oidc-spa 8.1.15 → 8.2.1

package/core/BASE_URL.d.ts

@@ -0,0 +1,4 @@
+export declare function getBASE_URL(): string | undefined;
+export declare function setBASE_URL(params: {
+    BASE_URL: string;
+}): void;

package/core/BASE_URL.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBASE_URL = getBASE_URL;
+exports.setBASE_URL = setBASE_URL;
+let BASE_URL = undefined;
+function getBASE_URL() {
+    return BASE_URL;
+}
+function setBASE_URL(params) {
+    BASE_URL = params.BASE_URL;
+}
+//# sourceMappingURL=BASE_URL.js.map

package/core/BASE_URL.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"BASE_URL.js","sourceRoot":"","sources":["../src/core/BASE_URL.ts"],"names":[],"mappings":";;AAEA,kCAEC;AAED,kCAEC;AARD,IAAI,QAAQ,GAAuB,SAAS,CAAC;AAE7C,SAAgB,WAAW;IACvB,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,SAAgB,WAAW,CAAC,MAA4B;IACpD,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;AAC/B,CAAC"}

package/core/OidcMetadata.d.ts

@@ -1,3 +1,4 @@
+import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
 /**
  * OpenID Providers have metadata describing their configuration.
  *
@@ -264,3 +265,7 @@ export type OidcMetadata = {
      */
     code_challenge_methods_supported: string[];
 };
+export declare const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+export declare function fetchOidcMetadata(params: {
+    issuerUri: string;
+}): Promise<Partial<OidcClientTsOidcMetadata> | undefined>;

package/core/OidcMetadata.js

@@ -1,5 +1,61 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.WELL_KNOWN_PATH = void 0;
+exports.fetchOidcMetadata = fetchOidcMetadata;
 const assert_1 = require("../tools/tsafe/assert");
+const isLikelyDevServer_1 = require("../tools/isLikelyDevServer");
 assert_1.assert;
+exports.WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+function getSessionStorageKey(params) {
+    const { issuerUri } = params;
+    return `oidc-spa:openid-configuration:${issuerUri}`;
+}
+function readSessionStorage(params) {
+    const { issuerUri } = params;
+    const value = sessionStorage.getItem(getSessionStorageKey({ issuerUri }));
+    if (value === null) {
+        return undefined;
+    }
+    return JSON.parse(value);
+}
+function setSessionStorage(params) {
+    const { issuerUri, oidcMetadata } = params;
+    sessionStorage.setItem(getSessionStorageKey({ issuerUri }), JSON.stringify(oidcMetadata));
+}
+async function fetchOidcMetadata(params) {
+    const { issuerUri } = params;
+    from_cache: {
+        const oidcMetadata = readSessionStorage({ issuerUri });
+        if (oidcMetadata === undefined) {
+            break from_cache;
+        }
+        return oidcMetadata;
+    }
+    let oidcMetadata;
+    try {
+        const response = await fetch(`${issuerUri}${exports.WELL_KNOWN_PATH}`, {
+            headers: {
+                Accept: "application/jwk-set+json, application/json"
+            }
+        });
+        if (!response.ok) {
+            throw new Error();
+        }
+        const obj = await response.json();
+        {
+            const { authorization_endpoint } = obj;
+            if (typeof authorization_endpoint !== "string") {
+                throw new Error();
+            }
+        }
+        oidcMetadata = obj;
+    }
+    catch {
+        return undefined;
+    }
+    if (!(0, isLikelyDevServer_1.getIsLikelyDevServer)()) {
+        setSessionStorage({ issuerUri, oidcMetadata });
+    }
+    return oidcMetadata;
+}
 //# sourceMappingURL=OidcMetadata.js.map

package/core/OidcMetadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../src/core/OidcMetadata.ts"],"names":[],"mappings":";;AACA,kDAA4D;AA6Q5D,eAAsD,CAAC"}
+{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../src/core/OidcMetadata.ts"],"names":[],"mappings":";;;AA2SA,8CA8CC;AAxVD,kDAA4D;AAC5D,kEAAkE;AA6QlE,eAAsD,CAAC;AAE1C,QAAA,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAsC,CAAC;AAClE,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,uBAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,IAAA,wCAAoB,GAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}

