oidc-spa 6.15.1 → 7.0.0

package/src/core/createOidc.ts

@@ -8,7 +8,6 @@ import type { OidcMetadata } from "./OidcMetadata";
 import { id, assert, is, type Equals } from "../vendor/frontend/tsafe";
 import { setTimeout, clearTimeout } from "../tools/workerTimers";
 import { Deferred } from "../tools/Deferred";
-import { decodeJwt } from "../tools/decodeJwt";
 import { createEvtIsUserActive } from "./evtIsUserActive";
 import { createStartCountdown } from "../tools/startCountdown";
 import { toHumanReadableDuration } from "../tools/toHumanReadableDuration";
@@ -23,7 +22,7 @@ import { type StateData, generateStateQueryParamValue, STATE_STORE_KEY_PREFIX }
 import { notifyOtherTabsOfLogout, getPrOtherTabLogout } from "./logoutPropagationToOtherTabs";
 import { notifyOtherTabsOfLogin, getPrOtherTabLogin } from "./loginPropagationToOtherTabs";
 import { getConfigId } from "./configId";
-import { oidcClientTsUserToTokens, getMsBeforeExpiration } from "./oidcClientTsUserToTokens";
+import { oidcClientTsUserToTokens } from "./oidcClientTsUserToTokens";
 import { loginSilent } from "./loginSilent";
 import { authResponseToUrl } from "./AuthResponse";
 import { handleOidcCallback, retrieveRedirectAuthResponseAndStateData } from "./handleOidcCallback";
@@ -60,23 +59,14 @@ export type ParamsOfCreateOidc<
      * (the scope "openid" is added automatically as it's mandatory)
      **/
     scopes?: string[];
-    /**
-     * Transform the url of the authorization endpoint before redirecting to the login pages.
-     */
-    transformUrlBeforeRedirect?: (url: string) => string;
 
     /**
-     * NOTE: Will replace transformUrlBeforeRedirect in the next major version.
-     *
      * Transform the url (authorization endpoint) before redirecting to the login pages.
      *
      * The isSilent parameter is true when the redirect is initiated in the background iframe for silent signin.
      * This can be used to omit ui related query parameters (like `ui_locales`).
      */
-    transformUrlBeforeRedirect_next?: (params: {
-        authorizationUrl: string;
-        isSilent: boolean;
-    }) => string;
+    transformUrlBeforeRedirect?: (params: { authorizationUrl: string; isSilent: boolean }) => string;
 
     /**
      * Extra query params to be added to the authorization endpoint url before redirecting or silent signing in.
@@ -120,30 +110,10 @@ export type ParamsOfCreateOidc<
      */
     homeUrl: string;
 
-    /**
-     * WARNING: If you are deploying on the web, you should not set this parameter.
-     * The callbackUrl is the homeURl.
-     *
-     * This is only useful for when you also shipping your app as a Desktop App with Electron.
-     * NOTE that even in this case, it's not automatic, you still need to handle the response
-     * in the electron node process.
-     *
-     * Example: __callbackUri: "myapp://oidc-callback/"
-     */
-    __callbackUri?: string;
+    decodedIdTokenSchema?: {
+        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
+    };
 
-    decodedIdTokenSchema?: { parse: (data: unknown) => DecodedIdToken };
-    /**
-     * @deprecated: Use idleSessionLifetimeInSeconds instead
-     *
-     * This parameter defines after how many seconds of inactivity the user should be
-     * logged out automatically.
-     *
-     * WARNING: It should be configured on the identity server side
-     * as it's the authoritative source for security policies and not the client.
-     * If you don't provide this parameter it will be inferred from the refresh token expiration time.
-     * */
-    __unsafe_ssoSessionIdleSeconds?: number;
     /**
      * This parameter defines after how many seconds of inactivity the user should be
      * logged out automatically.
@@ -154,6 +124,9 @@ export type ParamsOfCreateOidc<
      * */
     idleSessionLifetimeInSeconds?: number;
 
+    /**
+     * Default: { redirectTo: "current page" }
+     */
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
     autoLogin?: AutoLogin;
 
@@ -166,6 +139,16 @@ export type ParamsOfCreateOidc<
 
     debugLogs?: boolean;
 
