo = t.skipUserInfo;
+  }
+  static async create(t) {
+    const s = t.code_verifier === !0 ? _.generateCodeVerifier() : t.code_verifier || void 0, i = s ? await _.generateCodeChallenge(s) : void 0;
+    return new V({
+      ...t,
+      code_verifier: s,
+      code_challenge: i
+    });
+  }
+  toStorageString() {
+    return new g("SigninState").create("toStorageString"), JSON.stringify({
+      id: this.id,
+      data: this.data,
+      created: this.created,
+      request_type: this.request_type,
+      url_state: this.url_state,
+      code_verifier: this.code_verifier,
+      authority: this.authority,
+      client_id: this.client_id,
+      redirect_uri: this.redirect_uri,
+      scope: this.scope,
+      client_secret: this.client_secret,
+      extraTokenParams: this.extraTokenParams,
+      response_mode: this.response_mode,
+      skipUserInfo: this.skipUserInfo
+    });
+  }
+  static fromStorageString(t) {
+    g.createStatic("SigninState", "fromStorageString");
+    const s = JSON.parse(t);
+    return V.create(s);
+  }
+}, ce = class le {
+  constructor(t) {
+    this.url = t.url, this.state = t.state;
+  }
+  static async create({
+    // mandatory
+    url: t,
+    authority: s,
+    client_id: i,
+    redirect_uri: r,
+    response_type: o,
+    scope: n,
+    // optional
+    state_data: a,
+    response_mode: c,
+    request_type: l,
+    client_secret: d,
+    nonce: h,
+    url_state: u,
+    resource: w,
+    skipUserInfo: C,
+    extraQueryParams: x,
+    extraTokenParams: U,
+    disablePKCE: A,
+    dpopJkt: P,
+    omitScopeWhenRequesting: O,
+    ...R
+  }) {
+    if (!t)
+      throw this._logger.error("create: No url passed"), new Error("url");
+    if (!i)
+      throw this._logger.error("create: No client_id passed"), new Error("client_id");
+    if (!r)
+      throw this._logger.error("create: No redirect_uri passed"), new Error("redirect_uri");
+    if (!o)
+      throw this._logger.error("create: No response_type passed"), new Error("response_type");
+    if (!n)
+      throw this._logger.error("create: No scope passed"), new Error("scope");
+    if (!s)
+      throw this._logger.error("create: No authority passed"), new Error("authority");
+    const S = await ae.create({
+      data: a,
+      request_type: l,
+      url_state: u,
+      code_verifier: !A,
+      client_id: i,
+      authority: s,
+      redirect_uri: r,
+      response_mode: c,
+      client_secret: d,
+      scope: n,
+      extraTokenParams: U,
+      skipUserInfo: C
+    }), p = new URL(t);
+    p.searchParams.append("client_id", i), p.searchParams.append("redirect_uri", r), p.searchParams.append("response_type", o), O || p.searchParams.append("scope", n), h && p.searchParams.append("nonce", h), P && p.searchParams.append("dpop_jkt", P);
+    let E = S.id;
+    u && (E = `${E}${N}${u}`), p.searchParams.append("state", E), S.code_challenge && (p.searchParams.append("code_challenge", S.code_challenge), p.searchParams.append("code_challenge_method", "S256")), w && (Array.isArray(w) ? w : [w]).forEach((f) => p.searchParams.append("resource", f));
+    for (const [v, f] of Object.entries({ response_mode: c, ...R, ...x }))
+      f != null && p.searchParams.append(v, f.toString());
+    return new le({
+      url: p.href,
+      state: S
+    });
+  }
 };
-function F(e, t) {
-  const r = e[u];
-  return (r ? d(r) : e)[t];
-}
-function ne(e, t, r) {
-  var i;
-  const n = H(t, r);
-  return n ? "value" in n ? n.value : (
-    // This is a very special case, if the prop is a getter defined by the
-    // prototype, we should invoke it with the draft as context!
-    (i = n.get) == null ? void 0 : i.call(e.draft_)
-  ) : void 0;
-}
-function H(e, t) {
-  if (!(t in e))
-    return;
-  let r = m(e);
-  for (; r; ) {
-    const n = Object.getOwnPropertyDescriptor(r, t);
-    if (n)
-      return n;
-    r = m(r);
-  }
-}
-function I(e) {
-  e.modified_ || (e.modified_ = !0, e.parent_ && I(e.parent_));
-}
-function E(e) {
-  e.copy_ || (e.copy_ = N(
-    e.base_,
-    e.scope_.immer_.useStrictShallowCopy_
-  ));
-}
-var ie = class {
+ce._logger = new g("SigninRequest");
+var He = ce, je = "openid", J = class {
+  constructor(e) {
+    if (this.access_token = "", this.token_type = "", this.profile = {}, this.state = e.get("state"), this.session_state = e.get("session_state"), this.state) {
+      const t = decodeURIComponent(this.state).split(N);
+      this.state = t[0], t.length > 1 && (this.url_state = t.slice(1).join(N));
+    }
+    this.error = e.get("error"), this.error_description = e.get("error_description"), this.error_uri = e.get("error_uri"), this.code = e.get("code");
+  }
+  get expires_in() {
+    if (this.expires_at !== void 0)
+      return this.expires_at - T.getEpochTime();
+  }
+  set expires_in(e) {
+    typeof e == "string" && (e = Number(e)), e !== void 0 && e >= 0 && (this.expires_at = Math.floor(e) + T.getEpochTime());
+  }
+  get isOpenId() {
+    var e;
+    return ((e = this.scope) == null ? void 0 : e.split(" ").includes(je)) || !!this.id_token;
+  }
+}, De = class {
+  constructor({
+    url: e,
+    state_data: t,
+    id_token_hint: s,
+    post_logout_redirect_uri: i,
+    extraQueryParams: r,
+    request_type: o,
+    client_id: n,
+    url_state: a
+  }) {
+    if (this._logger = new g("SignoutRequest"), !e)
+      throw this._logger.error("ctor: No url passed"), new Error("url");
+    const c = new URL(e);
+    if (s && c.searchParams.append("id_token_hint", s), n && c.searchParams.append("client_id", n), i && (c.searchParams.append("post_logout_redirect_uri", i), t || a)) {
+      this.state = new $({ data: t, request_type: o, url_state: a });
+      let l = this.state.id;
+      a && (l = `${l}${N}${a}`), c.searchParams.append("state", l);
+    }
+    for (const [l, d] of Object.entries({ ...r }))
+      d != null && c.searchParams.append(l, d.toString());
+    this.url = c.href;
+  }
+}, $e = class {
+  constructor(e) {
+    if (this.state = e.get("state"), this.state) {
+      const t = decodeURIComponent(this.state).split(N);
+      this.state = t[0], t.length > 1 && (this.url_state = t.slice(1).join(N));
+    }
+    this.error = e.get("error"), this.error_description = e.get("error_description"), this.error_uri = e.get("error_uri");
+  }
+}, Je = [
+  "nbf",
+  "jti",
+  "auth_time",
+  "nonce",
+  "acr",
+  "amr",
+  "azp",
+  "at_hash"
+  // https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
+], We = ["sub", "iss", "aud", "exp", "iat"], Ke = class {
+  constructor(e) {
+    this._settings = e, this._logger = new g("ClaimsService");
+  }
+  filterProtocolClaims(e) {
+    const t = { ...e };
+    if (this._settings.filterProtocolClaims) {
+      let s;
+      Array.isArray(this._settings.filterProtocolClaims) ? s = this._settings.filterProtocolClaims : s = Je;
+      for (const i of s)
+        We.includes(i) || delete t[i];
+    }
+    return t;
+  }
+  mergeClaims(e, t) {
+    const s = { ...e };
+    for (const [i, r] of Object.entries(t))
+      if (s[i] !== r)
+        if (Array.isArray(s[i]) || Array.isArray(r))
+          if (this._settings.mergeClaimsStrategy.array == "replace")
+            s[i] = r;
+          else {
+            const o = Array.isArray(s[i]) ? s[i] : [s[i]];
+            for (const n of Array.isArray(r) ? r : [r])
