oidc-spa 8.1.14 → 8.2.0

package/react-spa/types.d.ts

@@ -0,0 +1,279 @@
+import type { ReactNode, ComponentType } from "react";
+import type { Oidc as Oidc_core, OidcInitializationError } from "../core";
+import type { OidcMetadata } from "../core/OidcMetadata";
+export type UseOidc<DecodedIdToken> = {
+    (params?: {
+        assert?: undefined;
+    }): UseOidc.Oidc<DecodedIdToken>;
+    (params: {
+        assert: "user logged in";
+    }): UseOidc.Oidc.LoggedIn<DecodedIdToken>;
+    (params: {
+        assert: "user not logged in";
+    }): UseOidc.Oidc.NotLoggedIn;
+};
+export declare namespace UseOidc {
+    type WithAutoLogin<DecodedIdToken> = (params?: {
+        assert: "user logged in";
+    }) => Oidc.LoggedIn<DecodedIdToken>;
+    type Oidc<DecodedIdToken> = (Oidc.NotLoggedIn & {
+        decodedIdToken?: never;
+        logout?: never;
+        renewTokens?: never;
+        goToAuthServer?: never;
+        backFromAuthServer?: never;
+        isNewBrowserSession?: never;
+    }) | (Oidc.LoggedIn<DecodedIdToken> & {
+        login?: never;
+        initializationError?: never;
+    });
+    namespace Oidc {
+        type Common = {
+            issuerUri: string;
+            clientId: string;
+        };
+        export type NotLoggedIn = Common & {
+            login: (params?: {
+                extraQueryParams?: Record<string, string | undefined>;
+                redirectUrl?: string;
+                transformUrlBeforeRedirect?: (url: string) => string;
+            }) => Promise<never>;
+            autoLogoutState: {
+                shouldDisplayWarning: false;
+            };
+            isUserLoggedIn: false;
+            initializationError: OidcInitializationError | undefined;
+        };
+        export type LoggedIn<DecodedIdToken> = Common & {
+            isUserLoggedIn: true;
+            decodedIdToken: DecodedIdToken;
+            logout: Oidc_core.LoggedIn["logout"];
+            renewTokens: Oidc_core.LoggedIn["renewTokens"];
+            goToAuthServer: Oidc_core.LoggedIn["goToAuthServer"];
+            backFromAuthServer: Oidc_core.LoggedIn["backFromAuthServer"];
+            isNewBrowserSession: boolean;
+            autoLogoutState: {
+                shouldDisplayWarning: true;
+                secondsLeftBeforeAutoLogout: number;
+            } | {
+                shouldDisplayWarning: false;
+            };
+        };
+        export {};
+    }
+}
+export type GetOidc<DecodedIdToken> = {
+    (params?: {
+        assert?: undefined;
+    }): Promise<GetOidc.Oidc<DecodedIdToken>>;
+    (params: {
+        assert: "user logged in";
+    }): Promise<GetOidc.Oidc.LoggedIn<DecodedIdToken>>;
+    (params: {
+        assert: "user not logged in";
+    }): Promise<GetOidc.Oidc.NotLoggedIn>;
+};
+export declare namespace GetOidc {
+    type WithAutoLogin<DecodedIdToken> = (params?: {
+        assert: "user logged in";
+    }) => Promise<Oidc.LoggedIn<DecodedIdToken>>;
+    type Oidc<DecodedIdToken> = (Oidc.NotLoggedIn & {
+        getAccessToken?: never;
+        getDecodedIdToken?: never;
+        logout?: never;
+        renewTokens?: never;
+        goToAuthServer?: never;
+        backFromAuthServer?: never;
+        isNewBrowserSession?: never;
+        subscribeToAutoLogoutState?: never;
+    }) | (Oidc.LoggedIn<DecodedIdToken> & {
+        initializationError?: never;
+        login?: never;
+    });
+    namespace Oidc {
+        type Common = {
+            issuerUri: string;
+            clientId: string;
+        };
+        export type NotLoggedIn = Common & {
+            isUserLoggedIn: false;
+            initializationError: OidcInitializationError | undefined;
+            login: Oidc_core.NotLoggedIn["login"];
+        };
+        export type LoggedIn<DecodedIdToken> = Common & {
+            isUserLoggedIn: true;
+            getAccessToken: () => Promise<string>;