+    /**
+     * WARNING: This option exists solely as a workaround
+     * for limitations in the Google OAuth API.
+     * See: https://docs.oidc-spa.dev/providers-configuration/google-oauth
+     *
+     * Do not use this for other providers.
+     * If you think you need a client secret in a SPA, you are likely
+     * trying to use a confidential (private) client in the browser,
+     * which is insecure and not supported.
+     */
     __unsafe_clientSecret?: string;
 
     /**
@@ -195,8 +178,6 @@ const globalContext = {
     evtRequestToPersistTokens: createEvt<{ configIdOfInstancePostingTheRequest: string }>()
 };
 
-const MIN_RENEW_BEFORE_EXPIRE_MS = 2_000;
-
 /** @see: https://docs.oidc-spa.dev/v/v6/usage */
 export async function createOidc<
     DecodedIdToken extends Record<string, unknown> = Record<string, unknown>,
@@ -296,15 +277,12 @@ export async function createOidc_nonMemoized<
     }
 ): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>> {
     const {
-        transformUrlBeforeRedirect_next,
         transformUrlBeforeRedirect,
         extraQueryParams: extraQueryParamsOrGetter,
         extraTokenParams: extraTokenParamsOrGetter,
         homeUrl: homeUrl_params,
-        __callbackUri,
         decodedIdTokenSchema,
-        __unsafe_ssoSessionIdleSeconds,
-        idleSessionLifetimeInSeconds = __unsafe_ssoSessionIdleSeconds,
+        idleSessionLifetimeInSeconds,
         autoLogoutParams = { redirectTo: "current page" },
         autoLogin = false,
         postLoginRedirectUrl: postLoginRedirectUrl_default,
@@ -347,7 +325,7 @@ export async function createOidc_nonMemoized<
     });
 
     const callbackUri = toFullyQualifiedUrl({
-        urlish: __callbackUri ?? homeUrl,
+        urlish: homeUrl,
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });
@@ -476,7 +454,6 @@ export async function createOidc_nonMemoized<
         configId,
         oidcClientTsUserManager,
         transformUrlBeforeRedirect,
-        transformUrlBeforeRedirect_next,
         getExtraQueryParams,
         getExtraTokenParams,
         homeUrl,
@@ -675,7 +652,7 @@ export async function createOidc_nonMemoized<
                     oidcClientTsUserManager,
                     stateQueryParamValue_instance,
                     configId,
-                    transformUrlBeforeRedirect_next,
+                    transformUrlBeforeRedirect,
                     getExtraQueryParams,
                     getExtraTokenParams,
                     autoLogin
@@ -966,18 +943,33 @@ export async function createOidc_nonMemoized<
 
     const onTokenChanges = new Set<(tokens: Oidc.Tokens<DecodedIdToken>) => void>();
 
-    const { sid: sessionId, sub: subjectId } = decodeJwt<{ sid?: string; sub?: string }>(
-        currentTokens.idToken
-    );
+    const { sid: sessionId, sub: subjectId } = currentTokens.decodedIdToken_original;
 
     assert(subjectId !== undefined, "The 'sub' claim is missing from the id token");
+    assert(sessionId === undefined || typeof sessionId === "string");
 
     const oidc_loggedIn = id<Oidc.LoggedIn<DecodedIdToken>>({
         ...oidc_common,
         isUserLoggedIn: true,
-        getTokens: () => currentTokens,
-        getTokens_next: async () => {
-            if (getMsBeforeExpiration(currentTokens) <= MIN_RENEW_BEFORE_EXPIRE_MS) {
+        getTokens: async () => {
+            renew_tokens: {
+                {
+                    const msBeforeExpirationOfTheAccessToken =
+                        currentTokens.accessTokenExpirationTime - Date.now();
+
+                    if (msBeforeExpirationOfTheAccessToken > 30_000) {
+                        break renew_tokens;
+                    }
+                }
+
+                {
+                    const msElapsedSinceCurrentTokenWereIssued = Date.now() - currentTokens.issuedAtTime;
+
+                    if (msElapsedSinceCurrentTokenWereIssued < 5_000) {
+                        break renew_tokens;
+                    }
+                }
+
                 await oidc_loggedIn.renewTokens();
             }
 
