oidc-spa 8.1.15 → 8.2.1

package/esm/core/OidcMetadata.js

@@ -1,3 +1,57 @@
 import { assert } from "../tools/tsafe/assert";
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
 assert;
+export const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+function getSessionStorageKey(params) {
+    const { issuerUri } = params;
+    return `oidc-spa:openid-configuration:${issuerUri}`;
+}
+function readSessionStorage(params) {
+    const { issuerUri } = params;
+    const value = sessionStorage.getItem(getSessionStorageKey({ issuerUri }));
+    if (value === null) {
+        return undefined;
+    }
+    return JSON.parse(value);
+}
+function setSessionStorage(params) {
+    const { issuerUri, oidcMetadata } = params;
+    sessionStorage.setItem(getSessionStorageKey({ issuerUri }), JSON.stringify(oidcMetadata));
+}
+export async function fetchOidcMetadata(params) {
+    const { issuerUri } = params;
+    from_cache: {
+        const oidcMetadata = readSessionStorage({ issuerUri });
+        if (oidcMetadata === undefined) {
+            break from_cache;
+        }
+        return oidcMetadata;
+    }
+    let oidcMetadata;
+    try {
+        const response = await fetch(`${issuerUri}${WELL_KNOWN_PATH}`, {
+            headers: {
+                Accept: "application/jwk-set+json, application/json"
+            }
+        });
+        if (!response.ok) {
+            throw new Error();
+        }
+        const obj = await response.json();
+        {
+            const { authorization_endpoint } = obj;
+            if (typeof authorization_endpoint !== "string") {
+                throw new Error();
+            }
+        }
+        oidcMetadata = obj;
+    }
+    catch {
+        return undefined;
+    }
+    if (!getIsLikelyDevServer()) {
+        setSessionStorage({ issuerUri, oidcMetadata });
+    }
+    return oidcMetadata;
+}
 //# sourceMappingURL=OidcMetadata.js.map

package/esm/core/OidcMetadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AA6Q5D,MAAsD,CAAC"}
+{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AA6QlE,MAAsD,CAAC;AAEvD,MAAM,CAAC,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAsC,CAAC;AAClE,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,eAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}

package/esm/core/createOidc.d.ts

@@ -1,13 +1,6 @@
-import type { OidcMetadata } from "./OidcMetadata";
+import { type OidcMetadata } from "./OidcMetadata";
 import type { Oidc } from "./Oidc";
 export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false> = {
-    /**
-     * What should you put in this parameter?
-     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
-     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
-     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
-     */
-    homeUrl: string;
     /**
      * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
      */
@@ -129,6 +122,20 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      * or non-standard deployments), and you cannot fix the server-side configuration.
      */
     __metadata?: Partial<OidcMetadata>;
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
+    BASE_URL?: string;
+    /** @deprecated: Use BASE_URL (same thing, just renamed). */
+    homeUrl?: string;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;

