oidc-spa 7.1.9 → 7.2.0-rc.1

package/src/core/OidcInitializationError.ts

@@ -1,5 +1,5 @@
 import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
-import { parseKeycloakIssuerUri } from "../tools/parseKeycloakIssuerUri";
+import { isKeycloak } from "../keycloak/isKeycloak";
 
 export class OidcInitializationError extends Error {
     public readonly isAuthServerLikelyDown: boolean;
@@ -26,8 +26,6 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
 }): Promise<OidcInitializationError> {
     const { issuerUri } = params;
 
-    const issuerUri_parsed = parseKeycloakIssuerUri(issuerUri);
-
     const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
 
     const commonFallbackMessagePart = [
@@ -36,7 +34,7 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
         `Endpoint that couldn't be reached: ${issuerUri}${WELL_KNOWN_PATH}`
     ].join("\n");
 
-    if (issuerUri_parsed === undefined) {
+    if (!isKeycloak({ issuerUri })) {
         return new OidcInitializationError({
             messageOrCause: [
                 commonFallbackMessagePart,
@@ -49,15 +47,17 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
         });
     }
 
+    const keycloakUtils = (await import("../keycloak")).createKeycloakUtils({ issuerUri });
+
     const getCandidateIssuerUri = (params: { kcHttpRelativePath: string | undefined }) => {
         const { kcHttpRelativePath } = params;
 
-        return `${issuerUri_parsed.origin}${
-            kcHttpRelativePath === undefined ? "" : kcHttpRelativePath
-        }/realms/${issuerUri_parsed.realm}`;
+        return `${keycloakUtils.issuerUriParsed.origin}${
+            kcHttpRelativePath ?? ""
+        }/realms/${encodeURIComponent(keycloakUtils.issuerUriParsed.realm)}`;
     };
 
-    if (issuerUri_parsed.kcHttpRelativePath === undefined) {
+    if (keycloakUtils.issuerUriParsed.kcHttpRelativePath === undefined) {
         const issuerUri_candidate = getCandidateIssuerUri({ kcHttpRelativePath: "/auth" });
 
         const isValid = await getIsValidRemoteJson(`${issuerUri_candidate}${WELL_KNOWN_PATH}`);
@@ -84,7 +84,7 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
                     `Your Keycloak server is configured with KC_HTTP_RELATIVE_PATH=/`,
                     `The issuerUri you provided: ${issuerUri}`,
                     `The correct issuerUri is: ${issuerUri_candidate}`,
-                    `(You should remove the ${issuerUri_parsed.kcHttpRelativePath} portion.)`
+                    `(You should remove the ${keycloakUtils.issuerUriParsed.kcHttpRelativePath} portion.)`
                 ].join("\n"),
                 isAuthServerLikelyDown: false
             });
@@ -96,7 +96,7 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
             commonFallbackMessagePart,
             ``,
             `Given the shape of the issuerUri you provided, it seems that you are using Keycloak.`,
-            `- Make sure the realm '${issuerUri_parsed.realm}' exists.`,
+            `- Make sure the realm '${keycloakUtils.issuerUriParsed.realm}' exists.`,
             `- Check the KC_HTTP_RELATIVE_PATH that you might have configured your keycloak server with.`,
             `  For example if you have KC_HTTP_RELATIVE_PATH=/xxx the issuerUri should be ${getCandidateIssuerUri(
                 { kcHttpRelativePath: "/xxx" }
@@ -107,22 +107,22 @@ export async function createWellKnownOidcConfigurationEndpointUnreachableInitial
 }
 
 export async function createIframeTimeoutInitializationError(params: {
-    callbackUri: string;
+    redirectUri: string;
     issuerUri: string;
     clientId: string;
     noIframe: boolean;
 }): Promise<OidcInitializationError> {
-    const { callbackUri, issuerUri, clientId, noIframe } = params;
+    const { redirectUri, issuerUri, clientId, noIframe } = params;
 
     iframe_blocked: {
         if (noIframe) {
             break iframe_blocked;
         }
 
