oidc-spa 7.1.10 → 7.2.0-rc.2

package/vendor/frontend/tsafe.d.ts

@@ -4,3 +4,4 @@ export { typeGuard } from "tsafe/typeGuard";
 export { overwriteReadonlyProp } from "tsafe/lab/overwriteReadonlyProp";
 export { noUndefined } from "tsafe/noUndefined";
 export type { Param0 } from "tsafe";
+export { isAmong } from "tsafe/isAmong";

package/vendor/frontend/tsafe.js

@@ -1,2 +1,2 @@
-(()=>{"use strict";var e={720:function(e,r,t){var n,o=this&&this.__extends||(n=function(e,r){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,r){e.__proto__=r}||function(e,r){for(var t in r)Object.prototype.hasOwnProperty.call(r,t)&&(e[t]=r[t])},n(e,r)},function(e,r){if("function"!=typeof r&&null!==r)throw new TypeError("Class extends value "+String(r)+" is not a constructor or null");function t(){this.constructor=e}n(e,r),e.prototype=null===r?Object.create(r):(t.prototype=r.prototype,new t)}),i=this&&this.__read||function(e,r){var t="function"==typeof Symbol&&e[Symbol.iterator];if(!t)return e;var n,o,i=t.call(e),a=[];try{for(;(void 0===r||r-- >0)&&!(n=i.next()).done;)a.push(n.value)}catch(e){o={error:e}}finally{try{n&&!n.done&&(t=i.return)&&t.call(i)}finally{if(o)throw o.error}}return a};Object.defineProperty(r,"__esModule",{value:!0}),r.AssertionError=void 0,r.assert=function(e,r){if(0===arguments.length&&(e=!0),void 0===c){if(!e)throw new u("function"==typeof r?r():r)}else c=void 0},r.is=function(e){var r={};if(void 0!==c)throw c=void 0,new Error(s);return c=r,Promise.resolve().then((function(){if(c===r)throw new Error(s)})),null};var a=t(522),u=function(e){function r(r){var t=this.constructor,n=e.call(this,"Wrong assertion encountered"+(r?': "'.concat(r,'"'):""))||this;if(n.originalMessage=r,Object.setPrototypeOf(n,t.prototype),!n.stack)return n;try{(0,a.overwriteReadonlyProp)(n,"stack",n.stack.split("\n").filter((function(){for(var e=[],r=0;r<arguments.length;r++)e[r]=arguments[r];var t=i(e,2)[1];return 1!==t&&2!==t})).join("\n"))}catch(e){}return n}return o(r,e),r}(Error);r.AssertionError=u;var c=void 0,s="Wrong usage of the `is` function refer to https://docs.tsafe.dev/is"},135:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.id=void 0,r.id=function(e){return e}},522:function(e,r){var t=this&&this.__assign||function(){return t=Object.assign||function(e){for(var r,t=1,n=arguments.length;t<n;t++)for(var o in r=arguments[t])Object.prototype.hasOwnProperty.call(r,o)&&(e[o]=r[o]);return e},t.apply(this,arguments)};Object.defineProperty(r,"__esModule",{value:!0}),r.overwriteReadonlyProp=void 0,r.overwriteReadonlyProp=function(e,r,n){try{e[r]=n}catch(e){}if(e[r]===n)return n;var o=void 0,i=Object.getOwnPropertyDescriptor(e,r)||{enumerable:!0,configurable:!0};if(i.get)throw new Error("Probably a wrong ides to overwrite ".concat(String(r)," getter"));try{Object.defineProperty(e,r,t(t({},i),{value:n}))}catch(e){o=e}if(e[r]!==n)throw o||new Error("Can't assign");return n}},505:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.noUndefined=function(e){var r={};for(var t in e)void 0!==e[t]&&(r[t]=e[t]);return r}},497:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.typeGuard=function(e,r){return r}}},r={};function t(n){var o=r[n];if(void 0!