package/esm/core/createOidc.js

@@ -1,4 +1,5 @@
 import { UserManager as OidcClientTsUserManager, WebStorageStateStore, InMemoryWebStorage } from "../vendor/frontend/oidc-client-ts";
+import { fetchOidcMetadata } from "./OidcMetadata";
 import { assert, is } from "../tools/tsafe/assert";
 import { id } from "../tools/tsafe/id";
 import { setTimeout, clearTimeout } from "../tools/workerTimers";
@@ -26,9 +27,12 @@ import { createGetIsNewBrowserSession } from "./isNewBrowserSession";
 import { getIsOnline } from "../tools/getIsOnline";
 import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
-import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
+import { prShouldLoadApp } from "./prShouldLoadApp";
+import { getBASE_URL } from "./BASE_URL";
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
+import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
 // NOTE: Replaced at build time
-const VERSION = "8.1.15";
+const VERSION = "8.2.1";
 const globalContext = {
     prOidcByConfigId: new Map(),
     hasLogoutBeenCalled: id(false),
@@ -102,7 +106,23 @@ export async function createOidc(params) {
     return oidc;
 }
 export async function createOidc_nonMemoized(params, preProcessedParams) {
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, homeUrl: homeUrl_params, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    {
+        const timer = window.setTimeout(() => {
+            console.warn([
+                "oidc-spa: Setup error.",
+                "oidcEarlyInit() wasn't called.",
+                "This is supposed to be handled by the oidc-spa Vite plugin",
+                "or manually in other environments."
+            ].join(" "));
+        }, 3000);
+        const shouldLoadApp = await prShouldLoadApp;
+        window.clearTimeout(timer);
+        if (!shouldLoadApp) {
+            return new Promise(() => { });
+        }
+    }
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
     const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
     const getExtraQueryParams = (() => {
         if (extraQueryParamsOrGetter === undefined) {
@@ -123,7 +143,24 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
         return extraTokenParamsOrGetter;
     })();
     const homeUrlAndRedirectUri = toFullyQualifiedUrl({
-        urlish: homeUrl_params,
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+            const BASE_URL = getBASE_URL();
+            if (BASE_URL === undefined) {
+                throw new Error([
+                    "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                    "you must provide the BASE_URL to the earlyInit() examples:",
+                    "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                    "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                    "",
+                    "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                    "or bootstrapOidc({ BASE_URL: '...' })"
+                ].join("\n"));
+            }
+            return BASE_URL;
+        })(),
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });
@@ -135,71 +172,168 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
         homeUrlAndRedirectUri
     }, null, 2)}`);
     const stateUrlParamValue_instance = generateStateUrlParamValue();
+    const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
     const canUseIframe = (() => {
         if (noIframe) {
             return false;
         }
         third_party_cookies: {
-            const isOidcServerThirdPartyRelativeToApp = getHaveSharedParentDomain({
+            if (oidcMetadata === undefined) {
+                return false;
+            }
+            const { authorization_endpoint } = oidcMetadata;
+            assert(authorization_endpoint !== undefined, "Missing authorization_endpoint on the provided __metadata");
+            const isOidcServerThirdPartyRelativeToApp = !getHaveSharedParentDomain({
                 url1: window.location.origin,
-                url2: issuerUri
-            }) === false;
+                // TODO: No, here we should test against the authorization endpoint!
+                url2: authorization_endpoint
+            });
             if (!isOidcServerThirdPartyRelativeToApp) {
                 break third_party_cookies;
             }
-            const isGoogleChrome = (() => {
-                const ua = navigator.userAgent;
-                const vendor = navigator.vendor;
-                return (/Chrome/.test(ua) && /Google Inc/.test(vendor) && !/Edg/.test(ua) && !/OPR/.test(ua));
+            const isLikelyDevServer = getIsLikelyDevServer();
+            const domain_auth = new URL(authorization_endpoint).origin.split("//")[1];
+            assert(domain_auth !== undefined, "33921384");
+            const domain_here = window.location.origin.split("//")[1];
+            let isWellKnownProviderDomain = false;
+            let isIp = false;
+            const suggestedDeployments = (() => {
+                if (/^(?:\d{1,3}\.){3}\d{1,3}$|^\[?[A-Fa-f0-9:]+\]?$/.test(domain_auth)) {
+                    isIp = true;
+                    return [];
+                }
+                const baseDomain = (() => {
+                    const segments = domain_auth.split(".");
+                    if (segments.length >= 3) {
+                        segments.shift();
+                    }
+                    return segments.join(".");
+                })();
+                {
+                    const baseDomain_low = baseDomain.toLowerCase();
+                    if (baseDomain_low.includes("auth0") ||
+                        baseDomain_low.includes("clerk") ||
+                        baseDomain_low.includes("microsoft") ||
+                        baseDomain_low.includes("okta") ||
