nuxt-ignis 0.4.0 → 0.5.0-rc.1

package/.output/server/node_modules/oauth4webapi/build/index.js

@@ -0,0 +1,2492 @@
+let USER_AGENT;
+if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
+    const NAME = 'oauth4webapi';
+    const VERSION = 'v3.8.1';
+    USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+    if (input == null) {
+        return false;
+    }
+    try {
+        return (input instanceof expected ||
+            Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);
+    }
+    catch {
+        return false;
+    }
+}
+const ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';
+const ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';
+function CodedTypeError(message, code, cause) {
+    const err = new TypeError(message, { cause });
+    Object.assign(err, { code });
+    return err;
+}
+export const allowInsecureRequests = Symbol();
+export const clockSkew = Symbol();
+export const clockTolerance = Symbol();
+export const customFetch = Symbol();
+export const modifyAssertion = Symbol();
+export const jweDecrypt = Symbol();
+export const jwksCache = Symbol();
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function buf(input) {
+    if (typeof input === 'string') {
+        return encoder.encode(input);
+    }
+    return decoder.decode(input);
+}
+let encodeBase64Url;
+if (Uint8Array.prototype.toBase64) {
+    encodeBase64Url = (input) => {
+        if (input instanceof ArrayBuffer) {
+            input = new Uint8Array(input);
+        }
+        return input.toBase64({ alphabet: 'base64url', omitPadding: true });
+    };
+}
+else {
+    const CHUNK_SIZE = 0x8000;
+    encodeBase64Url = (input) => {
+        if (input instanceof ArrayBuffer) {
+            input = new Uint8Array(input);
+        }
+        const arr = [];
+        for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {
+            arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+        }
+        return btoa(arr.join('')).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+    };
+}
+let decodeBase64Url;
+if (Uint8Array.fromBase64) {
+    decodeBase64Url = (input) => {
+        try {
+            return Uint8Array.fromBase64(input, { alphabet: 'base64url' });
+        }
+        catch (cause) {
+            throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);
+        }
+    };
+}
+else {
+    decodeBase64Url = (input) => {
+        try {
+            const binary = atob(input.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, ''));
+            const bytes = new Uint8Array(binary.length);
+            for (let i = 0; i < binary.length; i++) {
+                bytes[i] = binary.charCodeAt(i);
+            }
+            return bytes;
+        }
+        catch (cause) {
+            throw CodedTypeError('The input to be decoded is not correctly encoded.', ERR_INVALID_ARG_VALUE, cause);
+        }
+    };
+}
+function b64u(input) {
+    if (typeof input === 'string') {
+        return decodeBase64Url(input);
+    }
+    return encodeBase64Url(input);
+}
+export class UnsupportedOperationError extends Error {
+    code;
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        this.code = UNSUPPORTED_OPERATION;
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+export class OperationProcessingError extends Error {
+    code;
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        if (options?.code) {
+            this.code = options?.code;
+        }
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+function OPE(message, code, cause) {
+    return new OperationProcessingError(message, { code, cause });
+}
+async function calculateJwkThumbprint(jwk) {
+    let components;
+    switch (jwk.kty) {
+        case 'EC':
+            components = {
+                crv: jwk.crv,
+                kty: jwk.kty,
+                x: jwk.x,
+                y: jwk.y,
+            };
+            break;
+        case 'OKP':
+            components = {
+                crv: jwk.crv,
+                kty: jwk.kty,
+                x: jwk.x,
+            };
+            break;
+        case 'AKP':
+            components = {
+                alg: jwk.alg,
+                kty: jwk.kty,
+                pub: jwk.pub,
+            };
+            break;
+        case 'RSA':
+            components = {
+                e: jwk.e,
+                kty: jwk.kty,
+                n: jwk.n,
+            };
+            break;
+        default:
+            throw new UnsupportedOperationError('unsupported JWK key type', { cause: jwk });
+    }
+    return b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components))));
+}
+function assertCryptoKey(key, it) {
+    if (!(key instanceof CryptoKey)) {
+        throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
+    }
+}
+function assertPrivateKey(key, it) {
+    assertCryptoKey(key, it);
+    if (key.type !== 'private') {
+        throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
+    }
+}
+function assertPublicKey(key, it) {
+    assertCryptoKey(key, it);
+    if (key.type !== 'public') {
+        throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
+    }
+}
+function normalizeTyp(value) {
+    return value.toLowerCase().replace(/^application\//, '');
+}
+function isJsonObject(input) {
+    if (input === null || typeof input !== 'object' || Array.isArray(input)) {
+        return false;
+    }
+    return true;
+}
+function prepareHeaders(input) {
+    if (looseInstanceOf(input, Headers)) {
+        input = Object.fromEntries(input.entries());
+    }
+    const headers = new Headers(input ?? {});
+    if (USER_AGENT && !headers.has('user-agent')) {
+        headers.set('user-agent', USER_AGENT);
+    }
+    if (headers.has('authorization')) {
+        throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+    }
+    return headers;
+}
+function signal(url, value) {
+    if (value !== undefined) {
+        if (typeof value === 'function') {
+            value = value(url.href);
+        }
+        if (!(value instanceof AbortSignal)) {
+            throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+        }
+        return value;
+    }
+    return undefined;
+}
+function replaceDoubleSlash(pathname) {
+    if (pathname.includes('//')) {
+        return pathname.replace('//', '/');
+    }
+    return pathname;
+}
+function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
+    if (url.pathname === '/') {
+        url.pathname = wellKnown;
+    }
+    else {
+        url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, '')}`);
+    }
+    return url;
+}
+function appendWellKnown(url, wellKnown) {
+    url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
+    return url;
+}
+async function performDiscovery(input, urlName, transform, options) {
+    if (!(input instanceof URL)) {
+        throw CodedTypeError(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE);
+    }
+    checkProtocol(input, options?.[allowInsecureRequests] !== true);
+    const url = transform(new URL(input.href));
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    return (options?.[customFetch] || fetch)(url.href, {
+        body: undefined,
+        headers: Object.fromEntries(headers.entries()),
+        method: 'GET',
+        redirect: 'manual',
+        signal: signal(url, options?.signal),
+    });
+}
+export async function discoveryRequest(issuerIdentifier, options) {
+    return performDiscovery(issuerIdentifier, 'issuerIdentifier', (url) => {
+        switch (options?.algorithm) {
+            case undefined:
+            case 'oidc':
+                appendWellKnown(url, '.well-known/openid-configuration');
+                break;
+            case 'oauth2':
+                prependWellKnown(url, '.well-known/oauth-authorization-server');
+                break;
+            default:
+                throw CodedTypeError('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE);
+        }
+        return url;
+    }, options);
+}
+function assertNumber(input, allow0, it, code, cause) {
+    try {
+        if (typeof input !== 'number' || !Number.isFinite(input)) {
+            throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);
+        }
+        if (input > 0)
+            return;
+        if (allow0) {
+            if (input !== 0) {
+                throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);
+            }
+            return;
+        }
+        throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);
+    }
+    catch (err) {
+        if (code) {
+            throw OPE(err.message, code, cause);
+        }
+        throw err;
+    }
+}
+function assertString(input, it, code, cause) {
+    try {
+        if (typeof input !== 'string') {
+            throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
+        }
+        if (input.length === 0) {
+            throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
+        }
+    }
+    catch (err) {
+        if (code) {
+            throw OPE(err.message, code, cause);
+        }
+        throw err;
+    }
+}
+export async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
+    const expected = expectedIssuerIdentifier;
+    if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {
+        throw CodedTypeError('"expectedIssuerIdentifier" must be an instance of URL', ERR_INVALID_ARG_TYPE);
+    }
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    if (response.status !== 200) {
+        throw OPE('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+    }
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.issuer, '"response" body "issuer" property', INVALID_RESPONSE, { body: json });
+    if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) {
+        throw OPE('"response" body "issuer" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'issuer' });
+    }
+    return json;
+}
+function assertApplicationJson(response) {
+    assertContentType(response, 'application/json');
+}
+function notJson(response, ...types) {
+    let msg = '"response" content-type must be ';
+    if (types.length > 2) {
+        const last = types.pop();