+              o.includes(n) || o.push(n);
+            s[i] = o;
+          }
+        else typeof s[i] == "object" && typeof r == "object" ? s[i] = this.mergeClaims(s[i], r) : s[i] = r;
+    return s;
+  }
+}, de = class {
+  constructor(e, t) {
+    this.keys = e, this.nonce = t;
+  }
+}, Le = class {
+  constructor(e, t) {
+    this._logger = new g("OidcClient"), this.settings = e instanceof z ? e : new z(e), this.metadataService = t ?? new xe(this.settings), this._claimsService = new Ke(this.settings), this._validator = new Me(this.settings, this.metadataService, this._claimsService), this._tokenClient = new oe(this.settings, this.metadataService);
+  }
+  async createSigninRequest({
+    state: e,
+    request: t,
+    request_uri: s,
+    request_type: i,
+    id_token_hint: r,
+    login_hint: o,
+    skipUserInfo: n,
+    nonce: a,
+    url_state: c,
+    response_type: l = this.settings.response_type,
+    scope: d = this.settings.scope,
+    redirect_uri: h = this.settings.redirect_uri,
+    prompt: u = this.settings.prompt,
+    display: w = this.settings.display,
+    max_age: C = this.settings.max_age,
+    ui_locales: x = this.settings.ui_locales,
+    acr_values: U = this.settings.acr_values,
+    resource: A = this.settings.resource,
+    response_mode: P = this.settings.response_mode,
+    extraQueryParams: O = this.settings.extraQueryParams,
+    extraTokenParams: R = this.settings.extraTokenParams,
+    dpopJkt: S,
+    omitScopeWhenRequesting: p = this.settings.omitScopeWhenRequesting
+  }) {
+    const E = this._logger.create("createSigninRequest");
+    if (l !== "code")
+      throw new Error("Only the Authorization Code flow (with PKCE) is supported");
+    const v = await this.metadataService.getAuthorizationEndpoint();
+    E.debug("Received authorization endpoint", v);
+    const f = await He.create({
+      url: v,
+      authority: this.settings.authority,
+      client_id: this.settings.client_id,
+      redirect_uri: h,
+      response_type: l,
+      scope: d,
+      state_data: e,
+      url_state: c,
+      prompt: u,
+      display: w,
+      max_age: C,
+      ui_locales: x,
+      id_token_hint: r,
+      login_hint: o,
+      acr_values: U,
+      dpopJkt: S,
+      resource: A,
+      request: t,
+      request_uri: s,
+      extraQueryParams: O,
+      extraTokenParams: R,
+      request_type: i,
+      response_mode: P,
+      client_secret: this.settings.client_secret,
+      skipUserInfo: n,
+      nonce: a,
+      disablePKCE: this.settings.disablePKCE,
+      omitScopeWhenRequesting: p
+    });
+    await this.clearStaleState();
+    const M = f.state;
+    return await this.settings.stateStore.set(M.id, M.toStorageString()), f;
+  }
+  async readSigninResponseState(e, t = !1) {
+    const s = this._logger.create("readSigninResponseState"), i = new J(L.readParams(e, this.settings.response_mode));
+    if (!i.state)
+      throw s.throw(new Error("No state in response")), null;
+    const r = await this.settings.stateStore[t ? "remove" : "get"](i.state);
+    if (!r)
+      throw s.throw(new Error("No matching state found in storage")), null;
+    return { state: await ae.fromStorageString(r), response: i };
+  }
+  async processSigninResponse(e, t, s = !0) {
+    const i = this._logger.create("processSigninResponse"), { state: r, response: o } = await this.readSigninResponseState(e, s);
+    if (i.debug("received state from storage; validating response"), this.settings.dpop && this.settings.dpop.store) {
+      const n = await this.getDpopProof(this.settings.dpop.store);
+      t = { ...t, DPoP: n };
+    }
+    try {
+      await this._validator.validateSigninResponse(o, r, t);
+    } catch (n) {
+      if (n instanceof F && this.settings.dpop) {
+        const a = await this.getDpopProof(this.settings.dpop.store, n.nonce);
+        t.DPoP = a, await this._validator.validateSigninResponse(o, r, t);
+      } else
+        throw n;
+    }
+    return o;
+  }
+  async getDpopProof(e, t) {
+    let s, i;
+    return (await e.getAllKeys()).includes(this.settings.client_id) ? (i = await e.get(this.settings.client_id), i.nonce !== t && t && (i.nonce = t, await e.set(this.settings.client_id, i))) : (s = await _.generateDPoPKeys(), i = new de(s, t), await e.set(this.settings.client_id, i)), await _.generateDPoPProof({
+      url: await this.metadataService.getTokenEndpoint(!1),
+      httpMethod: "POST",
+      keyPair: i.keys,
+      nonce: i.nonce
+    });
+  }
+  async processResourceOwnerPasswordCredentials({
+    username: e,
+    password: t,
+    skipUserInfo: s = !1,
+    extraTokenParams: i = {}
+  }) {
+    const r = await this._tokenClient.exchangeCredentials({ username: e, password: t, ...i }), o = new J(new URLSearchParams());
+    return Object.assign(o, r), await this._validator.validateCredentialsResponse(o, s), o;
+  }
+  async useRefreshToken({
+    state: e,
+    redirect_uri: t,
+    resource: s,
+    timeoutInSeconds: i,
+    extraHeaders: r,
+    extraTokenParams: o
+  }) {
+    var n;
+    const a = this._logger.create("useRefreshToken");
+    let c;
+    if (this.settings.refreshTokenAllowedScope === void 0)
+      c = e.scope;
+    else {
+      const h = this.settings.refreshTokenAllowedScope.split(" ");
+      c = (((n = e.scope) == null ? void 0 : n.split(" ")) || []).filter((w) => h.includes(w)).join(" ");
+    }
+    if (this.settings.dpop && this.settings.dpop.store) {
+      const h = await this.getDpopProof(this.settings.dpop.store);
+      r = { ...r, DPoP: h };
+    }
+    let l;
+    try {
+      l = await this._tokenClient.exchangeRefreshToken({
+        refresh_token: e.refresh_token,
+        // provide the (possible filtered) scope list
+        scope: c,
+        redirect_uri: t,
+        resource: s,
+        timeoutInSeconds: i,
+        extraHeaders: r,
+        ...o
+      });
+    } catch (h) {
+      if (h instanceof F && this.settings.dpop)
+        r.DPoP = await this.getDpopProof(this.settings.dpop.store, h.nonce), l = await this._tokenClient.exchangeRefreshToken({
+          refresh_token: e.refresh_token,
+          // provide the (possible filtered) scope list
+          scope: c,
+          redirect_uri: t,
+          resource: s,
+          timeoutInSeconds: i,
+          extraHeaders: r,
+          ...o
+        });
+      else
+        throw h;
+    }
+    const d = new J(new URLSearchParams());
+    return Object.assign(d, l), a.debug("validating response", d), await this._validator.validateRefreshResponse(d, {
+      ...e,
+      // override the scope in the state handed over to the validator
+      // so it can set the granted scope to the requested scope in case none is included in the response
+      scope: c
+    }), d;
+  }
+  async createSignoutRequest({
+    state: e,
+    id_token_hint: t,
+    client_id: s,
+    request_type: i,
+    url_state: r,
+    post_logout_redirect_uri: o = this.settings.post_logout_redirect_uri,
+    extraQueryParams: n = this.settings.extraQueryParams
+  } = {}) {
+    const a = this._logger.create("createSignoutRequest"), c = await this.metadataService.getEndSessionEndpoint();
+    if (!c)
+      throw a.throw(new Error("No end session endpoint")), null;
+    a.debug("Received end session endpoint", c), !s && o && !t && (s = this.settings.client_id);
+    const l = new De({
