npm - oidc-spa - Versions diffs - 7.2.4 → 7.3.0 - Mend

oidc-spa 7.2.4 → 7.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/core/Oidc.d.ts +4 -1
package/core/createOidc.js +69 -19
package/core/createOidc.js.map +1 -1
package/core/handleOidcCallback.js +2 -4
package/core/handleOidcCallback.js.map +1 -1
package/core/loginOrGoToAuthServer.js +8 -2
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/oidcClientTsUserToTokens.js +7 -2
package/core/oidcClientTsUserToTokens.js.map +1 -1
package/esm/core/Oidc.d.ts +4 -1
package/esm/core/createOidc.js +69 -19
package/esm/core/createOidc.js.map +1 -1
package/esm/core/handleOidcCallback.js +2 -4
package/esm/core/handleOidcCallback.js.map +1 -1
package/esm/core/loginOrGoToAuthServer.js +8 -2
package/esm/core/loginOrGoToAuthServer.js.map +1 -1
package/esm/core/oidcClientTsUserToTokens.js +7 -2
package/esm/core/oidcClientTsUserToTokens.js.map +1 -1
package/esm/keycloak/keycloak-js/Keycloak.d.ts +1 -3
package/esm/keycloak/keycloak-js/Keycloak.js +31 -15
package/esm/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/esm/keycloak/keycloak-js/types.d.ts +1 -3
package/esm/mock/oidc.js +2 -1
package/esm/mock/oidc.js.map +1 -1
package/esm/tools/workerTimers.js +1 -1
package/esm/tools/workerTimers.js.map +1 -1
package/esm/vendor/frontend/oidc-client-ts.js +46 -8
package/keycloak/keycloak-js/Keycloak.d.ts +1 -3
package/keycloak/keycloak-js/Keycloak.js +31 -15
package/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/keycloak/keycloak-js/types.d.ts +1 -3
package/mock/oidc.js +2 -1
package/mock/oidc.js.map +1 -1
package/package.json +1 -1
package/src/core/Oidc.ts +5 -1
package/src/core/createOidc.ts +85 -17
package/src/core/handleOidcCallback.ts +2 -5
package/src/core/loginOrGoToAuthServer.ts +9 -2
package/src/core/oidcClientTsUserToTokens.ts +7 -2
package/src/keycloak/keycloak-js/Keycloak.ts +37 -10
package/src/keycloak/keycloak-js/types.ts +1 -4
package/src/mock/oidc.ts +2 -1
package/src/tools/workerTimers.ts +1 -1
package/tools/workerTimers.js +1 -1
package/tools/workerTimers.js.map +1 -1
package/vendor/frontend/oidc-client-ts.js +46 -8