+            getDecodedIdToken: () => DecodedIdToken;
+            logout: Oidc_core.LoggedIn["logout"];
+            renewTokens: Oidc_core.LoggedIn["renewTokens"];
+            goToAuthServer: Oidc_core.LoggedIn["goToAuthServer"];
+            backFromAuthServer: Oidc_core.LoggedIn["backFromAuthServer"];
+            isNewBrowserSession: boolean;
+            subscribeToAutoLogoutState: (next: (autoLogoutState: {
+                shouldDisplayWarning: true;
+                secondsLeftBeforeAutoLogout: number;
+            } | {
+                shouldDisplayWarning: false;
+            }) => void) => {
+                unsubscribeFromAutoLogoutState: () => void;
+            };
+        };
+        export {};
+    }
+}
+export type ParamsOfBootstrap<AutoLogin, DecodedIdToken> = ParamsOfBootstrap.Real<AutoLogin> | ParamsOfBootstrap.Mock<AutoLogin, DecodedIdToken>;
+export declare namespace ParamsOfBootstrap {
+    type Real<AutoLogin> = {
+        implementation: "real";
+        /**
+         * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+         */
+        issuerUri: string;
+        /**
+         * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+         */
+        clientId: string;
+        /**
+         * Default: 45 second.
+         * It defines how long before the auto logout we should start
+         * displaying an overlay message to the user alerting them
+         * like: "Are you still there? You'll be disconnected in 45...44..."
+         * NOTE: This parameter is only UI related! It does not defines
+         * after how much time of inactivity the user should be auto logged out.
+         * This is a server policy (that can be overwrote by idleSessionLifetimeInSeconds)
+         * See: https://docs.oidc-spa.dev/v/v8/auto-logout
+         */
+        startCountdownSecondsBeforeAutoLogout?: number;
+        /**
+         * This parameter defines after how many seconds of inactivity the user should be
+         * logged out automatically.
+         *
+         * WARNING: It should be configured on the identity server side
+         * as it's the authoritative source for security policies and not the client.
+         * If you don't provide this parameter it will be inferred from the refresh token expiration time.
+         * Some provider however don't issue a refresh token or do not correctly set the
+         * expiration time. This parameter enable you to hard code the value to compensate
+         * the shortcoming of your auth server.
+         * */
+        idleSessionLifetimeInSeconds?: number;
+        /**
+         * The scopes being requested from the OIDC/OAuth2 provider (default: `["profile"]`
+         * (the scope "openid" is added automatically as it's mandatory)
+         **/
+        scopes?: string[];
+        /**
+         * Transform the url (authorization endpoint) before redirecting to the login pages.
+         *
+         * The isSilent parameter is true when the redirect is initiated in the background iframe for silent signin.
+         * This can be used to omit ui related query parameters (like `ui_locales`).
+         */
+        transformUrlBeforeRedirect?: (params: {
+            authorizationUrl: string;
+            isSilent: boolean;
+        }) => string;
+        /**
+         * Extra query params to be added to the authorization endpoint url before redirecting or silent signing in.
+         * You can provide a function that returns those extra query params, it will be called
+         * when login() is called.
+         *
+         * Example: extraQueryParams: ()=> ({ ui_locales: "fr" })
+         *
+         * This parameter can also be passed to login() directly.
+         */
+        extraQueryParams?: Record<string, string | undefined> | ((params: {
+            isSilent: boolean;
+            url: string;
+        }) => Record<string, string | undefined>);