+      url: c,
+      id_token_hint: t,
+      client_id: s,
+      post_logout_redirect_uri: o,
+      state_data: e,
+      extraQueryParams: n,
+      request_type: i,
+      url_state: r
+    });
+    await this.clearStaleState();
+    const d = l.state;
+    return d && (a.debug("Signout request has state to persist"), await this.settings.stateStore.set(d.id, d.toStorageString())), l;
+  }
+  async readSignoutResponseState(e, t = !1) {
+    const s = this._logger.create("readSignoutResponseState"), i = new $e(L.readParams(e, this.settings.response_mode));
+    if (!i.state) {
+      if (s.debug("No state in response"), i.error)
+        throw s.warn("Response was error:", i.error), new q(i);
+      return { state: void 0, response: i };
+    }
+    const r = await this.settings.stateStore[t ? "remove" : "get"](i.state);
+    if (!r)
+      throw s.throw(new Error("No matching state found in storage")), null;
+    return { state: await $.fromStorageString(r), response: i };
+  }
+  async processSignoutResponse(e) {
+    const t = this._logger.create("processSignoutResponse"), { state: s, response: i } = await this.readSignoutResponseState(e, !0);
+    return s ? (t.debug("Received state from storage; validating response"), this._validator.validateSignoutResponse(i, s)) : t.debug("No state from storage; skipping response validation"), i;
+  }
+  clearStaleState() {
+    return this._logger.create("clearStaleState"), $.clearStaleState(this.settings.stateStore, this.settings.staleStateAgeInSeconds);
+  }
+  async revokeToken(e, t) {
+    return this._logger.create("revokeToken"), await this._tokenClient.revoke({
+      token: e,
+      token_type_hint: t
+    });
+  }
+}, Fe = class {
   constructor(e) {
-    this.autoFreeze_ = !0, this.useStrictShallowCopy_ = !1, this.produce = (t, r, n) => {
-      if (typeof t == "function" && typeof r != "function") {
-        const o = r;
-        r = t;
-        const s = this;
-        return function(l = o, ...q) {
-          return s.produce(l, (J) => r.call(this, J, ...q));
+    this._userManager = e, this._logger = new g("SessionMonitor"), this._start = async (t) => {
+      const s = t.session_state;
+      if (!s)
+        return;
+      const i = this._logger.create("_start");
+      if (t.profile ? (this._sub = t.profile.sub, i.debug("session_state", s, ", sub", this._sub)) : (this._sub = void 0, i.debug("session_state", s, ", anonymous user")), this._checkSessionIFrame) {
+        this._checkSessionIFrame.start(s);
+        return;
+      }
+      try {
+        const r = await this._userManager.metadataService.getCheckSessionIframe();
+        if (r) {
+          i.debug("initializing check session iframe");
+          const o = this._userManager.settings.client_id, n = this._userManager.settings.checkSessionIntervalInSeconds, a = this._userManager.settings.stopCheckSessionOnError, c = new Ce(this._callback, o, r, n, a);
+          await c.load(), this._checkSessionIFrame = c, c.start(s);
+        } else
+          i.warn("no check session iframe found in the metadata");
+      } catch (r) {
+        i.error("Error from getCheckSessionIframe:", r instanceof Error ? r.message : r);
+      }
+    }, this._stop = () => {
+      const t = this._logger.create("_stop");
+      if (this._sub = void 0, this._checkSessionIFrame && this._checkSessionIFrame.stop(), this._userManager.settings.monitorAnonymousSession) {
+        const s = setInterval(async () => {
+          clearInterval(s);
+          try {
+            const i = await this._userManager.querySessionStatus();
+            if (i) {
+              const r = {
+                session_state: i.session_state,
+                profile: i.sub ? {
+                  sub: i.sub
+                } : null
+              };
+              this._start(r);
+            }
+          } catch (i) {
+            t.error("error from querySessionStatus", i instanceof Error ? i.message : i);
+          }
+        }, 1e3);
+      }
+    }, this._callback = async () => {
+      const t = this._logger.create("_callback");
+      try {
+        const s = await this._userManager.querySessionStatus();
+        let i = !0;
+        s && this._checkSessionIFrame ? s.sub === this._sub ? (i = !1, this._checkSessionIFrame.start(s.session_state), t.debug("same sub still logged in at OP, session state has changed, restarting check session iframe; session_state", s.session_state), await this._userManager.events._raiseUserSessionChanged()) : t.debug("different subject signed into OP", s.sub) : t.debug("subject no longer signed into OP"), i ? this._sub ? await this._userManager.events._raiseUserSignedOut() : await this._userManager.events._raiseUserSignedIn() : t.debug("no change in session detected, no event to raise");
+      } catch (s) {
+        this._sub && (t.debug("Error calling queryCurrentSigninSession; raising signed out event", s), await this._userManager.events._raiseUserSignedOut());
+      }
+    }, e || this._logger.throw(new Error("No user manager passed")), this._userManager.events.addUserLoaded(this._start), this._userManager.events.addUserUnloaded(this._stop), this._init().catch((t) => {
+      this._logger.error(t);
+    });
+  }
+  async _init() {
+    this._logger.create("_init");
+    const e = await this._userManager.getUser();
+    if (e)
+      this._start(e);
+    else if (this._userManager.settings.monitorAnonymousSession) {
+      const t = await this._userManager.querySessionStatus();
+      if (t) {
+        const s = {
+          session_state: t.session_state,
+          profile: t.sub ? {
+            sub: t.sub
+          } : null
         };
+        this._start(s);
       }
-      typeof r != "function" && f(6), n !== void 0 && typeof n != "function" && f(7);
-      let i;
-      if (_(t)) {
-        const o = j(this), s = k(t, void 0);
-        let c = !0;
-        try {
-          i = r(s), c = !1;
-        } finally {
-          c ? v(o) : C(o);
+    }
+  }
+}, W = class he {
+  constructor(t) {
+    var s;
+    this.id_token = t.id_token, this.session_state = (s = t.session_state) != null ? s : null, this.access_token = t.access_token, this.refresh_token = t.refresh_token, this.token_type = t.token_type, this.scope = t.scope, this.profile = t.profile, this.expires_at = t.expires_at, this.state = t.userState, this.url_state = t.url_state;
+  }
+  /** Computed number of seconds the access token has remaining. */
+  get expires_in() {
+    if (this.expires_at !== void 0)
+      return this.expires_at - T.getEpochTime();
+  }
+  set expires_in(t) {
+    t !== void 0 && (this.expires_at = Math.floor(t) + T.getEpochTime());
+  }
+  /** Computed value indicating if the access token is expired. */
+  get expired() {
+    const t = this.expires_in;
+    if (t !== void 0)
+      return t <= 0;
+  }
+  /** Array representing the parsed values from the `scope`. */
+  get scopes() {
+    var t, s;
+    return (s = (t = this.scope) == null ? void 0 : t.split(" ")) != null ? s : [];
+  }
+  toStorageString() {
+    return new g("User").create("toStorageString"), JSON.stringify({
+      id_token: this.id_token,
+      session_state: this.session_state,
+      access_token: this.access_token,
+      refresh_token: this.refresh_token,
+      token_type: this.token_type,
+      scope: this.scope,