+        msg += `${types.join(', ')}, or ${last}`;
+    }
+    else if (types.length === 2) {
+        msg += `${types[0]} or ${types[1]}`;
+    }
+    else {
+        msg += types[0];
+    }
+    return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentTypes(response, ...types) {
+    if (!types.includes(getContentType(response))) {
+        throw notJson(response, ...types);
+    }
+}
+function assertContentType(response, contentType) {
+    if (getContentType(response) !== contentType) {
+        throw notJson(response, contentType);
+    }
+}
+function randomBytes() {
+    return b64u(crypto.getRandomValues(new Uint8Array(32)));
+}
+export function generateRandomCodeVerifier() {
+    return randomBytes();
+}
+export function generateRandomState() {
+    return randomBytes();
+}
+export function generateRandomNonce() {
+    return randomBytes();
+}
+export async function calculatePKCECodeChallenge(codeVerifier) {
+    assertString(codeVerifier, 'codeVerifier');
+    return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));
+}
+function getKeyAndKid(input) {
+    if (input instanceof CryptoKey) {
+        return { key: input };
+    }
+    if (!(input?.key instanceof CryptoKey)) {
+        return {};
+    }
+    if (input.kid !== undefined) {
+        assertString(input.kid, '"kid"');
+    }
+    return {
+        key: input.key,
+        kid: input.kid,
+    };
+}
+function psAlg(key) {
+    switch (key.algorithm.hash.name) {
+        case 'SHA-256':
+            return 'PS256';
+        case 'SHA-384':
+            return 'PS384';
+        case 'SHA-512':
+            return 'PS512';
+        default:
+            throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {
+                cause: key,
+            });
+    }
+}
+function rsAlg(key) {
+    switch (key.algorithm.hash.name) {
+        case 'SHA-256':
+            return 'RS256';
+        case 'SHA-384':
+            return 'RS384';
+        case 'SHA-512':
+            return 'RS512';
+        default:
+            throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name', {
+                cause: key,
+            });
+    }
+}
+function esAlg(key) {
+    switch (key.algorithm.namedCurve) {
+        case 'P-256':
+            return 'ES256';
+        case 'P-384':
+            return 'ES384';
+        case 'P-521':
+            return 'ES512';
+        default:
+            throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve', { cause: key });
+    }
+}
+function keyToJws(key) {
+    switch (key.algorithm.name) {
+        case 'RSA-PSS':
+            return psAlg(key);
+        case 'RSASSA-PKCS1-v1_5':
+            return rsAlg(key);
+        case 'ECDSA':
+            return esAlg(key);
+        case 'Ed25519':
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+            return key.algorithm.name;
+        case 'EdDSA':
+            return 'Ed25519';
+        default:
+            throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });
+    }
+}
+function getClockSkew(client) {
+    const skew = client?.[clockSkew];
+    return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+    const tolerance = client?.[clockTolerance];
+    return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1
+        ? tolerance
+        : 30;
+}
+function epochTime() {
+    return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+    if (typeof as !== 'object' || as === null) {
+        throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+    }
+    assertString(as.issuer, '"as.issuer"');
+}
+function assertClient(client) {
+    if (typeof client !== 'object' || client === null) {
+        throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE);
+    }
+    assertString(client.client_id, '"client.client_id"');
+}
+function formUrlEncode(token) {
+    return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {
+        switch (substring) {
+            case '-':
+            case '_':
+            case '.':
+            case '!':
+            case '~':
+            case '*':
+            case "'":
+            case '(':
+            case ')':
+                return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`;
+            case '%20':
+                return '+';
+            default:
+                throw new Error();
+        }
+    });
+}
+export function ClientSecretPost(clientSecret) {
+    assertString(clientSecret, '"clientSecret"');
+    return (_as, client, body, _headers) => {
+        body.set('client_id', client.client_id);
+        body.set('client_secret', clientSecret);
+    };
+}
+export function ClientSecretBasic(clientSecret) {
+    assertString(clientSecret, '"clientSecret"');
+    return (_as, client, _body, headers) => {
+        const username = formUrlEncode(client.client_id);
+        const password = formUrlEncode(clientSecret);
+        const credentials = btoa(`${username}:${password}`);
+        headers.set('authorization', `Basic ${credentials}`);
+    };
+}
+function clientAssertionPayload(as, client) {
+    const now = epochTime() + getClockSkew(client);
+    return {
+        jti: randomBytes(),
+        aud: as.issuer,
+        exp: now + 60,
+        iat: now,
+        nbf: now,
+        iss: client.client_id,
+        sub: client.client_id,
+    };
+}
+export function PrivateKeyJwt(clientPrivateKey, options) {
+    const { key, kid } = getKeyAndKid(clientPrivateKey);
+    assertPrivateKey(key, '"clientPrivateKey.key"');
+    return async (as, client, body, _headers) => {
+        const header = { alg: keyToJws(key), kid };
+        const payload = clientAssertionPayload(as, client);
+        options?.[modifyAssertion]?.(header, payload);
+        body.set('client_id', client.client_id);
+        body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');
+        body.set('client_assertion', await signJwt(header, payload, key));
+    };
+}
+export function ClientSecretJwt(clientSecret, options) {
+    assertString(clientSecret, '"clientSecret"');
+    const modify = options?.[modifyAssertion];
+    let key;
+    return async (as, client, body, _headers) => {
+        key ||= await crypto.subtle.importKey('raw', buf(clientSecret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']);
+        const header = { alg: 'HS256' };
+        const payload = clientAssertionPayload(as, client);
+        modify?.(header, payload);
+        const data = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
+        const hmac = await crypto.subtle.sign(key.algorithm, key, buf(data));
+        body.set('client_id', client.client_id);
+        body.set('client_assertion_type', 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer');
+        body.set('client_assertion', `${data}.${b64u(new Uint8Array(hmac))}`);
+    };
+}
+export function None() {
+    return (_as, client, body, _headers) => {
+        body.set('client_id', client.client_id);
+    };
+}
+export function TlsClientAuth() {
+    return None();
+}
+async function signJwt(header, payload, key) {
+    if (!key.usages.includes('sign')) {
+        throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
+    }
+    const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
+    const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
+    return `${input}.${signature}`;
+}
+export async function issueRequestObject(as, client, parameters, privateKey, options) {
+    assertAs(as);
+    assertClient(client);
+    parameters = new URLSearchParams(parameters);
+    const { key, kid } = getKeyAndKid(privateKey);
+    assertPrivateKey(key, '"privateKey.key"');
+    parameters.set('client_id', client.client_id);
+    const now = epochTime() + getClockSkew(client);
+    const claims = {
+        ...Object.fromEntries(parameters.entries()),
+        jti: randomBytes(),
+        aud: as.issuer,
+        exp: now + 60,
+        iat: now,
+        nbf: now,
+        iss: client.client_id,
+    };
+    let resource;
+    if (parameters.has('resource') &&
+        (resource = parameters.getAll('resource')) &&
+        resource.length > 1) {
+        claims.resource = resource;
+    }
+    {
+        let value = parameters.get('max_age');
+        if (value !== null) {
+            claims.max_age = parseInt(value, 10);
+            assertNumber(claims.max_age, true, '"max_age" parameter');
+        }
+    }
+    {
+        let value = parameters.get('claims');
+        if (value !== null) {
+            try {
+                claims.claims = JSON.parse(value);
+            }
+            catch (cause) {
+                throw OPE('failed to parse the "claims" parameter as JSON', PARSE_ERROR, cause);
+            }
+            if (!isJsonObject(claims.claims)) {
+                throw CodedTypeError('"claims" parameter must be a JSON with a top level object', ERR_INVALID_ARG_VALUE);
+            }
+        }
+    }
+    {
+        let value = parameters.get('authorization_details');
+        if (value !== null) {
+            try {
+                claims.authorization_details = JSON.parse(value);
+            }
+            catch (cause) {
+                throw OPE('failed to parse the "authorization_details" parameter as JSON', PARSE_ERROR, cause);
+            }
+            if (!Array.isArray(claims.authorization_details)) {
+                throw CodedTypeError('"authorization_details" parameter must be a JSON with a top level array', ERR_INVALID_ARG_VALUE);
+            }
+        }
+    }
+    const header = {
+        alg: keyToJws(key),
+        typ: 'oauth-authz-req+jwt',
+        kid,
+    };
+    options?.[modifyAssertion]?.(header, claims);
+    return signJwt(header, claims, key);
+}
+let jwkCache;
+async function getSetPublicJwkCache(key, alg) {
+    const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey('jwk', key);
+    const jwk = { kty, e, n, x, y, crv, pub };
+    if (kty === 'AKP')
+        jwk.alg = alg;
+    jwkCache.set(key, jwk);
+    return jwk;
+}
+async function publicJwk(key, alg) {
+    jwkCache ||= new WeakMap();
+    return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
+}
+const URLParse = URL.parse
+    ?
