oidc-spa 7.1.10 → 7.2.0-rc.2

package/keycloak/keycloak-js/Keycloak.js

@@ -0,0 +1,778 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Keycloak = void 0;
+const tsafe_1 = require("../../vendor/frontend/tsafe");
+const core_1 = require("../../core");
+const Deferred_1 = require("../../tools/Deferred");
+const decodeJwt_1 = require("../../tools/decodeJwt");
+const keycloakUtils_1 = require("../keycloakUtils");
+const worker_timers_1 = require("../../vendor/frontend/worker-timers");
+const StatefulEvt_1 = require("../../tools/StatefulEvt");
+const readExpirationTimeInJwt_1 = require("../../tools/readExpirationTimeInJwt");
+const internalStateByInstance = new WeakMap();
+/**
+ * This module provides a drop-in replacement for `keycloak-js`,
+ * designed for teams migrating to `oidc-spa` with minimal changes.
+ *
+ * ⚠️ While the import path is `oidc-spa/keycloak-js`, this is *not* a re-export or patch —
+ * it is a full alternative implementation aligned with the `keycloak-js` API.
+ */
+class Keycloak {
+    /**
+     * Creates a new Keycloak client instance.
+     * @param config A configuration object or path to a JSON config file.
+     *
+     * NOTE oidc-spa: Currently not supporting GenericOidcConfig (providing explicitly authorization_endpoint ect)
+     * But we could if with the __metadata parameter of oidc-spa.
+     * I'm not seeing the usecase when ran against keycloak right now so not doing it.
+     */
+    constructor(params) {
+        /**
+         * Response mode passed in init (default value is `'fragment'`).
+         *
+         * NOTE oidc-spa: Can only be fragment.
+         */
+        this.responseMode = "fragment";
+        /**
+         * Response type sent to Keycloak with login requests. This is determined
+         * based on the flow value used during initialization, but can be overridden
+         * by setting this value.
+         *
+         * NOTE oidc-spa: Can only be 'code'
+         */
+        this.responseType = "code";
+        /**
+         * Flow passed in init.
+         *
+         * NOTE oidc-spa: Can only be 'standard'
+         */
+        this.flow = "standard";
+        /**
+         * The estimated time difference between the browser time and the Keycloak
+         * server in seconds. This value is just an estimation, but is accurate
+         * enough when determining if a token is expired or not.
+         *
+         * NOTE oidc-spa: Not supported.
+         */
+        this.timeSkew = null;
+        const issuerUri = `${params.url.replace(/\/$/, "")}/realms/${params.realm}`;
+        internalStateByInstance.set(this, {
+            constructorParams: params,
+            dInitialized: new Deferred_1.Deferred(),
+            initOptions: undefined,
+            oidc: undefined,
+            tokens: undefined,
+            keycloakUtils: (0, keycloakUtils_1.createKeycloakUtils)({ issuerUri }),
+            issuerUri,
+            profile: undefined,
+            userInfo: undefined,
+            $onTokenExpired: (0, StatefulEvt_1.createStatefulEvt)(() => undefined)
+        });
+    }
+    /**
+     * Called to initialize the adapter.
+     * @param initOptions Initialization options.
+     * @returns A promise to set functions to be invoked on success or error.