package/core/createOidc.d.ts

@@ -1,13 +1,6 @@
-import type { OidcMetadata } from "./OidcMetadata";
+import { type OidcMetadata } from "./OidcMetadata";
 import type { Oidc } from "./Oidc";
 export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false> = {
-    /**
-     * What should you put in this parameter?
-     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
-     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
-     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
-     */
-    homeUrl: string;
     /**
      * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
      */
@@ -129,6 +122,20 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      * or non-standard deployments), and you cannot fix the server-side configuration.
      */
     __metadata?: Partial<OidcMetadata>;
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
+    BASE_URL?: string;
+    /** @deprecated: Use BASE_URL (same thing, just renamed). */
+    homeUrl?: string;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;

package/core/createOidc.js

@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOidc = createOidc;
 exports.createOidc_nonMemoized = createOidc_nonMemoized;
 const oidc_client_ts_1 = require("../vendor/frontend/oidc-client-ts");
+const OidcMetadata_1 = require("./OidcMetadata");
 const assert_1 = require("../tools/tsafe/assert");
 const id_1 = require("../tools/tsafe/id");
 const workerTimers_1 = require("../tools/workerTimers");
@@ -63,9 +64,12 @@ const isNewBrowserSession_1 = require("./isNewBrowserSession");
 const getIsOnline_1 = require("../tools/getIsOnline");
 const isKeycloak_1 = require("../keycloak/isKeycloak");
 const INFINITY_TIME_1 = require("../tools/INFINITY_TIME");
-const getIsValidRemoteJson_1 = require("../tools/getIsValidRemoteJson");
+const prShouldLoadApp_1 = require("./prShouldLoadApp");
+const BASE_URL_1 = require("./BASE_URL");
+const isLikelyDevServer_1 = require("../tools/isLikelyDevServer");
+const createObjectThatThrowsIfAccessed_1 = require("../tools/createObjectThatThrowsIfAccessed");
 // NOTE: Replaced at build time
-const VERSION = "8.1.15";
+const VERSION = "8.2.1";
 const globalContext = {
     prOidcByConfigId: new Map(),
     hasLogoutBeenCalled: (0, id_1.id)(false),
@@ -139,7 +143,23 @@ async function createOidc(params) {
     return oidc;
 }
 async function createOidc_nonMemoized(params, preProcessedParams) {
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, homeUrl: homeUrl_params, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    {
+        const timer = window.setTimeout(() => {
+            console.warn([
+                "oidc-spa: Setup error.",
+                "oidcEarlyInit() wasn't called.",
+                "This is supposed to be handled by the oidc-spa Vite plugin",
+                "or manually in other environments."
+            ].join(" "));
+        }, 3000);
+        const shouldLoadApp = await prShouldLoadApp_1.prShouldLoadApp;
+        window.clearTimeout(timer);
+        if (!shouldLoadApp) {
+            return new Promise(() => { });
+        }
+    }
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
     const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
     const getExtraQueryParams = (() => {
         if (extraQueryParamsOrGetter === undefined) {
@@ -160,7 +180,24 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
         return extraTokenParamsOrGetter;
     })();
     const homeUrlAndRedirectUri = (0, toFullyQualifiedUrl_1.toFullyQualifiedUrl)({
-        urlish: homeUrl_params,
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+            const BASE_URL = (0, BASE_URL_1.getBASE_URL)();
+            if (BASE_URL === undefined) {
+                throw new Error([
+                    "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                    "you must provide the BASE_URL to the earlyInit() examples:",
+                    "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                    "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                    "",
+                    "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                    "or bootstrapOidc({ BASE_URL: '...' })"
+                ].join("\n"));
+            }
+            return BASE_URL;
+        })(),
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });
@@ -172,71 +209,168 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
         homeUrlAndRedirectUri
     }, null, 2)}`);
     const stateUrlParamValue_instance = (0, StateData_1.generateStateUrlParamValue)();
+    const oidcMetadata = __metadata ?? (await (0, OidcMetadata_1.fetchOidcMetadata)({ issuerUri }));
     const canUseIframe = (() => {
         if (noIframe) {
             return false;
         }
         third_party_cookies: {
-            const isOidcServerThirdPartyRelativeToApp = (0, haveSharedParentDomain_1.getHaveSharedParentDomain)({
+            if (oidcMetadata === undefined) {
+                return false;
+            }
+            const { authorization_endpoint } = oidcMetadata;
+            (0, assert_1.assert)(authorization_endpoint !== undefined, "Missing authorization_endpoint on the provided __metadata");
+            const isOidcServerThirdPartyRelativeToApp = !(0, haveSharedParentDomain_1.getHaveSharedParentDomain)({
                 url1: window.location.origin,
-                url2: issuerUri
-            }) === false;
+                // TODO: No, here we should test against the authorization endpoint!