+      profile: this.profile,
+      expires_at: this.expires_at
+    });
+  }
+  static fromStorageString(t) {
+    return g.createStatic("User", "fromStorageString"), new he(JSON.parse(t));
+  }
+}, ee = "oidc-client", ge = class {
+  constructor() {
+    this._abort = new I("Window navigation aborted"), this._disposeHandlers = /* @__PURE__ */ new Set(), this._window = null;
+  }
+  async navigate(e) {
+    const t = this._logger.create("navigate");
+    if (!this._window)
+      throw new Error("Attempted to navigate on a disposed window");
+    t.debug("setting URL in window"), this._window.location.replace(e.url);
+    const { url: s, keepOpen: i } = await new Promise((r, o) => {
+      const n = (c) => {
+        var l;
+        const d = c.data, h = (l = e.scriptOrigin) != null ? l : window.location.origin;
+        if (!(c.origin !== h || (d == null ? void 0 : d.source) !== ee)) {
+          try {
+            const u = L.readParams(d.url, e.response_mode).get("state");
+            if (u || t.warn("no state found in response url"), c.source !== this._window && u !== e.state)
+              return;
+          } catch {
+            this._dispose(), o(new Error("Invalid response from window"));
+          }
+          r(d);
         }
-        return x(o, n), $(i, o);
-      } else if (!t || typeof t != "object") {
-        if (i = r(t), i === void 0 && (i = t), i === W && (i = void 0), this.autoFreeze_ && T(i, !0), n) {
-          const o = [], s = [];
-          y("Patches").generateReplacementPatches_(t, i, o, s), n(o, s);
+      };
+      window.addEventListener("message", n, !1), this._disposeHandlers.add(() => window.removeEventListener("message", n, !1));
+      const a = new BroadcastChannel(`oidc-client-popup-${e.state}`);
+      a.addEventListener("message", n, !1), this._disposeHandlers.add(() => a.close()), this._disposeHandlers.add(this._abort.addHandler((c) => {
+        this._dispose(), o(c);
+      }));
+    });
+    return t.debug("got response from window"), this._dispose(), i || this.close(), { url: s };
+  }
+  _dispose() {
+    this._logger.create("_dispose");
+    for (const e of this._disposeHandlers)
+      e();
+    this._disposeHandlers.clear();
+  }
+  static _notifyParent(e, t, s = !1, i = window.location.origin) {
+    const r = {
+      source: ee,
+      url: t,
+      keepOpen: s
+    }, o = new g("_notifyParent");
+    if (e)
+      o.debug("With parent. Using parent.postMessage."), e.postMessage(r, i);
+    else {
+      o.debug("No parent. Using BroadcastChannel.");
+      const n = new URL(t).searchParams.get("state");
+      if (!n)
+        throw new Error("No parent and no state in URL. Can't complete notification.");
+      const a = new BroadcastChannel(`oidc-client-popup-${n}`);
+      a.postMessage(r), a.close();
+    }
+  }
+}, ue = {
+  location: !1,
+  toolbar: !1,
+  height: 640,
+  closePopupWindowAfterInSeconds: -1
+}, _e = "_blank", ze = 60, Be = 2, pe = 10, Ve = class extends z {
+  constructor(e) {
+    const {
+      popup_redirect_uri: t = e.redirect_uri,
+      popup_post_logout_redirect_uri: s = e.post_logout_redirect_uri,
+      popupWindowFeatures: i = ue,
+      popupWindowTarget: r = _e,
+      redirectMethod: o = "assign",
+      redirectTarget: n = "self",
+      iframeNotifyParentOrigin: a = e.iframeNotifyParentOrigin,
+      iframeScriptOrigin: c = e.iframeScriptOrigin,
+      requestTimeoutInSeconds: l,
+      silent_redirect_uri: d = e.redirect_uri,
+      silentRequestTimeoutInSeconds: h,
+      automaticSilentRenew: u = !0,
+      validateSubOnSilentRenew: w = !0,
+      includeIdTokenInSilentRenew: C = !1,
+      monitorSession: x = !1,
+      monitorAnonymousSession: U = !1,
+      checkSessionIntervalInSeconds: A = Be,
+      query_status_response_type: P = "code",
+      stopCheckSessionOnError: O = !0,
+      revokeTokenTypes: R = ["access_token", "refresh_token"],
+      revokeTokensOnSignout: S = !1,
+      includeIdTokenInSilentSignout: p = !1,
+      accessTokenExpiringNotificationTimeInSeconds: E = ze,
+      userStore: v
+    } = e;
+    if (super(e), this.popup_redirect_uri = t, this.popup_post_logout_redirect_uri = s, this.popupWindowFeatures = i, this.popupWindowTarget = r, this.redirectMethod = o, this.redirectTarget = n, this.iframeNotifyParentOrigin = a, this.iframeScriptOrigin = c, this.silent_redirect_uri = d, this.silentRequestTimeoutInSeconds = h || l || pe, this.automaticSilentRenew = u, this.validateSubOnSilentRenew = w, this.includeIdTokenInSilentRenew = C, this.monitorSession = x, this.monitorAnonymousSession = U, this.checkSessionIntervalInSeconds = A, this.stopCheckSessionOnError = O, this.query_status_response_type = P, this.revokeTokenTypes = R, this.revokeTokensOnSignout = S, this.includeIdTokenInSilentSignout = p, this.accessTokenExpiringNotificationTimeInSeconds = E, v)
+      this.userStore = v;
+    else {
+      const f = typeof window < "u" ? window.sessionStorage : new re();
+      this.userStore = new ne({ store: f });
+    }
+  }
+}, te = class we extends ge {
+  constructor({
+    silentRequestTimeoutInSeconds: t = pe
+  }) {
+    super(), this._logger = new g("IFrameWindow"), this._timeoutInSeconds = t, this._frame = we.createHiddenIframe(), this._window = this._frame.contentWindow;
+  }
+  static createHiddenIframe() {
+    const t = window.document.createElement("iframe");
+    return t.style.visibility = "hidden", t.style.position = "fixed", t.style.left = "-1000px", t.style.top = "0", t.width = "0", t.height = "0", window.document.body.appendChild(t), t;
+  }
+  async navigate(t) {
+    this._logger.debug("navigate: Using timeout of:", this._timeoutInSeconds);
+    const s = setTimeout(() => void this._abort.raise(new G("IFrame timed out without a response")), this._timeoutInSeconds * 1e3);
+    return this._disposeHandlers.add(() => clearTimeout(s)), await super.navigate(t);
+  }
+  close() {
+    var t;
+    this._frame && (this._frame.parentNode && (this._frame.addEventListener("load", (s) => {
+      var i;
+      const r = s.target;
+      (i = r.parentNode) == null || i.removeChild(r), this._abort.raise(new Error("IFrame removed from DOM"));
+    }, !0), (t = this._frame.contentWindow) == null || t.location.replace("about:blank")), this._frame = null), this._window = null;
+  }
+  static notifyParent(t, s) {
+    return super._notifyParent(window.parent, t, !1, s);
+  }
+}, Ge = class {
+  constructor(e) {
+    this._settings = e, this._logger = new g("IFrameNavigator");
+  }
+  async prepare({
+    silentRequestTimeoutInSeconds: e = this._settings.silentRequestTimeoutInSeconds
+  }) {
+    return new te({ silentRequestTimeoutInSeconds: e });
+  }
+  async callback(e) {
+    this._logger.create("callback"), te.notifyParent(e, this._settings.iframeNotifyParentOrigin);
+  }
+}, Qe = 500, Xe = 1e3, se = class extends ge {
+  constructor({
+    popupWindowTarget: e = _e,
+    popupWindowFeatures: t = {},
+    popupSignal: s,
+    popupAbortOnClose: i
+  }) {
+    super(), this._logger = new g("PopupWindow");
+    const r = Z.center({ ...ue, ...t });
+    this._window = window.open(void 0, e, Z.serialize(r)), this.abortOnClose = !!i, s && s.addEventListener("abort", () => {
+      var o;
+      this._abort.raise(new Error((o = s.reason) != null ? o : "Popup aborted"));