-        const headersOrError = await fetch(callbackUri).then(
+        const headersOrError = await fetch(redirectUri).then(
             response => {
                 if (!response.ok) {
-                    return new Error(`${callbackUri} responded with a ${response.status} status code.`);
+                    return new Error(`${redirectUri} responded with a ${response.status} status code.`);
                 }
 
                 return {
@@ -197,7 +197,7 @@ export async function createIframeTimeoutInitializationError(params: {
         return new OidcInitializationError({
             isAuthServerLikelyDown: false,
             messageOrCause: [
-                `${callbackUri} is currently served by your web server with the HTTP header \`${key_problem}: ${headers[key_problem]}\`.\n`,
+                `${redirectUri} is currently served by your web server with the HTTP header \`${key_problem}: ${headers[key_problem]}\`.\n`,
                 "This header prevents the silent sign-in process from working.\n",
                 "Refer to this documentation page to fix this issue: https://docs.oidc-spa.dev/v/v7/resources/iframe-related-issues"
             ].join(" ")
@@ -217,28 +217,28 @@ export async function createIframeTimeoutInitializationError(params: {
             `- Either the client ID "${clientId}" does not exist, or\n`,
             `- You forgot to add the OIDC callback URL to the list of Valid Redirect URIs.\n`,
             `Client ID: "${clientId}"\n`,
-            `Callback URL to add to the list of Valid Redirect URIs: "${callbackUri}"\n\n`,
-            ...(() => {
-                const kc = parseKeycloakIssuerUri(issuerUri);
-
-                if (!kc) {
+            `Callback URL to add to the list of Valid Redirect URIs: "${redirectUri}"\n\n`,
+            ...(await (async () => {
+                if (!isKeycloak({ issuerUri })) {
                     return [
                         "Check the documentation of your OIDC server to learn how to configure the public client (Authorization Code Flow + PKCE) properly."
                     ];
                 }
 
+                const kc = (await import("../keycloak")).createKeycloakUtils({ issuerUri });
+
                 return [
                     `It seems you are using Keycloak. Follow these steps to resolve the issue:\n\n`,
                     `1. Go to the Keycloak admin console: ${kc.adminConsoleUrl_master}\n`,
                     `2. Log in as an admin user.\n`,
-                    `3. In the top left corner select the realm "${kc.realm}".\n`,
+                    `3. In the top left corner select the realm "${kc.issuerUriParsed.realm}".\n`,
                     `4. In the left menu, click on "Clients".\n`,
                     `5. Locate the client "${clientId}" in the list and click on it.\n`,
-                    `6. Find "Valid Redirect URIs" and add "${callbackUri}" to the list.\n`,
+                    `6. Find "Valid Redirect URIs" and add "${redirectUri}" to the list.\n`,
                     `7. Save the changes.\n\n`,
                     `For more information, refer to the documentation: https://docs.oidc-spa.dev/v/v7/providers-configuration/keycloak`
                 ];
-            })(),
+            })()),
             "\n\n",
             "If nothing works, you can try disabling the use of iframe: https://docs.oidc-spa.dev/resources/iframe-related-issues\n",
             "with some OIDC provider it might solve the issue."
@@ -246,7 +246,7 @@ export async function createIframeTimeoutInitializationError(params: {
     });
 }
 
-export function createFailedToFetchTokenEndpointInitializationError(params: {
+export async function createFailedToFetchTokenEndpointInitializationError(params: {
     issuerUri: string;
     clientId: string;
 }) {
@@ -260,27 +260,27 @@ export function createFailedToFetchTokenEndpointInitializationError(params: {
             `Make sure you have added '${window.location.origin}' to the list of Web Origins`,
             `in the '${clientId}' client configuration of your OIDC server.\n`,
             "\n",
-            ...(() => {
-                const kc = parseKeycloakIssuerUri(issuerUri);
-
-                if (kc === undefined) {
+            ...(await (async () => {
+                if (!isKeycloak({ issuerUri })) {
                     return [
                         "Check the documentation of your OIDC server to learn how to configure the public client (Authorization Code Flow + PKCE) properly."
                     ];
                 }
 
+                const kc = (await import("../keycloak")).createKeycloakUtils({ issuerUri });
+
                 return [
                     `Since it seems that you are using Keycloak, here are the steps to follow:\n`,
                     `1. Go to the Keycloak admin console: ${kc.adminConsoleUrl_master}\n`,
                     `2. Log in as an admin user.\n`,
-                    `3. In the top left corner select the realm "${kc.realm}".\n`,
+                    `3. In the top left corner select the realm "${kc.issuerUriParsed.realm}".\n`,
                     `4. In the left menu, click on "Clients".\n`,
                     `5. Find '${clientId}' in the list of clients and click on it.\n`,
                     `6. Find 'Web Origins' and add '${window.location.origin}' to the list.\n`,
                     `7. Save the changes.\n\n`,
                     `More info: https://docs.oidc-spa.dev/v/v7/providers-configuration/keycloak`
                 ];
-            })()
+            })())
         ].join(" ")
     });
 }

package/src/core/OidcMetadata.ts

@@ -1,4 +1,4 @@
-import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
+import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
 import { assert, type Equals } from "../vendor/frontend/tsafe";
 