@@ -1059,17 +1051,42 @@ export async function createOidc_nonMemoized<
             }) {
                 const { extraTokenParams } = params;
 
+                const fallbackToFullPageReload = async (): Promise<never> => {
+                    persistAuthState({ configId, state: undefined });
+
+                    await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
+                        prUnlock: new Promise<never>(() => {})
+                    });
+
+                    globalContext.evtRequestToPersistTokens.post({
+                        configIdOfInstancePostingTheRequest: configId
+                    });
+
+                    await loginOrGoToAuthServer({
+                        action: "login",
+                        redirectUrl: window.location.href,
+                        doForceReloadOnBfCache: true,
+                        extraQueryParams_local: undefined,
+                        transformUrlBeforeRedirect_local: undefined,
+                        doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
+                        interaction: "directly redirect if active session show login otherwise"
+                    });
+                    assert(false, "136134");
+                };
+
                 if (!currentTokens.hasRefreshToken && !canUseIframe) {
-                    const message = [
-                        "Unable to refresh tokens without a full app reload,",
-                        "because no refresh token is available",
-                        "and your app setup prevents silent sign-in via iframe.",
-                        "Your only option to refresh tokens is to call `window.location.reload()`"
-                    ].join(" ");
+                    log?.(
+                        [
+                            "Unable to refresh tokens without a full app reload,",
+                            "because no refresh token is available",
+                            "and your app setup prevents silent sign-in via iframe.",
+                            "Your only option to refresh tokens is to call `window.location.reload()`"
+                        ].join(" ")
+                    );
 
-                    log?.(message);
+                    await fallbackToFullPageReload();
 
-                    throw new Error(message);
+                    assert(false, "136135");
                 }
 
                 log?.("Renewing tokens");
@@ -1080,7 +1097,7 @@ export async function createOidc_nonMemoized<
                     oidcClientTsUserManager,
                     stateQueryParamValue_instance,
                     configId,
-                    transformUrlBeforeRedirect_next,
+                    transformUrlBeforeRedirect,
                     getExtraQueryParams,
                     getExtraTokenParams: () => extraTokenParams,
                     autoLogin
@@ -1088,6 +1105,8 @@ export async function createOidc_nonMemoized<
 
                 if (result_loginSilent.outcome === "failure") {
                     completeLoginOrRefreshProcess();
+                    // NOTE: This is a configuration or network error, okay to throw,
+                    // this exception doesn't have to be handle if it fails it fails.
                     throw new Error(result_loginSilent.cause);
                 }
 
@@ -1120,35 +1139,27 @@ export async function createOidc_nonMemoized<
 
                                 if (authResponse_error === undefined) {
                                     completeLoginOrRefreshProcess();
+                                    // Same here, if it fails it fails.
                                     throw error;
                                 }
-
-                                oidcClientTsUser_scope = undefined;
                             }
 
                             if (oidcClientTsUser_scope === undefined) {
-                                persistAuthState({ configId, state: undefined });
+                                // NOTE: Here we got a response but it's an error, session might have been
+                                // deleted or other edge case.
 
                                 completeLoginOrRefreshProcess();
 
-                                await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
-                                    prUnlock: new Promise<never>(() => {})
-                                });
+                                log?.(
+                                    [
+                                        "The user is probably not logged in anymore,",
+                                        "need to redirect to login pages"
+                                    ].join(" ")
+                                );
 
-                                globalContext.evtRequestToPersistTokens.post({
-                                    configIdOfInstancePostingTheRequest: configId
-                                });
+                                await fallbackToFullPageReload();
 
-                                await loginOrGoToAuthServer({
-                                    action: "login",
-                                    redirectUrl: window.location.href,
-                                    doForceReloadOnBfCache: true,
-                                    extraQueryParams_local: undefined,
-                                    transformUrlBeforeRedirect_local: undefined,
-                                    doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                                    interaction: "ensure no interaction"
-                                });
-                                assert(false, "136134");
+                                assert(false, "136135");
                             }
 
                             oidcClientTsUser = oidcClientTsUser_scope;
@@ -1298,64 +1309,55 @@ export async function createOidc_nonMemoized<
     }
 