+    }), t.closePopupWindowAfterInSeconds && t.closePopupWindowAfterInSeconds > 0 && setTimeout(() => {
+      if (!this._window || typeof this._window.closed != "boolean" || this._window.closed) {
+        this._abort.raise(new Error("Popup blocked by user"));
+        return;
+      }
+      this.close();
+    }, t.closePopupWindowAfterInSeconds * Xe);
+  }
+  async navigate(e) {
+    var t;
+    (t = this._window) == null || t.focus();
+    const s = setInterval(() => {
+      (!this._window || this._window.closed) && (this._logger.debug("Popup closed by user or isolated by redirect"), i(), this._disposeHandlers.delete(i), this.abortOnClose && this._abort.raise(new Error("Popup closed by user")));
+    }, Qe), i = () => clearInterval(s);
+    return this._disposeHandlers.add(i), await super.navigate(e);
+  }
+  close() {
+    this._window && (this._window.closed || (this._window.close(), this._abort.raise(new Error("Popup closed")))), this._window = null;
+  }
+  static notifyOpener(e, t) {
+    super._notifyParent(window.opener, e, t), !t && !window.opener && window.close();
+  }
+}, Ye = class {
+  constructor(e) {
+    this._settings = e, this._logger = new g("PopupNavigator");
+  }
+  async prepare({
+    popupWindowFeatures: e = this._settings.popupWindowFeatures,
+    popupWindowTarget: t = this._settings.popupWindowTarget,
+    popupSignal: s,
+    popupAbortOnClose: i
+  }) {
+    return new se({
+      popupWindowFeatures: e,
+      popupWindowTarget: t,
+      popupSignal: s,
+      popupAbortOnClose: i
+    });
+  }
+  async callback(e, { keepOpen: t = !1 }) {
+    this._logger.create("callback"), se.notifyOpener(e, t);
+  }
+}, Ze = class {
+  constructor(e) {
+    this._settings = e, this._logger = new g("RedirectNavigator");
+  }
+  async prepare({
+    redirectMethod: e = this._settings.redirectMethod,
+    redirectTarget: t = this._settings.redirectTarget
+  }) {
+    var s;
+    this._logger.create("prepare");
+    let i = window.self;
+    t === "top" && (i = (s = window.top) != null ? s : window.self);
+    const r = i.location[e].bind(i.location);
+    let o;
+    return {
+      navigate: async (n) => (this._logger.create("navigate"), await new Promise((c, l) => {
+        o = l, window.addEventListener("pageshow", () => c(window.location.href)), r(n.url);
+      })),
+      close: () => {
+        this._logger.create("close"), o == null || o(new Error("Redirect aborted")), i.stop();
+      }
+    };
+  }
+  async callback() {
+  }
+}, et = class extends Ie {
+  constructor(e) {
+    super({ expiringNotificationTimeInSeconds: e.accessTokenExpiringNotificationTimeInSeconds }), this._logger = new g("UserManagerEvents"), this._userLoaded = new I("User loaded"), this._userUnloaded = new I("User unloaded"), this._silentRenewError = new I("Silent renew error"), this._userSignedIn = new I("User signed in"), this._userSignedOut = new I("User signed out"), this._userSessionChanged = new I("User session changed");
+  }
+  async load(e, t = !0) {
+    await super.load(e), t && await this._userLoaded.raise(e);
+  }
+  async unload() {
+    await super.unload(), await this._userUnloaded.raise();
+  }
+  /**
+   * Add callback: Raised when a user session has been established (or re-established).
+   */
+  addUserLoaded(e) {
+    return this._userLoaded.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when a user session has been established (or re-established).
+   */
+  removeUserLoaded(e) {
+    return this._userLoaded.removeHandler(e);
+  }
+  /**
+   * Add callback: Raised when a user session has been terminated.
+   */
+  addUserUnloaded(e) {
+    return this._userUnloaded.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when a user session has been terminated.
+   */
+  removeUserUnloaded(e) {
+    return this._userUnloaded.removeHandler(e);
+  }
+  /**
+   * Add callback: Raised when the automatic silent renew has failed.
+   */
+  addSilentRenewError(e) {
+    return this._silentRenewError.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when the automatic silent renew has failed.
+   */
+  removeSilentRenewError(e) {
+    return this._silentRenewError.removeHandler(e);
+  }
+  /**
+   * @internal
+   */
+  async _raiseSilentRenewError(e) {
+    await this._silentRenewError.raise(e);
+  }
+  /**
+   * Add callback: Raised when the user is signed in (when `monitorSession` is set).
+   * @see {@link UserManagerSettings.monitorSession}
+   */
+  addUserSignedIn(e) {
+    return this._userSignedIn.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when the user is signed in (when `monitorSession` is set).
+   */
+  removeUserSignedIn(e) {
+    this._userSignedIn.removeHandler(e);
+  }
+  /**
+   * @internal
+   */
+  async _raiseUserSignedIn() {
+    await this._userSignedIn.raise();
+  }
+  /**
+   * Add callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).
+   * @see {@link UserManagerSettings.monitorSession}
+   */
+  addUserSignedOut(e) {
+    return this._userSignedOut.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when the user's sign-in status at the OP has changed (when `monitorSession` is set).
+   */
+  removeUserSignedOut(e) {
+    this._userSignedOut.removeHandler(e);
+  }
+  /**
+   * @internal
+   */
+  async _raiseUserSignedOut() {
+    await this._userSignedOut.raise();
+  }
+  /**
+   * Add callback: Raised when the user session changed (when `monitorSession` is set).
+   * @see {@link UserManagerSettings.monitorSession}
+   */
+  addUserSessionChanged(e) {
+    return this._userSessionChanged.addHandler(e);
+  }
+  /**
+   * Remove callback: Raised when the user session changed (when `monitorSession` is set).
+   */
+  removeUserSessionChanged(e) {
+    this._userSessionChanged.removeHandler(e);
+  }
+  /**
+   * @internal
+   */
+  async _raiseUserSessionChanged() {
+    await this._userSessionChanged.raise();
+  }
+}, tt = class {
+  constructor(e) {
+    this._userManager = e, this._logger = new g("SilentRenewService"), this._isStarted = !1, this._retryTimer = new T("Retry Silent Renew"), this._tokenExpiring = async () => {
+      const t = this._logger.create("_tokenExpiring");
+      try {
+        await this._userManager.signinSilent(), t.debug("silent token renewal successful");
+      } catch (s) {
+        if (s instanceof G) {
+          t.warn("ErrorTimeout from signinSilent:", s, "retry in 5s"), this._retryTimer.init(5);
+          return;
         }
-        return i;
-      } else
-        f(1, t);
-    }, this.produceWithPatches = (t, r) => {
-      if (typeof t == "function")
-        return (s, ...c) => this.produceWithPatches(s, (l) => t(l, ...c));
-      let n, i;
-      return [this.produce(t, r, (s, c) => {
-        n = s, i = c;
-      }), n, i];
-    }, typeof (e == null ? void 0 : e.autoFreeze) == "boolean" && this.setAutoFreeze(e.autoFreeze), typeof (e == null ? void 0 : e.useStrictShallowCopy) == "boolean" && this.setUseStrictShallowCopy(e.useStrictShallowCopy);
-  }
-  createDraft(e) {
-    _(e) || f(8), h(e) && (e = oe(e));
-    const t = j(this), r = k(e, void 0);
-    return r[u].isManual_ = !0, C(t), r;
-  }
-  finishDraft(e, t) {
-    const r = e && e[u];
-    (!r || !r.isManual_) && f(9);
-    const { scope_: n } = r;
-    return x(n, t), $(void 0, n);
-  }
-  /**
-   * Pass true to automatically freeze all copies created by Immer.