+        /**
+         * Extra body params to be added to the /token POST request.
+         *
+         * It will be used when for the initial request, whenever the token is getting refreshed and if you call `renewTokens()`.
+         * You can also provide this parameter directly to the `renewTokens()` method.
+         *
+         * It can be either a string to string record or a function that returns a string to string record.
+         *
+         * Example: extraTokenParams: ()=> ({ selectedCustomer: "xxx" })
+         *          extraTokenParams: { selectedCustomer: "xxx" }
+         */
+        extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
+        /**
+         * Default: false
+         *
+         * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+         */
+        noIframe?: boolean;
+        debugLogs?: boolean;
+        /**
+         * WARNING: This option exists solely as a workaround
+         * for limitations in the Google OAuth API.
+         * See: https://docs.oidc-spa.dev/providers-configuration/google-oauth
+         *
+         * Do not use this for other providers.
+         * If you think you need a client secret in a SPA, you are likely
+         * trying to use a confidential (private) client in the browser,
+         * which is insecure and not supported.
+         */
+        __unsafe_clientSecret?: string;
+        /**
+         * This option should only be used as a last resort.
+         *
+         * If your OIDC provider is correctly configured, this should not be necessary.
+         *
+         * The metadata is normally retrieved automatically from:
+         * `${issuerUri}/.well-known/openid-configuration`
+         *
+         * Use this only if that endpoint is not accessible (e.g. due to missing CORS headers
+         * or non-standard deployments), and you cannot fix the server-side configuration.
+         */
+        __metadata?: Partial<OidcMetadata>;
+        /**
+         *  WARNING: Setting this to true is a workaround for provider
+         *  like Google OAuth that don't support JWT access token.
+         *  Use at your own risk, this is a hack.
+         */
+        __unsafe_useIdTokenAsAccessToken?: boolean;
+        /**
+         * Let's you override the params passed to
+         * (if you weren't able to provide it)
+         */
+        BASE_URL?: string;
+    } & (AutoLogin extends true ? {} : {});
+    type Mock<AutoLogin, DecodedIdToken> = {
+        implementation: "mock";
+        issuerUri_mock?: string;
+        clientId_mock?: string;
+        decodedIdToken_mock?: DecodedIdToken;
+        /**
+         * Let's you override the params passed to
+         * (if you weren't able to provide it)
+         */
+        BASE_URL?: string;
+    } & (AutoLogin extends true ? {
+        isUserInitiallyLoggedIn?: true;
+    } : {
+        isUserInitiallyLoggedIn: boolean;
+    });
+}
+export type OidcSpaApi<AutoLogin, DecodedIdToken> = {
+    bootstrapOidc: (params: ParamsOfBootstrap<AutoLogin, DecodedIdToken>) => void;
+    useOidc: AutoLogin extends true ? UseOidc.WithAutoLogin<DecodedIdToken> : UseOidc<DecodedIdToken>;
+    getOidc: AutoLogin extends true ? GetOidc.WithAutoLogin<DecodedIdToken> : GetOidc<DecodedIdToken>;
+} & (AutoLogin extends true ? {
+    OidcInitializationErrorGate: (props: {
+        errorComponent: ComponentType<{
+            oidcInitializationError: OidcInitializationError;
+        }>;
+        children: ReactNode;
+    }) => ReactNode;
+} : {
+    enforceLogin: (loaderContext: {
+        request?: {
+            url?: string;
+        };
+        cause?: "preload" | string;
+        location?: {
+            href?: string;
+        };
+    }) => Promise<void | never>;
+    withLoginEnforced: <Props extends Record<string, unknown>>(component: ComponentType<Props>) => (props: Props) => ReactNode;
+});