+        (url, base) => URL.parse(url, base)
+    : (url, base) => {
+        try {
+            return new URL(url, base);
+        }
+        catch {
+            return null;
+        }
+    };
+export function checkProtocol(url, enforceHttps) {
+    if (enforceHttps && url.protocol !== 'https:') {
+        throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url);
+    }
+    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+        throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url);
+    }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+    let url;
+    if (typeof value !== 'string' || !(url = URLParse(value))) {
+        throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
+    }
+    checkProtocol(url, enforceHttps);
+    return url;
+}
+export function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+    if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+        return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+    }
+    return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+export async function pushedAuthorizationRequest(as, client, clientAuthentication, parameters, options) {
+    assertAs(as);
+    assertClient(client);
+    const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const body = new URLSearchParams(parameters);
+    body.set('client_id', client.client_id);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    if (options?.DPoP !== undefined) {
+        assertDPoP(options.DPoP);
+        await options.DPoP.addProof(url, headers, 'POST');
+    }
+    const response = await authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);
+    options?.DPoP?.cacheNonce(response);
+    return response;
+}
+class DPoPHandler {
+    #header;
+    #privateKey;
+    #publicKey;
+    #clockSkew;
+    #modifyAssertion;
+    #map;
+    #jkt;
+    constructor(client, keyPair, options) {
+        assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
+        assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
+        if (!keyPair.publicKey.extractable) {
+            throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
+        }
+        this.#modifyAssertion = options?.[modifyAssertion];
+        this.#clockSkew = getClockSkew(client);
+        this.#privateKey = keyPair.privateKey;
+        this.#publicKey = keyPair.publicKey;
+        branded.add(this);
+    }
+    #get(key) {
+        this.#map ||= new Map();
+        let item = this.#map.get(key);
+        if (item) {
+            this.#map.delete(key);
+            this.#map.set(key, item);
+        }
+        return item;
+    }
+    #set(key, val) {
+        this.#map ||= new Map();
+        this.#map.delete(key);
+        if (this.#map.size === 100) {
+            this.#map.delete(this.#map.keys().next().value);
+        }
+        this.#map.set(key, val);
+    }
+    async calculateThumbprint() {
+        if (!this.#jkt) {
+            const jwk = await crypto.subtle.exportKey('jwk', this.#publicKey);
+            this.#jkt ||= await calculateJwkThumbprint(jwk);
+        }
+        return this.#jkt;
+    }
+    async addProof(url, headers, htm, accessToken) {
+        const alg = keyToJws(this.#privateKey);
+        this.#header ||= {
+            alg,
+            typ: 'dpop+jwt',
+            jwk: await publicJwk(this.#publicKey, alg),
+        };
+        const nonce = this.#get(url.origin);
+        const now = epochTime() + this.#clockSkew;
+        const payload = {
+            iat: now,
+            jti: randomBytes(),
+            htm,
+            nonce,
+            htu: `${url.origin}${url.pathname}`,
+            ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,
+        };
+        this.#modifyAssertion?.(this.#header, payload);
+        headers.set('dpop', await signJwt(this.#header, payload, this.#privateKey));
+    }
+    cacheNonce(response) {
+        try {
+            const nonce = response.headers.get('dpop-nonce');
+            if (nonce) {
+                this.#set(new URL(response.url).origin, nonce);
+            }
+        }
+        catch { }
+    }
+}
+export function isDPoPNonceError(err) {
+    if (err instanceof WWWAuthenticateChallengeError) {
+        const { 0: challenge, length } = err.cause;
+        return (length === 1 && challenge.scheme === 'dpop' && challenge.parameters.error === 'use_dpop_nonce');
+    }
+    if (err instanceof ResponseBodyError) {
+        return err.error === 'use_dpop_nonce';
+    }
+    return false;
+}
+export function DPoP(client, keyPair, options) {
+    return new DPoPHandler(client, keyPair, options);
+}
+export class ResponseBodyError extends Error {
+    cause;
+    code;
+    error;
+    status;
+    error_description;
+    response;
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        this.code = RESPONSE_BODY_ERROR;
+        this.cause = options.cause;
+        this.error = options.cause.error;
+        this.status = options.response.status;
+        this.error_description = options.cause.error_description;
+        Object.defineProperty(this, 'response', { enumerable: false, value: options.response });
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+export class AuthorizationResponseError extends Error {
+    cause;
+    code;
+    error;
+    error_description;
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        this.code = AUTHORIZATION_RESPONSE_ERROR;
+        this.cause = options.cause;
+        this.error = options.cause.get('error');
+        this.error_description = options.cause.get('error_description') ?? undefined;
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+export class WWWAuthenticateChallengeError extends Error {
+    cause;
+    code;
+    response;
+    status;
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        this.code = WWW_AUTHENTICATE_CHALLENGE;
+        this.cause = options.cause;
+        this.status = options.response.status;
+        this.response = options.response;
+        Object.defineProperty(this, 'response', { enumerable: false });
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+const token68Match = '[a-zA-Z0-9\\-\\._\\~\\+\\/]+[=]{0,2}';
+const quotedMatch = '"((?:[^"\\\\]|\\\\.)*)"';
+const quotedParamMatcher = '(' + tokenMatch + ')\\s*=\\s*' + quotedMatch;
+const paramMatcher = '(' + tokenMatch + ')\\s*=\\s*(' + tokenMatch + ')';
+const schemeRE = new RegExp('^[,\\s]*(' + tokenMatch + ')\\s(.*)');
+const quotedParamRE = new RegExp('^[,\\s]*' + quotedParamMatcher + '[,\\s]*(.*)');
+const unquotedParamRE = new RegExp('^[,\\s]*' + paramMatcher + '[,\\s]*(.*)');
+const token68ParamRE = new RegExp('^(' + token68Match + ')(?:$|[,\\s])(.*)');
+function parseWwwAuthenticateChallenges(response) {
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    const header = response.headers.get('www-authenticate');
+    if (header === null) {
+        return undefined;
+    }
+    const challenges = [];
+    let rest = header;
+    while (rest) {
+        let match = rest.match(schemeRE);
+        const scheme = match?.['1'].toLowerCase();
+        rest = match?.['2'];
+        if (!scheme) {
+            return undefined;
+        }
+        const parameters = {};
+        let token68;
+        while (rest) {
+            let key;
+            let value;
+            if ((match = rest.match(quotedParamRE))) {
+                ;
+                [, key, value, rest] = match;
+                if (value.includes('\\')) {
+                    try {
+                        value = JSON.parse(`"${value}"`);
+                    }
+                    catch { }
+                }
+                parameters[key.toLowerCase()] = value;
+                continue;
+            }
+            if ((match = rest.match(unquotedParamRE))) {
+                ;
+                [, key, value, rest] = match;
+                parameters[key.toLowerCase()] = value;
+                continue;
+            }
+            if ((match = rest.match(token68ParamRE))) {
+                if (Object.keys(parameters).length) {
+                    break;
+                }
+                ;
+                [, token68, rest] = match;
+                break;
+            }
+            return undefined;
+        }
+        const challenge = { scheme, parameters };
+        if (token68) {
+            challenge.token68 = token68;
+        }
+        challenges.push(challenge);
+    }
+    if (!challenges.length) {
+        return undefined;
+    }
+    return challenges;
+}
+export async function processPushedAuthorizationResponse(as, client, response) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 201, 'Pushed Authorization Request Endpoint');
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.request_uri, '"response" body "request_uri" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    json.expires_in = expiresIn;
+    return json;
+}
+async function parseOAuthResponseErrorBody(response) {
+    if (response.status > 399 && response.status < 500) {
+        assertReadableResponse(response);
+        assertApplicationJson(response);
+        try {
+            const json = await response.clone().json();
+            if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {
+                return json;
+            }
+        }
+        catch { }
+    }
+    return undefined;
+}
+async function checkOAuthBodyError(response, expected, label) {
+    if (response.status !== expected) {
+        checkAuthenticationChallenges(response);
+        let err;
+        if ((err = await parseOAuthResponseErrorBody(response))) {
+            await response.body?.cancel();
+            throw new ResponseBodyError('server responded with an error in the response body', {
+                cause: err,
+                response,
+            });
+        }
+        throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
+    }
+}
+function assertDPoP(option) {
+    if (!branded.has(option)) {
+        throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);
+    }
+}
+async function resourceRequest(accessToken, method, url, headers, body, options) {
+    assertString(accessToken, '"accessToken"');
+    if (!(url instanceof URL)) {
+        throw CodedTypeError('"url" must be an instance of URL', ERR_INVALID_ARG_TYPE);
+    }
+    checkProtocol(url, options?.[allowInsecureRequests] !== true);
+    headers = prepareHeaders(headers);
+    if (options?.DPoP) {
+        assertDPoP(options.DPoP);
+        await options.DPoP.addProof(url, headers, method.toUpperCase(), accessToken);
+    }
+    headers.set('authorization', `${headers.has('dpop') ? 'DPoP' : 'Bearer'} ${accessToken}`);
+    const response = await (options?.[customFetch] || fetch)(url.href, {
+        body,
+        headers: Object.fromEntries(headers.entries()),
+        method,
+        redirect: 'manual',
+        signal: signal(url, options?.signal),
+    });
+    options?.DPoP?.cacheNonce(response);
+    return response;
+}
+export async function protectedResourceRequest(accessToken, method, url, headers, body, options) {
+    const response = await resourceRequest(accessToken, method, url, headers, body, options);
+    checkAuthenticationChallenges(response);
+    return response;
+}
+export async function userInfoRequest(as, client, accessToken, options) {
+    assertAs(as);
+    assertClient(client);
+    const url = resolveEndpoint(as, 'userinfo_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const headers = prepareHeaders(options?.headers);