+                        baseDomain_low.includes("aws")) {
+                        isWellKnownProviderDomain = true;
+                        return [];
+                    }
+                }
+                const baseUrl = new URL(homeUrlAndRedirectUri).pathname;
+                return [
+                    `myapp.${baseDomain}`,
+                    baseDomain === domain_auth ? undefined : baseDomain,
+                    `${baseDomain}/${baseUrl === "/" ? "dashboard" : baseUrl}`
+                ].filter(x => x !== undefined);
             })();
-            if (window.location.origin.startsWith("http://localhost") && isGoogleChrome) {
-                break third_party_cookies;
+            if (isLikelyDevServer) {
+                log?.([
+                    "Detected localhost environment.",
+                    "\nWhen reloading while logged in, you may briefly see",
+                    "some URL params appear in the address bar.",
+                    "\nThis happens because session restore via iframe is disabled,",
+                    "the browser treats your auth server as a third party.",
+                    `\nAuth server: ${domain_auth}`,
+                    `\nApp domain:  ${domain_here}`,
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check your provider's docs, some allow configuring",
+                                `a your custom domain at least for the authorization endpoint.`,
+                                "\nIf configured, oidc-spa will restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nOnce deployed under the same root domain as your auth server,",
+                            "oidc-spa will use iframes to restore sessions silently.",
+                            "\nSuggested deployments:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\n\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
+            }
+            else {
+                log?.([
+                    "Silent session restore via iframe is disabled.",
+                    `\nAuth server: ${domain_auth}`,
+                    `App domain:  ${domain_here}`,
+                    "\nThey do not share a common root domain.",
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check if you can configure a custom auth domain.",
+                                "\nIf so, oidc-spa can restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nTo improve the experience, here are some examples of deployment for your app:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
             }
-            log?.([
-                "Can't use iframe because your auth server is on a third party domain relative",
-                "to the domain of your app and third party cookies are blocked by navigators."
-            ].join(" "));
             return false;
         }
-        // NOTE: Maybe not, it depend if the app can iframe itself.
         return true;
     })();
-    let isUserStoreInMemoryOnly;
-    const oidcClientTsUserManager = new OidcClientTsUserManager({
-        stateUrlParamValue: stateUrlParamValue_instance,
-        authority: issuerUri,
-        client_id: clientId,
-        redirect_uri: homeUrlAndRedirectUri,
-        silent_redirect_uri: homeUrlAndRedirectUri,
-        post_logout_redirect_uri: homeUrlAndRedirectUri,
-        response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
-        response_type: "code",
-        scope: Array.from(new Set(["openid", ...scopes])).join(" "),
-        automaticSilentRenew: false,
-        userStore: new WebStorageStateStore({
-            store: (() => {
-                if (canUseIframe) {
-                    isUserStoreInMemoryOnly = true;
-                    return new InMemoryWebStorage();
-                }
-                isUserStoreInMemoryOnly = false;
-                const storage = createEphemeralSessionStorage({
-                    sessionStorageTtlMs: 3 * 60000
-                });
-                const { evtRequestToPersistTokens } = globalContext;
-                evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                    if (configIdOfInstancePostingTheRequest === configId) {
-                        return;
+    let isUserStoreInMemoryOnly = undefined;
+    const oidcClientTsUserManager = oidcMetadata === undefined
+        ? createObjectThatThrowsIfAccessed({
+            debugMessage: "oidc-spa: Wrong assertion 43943"
+        })
+        : new OidcClientTsUserManager({
+            stateUrlParamValue: stateUrlParamValue_instance,
+            authority: issuerUri,
+            client_id: clientId,
+            redirect_uri: homeUrlAndRedirectUri,
+            silent_redirect_uri: homeUrlAndRedirectUri,
+            post_logout_redirect_uri: homeUrlAndRedirectUri,
+            response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
+            response_type: "code",
+            scope: Array.from(new Set(["openid", ...scopes])).join(" "),
+            automaticSilentRenew: false,
+            userStore: new WebStorageStateStore({
+                store: (() => {
+                    if (canUseIframe) {
+                        isUserStoreInMemoryOnly = true;
+                        return new InMemoryWebStorage();
                     }
-                    storage.persistCurrentStateAndSubsequentChanges();
-                });
-                return storage;
-            })()
-        }),
-        stateStore: new WebStorageStateStore({ store: localStorage, prefix: STATE_STORE_KEY_PREFIX }),
-        client_secret: __unsafe_clientSecret,
-        metadata: __metadata
-    });
+                    isUserStoreInMemoryOnly = false;
+                    const storage = createEphemeralSessionStorage({
+                        sessionStorageTtlMs: 3 * 60000
+                    });