+        t.error("Error from signinSilent:", s), await this._userManager.events._raiseSilentRenewError(s);
+      }
+    };
+  }
+  async start() {
+    const e = this._logger.create("start");
+    if (!this._isStarted) {
+      this._isStarted = !0, this._userManager.events.addAccessTokenExpiring(this._tokenExpiring), this._retryTimer.addHandler(this._tokenExpiring);
+      try {
+        await this._userManager.getUser();
+      } catch (t) {
+        e.error("getUser error", t);
+      }
+    }
+  }
+  stop() {
+    this._isStarted && (this._retryTimer.cancel(), this._retryTimer.removeHandler(this._tokenExpiring), this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring), this._isStarted = !1);
+  }
+}, st = class {
+  constructor(e) {
+    this.refresh_token = e.refresh_token, this.id_token = e.id_token, this.session_state = e.session_state, this.scope = e.scope, this.profile = e.profile, this.data = e.state;
+  }
+}, rt = class {
+  constructor(e, t, s, i) {
+    this._logger = new g("UserManager"), this.settings = new Ve(e), this._client = new Le(e), this._redirectNavigator = t ?? new Ze(this.settings), this._popupNavigator = s ?? new Ye(this.settings), this._iframeNavigator = i ?? new Ge(this.settings), this._events = new et(this.settings), this._silentRenewService = new tt(this), this.settings.automaticSilentRenew && this.startSilentRenew(), this._sessionMonitor = null, this.settings.monitorSession && (this._sessionMonitor = new Fe(this));
+  }
+  /**
+   * Get object used to register for events raised by the `UserManager`.
+   */
+  get events() {
+    return this._events;
+  }
+  /**
+   * Get object used to access the metadata configuration of the identity provider.
+   */
+  get metadataService() {
+    return this._client.metadataService;
+  }
+  /**
+   * Load the `User` object for the currently authenticated user.
    *
-   * By default, auto-freezing is enabled.
+   * @param raiseEvent - If `true`, the `UserLoaded` event will be raised. Defaults to false.
+   * @returns A promise
    */
-  setAutoFreeze(e) {
-    this.autoFreeze_ = e;
+  async getUser(e = !1) {
+    const t = this._logger.create("getUser"), s = await this._loadUser();
+    return s ? (t.info("user loaded"), await this._events.load(s, e), s) : (t.info("user not found in storage"), null);
   }
   /**
-   * Pass true to enable strict shallow copy.
+   * Remove from any storage the currently authenticated user.
    *
-   * By default, immer does not copy the object descriptors such as getter, setter and non-enumrable properties.
+   * @returns A promise
    */
-  setUseStrictShallowCopy(e) {
-    this.useStrictShallowCopy_ = e;
+  async removeUser() {
+    const e = this._logger.create("removeUser");
+    await this.storeUser(null), e.info("user removed from storage"), await this._events.unload();
   }
-  applyPatches(e, t) {
+  /**
+   * Trigger a redirect of the current window to the authorization endpoint.
+   *
+   * @returns A promise
+   *
+   * @throws `Error` In cases of wrong authentication.
+   */
+  async signinRedirect(e = {}) {
+    var t;
+    this._logger.create("signinRedirect");
+    const {
+      redirectMethod: s,
+      ...i
+    } = e;
     let r;
-    for (r = t.length - 1; r >= 0; r--) {
-      const i = t[r];
-      if (i.path.length === 0 && i.op === "replace") {
-        e = i.value;
+    (t = this.settings.dpop) != null && t.bind_authorization_code && (r = await this.generateDPoPJkt(this.settings.dpop));
+    const o = await this._redirectNavigator.prepare({ redirectMethod: s });
+    await this._signinStart({
+      request_type: "si:r",
+      dpopJkt: r,
+      ...i
+    }, o);
+  }
+  /**
+   * Process the response (callback) from the authorization endpoint.
+   * It is recommended to use {@link UserManager.signinCallback} instead.
+   *
+   * @returns A promise containing the authenticated `User`.
+   *
+   * @see {@link UserManager.signinCallback}
+   */
+  async signinRedirectCallback(e = window.location.href) {
+    const t = this._logger.create("signinRedirectCallback"), s = await this._signinEnd(e);
+    return s.profile && s.profile.sub ? t.info("success, signed in subject", s.profile.sub) : t.info("no subject"), s;
+  }
+  /**
+   * Trigger the signin with user/password.
+   *
+   * @returns A promise containing the authenticated `User`.
+   * @throws {@link ErrorResponse} In cases of wrong authentication.
+   */
+  async signinResourceOwnerCredentials({
+    username: e,
+    password: t,
+    skipUserInfo: s = !1
+  }) {
+    const i = this._logger.create("signinResourceOwnerCredential"), r = await this._client.processResourceOwnerPasswordCredentials({
+      username: e,
+      password: t,
+      skipUserInfo: s,
+      extraTokenParams: this.settings.extraTokenParams
+    });
+    i.debug("got signin response");
+    const o = await this._buildUser(r);
+    return o.profile && o.profile.sub ? i.info("success, signed in subject", o.profile.sub) : i.info("no subject"), o;
+  }
+  /**
+   * Trigger a request (via a popup window) to the authorization endpoint.
+   *
+   * @returns A promise containing the authenticated `User`.
+   * @throws `Error` In cases of wrong authentication.
+   */
+  async signinPopup(e = {}) {
+    var t;
+    const s = this._logger.create("signinPopup");
+    let i;
+    (t = this.settings.dpop) != null && t.bind_authorization_code && (i = await this.generateDPoPJkt(this.settings.dpop));
+    const {
+      popupWindowFeatures: r,
+      popupWindowTarget: o,
+      popupSignal: n,
+      popupAbortOnClose: a,
+      ...c
+    } = e, l = this.settings.popup_redirect_uri;
+    l || s.throw(new Error("No popup_redirect_uri configured"));
+    const d = await this._popupNavigator.prepare({ popupWindowFeatures: r, popupWindowTarget: o, popupSignal: n, popupAbortOnClose: a }), h = await this._signin({
+      request_type: "si:p",
+      redirect_uri: l,
+      display: "popup",
+      dpopJkt: i,
+      ...c
+    }, d);
+    return h && (h.profile && h.profile.sub ? s.info("success, signed in subject", h.profile.sub) : s.info("no subject")), h;
+  }
+  /**
+   * Notify the opening window of response (callback) from the authorization endpoint.
+   * It is recommended to use {@link UserManager.signinCallback} instead.
+   *
+   * @returns A promise
+   *
+   * @see {@link UserManager.signinCallback}
+   */
+  async signinPopupCallback(e = window.location.href, t = !1) {
+    const s = this._logger.create("signinPopupCallback");
+    await this._popupNavigator.callback(e, { keepOpen: t }), s.info("success");
+  }
+  /**
+   * Trigger a silent request (via refresh token or an iframe) to the authorization endpoint.
+   *
+   * @returns A promise that contains the authenticated `User`.
+   */
+  async signinSilent(e = {}) {
+    var t, s;
+    const i = this._logger.create("signinSilent"), {
+      silentRequestTimeoutInSeconds: r,
+      ...o
+    } = e;
+    let n = await this._loadUser();
+    if (!e.forceIframeAuth && (n != null && n.refresh_token)) {
+      i.debug("using refresh token");
+      const h = new st(n);
+      return await this._useRefreshToken({
+        state: h,
+        redirect_uri: o.redirect_uri,
+        resource: o.resource,
+        extraTokenParams: o.extraTokenParams,
+        timeoutInSeconds: r
+      });
+    }
+    let a;
+    (t = this.settings.dpop) != null && t.bind_authorization_code && (a = await this.generateDPoPJkt(this.settings.dpop));
+    const c = this.settings.silent_redirect_uri;
+    c || i.throw(new Error("No silent_redirect_uri configured"));
+    let l;
+    n && this.settings.validateSubOnSilentRenew && (i.debug("subject prior to silent renew:", n.profile.sub), l = n.profile.sub);
+    const d = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds: r });
+    return n = await this._signin({
+      request_type: "si:s",
+      redirect_uri: c,
+      prompt: "none",
+      id_token_hint: this.settings.includeIdTokenInSilentRenew ? n == null ? void 0 : n.id_token : void 0,
+      dpopJkt: a,
+      ...o
+    }, d, l), n && ((s = n.profile) != null && s.sub ? i.info("success, signed in subject", n.profile.sub) : i.info("no subject")), n;
+  }
+  async _useRefreshToken(e) {
+    const t = await this._client.useRefreshToken({
+      timeoutInSeconds: this.settings.silentRequestTimeoutInSeconds,
+      ...e
+    }), s = new W({ ...e.state, ...t });
+    return await this.storeUser(s), await this._events.load(s), s;
+  }
+  /**
+   *
+   * Notify the parent window of response (callback) from the authorization endpoint.