+     */
+    async init(initOptions = {}) {
+        const { onLoad = "check-sso", redirectUri, enableLogging, scope, locale } = initOptions;
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (internalState.initOptions !== undefined) {
+            if (JSON.stringify(internalState.initOptions) !== JSON.stringify(initOptions)) {
+                throw new Error("Can't call init() multiple time with different params");
+            }
+            await internalState.dInitialized.pr;
+            const { oidc } = internalState;
+            (0, tsafe_1.assert)(oidc !== undefined);
+            return oidc.isUserLoggedIn;
+        }
+        internalState.initOptions = initOptions;
+        const { constructorParams, issuerUri } = internalState;
+        const autoLogin = onLoad === "login-required";
+        let hasCreateResolved = false;
+        const oidcOrError = await (0, core_1.createOidc)({
+            homeUrl: constructorParams.homeUrl,
+            issuerUri,
+            clientId: internalState.constructorParams.clientId,
+            autoLogin,
+            postLoginRedirectUrl: redirectUri,
+            debugLogs: enableLogging,
+            scopes: scope?.split(" "),
+            extraQueryParams: !autoLogin || locale === undefined
+                ? undefined
+                : () => {
+                    if (hasCreateResolved) {
+                        return {};
+                    }
+                    return {
+                        ui_locales: locale
+                    };
+                }
+        })
+            // NOTE: This can only happen when autoLogin is true, otherwise the error
+            // is in oidc.initializationError
+            .catch((error) => error);
+        hasCreateResolved = true;
+        if (oidcOrError instanceof core_1.OidcInitializationError) {
+            this.onAuthError?.({
+                error: oidcOrError.name,
+                error_description: oidcOrError.message
+            });
+            await new Promise(() => { });
+            (0, tsafe_1.assert)(false);
+        }
+        const oidc = oidcOrError;
+        internalState.oidc = oidc;
+        if (oidc.isUserLoggedIn) {
+            {
+                const tokens = await oidc.getTokens();
+                const onNewToken = (tokens_new) => {
+                    internalState.tokens = tokens_new;
+                    this.onAuthRefreshSuccess?.();
+                };
+                onNewToken(tokens);
+                oidc.subscribeToTokensChange(onNewToken);
+            }
+            {
+                const { $onTokenExpired } = internalState;
+                let clear = undefined;
+                $onTokenExpired.subscribe(onTokenExpired => {
+                    clear?.();
+                    if (onTokenExpired === undefined) {
+                        return;
+                    }
+                    let timer = undefined;
+                    const onNewToken = () => {
+                        if (timer !== undefined) {
+                            worker_timers_1.workerTimers.clearTimeout(timer);
+                        }
+                        const { tokens } = internalState;
+                        (0, tsafe_1.assert)(tokens !== undefined);
+                        timer = worker_timers_1.workerTimers.setTimeout(() => {
+                            onTokenExpired.call(this);
+                        }, Math.max(tokens.accessTokenExpirationTime - Date.now() - 3000, 0));
+                    };
+                    onNewToken();
+                    const { unsubscribe } = oidc.subscribeToTokensChange(onNewToken);
+                    clear = () => {
+                        if (timer !== undefined) {
+                            worker_timers_1.workerTimers.clearTimeout(timer);
+                        }
+                        unsubscribe();
+                    };
+                });
+            }
+            onActionUpdate_call: {
+                if (this.onActionUpdate === undefined) {
+                    break onActionUpdate_call;
+                }
+                const { backFromAuthServer } = oidc;
+                if (backFromAuthServer === undefined) {
+                    break onActionUpdate_call;
+                }
+                const status = backFromAuthServer.result.kc_action_status;
+                if (!(0, tsafe_1.isAmong)(["success", "cancelled", "error"], status)) {
+                    break onActionUpdate_call;
+                }
+                const action = backFromAuthServer.extraQueryParams.kc_action;
+                if (action === undefined) {
+                    break onActionUpdate_call;
+                }
+                this.onActionUpdate(status, action);
+            }
+        }
+        if (!oidc.isUserLoggedIn && oidc.initializationError !== undefined) {
+            this.onAuthError?.({
+                error: oidc.initializationError.name,
+                error_description: oidc.initializationError.message
+            });
+        }
+        internalState.dInitialized.resolve();
+        this.onReady?.(oidc.isUserLoggedIn);
+        if (oidc.isUserLoggedIn) {
+            this.onAuthSuccess?.();
+        }
+        return oidc.isUserLoggedIn;
+    }
+    /**
+     * Is true if the user is authenticated, false otherwise.
+     */
+    get authenticated() {
+        if (!this.didInitialize) {
+            return false;
+        }
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { oidc } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        return oidc.isUserLoggedIn;
+    }
+    /**
+     * The user id.
+     */
+    get subject() {
+        if (!this.didInitialize) {
+            return undefined;
+        }
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.subject when keycloak.authenticated is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        return tokens.decodedIdToken_original.sub;
+    }
+    /**
+     * The realm roles associated with the token.
+     */
+    get realmAccess() {
+        if (!this.didInitialize) {
+            return undefined;
+        }
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.realAccess when keycloak.realmAccess is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        (0, tsafe_1.assert)((0, tsafe_1.is)(tokens.decodedIdToken_original));
+        return tokens.decodedIdToken_original.realm_access;
+    }
+    /**
+     * The resource roles associated with the token.
+     */
+    get resourceAccess() {
+        if (!this.didInitialize) {
+            return undefined;
+        }
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.resourceAccess when keycloak.authenticated is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        (0, tsafe_1.assert)((0, tsafe_1.is)(tokens.decodedIdToken_original));
+        return tokens.decodedIdToken_original.resource_access;
+    }
+    /**
+     * The base64 encoded token that can be sent in the Authorization header in
+     * requests to services.