==o)return o.exports;var i=r[n]={exports:{}};return e[n].call(i.exports,i,i.exports,t),i.exports}var n={};(()=>{var e=n;Object.defineProperty(e,"__esModule",{value:!0}),e.noUndefined=e.overwriteReadonlyProp=e.typeGuard=e.is=e.assert=e.id=void 0;var r=t(135);Object.defineProperty(e,"id",{enumerable:!0,get:function(){return r.id}});var o=t(720);Object.defineProperty(e,"assert",{enumerable:!0,get:function(){return o.assert}}),Object.defineProperty(e,"is",{enumerable:!0,get:function(){return o.is}});var i=t(497);Object.defineProperty(e,"typeGuard",{enumerable:!0,get:function(){return i.typeGuard}});var a=t(522);Object.defineProperty(e,"overwriteReadonlyProp",{enumerable:!0,get:function(){return a.overwriteReadonlyProp}});var u=t(505);Object.defineProperty(e,"noUndefined",{enumerable:!0,get:function(){return u.noUndefined}})})(),module.exports=n})();
+(()=>{"use strict";var e={720:function(e,r,t){var n,o=this&&this.__extends||(n=function(e,r){return n=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,r){e.__proto__=r}||function(e,r){for(var t in r)Object.prototype.hasOwnProperty.call(r,t)&&(e[t]=r[t])},n(e,r)},function(e,r){if("function"!=typeof r&&null!==r)throw new TypeError("Class extends value "+String(r)+" is not a constructor or null");function t(){this.constructor=e}n(e,r),e.prototype=null===r?Object.create(r):(t.prototype=r.prototype,new t)}),i=this&&this.__read||function(e,r){var t="function"==typeof Symbol&&e[Symbol.iterator];if(!t)return e;var n,o,i=t.call(e),u=[];try{for(;(void 0===r||r-- >0)&&!(n=i.next()).done;)u.push(n.value)}catch(e){o={error:e}}finally{try{n&&!n.done&&(t=i.return)&&t.call(i)}finally{if(o)throw o.error}}return u};Object.defineProperty(r,"__esModule",{value:!0}),r.AssertionError=void 0,r.assert=function(e,r){if(0===arguments.length&&(e=!0),void 0===c){if(!e)throw new a("function"==typeof r?r():r)}else c=void 0},r.is=function(e){var r={};if(void 0!==c)throw c=void 0,new Error(f);return c=r,Promise.resolve().then((function(){if(c===r)throw new Error(f)})),null};var u=t(522),a=function(e){function r(r){var t=this.constructor,n=e.call(this,"Wrong assertion encountered"+(r?': "'.concat(r,'"'):""))||this;if(n.originalMessage=r,Object.setPrototypeOf(n,t.prototype),!n.stack)return n;try{(0,u.overwriteReadonlyProp)(n,"stack",n.stack.split("\n").filter((function(){for(var e=[],r=0;r<arguments.length;r++)e[r]=arguments[r];var t=i(e,2)[1];return 1!==t&&2!==t})).join("\n"))}catch(e){}return n}return o(r,e),r}(Error);r.AssertionError=a;var c=void 0,f="Wrong usage of the `is` function refer to https://docs.tsafe.dev/is"},135:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.id=void 0,r.id=function(e){return e}},952:function(e,r){var t=this&&this.__values||function(e){var r="function"==typeof Symbol&&Symbol.iterator,t=r&&e[r],n=0;if(t)return t.call(e);if(e&&"number"==typeof e.length)return{next:function(){return e&&n>=e.length&&(e=void 0),{value:e&&e[n++],done:!e}}};throw new TypeError(r?"Object is not iterable.":"Symbol.iterator is not defined.")};Object.defineProperty(r,"__esModule",{value:!0}),r.isAmong=function(e,r){var n,o;try{for(var i=t(e),u=i.next();!u.done;u=i.next())if(u.value===r)return!0}catch(e){n={error:e}}finally{try{u&&!u.done&&(o=i.return)&&o.call(i)}finally{if(n)throw n.error}}return!1}},522:function(e,r){var t=this&&this.