 /**

package/src/core/StateData.ts

@@ -36,34 +36,34 @@ export namespace StateData {
 const STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX = "b2lkYy1zcGEu";
 const RANDOM_STRING_LENGTH = 32 - STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length;
 
-export function generateStateQueryParamValue(): string {
+export function generateStateUrlParamValue(): string {
     return `${STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX}${generateUrlSafeRandom({
         length: RANDOM_STRING_LENGTH
     })}`;
 }
 
-export function getIsStatQueryParamValue(params: { maybeStateQueryParamValue: string }): boolean {
-    const { maybeStateQueryParamValue } = params;
+export function getIsStatQueryParamValue(params: { maybeStateUrlParamValue: string }): boolean {
+    const { maybeStateUrlParamValue } = params;
 
     return (
-        maybeStateQueryParamValue.startsWith(STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX) &&
-        maybeStateQueryParamValue.length ===
+        maybeStateUrlParamValue.startsWith(STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX) &&
+        maybeStateUrlParamValue.length ===
             STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length + RANDOM_STRING_LENGTH
     );
 }
 
 export const STATE_STORE_KEY_PREFIX = "oidc.";
 
-function getKey(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
+function getKey(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
 
-    return `${STATE_STORE_KEY_PREFIX}${stateQueryParamValue}`;
+    return `${STATE_STORE_KEY_PREFIX}${stateUrlParamValue}`;
 }
 
-function getStateStore(params: { stateQueryParamValue: string }): { data: StateData } | undefined {
-    const { stateQueryParamValue } = params;
+function getStateStore(params: { stateUrlParamValue: string }): { data: StateData } | undefined {
+    const { stateUrlParamValue } = params;
 
-    const item = localStorage.getItem(getKey({ stateQueryParamValue }));
+    const item = localStorage.getItem(getKey({ stateUrlParamValue }));
 
     if (item === null) {
         return undefined;
@@ -81,21 +81,21 @@ function getStateStore(params: { stateQueryParamValue: string }): { data: StateD
     return obj;
 }
 
-function setStateStore(params: { stateQueryParamValue: string; obj: { data: StateData } }) {
-    const { stateQueryParamValue, obj } = params;
+function setStateStore(params: { stateUrlParamValue: string; obj: { data: StateData } }) {
+    const { stateUrlParamValue, obj } = params;
 
-    localStorage.setItem(getKey({ stateQueryParamValue }), JSON.stringify(obj));
+    localStorage.setItem(getKey({ stateUrlParamValue }), JSON.stringify(obj));
 }
 
-export function clearStateStore(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
-    localStorage.removeItem(getKey({ stateQueryParamValue }));
+export function clearStateStore(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
+    localStorage.removeItem(getKey({ stateUrlParamValue }));
 }
 
-export function getStateData(params: { stateQueryParamValue: string }): StateData | undefined {
-    const { stateQueryParamValue } = params;
+export function getStateData(params: { stateUrlParamValue: string }): StateData | undefined {
+    const { stateUrlParamValue } = params;
 
-    const stateStore = getStateStore({ stateQueryParamValue });
+    const stateStore = getStateStore({ stateUrlParamValue });
 
     if (stateStore === undefined) {
         return undefined;
@@ -104,15 +104,15 @@ export function getStateData(params: { stateQueryParamValue: string }): StateDat
     return stateStore.data;
 }
 
-export function markStateDataAsProcessedByCallback(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
+export function markStateDataAsProcessedByCallback(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
 
-    const obj = getStateStore({ stateQueryParamValue });
+    const obj = getStateStore({ stateUrlParamValue });
 
     assert(obj !== undefined, "180465");
     assert(obj.data.context === "redirect", "649531");
 
     obj.data.hasBeenProcessedByCallback = true;
 