+                url2: authorization_endpoint
+            });
             if (!isOidcServerThirdPartyRelativeToApp) {
                 break third_party_cookies;
             }
-            const isGoogleChrome = (() => {
-                const ua = navigator.userAgent;
-                const vendor = navigator.vendor;
-                return (/Chrome/.test(ua) && /Google Inc/.test(vendor) && !/Edg/.test(ua) && !/OPR/.test(ua));
+            const isLikelyDevServer = (0, isLikelyDevServer_1.getIsLikelyDevServer)();
+            const domain_auth = new URL(authorization_endpoint).origin.split("//")[1];
+            (0, assert_1.assert)(domain_auth !== undefined, "33921384");
+            const domain_here = window.location.origin.split("//")[1];
+            let isWellKnownProviderDomain = false;
+            let isIp = false;
+            const suggestedDeployments = (() => {
+                if (/^(?:\d{1,3}\.){3}\d{1,3}$|^\[?[A-Fa-f0-9:]+\]?$/.test(domain_auth)) {
+                    isIp = true;
+                    return [];
+                }
+                const baseDomain = (() => {
+                    const segments = domain_auth.split(".");
+                    if (segments.length >= 3) {
+                        segments.shift();
+                    }
+                    return segments.join(".");
+                })();
+                {
+                    const baseDomain_low = baseDomain.toLowerCase();
+                    if (baseDomain_low.includes("auth0") ||
+                        baseDomain_low.includes("clerk") ||
+                        baseDomain_low.includes("microsoft") ||
+                        baseDomain_low.includes("okta") ||
+                        baseDomain_low.includes("aws")) {
+                        isWellKnownProviderDomain = true;
+                        return [];
+                    }
+                }
+                const baseUrl = new URL(homeUrlAndRedirectUri).pathname;
+                return [
+                    `myapp.${baseDomain}`,
+                    baseDomain === domain_auth ? undefined : baseDomain,
+                    `${baseDomain}/${baseUrl === "/" ? "dashboard" : baseUrl}`
+                ].filter(x => x !== undefined);
             })();
-            if (window.location.origin.startsWith("http://localhost") && isGoogleChrome) {
-                break third_party_cookies;
+            if (isLikelyDevServer) {
+                log?.([
+                    "Detected localhost environment.",
+                    "\nWhen reloading while logged in, you may briefly see",
+                    "some URL params appear in the address bar.",
+                    "\nThis happens because session restore via iframe is disabled,",
+                    "the browser treats your auth server as a third party.",
+                    `\nAuth server: ${domain_auth}`,
+                    `\nApp domain:  ${domain_here}`,
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check your provider's docs, some allow configuring",
+                                `a your custom domain at least for the authorization endpoint.`,
+                                "\nIf configured, oidc-spa will restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nOnce deployed under the same root domain as your auth server,",
+                            "oidc-spa will use iframes to restore sessions silently.",
+                            "\nSuggested deployments:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\n\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
+            }
+            else {
+                log?.([
+                    "Silent session restore via iframe is disabled.",
+                    `\nAuth server: ${domain_auth}`,
+                    `App domain:  ${domain_here}`,
+                    "\nThey do not share a common root domain.",
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check if you can configure a custom auth domain.",
+                                "\nIf so, oidc-spa can restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nTo improve the experience, here are some examples of deployment for your app:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
             }
-            log?.([
-                "Can't use iframe because your auth server is on a third party domain relative",
-                "to the domain of your app and third party cookies are blocked by navigators."
-            ].join(" "));
             return false;
         }
-        // NOTE: Maybe not, it depend if the app can iframe itself.
         return true;
     })();
-    let isUserStoreInMemoryOnly;
-    const oidcClientTsUserManager = new oidc_client_ts_1.UserManager({
-        stateUrlParamValue: stateUrlParamValue_instance,
-        authority: issuerUri,
-        client_id: clientId,
-        redirect_uri: homeUrlAndRedirectUri,
-        silent_redirect_uri: homeUrlAndRedirectUri,
-        post_logout_redirect_uri: homeUrlAndRedirectUri,
-        response_mode: (0, isKeycloak_1.isKeycloak)({ issuerUri }) ? "fragment" : "query",
-        response_type: "code",
-        scope: Array.from(new Set(["openid", ...scopes])).join(" "),
-        automaticSilentRenew: false,
-        userStore: new oidc_client_ts_1.WebStorageStateStore({
-            store: (() => {
-                if (canUseIframe) {
-                    isUserStoreInMemoryOnly = true;
