oidc-spa 6.4.0 → 6.5.1

Files changed (43) hide show
  1. package/oidc/createOidc.d.ts +0 -2
  2. package/oidc/createOidc.js +307 -355
  3. package/oidc/createOidc.js.map +1 -1
  4. package/oidc/{createIsUserActive.js → isUserActive.js} +1 -1
  5. package/oidc/isUserActive.js.map +1 -0
  6. package/oidc/loginOrGoToAuthServer.d.ts +41 -0
  7. package/oidc/loginOrGoToAuthServer.js +296 -0
  8. package/oidc/loginOrGoToAuthServer.js.map +1 -0
  9. package/oidc/loginSilent.d.ts +2 -2
  10. package/oidc/loginSilent.js +2 -2
  11. package/oidc/loginSilent.js.map +1 -1
  12. package/oidc/oidcClientTsUserToTokens.d.ts +1 -0
  13. package/oidc/oidcClientTsUserToTokens.js +16 -0
  14. package/oidc/oidcClientTsUserToTokens.js.map +1 -1
  15. package/oidc/persistedAuthState.d.ts +9 -0
  16. package/oidc/persistedAuthState.js +28 -0
  17. package/oidc/persistedAuthState.js.map +1 -0
  18. package/package.json +26 -11
  19. package/src/oidc/createOidc.ts +291 -353
  20. package/src/oidc/loginOrGoToAuthServer.ts +267 -0
  21. package/src/oidc/loginSilent.ts +4 -4
  22. package/src/oidc/oidcClientTsUserToTokens.ts +24 -0
  23. package/src/oidc/persistedAuthState.ts +36 -0
  24. package/src/tools/ephemeralSessionStorage.ts +191 -0
  25. package/src/tools/haveSharedParentDomain.ts +13 -0
  26. package/src/tools/parseKeycloakIssuerUri.ts +9 -2
  27. package/tools/ephemeralSessionStorage.d.ts +3 -0
  28. package/tools/ephemeralSessionStorage.js +133 -0
  29. package/tools/ephemeralSessionStorage.js.map +1 -0
  30. package/tools/haveSharedParentDomain.d.ts +4 -0
  31. package/tools/haveSharedParentDomain.js +14 -0
  32. package/tools/haveSharedParentDomain.js.map +1 -0
  33. package/tools/parseKeycloakIssuerUri.d.ts +1 -0
  34. package/tools/parseKeycloakIssuerUri.js +4 -1
  35. package/tools/parseKeycloakIssuerUri.js.map +1 -1
  36. package/vendor/frontend/oidc-client-ts-and-jwt-decode.js +1 -1
  37. package/oidc/createIsUserActive.js.map +0 -1
  38. package/oidc/persistedLogoutState.d.ts +0 -9
  39. package/oidc/persistedLogoutState.js +0 -25
  40. package/oidc/persistedLogoutState.js.map +0 -1
  41. package/src/oidc/persistedLogoutState.ts +0 -29
  42. /package/oidc/{createIsUserActive.d.ts → isUserActive.d.ts} +0 -0
  43. /package/src/oidc/{createIsUserActive.ts → isUserActive.ts} +0 -0
@@ -102,7 +102,7 @@ var tsafe_1 = require("../vendor/frontend/tsafe");
102
102
  var workerTimers_1 = require("../tools/workerTimers");
103
103
  var Deferred_1 = require("../tools/Deferred");
104
104
  var decodeJwt_1 = require("../tools/decodeJwt");
105
- var createIsUserActive_1 = require("./createIsUserActive");
105
+ var isUserActive_1 = require("./isUserActive");
106
106
  var startCountdown_1 = require("../tools/startCountdown");
107
107
  var toHumanReadableDuration_1 = require("../tools/toHumanReadableDuration");
108
108
  var toFullyQualifiedUrl_1 = require("../tools/toFullyQualifiedUrl");
@@ -113,21 +113,23 @@ var configId_1 = require("./configId");
113
113
  var oidcClientTsUserToTokens_1 = require("./oidcClientTsUserToTokens");
114
114
  var loginSilent_1 = require("./loginSilent");
115
115
  var handleOidcCallback_1 = require("./handleOidcCallback");
116
- var persistedLogoutState_1 = require("./persistedLogoutState");
116
+ var persistedAuthState_1 = require("./persistedAuthState");
117
117
  var AwaitableEventEmitter_1 = require("../tools/AwaitableEventEmitter");
118
+ var haveSharedParentDomain_1 = require("../tools/haveSharedParentDomain");
119
+ var loginOrGoToAuthServer_1 = require("./loginOrGoToAuthServer");
120
+ var ephemeralSessionStorage_1 = require("../tools/ephemeralSessionStorage");
118
121
  // NOTE: Replaced at build time
119
- var VERSION = "6.4.0";
122
+ var VERSION = "6.5.1";
120
123
  (0, handleOidcCallback_1.handleOidcCallback)();
121
124
  var GLOBAL_CONTEXT_KEY = "__oidc-spa.createOidc.globalContext";
122
125
  (_a = window[GLOBAL_CONTEXT_KEY]) !== null && _a !== void 0 ? _a : (window[GLOBAL_CONTEXT_KEY] = {
123
126
  prOidcByConfigId: new Map(),
124
127
  evtAuthResponseHandled: (0, AwaitableEventEmitter_1.createAwaitableEventEmitter)(),
125
- URL_real: window.URL,
126
128
  $isUserActive: undefined,
127
- hasLoginBeenCalled: false,
128
129
  hasLogoutBeenCalled: false
129
130
  });
130
131
  var globalContext = window[GLOBAL_CONTEXT_KEY];
132
+ var MIN_RENEW_BEFORE_EXPIRE_MS = 2000;
131
133
  /** @see: https://docs.oidc-spa.dev/v/v6/usage */
132
134
  function createOidc(params) {
133
135
  return __awaiter(this, void 0, void 0, function () {
@@ -213,28 +215,12 @@ function createOidc(params) {
213
215
  }
214
216
  function createOidc_nonMemoized(params, preProcessedParams) {
215
217
  return __awaiter(this, void 0, void 0, function () {
216
- function getMsBeforeExpiration() {
217
- // NOTE: In general the access token is supposed to have a shorter
218
- // lifespan than the refresh token but we don't want to make any
219
- // assumption here.
220
- var tokenExpirationTime = Math.min(currentTokens.accessTokenExpirationTime, currentTokens.refreshTokenExpirationTime);
221
- var msBeforeExpiration = Math.min(tokenExpirationTime - Date.now(),
222
- // NOTE: We want to make sure we do not overflow the setTimeout
223
- // that must be a 32 bit unsigned integer.
224
- // This can happen if the tokenExpirationTime is more than 24.8 days in the future.
225
- Math.pow(2, 31) - 1);
226
- if (msBeforeExpiration < 0) {
227
- log === null || log === void 0 ? void 0 : log("Token has already expired");
228
- return 0;
229
- }
230
- return msBeforeExpiration;
231
- }
232
- var transformUrlBeforeRedirect, extraQueryParamsOrGetter, extraTokenParamsOrGetter, homeUrl_params, decodedIdTokenSchema, __unsafe_ssoSessionIdleSeconds, _a, autoLogoutParams, _b, autoLogin, postLoginRedirectUrl, __unsafe_clientSecret, _c, __unsafe_useIdTokenAsAccessToken, issuerUri, clientId, scopes, configId, log, _d, getExtraQueryParams, getExtraTokenParams, homeAndCallbackUrl, isHandled, USER_LOGGED_IN_KEY, stateQueryParamValue_instance, oidcClientTsUserManager, lastPublicUrl, startTrackingLastPublicUrl, loginOrGoToAuthServer, BROWSER_SESSION_NOT_FIRST_INIT_KEY, resultOfLoginProcess, common, error, initializationError, oidc_1, oidc_2, currentTokens, autoLogoutCountdownTickCallbacks, onTokenChanges, oidc, sessionId, prOtherTabLogout, startCountdown_2, stopCountdown_1;
218
+ var transformUrlBeforeRedirect, extraQueryParamsOrGetter, extraTokenParamsOrGetter, homeUrl_params, decodedIdTokenSchema, __unsafe_ssoSessionIdleSeconds, _a, autoLogoutParams, _b, autoLogin, postLoginRedirectUrl_default, __unsafe_clientSecret, _c, __unsafe_useIdTokenAsAccessToken, issuerUri, clientId, scopes, configId, log, _d, getExtraQueryParams, getExtraTokenParams, homeAndCallbackUrl, isHandled, stateQueryParamValue_instance, areThirdPartyCookiesAllowed, url1, url2, isUserStorePersistent, oidcClientTsUserManager, _e, loginOrGoToAuthServer, toCallBeforeReturningOidcLoggedIn, toCallBeforeReturningOidcNotLoggedIn, BROWSER_SESSION_NOT_FIRST_INIT_KEY, resultOfLoginProcess, common, oidc_notLoggedIn, currentTokens, autoLogoutCountdownTickCallbacks, onTokenChanges, oidc_loggedIn, sessionId, prOtherTabLogout, startCountdown_2, stopCountdown_1;
233
219
  var _this = this;
234
- return __generator(this, function (_e) {
235
- switch (_e.label) {
220
+ return __generator(this, function (_f) {
221
+ switch (_f.label) {
236
222
  case 0:
237
- transformUrlBeforeRedirect = params.transformUrlBeforeRedirect, extraQueryParamsOrGetter = params.extraQueryParams, extraTokenParamsOrGetter = params.extraTokenParams, homeUrl_params = params.homeUrl, decodedIdTokenSchema = params.decodedIdTokenSchema, __unsafe_ssoSessionIdleSeconds = params.__unsafe_ssoSessionIdleSeconds, _a = params.autoLogoutParams, autoLogoutParams = _a === void 0 ? { redirectTo: "current page" } : _a, _b = params.autoLogin, autoLogin = _b === void 0 ? false : _b, postLoginRedirectUrl = params.postLoginRedirectUrl, __unsafe_clientSecret = params.__unsafe_clientSecret, _c = params.__unsafe_useIdTokenAsAccessToken, __unsafe_useIdTokenAsAccessToken = _c === void 0 ? false : _c;
223
+ transformUrlBeforeRedirect = params.transformUrlBeforeRedirect, extraQueryParamsOrGetter = params.extraQueryParams, extraTokenParamsOrGetter = params.extraTokenParams, homeUrl_params = params.homeUrl, decodedIdTokenSchema = params.decodedIdTokenSchema, __unsafe_ssoSessionIdleSeconds = params.__unsafe_ssoSessionIdleSeconds, _a = params.autoLogoutParams, autoLogoutParams = _a === void 0 ? { redirectTo: "current page" } : _a, _b = params.autoLogin, autoLogin = _b === void 0 ? false : _b, postLoginRedirectUrl_default = params.postLoginRedirectUrl, __unsafe_clientSecret = params.__unsafe_clientSecret, _c = params.__unsafe_useIdTokenAsAccessToken, __unsafe_useIdTokenAsAccessToken = _c === void 0 ? false : _c;
238
224
  issuerUri = preProcessedParams.issuerUri, clientId = preProcessedParams.clientId, scopes = preProcessedParams.scopes, configId = preProcessedParams.configId, log = preProcessedParams.log;
239
225
  _d = __read([extraQueryParamsOrGetter, extraTokenParamsOrGetter].map(function (valueOrGetter) {
240
226
  if (typeof valueOrGetter === "function") {
@@ -261,12 +247,29 @@ function createOidc_nonMemoized(params, preProcessedParams) {
261
247
  if (!isHandled) return [3 /*break*/, 2];
262
248
  return [4 /*yield*/, new Promise(function () { })];
263
249
  case 1:
264
- _e.sent();
265
- _e.label = 2;
250
+ _f.sent();
251
+ _f.label = 2;
266
252
  case 2:
267
- USER_LOGGED_IN_KEY = "oidc-spa.user-logged-in:".concat(configId);
268
- localStorage.removeItem(USER_LOGGED_IN_KEY);
269
253
  stateQueryParamValue_instance = (0, StateData_1.generateStateQueryParamValue)();
254
+ {
255
+ url1 = window.location.origin;
256
+ url2 = issuerUri;
257
+ areThirdPartyCookiesAllowed = (0, haveSharedParentDomain_1.getHaveSharedParentDomain)({
258
+ url1: url1,
259
+ url2: url2
260
+ });
261
+ if (areThirdPartyCookiesAllowed) {
262
+ log === null || log === void 0 ? void 0 : log("".concat(url1, " and ").concat(url2, " have shared parent domain, third party cookies are allowed"));
263
+ }
264
+ else {
265
+ log === null || log === void 0 ? void 0 : log([
266
+ "".concat(url1, " and ").concat(url2, " don't have shared parent domain, setting third party cookies"),
267
+ "on the auth server domain might not work. Making sure that everything works smoothly regardless",
268
+ "by allowing oidc-spa to store the auth state in the session storage for a limited period of time."
269
+ ].join(" "));
270
+ }
271
+ }
272
+ isUserStorePersistent = !areThirdPartyCookiesAllowed;
270
273
  oidcClientTsUserManager = new oidc_client_ts_and_jwt_decode_1.UserManager({
271
274
  stateQueryParamValue: stateQueryParamValue_instance,
272
275
  authority: issuerUri,
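Review bot: `areThirdPartyCookiesAllowed` is assigned from `getHaveSharedParentDomain({ url1, url2 })`, so the name claims more than the check establishes: a shared parent domain means the issuer's cookies are same-site for this origin, not that the browser permits third-party cookies, and its absence does not prove they are blocked. The distinction matters because `isUserStorePersistent = !areThirdPartyCookiesAllowed` is the switch that later moves the oidc-client-ts user store out of memory and into session storage. I would rename it along the lines of `hasSharedParentDomain`, or add a comment such as `// Heuristic: no shared parent domain => assume the silent sign-in iframe cannot use the auth server cookie`, and note next to `isUserStorePersistent` that it makes the stored tokens readable by any script on the origin. `getHaveSharedParentDomain` is not visible here, so its handling of public-suffix hosts and of a malformed `issuerUri` should be confirmed. The enclosing `createOidc_nonMemoized` body starts and ends outside this hunk.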
@@ -277,207 +280,29 @@ function createOidc_nonMemoized(params, preProcessedParams) {
277
280
  response_type: "code",
278
281
  scope: Array.from(new Set(__spreadArray(["openid"], __read(scopes), false))).join(" "),
279
282
  automaticSilentRenew: false,
280
- userStore: new oidc_client_ts_and_jwt_decode_1.WebStorageStateStore({ store: new oidc_client_ts_and_jwt_decode_1.InMemoryWebStorage() }),
283
+ userStore: new oidc_client_ts_and_jwt_decode_1.WebStorageStateStore({
284
+ store: areThirdPartyCookiesAllowed
285
+ ? new oidc_client_ts_and_jwt_decode_1.InMemoryWebStorage()
286
+ : (0, ephemeralSessionStorage_1.createEphemeralSessionStorage)({
287
+ sessionStorageTtlMs: 3 * 601000
288
+ })
289
+ }),
281
290
  stateStore: new oidc_client_ts_and_jwt_decode_1.WebStorageStateStore({ store: localStorage, prefix: StateData_1.STATE_STORE_KEY_PREFIX }),
282
291
  client_secret: __unsafe_clientSecret
283
292
  });
284
- lastPublicUrl = undefined;
285
- startTrackingLastPublicUrl = function () {
286
- var realPushState = history.pushState.bind(history);
287
- history.pushState = function pushState() {
288
- var args = [];
289
- for (var _i = 0; _i < arguments.length; _i++) {
290
- args[_i] = arguments[_i];
291
- }
292
- lastPublicUrl = window.location.href;
293
- return realPushState.apply(void 0, __spreadArray([], __read(args), false));
294
- };
295
- };
296
- loginOrGoToAuthServer = function (params) { return __awaiter(_this, void 0, void 0, function () {
297
- var extraQueryParams_fromLoginFn, redirectUrl_params, transformUrlBeforeRedirect_fromLoginFn, rest, callback_1, redirectUrl, URL_real_1, URL_1, redirectMethod, extraQueryParams;
298
- return __generator(this, function (_a) {
299
- switch (_a.label) {
300
- case 0:
301
- extraQueryParams_fromLoginFn = params.extraQueryParams, redirectUrl_params = params.redirectUrl, transformUrlBeforeRedirect_fromLoginFn = params.transformUrlBeforeRedirect, rest = __rest(params, ["extraQueryParams", "redirectUrl", "transformUrlBeforeRedirect"]);
302
- log === null || log === void 0 ? void 0 : log("Calling loginOrGoToAuthServer", { params: params });
303
- // NOTE: This is for handling cases when user press the back button on the login pages.
304
- // When the app is hosted on https (so not in dev mode) the browser will restore the state of the app
305
- // instead of reloading the page.
306
- if (rest.action === "login") {
307
- if (globalContext.hasLoginBeenCalled) {
308
- log === null || log === void 0 ? void 0 : log("login() has already been called, ignoring the call");
309
- return [2 /*return*/, new Promise(function () { })];
310
- }
311
- globalContext.hasLoginBeenCalled = true;
312
- callback_1 = function () {
313
- if (document.visibilityState === "visible") {
314
- document.removeEventListener("visibilitychange", callback_1);
315
- log === null || log === void 0 ? void 0 : log("We came back from the login pages and the state of the app has been restored");
316
- if (rest.doesCurrentHrefRequiresAuth) {
317
- if (lastPublicUrl !== undefined) {
318
- log === null || log === void 0 ? void 0 : log("Loading last public route: ".concat(lastPublicUrl));
319
- window.location.href = lastPublicUrl;
320
- }
321
- else {
322
- log === null || log === void 0 ? void 0 : log("We don't know the last public route, navigating back in history");
323
- window.history.back();
324
- }
325
- }
326
- else {
327
- log === null || log === void 0 ? void 0 : log("The current page doesn't require auth...");
328
- if (localStorage.getItem(USER_LOGGED_IN_KEY)) {
329
- log === null || log === void 0 ? void 0 : log("but the user is now authenticated, reloading the page");
330
- location.reload();
331
- }
332
- else {
333
- log === null || log === void 0 ? void 0 : log("and the user doesn't seem to be authenticated, avoiding a reload");
334
- globalContext.hasLoginBeenCalled = false;
335
- }
336
- }
337
- }
338
- };
339
- log === null || log === void 0 ? void 0 : log("Start listening to visibility change event");
340
- document.addEventListener("visibilitychange", callback_1);
341
- }
342
- redirectUrl = redirectUrl_params === undefined
343
- ? window.location.href
344
- : (0, toFullyQualifiedUrl_1.toFullyQualifiedUrl)({
345
- urlish: redirectUrl_params,
346
- doAssertNoQueryParams: false
347
- });
348
- log === null || log === void 0 ? void 0 : log("redirectUrl: ".concat(redirectUrl));
349
- //NOTE: We know there is a extraQueryParameter option but it doesn't allow
350
- // to control the encoding so we have to highjack global URL Class that is
351
- // used internally by oidc-client-ts. It's save to do so since this is the
352
- // last thing that will be done before the redirect.
353
- {
354
- URL_real_1 = globalContext.URL_real;
355
- URL_1 = function () {
356
- var args = [];
357
- for (var _i = 0; _i < arguments.length; _i++) {
358
- args[_i] = arguments[_i];
359
- }
360
- var urlInstance = new (URL_real_1.bind.apply(URL_real_1, __spreadArray([void 0], __read(args), false)))();
361
- return new Proxy(urlInstance, {
362
- get: function (target, prop) {
363
- if (prop === "href") {
364
- Object.defineProperty(window, "URL", { value: URL_real_1 });
365
- var url_1 = urlInstance.href;
366
- [
367
- [getExtraQueryParams === null || getExtraQueryParams === void 0 ? void 0 : getExtraQueryParams(), transformUrlBeforeRedirect],
368
- [
369
- extraQueryParams_fromLoginFn,
370
- transformUrlBeforeRedirect_fromLoginFn
371
- ]
372
- ].forEach(function (_a) {
373
- var e_2, _b;
374
- var _c = __read(_a, 2), extraQueryParams = _c[0], transformUrlBeforeRedirect = _c[1];
375
- add_extra_query_params: {
376
- if (extraQueryParams === undefined) {
377
- break add_extra_query_params;
378
- }
379
- var url_obj = new URL_real_1(url_1);
380
- try {
381
- for (var _d = __values(Object.entries(extraQueryParams)), _e = _d.next(); !_e.done; _e = _d.next()) {
382
- var _f = __read(_e.value, 2), name_2 = _f[0], value = _f[1];
383
- url_obj.searchParams.set(name_2, value);
384
- }
385
- }
386
- catch (e_2_1) { e_2 = { error: e_2_1 }; }
387
- finally {
388
- try {
389
- if (_e && !_e.done && (_b = _d.return)) _b.call(_d);
390
- }
391
- finally { if (e_2) throw e_2.error; }
392
- }
393
- url_1 = url_obj.href;
394
- }
395
- apply_transform_before_redirect: {
396
- if (transformUrlBeforeRedirect === undefined) {
397
- break apply_transform_before_redirect;
398
- }
399
- url_1 = transformUrlBeforeRedirect(url_1);
400
- }
401
- });
402
- return url_1;
403
- }
404
- //@ts-expect-error
405
- return target[prop];
406
- }
407
- });
408
- };
409
- Object.defineProperty(window, "URL", { value: URL_1 });
410
- }
411
- redirectMethod = (function () {
412
- switch (rest.action) {
413
- case "login":
414
- return rest.doesCurrentHrefRequiresAuth ? "replace" : "assign";
415
- case "go to auth server":
416
- return "assign";
417
- }
418
- })();
419
- log === null || log === void 0 ? void 0 : log("redirectMethod: ".concat(redirectMethod));
420
- extraQueryParams = (function () {
421
- var e_3, _a;
422
- var extraQueryParams = extraQueryParams_fromLoginFn !== null && extraQueryParams_fromLoginFn !== void 0 ? extraQueryParams_fromLoginFn : {};
423
- read_query_params_added_by_transform_before_redirect: {
424
- if (transformUrlBeforeRedirect_fromLoginFn === undefined) {
425
- break read_query_params_added_by_transform_before_redirect;
426
- }
427
- var url_afterTransform = void 0;
428
- try {
429
- url_afterTransform = transformUrlBeforeRedirect_fromLoginFn("https://dummy.com");
430
- }
431
- catch (_b) {
432
- break read_query_params_added_by_transform_before_redirect;
433
- }
434
- try {
435
- for (var _c = __values(new URL(url_afterTransform).searchParams), _d = _c.next(); !_d.done; _d = _c.next()) {
436
- var _e = __read(_d.value, 2), name_3 = _e[0], value = _e[1];
437
- extraQueryParams[name_3] = value;
438
- }
439
- }
440
- catch (e_3_1) { e_3 = { error: e_3_1 }; }
441
- finally {
442
- try {
443
- if (_d && !_d.done && (_a = _c.return)) _a.call(_c);
444
- }
445
- finally { if (e_3) throw e_3.error; }
446
- }
447
- }
448
- return { extraQueryParams: extraQueryParams };
449
- })().extraQueryParams;
450
- return [4 /*yield*/, oidcClientTsUserManager.signinRedirect({
451
- state: (0, tsafe_1.id)({
452
- context: "redirect",
453
- redirectUrl: redirectUrl,
454
- extraQueryParams: extraQueryParams,
455
- hasBeenProcessedByCallback: false,
456
- configId: configId,
457
- action: "login",
458
- redirectUrl_consentRequiredCase: (function () {
459
- switch (rest.action) {
460
- case "login":
461
- return lastPublicUrl !== null && lastPublicUrl !== void 0 ? lastPublicUrl : homeAndCallbackUrl;
462
- case "go to auth server":
463
- return redirectUrl;
464
- }
465
- })()
466
- }),
467
- redirectMethod: redirectMethod,
468
- prompt: (0, persistedLogoutState_1.getIsPersistedLogoutState)({ configId: configId }) ? "consent" : undefined
469
- })];
470
- case 1:
471
- _a.sent();
472
- return [2 /*return*/, new Promise(function () { })];
473
- }
474
- });
475
- }); };
293
+ _e = (0, loginOrGoToAuthServer_1.createLoginOrGoToAuthServer)({
294
+ configId: configId,
295
+ oidcClientTsUserManager: oidcClientTsUserManager,
296
+ getExtraQueryParams: getExtraQueryParams,
297
+ transformUrlBeforeRedirect: transformUrlBeforeRedirect,
298
+ homeAndCallbackUrl: homeAndCallbackUrl,
299
+ log: log
300
+ }), loginOrGoToAuthServer = _e.loginOrGoToAuthServer, toCallBeforeReturningOidcLoggedIn = _e.toCallBeforeReturningOidcLoggedIn, toCallBeforeReturningOidcNotLoggedIn = _e.toCallBeforeReturningOidcNotLoggedIn;
476
301
  BROWSER_SESSION_NOT_FIRST_INIT_KEY = "oidc-spa.browser-session-not-first-init:".concat(configId);
477
302
  return [4 /*yield*/, (function () { return __awaiter(_this, void 0, void 0, function () {
478
- var authResponse, stateData, evtAuthResponseHandled_1, prHandled, _a, authResponseUrl, oidcClientTsUser, error_1, error_3, authResponseUrl, _b, result_loginSilent, authResponse, oidcClientTsUser, error_2, error_4;
479
- return __generator(this, function (_c) {
480
- switch (_c.label) {
303
+ var authResponse, stateData, evtAuthResponseHandled_1, prHandled, _a, authResponseUrl, oidcClientTsUser, error_1, error_3, authResponseUrl, _b, oidcClientTsUser, _c, _d, persistedAuthState, result_loginSilent, authResponse, authResponse_error, oidcClientTsUser, error_2;
304
+ return __generator(this, function (_e) {
305
+ switch (_e.label) {
481
306
  case 0:
482
307
  authResponse = (function () {
483
308
  var value = sessionStorage.getItem(handleOidcCallback_1.AUTH_RESPONSE_KEY);
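Review bot: `sessionStorageTtlMs: 3 * 601000` evaluates to 1,803,000 ms (about 30 minutes) and reads like a slip for a different factor; if three minutes was intended it should be `sessionStorageTtlMs: 3 * 60 * 1000`, and either way a named constant with its unit and rationale would make the intended lifetime reviewable. The value is security-relevant: when the two origins do not share a parent domain, `userStore` is no longer backed by `InMemoryWebStorage`, so the oidc-client-ts user record (access token, ID token and any refresh token) sits in session storage for that long, where it survives reloads and is readable by any script running on the origin. A short comment on the `store:` ternary stating that trade-off would help the next reader. This file is compiled output, so the edit belongs in `package/src/oidc/createOidc.ts`; the function continues outside the hunk.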
@@ -507,12 +332,12 @@ function createOidc_nonMemoized(params, preProcessedParams) {
507
332
  prHandled = evtAuthResponseHandled_1.waitFor();
508
333
  return [4 /*yield*/, Promise.resolve()];
509
334
  case 1:
510
- _c.sent();
335
+ _e.sent();
511
336
  if (!(sessionStorage.getItem(handleOidcCallback_1.AUTH_RESPONSE_KEY) === null)) return [3 /*break*/, 3];
512
337
  return [4 /*yield*/, prHandled];
513
338
  case 2:
514
- _c.sent();
515
- _c.label = 3;
339
+ _e.sent();
340
+ _e.label = 3;
516
341
  case 3: return [3 /*break*/, 15];
517
342
  case 4:
518
343
  sessionStorage.removeItem(handleOidcCallback_1.AUTH_RESPONSE_KEY);
@@ -526,19 +351,19 @@ function createOidc_nonMemoized(params, preProcessedParams) {
526
351
  log === null || log === void 0 ? void 0 : log("Handling login redirect auth response", authResponse);
527
352
  authResponseUrl = (0, loginSilent_1.authResponseToUrl)(authResponse);
528
353
  oidcClientTsUser = undefined;
529
- _c.label = 6;
354
+ _e.label = 6;
530
355
  case 6:
531
- _c.trys.push([6, 8, , 9]);
356
+ _e.trys.push([6, 8, , 9]);
532
357
  return [4 /*yield*/, oidcClientTsUserManager
533
358
  .signinRedirectCallback(authResponseUrl)
534
359
  .finally(function () {
535
360
  evtAuthResponseHandled_1.post();
536
361
  })];
537
362
  case 7:
538
- oidcClientTsUser = _c.sent();
363
+ oidcClientTsUser = _e.sent();
539
364
  return [3 /*break*/, 9];
540
365
  case 8:
541
- error_1 = _c.sent();
366
+ error_1 = _e.sent();
542
367
  (0, tsafe_1.assert)(error_1 instanceof Error);
543
368
  if (error_1.message === "Failed to fetch") {
544
369
  return [2 /*return*/, (0, OidcInitializationError_1.createFailedToFetchTokenEndpointInitializationError)({
@@ -556,7 +381,6 @@ function createOidc_nonMemoized(params, preProcessedParams) {
556
381
  return [2 /*return*/, error_1];
557
382
  case 9:
558
383
  sessionStorage.removeItem(BROWSER_SESSION_NOT_FIRST_INIT_KEY);
559
- (0, persistedLogoutState_1.clearPersistedLogoutState)({ configId: configId });
560
384
  return [2 /*return*/, {
561
385
  oidcClientTsUser: oidcClientTsUser,
562
386
  backFromAuthServer: {
@@ -573,15 +397,15 @@ function createOidc_nonMemoized(params, preProcessedParams) {
573
397
  case 10:
574
398
  log === null || log === void 0 ? void 0 : log("Handling logout redirect auth response", authResponse);
575
399
  authResponseUrl = (0, loginSilent_1.authResponseToUrl)(authResponse);
576
- _c.label = 11;
400
+ _e.label = 11;
577
401
  case 11:
578
- _c.trys.push([11, 13, , 14]);
402
+ _e.trys.push([11, 13, , 14]);
579
403
  return [4 /*yield*/, oidcClientTsUserManager.signoutRedirectCallback(authResponseUrl)];
580
404
  case 12:
581
- _c.sent();
405
+ _e.sent();
582
406
  return [3 /*break*/, 14];
583
407
  case 13:
584
- _b = _c.sent();
408
+ _b = _e.sent();
585
409
  return [3 /*break*/, 14];
586
410
  case 14:
587
411
  evtAuthResponseHandled_1.post();
@@ -593,10 +417,47 @@ function createOidc_nonMemoized(params, preProcessedParams) {
593
417
  // NOTE: The user is no longer logged in.
594
418
  return [2 /*return*/, undefined];
595
419
  case 15:
420
+ if (!isUserStorePersistent) {
421
+ return [3 /*break*/, 24];
422
+ }
423
+ oidcClientTsUser = void 0;
424
+ _e.label = 16;
425
+ case 16:
426
+ _e.trys.push([16, 18, , 23]);
427
+ return [4 /*yield*/, oidcClientTsUserManager.getUser()];
428
+ case 17:
429
+ oidcClientTsUser = _e.sent();
430
+ return [3 /*break*/, 23];
431
+ case 18:
432
+ _c = _e.sent();
433
+ // NOTE: Not sure if it can throw, but let's be safe.
434
+ oidcClientTsUser = null;
435
+ _e.label = 19;
436
+ case 19:
437
+ _e.trys.push([19, 21, , 22]);
438
+ return [4 /*yield*/, oidcClientTsUserManager.removeUser()];
439
+ case 20:
440
+ _e.sent();
441
+ return [3 /*break*/, 22];
442
+ case 21:
443
+ _d = _e.sent();
444
+ return [3 /*break*/, 22];
445
+ case 22: return [3 /*break*/, 23];
446
+ case 23:
447
+ if (oidcClientTsUser === null) {
448
+ return [3 /*break*/, 24];
449
+ }
450
+ log === null || log === void 0 ? void 0 : log("Restored the auth from ephemeral session storage");
451
+ return [2 /*return*/, {
452
+ oidcClientTsUser: oidcClientTsUser,
453
+ backFromAuthServer: undefined
454
+ }];
455
+ case 24:
596
456
  log === null || log === void 0 ? void 0 : log("Trying to restore the auth from the http only cookie (silent signin with iframe)");
597
- if ((0, persistedLogoutState_1.getIsPersistedLogoutState)({ configId: configId })) {
457
+ persistedAuthState = (0, persistedAuthState_1.getPersistedAuthState)({ configId: configId });
458
+ if (persistedAuthState === "explicitly logged out") {
598
459
  log === null || log === void 0 ? void 0 : log("Skipping silent signin with iframe, the user has logged out");
599
- return [3 /*break*/, 21];
460
+ return [3 /*break*/, 33];
600
461
  }
601
462
  return [4 /*yield*/, (0, loginSilent_1.loginSilent)({
602
463
  oidcClientTsUserManager: oidcClientTsUserManager,
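Review bot: The restore path in `case 15` to `case 23` returns the user from `oidcClientTsUserManager.getUser()` before `getPersistedAuthState({ configId })` is read at `case 24`, so a tab that still holds a record in its ephemeral session storage comes back logged in even when the persisted state is `"explicitly logged out"`. That could happen after a logout in another tab, if nothing else clears this tab's store, which is not visible here. Reading the persisted state first and, when it is `"explicitly logged out"`, calling `oidcClientTsUserManager.removeUser()` and skipping the restore would keep the two signals consistent. The restored user is also returned with no visible check that its tokens are unexpired; if the storage TTL or later code covers that, a comment saying so would help. The change belongs in the TypeScript source, and the enclosing function extends beyond this hunk.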
@@ -604,9 +465,9 @@ function createOidc_nonMemoized(params, preProcessedParams) {
604
465
  configId: configId,
605
466
  getExtraTokenParams: getExtraTokenParams
606
467
  })];
607
- case 16:
608
- result_loginSilent = _c.sent();
609
- (0, tsafe_1.assert)(result_loginSilent.outcome !== "refresh token used");
468
+ case 25:
469
+ result_loginSilent = _e.sent();
470
+ (0, tsafe_1.assert)(result_loginSilent.outcome !== "token refreshed using refresh token");
610
471
  if (result_loginSilent.outcome === "failure") {
611
472
  switch (result_loginSilent.cause) {
612
473
  case "can't reach well-known oidc endpoint":
@@ -625,16 +486,17 @@ function createOidc_nonMemoized(params, preProcessedParams) {
625
486
  (0, tsafe_1.assert)();
626
487
  authResponse = result_loginSilent.authResponse;
627
488
  log === null || log === void 0 ? void 0 : log("Silent signin auth response", authResponse);
489
+ authResponse_error = authResponse["error"];
628
490
  oidcClientTsUser = undefined;
629
- _c.label = 17;
630
- case 17:
631
- _c.trys.push([17, 19, , 20]);
491
+ _e.label = 26;
492
+ case 26:
493
+ _e.trys.push([26, 28, , 29]);
632
494
  return [4 /*yield*/, oidcClientTsUserManager.signinRedirectCallback((0, loginSilent_1.authResponseToUrl)(authResponse))];
633
- case 18:
634
- oidcClientTsUser = _c.sent();
635
- return [3 /*break*/, 20];
636
- case 19:
637
- error_2 = _c.sent();
495
+ case 27:
496
+ oidcClientTsUser = _e.sent();
497
+ return [3 /*break*/, 29];
498
+ case 28:
499
+ error_2 = _e.sent();
638
500
  (0, tsafe_1.assert)(error_2 instanceof Error);
639
501
  if (error_2.message === "Failed to fetch") {
640
502
  return [2 /*return*/, (0, OidcInitializationError_1.createFailedToFetchTokenEndpointInitializationError)({
@@ -642,27 +504,46 @@ function createOidc_nonMemoized(params, preProcessedParams) {
642
504
  issuerUri: issuerUri
643
505
  })];
644
506
  }
645
- {
646
- error_4 = authResponse["error"];
647
- if (error_4 !== undefined) {
648
- // NOTE: This is a very expected case, it happens each time there's no active session.
649
- log === null || log === void 0 ? void 0 : log([
650
- "The auth server responded with: ".concat(error_4, " "),
651
- "login_required" === error_4
652
- ? "(authentication_required just means that there's no active session for the user)"
653
- : ""
654
- ].join(""));
655
- return [3 /*break*/, 21];
656
- }
507
+ if (authResponse_error === undefined) {
508
+ return [2 /*return*/, error_2];
657
509
  }
658
- return [2 /*return*/, error_2];
659
- case 20:
510
+ return [3 /*break*/, 29];
511
+ case 29:
512
+ if (!(oidcClientTsUser === undefined)) return [3 /*break*/, 32];
513
+ if (!(autoLogin ||
514
+ (persistedAuthState === "logged in" &&
515
+ (authResponse_error === "interaction_required" ||
516
+ authResponse_error === "login_required" ||
517
+ authResponse_error === "consent_required" ||
518
+ authResponse_error === "account_selection_required")))) return [3 /*break*/, 31];
519
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: undefined });
520
+ return [4 /*yield*/, loginOrGoToAuthServer({
521
+ action: "login",
522
+ doForceReloadOnBfCache: true,
523
+ redirectUrl: window.location.href,
524
+ doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: autoLogin,
525
+ extraQueryParams_local: undefined,
526
+ transformUrlBeforeRedirect_local: undefined,
527
+ doForceInteraction: false
528
+ })];
529
+ case 30:
530
+ _e.sent();
531
+ _e.label = 31;
532
+ case 31:
533
+ log === null || log === void 0 ? void 0 : log([
534
+ "The auth server responded with: ".concat(authResponse_error, " "),
535
+ "login_required" === authResponse_error
536
+ ? "(login_required just means that there's no active session for the user)"
537
+ : ""
538
+ ].join(""));
539
+ return [3 /*break*/, 33];
540
+ case 32:
660
541
  log === null || log === void 0 ? void 0 : log("Successful silent signed in");
661
542
  return [2 /*return*/, {
662
543
  oidcClientTsUser: oidcClientTsUser,
663
544
  backFromAuthServer: undefined
664
545
  }];
665
- case 21:
546
+ case 33:
666
547
  // NOTE: The user is not logged in.
667
548
  return [2 /*return*/, undefined];
668
549
  }
@@ -714,70 +595,78 @@ function createOidc_nonMemoized(params, preProcessedParams) {
714
595
  return { tokens: tokens, backFromAuthServer: backFromAuthServer };
715
596
  })];
716
597
  case 3:
717
- resultOfLoginProcess = _e.sent();
598
+ resultOfLoginProcess = _f.sent();
718
599
  common = {
719
600
  params: {
720
601
  issuerUri: issuerUri,
721
602
  clientId: clientId
722
603
  }
723
604
  };
724
- if (resultOfLoginProcess instanceof Error) {
725
- log === null || log === void 0 ? void 0 : log("User not logged in and there was an initialization error");
726
- error = resultOfLoginProcess;
727
- initializationError = error instanceof OidcInitializationError_1.OidcInitializationError
728
- ? error
729
- : new OidcInitializationError_1.OidcInitializationError({
730
- isAuthServerLikelyDown: false,
731
- messageOrCause: error
732
- });
733
- if (autoLogin) {
734
- throw initializationError;
605
+ not_loggedIn_case: {
606
+ if (!(resultOfLoginProcess instanceof Error) && resultOfLoginProcess !== undefined) {
607
+ break not_loggedIn_case;
735
608
  }
736
- console.error([
737
- "oidc-spa Initialization Error: ",
738
- "isAuthServerLikelyDown: ".concat(initializationError.isAuthServerLikelyDown),
739
- "",
740
- initializationError.message
741
- ].join("\n"));
742
- startTrackingLastPublicUrl();
743
- oidc_1 = (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: false, login: function () { return __awaiter(_this, void 0, void 0, function () {
744
- return __generator(this, function (_a) {
745
- alert("Authentication is currently unavailable. Please try again later.");
746
- return [2 /*return*/, new Promise(function () { })];
747
- });
748
- }); }, initializationError: initializationError }));
749
- // @ts-expect-error: We know what we are doing.
750
- return [2 /*return*/, oidc_1];
609
+ oidc_notLoggedIn = (function () {
610
+ if (resultOfLoginProcess instanceof Error) {
611
+ log === null || log === void 0 ? void 0 : log("User not logged in and there was an initialization error");
612
+ var error = resultOfLoginProcess;
613
+ var initializationError = error instanceof OidcInitializationError_1.OidcInitializationError
614
+ ? error
615
+ : new OidcInitializationError_1.OidcInitializationError({
616
+ isAuthServerLikelyDown: false,
617
+ messageOrCause: error
618
+ });
619
+ if (autoLogin) {
620
+ throw initializationError;
621
+ }
622
+ console.error([
623
+ "oidc-spa Initialization Error: ",
624
+ "isAuthServerLikelyDown: ".concat(initializationError.isAuthServerLikelyDown),
625
+ "",
626
+ initializationError.message
627
+ ].join("\n"));
628
+ return (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: false, login: function () { return __awaiter(_this, void 0, void 0, function () {
629
+ return __generator(this, function (_a) {
630
+ alert("Authentication is currently unavailable. Please try again later.");
631
+ return [2 /*return*/, new Promise(function () { })];
632
+ });
633
+ }); }, initializationError: initializationError }));
634
+ }
635
+ if (resultOfLoginProcess === undefined) {
636
+ log === null || log === void 0 ? void 0 : log("User not logged in");
637
+ return (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: false, login: function (_a) {
638
+ var _b;
639
+ var doesCurrentHrefRequiresAuth = _a.doesCurrentHrefRequiresAuth, extraQueryParams = _a.extraQueryParams, redirectUrl = _a.redirectUrl, transformUrlBeforeRedirect = _a.transformUrlBeforeRedirect;
640
+ return loginOrGoToAuthServer({
641
+ action: "login",
642
+ doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: doesCurrentHrefRequiresAuth,
643
+ doForceReloadOnBfCache: false,
644
+ redirectUrl: (_b = redirectUrl !== null && redirectUrl !== void 0 ? redirectUrl : postLoginRedirectUrl_default) !== null && _b !== void 0 ? _b : window.location.href,
645
+ extraQueryParams_local: extraQueryParams,
646
+ transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
647
+ doForceInteraction: (0, persistedAuthState_1.getPersistedAuthState)({ configId: configId }) === "explicitly logged out"
648
+ });
649
+ }, initializationError: undefined }));
650
+ }
651
+ (0, tsafe_1.assert)(false);
652
+ })();
653
+ if ((0, persistedAuthState_1.getPersistedAuthState)({ configId: configId }) !== "explicitly logged out") {
654
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: undefined });
655
+ }
656
+ toCallBeforeReturningOidcNotLoggedIn();
657
+ // @ts-expect-error: We know what we're doing
658
+ return [2 /*return*/, oidc_notLoggedIn];
751
659
  }
752
- if (!(resultOfLoginProcess === undefined)) return [3 /*break*/, 6];
753
- log === null || log === void 0 ? void 0 : log("User not logged in");
754
- if (!autoLogin) return [3 /*break*/, 5];
755
- log === null || log === void 0 ? void 0 : log("Authentication is required everywhere on this app, redirecting to the login page");
756
- return [4 /*yield*/, loginOrGoToAuthServer({
757
- action: "login",
758
- doesCurrentHrefRequiresAuth: true,
759
- redirectUrl: postLoginRedirectUrl
760
- })];
761
- case 4:
762
- _e.sent();
763
- _e.label = 5;
764
- case 5:
765
- startTrackingLastPublicUrl();
766
- oidc_2 = (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: false, login: function (params) { return loginOrGoToAuthServer(__assign({ action: "login" }, params)); }, initializationError: undefined }));
767
- // @ts-expect-error: We know what we are doing.
768
- return [2 /*return*/, oidc_2];
769
- case 6:
770
660
  log === null || log === void 0 ? void 0 : log("User is logged in");
771
- localStorage.setItem(USER_LOGGED_IN_KEY, "true");
772
661
  currentTokens = resultOfLoginProcess.tokens;
773
662
  autoLogoutCountdownTickCallbacks = new Set();
774
663
  onTokenChanges = new Set();
775
- oidc = (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: true, getTokens: function () { return currentTokens; }, getTokens_next: function () { return __awaiter(_this, void 0, void 0, function () {
664
+ oidc_loggedIn = (0, tsafe_1.id)(__assign(__assign({}, common), { isUserLoggedIn: true, getTokens: function () { return currentTokens; }, getTokens_next: function () { return __awaiter(_this, void 0, void 0, function () {
776
665
  return __generator(this, function (_a) {
777
666
  switch (_a.label) {
778
667
  case 0:
779
- if (!(getMsBeforeExpiration() <= 5000)) return [3 /*break*/, 2];
780
- return [4 /*yield*/, oidc.renewTokens()];
668
+ if (!((0, oidcClientTsUserToTokens_1.getMsBeforeExpiration)(currentTokens) <= MIN_RENEW_BEFORE_EXPIRE_MS)) return [3 /*break*/, 2];
669
+ return [4 /*yield*/, oidc_loggedIn.renewTokens()];
781
670
  case 1:
782
671
  _a.sent();
783
672
  _a.label = 2;
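Review bot: The block that follows the `oidc_notLoggedIn` IIFE clears the persisted auth state for both outcomes, so an initialization error (`resultOfLoginProcess instanceof Error`) wipes a stored "logged in" marker just as a clean not-logged-in result does. If that marker is what triggers the automatic redirect when silent sign-in cannot work, as the `persistedAuthState === "logged in"` check earlier in this file suggests, a single transient failure could leave a user who still has a provider session looking logged out on the next load. Consider clearing only when `resultOfLoginProcess === undefined`, or add a comment such as `// NOTE: the "logged in" hint is dropped on init errors too, on purpose` if this is intended. This file is compiled output, so the change belongs in the TypeScript source listed alongside it.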
@@ -785,9 +674,9 @@ function createOidc_nonMemoized(params, preProcessedParams) {
785
674
  }
786
675
  });
787
676
  }); }, getDecodedIdToken: function () { return currentTokens.decodedIdToken; }, logout: function (params) { return __awaiter(_this, void 0, void 0, function () {
788
- var postLogoutRedirectUrl, error_5;
789
- return __generator(this, function (_a) {
790
- switch (_a.label) {
677
+ var postLogoutRedirectUrl, error_4, _a;
678
+ return __generator(this, function (_b) {
679
+ switch (_b.label) {
791
680
  case 0:
792
681
  if (globalContext.hasLogoutBeenCalled) {
793
682
  log === null || log === void 0 ? void 0 : log("logout() has already been called, ignoring the call");
@@ -812,9 +701,9 @@ function createOidc_nonMemoized(params, preProcessedParams) {
812
701
  });
813
702
  }
814
703
  })();
815
- _a.label = 1;
704
+ _b.label = 1;
816
705
  case 1:
817
- _a.trys.push([1, 3, , 4]);
706
+ _b.trys.push([1, 3, , 10]);
818
707
  return [4 /*yield*/, oidcClientTsUserManager.signoutRedirect({
819
708
  state: (0, tsafe_1.id)({
820
709
  configId: configId,
@@ -827,25 +716,36 @@ function createOidc_nonMemoized(params, preProcessedParams) {
827
716
  redirectMethod: "assign"
828
717
  })];
829
718
  case 2:
830
- _a.sent();
831
- return [3 /*break*/, 4];
719
+ _b.sent();
720
+ return [3 /*break*/, 10];
832
721
  case 3:
833
- error_5 = _a.sent();
834
- (0, tsafe_1.assert)((0, tsafe_1.is)(error_5));
835
- if (error_5.message !== "No end session endpoint") {
836
- throw error_5;
837
- }
722
+ error_4 = _b.sent();
723
+ (0, tsafe_1.assert)((0, tsafe_1.is)(error_4));
724
+ if (!(error_4.message === "No end session endpoint")) return [3 /*break*/, 8];
838
725
  log === null || log === void 0 ? void 0 : log("No end session endpoint, managing logging state locally");
839
- (0, persistedLogoutState_1.persistLogoutState)({ configId: configId });
726
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: "explicitly logged out" });
727
+ _b.label = 4;
728
+ case 4:
729
+ _b.trys.push([4, 6, , 7]);
730
+ return [4 /*yield*/, oidcClientTsUserManager.removeUser()];
731
+ case 5:
732
+ _b.sent();
733
+ return [3 /*break*/, 7];
734
+ case 6:
735
+ _a = _b.sent();
736
+ return [3 /*break*/, 7];
737
+ case 7:
840
738
  window.location.href = postLogoutRedirectUrl;
841
- return [3 /*break*/, 4];
842
- case 4: return [2 /*return*/, new Promise(function () { })];
739
+ return [3 /*break*/, 9];
740
+ case 8: throw error_4;
741
+ case 9: return [3 /*break*/, 10];
742
+ case 10: return [2 /*return*/, new Promise(function () { })];
843
743
  }
844
744
  });
845
745
  }); }, renewTokens: (function () {
846
746
  function renewTokens_nonMutexed(params) {
847
747
  return __awaiter(this, void 0, void 0, function () {
848
- var extraTokenParams, result_loginSilent, oidcClientTsUser, _a, authResponse;
748
+ var extraTokenParams, result_loginSilent, oidcClientTsUser, _a, authResponse, authResponse_error, oidcClientTsUser_scope, error_5;
849
749
  return __generator(this, function (_b) {
850
750
  switch (_b.label) {
851
751
  case 0:
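Review bot: In the "No end session endpoint" fallback of `logout`, a failure of `oidcClientTsUserManager.removeUser()` is caught and dropped without a trace (`_a = _b.sent();`), so the page navigates to `postLogoutRedirectUrl` while the stored user may still be present. This path is the only local cleanup when the provider cannot end the session, so the catch should at least report the failure, for example `log?.("removeUser() failed during local logout", error)` in the TypeScript source. The branch also depends on the exact string in `error_4.message === "No end session endpoint"`; a comment noting that coupling to the client library's message would help the next maintainer. The enclosing function body extends outside the hunk.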
@@ -864,27 +764,60 @@ function createOidc_nonMemoized(params, preProcessedParams) {
864
764
  }
865
765
  _a = result_loginSilent.outcome;
866
766
  switch (_a) {
867
- case "refresh token used": return [3 /*break*/, 2];
868
- case "success iframe": return [3 /*break*/, 3];
767
+ case "token refreshed using refresh token": return [3 /*break*/, 2];
768
+ case "got auth response from iframe": return [3 /*break*/, 3];
869
769
  }
870
- return [3 /*break*/, 5];
770
+ return [3 /*break*/, 10];
871
771
  case 2:
872
772
  {
873
773
  log === null || log === void 0 ? void 0 : log("Refresh token used");
874
774
  oidcClientTsUser = result_loginSilent.oidcClientTsUser;
875
775
  }
876
- return [3 /*break*/, 6];
776
+ return [3 /*break*/, 11];
877
777
  case 3:
878
778
  authResponse = result_loginSilent.authResponse;
879
779
  log === null || log === void 0 ? void 0 : log("Tokens refresh using iframe", authResponse);
880
- return [4 /*yield*/, oidcClientTsUserManager.signinRedirectCallback((0, loginSilent_1.authResponseToUrl)(authResponse))];
780
+ authResponse_error = authResponse["error"];
781
+ oidcClientTsUser_scope = undefined;
782
+ _b.label = 4;
881
783
  case 4:
882
- oidcClientTsUser = _b.sent();
883
- return [3 /*break*/, 6];
784
+ _b.trys.push([4, 6, , 7]);
785
+ return [4 /*yield*/, oidcClientTsUserManager.signinRedirectCallback((0, loginSilent_1.authResponseToUrl)(authResponse))];
884
786
  case 5:
885
- (0, tsafe_1.assert)(false);
886
- return [3 /*break*/, 6];
787
+ oidcClientTsUser_scope =
788
+ _b.sent();
789
+ return [3 /*break*/, 7];
887
790
  case 6:
791
+ error_5 = _b.sent();
792
+ (0, tsafe_1.assert)(error_5 instanceof Error);
793
+ if (authResponse_error === undefined) {
794
+ throw error_5;
795
+ }
796
+ oidcClientTsUser_scope = undefined;
797
+ return [3 /*break*/, 7];
798
+ case 7:
799
+ if (!(oidcClientTsUser_scope === undefined)) return [3 /*break*/, 9];
800
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: undefined });
801
+ return [4 /*yield*/, loginOrGoToAuthServer({
802
+ action: "login",
803
+ redirectUrl: window.location.href,
804
+ doForceReloadOnBfCache: true,
805
+ extraQueryParams_local: undefined,
806
+ transformUrlBeforeRedirect_local: undefined,
807
+ doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
808
+ doForceInteraction: false
809
+ })];
810
+ case 8:
811
+ _b.sent();
812
+ (0, tsafe_1.assert)(false);
813
+ _b.label = 9;
814
+ case 9:
815
+ oidcClientTsUser = oidcClientTsUser_scope;
816
+ return [3 /*break*/, 11];
817
+ case 10:
818
+ (0, tsafe_1.assert)(false);
819
+ return [3 /*break*/, 11];
820
+ case 11:
888
821
  currentTokens = (0, oidcClientTsUserToTokens_1.oidcClientTsUserToTokens)({
889
822
  oidcClientTsUser: oidcClientTsUser,
890
823
  decodedIdTokenSchema: decodedIdTokenSchema,
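Review bot: In `renewTokens_nonMutexed`, case 6 discards `error_5` whenever the iframe response carries any `error` value, and case 7 then clears the persisted state and sends the user through `loginOrGoToAuthServer`. The initial sign-in path earlier in this file redirects only for `interaction_required`, `login_required`, `consent_required` and `account_selection_required`; here a response such as `server_error` would also navigate the user away, and could do so repeatedly while the provider keeps failing. Consider applying the same four-value check before falling through to the redirect, and record the cause first, e.g. `log?.("Silent renew failed: " + authResponse_error, error_5)`. The function body starts and ends outside the hunk, and the change belongs in the TypeScript source since this file is compiled output.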
@@ -964,7 +897,15 @@ function createOidc_nonMemoized(params, preProcessedParams) {
964
897
  autoLogoutCountdownTickCallbacks.delete(tickCallback);
965
898
  };
966
899
  return { unsubscribeFromAutoLogoutCountdown: unsubscribeFromAutoLogoutCountdown };
967
- }, goToAuthServer: function (params) { return loginOrGoToAuthServer(__assign({ action: "go to auth server" }, params)); }, backFromAuthServer: resultOfLoginProcess.backFromAuthServer, isNewBrowserSession: (function () {
900
+ }, goToAuthServer: function (_a) {
901
+ var extraQueryParams = _a.extraQueryParams, redirectUrl = _a.redirectUrl, transformUrlBeforeRedirect = _a.transformUrlBeforeRedirect;
902
+ return loginOrGoToAuthServer({
903
+ action: "go to auth server",
904
+ redirectUrl: redirectUrl !== null && redirectUrl !== void 0 ? redirectUrl : window.location.href,
905
+ extraQueryParams_local: extraQueryParams,
906
+ transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
907
+ });
908
+ }, backFromAuthServer: resultOfLoginProcess.backFromAuthServer, isNewBrowserSession: (function () {
968
909
  if (sessionStorage.getItem(BROWSER_SESSION_NOT_FIRST_INIT_KEY) === null) {
969
910
  sessionStorage.setItem(BROWSER_SESSION_NOT_FIRST_INIT_KEY, "true");
970
911
  log === null || log === void 0 ? void 0 : log("This is a new browser session");
@@ -988,20 +929,22 @@ function createOidc_nonMemoized(params, preProcessedParams) {
988
929
  }
989
930
  (function scheduleRenew() {
990
931
  var _this = this;
991
- var msBeforeExpiration = getMsBeforeExpiration();
992
- // NOTE: Here semantically `"doesCurrentHrefRequiresAuth": false` is wrong.
993
- // The user may very well be on a page that require auth.
994
- // However there's no way to enforce the browser to redirect back to
995
- // the last public route if the user press back on the login page.
996
- // This is due to the fact that pushing to history only works if it's
997
- // triggered by a user interaction.
998
932
  var login_dueToExpiration = function () {
933
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: undefined });
999
934
  return loginOrGoToAuthServer({
1000
935
  action: "login",
1001
- doesCurrentHrefRequiresAuth: false
936
+ redirectUrl: window.location.href,
937
+ doForceReloadOnBfCache: true,
938
+ extraQueryParams_local: undefined,
939
+ transformUrlBeforeRedirect_local: undefined,
940
+ // NOTE: Wether or not it's the preferred behavior, pushing to history
941
+ // only works on user interaction so it have to be false
942
+ doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
943
+ doForceInteraction: true
1002
944
  });
1003
945
  };
1004
- if (msBeforeExpiration <= 2000) {
946
+ var msBeforeExpiration = (0, oidcClientTsUserToTokens_1.getMsBeforeExpiration)(currentTokens);
947
+ if (msBeforeExpiration <= MIN_RENEW_BEFORE_EXPIRE_MS) {
1005
948
  // NOTE: We just got a new token that is about to expire. This means that
1006
949
  // the refresh token has reached it's max SSO time.
1007
950
  login_dueToExpiration();
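Review bot: `login_dueToExpiration` sets `doForceInteraction: true`, while the redirect added to `renewTokens` in this same file passes `doForceInteraction: false`, and no comment says why the two expiry paths differ. A line above it such as `// NOTE: the session reached its max lifetime, so ask the user to authenticate again instead of reusing the provider session` would record the intent; that wording assumes what the flag does, since `loginOrGoToAuthServer` is not visible here. The new comment would also read better as `// NOTE: Whether or not it's the preferred behavior, pushing to history only works on user interaction, so it has to be false`. `scheduleRenew` continues outside the hunk.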
@@ -1010,7 +953,7 @@ function createOidc_nonMemoized(params, preProcessedParams) {
1010
953
  // NOTE: We refresh the token 25 seconds before it expires.
1011
954
  // If the token expiration time is less than 25 seconds we refresh the token when
1012
955
  // only 1/10 of the token time is left.
1013
- var renewMsBeforeExpires = Math.min(25000, msBeforeExpiration * 0.1);
956
+ var renewMsBeforeExpires = Math.max(Math.min(25000, msBeforeExpiration * 0.1), MIN_RENEW_BEFORE_EXPIRE_MS);
1014
957
  log === null || log === void 0 ? void 0 : log([
1015
958
  (0, toHumanReadableDuration_1.toHumanReadableDuration)(msBeforeExpiration),
1016
959
  "before expiration of the access token.",
@@ -1025,7 +968,7 @@ function createOidc_nonMemoized(params, preProcessedParams) {
1025
968
  _b.label = 1;
1026
969
  case 1:
1027
970
  _b.trys.push([1, 3, , 5]);
1028
- return [4 /*yield*/, oidc.renewTokens()];
971
+ return [4 /*yield*/, oidc_loggedIn.renewTokens()];
1029
972
  case 2:
1030
973
  _b.sent();
1031
974
  return [3 /*break*/, 5];
@@ -1039,7 +982,7 @@ function createOidc_nonMemoized(params, preProcessedParams) {
1039
982
  }
1040
983
  });
1041
984
  }); }, msBeforeExpiration - renewMsBeforeExpires);
1042
- var tokenChangeUnsubscribe = oidc.subscribeToTokensChange(function () {
985
+ var tokenChangeUnsubscribe = oidc_loggedIn.subscribeToTokensChange(function () {
1043
986
  (0, workerTimers_1.clearTimeout)(timer);
1044
987
  tokenChangeUnsubscribe();
1045
988
  scheduleRenew();
@@ -1074,13 +1017,13 @@ function createOidc_nonMemoized(params, preProcessedParams) {
1074
1017
  return tickCallback({ secondsLeft: secondsLeft });
1075
1018
  });
1076
1019
  if (secondsLeft === 0) {
1077
- oidc.logout(autoLogoutParams);
1020
+ oidc_loggedIn.logout(autoLogoutParams);
1078
1021
  }
1079
1022
  }
1080
1023
  }).startCountdown;
1081
1024
  stopCountdown_1 = undefined;
1082
1025
  if (globalContext.$isUserActive === undefined) {
1083
- globalContext.$isUserActive = (0, createIsUserActive_1.create$isUserActive)({
1026
+ globalContext.$isUserActive = (0, isUserActive_1.create$isUserActive)({
1084
1027
  configId: configId,
1085
1028
  sessionId: sessionId
1086
1029
  });
@@ -1098,7 +1041,16 @@ function createOidc_nonMemoized(params, preProcessedParams) {
1098
1041
  }
1099
1042
  });
1100
1043
  }
1101
- return [2 /*return*/, oidc];
1044
+ {
1045
+ if ((0, persistedAuthState_1.getPersistedAuthState)({ configId: configId }) !== undefined) {
1046
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: undefined });
1047
+ }
1048
+ if (!areThirdPartyCookiesAllowed) {
1049
+ (0, persistedAuthState_1.persistAuthState)({ configId: configId, state: "logged in" });
1050
+ }
1051
+ }
1052
+ toCallBeforeReturningOidcLoggedIn();
1053
+ return [2 /*return*/, oidc_loggedIn];
1102
1054
  }
1103
1055
  });
1104
1056
  });