oidc-spa 7.2.0 → 7.2.2

package/src/core/Oidc.ts

@@ -0,0 +1,140 @@
+import type { OidcInitializationError } from "./OidcInitializationError";
+
+export declare type Oidc<
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base
+> = Oidc.LoggedIn<DecodedIdToken> | Oidc.NotLoggedIn;
+
+export declare namespace Oidc {
+    export type Common = {
+        params: {
+            issuerUri: string;
+            clientId: string;
+        };
+    };
+
+    export type NotLoggedIn = Common & {
+        isUserLoggedIn: false;
+        login: (params: {
+            doesCurrentHrefRequiresAuth: boolean;
+            /**
+             * Add extra query parameters to the url before redirecting to the login pages.
+             */
+            extraQueryParams?: Record<string, string | undefined>;
+            /**
+             * Where to redirect after successful login.
+             * Default: window.location.href (here)
+             *
+             * It does not need to include the origin, eg: "/dashboard"
+             */
+            redirectUrl?: string;
+
+            /**
+             * Transform the url before redirecting to the login pages.
+             * Prefer using the extraQueryParams parameter if you're only adding query parameters.
+             */
+            transformUrlBeforeRedirect?: (url: string) => string;
+        }) => Promise<never>;
+        initializationError: OidcInitializationError | undefined;
+    };
+
+    export type LoggedIn<DecodedIdToken extends Record<string, unknown> = Record<string, unknown>> =
+        Common & {
+            isUserLoggedIn: true;
+            renewTokens(params?: {
+                extraTokenParams?: Record<string, string | undefined>;
+            }): Promise<void>;
+            getTokens: () => Promise<Tokens<DecodedIdToken>>;
+            subscribeToTokensChange: (onTokenChange: (tokens: Tokens<DecodedIdToken>) => void) => {
+                unsubscribe: () => void;
+            };
+            getDecodedIdToken: () => DecodedIdToken;
+            logout: (
+                params:
+                    | { redirectTo: "home" | "current page" }
+                    | { redirectTo: "specific url"; url: string }
+            ) => Promise<never>;
+            goToAuthServer: (params: {
+                extraQueryParams?: Record<string, string | undefined>;
+                redirectUrl?: string;
+                transformUrlBeforeRedirect?: (url: string) => string;
+            }) => Promise<never>;
+            subscribeToAutoLogoutCountdown: (
+                tickCallback: (params: { secondsLeft: number | undefined }) => void
+            ) => { unsubscribeFromAutoLogoutCountdown: () => void };
+            /**
+             * If you called `goToAuthServer` or `login` with extraQueryParams, this object let you know the outcome of the
+             * of the action that was intended.
+             *
+             * For example, on a Keycloak server, if you called `goToAuthServer({ extraQueryParams: { kc_action: "UPDATE_PASSWORD" } })`
+             * you'll get back: `{ extraQueryParams: { kc_action: "UPDATE_PASSWORD" }, result: { kc_action_status: "success" } }` (or "cancelled")
+             */
+            backFromAuthServer:
+                | {
+                      extraQueryParams: Record<string, string>;
+                      result: Record<string, string>;
+                  }
+                | undefined;
+            /**
+             * This is true when the user has just returned from the login pages.
+             * This is also true when the user navigate to your app and was able to be silently signed in because there was still a valid session.
+             * This false however when the use just reload the page.
+             *
+             * This can be used to perform some action related to session initialization
+             * but avoiding doing it repeatedly every time the user reload the page.
+             *
+             * Note that this is referring to the browser session and not the OIDC session
+             * on the server side.
+             *
+             * If you want to perform an action only when a new OIDC session is created
+             * you can test oidc.isNewBrowserSession && oidc.backFromAuthServer !== undefined
+             */
+            isNewBrowserSession: boolean;
+        };
+
+    export type Tokens<DecodedIdToken extends Record<string, unknown> = Tokens.DecodedIdToken_base> =
+        | Tokens.WithRefreshToken<DecodedIdToken>
+        | Tokens.WithoutRefreshToken<DecodedIdToken>;
+
+    export namespace Tokens {
+        export type Common<DecodedIdToken> = {
+            accessToken: string;
+            accessTokenExpirationTime: number;
+            idToken: string;
+            decodedIdToken: DecodedIdToken;
+            /**
+             * decodedIdToken_original = decodeJwt(idToken);
+             * decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original)
+             *
+             * The idea here is that if you have provided a zod schema as `decodedIdTokenSchema`
+             * it will strip out every claim that you haven't specified.
+             * You might even be applying some transformation.
+             *
+             * `decodedIdToken_original` is the actual decoded payload of the  id_token, untransformed.
+             * */
+            decodedIdToken_original: DecodedIdToken_base;
+            /** Read from id_token's JWT, iat claim value, it's a JavaScript timestamp (millisecond epoch) */
+            issuedAtTime: number;
+        };
+
+        export type WithRefreshToken<DecodedIdToken> = Common<DecodedIdToken> & {
+            hasRefreshToken: true;
+            refreshToken: string;
+            refreshTokenExpirationTime: number | undefined;
+        };
+
+        export type WithoutRefreshToken<DecodedIdToken> = Common<DecodedIdToken> & {
+            hasRefreshToken: false;
+            refreshToken?: never;
+            refreshTokenExpirationTime?: never;
+        };
+
+        export type DecodedIdToken_base = {
+            iss: string;
+            sub: string;
+            aud: string | string[];
+            exp: number;
+            iat: number;
+            [claimName: string]: unknown;
+        };
+    }
+}