+     */
+    get token() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            return internalState.initOptions?.token;
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.token is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        return tokens.accessToken;
+    }
+    /**
+     * The parsed token as a JavaScript object.
+     */
+    get tokenParsed() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            const { token } = internalState.initOptions ?? {};
+            if (token === undefined) {
+                return undefined;
+            }
+            return (0, decodeJwt_1.decodeJwt)(token);
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.tokenParsed is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        return (0, decodeJwt_1.decodeJwt)(tokens.accessToken);
+    }
+    /**
+     * The base64 encoded refresh token that can be used to retrieve a new token.
+     */
+    get refreshToken() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            return internalState.initOptions?.refreshToken;
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.refreshToken is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        return tokens.refreshToken;
+    }
+    /**
+     * The parsed refresh token as a JavaScript object.
+     */
+    get refreshTokenParsed() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            const { refreshToken } = internalState.initOptions ?? {};
+            if (refreshToken === undefined) {
+                return undefined;
+            }
+            return (0, decodeJwt_1.decodeJwt)(refreshToken);
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.refreshTokenParsed is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        if (tokens.refreshToken === undefined) {
+            return undefined;
+        }
+        return (0, decodeJwt_1.decodeJwt)(tokens.refreshToken);
+    }
+    /**
+     * The base64 encoded ID token.
+     */
+    get idToken() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            return internalState.initOptions?.idToken;
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.token is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        return tokens.idToken;
+    }
+    /**
+     * The parsed id token as a JavaScript object.
+     */
+    get idTokenParsed() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            const { idToken } = internalState.initOptions ?? {};
+            if (idToken === undefined) {
+                return undefined;
+            }
+            return (0, decodeJwt_1.decodeJwt)(idToken);
+        }
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.token when keycloak.refreshTokenParsed is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        (0, tsafe_1.assert)((0, tsafe_1.is)(tokens.decodedIdToken_original));
+        return tokens.decodedIdToken_original;
+    }
+    /**
+     * Whether the instance has been initialized by calling `.init()`.
+     */
+    get didInitialize() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        return internalState.oidc !== undefined;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get loginRequired() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { initOptions } = internalState;
+        if (initOptions === undefined) {
+            return false;
+        }
+        return initOptions.onLoad === "login-required";
+    }
+    /**
+     * @private Undocumented.
+     */
+    get authServerUrl() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { keycloakUtils: { issuerUriParsed } } = internalState;
+        return `${issuerUriParsed.origin}${issuerUriParsed.kcHttpRelativePath}`;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get realm() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { keycloakUtils: { issuerUriParsed } } = internalState;
+        return issuerUriParsed.realm;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get clientId() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { constructorParams } = internalState;
+        return constructorParams.clientId;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get redirectUri() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { initOptions } = internalState;
+        if (initOptions === undefined) {
+            return undefined;
+        }
+        return initOptions.redirectUri;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get sessionId() {
+        if (!this.didInitialize) {
+            return undefined;
+        }
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { oidc, tokens } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn("Trying to read keycloak.sessionId when keycloak.authenticated is false is a logical error in your application");
+            return undefined;
+        }
+        (0, tsafe_1.assert)(tokens !== undefined);
+        const { sid } = tokens.decodedIdToken_original;
+        (0, tsafe_1.assert)(typeof sid === "string");
+        return sid;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get profile() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { profile } = internalState;
+        return profile;
+    }
+    /**
+     * @private Undocumented.
+     */
+    get userInfo() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { userInfo } = internalState;
+        return userInfo;
+    }
+    /**
+     * Called if there was an error while trying to refresh the token.
+     *
+     * NOTE oidc-spa: In oidc-spa an auth refresh error always triggers a page refresh.
+     */
+    //onAuthRefreshError?(): void;
+    /**
+     * Called if the user is logged out (will only be called if the session
+     * status iframe is enabled, or in Cordova mode).
+     *
+     * NOTE oidc-spa: In oidc-spa a logout always triggers a page refresh.
+     */
+    //onAuthLogout?(): void;
+    /**
+     * Called when the access token is expired. If a refresh token is available
+     * the token can be refreshed with Keycloak#updateToken, or in cases where
+     * it's not (ie. with implicit flow) you can redirect to login screen to
+     * obtain a new access token.