__assign||function(){return t=Object.assign||function(e){for(var r,t=1,n=arguments.length;t<n;t++)for(var o in r=arguments[t])Object.prototype.hasOwnProperty.call(r,o)&&(e[o]=r[o]);return e},t.apply(this,arguments)};Object.defineProperty(r,"__esModule",{value:!0}),r.overwriteReadonlyProp=void 0,r.overwriteReadonlyProp=function(e,r,n){try{e[r]=n}catch(e){}if(e[r]===n)return n;var o=void 0,i=Object.getOwnPropertyDescriptor(e,r)||{enumerable:!0,configurable:!0};if(i.get)throw new Error("Probably a wrong ides to overwrite ".concat(String(r)," getter"));try{Object.defineProperty(e,r,t(t({},i),{value:n}))}catch(e){o=e}if(e[r]!==n)throw o||new Error("Can't assign");return n}},505:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.noUndefined=function(e){var r={};for(var t in e)void 0!==e[t]&&(r[t]=e[t]);return r}},497:(e,r)=>{Object.defineProperty(r,"__esModule",{value:!0}),r.typeGuard=function(e,r){return r}}},r={};function t(n){var o=r[n];if(void 0!==o)return o.exports;var i=r[n]={exports:{}};return e[n].call(i.exports,i,i.exports,t),i.exports}var n={};(()=>{var e=n;Object.defineProperty(e,"__esModule",{value:!0}),e.isAmong=e.noUndefined=e.overwriteReadonlyProp=e.typeGuard=e.is=e.assert=e.id=void 0;var r=t(135);Object.defineProperty(e,"id",{enumerable:!0,get:function(){return r.id}});var o=t(720);Object.defineProperty(e,"assert",{enumerable:!0,get:function(){return o.assert}}),Object.defineProperty(e,"is",{enumerable:!0,get:function(){return o.is}});var i=t(497);Object.defineProperty(e,"typeGuard",{enumerable:!0,get:function(){return i.typeGuard}});var u=t(522);Object.defineProperty(e,"overwriteReadonlyProp",{enumerable:!0,get:function(){return u.overwriteReadonlyProp}});var a=t(505);Object.defineProperty(e,"noUndefined",{enumerable:!0,get:function(){return a.noUndefined}});var c=t(952);Object.defineProperty(e,"isAmong",{enumerable:!0,get:function(){return c.isAmong}})})(),module.exports=n})();
 exports.__oidcSpaBundle = true;

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2020 GitHub user u/garronej
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/README.md

@@ -1,185 +0,0 @@
-![oidc-spa](https://github.com/keycloakify/oidc-spa/assets/6702424/3375294c-cc31-4fc1-9fb5-1fcfa00423ba)
-
-<p align="center">
-    <br>
-    <a href="https://github.com/keycloakify/oidc-spa/actions">
-      <img src="https://github.com/keycloakify/oidc-spa/actions/workflows/ci.yaml/badge.svg?branch=main">
-    </a>
-    <a href="https://www.npmjs.com/package/oidc-spa">
-      <img src="https://img.shields.io/npm/dw/oidc-spa">
-    </a>
-    <a href="https://github.com/garronej/oidc-spa/blob/main/LICENSE">
-      <img src="https://img.shields.io/npm/l/oidc-spa">
-    </a>
-</p>
-<p align="center">
-  We're here to help!<br/>
-  <a href="https://discord.gg/mJdYJSdcm4">
-    <img src="https://dcbadge.limes.pink/api/server/kYFZG7fQmn"/>
-  </a>
-</p>
-<p align="center">
-  <a href="https://www.oidc-spa.dev">Home</a>
-  -
-  <a href="https://docs.oidc-spa.dev">Documentation</a>
-</p>
-
-> 🗣️ oidc-spa will be introduced at [KeyConf 2025](https://keyconf.dev/) on the 28 of August.
-
-A full-featured OpenID Connect / OAuth2 client for single-page applications (SPAs).