-                    return new oidc_client_ts_1.InMemoryWebStorage();
-                }
-                isUserStoreInMemoryOnly = false;
-                const storage = (0, EphemeralSessionStorage_1.createEphemeralSessionStorage)({
-                    sessionStorageTtlMs: 3 * 60000
-                });
-                const { evtRequestToPersistTokens } = globalContext;
-                evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                    if (configIdOfInstancePostingTheRequest === configId) {
-                        return;
+    let isUserStoreInMemoryOnly = undefined;
+    const oidcClientTsUserManager = oidcMetadata === undefined
+        ? (0, createObjectThatThrowsIfAccessed_1.createObjectThatThrowsIfAccessed)({
+            debugMessage: "oidc-spa: Wrong assertion 43943"
+        })
+        : new oidc_client_ts_1.UserManager({
+            stateUrlParamValue: stateUrlParamValue_instance,
+            authority: issuerUri,
+            client_id: clientId,
+            redirect_uri: homeUrlAndRedirectUri,
+            silent_redirect_uri: homeUrlAndRedirectUri,
+            post_logout_redirect_uri: homeUrlAndRedirectUri,
+            response_mode: (0, isKeycloak_1.isKeycloak)({ issuerUri }) ? "fragment" : "query",
+            response_type: "code",
+            scope: Array.from(new Set(["openid", ...scopes])).join(" "),
+            automaticSilentRenew: false,
+            userStore: new oidc_client_ts_1.WebStorageStateStore({
+                store: (() => {
+                    if (canUseIframe) {
+                        isUserStoreInMemoryOnly = true;
+                        return new oidc_client_ts_1.InMemoryWebStorage();
                     }
-                    storage.persistCurrentStateAndSubsequentChanges();
-                });
-                return storage;
-            })()
-        }),
-        stateStore: new oidc_client_ts_1.WebStorageStateStore({ store: localStorage, prefix: StateData_1.STATE_STORE_KEY_PREFIX }),
-        client_secret: __unsafe_clientSecret,
-        metadata: __metadata
-    });
+                    isUserStoreInMemoryOnly = false;
+                    const storage = (0, EphemeralSessionStorage_1.createEphemeralSessionStorage)({
+                        sessionStorageTtlMs: 3 * 60000
+                    });
+                    const { evtRequestToPersistTokens } = globalContext;
+                    evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
+                        if (configIdOfInstancePostingTheRequest === configId) {
+                            return;
+                        }
+                        storage.persistCurrentStateAndSubsequentChanges();
+                    });
+                    return storage;
+                })()
+            }),
+            stateStore: new oidc_client_ts_1.WebStorageStateStore({
+                store: localStorage,
+                prefix: StateData_1.STATE_STORE_KEY_PREFIX
+            }),
+            client_secret: __unsafe_clientSecret,
+            metadata: oidcMetadata
+        });
     const evtInitializationOutcomeUserNotLoggedIn = (0, Evt_1.createEvt)();
     const { loginOrGoToAuthServer } = (0, loginOrGoToAuthServer_1.createLoginOrGoToAuthServer)({
         configId,
@@ -254,6 +388,11 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
     });
     const { completeLoginOrRefreshProcess } = await (0, ongoingLoginOrRefreshProcesses_1.startLoginOrRefreshProcess)();
     const resultOfLoginProcess = await (async () => {
+        if (oidcMetadata === undefined) {
+            return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
+                issuerUri
+            });
+        }
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse = undefined;
             get_stateData_and_authResponse: {
@@ -383,6 +522,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
         // NOTE: We almost never persist tokens, we have to only to support edge case
         // of multiple oidc instance in a single App with no iframe support.
         restore_from_session_storage: {
+            (0, assert_1.assert)(isUserStoreInMemoryOnly !== undefined, "3392204");
             if (isUserStoreInMemoryOnly) {
                 break restore_from_session_storage;
             }
@@ -440,11 +580,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     break actual_silent_signin;
                 }
                 if (!canUseIframe) {
-                    if (!(await (0, getIsValidRemoteJson_1.getIsValidRemoteJson)(`${issuerUri}${(0, id_1.id)("/.well-known/openid-configuration")}`))) {
-                        return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                            issuerUri
-                        });
-                    }
                     break actual_silent_signin;
                 }
                 log?.("Trying to restore the auth from the http only cookie (silent signin with iframe)");
@@ -459,21 +594,13 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     log
                 });
                 (0, assert_1.assert)(result_loginSilent.outcome !== "token refreshed using refresh token", "876995");
-                if (result_loginSilent.outcome === "failure") {
-                    switch (result_loginSilent.cause) {
-                        case "can't reach well-known oidc endpoint":
-                            return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                                issuerUri