+    if (client.userinfo_signed_response_alg) {
+        headers.set('accept', 'application/jwt');
+    }
+    else {
+        headers.set('accept', 'application/json');
+        headers.append('accept', 'application/jwt');
+    }
+    return resourceRequest(accessToken, 'GET', url, headers, null, {
+        ...options,
+        [clockSkew]: getClockSkew(client),
+    });
+}
+let jwksMap;
+function setJwksCache(as, jwks, uat, cache) {
+    jwksMap ||= new WeakMap();
+    jwksMap.set(as, {
+        jwks,
+        uat,
+        get age() {
+            return epochTime() - this.uat;
+        },
+    });
+    if (cache) {
+        Object.assign(cache, { jwks: structuredClone(jwks), uat });
+    }
+}
+function isFreshJwksCache(input) {
+    if (typeof input !== 'object' || input === null) {
+        return false;
+    }
+    if (!('uat' in input) || typeof input.uat !== 'number' || epochTime() - input.uat >= 300) {
+        return false;
+    }
+    if (!('jwks' in input) ||
+        !isJsonObject(input.jwks) ||
+        !Array.isArray(input.jwks.keys) ||
+        !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {
+        return false;
+    }
+    return true;
+}
+function clearJwksCache(as, cache) {
+    jwksMap?.delete(as);
+    delete cache?.jwks;
+    delete cache?.uat;
+}
+async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
+    const { alg, kid } = header;
+    checkSupportedJwsAlg(header);
+    if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {
+        setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);
+    }
+    let jwks;
+    let age;
+    if (jwksMap?.has(as)) {
+        ;
+        ({ jwks, age } = jwksMap.get(as));
+        if (age >= 300) {
+            clearJwksCache(as, options?.[jwksCache]);
+            return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+        }
+    }
+    else {
+        jwks = await jwksRequest(as, options).then(processJwksResponse);
+        age = 0;
+        setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);
+    }
+    let kty;
+    switch (alg.slice(0, 2)) {
+        case 'RS':
+        case 'PS':
+            kty = 'RSA';
+            break;
+        case 'ES':
+            kty = 'EC';
+            break;
+        case 'Ed':
+            kty = 'OKP';
+            break;
+        case 'ML':
+            kty = 'AKP';
+            break;
+        default:
+            throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });
+    }
+    const candidates = jwks.keys.filter((jwk) => {
+        if (jwk.kty !== kty) {
+            return false;
+        }
+        if (kid !== undefined && kid !== jwk.kid) {
+            return false;
+        }
+        if (jwk.alg !== undefined && alg !== jwk.alg) {
+            return false;
+        }
+        if (jwk.use !== undefined && jwk.use !== 'sig') {
+            return false;
+        }
+        if (jwk.key_ops?.includes('verify') === false) {
+            return false;
+        }
+        switch (true) {
+            case alg === 'ES256' && jwk.crv !== 'P-256':
+            case alg === 'ES384' && jwk.crv !== 'P-384':
+            case alg === 'ES512' && jwk.crv !== 'P-521':
+            case alg === 'Ed25519' && jwk.crv !== 'Ed25519':
+            case alg === 'EdDSA' && jwk.crv !== 'Ed25519':
+                return false;
+        }
+        return true;
+    });
+    const { 0: jwk, length } = candidates;
+    if (!length) {
+        if (age >= 60) {
+            clearJwksCache(as, options?.[jwksCache]);
+            return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+        }
+        throw OPE('error when selecting a JWT verification key, no applicable keys found', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+    }
+    if (length !== 1) {
+        throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+    }
+    return importJwk(alg, jwk);
+}
+export const skipSubjectCheck = Symbol();
+export function getContentType(input) {
+    return input.headers.get('content-type')?.split(';')[0];
+}
+export async function processUserInfoResponse(as, client, expectedSubject, response, options) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    checkAuthenticationChallenges(response);
+    if (response.status !== 200) {
+        throw OPE('"response" is not a conform UserInfo Endpoint response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+    }
+    assertReadableResponse(response);
+    let json;
+    if (getContentType(response) === 'application/jwt') {
+        const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported, undefined), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])
+            .then(validateOptionalAudience.bind(undefined, client.client_id))
+            .then(validateOptionalIssuer.bind(undefined, as));
+        jwtRefs.set(response, jwt);
+        json = claims;
+    }
+    else {
+        if (client.userinfo_signed_response_alg) {
+            throw OPE('JWT UserInfo Response expected', JWT_USERINFO_EXPECTED, response);
+        }
+        json = await getResponseJsonBody(response);
+    }
+    assertString(json.sub, '"response" body "sub" property', INVALID_RESPONSE, { body: json });
+    switch (expectedSubject) {
+        case skipSubjectCheck:
+            break;
+        default:
+            assertString(expectedSubject, '"expectedSubject"');
+            if (json.sub !== expectedSubject) {
+                throw OPE('unexpected "response" body "sub" property value', JSON_ATTRIBUTE_COMPARISON, {
+                    expected: expectedSubject,
+                    body: json,
+                    attribute: 'sub',
+                });
+            }
+    }
+    return json;
+}
+async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {
+    await clientAuthentication(as, client, body, headers);
+    headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');
+    return (options?.[customFetch] || fetch)(url.href, {
+        body,
+        headers: Object.fromEntries(headers.entries()),
+        method: 'POST',
+        redirect: 'manual',
+        signal: signal(url, options?.signal),
+    });
+}
+async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+    const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    parameters.set('grant_type', grantType);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    if (options?.DPoP !== undefined) {
+        assertDPoP(options.DPoP);
+        await options.DPoP.addProof(url, headers, 'POST');
+    }
+    const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);
+    options?.DPoP?.cacheNonce(response);
+    return response;
+}
+export async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(refreshToken, '"refreshToken"');
+    const parameters = new URLSearchParams(options?.additionalParameters);
+    parameters.set('refresh_token', refreshToken);
+    return tokenEndpointRequest(as, client, clientAuthentication, 'refresh_token', parameters, options);
+}
+const idTokenClaims = new WeakMap();
+const jwtRefs = new WeakMap();
+export function getValidatedIdTokenClaims(ref) {
+    if (!ref.id_token) {
+        return undefined;
+    }
+    const claims = idTokenClaims.get(ref);
+    if (!claims) {
+        throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
+    }
+    return claims;
+}
+export async function validateApplicationLevelSignature(as, ref, options) {
+    assertAs(as);
+    if (!jwtRefs.has(ref)) {
+        throw CodedTypeError('"ref" does not contain a processed JWT Response to verify the signature of', ERR_INVALID_ARG_VALUE);
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwtRefs.get(ref).split('.');
+    const header = JSON.parse(buf(b64u(protectedHeader)));
+    if (header.alg.startsWith('HS')) {
+        throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg: header.alg } });
+    }
+    let key;
+    key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));
+}
+async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 200, 'Token Endpoint');
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    json.token_type = json.token_type.toLowerCase();
+    if (json.expires_in !== undefined) {
+        let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+        assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+            body: json,
+        });
+        json.expires_in = expiresIn;
+    }
+    if (json.refresh_token !== undefined) {
+        assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    if (json.scope !== undefined && typeof json.scope !== 'string') {
+        throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, { body: json });
+    }
+    if (json.id_token !== undefined) {
+        assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+            body: json,
+        });
+        const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub'];
+        if (client.require_auth_time === true) {
+            requiredClaims.push('auth_time');
+        }
+        if (client.default_max_age !== undefined) {
+            assertNumber(client.default_max_age, true, '"client.default_max_age"');
+            requiredClaims.push('auth_time');
+        }
+        if (additionalRequiredIdTokenClaims?.length) {
+            requiredClaims.push(...additionalRequiredIdTokenClaims);
+        }
+        const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), decryptFn)
+            .then(validatePresence.bind(undefined, requiredClaims))
+            .then(validateIssuer.bind(undefined, as))
+            .then(validateAudience.bind(undefined, client.client_id));
+        if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+            if (claims.azp === undefined) {
+                throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });
+            }
+            if (claims.azp !== client.client_id) {
+                throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: 'azp' });
+            }
+        }
+        if (claims.auth_time !== undefined) {
+            assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims });
+        }
+        jwtRefs.set(response, jwt);
+        idTokenClaims.set(json, claims);
+    }
+    if (recognizedTokenTypes?.[json.token_type] !== undefined) {
+        recognizedTokenTypes[json.token_type](response, json);
+    }
+    else if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {
+        throw new UnsupportedOperationError('unsupported `token_type` value', { cause: { body: json } });
+    }
+    return json;
+}
+function checkAuthenticationChallenges(response) {
+    let challenges;
+    if ((challenges = parseWwwAuthenticateChallenges(response))) {
+        throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', { cause: challenges, response });
+    }
+}
+export async function processRefreshTokenResponse(as, client, response, options) {
+    return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+function validateOptionalAudience(expected, result) {
+    if (result.claims.aud !== undefined) {
+        return validateAudience(expected, result);
+    }
+    return result;
+}
+function validateAudience(expected, result) {
+    if (Array.isArray(result.claims.aud)) {
+        if (!result.claims.aud.includes(expected)) {
+            throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+                expected,
+                claims: result.claims,
+                claim: 'aud',
+            });
+        }