     (function scheduleRenew() {
-        const login_dueToExpiration = async () => {
-            await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
-                prUnlock: new Promise<never>(() => {})
-            });
-
-            persistAuthState({ configId, state: undefined });
+        if (!currentTokens.hasRefreshToken && !canUseIframe) {
+            log?.(
+                "Disabling token auto refresh mechanism because we have no way to do it without reloading the page"
+            );
+            return;
+        }
 
-            return loginOrGoToAuthServer({
-                action: "login",
-                redirectUrl: window.location.href,
-                doForceReloadOnBfCache: true,
-                extraQueryParams_local: undefined,
-                transformUrlBeforeRedirect_local: undefined,
-                // NOTE: Wether or not it's the preferred behavior, pushing to history
-                // only works on user interaction so it have to be false
-                doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                interaction: "ensure no interaction"
-            });
-        };
+        const msBeforeExpiration =
+            (currentTokens.refreshTokenExpirationTime ?? currentTokens.accessTokenExpirationTime) -
+            Date.now();
 
-        const msBeforeExpiration = getMsBeforeExpiration(currentTokens);
+        const RENEW_MS_BEFORE_EXPIRES = 30_000;
 
-        if (msBeforeExpiration <= MIN_RENEW_BEFORE_EXPIRE_MS) {
+        if (msBeforeExpiration <= RENEW_MS_BEFORE_EXPIRES) {
             // NOTE: We just got a new token that is about to expire. This means that
             // the refresh token has reached it's max SSO time.
-            login_dueToExpiration();
+            // ...or that the refresh token have a very short lifespan...
+            // anyway, no need to keep alive, it will probably redirect on the next getTokens() or refreshTokens() call
             return;
         }
 
-        // NOTE: We refresh the token 25 seconds before it expires.
-        // If the token expiration time is less than 25 seconds we refresh the token when
-        // only 1/10 of the token time is left.
-        const renewMsBeforeExpires = Math.max(
-            Math.min(25_000, msBeforeExpiration * 0.1),
-            MIN_RENEW_BEFORE_EXPIRE_MS
-        );
-
         log?.(
             [
                 toHumanReadableDuration(msBeforeExpiration),
                 `before expiration of the access token.`,
-                `Scheduling renewal ${toHumanReadableDuration(renewMsBeforeExpires)} before expiration`
+                `Scheduling renewal ${toHumanReadableDuration(
+                    RENEW_MS_BEFORE_EXPIRES
+                )} before expiration`
             ].join(" ")
         );
 
-        const timer = setTimeout(async () => {
-            log?.(
-                `Renewing the access token now as it will expires in ${toHumanReadableDuration(
-                    renewMsBeforeExpires
-                )}`
-            );
+        const timer = setTimeout(
+            async () => {
+                log?.(
+                    `Renewing the access token now as it will expires in ${toHumanReadableDuration(
+                        RENEW_MS_BEFORE_EXPIRES
+                    )}`
+                );
 
-            try {
                 await oidc_loggedIn.renewTokens();
-            } catch {
-                await login_dueToExpiration();
-            }
-        }, msBeforeExpiration - renewMsBeforeExpires);
+            },
+            Math.min(
+                msBeforeExpiration - RENEW_MS_BEFORE_EXPIRES,
+                // NOTE: We want to make sure we do not overflow the setTimeout
+                // that must be a 32 bit unsigned integer.
+                // This can happen if the tokenExpirationTime is more than 24.8 days in the future.
+                Math.pow(2, 31) - 1
+            )
+        );
 
         const { unsubscribe: tokenChangeUnsubscribe } = oidc_loggedIn.subscribeToTokensChange(() => {
             clearTimeout(timer);

package/src/core/handleOidcCallback.ts

@@ -8,7 +8,6 @@ import { assert, id } from "../vendor/frontend/tsafe";
 import type { AuthResponse } from "./AuthResponse";
 import { initialLocationHref } from "./initialLocationHref";
 import { captureFetch } from "./trustedFetch";
-import { debug966975 } from "./debug966975";
 
 captureFetch();
 