-
-With `oidc-spa`, you can seamlessly integrate authentication providers like [Keycloak](https://www.keycloak.org/), [Auth0](https://auth0.com/), or [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) into your application, purely on the client side,
-[without involving your backend in the token exchange](https://docs.oidc-spa.dev/resources/why-no-client-secret).
-
-In **simple terms**, `oidc-spa` is a library that makes it easy to **add authentication** to your Vite or Create-React-App project.  
-There are many authentication and user management platforms out there: Okta, Auth0, Entra ID...  
-There are also plenty of self-hosted options like Keycloak, Ory Hydra, and Dex.  
-What all of these have in common is that they implement the OpenID Connect/OAuth2 standard.
-
-This library provides a **unified way** to connect with these different providers instead of having to use
-their specific SDKs.
-
-`oidc-spa` implement the [**Authorization Code Flow with PKCE**](https://docs.oidc-spa.dev/resources/why-no-client-secret), this means that **you do not need a backend and a database** to handle the authentication process.  
-The authentication process is handled entirely in the browser. And no need for `/login` or `/logout` routes.
-
-## Why `oidc-spa`?
-
-Most OIDC providers push their own client libraries:
-
--   **Auth0** → `auth0-spa-js`
--   **Microsoft Entra ID** → `MSAL.js`
--   **Keycloak** → `keycloak-js` (no longer actively promoted, planned for deprecation)
--   **... and so on.**
-
-These libraries are **tied to a specific provider**. But what if you need to:
-
-✅ Switch OIDC providers without modifying your authentication logic?  
-✅ Build a self-hostable solution that works with any provider (e.g., you're developing a dashboard app that you sell to enterprises and need to integrate with their existing IAM system)?  
-✅ Stop re-learning authentication implementation every time you change providers?
-
-And besides, not all SDKs are equal in terms of setup simplicity, performance, and API quality.
-
-We wanted a **universal solution**, one that is as good or better than all existing SDKs in every aspect.
-
-## Features
-
--   🎓 **No OIDC/OAuth2 expertise required**: Easy to setup and use. We're here to help [on Discord](https://discord.gg/mJdYJSdcm4)!
--   🛠️ **Simple setup**: No need to define `/login` or `/logout` routes, token refreshing is automatic, it just works.
--   ✨ **React integration**: Expose a framework agnostic API but also a React adapter `oidc-spa/react`.
--   🔥 **No limitation**- For example, everything you could do with `keycloak-js`, you can do with `oidc-spa`.
--   💬 **Detailed debug messages**: If your OIDC server is not properly configured, it tells you precisely what’s wrong and what you need to do to fix it.
--   🕣 **Auto logout with countdown**: "You will be logged out in 10... 9... 8...", users see exactly when their session expires.
--   🚪 **Logout propagation**: Logging out in one tab logs out all others.
--   📖 **Comprehensive documentation**: Guides and examples for common scenarios.
--   ✅ **Type safety**: Strong TypeScript support with optional [Zod](https://zod.dev/) integration validating the expected shape of the ID token.
--   🔒 **Security-first**: Uses [**Authorization Code Flow + PKCE**](https://docs.oidc-spa.dev/resources/why-no-client-secret#id-2.-authorization-code-flow--pkce-used-by-oidc-spa), No token persistence in `localStorage` or `sessionStorage`.
--   🖥️ **Optional backend utilities**: Provides tools for token validation in JavaScript backends (Node.js, Deno, Web Workers).
--   🍪 **No third-party cookie issues**: Third-party cookies blocked? No problem, `oidc-spa` works around it automatically with no special measures needed on your side.
--   🔗 **Multi-instance support**: Run multiple `oidc-spa` instances in the same app without conflict.
-
-## Comparison with Existing Libraries
-
-### [oidc-client-ts](https://github.com/authts/oidc-client-ts)
-
-While `oidc-client-ts` is a comprehensive toolkit designed for various applications, `oidc-spa` is specifically built for SPAs with an easy-to-set-up API.  