package/src/core/createOidc.ts CHANGED Viewed

@@ -970,6 +970,8 @@ export async function createOidc_nonMemoized<
     let wouldHaveAutoLoggedOutIfBrowserWasOnline = false;
+    let prOngoingTokenRenewal: Promise<void> | undefined = undefined;
     const oidc_loggedIn = id<Oidc.LoggedIn<DecodedIdToken>>({
         ...oidc_common,
         isUserLoggedIn: true,
@@ -979,10 +981,19 @@ export async function createOidc_nonMemoized<
                 assert(false);
             }
+            if (prOngoingTokenRenewal === undefined) {
+                // NOTE: Give a chance to renewOnLocalTimeShift to do it's job
+                await new Promise<void>(resolve => setTimeout(resolve, 0));
+            }
+            if (prOngoingTokenRenewal !== undefined) {
+                await prOngoingTokenRenewal;
+            }
             renew_tokens: {
                 {
                     const msBeforeExpirationOfTheAccessToken =
-                        currentTokens.accessTokenExpirationTime - Date.now();
+                        currentTokens.accessTokenExpirationTime - currentTokens.getServerDateNow();
                     if (msBeforeExpirationOfTheAccessToken > 30_000) {
                         break renew_tokens;
@@ -990,7 +1001,8 @@ export async function createOidc_nonMemoized<
                 }
                 {
-                    const msElapsedSinceCurrentTokenWereIssued = Date.now() - currentTokens.issuedAtTime;
+                    const msElapsedSinceCurrentTokenWereIssued =
+                        currentTokens.getServerDateNow() - currentTokens.issuedAtTime;
                     if (msElapsedSinceCurrentTokenWereIssued < 5_000) {
                         break renew_tokens;
@@ -1029,7 +1041,10 @@ export async function createOidc_nonMemoized<
                 prUnlock: new Promise<never>(() => {})
             });
-            window.addEventListener("pageshow", () => {
+            window.addEventListener("pageshow", event => {
+                if (!event.persisted) {
+                    return;
+                }
                 location.reload();
             });
@@ -1073,6 +1088,7 @@ export async function createOidc_nonMemoized<
             return new Promise<never>(() => {});
         },
         renewTokens: (() => {
+            // NOTE: Cannot throw (or if it does it's our fault)
             async function renewTokens_nonMutexed(params: {
                 extraTokenParams: Record<string, string | undefined>;
             }) {
@@ -1228,12 +1244,12 @@ export async function createOidc_nonMemoized<
                   }
                 | undefined = undefined;
-            function handleFinally() {
+            function handleThen() {
                 assert(ongoingCall !== undefined, "131276");
                 const { pr } = ongoingCall;
-                pr.finally(() => {
+                pr.then(() => {
                     assert(ongoingCall !== undefined, "549462");
                     if (ongoingCall.pr !== pr) {
@@ -1244,8 +1260,10 @@ export async function createOidc_nonMemoized<
                 });
             }
-            return async params => {
-                const { extraTokenParams: extraTokenParams_local } = params ?? {};
+            async function renewTokens_mutexed(params: {
+                extraTokenParams?: Record<string, string | undefined>;
+            }) {
+                const { extraTokenParams: extraTokenParams_local } = params;
                 const extraTokenParams = {
                     ...getExtraTokenParams?.(),
@@ -1258,7 +1276,7 @@ export async function createOidc_nonMemoized<
                         extraTokenParams
                     };
-                    handleFinally();
+                    handleThen();
                     return ongoingCall.pr;
                 }
@@ -1269,18 +1287,28 @@ export async function createOidc_nonMemoized<
                 ongoingCall = {
                     pr: (async () => {
-                        try {
-                            await ongoingCall.pr;
-                        } catch {}
+                        await ongoingCall.pr;
                         return renewTokens_nonMutexed({ extraTokenParams });
                     })(),
                     extraTokenParams
                 };
-                handleFinally();
+                handleThen();
                 return ongoingCall.pr;
+            }
+            return params => {
+                const { extraTokenParams } = params ?? {};
+                prOngoingTokenRenewal = renewTokens_mutexed({ extraTokenParams });
+                prOngoingTokenRenewal.then(() => {
+                    prOngoingTokenRenewal = undefined;
+                });
+                return prOngoingTokenRenewal;
             };
         })(),
         subscribeToTokensChange: onTokenChange => {
@@ -1335,6 +1363,50 @@ export async function createOidc_nonMemoized<
         });
     }
+    // NOTE: Pessimistic renewal of token on potential clock adjustment.
+    (function renewOnLocalTimeShift() {
+        // NOTE: If we can't confidently silently refresh tokens we won't risk reloading
+        // the page just to cover the local time drift edge case.
+        if (!currentTokens.hasRefreshToken && !canUseIframe) {
+            return;
+        }
+        let timer: ReturnType<typeof setTimeout> | undefined = undefined;
+        const DELAY = 5_000;
+        (async () => {
+            while (true) {
+                const before = Date.now();
+                await new Promise<void>(resolve => {
+                    timer = setTimeout(resolve, DELAY);
+                });
+                const after = Date.now();
+                const elapsed_measured = after - before;
+                const elapsed_theoretical = DELAY;
+                if (Math.abs(elapsed_measured - elapsed_theoretical) > 1_000) {
+                    log?.("Renewing token now as local time might have shifted");
+                    // NOTE: This **will** happen, even if there is no local time drift.
+                    // For example when the computer wakes up after sleep.
+                    // But it doesn't matter, we'll just make a token renewal that was probably
+                    // not necessary. It's best than risking to deem expired token as valid.
+                    oidc_loggedIn.renewTokens();
+                    return;
+                }
+            }
+        })();
+        const { unsubscribe: tokenChangeUnsubscribe } = oidc_loggedIn.subscribeToTokensChange(() => {
+            if (timer !== undefined) {
+                clearTimeout(timer);
+            }
+            tokenChangeUnsubscribe();
+            renewOnLocalTimeShift();
+        });
+    })();
     (function scheduleRenew() {
         if (!currentTokens.hasRefreshToken && !canUseIframe) {
             log?.(
@@ -1348,7 +1420,7 @@ export async function createOidc_nonMemoized<
         const msBeforeExpiration =
             (currentTokens.refreshTokenExpirationTime ?? currentTokens.accessTokenExpirationTime) -
-            Date.now();
+            currentTokens.getServerDateNow();
         const typeOfTheTokenWeGotTheTtlFrom =
             currentTokens.refreshTokenExpirationTime !== undefined ? "refresh" : "access";
@@ -1356,10 +1428,6 @@ export async function createOidc_nonMemoized<
         const RENEW_MS_BEFORE_EXPIRES = 30_000;
         if (msBeforeExpiration <= RENEW_MS_BEFORE_EXPIRES) {
-            // NOTE: We just got a new token that is about to expire. This means that
-            // the refresh token has reached it's max SSO time.
-            // ...or that the refresh token have a very short lifespan...
-            // anyway, no need to keep alive, it will probably redirect on the next getTokens() or refreshTokens() call
             log?.(
                 [
                     "Disabling auto renew mechanism. We just got fresh tokens",