+     */
+    set onTokenExpired(value) {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { $onTokenExpired } = internalState;
+        $onTokenExpired.current = value;
+    }
+    get onTokenExpired() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { $onTokenExpired } = internalState;
+        return $onTokenExpired.current;
+    }
+    /**
+     * Redirects to login form.
+     * @param options Login options.
+     */
+    async login(options) {
+        const { redirectUri, action, loginHint, acr, acrValues, idpHint, locale, doesCurrentHrefRequiresAuth } = options ?? {};
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            await internalState.dInitialized.pr;
+        }
+        const { oidc, keycloakUtils } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        const extraQueryParams_commons = {
+            claims: acr === undefined
+                ? undefined
+                : JSON.stringify({
+                    id_token: {
+                        acr
+                    }
+                }),
+            acr_values: acrValues,
+            ui_locales: locale
+        };
+        if (oidc.isUserLoggedIn) {
+            (0, tsafe_1.assert)(action !== "register");
+            (0, tsafe_1.assert)(loginHint === undefined);
+            (0, tsafe_1.assert)(idpHint === undefined);
+            (0, tsafe_1.assert)(doesCurrentHrefRequiresAuth === undefined);
+            await oidc.goToAuthServer({
+                redirectUrl: redirectUri,
+                extraQueryParams: {
+                    ...extraQueryParams_commons,
+                    kc_action: action,
+                    ui_locales: locale
+                }
+            });
+            (0, tsafe_1.assert)(false);
+        }
+        (0, tsafe_1.assert)(action === undefined || action === "register");
+        await oidc.login({
+            redirectUrl: redirectUri,
+            doesCurrentHrefRequiresAuth: doesCurrentHrefRequiresAuth ?? false,
+            extraQueryParams: {
+                ...extraQueryParams_commons,
+                login_hint: loginHint,
+                kc_idp_hint: idpHint
+            },
+            transformUrlBeforeRedirect: action !== "register" ? undefined : keycloakUtils.transformUrlBeforeRedirectForRegister
+        });
+        (0, tsafe_1.assert)(false);
+    }
+    /**
+     * Redirects to logout.
+     * @param options Logout options.
+     */
+    async logout(options) {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            await internalState.dInitialized.pr;
+        }
+        const { oidc, initOptions } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        (0, tsafe_1.assert)(initOptions !== undefined);
+        (0, tsafe_1.assert)(oidc.isUserLoggedIn, "The user is not currently logged in");
+        const redirectUri = options?.redirectUri ?? initOptions.redirectUri;
+        await oidc.logout({
+            ...(redirectUri === undefined
+                ? { redirectTo: "current page" }
+                : { redirectTo: "specific url", url: redirectUri })
+        });
+        (0, tsafe_1.assert)(false);
+    }
+    /**
+     * Redirects to registration form.
+     * @param options The options used for the registration.
+     */
+    async register(options) {
+        return this.login({
+            ...options,
+            action: "register"
+        });
+    }
+    /**
+     * Redirects to the Account Management Console.
+     */
+    async accountManagement(options) {
+        const { redirectUri, locale } = options ?? {};
+        window.location.href = this.createAccountUrl({
+            redirectUri,
+            locale
+        });
+        return new Promise(() => { });
+    }
+    /**
+     * Returns the URL to login form.
+     * @param options Supports same options as Keycloak#login.
+     *
+     * NOTE oidc-spa: Not supported, please use login() method.
+     */
+    //createLoginUrl(options?: KeycloakLoginOptions): Promise<string>;
+    /**
+     * Returns the URL to logout the user.
+     * @param options Logout options.
+     *
+     * NOTE oidc-spa: Not supported, please use logout() method.
+     */
+    //createLogoutUrl(options?: KeycloakLogoutOptions): string;
+    /**
+     * Returns the URL to registration page.
+     * @param options The options used for creating the registration URL.
+     *
+     * NOTE oidc-spa: Not supported please user login({ action: "register" })
+     */
+    //createRegisterUrl(options?: KeycloakRegisterOptions): Promise<string>;
+    /**
+     * Returns the URL to the Account Management Console.
+     * @param options The options used for creating the account URL.
+     */
+    createAccountUrl(options) {
+        const { locale, redirectUri } = options ?? {};
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        const { keycloakUtils } = internalState;
+        return keycloakUtils.getAccountUrl({
+            clientId: this.clientId,
+            backToAppFromAccountUrl: redirectUri ?? location.href,
+            locale
+        });
+    }
+    /**
+     * Returns true if the token has less than `minValidity` seconds left before
+     * it expires.