-But **ease of use** isn't the only difference, `oidc-spa` also provides **out-of-the-box** solutions for features that `oidc-client-ts` leaves up to you to implement, such as:
-
--   **Login/logout propagation** across tabs
--   **Graceful fallback when third-party cookies are blocked**
--   **Seamless browser back/forward cache (bfcache) management**
--   **Auto logout countdown** so users can be automatically logged out after a set period of inactivity.
--   **Ensuring you never get an expired access token error**, even after the computer wakes up from sleep.
--   **Gracefully handles scenarios where the provider does not issue a refresh token or lacks a logout endpoint** (e.g., Google OAuth)
-
-### [react-oidc-context](https://github.com/authts/react-oidc-context)
-
-`react-oidc-context` is a React wrapper around `oidc-client-ts`.  
-`oidc-spa` also feature a carefully crafted React API that comes with [working examples that you can test locally](https://docs.oidc-spa.dev/example-setups/example-setups).
-
-### [keycloak-js](https://www.npmjs.com/package/keycloak-js)
-
-The official OIDC Client for Keycloak. It only works with Keycloak and [will eventually be deprecated](https://www.keycloak.org/2023/03/adapter-deprecation-update).  
-Beyond that, achieving the same seamless user experience as `oidc-spa` with `keycloak-js` requires writing a lot of custom code, code that really **shouldn’t** be handled at the application level.
-
-### [NextAuth.js](https://next-auth.js.org/)
-
-Since oidc-spa is built for true SPAs, Next.js applications should use NextAuth.js instead.
-
-> _NOTE: We might create in the future a `oidc-mpa` library for Multi Page Applications that would aim at supporting Next.js projects._
-
-## 🚀 Quick start
-
-Head over to [the documentation website](https://docs.oidc-spa.dev) 📘!
-
-## Sponsors
-
-Project backers, we trust and recommend their services.
-
-<br/>
-
-<div align="center">
-
-
-
-</div>
-
-<div align="center">
-
-![Logo Light](https://github.com/user-attachments/assets/20736d6f-f22d-4a9d-9dfe-93be209a8191#gh-light-mode-only)
-
-</div>
-
-<br/>
-
-<p align="center">
-    <i><a href="https://phasetwo.io/?utm_source=keycloakify"><strong>Keycloak as a Service</strong></a> - Keycloak community contributors of popular <a href="https://github.com/p2-inc#our-extensions-?utm_source=keycloakify">extensions</a> providing free and dedicated <a href="https://phasetwo.io/hosting/?utm_source=keycloakify">Keycloak hosting</a> and enterprise <a href="https://phasetwo.io/support/?utm_source=keycloakify">Keycloak support</a> to businesses of all sizes.</i>
-</p>
-
-<br/>
-<br/>
-<br/>
-
-<div align="center">
-
-
-
-</div>
-
-<div align="center">
-
-![Logo Light](https://github.com/user-attachments/assets/6c00c201-eed7-485a-a887-70891559d69b#gh-light-mode-only)
-
-</div>
-
-<br/>
-
-<p align="center">
-  <a href="https://www.zone2.tech/services/keycloak-consulting">
-    <i><strong>Keycloak Consulting Services</strong> - Your partner in Keycloak deployment, configuration, and extension development for optimized identity management solutions.</i>
-  </a>
-</p>
-
-## We built it because we needed it.
-
-This library isn't a theoretical exercise or a tool for hobby projects.  
-We developed it to solve real-world problems we faced ourselves.  
-Today, it powers authentication for [Onyxia](https://onyxia.sh),  
-a data science platform deployed across multiple large organizations.