package/src/core/handleOidcCallback.ts CHANGED Viewed

@@ -278,11 +278,8 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
 }
 function reloadOnBfCacheNavigation() {
-    const start = Date.now();
-    window.addEventListener("pageshow", () => {
-        const elapsed = Date.now() - start;
-        if (elapsed < 100) {
+    window.addEventListener("pageshow", event => {
+        if (!event.persisted) {
             return;
         }
         location.reload();

package/src/core/loginOrGoToAuthServer.ts CHANGED Viewed

@@ -124,7 +124,10 @@ export function createLoginOrGoToAuthServer(params: {
             bf_cache_handling: {
                 if (rest.doForceReloadOnBfCache) {
-                    window.removeEventListener("pageshow", () => {
+                    window.removeEventListener("pageshow", event => {
+                        if (!event.persisted) {
+                            return;
+                        }
                         location.reload();
                     });
                     break bf_cache_handling;
@@ -132,7 +135,11 @@ export function createLoginOrGoToAuthServer(params: {
                 localStorage.setItem(LOCAL_STORAGE_KEY_TO_CLEAR_WHEN_USER_LOGGED_IN, "true");
-                const callback = () => {
+                const callback = (event: { persisted: boolean }) => {
+                    if (!event.persisted) {
+                        return;
+                    }
                     window.removeEventListener("pageshow", callback);
                     log?.(

package/src/core/oidcClientTsUserToTokens.ts CHANGED Viewed

@@ -75,7 +75,8 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
     const issuedAtTime = (() => {
         // NOTE: The id_token is always a JWT as per the protocol.
-        // We don't use Date.now() due to network latency.
+        // We don't use Date.now() due to network latency or if the
+        // local clock is inaccurate.
         const id_token_iat = (() => {
             let iat: number | undefined;
@@ -159,7 +160,11 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
         idToken,
         decodedIdToken,
         decodedIdToken_original,
-        issuedAtTime
+        issuedAtTime,
+        getServerDateNow: (() => {
+            const issuedAtTime_local = oidcClientTsUser.__oidc_spa_localTimeWhenTokenIssued;
+            return () => Date.now() + (issuedAtTime - issuedAtTime_local);
+        })()
     };
     const tokens: Oidc.Tokens<DecodedIdToken> =