+    }
+    else if (result.claims.aud !== expected) {
+        throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+            expected,
+            claims: result.claims,
+            claim: 'aud',
+        });
+    }
+    return result;
+}
+function validateOptionalIssuer(as, result) {
+    if (result.claims.iss !== undefined) {
+        return validateIssuer(as, result);
+    }
+    return result;
+}
+function validateIssuer(as, result) {
+    const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+    if (result.claims.iss !== expected) {
+        throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+            expected,
+            claims: result.claims,
+            claim: 'iss',
+        });
+    }
+    return result;
+}
+const branded = new WeakSet();
+function brand(searchParams) {
+    branded.add(searchParams);
+    return searchParams;
+}
+export const nopkce = Symbol();
+export async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
+    assertAs(as);
+    assertClient(client);
+    if (!branded.has(callbackParameters)) {
+        throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
+    }
+    assertString(redirectUri, '"redirectUri"');
+    const code = getURLSearchParameter(callbackParameters, 'code');
+    if (!code) {
+        throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
+    }
+    const parameters = new URLSearchParams(options?.additionalParameters);
+    parameters.set('redirect_uri', redirectUri);
+    parameters.set('code', code);
+    if (codeVerifier !== nopkce) {
+        assertString(codeVerifier, '"codeVerifier"');
+        parameters.set('code_verifier', codeVerifier);
+    }
+    return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);
+}
+const jwtClaimNames = {
+    aud: 'audience',
+    c_hash: 'code hash',
+    client_id: 'client id',
+    exp: 'expiration time',
+    iat: 'issued at',
+    iss: 'issuer',
+    jti: 'jwt id',
+    nonce: 'nonce',
+    s_hash: 'state hash',
+    sub: 'subject',
+    ath: 'access token hash',
+    htm: 'http method',
+    htu: 'http uri',
+    cnf: 'confirmation',
+    auth_time: 'authentication time',
+};
+function validatePresence(required, result) {
+    for (const claim of required) {
+        if (result.claims[claim] === undefined) {
+            throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+                claims: result.claims,
+            });
+        }
+    }
+    return result;
+}
+export const expectNoNonce = Symbol();
+export const skipAuthTimeCheck = Symbol();
+export async function processAuthorizationCodeResponse(as, client, response, options) {
+    if (typeof options?.expectedNonce === 'string' ||
+        typeof options?.maxAge === 'number' ||
+        options?.requireIdToken) {
+        return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
+    }
+    return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
+    const additionalRequiredClaims = [];
+    switch (expectedNonce) {
+        case undefined:
+            expectedNonce = expectNoNonce;
+            break;
+        case expectNoNonce:
+            break;
+        default:
+            assertString(expectedNonce, '"expectedNonce" argument');
+            additionalRequiredClaims.push('nonce');
+    }
+    maxAge ??= client.default_max_age;
+    switch (maxAge) {
+        case undefined:
+            maxAge = skipAuthTimeCheck;
+            break;
+        case skipAuthTimeCheck:
+            break;
+        default:
+            assertNumber(maxAge, true, '"maxAge" argument');
+            additionalRequiredClaims.push('auth_time');
+    }
+    const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
+    assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+        body: result,
+    });
+    const claims = getValidatedIdTokenClaims(result);
+    if (maxAge !== skipAuthTimeCheck) {
+        const now = epochTime() + getClockSkew(client);
+        const tolerance = getClockTolerance(client);
+        if (claims.auth_time + maxAge < now - tolerance) {
+            throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });
+        }
+    }
+    if (expectedNonce === expectNoNonce) {
+        if (claims.nonce !== undefined) {
+            throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+                expected: undefined,
+                claims,
+                claim: 'nonce',
+            });
+        }
+    }
+    else if (claims.nonce !== expectedNonce) {
+        throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+            expected: expectedNonce,
+            claims,
+            claim: 'nonce',
+        });
+    }
+    return result;
+}
+async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
+    const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
+    const claims = getValidatedIdTokenClaims(result);
+    if (claims) {
+        if (client.default_max_age !== undefined) {
+            assertNumber(client.default_max_age, true, '"client.default_max_age"');
+            const now = epochTime() + getClockSkew(client);
+            const tolerance = getClockTolerance(client);
+            if (claims.auth_time + client.default_max_age < now - tolerance) {
+                throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });
+            }
+        }
+        if (claims.nonce !== undefined) {
+            throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+                expected: undefined,
+                claims,
+                claim: 'nonce',
+            });
+        }
+    }
+    return result;
+}
+export const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';
+export const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';
+export const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';
+export const AUTHORIZATION_RESPONSE_ERROR = 'OAUTH_AUTHORIZATION_RESPONSE_ERROR';
+export const JWT_USERINFO_EXPECTED = 'OAUTH_JWT_USERINFO_EXPECTED';
+export const PARSE_ERROR = 'OAUTH_PARSE_ERROR';
+export const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE';
+export const INVALID_REQUEST = 'OAUTH_INVALID_REQUEST';
+export const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON';
+export const RESPONSE_IS_NOT_CONFORM = 'OAUTH_RESPONSE_IS_NOT_CONFORM';
+export const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN';
+export const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN';
+export const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';
+export const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';
+export const JSON_ATTRIBUTE_COMPARISON = 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED';
+export const KEY_SELECTION = 'OAUTH_KEY_SELECTION_FAILED';
+export const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';
+export const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';
+function checkJwtType(expected, result) {
+    if (typeof result.header.typ !== 'string' || normalizeTyp(result.header.typ) !== expected) {
+        throw OPE('unexpected JWT "typ" header parameter value', INVALID_RESPONSE, {
+            header: result.header,
+        });
+    }
+    return result;
+}
+export async function clientCredentialsGrantRequest(as, client, clientAuthentication, parameters, options) {
+    assertAs(as);
+    assertClient(client);
+    return tokenEndpointRequest(as, client, clientAuthentication, 'client_credentials', new URLSearchParams(parameters), options);
+}
+export async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(grantType, '"grantType"');
+    return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);
+}
+export async function processGenericTokenEndpointResponse(as, client, response, options) {
+    return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+export async function processClientCredentialsResponse(as, client, response, options) {
+    return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+export async function revocationRequest(as, client, clientAuthentication, token, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(token, '"token"');
+    const url = resolveEndpoint(as, 'revocation_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const body = new URLSearchParams(options?.additionalParameters);
+    body.set('token', token);
+    const headers = prepareHeaders(options?.headers);
+    headers.delete('accept');
+    return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);
+}
+export async function processRevocationResponse(response) {
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 200, 'Revocation Endpoint');
+    return undefined;
+}
+function assertReadableResponse(response) {
+    if (response.bodyUsed) {
+        throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+    }
+}
+export async function introspectionRequest(as, client, clientAuthentication, token, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(token, '"token"');
+    const url = resolveEndpoint(as, 'introspection_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const body = new URLSearchParams(options?.additionalParameters);
+    body.set('token', token);
+    const headers = prepareHeaders(options?.headers);
+    if (options?.requestJwtResponse ?? client.introspection_signed_response_alg) {
+        headers.set('accept', 'application/token-introspection+jwt');
+    }
+    else {
+        headers.set('accept', 'application/json');
+    }
+    return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);
+}
+export async function processIntrospectionResponse(as, client, response, options) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 200, 'Introspection Endpoint');
+    let json;
+    if (getContentType(response) === 'application/token-introspection+jwt') {
+        assertReadableResponse(response);
+        const { claims, jwt } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])
+            .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))
+            .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))
+            .then(validateIssuer.bind(undefined, as))
+            .then(validateAudience.bind(undefined, client.client_id));
+        jwtRefs.set(response, jwt);
+        if (!isJsonObject(claims.token_introspection)) {
+            throw OPE('JWT "token_introspection" claim must be a JSON object', INVALID_RESPONSE, {
+                claims,
+            });
+        }
+        json = claims.token_introspection;
+    }
+    else {
+        assertReadableResponse(response);
+        json = await getResponseJsonBody(response);
+    }
+    if (typeof json.active !== 'boolean') {
+        throw OPE('"response" body "active" property must be a boolean', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    return json;
+}
+async function jwksRequest(as, options) {
+    assertAs(as);
+    const url = resolveEndpoint(as, 'jwks_uri', false, options?.[allowInsecureRequests] !== true);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    headers.append('accept', 'application/jwk-set+json');
+    return (options?.[customFetch] || fetch)(url.href, {
+        body: undefined,
+        headers: Object.fromEntries(headers.entries()),
+        method: 'GET',
+        redirect: 'manual',
+        signal: signal(url, options?.signal),
+    });
+}
+async function processJwksResponse(response) {
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    if (response.status !== 200) {
+        throw OPE('"response" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+    }