-    setStateStore({ stateQueryParamValue, obj });
+    setStateStore({ stateUrlParamValue, obj });
 }

package/src/core/createOidc.ts

@@ -3,7 +3,7 @@ import {
     WebStorageStateStore,
     type User as OidcClientTsUser,
     InMemoryWebStorage
-} from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
+} from "../vendor/frontend/oidc-client-ts";
 import type { OidcMetadata } from "./OidcMetadata";
 import { id, assert, is, type Equals } from "../vendor/frontend/tsafe";
 import { setTimeout, clearTimeout } from "../tools/workerTimers";
@@ -18,7 +18,7 @@ import {
     createIframeTimeoutInitializationError,
     createWellKnownOidcConfigurationEndpointUnreachableInitializationError
 } from "./OidcInitializationError";
-import { type StateData, generateStateQueryParamValue, STATE_STORE_KEY_PREFIX } from "./StateData";
+import { type StateData, generateStateUrlParamValue, STATE_STORE_KEY_PREFIX } from "./StateData";
 import { notifyOtherTabsOfLogout, getPrOtherTabLogout } from "./logoutPropagationToOtherTabs";
 import { notifyOtherTabsOfLogin, getPrOtherTabLogin } from "./loginPropagationToOtherTabs";
 import { getConfigId } from "./configId";
@@ -41,10 +41,8 @@ import {
 } from "./ongoingLoginOrRefreshProcesses";
 import { initialLocationHref } from "./initialLocationHref";
 import { createGetIsNewBrowserSession } from "./isNewBrowserSession";
-import { trustedFetch } from "./trustedFetch";
 import { getIsOnline } from "../tools/getIsOnline";
-
-handleOidcCallback();
+import { isKeycloak } from "../keycloak/isKeycloak";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -94,6 +92,10 @@ export type ParamsOfCreateOidc<
      */
     extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
     /**
+     * Usage discouraged, it's here because we don't want to assume too much on your
+     * usecase but I can't think of a scenario where you would want anything
+     * other than the current page.
+     *
      * Where to redirect after successful login.
      * Default: window.location.href (here)
      *
@@ -126,6 +128,10 @@ export type ParamsOfCreateOidc<
     idleSessionLifetimeInSeconds?: number;
 
     /**
+     * Usage discouraged, this parameter exists because we don't want to assume
+     * too much about your usecase but I can't think of a scenario where you would
+     * want anything other than the current page.
+     *
      * Default: { redirectTo: "current page" }
      */
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
@@ -319,18 +325,12 @@ export async function createOidc_nonMemoized<
         return extraTokenParamsOrGetter;
     })();
 
-    const homeUrl = toFullyQualifiedUrl({
+    const homeUrlAndRedirectUri = toFullyQualifiedUrl({
         urlish: homeUrl_params,
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });
 
-    const callbackUri = toFullyQualifiedUrl({
-        urlish: homeUrl,
-        doAssertNoQueryParams: true,
-        doOutputWithTrailingSlash: true
-    });
-
     log?.(
         `Calling createOidc v${VERSION} ${JSON.stringify(
             {
@@ -338,8 +338,7 @@ export async function createOidc_nonMemoized<
                 clientId,
                 scopes,
                 configId,
-                homeUrl,
-                callbackUri
+                homeUrlAndRedirectUri
             },
             null,
             2
@@ -354,19 +353,13 @@ export async function createOidc_nonMemoized<
         }
     }
 
-    const stateQueryParamValue_instance = generateStateQueryParamValue();
+    const stateUrlParamValue_instance = generateStateUrlParamValue();
 
     const canUseIframe = (() => {
         if (noIframe) {
             return false;
         }
 
-        // NOTE: Electron
-        if (!/https?:\/\//.test(callbackUri)) {
-            log?.("We won't use iframe, callbackUri uses a custom protocol.");
-            return false;
-        }
-
         third_party_cookies: {
             const isOidcServerThirdPartyRelativeToApp =
                 getHaveSharedParentDomain({
@@ -408,12 +401,13 @@ export async function createOidc_nonMemoized<
     let isUserStoreInMemoryOnly: boolean;
 
     const oidcClientTsUserManager = new OidcClientTsUserManager({
-        stateQueryParamValue: stateQueryParamValue_instance,
+        stateUrlParamValue: stateUrlParamValue_instance,
         authority: issuerUri,
         client_id: clientId,
-        redirect_uri: callbackUri,
-        silent_redirect_uri: callbackUri,
-        post_logout_redirect_uri: callbackUri,
+        redirect_uri: homeUrlAndRedirectUri,
+        silent_redirect_uri: homeUrlAndRedirectUri,
+        post_logout_redirect_uri: homeUrlAndRedirectUri,
+        response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
         response_type: "code",
         scope: Array.from(new Set(["openid", ...scopes])).join(" "),
         automaticSilentRenew: false,
@@ -445,7 +439,6 @@ export async function createOidc_nonMemoized<
         }),
         stateStore: new WebStorageStateStore({ store: localStorage, prefix: STATE_STORE_KEY_PREFIX }),
         client_secret: __unsafe_clientSecret,
-        fetch: trustedFetch,
         metadata: __metadata
     });
 