package/src/core/OidcInitializationError.ts

@@ -0,0 +1,19 @@
+export class OidcInitializationError extends Error {
+    public readonly isAuthServerLikelyDown: boolean;
+
+    constructor(params: { messageOrCause: string | Error; isAuthServerLikelyDown: boolean }) {
+        super(
+            (() => {
+                if (typeof params.messageOrCause === "string") {
+                    return params.messageOrCause;
+                } else {
+                    return `Unknown initialization error: ${params.messageOrCause.message}`;
+                }
+            })(),
+            // @ts-expect-error
+            { cause: typeof params.messageOrCause === "string" ? undefined : params.messageOrCause }
+        );
+        this.isAuthServerLikelyDown = params.isAuthServerLikelyDown;
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}

package/src/core/OidcMetadata.ts

@@ -0,0 +1,271 @@
+import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
+import { assert, type Equals } from "../vendor/frontend/tsafe";
+
+/**
+ * OpenID Providers have metadata describing their configuration.
+ *
+ * @public
+ */
+export type OidcMetadata = {
+    /**
+     * REQUIRED. URL using the `https` scheme with no query or fragment component that the OP asserts as its Issuer
+     * Identifier. If Issuer discovery is supported
+     * (see [Section 2](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery)),
+     * this value MUST be identical to the issuer value
+     * returned by WebFinger. This also MUST be identical to the `iss` Claim value in ID Tokens issued from this Issuer.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    issuer: string;
+    /**
+     * REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint
+     * [[OpenID.Core](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)].
+     * This URL MUST use the `https` scheme and MAY contain port, path, and query parameter components.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    authorization_endpoint: string;
+    /**
+     * URL of the OP's OAuth 2.0 Token Endpoint
+     * [[OpenID.Core](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)].
+     * This is REQUIRED unless only the Implicit Flow is used. This URL MUST use the `https` scheme and MAY contain
+     * port, path, and query parameter components.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    token_endpoint: string;
+    /**
+     * OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
+     * The options are `client_secret_post`, `client_secret_basic`, `client_secret_jwt`, and `private_key_jwt`, as
+     * described in Section 9 of
+     * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)
+     * [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is
+     * `client_secret_basic` -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of
+     * [OAuth 2.0](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC6749) [RFC6749].
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    token_endpoint_auth_methods_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS signing algorithms (`alg` values) supported by the
+     * Token Endpoint for the signature on the JWT
+     * [[JWT](https://openid.net/specs/openid-connect-discovery-1_0.html#JWT)]
+     * used to authenticate the Client at the Token Endpoint for the `private_key_jwt` and `client_secret_jwt`
+     * authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    token_endpoint_auth_signing_alg_values_supported: string[];
+    /**
+     * RECOMMENDED. URL of the OP's UserInfo Endpoint
+     * [[OpenID.Core](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)].
+     * This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    userinfo_endpoint: string;
+    /**
+     * REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with the
+     * RP Client, using the HTML5 postMessage API. This URL MUST use the `https` scheme and MAY contain port, path, and
+     * query parameter components. The page is loaded from an invisible iframe embedded in an RP page so that it can run
+     * in the OP's security context. It accepts postMessage requests from the relevant RP iframe and uses postMessage to
+     * post back the login status of the End-User at the OP.
+     *
+     * @see https://openid.net/specs/openid-connect-session-1_0.html#OPMetadata
+     */
+    check_session_iframe: string;
+    /**
+     * REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
+     *
+     * @see https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata
+     */
+    end_session_endpoint: string;
+    /**
+     * REQUIRED. URL of the OP's JWK Set
+     * [[JWK](https://openid.net/specs/openid-connect-discovery-1_0.html#JWK)]
+     * document, which MUST use the `https` scheme. This contains the signing key(s) the RP uses to validate signatures from
+     * the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server.
+     * When both signing and encryption keys are made available, a `use` (public key use) parameter value is REQUIRED for all keys
+     * in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for
+     * both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK `x5c` parameter MAY be used to provide
+     * X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the
+     * certificate. The JWK Set MUST NOT contain private or symmetric key values.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    jwks_uri: string;
+    /**
+     * RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
+     * [[OpenID.Registration](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Registration)],
+     * which MUST use the `https` scheme.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    registration_endpoint: string;
+    /**
+     * RECOMMENDED. JSON array containing a list of the
+     * [OAuth 2.0](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC6749)
+     * [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not
+     * to advertise some supported scope values even when this parameter is used, although those defined in
+     * [[OpenID.Core](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)]
+     * SHOULD be listed, if supported.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    scopes_supported: string[];
+    /**
+     * REQUIRED. JSON array containing a list of the OAuth 2.0 `response_type` values that this OP supports. Dynamic OpenID