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response, (response) => assertContentTypes(response, 'application/json', 'application/jwk-set+json'));
+    if (!Array.isArray(json.keys)) {
+        throw OPE('"response" body "keys" property must be an array', INVALID_RESPONSE, { body: json });
+    }
+    if (!Array.prototype.every.call(json.keys, isJsonObject)) {
+        throw OPE('"response" body "keys" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json });
+    }
+    return json;
+}
+function supported(alg) {
+    switch (alg) {
+        case 'PS256':
+        case 'ES256':
+        case 'RS256':
+        case 'PS384':
+        case 'ES384':
+        case 'RS384':
+        case 'PS512':
+        case 'ES512':
+        case 'RS512':
+        case 'Ed25519':
+        case 'EdDSA':
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+            return true;
+        default:
+            return false;
+    }
+}
+function checkSupportedJwsAlg(header) {
+    if (!supported(header.alg)) {
+        throw new UnsupportedOperationError('unsupported JWS "alg" identifier', {
+            cause: { alg: header.alg },
+        });
+    }
+}
+function checkRsaKeyAlgorithm(key) {
+    const { algorithm } = key;
+    if (typeof algorithm.modulusLength !== 'number' || algorithm.modulusLength < 2048) {
+        throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
+            cause: key,
+        });
+    }
+}
+function ecdsaHashName(key) {
+    const { algorithm } = key;
+    switch (algorithm.namedCurve) {
+        case 'P-256':
+            return 'SHA-256';
+        case 'P-384':
+            return 'SHA-384';
+        case 'P-521':
+            return 'SHA-512';
+        default:
+            throw new UnsupportedOperationError('unsupported ECDSA namedCurve', { cause: key });
+    }
+}
+function keyToSubtle(key) {
+    switch (key.algorithm.name) {
+        case 'ECDSA':
+            return {
+                name: key.algorithm.name,
+                hash: ecdsaHashName(key),
+            };
+        case 'RSA-PSS': {
+            checkRsaKeyAlgorithm(key);
+            switch (key.algorithm.hash.name) {
+                case 'SHA-256':
+                case 'SHA-384':
+                case 'SHA-512':
+                    return {
+                        name: key.algorithm.name,
+                        saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,
+                    };
+                default:
+                    throw new UnsupportedOperationError('unsupported RSA-PSS hash name', { cause: key });
+            }
+        }
+        case 'RSASSA-PKCS1-v1_5':
+            checkRsaKeyAlgorithm(key);
+            return key.algorithm.name;
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+        case 'Ed25519':
+            return key.algorithm.name;
+    }
+    throw new UnsupportedOperationError('unsupported CryptoKey algorithm name', { cause: key });
+}
+async function validateJwsSignature(protectedHeader, payload, key, signature) {
+    const data = buf(`${protectedHeader}.${payload}`);
+    const algorithm = keyToSubtle(key);
+    const verified = await crypto.subtle.verify(algorithm, key, signature, data);
+    if (!verified) {
+        throw OPE('JWT signature verification failed', INVALID_RESPONSE, {
+            key,
+            data,
+            signature,
+            algorithm,
+        });
+    }
+}
+async function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) {
+    let { 0: protectedHeader, 1: payload, length } = jws.split('.');
+    if (length === 5) {
+        if (decryptJwt !== undefined) {
+            jws = await decryptJwt(jws);
+            ({ 0: protectedHeader, 1: payload, length } = jws.split('.'));
+        }
+        else {
+            throw new UnsupportedOperationError('JWE decryption is not configured', { cause: jws });
+        }
+    }
+    if (length !== 3) {
+        throw OPE('Invalid JWT', INVALID_RESPONSE, jws);
+    }
+    let header;
+    try {
+        header = JSON.parse(buf(b64u(protectedHeader)));
+    }
+    catch (cause) {
+        throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause);
+    }
+    if (!isJsonObject(header)) {
+        throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws);
+    }
+    checkAlg(header);
+    if (header.crit !== undefined) {
+        throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+            cause: { header },
+        });
+    }
+    let claims;
+    try {
+        claims = JSON.parse(buf(b64u(payload)));
+    }
+    catch (cause) {
+        throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause);
+    }
+    if (!isJsonObject(claims)) {
+        throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws);
+    }
+    const now = epochTime() + clockSkew;
+    if (claims.exp !== undefined) {
+        if (typeof claims.exp !== 'number') {
+            throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims });
+        }
+        if (claims.exp <= now - clockTolerance) {
+            throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance, claim: 'exp' });
+        }
+    }
+    if (claims.iat !== undefined) {
+        if (typeof claims.iat !== 'number') {
+            throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims });
+        }
+    }
+    if (claims.iss !== undefined) {
+        if (typeof claims.iss !== 'string') {
+            throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims });
+        }
+    }
+    if (claims.nbf !== undefined) {
+        if (typeof claims.nbf !== 'number') {
+            throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims });
+        }
+        if (claims.nbf > now + clockTolerance) {
+            throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+                claims,
+                now,
+                tolerance: clockTolerance,
+                claim: 'nbf',
+            });
+        }
+    }
+    if (claims.aud !== undefined) {
+        if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {
+            throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims });
+        }
+    }
+    return { header, claims, jwt: jws };
+}
+export async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {
+    assertAs(as);
+    assertClient(client);
+    if (parameters instanceof URL) {
+        parameters = parameters.searchParams;
+    }
+    if (!(parameters instanceof URLSearchParams)) {
+        throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);
+    }
+    const response = getURLSearchParameter(parameters, 'response');
+    if (!response) {
+        throw OPE('"parameters" does not contain a JARM response', INVALID_RESPONSE);
+    }
+    const { claims, header, jwt } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])
+        .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))
+        .then(validateIssuer.bind(undefined, as))
+        .then(validateAudience.bind(undefined, client.client_id));
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');
+    const signature = b64u(encodedSignature);
+    const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, signature);
+    const result = new URLSearchParams();
+    for (const [key, value] of Object.entries(claims)) {
+        if (typeof value === 'string' && key !== 'aud') {
+            result.set(key, value);
+        }
+    }
+    return validateAuthResponse(as, client, result, expectedState);
+}
+async function idTokenHash(data, header, claimName) {
+    let algorithm;
+    switch (header.alg) {
+        case 'RS256':
+        case 'PS256':
+        case 'ES256':
+            algorithm = 'SHA-256';
+            break;
+        case 'RS384':
+        case 'PS384':
+        case 'ES384':
+            algorithm = 'SHA-384';
+            break;
+        case 'RS512':
+        case 'PS512':
+        case 'ES512':
+        case 'Ed25519':
+        case 'EdDSA':
+            algorithm = 'SHA-512';
+            break;
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+            algorithm = { name: 'cSHAKE256', length: 512 };
+            break;
+        default:
+            throw new UnsupportedOperationError(`unsupported JWS algorithm for ${claimName} calculation`, { cause: { alg: header.alg } });
+    }
+    const digest = await crypto.subtle.digest(algorithm, buf(data));
+    return b64u(digest.slice(0, digest.byteLength / 2));
+}
+async function idTokenHashMatches(data, actual, header, claimName) {
+    const expected = await idTokenHash(data, header, claimName);
+    return actual === expected;
+}
+export async function validateDetachedSignatureResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {
+    return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, true);
+}
+export async function validateCodeIdTokenResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options) {
+    return validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, false);
+}
+async function consumeStream(request) {
+    if (request.bodyUsed) {
+        throw CodedTypeError('form_post Request instances must contain a readable body', ERR_INVALID_ARG_VALUE, { cause: request });
+    }
+    return request.text();
+}
+export async function formPostResponse(request) {
+    if (request.method !== 'POST') {
+        throw CodedTypeError('form_post responses are expected to use the POST method', ERR_INVALID_ARG_VALUE, { cause: request });
+    }
+    if (getContentType(request) !== 'application/x-www-form-urlencoded') {
+        throw CodedTypeError('form_post responses are expected to use the application/x-www-form-urlencoded content-type', ERR_INVALID_ARG_VALUE, { cause: request });
+    }
+    return consumeStream(request);
+}
+async function validateHybridResponse(as, client, parameters, expectedNonce, expectedState, maxAge, options, fapi) {
+    assertAs(as);
+    assertClient(client);
+    if (parameters instanceof URL) {
+        if (!parameters.hash.length) {
+            throw CodedTypeError('"parameters" as an instance of URL must contain a hash (fragment) with the Authorization Response parameters', ERR_INVALID_ARG_VALUE);
+        }
+        parameters = new URLSearchParams(parameters.hash.slice(1));
+    }
+    else if (looseInstanceOf(parameters, Request)) {
+        parameters = new URLSearchParams(await formPostResponse(parameters));
+    }
+    else if (parameters instanceof URLSearchParams) {
+        parameters = new URLSearchParams(parameters);
+    }
+    else {
+        throw CodedTypeError('"parameters" must be an instance of URLSearchParams, URL, or Response', ERR_INVALID_ARG_TYPE);
+    }
+    const id_token = getURLSearchParameter(parameters, 'id_token');
+    parameters.delete('id_token');
+    switch (expectedState) {
+        case undefined:
+        case expectNoState:
+            break;
+        default:
+            assertString(expectedState, '"expectedState" argument');
+    }
+    const result = validateAuthResponse({
+        ...as,
+        authorization_response_iss_parameter_supported: false,
+    }, client, parameters, expectedState);
+    if (!id_token) {
+        throw OPE('"parameters" does not contain an ID Token', INVALID_RESPONSE);
+    }
+    const code = getURLSearchParameter(parameters, 'code');
+    if (!code) {
+        throw OPE('"parameters" does not contain an Authorization Code', INVALID_RESPONSE);
+    }
+    const requiredClaims = [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'sub',