-
-### Onyxia
-
--   [Source code](https://github.com/InseeFrLab/onyxia)
--   [Public instance](https://datalab.sspcloud.fr)
-
-<a href="https://youtu.be/FvpNfVrxBFM">
-  <img width="1712" alt="image" src="https://user-images.githubusercontent.com/6702424/231314534-2eeb1ab5-5460-4caa-b78d-55afd400c9fc.png">
-</a>
-
-### The French Interministerial Base of Free Software
-
--   [Source code](https://github.com/codegouvfr/sill-web/)
--   [Deployment of the website](https://sill-preprod.lab.sspcloud.fr/)
-
-<a href="https://youtu.be/AT3CvmY_Y7M?si=Edkf0vRNjosGLA3R">
-  <img width="1712" alt="image" src="https://github.com/garronej/i18nifty/assets/6702424/aa06cc30-b2bd-4c8b-b435-2f875f53175b">
-</a>

package/core/trustedFetch.d.ts

@@ -1,2 +0,0 @@
-export declare const trustedFetch: ((input: RequestInfo | URL, init?: RequestInit) => Promise<Response>) & typeof fetch;
-export declare function captureFetch(): void;

package/core/trustedFetch.js

@@ -1,12 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.trustedFetch = void 0;
-exports.captureFetch = captureFetch;
-var globalContext = {
-    trustedFetch: window.fetch
-};
-exports.trustedFetch = globalContext.trustedFetch;
-function captureFetch() {
-    /** noop */
-}
-//# sourceMappingURL=trustedFetch.js.map

package/core/trustedFetch.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"trustedFetch.js","sourceRoot":"","sources":["../src/core/trustedFetch.ts"],"names":[],"mappings":";;;AAMA,oCAEC;AARD,IAAM,aAAa,GAAG;IAClB,YAAY,EAAE,MAAM,CAAC,KAAK;CAC7B,CAAC;AAEa,QAAA,YAAY,GAAK,aAAa,cAAC;AAE9C,SAAgB,YAAY;IACxB,WAAW;AACf,CAAC"}

package/src/backend.ts

@@ -1,391 +0,0 @@
-import { fetch } from "./vendor/backend/node-fetch";
-import { assert, isAmong, id, type Equals, is, exclude } from "./vendor/backend/tsafe";
-import { JWK } from "./vendor/backend/node-jose";
-import * as jwt from "./vendor/backend/jsonwebtoken";
-import { z } from "./vendor/backend/zod";
-import { Evt } from "./vendor/backend/evt";
-import { throttleTime } from "./vendor/backend/evt";
-
-export type ParamsOfCreateOidcBackend<DecodedAccessToken extends Record<string, unknown>> = {
-    issuerUri: string;
-    decodedAccessTokenSchema?: { parse: (data: unknown) => DecodedAccessToken };
-};
-
-export type OidcBackend<DecodedAccessToken extends Record<string, unknown>> = {
-    verifyAndDecodeAccessToken(params: {
-        accessToken: string;
-    }): ResultOfAccessTokenVerify<DecodedAccessToken>;
-};
-
-export type ResultOfAccessTokenVerify<DecodedAccessToken> =
-    | ResultOfAccessTokenVerify.Valid<DecodedAccessToken>
-    | ResultOfAccessTokenVerify.Invalid;
-
-export namespace ResultOfAccessTokenVerify {
-    export type Valid<DecodedAccessToken> = {
-        isValid: true;
-        decodedAccessToken: DecodedAccessToken;
-
-        errorCase?: never;
-        errorMessage?: never;
-    };
-
-    export type Invalid = {
-        isValid: false;
-        errorCase: "expired" | "invalid signature" | "does not respect schema";
-        errorMessage: string;
-
-        decodedAccessToken?: never;
-    };
-}
-
-export async function createOidcBackend<DecodedAccessToken extends Record<string, unknown>>(
-    params: ParamsOfCreateOidcBackend<DecodedAccessToken>
-): Promise<OidcBackend<DecodedAccessToken>> {
-    const { issuerUri, decodedAccessTokenSchema = z.record(z.unknown()) } = params;
-
-    let publicSigningKeys = await fetchPublicSigningKeys({ issuerUri });
-
-    const evtInvalidSignature = Evt.create<void>();
-
-    evtInvalidSignature.pipe(throttleTime(3600_000)).attach(async () => {
-        const publicSigningKeys_new = await (async function callee(
-            count: number
-        ): Promise<PublicSigningKey[] | undefined> {
-            let wrap;
-
-            try {
-                wrap = await fetchPublicSigningKeys({ issuerUri });
-            } catch (error) {
-                if (count === 9) {
-                    console.warn(
-                        `Failed to refresh public key and signing algorithm after ${count + 1} attempts`
-                    );
-
-                    return undefined;
-                }
-
-                const delayMs = 1000 * Math.pow(2, count);
-
-                console.warn(
-                    `Failed to refresh public key and signing algorithm: ${String(
-                        error
-                    )}, retrying in ${delayMs}ms`
-                );
-
-                await new Promise(resolve => setTimeout(resolve, delayMs));
-
-                return callee(count + 1);
-            }
-
-            return wrap;
-        })(0);
-