@@ -16,19 +15,8 @@ const globalContext = {
     previousCall: id<{ isHandled: boolean } | undefined>(undefined)
 };
 
-debug966975.log(
-    `=================== Evaluating the handleOidcCallback file, isInIframe: ${
-        window.self !== window.top ? "true" : "false"
-    }, location.href: ${initialLocationHref}`
-);
-
 export function handleOidcCallback(): { isHandled: boolean } {
     if (globalContext.previousCall !== undefined) {
-        debug966975.log(
-            `handleOidcCallback() call, it has been called previously ${JSON.stringify(
-                globalContext.previousCall
-            )}`
-        );
         return globalContext.previousCall;
     }
 
@@ -36,20 +24,16 @@ export function handleOidcCallback(): { isHandled: boolean } {
 }
 
 function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
-    debug966975.log(`In handleOidcCallback_nonMemoized()`);
-
     const location_urlObj = new URL(initialLocationHref);
 
     const stateQueryParamValue = (() => {
         const stateQueryParamValue = location_urlObj.searchParams.get("state");
 
         if (stateQueryParamValue === null) {
-            debug966975.log("No state in url");
             return undefined;
         }
 
         if (!getIsStatQueryParamValue({ maybeStateQueryParamValue: stateQueryParamValue })) {
-            debug966975.log(`State query param value ${stateQueryParamValue} is malformed`);
             return undefined;
         }
 
@@ -58,9 +42,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             location_urlObj.searchParams.get("response_type") !== null &&
             location_urlObj.searchParams.get("redirect_uri") !== null
         ) {
-            debug966975.log(
-                "NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake."
-            );
             // NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake.
             return undefined;
         }
@@ -68,13 +49,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
         return stateQueryParamValue;
     })();
 
-    debug966975.log(`state query param value ${stateQueryParamValue ?? "undefined"}`);
-
     if (stateQueryParamValue === undefined) {
         const backForwardTracker = readBackForwardTracker();
 
-        debug966975.log(`backForwardTracker: ${JSON.stringify(backForwardTracker)}`);
-
         if (backForwardTracker !== undefined) {
             writeBackForwardTracker({
                 backForwardTracker: {
@@ -84,8 +61,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             });
         }
 
-        debug966975.log("returning isHandled false");
-
         return { isHandled: false };
     }
 
@@ -98,8 +73,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
 
     const stateData = getStateData({ stateQueryParamValue });
 
-    debug966975.log(`stateData: ${JSON.stringify(stateData)}`);
-
     if (
         stateData === undefined ||
         (stateData.context === "redirect" && stateData.hasBeenProcessedByCallback)
@@ -123,8 +96,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             }
         })();
 
-        debug966975.log(`historyMethod: ${historyMethod}`);
-
         writeBackForwardTracker({
             backForwardTracker: {
                 previousHistoryMethod: historyMethod,
@@ -133,8 +104,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
         });
 
         setTimeout(() => {
-            debug966975.log(`(callback 0) Calling window.history.${historyMethod}()`);
-
             reloadOnBfCacheNavigation();
 
             window.history[historyMethod]();
@@ -149,8 +118,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             }, 350);
         }, 0);
 
-        debug966975.log(`returning isHandled: ${isHandled ? "true" : "false"}`);
-
         return { isHandled };
     }
 
@@ -162,12 +129,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
 
     assert(authResponse.state !== "", "063965");
 
-    debug966975.log(`authResponse: ${JSON.stringify(authResponse)}`);
-
     switch (stateData.context) {
         case "iframe":
             setTimeout(() => {
-                debug966975.log(`(callback 0) posting message to parent`);
                 parent.postMessage(authResponse, location.origin);
             }, 0);
             break;
@@ -187,15 +151,11 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
                     return stateData.redirectUrl;
                 })();
 
-                debug966975.log(`(callback 0) location.href = "${href}";`);
-
                 location.href = href;
             }, 0);
             break;
     }
 
-    debug966975.log(`Returning isHandled: ${isHandled ? "true" : "false"}`);
-
     return { isHandled };
 }
 
@@ -229,28 +189,18 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
 }): { authResponse: AuthResponse; stateData: StateData.Redirect } | undefined {
     const { configId } = params;
 