@@ -457,7 +450,7 @@ export async function createOidc_nonMemoized<
         transformUrlBeforeRedirect,
         getExtraQueryParams,
         getExtraTokenParams,
-        homeUrl,
+        homeUrl: homeUrlAndRedirectUri,
         evtIsUserLoggedIn,
         log
     });
@@ -676,7 +669,7 @@ export async function createOidc_nonMemoized<
 
                 const result_loginSilent = await loginSilent({
                     oidcClientTsUserManager,
-                    stateQueryParamValue_instance,
+                    stateUrlParamValue_instance,
                     configId,
                     transformUrlBeforeRedirect,
                     getExtraQueryParams,
@@ -696,7 +689,7 @@ export async function createOidc_nonMemoized<
                             );
                         case "timeout":
                             return createIframeTimeoutInitializationError({
-                                callbackUri,
+                                redirectUri: homeUrlAndRedirectUri,
                                 clientId,
                                 issuerUri,
                                 noIframe
@@ -1022,7 +1015,7 @@ export async function createOidc_nonMemoized<
                     case "current page":
                         return window.location.href;
                     case "home":
-                        return homeUrl;
+                        return homeUrlAndRedirectUri;
                     case "specific url":
                         return toFullyQualifiedUrl({
                             urlish: params.url,
@@ -1128,7 +1121,7 @@ export async function createOidc_nonMemoized<
 
                 const result_loginSilent = await loginSilent({
                     oidcClientTsUserManager,
-                    stateQueryParamValue_instance,
+                    stateUrlParamValue_instance,
                     configId,
                     transformUrlBeforeRedirect,
                     getExtraQueryParams,

package/src/core/handleOidcCallback.ts

@@ -7,11 +7,8 @@ import {
 import { assert, id } from "../vendor/frontend/tsafe";
 import type { AuthResponse } from "./AuthResponse";
 import { initialLocationHref } from "./initialLocationHref";
-import { captureFetch } from "./trustedFetch";
 import { encryptAuthResponse } from "./iframeMessageProtection";
 
-captureFetch();
-
 const globalContext = {
     previousCall: id<{ isHandled: boolean } | undefined>(undefined)
 };
@@ -27,30 +24,50 @@ export function handleOidcCallback(): { isHandled: boolean } {
 function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
     const location_urlObj = new URL(initialLocationHref);
 
-    const stateQueryParamValue = (() => {
-        const stateQueryParamValue = location_urlObj.searchParams.get("state");
+    const stateUrlParamValue_wrap = (() => {
+        fragment: {
+            const stateUrlParamValue = new URLSearchParams(location_urlObj.hash.replace(/^#/, "")).get(
+                "state"
+            );
 
-        if (stateQueryParamValue === null) {
-            return undefined;
-        }
+            if (stateUrlParamValue === null) {
+                break fragment;
+            }
 
-        if (!getIsStatQueryParamValue({ maybeStateQueryParamValue: stateQueryParamValue })) {
-            return undefined;
+            if (!getIsStatQueryParamValue({ maybeStateUrlParamValue: stateUrlParamValue })) {
+                break fragment;
+            }
+
+            return { stateUrlParamValue, isFragment: true };
         }
 
-        if (
-            location_urlObj.searchParams.get("client_id") !== null &&
-            location_urlObj.searchParams.get("response_type") !== null &&
-            location_urlObj.searchParams.get("redirect_uri") !== null
-        ) {
-            // NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake.
-            return undefined;
+        query: {
+            const stateUrlParamValue = location_urlObj.searchParams.get("state");
+
+            if (stateUrlParamValue === null) {
+                break query;
+            }
+
+            if (!getIsStatQueryParamValue({ maybeStateUrlParamValue: stateUrlParamValue })) {
+                break query;
+            }
+
+            if (
+                location_urlObj.searchParams.get("client_id") !== null &&
+                location_urlObj.searchParams.get("response_type") !== null &&
+                location_urlObj.searchParams.get("redirect_uri") !== null
+            ) {
+                // NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake.
+                break query;
+            }
+
+            return { stateUrlParamValue, isFragment: false };
         }
 