package/src/keycloak/keycloak-js/Keycloak.ts CHANGED Viewed

@@ -330,7 +330,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.realAccess when keycloak.realmAccess is false is a logical error in your application"
+                "Trying to read keycloak.realAccess when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -389,7 +389,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.token is false is a logical error in your application"
+                "Trying to read keycloak.token when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -423,7 +423,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.tokenParsed is false is a logical error in your application"
+                "Trying to read keycloak.tokenParsed when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -451,7 +451,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.refreshToken is false is a logical error in your application"
+                "Trying to read keycloak.refreshToken when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -485,7 +485,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.refreshTokenParsed is false is a logical error in your application"
+                "Trying to read keycloak.refreshTokenParsed when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -517,7 +517,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.token is false is a logical error in your application"
+                "Trying to read keycloak.idToken when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -551,7 +551,7 @@ export class Keycloak {
         if (!oidc.isUserLoggedIn) {
             console.warn(
-                "Trying to read keycloak.token when keycloak.refreshTokenParsed is false is a logical error in your application"
+                "Trying to read keycloak.idTokenParsed when keycloak.authenticated is false is a logical error in your application"
             );
             return undefined;
         }
@@ -566,10 +566,37 @@ export class Keycloak {
      * The estimated time difference between the browser time and the Keycloak
      * server in seconds. This value is just an estimation, but is accurate
      * enough when determining if a token is expired or not.
-     *
-     * NOTE oidc-spa: Not supported.
      */
-    timeSkew = null;
+    get timeSkew(): number | null {
+        const internalState = internalStateByInstance.get(this);
+        assert(internalState !== undefined);
+        if (!this.didInitialize) {
+            const { timeSkew } = internalState.initOptions ?? {};
+            if (timeSkew === undefined) {
+                return null;
+            }
+            return timeSkew;
+        }
+        const { oidc, tokens } = internalState;
+        assert(oidc !== undefined);
+        if (!oidc.isUserLoggedIn) {
+            console.warn(
+                "Trying to read keycloak.timeSkew when keycloak.authenticated is false is a logical error in your application"
+            );
+            return null;
+        }
+        assert(tokens !== undefined);
+        return Math.ceil((tokens.getServerDateNow() - Date.now()) / 1000);
+    }
     /**
      * Whether the instance has been initialized by calling `.init()`.

package/src/keycloak/keycloak-js/types.ts CHANGED Viewed

@@ -139,11 +139,8 @@ export interface KeycloakInitOptions {
     /**
      * Set an initial value for skew between local time and Keycloak server in
      * seconds (only together with `token` or `refreshToken`).
-     *
-     * NOTE oidc-spa: Not supported
      */
-    //timeSkew?: number;
-    timeSkew?: undefined;
+    timeSkew?: number;
     /**
      * Set to enable/disable monitoring login state.

package/src/mock/oidc.ts CHANGED Viewed

@@ -151,7 +151,8 @@ export async function createMockOidc<
                             "See https://docs.oidc-spa.dev/v/v7/mock"
                         ].join("\n")
                     }),
-                issuedAtTime: Date.now()
+                issuedAtTime: Date.now(),
+                getServerDateNow: () => Date.now()
             };
             const tokens: Oidc.Tokens<DecodedIdToken> =

package/src/tools/workerTimers.ts CHANGED Viewed

@@ -34,7 +34,7 @@ export function setTimeout(callback: () => void, delay: number): TimerHandle {
         const elapsed = Date.now() - start;
-        if (elapsed < delay) {
+        if (0 <= elapsed && elapsed < delay) {
             timerHandle_n = workerTimers.setTimeout(callback_actual, delay - elapsed);
         } else {
             callback_actual();

package/tools/workerTimers.js CHANGED Viewed

@@ -21,7 +21,7 @@ function setTimeout(callback, delay) {
     const onPageshow = () => {
         worker_timers_1.workerTimers.clearTimeout(timerHandle_n);
         const elapsed = Date.now() - start;
-        if (elapsed < delay) {
+        if (0 <= elapsed && elapsed < delay) {
             timerHandle_n = worker_timers_1.workerTimers.setTimeout(callback_actual, delay - elapsed);
         }
         else {