-                            });
-                        case "timeout":
-                            return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createIframeTimeoutInitializationError({
-                                redirectUri: homeUrlAndRedirectUri,
-                                clientId,
-                                issuerUri,
-                                noIframe
-                            });
-                    }
-                    (0, assert_1.assert)(false);
+                if (result_loginSilent.outcome === "timeout") {
+                    return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createIframeTimeoutInitializationError({
+                        redirectUri: homeUrlAndRedirectUri,
+                        clientId,
+                        issuerUri,
+                        noIframe
+                    });
                 }
                 (0, assert_1.assert)();
                 const { authResponse } = result_loginSilent;
@@ -517,8 +644,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                             configIdOfInstancePostingTheRequest: configId
                         });
                     }
-                    const dCantFetchWellKnownEndpointOrNever = new Deferred_1.Deferred();
-                    loginOrGoToAuthServer({
+                    await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
                         redirectUrl: (0, earlyInit_1.getRootRelativeOriginalLocationHref)(),
@@ -535,15 +661,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                                 return "directly redirect if active session show login otherwise";
                             }
                             return "ensure no interaction";
-                        })(),
-                        onCantFetchWellKnownEndpointError: () => {
-                            dCantFetchWellKnownEndpointOrNever.resolve();
-                        }
-                    });
-                    await dCantFetchWellKnownEndpointOrNever.pr;
-                    return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createFailedToFetchTokenEndpointInitializationError({
-                        clientId,
-                        issuerUri
+                        })()
                     });
                 }
                 if (authResponse_error !== undefined) {
@@ -630,11 +748,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                             transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
                             interaction: (0, persistedAuthState_1.getPersistedAuthState)({ configId }) === "explicitly logged out"
                                 ? "ensure interaction"
-                                : "directly redirect if active session show login otherwise",
-                            onCantFetchWellKnownEndpointError: () => {
-                                log?.("Login called but the auth server seems to be down..");
-                                alert("Authentication unavailable please try again later.");
-                            }
+                                : "directly redirect if active session show login otherwise"
                         });
                     },
                     initializationError: undefined
@@ -818,14 +932,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                        interaction: "directly redirect if active session show login otherwise",
-                        onCantFetchWellKnownEndpointError: () => {
-                            log?.([
-                                "The auth server seems to be down while we needed to refresh the token",
-                                "with a full page redirect. Reloading the page"
-                            ].join(" "));
-                            window.location.reload();
-                        }
+                        interaction: "directly redirect if active session show login otherwise"
                     });
                     (0, assert_1.assert)(false, "136134");
                 };
@@ -851,9 +958,9 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     autoLogin,
                     log
                 });
-                if (result_loginSilent.outcome === "failure") {
+                if (result_loginSilent.outcome === "timeout") {
                     log?.([
-                        `Silent refresh of the token failed with ${result_loginSilent.cause}.`,
+                        `Silent refresh of the token failed the iframe didn't post a response (timeout).`,
                         `This isn't recoverable, reloading the page.`
                     ].join(" "));
                     window.location.reload();
@@ -991,11 +1098,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             action: "go to auth server",
             redirectUrl: redirectUrl ?? window.location.href,
             extraQueryParams_local: extraQueryParams,
-            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
-            onCantFetchWellKnownEndpointError: () => {
-                log?.("goToAuthServer called but the auth server seems to be down..");
-                alert("Authentication unavailable please try again later.");
-            }
+            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
         }),
         backFromAuthServer: resultOfLoginProcess.backFromAuthServer,
         isNewBrowserSession: (() => {