-        return stateQueryParamValue;
+        return undefined;
     })();
 
-    if (stateQueryParamValue === undefined) {
+    if (stateUrlParamValue_wrap === undefined) {
         const backForwardTracker = readBackForwardTracker();
 
         if (backForwardTracker !== undefined) {
@@ -67,12 +84,14 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
 
     const isHandled = true;
 
+    const { stateUrlParamValue, isFragment } = stateUrlParamValue_wrap;
+
     console.log = () => {};
     console.warn = () => {};
     console.error = () => {};
     console.debug = () => {};
 
-    const stateData = getStateData({ stateQueryParamValue });
+    const stateData = getStateData({ stateUrlParamValue });
 
     if (
         stateData === undefined ||
@@ -125,7 +144,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
 
     const authResponse: AuthResponse = { state: "" };
 
-    for (const [key, value] of location_urlObj.searchParams) {
+    for (const [key, value] of isFragment
+        ? new URLSearchParams(location_urlObj.hash.replace(/^#/, ""))
+        : location_urlObj.searchParams) {
         authResponse[key] = value;
     }
 
@@ -138,7 +159,7 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             }).then(({ encryptedMessage }) => parent.postMessage(encryptedMessage, location.origin));
             break;
         case "redirect":
-            markStateDataAsProcessedByCallback({ stateQueryParamValue });
+            markStateDataAsProcessedByCallback({ stateUrlParamValue });
             clearBackForwardTracker();
             writeRedirectAuthResponses({
                 authResponses: [...readRedirectAuthResponses(), authResponse]
@@ -232,7 +253,7 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
         | undefined = undefined;
 
     for (const authResponse of [...authResponses]) {
-        const stateData = getStateData({ stateQueryParamValue: authResponse.state });
+        const stateData = getStateData({ stateUrlParamValue: authResponse.state });
 
         if (stateData === undefined) {
             // NOTE: We do not understand how this can happen but it can.

package/src/core/iframeMessageProtection.ts

@@ -1,14 +1,15 @@
-import { assert } from "tsafe/assert";
+import { assert } from "../vendor/frontend/tsafe";
 import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
 import { type AuthResponse } from "./AuthResponse";
 
+const sessionStorage_original = window.sessionStorage;
 const setItem_real = Storage.prototype.setItem;
 
 const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
 
 export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
     const setItem_protected = function setItem(this: any, key: string, value: string): void {
-        if (this !== sessionStorage) {
+        if (this !== sessionStorage_original) {
             return setItem_real.call(this, key, value);
         }
 
@@ -18,7 +19,7 @@ export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
             );
         }
 
-        return setItem_real.call(sessionStorage, key, value);
+        return setItem_real.call(sessionStorage_original, key, value);
     };
 
     {
@@ -36,18 +37,18 @@ export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
 
 const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
 
-function getSessionStorageKey(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
+function getSessionStorageKey(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
 
-    return `${SESSION_STORAGE_PREFIX}${stateQueryParamValue}`;
+    return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
 }
 
-export async function initIframeMessageProtection(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
+export async function initIframeMessageProtection(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
 
     const { publicKey, privateKey } = await generateKeys();
 
-    const sessionStorageKey = getSessionStorageKey({ stateQueryParamValue });
+    const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
 
     setItem_real.call(sessionStorage, sessionStorageKey, publicKey);
 
@@ -83,7 +84,7 @@ export async function encryptAuthResponse(params: { authResponse: AuthResponse }
     const { authResponse } = params;
 
     const publicKey = sessionStorage.getItem(
-        getSessionStorageKey({ stateQueryParamValue: authResponse.state })
+        getSessionStorageKey({ stateUrlParamValue: authResponse.state })
     );
 
     assert(publicKey !== null, "2293302");

package/src/core/index.ts

@@ -1,4 +1,4 @@
 export type { Oidc } from "./Oidc";
 export { createOidc, type ParamsOfCreateOidc } from "./createOidc";
 export { OidcInitializationError } from "./OidcInitializationError";
-export { trustedFetch } from "./trustedFetch";
+export { handleOidcCallback } from "./handleOidcCallback";

package/src/core/loginOrGoToAuthServer.ts

@@ -1,4 +1,4 @@
-import type { UserManager as OidcClientTsUserManager } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
+import type { UserManager as OidcClientTsUserManager } from "../vendor/frontend/oidc-client-ts";
 import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
 import { assert, type Equals, noUndefined } from "../vendor/frontend/tsafe";
 import type { StateData } from "./StateData";