package/tools/workerTimers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"workerTimers.js","sourceRoot":"","sources":["../src/tools/workerTimers.ts"],"names":[],"mappings":";;AAQA,gCAsCC;AAED,oCAQC;AAxDD,oEAAgE;AAMhE,MAAM,kBAAkB,GAAG,IAAI,OAAO,EAA2B,CAAC;AAElE,SAAgB,UAAU,CAAC,QAAoB,EAAE,KAAa;IAC1D,MAAM,eAAe,GAAG,GAAG,EAAE;QACzB,MAAM,CAAC,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAEnD,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC;IAEF,IAAI,aAAa,GAAG,4BAAY,CAAC,UAAU,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;IAEpE,MAAM,WAAW,GAAgB,EAAS,CAAC;IAE3C,kBAAkB,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,EAAE;QACrC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvC,4BAAY,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAEzC,MAAM,CAAC,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,MAAM,UAAU,GAAG,GAAG,EAAE;QACpB,4BAAY,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QAEnC,IAAI,OAAO,GAAG,KAAK,EAAE,CAAC;~~YAClB~~,aAAa,GAAG,4BAAY,CAAC,UAAU,CAAC,eAAe,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACJ,eAAe,EAAE,CAAC;QACtB,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,CAAC,gBAAgB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAEhD,OAAO,WAAW,CAAC;AACvB,CAAC;AAED,SAAgB,YAAY,CAAC,MAAmB;IAC5C,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE7C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO;IACX,CAAC;IAED,KAAK,EAAE,CAAC;AACZ,CAAC"}
1	+ {"version":3,"file":"workerTimers.js","sourceRoot":"","sources":["../src/tools/workerTimers.ts"],"names":[],"mappings":";;AAQA,gCAsCC;AAED,oCAQC;AAxDD,oEAAgE;AAMhE,MAAM,kBAAkB,GAAG,IAAI,OAAO,EAA2B,CAAC;AAElE,SAAgB,UAAU,CAAC,QAAoB,EAAE,KAAa;IAC1D,MAAM,eAAe,GAAG,GAAG,EAAE;QACzB,MAAM,CAAC,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAEnD,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvC,QAAQ,EAAE,CAAC;IACf,CAAC,CAAC;IAEF,IAAI,aAAa,GAAG,4BAAY,CAAC,UAAU,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;IAEpE,MAAM,WAAW,GAAgB,EAAS,CAAC;IAE3C,kBAAkB,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,EAAE;QACrC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvC,4BAAY,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAEzC,MAAM,CAAC,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,MAAM,UAAU,GAAG,GAAG,EAAE;QACpB,4BAAY,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QAEnC,IAAI,CAAC,IAAI,OAAO,IAAI,OAAO,GAAG,KAAK,EAAE,CAAC;YAClC,aAAa,GAAG,4BAAY,CAAC,UAAU,CAAC,eAAe,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACJ,eAAe,EAAE,CAAC;QACtB,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,CAAC,gBAAgB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAEhD,OAAO,WAAW,CAAC;AACvB,CAAC;AAED,SAAgB,YAAY,CAAC,MAAmB;IAC5C,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE7C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO;IACX,CAAC;IAED,KAAK,EAAE,CAAC;AACZ,CAAC"}