+   * It is recommended to use {@link UserManager.signinCallback} instead.
+   *
+   * @returns A promise
+   *
+   * @see {@link UserManager.signinCallback}
+   */
+  async signinSilentCallback(e = window.location.href) {
+    const t = this._logger.create("signinSilentCallback");
+    await this._iframeNavigator.callback(e), t.info("success");
+  }
+  /**
+   * Process any response (callback) from the authorization endpoint, by dispatching the request_type
+   * and executing one of the following functions:
+   * - {@link UserManager.signinRedirectCallback}
+   * - {@link UserManager.signinPopupCallback}
+   * - {@link UserManager.signinSilentCallback}
+   *
+   * @throws `Error` If request_type is unknown or signin cannot be processed.
+   */
+  async signinCallback(e = window.location.href) {
+    const { state: t } = await this._client.readSigninResponseState(e);
+    switch (t.request_type) {
+      case "si:r":
+        return await this.signinRedirectCallback(e);
+      case "si:p":
+        await this.signinPopupCallback(e);
         break;
+      case "si:s":
+        await this.signinSilentCallback(e);
+        break;
+      default:
+        throw new Error("invalid response_type in state");
+    }
+  }
+  /**
+   * Process any response (callback) from the end session endpoint, by dispatching the request_type
+   * and executing one of the following functions:
+   * - {@link UserManager.signoutRedirectCallback}
+   * - {@link UserManager.signoutPopupCallback}
+   * - {@link UserManager.signoutSilentCallback}
+   *
+   * @throws `Error` If request_type is unknown or signout cannot be processed.
+   */
+  async signoutCallback(e = window.location.href, t = !1) {
+    const { state: s } = await this._client.readSignoutResponseState(e);
+    if (s)
+      switch (s.request_type) {
+        case "so:r":
+          return await this.signoutRedirectCallback(e);
+        case "so:p":
+          await this.signoutPopupCallback(e, t);
+          break;
+        case "so:s":
+          await this.signoutSilentCallback(e);
+          break;
+        default:
+          throw new Error("invalid response_type in state");
       }
+  }
+  /**
+   * Query OP for user's current signin status.
+   *
+   * @returns A promise object with session_state and subject identifier.
+   */
+  async querySessionStatus(e = {}) {
+    const t = this._logger.create("querySessionStatus"), {
+      silentRequestTimeoutInSeconds: s,
+      ...i
+    } = e, r = this.settings.silent_redirect_uri;
+    r || t.throw(new Error("No silent_redirect_uri configured"));
+    const o = await this._loadUser(), n = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds: s }), a = await this._signinStart({
+      request_type: "si:s",
+      // this acts like a signin silent
+      redirect_uri: r,
+      prompt: "none",
+      id_token_hint: this.settings.includeIdTokenInSilentRenew ? o == null ? void 0 : o.id_token : void 0,
+      response_type: this.settings.query_status_response_type,
+      scope: "openid",
+      skipUserInfo: !0,
+      ...i
+    }, n);
+    try {
+      const c = {}, l = await this._client.processSigninResponse(a.url, c);
+      return t.debug("got signin response"), l.session_state && l.profile.sub ? (t.info("success for subject", l.profile.sub), {
+        session_state: l.session_state,
+        sub: l.profile.sub
+      }) : (t.info("success, user not authenticated"), null);
+    } catch (c) {
+      if (this.settings.monitorAnonymousSession && c instanceof q)
+        switch (c.error) {
+          case "login_required":
+          case "consent_required":
+          case "interaction_required":
+          case "account_selection_required":
+            return t.info("success for anonymous user"), {
+              session_state: c.session_state
+            };
+        }
+      throw c;
     }
-    r > -1 && (t = t.slice(r + 1));
-    const n = y("Patches").applyPatches_;
-    return h(e) ? n(e, t) : this.produce(
-      e,
-      (i) => n(i, t)
-    );
+  }
+  async _signin(e, t, s) {
+    const i = await this._signinStart(e, t);
+    return await this._signinEnd(i.url, s);
+  }
+  async _signinStart(e, t) {
+    const s = this._logger.create("_signinStart");
+    try {
+      const i = await this._client.createSigninRequest(e);
+      return s.debug("got signin request"), await t.navigate({
+        url: i.url,
+        state: i.state.id,
+        response_mode: i.state.response_mode,
+        scriptOrigin: this.settings.iframeScriptOrigin
+      });
+    } catch (i) {
+      throw s.debug("error after preparing navigator, closing navigator window"), t.close(), i;
+    }
+  }
+  async _signinEnd(e, t) {
+    const s = this._logger.create("_signinEnd"), i = {}, r = await this._client.processSigninResponse(e, i);
+    return s.debug("got signin response"), await this._buildUser(r, t);
+  }
+  async _buildUser(e, t) {
+    const s = this._logger.create("_buildUser"), i = new W(e);
+    if (t) {
+      if (t !== i.profile.sub)
+        throw s.debug("current user does not match user returned from signin. sub from signin:", i.profile.sub), new q({ ...e, error: "login_required" });
+      s.debug("current user matches user returned from signin");
+    }
+    return await this.storeUser(i), s.debug("user stored"), await this._events.load(i), i;
+  }
+  /**
+   * Trigger a redirect of the current window to the end session endpoint.
+   *
+   * @returns A promise
+   */
+  async signoutRedirect(e = {}) {
+    const t = this._logger.create("signoutRedirect"), {
+      redirectMethod: s,
+      ...i
+    } = e, r = await this._redirectNavigator.prepare({ redirectMethod: s });
+    await this._signoutStart({
+      request_type: "so:r",
+      post_logout_redirect_uri: this.settings.post_logout_redirect_uri,
+      ...i
+    }, r), t.info("success");
+  }
+  /**
+   * Process response (callback) from the end session endpoint.
+   * It is recommended to use {@link UserManager.signoutCallback} instead.
+   *
+   * @returns A promise containing signout response
+   *
+   * @see {@link UserManager.signoutCallback}
+   */
+  async signoutRedirectCallback(e = window.location.href) {
+    const t = this._logger.create("signoutRedirectCallback"), s = await this._signoutEnd(e);
+    return t.info("success"), s;
+  }
+  /**
+   * Trigger a redirect of a popup window to the end session endpoint.
+   *
+   * @returns A promise
+   */
+  async signoutPopup(e = {}) {
+    const t = this._logger.create("signoutPopup"), {
+      popupWindowFeatures: s,
+      popupWindowTarget: i,
+      popupSignal: r,
+      ...o
+    } = e, n = this.settings.popup_post_logout_redirect_uri, a = await this._popupNavigator.prepare({ popupWindowFeatures: s, popupWindowTarget: i, popupSignal: r });
+    await this._signout({
+      request_type: "so:p",
+      post_logout_redirect_uri: n,
+      // we're putting a dummy entry in here because we
+      // need a unique id from the state for notification
+      // to the parent window, which is necessary if we
+      // plan to return back to the client after signout
+      // and so we can close the popup after signout
+      state: n == null ? void 0 : {},
+      ...o
+    }, a), t.info("success");
+  }
+  /**
+   * Process response (callback) from the end session endpoint from a popup window.
+   * It is recommended to use {@link UserManager.signoutCallback} instead.