+     * @param minValidity If not specified, `0` is used.
+     */
+    isTokenExpired(minValidity = 0) {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        let accessTokenExpirationTime;
+        if (!this.didInitialize) {
+            const fakeAccessToken = this.token;
+            if (fakeAccessToken === undefined) {
+                throw new Error("isTokenExpired was called too early");
+            }
+            const time = (0, readExpirationTimeInJwt_1.readExpirationTimeInJwt)(fakeAccessToken);
+            (0, tsafe_1.assert)(time !== undefined, "The initial token is not a JWT");
+            accessTokenExpirationTime = time;
+        }
+        else {
+            const { tokens } = internalState;
+            (0, tsafe_1.assert)(tokens !== undefined);
+            accessTokenExpirationTime = tokens.accessTokenExpirationTime;
+        }
+        if (accessTokenExpirationTime > Date.now() + minValidity * 1000) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * If the token expires within `minValidity` seconds, the token is refreshed.
+     * If the session status iframe is enabled, the session status is also
+     * checked.
+     * @param minValidity If not specified, `5` is used.
+     * @returns A promise to set functions that can be invoked if the token is
+     *          still valid, or if the token is no longer valid.
+     * @example
+     * ```js
+     * keycloak.updateToken(5).then(function(refreshed) {
+     *   if (refreshed) {
+     *     alert('Token was successfully refreshed');
+     *   } else {
+     *     alert('Token is still valid');
+     *   }
+     * }).catch(function() {
+     *   alert('Failed to refresh the token, or the session has expired');
+     * });
+     */
+    async updateToken(minValidity = 5) {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            await internalState.dInitialized.pr;
+        }
+        const { oidc } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        (0, tsafe_1.assert)(oidc.isUserLoggedIn, "updateToken called too early");
+        if (!this.isTokenExpired(minValidity)) {
+            return false;
+        }
+        await oidc.renewTokens();
+        return true;
+    }
+    /**
+     * Clears authentication state, including tokens. This can be useful if
+     * the application has detected the session was expired, for example if
+     * updating token fails. Invoking this results in Keycloak#onAuthLogout
+     * callback listener being invoked.
+     *
+     * NOTE oidc-spa: In this implementation we never end up in the kind of
+     * state where calling this makes sense.
+     * oidc-spa take more control and exposes less complexity to the user of the
+     * adapter.
+     */
+    //clearToken(): void;
+    /**
+     * Returns true if the token has the given realm role.
+     * @param role A realm role name.
+     */
+    hasRealmRole(role) {
+        const access = this.realmAccess;
+        return access !== undefined && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * Returns true if the token has the given role for the resource.
+     * @param role A role name.
+     * @param resource If not specified, `clientId` is used.
+     */
+    hasResourceRole(role, resource) {
+        if (this.resourceAccess === undefined) {
+            return false;
+        }
+        const access = this.resourceAccess[resource || this.clientId];
+        return access !== undefined && access.roles.indexOf(role) >= 0;
+    }
+    /**
+     * Loads the user's profile.
+     * @returns A promise to set functions to be invoked on success or error.
+     */
+    async loadUserProfile() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            await internalState.dInitialized.pr;
+        }
+        const { oidc, keycloakUtils } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        (0, tsafe_1.assert)(oidc.isUserLoggedIn, "Can't load userProfile if user not authenticated");
+        const { accessToken } = await oidc.getTokens();
+        return (internalState.profile = await keycloakUtils.fetchUserProfile({ accessToken }));
+    }
+    /**
+     * @private Undocumented.
+     */
+    async loadUserInfo() {
+        const internalState = internalStateByInstance.get(this);
+        (0, tsafe_1.assert)(internalState !== undefined);
+        if (!this.didInitialize) {
+            await internalState.dInitialized.pr;
+        }
+        const { oidc, keycloakUtils } = internalState;
+        (0, tsafe_1.assert)(oidc !== undefined);
+        (0, tsafe_1.assert)(oidc.isUserLoggedIn, "Can't load userInfo if user not authenticated");
+        const { accessToken } = await oidc.getTokens();
+        return (internalState.userInfo = await keycloakUtils.fetchUserInfo({ accessToken }));
+    }
+}
+exports.Keycloak = Keycloak;
+//# sourceMappingURL=Keycloak.js.map