package/react-spa/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/react-spa/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/react-spa/types.tsx"],"names":[],"mappings":""}

package/src/angular.ts

@@ -150,7 +150,7 @@ export type ParamsOfProvide = {
 assert<
     Equals<
         Omit<ParamsOfProvide, "autoLogoutWarningDurationSeconds">,
-        Omit<ParamsOfCreateOidc<any, boolean>, "homeUrl" | "decodedIdTokenSchema">
+        Omit<ParamsOfCreateOidc<any, boolean>, "homeUrl" | "BASE_URL" | "decodedIdTokenSchema">
     >
 >;
 

package/src/core/BASE_URL.ts

@@ -0,0 +1,9 @@
+let BASE_URL: string | undefined = undefined;
+
+export function getBASE_URL() {
+    return BASE_URL;
+}
+
+export function setBASE_URL(params: { BASE_URL: string }) {
+    BASE_URL = params.BASE_URL;
+}

package/src/core/createOidc.ts

@@ -51,6 +51,8 @@ import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 import type { WELL_KNOWN_PATH } from "./diagnostic";
 import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
+import { prShouldLoadApp } from "./prShouldLoadApp";
+import { getBASE_URL } from "./BASE_URL";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -59,14 +61,6 @@ export type ParamsOfCreateOidc<
     DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec,
     AutoLogin extends boolean = false
 > = {
-    /**
-     * What should you put in this parameter?
-     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
-     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
-     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
-     */
-    homeUrl: string;
-
     /**
      * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
      */
@@ -194,6 +188,22 @@ export type ParamsOfCreateOidc<
      * or non-standard deployments), and you cannot fix the server-side configuration.
      */
     __metadata?: Partial<OidcMetadata>;
+
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
+    BASE_URL?: string;
+
+    /** @deprecated: Use BASE_URL (same thing, just renamed). */
+    homeUrl?: string;
 };
 
 const globalContext = {
@@ -314,11 +324,31 @@ export async function createOidc_nonMemoized<
         log: typeof console.log | undefined;
     }
 ): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>> {
+    {
+        const timer = window.setTimeout(() => {
+            console.warn(
+                [
+                    "oidc-spa: Setup error.",
+                    "oidcEarlyInit() wasn't called.",
+                    "This is supposed to be handled by the oidc-spa Vite plugin",
+                    "or manually in other environments."
+                ].join(" ")
+            );
+        }, 3_000);
+
+        const shouldLoadApp = await prShouldLoadApp;
+
+        window.clearTimeout(timer);
+
+        if (!shouldLoadApp) {
+            return new Promise<never>(() => {});
+        }
+    }
+
     const {
         transformUrlBeforeRedirect,
         extraQueryParams: extraQueryParamsOrGetter,
         extraTokenParams: extraTokenParamsOrGetter,
-        homeUrl: homeUrl_params,
         decodedIdTokenSchema,
         idleSessionLifetimeInSeconds,
         autoLogoutParams = { redirectTo: "current page" },
@@ -330,6 +360,8 @@ export async function createOidc_nonMemoized<
         noIframe = false
     } = params;
 
+    const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
+
     const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
 
     const getExtraQueryParams = (() => {
@@ -357,7 +389,29 @@ export async function createOidc_nonMemoized<
     })();
 
     const homeUrlAndRedirectUri = toFullyQualifiedUrl({
-        urlish: homeUrl_params,
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+
+            const BASE_URL = getBASE_URL();
+
+            if (BASE_URL === undefined) {
+                throw new Error(
+                    [
+                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                        "you must provide the BASE_URL to the earlyInit() examples:",
+                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                        "",
+                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                        "or bootstrapOidc({ BASE_URL: '...' })"
+                    ].join("\n")
+                );
+            }
+
+            return BASE_URL;
+        })(),
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });

package/src/core/earlyInit.ts

@@ -7,6 +7,8 @@ import {
     preventSessionStorageSetItemOfPublicKeyByThirdParty
 } from "./iframeMessageProtection";
 import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
+import { setBASE_URL } from "./BASE_URL";
+import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
 import { isBrowser } from "../tools/isBrowser";
 