+        'nonce',
+        'c_hash',
+    ];
+    const state = parameters.get('state');
+    if (fapi && (typeof expectedState === 'string' || state !== null)) {
+        requiredClaims.push('s_hash');
+    }
+    if (maxAge !== undefined) {
+        assertNumber(maxAge, true, '"maxAge" argument');
+    }
+    else if (client.default_max_age !== undefined) {
+        assertNumber(client.default_max_age, true, '"client.default_max_age"');
+    }
+    maxAge ??= client.default_max_age ?? skipAuthTimeCheck;
+    if (client.require_auth_time || maxAge !== skipAuthTimeCheck) {
+        requiredClaims.push('auth_time');
+    }
+    const { claims, header, jwt } = await validateJwt(id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), options?.[jweDecrypt])
+        .then(validatePresence.bind(undefined, requiredClaims))
+        .then(validateIssuer.bind(undefined, as))
+        .then(validateAudience.bind(undefined, client.client_id));
+    const clockSkew = getClockSkew(client);
+    const now = epochTime() + clockSkew;
+    if (claims.iat < now - 3600) {
+        throw OPE('unexpected JWT "iat" (issued at) claim value, it is too far in the past', JWT_TIMESTAMP_CHECK, { now, claims, claim: 'iat' });
+    }
+    assertString(claims.c_hash, 'ID Token "c_hash" (code hash) claim value', INVALID_RESPONSE, {
+        claims,
+    });
+    if (claims.auth_time !== undefined) {
+        assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims });
+    }
+    if (maxAge !== skipAuthTimeCheck) {
+        const now = epochTime() + getClockSkew(client);
+        const tolerance = getClockTolerance(client);
+        if (claims.auth_time + maxAge < now - tolerance) {
+            throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: 'auth_time' });
+        }
+    }
+    assertString(expectedNonce, '"expectedNonce" argument');
+    if (claims.nonce !== expectedNonce) {
+        throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+            expected: expectedNonce,
+            claims,
+            claim: 'nonce',
+        });
+    }
+    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+        if (claims.azp === undefined) {
+            throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: 'aud' });
+        }
+        if (claims.azp !== client.client_id) {
+            throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, {
+                expected: client.client_id,
+                claims,
+                claim: 'azp',
+            });
+        }
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = jwt.split('.');
+    const signature = b64u(encodedSignature);
+    const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, signature);
+    if ((await idTokenHashMatches(code, claims.c_hash, header, 'c_hash')) !== true) {
+        throw OPE('invalid ID Token "c_hash" (code hash) claim value', JWT_CLAIM_COMPARISON, {
+            code,
+            alg: header.alg,
+            claim: 'c_hash',
+            claims,
+        });
+    }
+    if ((fapi && state !== null) || claims.s_hash !== undefined) {
+        assertString(claims.s_hash, 'ID Token "s_hash" (state hash) claim value', INVALID_RESPONSE, {
+            claims,
+        });
+        assertString(state, '"state" response parameter', INVALID_RESPONSE, { parameters });
+        if ((await idTokenHashMatches(state, claims.s_hash, header, 's_hash')) !== true) {
+            throw OPE('invalid ID Token "s_hash" (state hash) claim value', JWT_CLAIM_COMPARISON, {
+                state,
+                alg: header.alg,
+                claim: 's_hash',
+                claims,
+            });
+        }
+    }
+    return result;
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+    if (client !== undefined) {
+        if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) {
+            throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+                header,
+                expected: client,
+                reason: 'client configuration',
+            });
+        }
+        return;
+    }
+    if (Array.isArray(issuer)) {
+        if (!issuer.includes(header.alg)) {
+            throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+                header,
+                expected: issuer,
+                reason: 'authorization server metadata',
+            });
+        }
+        return;
+    }
+    if (fallback !== undefined) {
+        if (typeof fallback === 'string'
+            ? header.alg !== fallback
+            : typeof fallback === 'function'
+                ? !fallback(header.alg)
+                : !fallback.includes(header.alg)) {
+            throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+                header,
+                expected: fallback,
+                reason: 'default value',
+            });
+        }
+        return;
+    }
+    throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback });
+}
+function getURLSearchParameter(parameters, name) {
+    const { 0: value, length } = parameters.getAll(name);
+    if (length > 1) {
+        throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
+    }
+    return value;
+}
+export const skipStateCheck = Symbol();
+export const expectNoState = Symbol();
+export function validateAuthResponse(as, client, parameters, expectedState) {
+    assertAs(as);
+    assertClient(client);
+    if (parameters instanceof URL) {
+        parameters = parameters.searchParams;
+    }
+    if (!(parameters instanceof URLSearchParams)) {
+        throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);
+    }
+    if (getURLSearchParameter(parameters, 'response')) {
+        throw OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters });
+    }
+    const iss = getURLSearchParameter(parameters, 'iss');
+    const state = getURLSearchParameter(parameters, 'state');
+    if (!iss && as.authorization_response_iss_parameter_supported) {
+        throw OPE('response parameter "iss" (issuer) missing', INVALID_RESPONSE, { parameters });
+    }
+    if (iss && iss !== as.issuer) {
+        throw OPE('unexpected "iss" (issuer) response parameter value', INVALID_RESPONSE, {
+            expected: as.issuer,
+            parameters,
+        });
+    }
+    switch (expectedState) {
+        case undefined:
+        case expectNoState:
+            if (state !== undefined) {
+                throw OPE('unexpected "state" response parameter encountered', INVALID_RESPONSE, {
+                    expected: undefined,
+                    parameters,
+                });
+            }
+            break;
+        case skipStateCheck:
+            break;
+        default:
+            assertString(expectedState, '"expectedState" argument');
+            if (state !== expectedState) {
+                throw OPE(state === undefined
+                    ? 'response parameter "state" missing'
+                    : 'unexpected "state" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters });
+            }
+    }
+    const error = getURLSearchParameter(parameters, 'error');
+    if (error) {
+        throw new AuthorizationResponseError('authorization response from the server is an error', {
+            cause: parameters,
+        });
+    }
+    const id_token = getURLSearchParameter(parameters, 'id_token');
+    const token = getURLSearchParameter(parameters, 'token');
+    if (id_token !== undefined || token !== undefined) {
+        throw new UnsupportedOperationError('implicit and hybrid flows are not supported');
+    }
+    return brand(new URLSearchParams(parameters));
+}
+function algToSubtle(alg) {
+    switch (alg) {
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+            return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };
+        case 'ES256':
+        case 'ES384':
+            return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };
+        case 'ES512':
+            return { name: 'ECDSA', namedCurve: 'P-521' };
+        case 'EdDSA':
+            return 'Ed25519';
+        case 'Ed25519':
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+            return alg;
+        default:
+            throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } });
+    }
+}
+async function importJwk(alg, jwk) {
+    const { ext, key_ops, use, ...key } = jwk;
+    return crypto.subtle.importKey('jwk', key, algToSubtle(alg), true, ['verify']);
+}
+export async function deviceAuthorizationRequest(as, client, clientAuthentication, parameters, options) {
+    assertAs(as);
+    assertClient(client);
+    const url = resolveEndpoint(as, 'device_authorization_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const body = new URLSearchParams(parameters);
+    body.set('client_id', client.client_id);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);
+}
+export async function processDeviceAuthorizationResponse(as, client, response) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 200, 'Device Authorization Endpoint');
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.device_code, '"response" body "device_code" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    assertString(json.user_code, '"response" body "user_code" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    assertString(json.verification_uri, '"response" body "verification_uri" property', INVALID_RESPONSE, { body: json });
+    let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    json.expires_in = expiresIn;
+    if (json.verification_uri_complete !== undefined) {
+        assertString(json.verification_uri_complete, '"response" body "verification_uri_complete" property', INVALID_RESPONSE, { body: json });
+    }
+    if (json.interval !== undefined) {
+        assertNumber(json.interval, false, '"response" body "interval" property', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    return json;
+}
+export async function deviceCodeGrantRequest(as, client, clientAuthentication, deviceCode, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(deviceCode, '"deviceCode"');
+    const parameters = new URLSearchParams(options?.additionalParameters);
+    parameters.set('device_code', deviceCode);
+    return tokenEndpointRequest(as, client, clientAuthentication, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);
+}
+export async function processDeviceCodeResponse(as, client, response, options) {
+    return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+export async function generateKeyPair(alg, options) {
+    assertString(alg, '"alg"');
+    const algorithm = algToSubtle(alg);
+    if (alg.startsWith('PS') || alg.startsWith('RS')) {
+        Object.assign(algorithm, {
+            modulusLength: options?.modulusLength ?? 2048,
+            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+        });
+    }
+    return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, [
+        'sign',
+        'verify',
+    ]);
+}
+function normalizeHtu(htu) {
+    const url = new URL(htu);
+    url.search = '';
+    url.hash = '';
+    return url.href;
+}
+async function validateDPoP(request, accessToken, accessTokenClaims, options) {
+    const headerValue = request.headers.get('dpop');
+    if (headerValue === null) {
+        throw OPE('operation indicated DPoP use but the request has no DPoP HTTP Header', INVALID_REQUEST, { headers: request.headers });
+    }