-    debug966975.log(`>>> In retrieveRedirectAuthResponseAndStateData(${JSON.stringify({ configId })})`);
-
     const authResponses = readRedirectAuthResponses();
 
-    debug966975.log(`authResponses: ${JSON.stringify(authResponses)}`);
-
     let authResponseAndStateData:
         | { authResponse: AuthResponse; stateData: StateData.Redirect }
         | undefined = undefined;
 
     for (const authResponse of [...authResponses]) {
-        debug966975.log(`authResponse: ${JSON.stringify(authResponse)}`);
-
         const stateData = getStateData({ stateQueryParamValue: authResponse.state });
 
-        debug966975.log(`stateDate: ${JSON.stringify(stateData)}`);
-
-        try {
-            assert(stateData !== undefined, "966975");
-        } catch {
+        if (stateData === undefined) {
+            // NOTE: We do not understand how this can happen but it can.
             authResponses.splice(authResponses.indexOf(authResponse), 1);
-            debug966975.report();
             continue;
         }
 
@@ -266,12 +216,9 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
     }
 
     if (authResponseAndStateData !== undefined) {
-        debug966975.log(`writeRedirectAuthResponses(${JSON.stringify({ authResponses })})`);
         writeRedirectAuthResponses({ authResponses });
     }
 
-    debug966975.log(`Returning ${JSON.stringify({ authResponseAndStateData })} <<<<<<<<<`);
-
     return authResponseAndStateData;
 }
 

package/src/core/loginOrGoToAuthServer.ts

@@ -51,8 +51,7 @@ export function getPrSafelyRestoredFromBfCacheAfterLoginBackNavigation() {
 export function createLoginOrGoToAuthServer(params: {
     configId: string;
     oidcClientTsUserManager: OidcClientTsUserManager;
-    transformUrlBeforeRedirect: ((url: string) => string) | undefined;
-    transformUrlBeforeRedirect_next:
+    transformUrlBeforeRedirect:
         | ((params: { authorizationUrl: string; isSilent: boolean }) => string)
         | undefined;
 
@@ -71,7 +70,6 @@ export function createLoginOrGoToAuthServer(params: {
         oidcClientTsUserManager,
 
         transformUrlBeforeRedirect,
-        transformUrlBeforeRedirect_next,
         getExtraQueryParams,
 
         getExtraTokenParams,
@@ -89,7 +87,7 @@ export function createLoginOrGoToAuthServer(params: {
         const {
             redirectUrl: redirectUrl_params,
             extraQueryParams_local,
-            transformUrlBeforeRedirect_local: transformUrl,
+            transformUrlBeforeRedirect_local,
             ...rest
         } = params;
 
@@ -108,6 +106,8 @@ export function createLoginOrGoToAuthServer(params: {
             globalContext.evtHasLoginBeenCalled.current = true;
 
             if (document.visibilityState !== "visible") {
+                rest.interaction === "ensure no interaction";
+
                 const dVisible = new Deferred<void>();
 
                 const onVisible = () => {
@@ -196,20 +196,19 @@ export function createLoginOrGoToAuthServer(params: {
             (
                 [
                     [
-                        undefined,
-                        transformUrlBeforeRedirect_next === undefined
+                        getExtraQueryParams,
+                        transformUrlBeforeRedirect === undefined
                             ? undefined
                             : (url: string) =>
-                                  transformUrlBeforeRedirect_next({
+                                  transformUrlBeforeRedirect({
                                       isSilent,
                                       authorizationUrl: url
                                   })
                     ],
-                    [getExtraQueryParams, transformUrlBeforeRedirect],
-                    [extraQueryParams_local, transformUrl]
+                    [extraQueryParams_local, transformUrlBeforeRedirect_local]
                 ] as const
-            ).forEach(([extraQueryParamsMaybeGetter, transformUrlBeforeRedirect], i) => {
-                const url_before = i !== 2 ? undefined : url;
+            ).forEach(([extraQueryParamsMaybeGetter, transformUrlBeforeRedirect], i, arr) => {
+                const url_before = i !== arr.length - 1 ? undefined : url;
 
                 add_extra_query_params: {
                     if (extraQueryParamsMaybeGetter === undefined) {