+     * Providers MUST support the `code`, `id_token`, and the `id_token token` Response Type values.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    response_types_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    acr_values_supported: string[];
+    /**
+     * REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include `pairwise`
+     * and `public`.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    subject_types_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS signing algorithms (`alg` values) supported by the OP for Request Objects,
+     * which are described in Section 6.1 of
+     * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)
+     * [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the `request` parameter) and
+     * when it is passed by reference (using the `request_uri` parameter). Servers SHOULD support `none` and `RS256`.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    request_object_signing_alg_values_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the `display` parameter values that the OpenID Provider supports. These values are
+     * described in Section 3.1.2.1 of
+     * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)
+     * [OpenID.Core].
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    display_values_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described
+     * in Section 5.6 of
+     * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core)
+     * [OpenID.Core]. Values defined by this specification are `normal`, `aggregated`, and `distributed`. If omitted, the
+     * implementation supports only normal Claims.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    claim_types_supported: string[];
+    /**
+     * RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
+     * values for. Note that for privacy or other reasons, this might not be an exhaustive list.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    claims_supported: string[];
+    /**
+     * OPTIONAL. Boolean value specifying whether the OP supports use of the `claims` parameter, with `true` indicating support. If
+     * omitted, the default value is `false`.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    claims_parameter_supported: boolean;
+    /**
+     * OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the
+     * OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on
+     * how to register Clients needs to be provided in this documentation.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    service_documentation: string;
+    /**
+     * OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of
+     * [BCP47](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5646)
+     * [RFC5646] language tag values.
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    ui_locales_supported: string[];
+    /**
+     * The fully qualified URL of the server's revocation endpoint defined by
+     * [OAuth 2.0 Token Revocation](https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7009)
+     * [RFC7009].
+     *
+     * @see https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#rfc.section.4.1
+     */
+    revocation_endpoint: string;
+    /**
+     * The fully qualified URL of the server's introspection endpoint defined by
+     * [OAuth Token Introspection](https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7662)
+     * [RFC7662].
+     *
+     * @see https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#rfc.section.4.1
+     */
+    introspection_endpoint: string;
+    /**
+     * OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with `true` indicating support. If omitted,
+     * the default value is `false`.
+     *
+     * @see https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout
+     */
+    frontchannel_logout_supported: boolean;
+    /**
+     * OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and `sid` (session ID) query parameters to identify
+     * the RP session with the OP when the `frontchannel_logout_uri` is used. If supported, the `sid` Claim is also included in
+     * ID Tokens issued by the OP. If omitted, the default value is `false`.
+     *
+     * @see https://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout
+     */
+    frontchannel_logout_session_supported: boolean;
+    /**
+     * OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with `true` indicating support. If omitted,
+     * the default value is `false`.
+     *
+     * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport
+     */
+    backchannel_logout_supported: boolean;
+    /**
+     * OPTIONAL. Boolean value specifying whether the OP can pass a `sid` (session ID) Claim in the Logout Token to identify the
+     * RP session with the OP. If supported, the `sid` Claim is also included in ID Tokens issued by the OP. If omitted, the default
+     * value is `false`.
+     *
+     * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#BCSupport
+     */
+    backchannel_logout_session_supported: boolean;
+    /**
+     * OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers
+     * MUST support the `authorization_code` and `implicit` Grant Type values and MAY support other Grant Types. If omitted, the
+     * default value is [`"authorization_code"`, `"implicit"`].
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    grant_types_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
+     * [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/openid-connect-discovery-1_0.html#OAuth.Responses)
+     * [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is [`"query"`, `"fragment"`].
+     *
+     * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+     */
+    response_modes_supported: string[];
+    /**
+     * OPTIONAL. JSON array containing a list of
+     * [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636)
+     * [RFC7636] code challenge methods supported by this authorization server.  Code challenge method values are used in
+     * the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are
+     * those registered in the
+     * [IANA "PKCE Code Challenge Methods" registry](https://datatracker.ietf.org/doc/html/rfc8414#ref-IANA.OAuth.Parameters)
+     * [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc8414
+     */
+    code_challenge_methods_supported: string[];
+};
+
+assert<Equals<OidcMetadata, OidcClientTsOidcMetadata>>;