-        if (publicSigningKeys_new === undefined) {
-            return;
-        }
-
-        publicSigningKeys = publicSigningKeys_new;
-    });
-
-    return {
-        verifyAndDecodeAccessToken: ({ accessToken }) => {
-            let kid: string;
-            let alg: jwt.Algorithm;
-
-            {
-                const jwtHeader_b64 = accessToken.split(".")[0];
-
-                let jwtHeader: string;
-
-                try {
-                    jwtHeader = Buffer.from(jwtHeader_b64, "base64").toString("utf8");
-                } catch {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "Failed to decode the JWT header as a base64 string"
-                    };
-                }
-
-                let decodedHeader: unknown;
-
-                try {
-                    decodedHeader = JSON.parse(jwtHeader);
-                } catch {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "Failed to parse the JWT header as a JSON"
-                    };
-                }
-
-                type DecodedHeader = {
-                    kid: string;
-                    alg: string;
-                };
-
-                const zDecodedHeader = z.object({
-                    kid: z.string(),
-                    alg: z.string()
-                });
-
-                assert<Equals<DecodedHeader, z.infer<typeof zDecodedHeader>>>();
-
-                try {
-                    zDecodedHeader.parse(decodedHeader);
-                } catch {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "The decoded JWT header does not have a kid property"
-                    };
-                }
-
-                assert(is<DecodedHeader>(decodedHeader));
-
-                {
-                    const supportedAlgs = [
-                        "RS256",
-                        "RS384",
-                        "RS512",
-                        "ES256",
-                        "ES384",
-                        "ES512",
-                        "PS256",
-                        "PS384",
-                        "PS512"
-                    ] as const;
-
-                    assert<
-                        Equals<
-                            (typeof supportedAlgs)[number] | "none" | "HS256" | "HS384" | "HS512",
-                            jwt.Algorithm
-                        >
-                    >();
-
-                    if (!isAmong(supportedAlgs, decodedHeader.alg)) {
-                        return {
-                            isValid: false,
-                            errorCase: "invalid signature",
-                            errorMessage: `Unsupported or too week algorithm ${decodedHeader.alg}`
-                        };
-                    }
-                }
-
-                kid = decodedHeader.kid;
-                alg = decodedHeader.alg;
-            }
-
-            const publicSigningKey = publicSigningKeys.find(
-                publicSigningKey => publicSigningKey.kid === kid
-            );
-
-            if (publicSigningKey === undefined) {
-                return {
-                    isValid: false,
-                    errorCase: "invalid signature",
-                    errorMessage: `No public signing key found with kid ${kid}`
-                };
-            }
-
-            let result = id<ResultOfAccessTokenVerify<DecodedAccessToken> | undefined>(undefined);
-
-            jwt.verify(
-                accessToken,
-                publicSigningKey.publicKey,
-                { algorithms: [alg] },
-                (err, decoded) => {
-                    invalid: {
-                        if (!err) {
-                            break invalid;
-                        }
-
-                        if (err.name === "TokenExpiredError") {
-                            result = id<ResultOfAccessTokenVerify.Invalid>({
-                                isValid: false,
-                                errorCase: "expired",
-                                errorMessage: err.message
-                            });
-                            return;
-                        }
-
-                        evtInvalidSignature.post();
-
-                        result = id<ResultOfAccessTokenVerify.Invalid>({
-                            isValid: false,
-                            errorCase: "invalid signature",
-                            errorMessage: err.message
-                        });
-
-                        return;
-                    }
-
-                    let decodedAccessToken: DecodedAccessToken;
-
-                    try {
-                        decodedAccessToken = decodedAccessTokenSchema.parse(