 let hasEarlyInitBeenCalled = false;
@@ -18,6 +20,7 @@ export function oidcEarlyInit(params: {
     // Will be made mandatory next major.
     freezeWebSocket?: boolean;
     isPostLoginRedirectManual?: boolean;
+    BASE_URL?: string;
 }) {
     if (hasEarlyInitBeenCalled) {
         throw new Error("oidc-spa: oidcEarlyInit() Should be called only once");
@@ -35,8 +38,9 @@ export function oidcEarlyInit(params: {
         freezeFetch,
         freezeXMLHttpRequest,
         freezeWebSocket = false,
-        isPostLoginRedirectManual = false
-    } = params ?? {};
+        isPostLoginRedirectManual = false,
+        BASE_URL
+    } = params;
 
     const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
 
@@ -83,8 +87,14 @@ export function oidcEarlyInit(params: {
         }
 
         preventSessionStorageSetItemOfPublicKeyByThirdParty();
+
+        if (BASE_URL !== undefined) {
+            setBASE_URL({ BASE_URL });
+        }
     }
 
+    resolvePrShouldLoadApp({ shouldLoadApp });
+
     return { shouldLoadApp };
 }
 
@@ -93,15 +103,8 @@ let redirectAuthResponse: AuthResponse | undefined = undefined;
 export function getRedirectAuthResponse():
     | { authResponse: AuthResponse; clearAuthResponse: () => void }
     | { authResponse: undefined; clearAuthResponse?: never } {
-    if (!hasEarlyInitBeenCalled) {
-        throw new Error(
-            [
-                "oidc-spa setup error.",
-                "oidcEarlyInit() wasn't called.",
-                "In newer version, using oidc-spa/entrypoint is no longer optional."
-            ].join(" ")
-        );
-    }
+    assert(hasEarlyInitBeenCalled, "34933395");
+
     return redirectAuthResponse === undefined
         ? { authResponse: undefined }
         : {

package/src/core/prShouldLoadApp.ts

@@ -0,0 +1,11 @@
+import { assert } from "../tools/tsafe/assert";
+
+let prShouldLoadApp_resolve: (shouldLoadApp: boolean) => void | undefined;
+
+export const prShouldLoadApp = new Promise<boolean>(resolve => (prShouldLoadApp_resolve = resolve));
+
+export function resolvePrShouldLoadApp(params: { shouldLoadApp: boolean }) {
+    const { shouldLoadApp } = params;
+    assert(prShouldLoadApp_resolve !== undefined);
+    prShouldLoadApp_resolve(shouldLoadApp);
+}

package/src/keycloak/keycloak-js/Keycloak.ts

@@ -23,7 +23,7 @@ import { type StatefulEvt, createStatefulEvt } from "../../tools/StatefulEvt";
 import { readExpirationTimeInJwt } from "../../tools/readExpirationTimeInJwt";
 
 type ConstructorParams = KeycloakServerConfig & {
-    homeUrl: string;
+    BASE_URL?: string;
 };
 
 /**
@@ -99,7 +99,7 @@ export class Keycloak {
         let hasCreateResolved = false;
 
         const oidcOrError = await createOidc({
-            homeUrl: constructorParams.homeUrl,
+            homeUrl: constructorParams.BASE_URL,
             issuerUri,
             clientId: this.#state.constructorParams.clientId,
             autoLogin,

package/src/mock/oidc.ts

@@ -5,6 +5,7 @@ import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
 import { getSearchParam, addOrUpdateSearchParam } from "../tools/urlSearchParams";
 import { getRootRelativeOriginalLocationHref } from "../core/earlyInit";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
+import { getBASE_URL } from "../core/BASE_URL";
 
 export type ParamsOfCreateMockOidc<
     DecodedIdToken extends Record<string, unknown> = Record<string, unknown>,
@@ -18,7 +19,11 @@ export type ParamsOfCreateMockOidc<
      * In the majority of cases it should be `homeUrl: "/"` but it could aso be something like `homeUrl: "/dashboard"`
      * if your web app isn't hosted at the root of the domain.
      */
-    homeUrl: string;
+    BASE_URL?: string;
+
+    /** @deprecated: Use BASE_URL (same thing, just renamed). */
+    homeUrl?: string;
+
     autoLogin?: AutoLogin;
     postLoginRedirectUrl?: string;
 } & (AutoLogin extends true
@@ -41,11 +46,12 @@ export async function createMockOidc<
         isUserInitiallyLoggedIn = true,
         mockedParams = {},
         mockedTokens = {},
-        homeUrl: homeUrl_params,
         autoLogin = false,
         postLoginRedirectUrl
     } = params;
 