package/vendor/frontend/oidc-client-ts.js CHANGED Viewed

@@ -1182,6 +1182,7 @@ var UserInfoService = class {
 };
 // src/TokenClient.ts
+var localTimeByResponse = /* @__PURE__ */ new WeakMap();
 var TokenClient = class {
   constructor(_settings, _metadataService) {
     this._settings = _settings;
@@ -1240,6 +1241,7 @@ var TokenClient = class {
     }
     const url = await this._metadataService.getTokenEndpoint(false);
     logger2.debug("got token endpoint");
+    const timeBefore = Date.now();
     const response = await this._jsonService.postForm(url, {
       body: params,
       basicAuth,
@@ -1247,6 +1249,8 @@ var TokenClient = class {
       initCredentials: this._settings.fetchRequestCredentials,
       extraHeaders
     });
+    const timeAfter = Date.now();
+    localTimeByResponse.set(response, Math.floor((timeBefore + timeAfter) / 2));
     logger2.debug("got response");
     return response;
   }
@@ -1293,7 +1297,10 @@ var TokenClient = class {
     }
     const url = await this._metadataService.getTokenEndpoint(false);
     logger2.debug("got token endpoint");
+    const timeBefore = Date.now();
     const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds: this._settings.requestTimeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });
+    const timeAfter = Date.now();
+    localTimeByResponse.set(response, Math.floor((timeBefore + timeAfter) / 2));
     logger2.debug("got response");
     return response;
   }
@@ -1343,7 +1350,10 @@ var TokenClient = class {
     }
     const url = await this._metadataService.getTokenEndpoint(false);
     logger2.debug("got token endpoint");
+    const timeBefore = Date.now();
     const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials, extraHeaders });
+    const timeAfter = Date.now();
+    localTimeByResponse.set(response, Math.floor((timeBefore + timeAfter) / 2));
     logger2.debug("got response");
     return response;
   }
@@ -1498,6 +1508,13 @@ var ResponseValidator = class {
       });
       Object.assign(response, tokenResponse);
       response.__oidc_spa_tokenResponse = tokenResponse;
+      response.__oidc_spa_localTimeWhenTokenIssued = (() => {
+        const time = localTimeByResponse.get(tokenResponse);
+        if (time === void 0) {
+          throw new Error("oidc-spa error in oidc-client-ts");
+        }
+        return time;
+      })();
     } else {
       logger2.debug("No code to process");
     }
@@ -1782,6 +1799,7 @@ var SigninResponse = class {
     this.error_uri = params.get("error_uri");
     this.code = params.get("code");
     this.__oidc_spa_tokenResponse = void 0;
+    this.__oidc_spa_localTimeWhenTokenIssued = void 0;
   }
   get expires_in() {
     if (this.expires_at === void 0) {
@@ -2068,6 +2086,13 @@ var OidcClient = class {
     const signinResponse = new SigninResponse(new URLSearchParams());
     Object.assign(signinResponse, tokenResponse);
     signinResponse.__oidc_spa_tokenResponse = tokenResponse;
+    signinResponse.__oidc_spa_localTimeWhenTokenIssued = (() => {
+      const time = localTimeByResponse.get(tokenResponse);
+      if (time === void 0) {
+        throw new Error("oidc-spa error in oidc-client-ts");
+      }
+      return time;
+    })();
     await this._validator.validateCredentialsResponse(signinResponse, skipUserInfo);
     return signinResponse;
   }
@@ -2125,6 +2150,13 @@ var OidcClient = class {
     const response = new SigninResponse(new URLSearchParams());
     Object.assign(response, result);
     response.__oidc_spa_tokenResponse = result;
+    response.__oidc_spa_localTimeWhenTokenIssued = (() => {
+      const time = localTimeByResponse.get(result);
+      if (time === void 0) {
+        throw new Error("oidc-spa error in oidc-client-ts");
+      }
+      return time;
+    })();
     logger2.debug("validating response", response);
     await this._validator.validateRefreshResponse(response, {
       ...state,
@@ -2356,6 +2388,7 @@ var User = class _User {
     this.state = args.userState;
     this.url_state = args.url_state;
     this.__oidc_spa_tokenResponse = args.__oidc_spa_tokenResponse;
+    this.__oidc_spa_localTimeWhenTokenIssued = args.__oidc_spa_localTimeWhenTokenIssued;
   }
   /** Computed number of seconds the access token has remaining. */
   get expires_in() {
@@ -2393,7 +2426,8 @@ var User = class _User {
       scope: this.scope,
       profile: this.profile,
       expires_at: this.expires_at,
-      __oidc_spa_tokenResponse: this.__oidc_spa_tokenResponse
+      __oidc_spa_tokenResponse: this.__oidc_spa_tokenResponse,
+      __oidc_spa_localTimeWhenTokenIssued: this.__oidc_spa_localTimeWhenTokenIssued
     });
   }
   static fromStorageString(storageString) {
@@ -3150,12 +3184,15 @@ var UserManager = class {
       timeoutInSeconds: this.settings.silentRequestTimeoutInSeconds,
       ...args
     });
-    if (response.__oidc_spa_tokenResponse === void 0) {
-      throw new Error(
-        "Wrong Assertion Encountered: Error in oidc-spa mod of oidc-client-ts"
-      );
+    if (response.__oidc_spa_tokenResponse === void 0 || response.__oidc_spa_localTimeWhenTokenIssued === void 0) {
+      throw new Error("Wrong Assertion Encountered: Error in oidc-spa mod of oidc-client-ts");
     }
-    const user = new User({ ...args.state, ...response, __oidc_spa_tokenResponse: response.__oidc_spa_tokenResponse });
+    const user = new User({
+      ...args.state,
+      ...response,
+      __oidc_spa_tokenResponse: response.__oidc_spa_tokenResponse,
+      __oidc_spa_localTimeWhenTokenIssued: response.__oidc_spa_localTimeWhenTokenIssued
+    });
     await this.storeUser(user);
     await this._events.load(user);
     return user;
@@ -3318,14 +3355,15 @@ var UserManager = class {
   }
   async _buildUser(signinResponse, verifySub) {
     const logger2 = this._logger.create("_buildUser");
-    if (signinResponse.__oidc_spa_tokenResponse === void 0) {
+    if (signinResponse.__oidc_spa_tokenResponse === void 0 || signinResponse.__oidc_spa_localTimeWhenTokenIssued === void 0) {
       throw new Error(
         "Wrong Assertion Encountered: Error in oidc-spa mod of oidc-client-ts"
       );
     }
     const user = new User({
       ...signinResponse,
-      __oidc_spa_tokenResponse: signinResponse.__oidc_spa_tokenResponse
+      __oidc_spa_tokenResponse: signinResponse.__oidc_spa_tokenResponse,
+      __oidc_spa_localTimeWhenTokenIssued: signinResponse.__oidc_spa_localTimeWhenTokenIssued
     });
     if (verifySub) {
       if (verifySub !== user.profile.sub) {