-                            decoded
-                        ) as DecodedAccessToken;
-                    } catch (error) {
-                        result = id<ResultOfAccessTokenVerify.Invalid>({
-                            isValid: false,
-                            errorCase: "does not respect schema",
-                            errorMessage: String(error)
-                        });
-
-                        return;
-                    }
-
-                    result = id<ResultOfAccessTokenVerify.Valid<DecodedAccessToken>>({
-                        isValid: true,
-                        decodedAccessToken: decodedAccessToken
-                    });
-                }
-            );
-
-            assert(result !== undefined, "0522e6");
-
-            return result;
-        }
-    };
-}
-
-type PublicSigningKey = {
-    kid: string;
-    publicKey: string;
-};
-
-async function fetchPublicSigningKeys(params: { issuerUri: string }): Promise<PublicSigningKey[]> {
-    const { issuerUri } = params;
-
-    const { jwks_uri } = await (async () => {
-        const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
-
-        const response = await fetch(url);
-
-        if (!response.ok) {
-            throw new Error(
-                `Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`
-            );
-        }
-
-        let data: unknown;
-
-        try {
-            data = await response.json();
-        } catch (error) {
-            throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
-        }
-
-        {
-            type WellKnownConfiguration = {
-                jwks_uri: string;
-            };
-
-            const zWellKnownConfiguration = z.object({
-                jwks_uri: z.string()
-            });
-
-            assert<Equals<WellKnownConfiguration, z.infer<typeof zWellKnownConfiguration>>>();
-
-            try {
-                zWellKnownConfiguration.parse(data);
-            } catch {
-                throw new Error(`${url} does not have a jwks_uri property`);
-            }
-
-            assert(is<WellKnownConfiguration>(data));
-        }
-
-        const { jwks_uri } = data;
-
-        return { jwks_uri };
-    })();
-
-    const { jwks } = await (async () => {
-        const response = await fetch(jwks_uri);
-
-        if (!response.ok) {
-            throw new Error(
-                `Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`
-            );
-        }
-
-        let jwks: unknown;
-
-        try {
-            jwks = await response.json();
-        } catch (error) {
-            throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
-        }
-
-        {
-            type Jwks = {
-                keys: {
-                    kid: string;
-                    kty: string;
-                    e?: string;
-                    n?: string;
-                    use: string;
-                }[];
-            };
-
-            const zJwks = z.object({
-                keys: z.array(
-                    z.object({
-                        kid: z.string(),
-                        kty: z.string(),
-                        e: z.string().optional(),
-                        n: z.string().optional(),
-                        use: z.string()
-                    })
-                )
-            });
-
-            assert<Equals<Jwks, z.infer<typeof zJwks>>>();
-
-            try {
-                zJwks.parse(jwks);
-            } catch {
-                throw new Error(`${jwks_uri} does not have the expected shape`);
-            }
-
-            assert(is<Jwks>(jwks));
-        }
-
-        return { jwks };
-    })();
-
-    const publicSigningKeys: PublicSigningKey[] = await Promise.all(
-        jwks.keys
-            .filter(({ use }) => use === "sig")
-            .map(({ kid, kty, e, n }) => {
-                if (kty !== "RSA") {
-                    return undefined;
-                }
-
-                assert(e !== undefined, "e is undefined");
-                assert(n !== undefined, "n is undefined");
-
-                return { kid, e, n };
-            })
-            .filter(exclude(undefined))
-            .map(async ({ kid, e, n }) => {
-                const key = await JWK.asKey({ kty: "RSA", e, n });
-                const publicKey = key.toPEM(false);
-
-                return {
-                    kid,
-                    publicKey
-                };
-            })
-    );
-
-    assert(
-        publicSigningKeys.length !== 0,
-        `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`
-    );
-
-    return publicSigningKeys;
-}