package/src/core/StateData.ts

@@ -0,0 +1,118 @@
+import { typeGuard, assert } from "../vendor/frontend/tsafe";
+import { generateUrlSafeRandom } from "../tools/generateUrlSafeRandom";
+
+export type StateData = StateData.IFrame | StateData.Redirect;
+
+export namespace StateData {
+    type Common = {
+        configId: string;
+    };
+
+    export type IFrame = Common & {
+        context: "iframe";
+    };
+
+    export type Redirect = Redirect.Login | Redirect.Logout;
+    export namespace Redirect {
+        type Common_Redirect = Common & {
+            context: "redirect";
+            redirectUrl: string;
+            hasBeenProcessedByCallback: boolean;
+        };
+
+        export type Login = Common_Redirect & {
+            action: "login";
+            redirectUrl_consentRequiredCase: string;
+            extraQueryParams: Record<string, string>;
+        };
+
+        export type Logout = Common_Redirect & {
+            action: "logout";
+            sessionId: string | undefined;
+        };
+    }
+}
+
+const STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX = "b2lkYy1zcGEu";
+const RANDOM_STRING_LENGTH = 32 - STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length;
+
+export function generateStateUrlParamValue(): string {
+    return `${STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX}${generateUrlSafeRandom({
+        length: RANDOM_STRING_LENGTH
+    })}`;
+}
+
+export function getIsStatQueryParamValue(params: { maybeStateUrlParamValue: string }): boolean {
+    const { maybeStateUrlParamValue } = params;
+
+    return (
+        maybeStateUrlParamValue.startsWith(STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX) &&
+        maybeStateUrlParamValue.length ===
+            STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length + RANDOM_STRING_LENGTH
+    );
+}
+
+export const STATE_STORE_KEY_PREFIX = "oidc.";
+
+function getKey(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
+
+    return `${STATE_STORE_KEY_PREFIX}${stateUrlParamValue}`;
+}
+
+function getStateStore(params: { stateUrlParamValue: string }): { data: StateData } | undefined {
+    const { stateUrlParamValue } = params;
+
+    const item = localStorage.getItem(getKey({ stateUrlParamValue }));
+
+    if (item === null) {
+        return undefined;
+    }
+
+    const obj = JSON.parse(item);
+
+    assert(
+        typeGuard<{ data: StateData }>(
+            obj,
+            obj instanceof Object && obj.data instanceof Object && typeof obj.data.context === "string"
+        )
+    );
+
+    return obj;
+}
+
+function setStateStore(params: { stateUrlParamValue: string; obj: { data: StateData } }) {
+    const { stateUrlParamValue, obj } = params;
+
+    localStorage.setItem(getKey({ stateUrlParamValue }), JSON.stringify(obj));
+}
+
+export function clearStateStore(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
+    localStorage.removeItem(getKey({ stateUrlParamValue }));
+}
+
+export function getStateData(params: { stateUrlParamValue: string }): StateData | undefined {
+    const { stateUrlParamValue } = params;
+
+    const stateStore = getStateStore({ stateUrlParamValue });
+
+    if (stateStore === undefined) {
+        return undefined;
+    }
+
+    return stateStore.data;
+}
+
+export function markStateDataAsProcessedByCallback(params: { stateUrlParamValue: string }) {
+    const { stateUrlParamValue } = params;
+
+    const obj = getStateStore({ stateUrlParamValue });
+
+    assert(obj !== undefined, "180465");
+    assert(obj.data.context === "redirect", "649531");
+
+    obj.data.hasBeenProcessedByCallback = true;
+
+    setStateStore({ stateUrlParamValue, obj });
+}

package/src/core/configId.ts

@@ -0,0 +1,3 @@
+export function getConfigId(params: { issuerUri: string; clientId: string }) {
+    return `${params.issuerUri}:${params.clientId}`;
+}