+    if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {
+        throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers });
+    }
+    if (typeof accessTokenClaims.cnf?.jkt !== 'string') {
+        throw OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim', INVALID_REQUEST, { claims: accessTokenClaims });
+    }
+    const clockSkew = getClockSkew(options);
+    const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew, getClockTolerance(options), undefined)
+        .then(checkJwtType.bind(undefined, 'dpop+jwt'))
+        .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));
+    const now = epochTime() + clockSkew;
+    const diff = Math.abs(now - proof.claims.iat);
+    if (diff > 300) {
+        throw OPE('DPoP Proof iat is not recent enough', JWT_TIMESTAMP_CHECK, {
+            now,
+            claims: proof.claims,
+            claim: 'iat',
+        });
+    }
+    if (proof.claims.htm !== request.method) {
+        throw OPE('DPoP Proof htm mismatch', JWT_CLAIM_COMPARISON, {
+            expected: request.method,
+            claims: proof.claims,
+            claim: 'htm',
+        });
+    }
+    if (typeof proof.claims.htu !== 'string' ||
+        normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {
+        throw OPE('DPoP Proof htu mismatch', JWT_CLAIM_COMPARISON, {
+            expected: normalizeHtu(request.url),
+            claims: proof.claims,
+            claim: 'htu',
+        });
+    }
+    {
+        const expected = b64u(await crypto.subtle.digest('SHA-256', buf(accessToken)));
+        if (proof.claims.ath !== expected) {
+            throw OPE('DPoP Proof ath mismatch', JWT_CLAIM_COMPARISON, {
+                expected,
+                claims: proof.claims,
+                claim: 'ath',
+            });
+        }
+    }
+    {
+        const expected = await calculateJwkThumbprint(proof.header.jwk);
+        if (accessTokenClaims.cnf.jkt !== expected) {
+            throw OPE('JWT Access Token confirmation mismatch', JWT_CLAIM_COMPARISON, {
+                expected,
+                claims: accessTokenClaims,
+                claim: 'cnf.jkt',
+            });
+        }
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split('.');
+    const signature = b64u(encodedSignature);
+    const { jwk, alg } = proof.header;
+    if (!jwk) {
+        throw OPE('DPoP Proof is missing the jwk header parameter', INVALID_REQUEST, {
+            header: proof.header,
+        });
+    }
+    const key = await importJwk(alg, jwk);
+    if (key.type !== 'public') {
+        throw OPE('DPoP Proof jwk header parameter must contain a public key', INVALID_REQUEST, {
+            header: proof.header,
+        });
+    }
+    await validateJwsSignature(protectedHeader, payload, key, signature);
+}
+export async function validateJwtAccessToken(as, request, expectedAudience, options) {
+    assertAs(as);
+    if (!looseInstanceOf(request, Request)) {
+        throw CodedTypeError('"request" must be an instance of Request', ERR_INVALID_ARG_TYPE);
+    }
+    assertString(expectedAudience, '"expectedAudience"');
+    const authorization = request.headers.get('authorization');
+    if (authorization === null) {
+        throw OPE('"request" is missing an Authorization HTTP Header', INVALID_REQUEST, {
+            headers: request.headers,
+        });
+    }
+    let { 0: scheme, 1: accessToken, length } = authorization.split(' ');
+    scheme = scheme.toLowerCase();
+    switch (scheme) {
+        case 'dpop':
+        case 'bearer':
+            break;
+        default:
+            throw new UnsupportedOperationError('unsupported Authorization HTTP Header scheme', {
+                cause: { headers: request.headers },
+            });
+    }
+    if (length !== 2) {
+        throw OPE('invalid Authorization HTTP Header format', INVALID_REQUEST, {
+            headers: request.headers,
+        });
+    }
+    const requiredClaims = [
+        'iss',
+        'exp',
+        'aud',
+        'sub',
+        'iat',
+        'jti',
+        'client_id',
+    ];
+    if (options?.requireDPoP || scheme === 'dpop' || request.headers.has('dpop')) {
+        requiredClaims.push('cnf');
+    }
+    const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined)
+        .then(checkJwtType.bind(undefined, 'at+jwt'))
+        .then(validatePresence.bind(undefined, requiredClaims))
+        .then(validateIssuer.bind(undefined, as))
+        .then(validateAudience.bind(undefined, expectedAudience))
+        .catch(reassignRSCode);
+    for (const claim of ['client_id', 'jti', 'sub']) {
+        if (typeof claims[claim] !== 'string') {
+            throw OPE(`unexpected JWT "${claim}" claim type`, INVALID_REQUEST, { claims });
+        }
+    }
+    if ('cnf' in claims) {
+        if (!isJsonObject(claims.cnf)) {
+            throw OPE('unexpected JWT "cnf" (confirmation) claim value', INVALID_REQUEST, { claims });
+        }
+        const { 0: cnf, length } = Object.keys(claims.cnf);
+        if (length) {
+            if (length !== 1) {
+                throw new UnsupportedOperationError('multiple confirmation claims are not supported', {
+                    cause: { claims },
+                });
+            }
+            if (cnf !== 'jkt') {
+                throw new UnsupportedOperationError('unsupported JWT Confirmation method', {
+                    cause: { claims },
+                });
+            }
+        }
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split('.');
+    const signature = b64u(encodedSignature);
+    const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, signature);
+    if (options?.requireDPoP ||
+        scheme === 'dpop' ||
+        claims.cnf?.jkt !== undefined ||
+        request.headers.has('dpop')) {
+        await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode);
+    }
+    return claims;
+}
+function reassignRSCode(err) {
+    if (err instanceof OperationProcessingError && err?.code === INVALID_REQUEST) {
+        err.code = INVALID_RESPONSE;
+    }
+    throw err;
+}
+export async function backchannelAuthenticationRequest(as, client, clientAuthentication, parameters, options) {
+    assertAs(as);
+    assertClient(client);
+    const url = resolveEndpoint(as, 'backchannel_authentication_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const body = new URLSearchParams(parameters);
+    body.set('client_id', client.client_id);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    return authenticatedRequest(as, client, clientAuthentication, url, body, headers, options);
+}
+export async function processBackchannelAuthenticationResponse(as, client, response) {
+    assertAs(as);
+    assertClient(client);
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 200, 'Backchannel Authentication Endpoint');
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.auth_req_id, '"response" body "auth_req_id" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    json.expires_in = expiresIn;
+    if (json.interval !== undefined) {
+        assertNumber(json.interval, false, '"response" body "interval" property', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    return json;
+}
+export async function backchannelAuthenticationGrantRequest(as, client, clientAuthentication, authReqId, options) {
+    assertAs(as);
+    assertClient(client);
+    assertString(authReqId, '"authReqId"');
+    const parameters = new URLSearchParams(options?.additionalParameters);
+    parameters.set('auth_req_id', authReqId);
+    return tokenEndpointRequest(as, client, clientAuthentication, 'urn:openid:params:grant-type:ciba', parameters, options);
+}
+export async function processBackchannelAuthenticationGrantResponse(as, client, response, options) {
+    return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+export async function dynamicClientRegistrationRequest(as, metadata, options) {
+    assertAs(as);
+    const url = resolveEndpoint(as, 'registration_endpoint', metadata.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+    const headers = prepareHeaders(options?.headers);
+    headers.set('accept', 'application/json');
+    headers.set('content-type', 'application/json');
+    const method = 'POST';
+    if (options?.DPoP) {
+        assertDPoP(options.DPoP);
+        await options.DPoP.addProof(url, headers, method, options.initialAccessToken);
+    }
+    if (options?.initialAccessToken) {
+        headers.set('authorization', `${headers.has('dpop') ? 'DPoP' : 'Bearer'} ${options.initialAccessToken}`);
+    }
+    const response = await (options?.[customFetch] || fetch)(url.href, {
+        body: JSON.stringify(metadata),
+        headers: Object.fromEntries(headers.entries()),
+        method,
+        redirect: 'manual',
+        signal: signal(url, options?.signal),
+    });
+    options?.DPoP?.cacheNonce(response);
+    return response;
+}
+export async function processDynamicClientRegistrationResponse(response) {
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    await checkOAuthBodyError(response, 201, 'Dynamic Client Registration Endpoint');
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.client_id, '"response" body "client_id" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    if (json.client_secret !== undefined) {
+        assertString(json.client_secret, '"response" body "client_secret" property', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    if (json.client_secret) {
+        assertNumber(json.client_secret_expires_at, true, '"response" body "client_secret_expires_at" property', INVALID_RESPONSE, {
+            body: json,
+        });
+    }
+    return json;
+}
+export async function resourceDiscoveryRequest(resourceIdentifier, options) {
+    return performDiscovery(resourceIdentifier, 'resourceIdentifier', (url) => {
+        prependWellKnown(url, '.well-known/oauth-protected-resource', true);
+        return url;
+    }, options);
+}
+export async function processResourceDiscoveryResponse(expectedResourceIdentifier, response) {
+    const expected = expectedResourceIdentifier;
+    if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {
+        throw CodedTypeError('"expectedResourceIdentifier" must be an instance of URL', ERR_INVALID_ARG_TYPE);
+    }
+    if (!looseInstanceOf(response, Response)) {
+        throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+    }
+    if (response.status !== 200) {
+        throw OPE('"response" is not a conform Resource Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+    }
+    assertReadableResponse(response);
+    const json = await getResponseJsonBody(response);
+    assertString(json.resource, '"response" body "resource" property', INVALID_RESPONSE, {
+        body: json,
+    });
+    if (expected !== _nodiscoverycheck && new URL(json.resource).href !== expected.href) {
+        throw OPE('"response" body "resource" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: 'resource' });
+    }
+    return json;
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch (cause) {
+        check(response);
+        throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+    }
+    if (!isJsonObject(json)) {
+        throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json });
+    }
+    return json;
+}
+export const _nopkce = nopkce;
+export const _nodiscoverycheck = Symbol();
+export const _expectedIssuer = Symbol();
+//# sourceMappingURL=index.js.map