+    const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
+
     const isUserLoggedIn = (() => {
         const { wasPresent, value } = getSearchParam({
             url: toFullyQualifiedUrl({
@@ -82,7 +88,7 @@ export async function createMockOidc<
     })();
 
     const homeUrl = toFullyQualifiedUrl({
-        urlish: homeUrl_params,
+        urlish: BASE_URL_params ?? getBASE_URL() ?? "/",
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });

package/src/react-spa/apiBuilder.ts

@@ -0,0 +1,70 @@
+import type { OidcSpaApi } from "./types";
+import type { Oidc as Oidc_core } from "../core";
+import type { ZodSchemaLike } from "../tools/ZodSchemaLike";
+import { createOidcSpaApi } from "./createOidcSpaApi";
+
+export type OidcSpaApiBuilder<
+    AutoLogin extends boolean = false,
+    DecodedIdToken extends Record<string, unknown> = Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec,
+    ExcludedMethod extends
+        | "withAutoLogin"
+        | "withExpectedDecodedIdTokenShape"
+        | "withAccessTokenValidation"
+        | "finalize" = never
+> = Omit<
+    {
+        withAutoLogin: () => OidcSpaApiBuilder<true, DecodedIdToken, ExcludedMethod | "withAutoLogin">;
+        withExpectedDecodedIdTokenShape: <DecodedIdToken extends Record<string, unknown>>(params: {
+            decodedIdTokenSchema: ZodSchemaLike<
+                Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec,
+                DecodedIdToken
+            >;
+            decodedIdToken_mock?: NoInfer<DecodedIdToken>;
+        }) => OidcSpaApiBuilder<
+            AutoLogin,
+            DecodedIdToken,
+            ExcludedMethod | "withExpectedDecodedIdTokenShape"
+        >;
+
+        finalize: () => OidcSpaApi<AutoLogin, DecodedIdToken>;
+    },
+    ExcludedMethod
+>;
+
+function createOidcSpaApiBuilder<
+    AutoLogin extends boolean = false,
+    DecodedIdToken extends Record<string, unknown> = Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec
+>(params: {
+    autoLogin: AutoLogin;
+    decodedIdTokenSchema:
+        | ZodSchemaLike<Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec, DecodedIdToken>
+        | undefined;
+    decodedIdToken_mock: DecodedIdToken | undefined;
+}): OidcSpaApiBuilder<AutoLogin, DecodedIdToken> {
+    return {
+        withAutoLogin: () =>
+            createOidcSpaApiBuilder({
+                autoLogin: true,
+                decodedIdTokenSchema: params.decodedIdTokenSchema,
+                decodedIdToken_mock: params.decodedIdToken_mock
+            }),
+        withExpectedDecodedIdTokenShape: ({ decodedIdTokenSchema, decodedIdToken_mock }) =>
+            createOidcSpaApiBuilder({
+                autoLogin: params.autoLogin,
+                decodedIdTokenSchema,
+                decodedIdToken_mock: decodedIdToken_mock
+            }),
+        finalize: () =>
+            createOidcSpaApi<AutoLogin, DecodedIdToken>({
+                autoLogin: params.autoLogin,
+                decodedIdTokenSchema: params.decodedIdTokenSchema,
+                decodedIdToken_mock: params.decodedIdToken_mock
+            })
+    };
+}
+
+export const oidcSpaApiBuilder = createOidcSpaApiBuilder({
+    autoLogin: false,
+    decodedIdToken_mock: undefined,
+    decodedIdTokenSchema: undefined
+});