+   *
+   * @returns A promise
+   *
+   * @see {@link UserManager.signoutCallback}
+   */
+  async signoutPopupCallback(e = window.location.href, t = !1) {
+    const s = this._logger.create("signoutPopupCallback");
+    await this._popupNavigator.callback(e, { keepOpen: t }), s.info("success");
+  }
+  async _signout(e, t) {
+    const s = await this._signoutStart(e, t);
+    return await this._signoutEnd(s.url);
+  }
+  async _signoutStart(e = {}, t) {
+    var s;
+    const i = this._logger.create("_signoutStart");
+    try {
+      const r = await this._loadUser();
+      i.debug("loaded current user from storage"), this.settings.revokeTokensOnSignout && await this._revokeInternal(r);
+      const o = e.id_token_hint || r && r.id_token;
+      o && (i.debug("setting id_token_hint in signout request"), e.id_token_hint = o), await this.removeUser(), i.debug("user removed, creating signout request");
+      const n = await this._client.createSignoutRequest(e);
+      return i.debug("got signout request"), await t.navigate({
+        url: n.url,
+        state: (s = n.state) == null ? void 0 : s.id,
+        scriptOrigin: this.settings.iframeScriptOrigin
+      });
+    } catch (r) {
+      throw i.debug("error after preparing navigator, closing navigator window"), t.close(), r;
+    }
+  }
+  async _signoutEnd(e) {
+    const t = this._logger.create("_signoutEnd"), s = await this._client.processSignoutResponse(e);
+    return t.debug("got signout response"), s;
+  }
+  /**
+   * Trigger a silent request (via an iframe) to the end session endpoint.
+   *
+   * @returns A promise
+   */
+  async signoutSilent(e = {}) {
+    var t;
+    const s = this._logger.create("signoutSilent"), {
+      silentRequestTimeoutInSeconds: i,
+      ...r
+    } = e, o = this.settings.includeIdTokenInSilentSignout ? (t = await this._loadUser()) == null ? void 0 : t.id_token : void 0, n = this.settings.popup_post_logout_redirect_uri, a = await this._iframeNavigator.prepare({ silentRequestTimeoutInSeconds: i });
+    await this._signout({
+      request_type: "so:s",
+      post_logout_redirect_uri: n,
+      id_token_hint: o,
+      ...r
+    }, a), s.info("success");
+  }
+  /**
+   * Notify the parent window of response (callback) from the end session endpoint.
+   * It is recommended to use {@link UserManager.signoutCallback} instead.
+   *
+   * @returns A promise
+   *
+   * @see {@link UserManager.signoutCallback}
+   */
+  async signoutSilentCallback(e = window.location.href) {
+    const t = this._logger.create("signoutSilentCallback");
+    await this._iframeNavigator.callback(e), t.info("success");
+  }
+  async revokeTokens(e) {
+    const t = await this._loadUser();
+    await this._revokeInternal(t, e);
+  }
+  async _revokeInternal(e, t = this.settings.revokeTokenTypes) {
+    const s = this._logger.create("_revokeInternal");
+    if (!e) return;
+    const i = t.filter((r) => typeof e[r] == "string");
+    if (!i.length) {
+      s.debug("no need to revoke due to no token(s)");
+      return;
+    }
+    for (const r of i)
+      await this._client.revokeToken(
+        e[r],
+        r
+      ), s.info(`${r} revoked successfully`), r !== "access_token" && (e[r] = null);
+    await this.storeUser(e), s.debug("user stored"), await this._events.load(e);
+  }
+  /**
+   * Enables silent renew for the `UserManager`.
+   */
+  startSilentRenew() {
+    this._logger.create("startSilentRenew"), this._silentRenewService.start();
+  }
+  /**
+   * Disables silent renew for the `UserManager`.
+   */
+  stopSilentRenew() {
+    this._silentRenewService.stop();
+  }
+  get _userStoreKey() {
+    return `user:${this.settings.authority}:${this.settings.client_id}`;
+  }
+  async _loadUser() {
+    const e = this._logger.create("_loadUser"), t = await this.settings.userStore.get(this._userStoreKey);
+    return t ? (e.debug("user storageString loaded"), W.fromStorageString(t)) : (e.debug("no user storageString"), null);
+  }
+  async storeUser(e) {
+    const t = this._logger.create("storeUser");
+    if (e) {
+      t.debug("storing user");
+      const s = e.toStorageString();
+      await this.settings.userStore.set(this._userStoreKey, s);
+    } else
+      this._logger.debug("removing user"), await this.settings.userStore.remove(this._userStoreKey), this.settings.dpop && await this.settings.dpop.store.remove(this.settings.client_id);
+  }
+  /**
+   * Removes stale state entries in storage for incomplete authorize requests.
+   */
+  async clearStaleState() {
+    await this._client.clearStaleState();
+  }
+  /**
+   * Dynamically generates a DPoP proof for a given user, URL and optional Http method.
+   * This method is useful when you need to make a request to a resource server
+   * with fetch or similar, and you need to include a DPoP proof in a DPoP header.
+   * @param url - The URL to generate the DPoP proof for
+   * @param user - The user to generate the DPoP proof for
+   * @param httpMethod - Optional, defaults to "GET"
+   * @param nonce - Optional nonce provided by the resource server
+   *
+   * @returns A promise containing the DPoP proof or undefined if DPoP is not enabled/no user is found.
+   */
+  async dpopProof(e, t, s, i) {
+    var r, o;
+    const n = await ((o = (r = this.settings.dpop) == null ? void 0 : r.store) == null ? void 0 : o.get(this.settings.client_id));
+    if (n)
+      return await _.generateDPoPProof({
+        url: e,
+        accessToken: t == null ? void 0 : t.access_token,
+        httpMethod: s,
+        keyPair: n.keys,
+        nonce: i
+      });
+  }
+  async generateDPoPJkt(e) {
+    let t = await e.store.get(this.settings.client_id);
+    if (!t) {
+      const s = await _.generateDPoPKeys();
+      t = new de(s), await e.store.set(this.settings.client_id, t);
+    }
+    return await _.generateDPoPJkt(t.keys);
   }
 };
-function k(e, t) {
-  const r = O(e) ? y("MapSet").proxyMap_(e, t) : D(e) ? y("MapSet").proxySet_(e, t) : re(e, t);
-  return (t ? t.scope_ : G()).drafts_.push(r), r;
-}
-function oe(e) {
-  return h(e) || f(10, e), X(e);
-}
-function X(e) {
-  if (!_(e) || S(e))
-    return e;
-  const t = e[u];
-  let r;
-  if (t) {
-    if (!t.modified_)
-      return t.base_;
-    t.finalized_ = !0, r = N(e, t.scope_.immer_.useStrictShallowCopy_);
-  } else
-    r = N(e, !0);
-  return b(r, (n, i) => {
-    B(r, n, X(i));
-  }), t && (t.finalized_ = !1), r;
-}
-var a = new ie(), se = a.produce;
-a.produceWithPatches.bind(
-  a
-);
-a.setAutoFreeze.bind(a);
-a.setUseStrictShallowCopy.bind(a);
-a.applyPatches.bind(a);
-a.createDraft.bind(a);
-a.finishDraft.bind(a);
 export {
-  ie as Immer,
-  oe as current,
-  T as freeze,
-  R as immerable,
-  h as isDraft,
-  _ as isDraftable,
-  W as nothing,
-  se as produce
+  Ie as AccessTokenEvents,
+  Ce as CheckSessionIFrame,
+  de as DPoPState,
+  q as ErrorResponse,
+  G as ErrorTimeout,
+  re as InMemoryWebStorage,
+  D as Log,
+  g as Logger,
+  xe as MetadataService,
+  Le as OidcClient,
+  z as OidcClientSettingsStore,
+  Fe as SessionMonitor,
+  J as SigninResponse,
+  ae as SigninState,
+  $e as SignoutResponse,
+  $ as State,
+  W as User,
+  rt as UserManager,
+  Ve as UserManagerSettingsStore,
+  ne as WebStorageStateStore
 };