+                    const { evtRequestToPersistTokens } = globalContext;
+                    evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
+                        if (configIdOfInstancePostingTheRequest === configId) {
+                            return;
+                        }
+                        storage.persistCurrentStateAndSubsequentChanges();
+                    });
+                    return storage;
+                })()
+            }),
+            stateStore: new WebStorageStateStore({
+                store: localStorage,
+                prefix: STATE_STORE_KEY_PREFIX
+            }),
+            client_secret: __unsafe_clientSecret,
+            metadata: oidcMetadata
+        });
     const evtInitializationOutcomeUserNotLoggedIn = createEvt();
     const { loginOrGoToAuthServer } = createLoginOrGoToAuthServer({
         configId,
@@ -217,6 +351,11 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
     });
     const { completeLoginOrRefreshProcess } = await startLoginOrRefreshProcess();
     const resultOfLoginProcess = await (async () => {
+        if (oidcMetadata === undefined) {
+            return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
+                issuerUri
+            });
+        }
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse = undefined;
             get_stateData_and_authResponse: {
@@ -346,6 +485,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
         // NOTE: We almost never persist tokens, we have to only to support edge case
         // of multiple oidc instance in a single App with no iframe support.
         restore_from_session_storage: {
+            assert(isUserStoreInMemoryOnly !== undefined, "3392204");
             if (isUserStoreInMemoryOnly) {
                 break restore_from_session_storage;
             }
@@ -403,11 +543,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     break actual_silent_signin;
                 }
                 if (!canUseIframe) {
-                    if (!(await getIsValidRemoteJson(`${issuerUri}${id("/.well-known/openid-configuration")}`))) {
-                        return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                            issuerUri
-                        });
-                    }
                     break actual_silent_signin;
                 }
                 log?.("Trying to restore the auth from the http only cookie (silent signin with iframe)");
@@ -422,21 +557,13 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     log
                 });
                 assert(result_loginSilent.outcome !== "token refreshed using refresh token", "876995");
-                if (result_loginSilent.outcome === "failure") {
-                    switch (result_loginSilent.cause) {
-                        case "can't reach well-known oidc endpoint":
-                            return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                                issuerUri
-                            });
-                        case "timeout":
-                            return (await import("./diagnostic")).createIframeTimeoutInitializationError({
-                                redirectUri: homeUrlAndRedirectUri,
-                                clientId,
-                                issuerUri,
-                                noIframe
-                            });
-                    }
-                    assert(false);
+                if (result_loginSilent.outcome === "timeout") {
+                    return (await import("./diagnostic")).createIframeTimeoutInitializationError({
+                        redirectUri: homeUrlAndRedirectUri,
+                        clientId,
+                        issuerUri,
+                        noIframe
+                    });
                 }
                 assert();
                 const { authResponse } = result_loginSilent;
@@ -480,8 +607,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             configIdOfInstancePostingTheRequest: configId
                         });
                     }
-                    const dCantFetchWellKnownEndpointOrNever = new Deferred();
-                    loginOrGoToAuthServer({
+                    await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
                         redirectUrl: getRootRelativeOriginalLocationHref(),
@@ -498,15 +624,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                                 return "directly redirect if active session show login otherwise";
                             }
                             return "ensure no interaction";
-                        })(),
-                        onCantFetchWellKnownEndpointError: () => {
-                            dCantFetchWellKnownEndpointOrNever.resolve();
-                        }
-                    });
-                    await dCantFetchWellKnownEndpointOrNever.pr;
-                    return (await import("./diagnostic")).createFailedToFetchTokenEndpointInitializationError({
-                        clientId,
-                        issuerUri
+                        })()
                     });
                 }
                 if (authResponse_error !== undefined) {
@@ -593,11 +711,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
                             interaction: getPersistedAuthState({ configId }) === "explicitly logged out"
                                 ? "ensure interaction"
-                                : "directly redirect if active session show login otherwise",
-                            onCantFetchWellKnownEndpointError: () => {
-                                log?.("Login called but the auth server seems to be down..");
-                                alert("Authentication unavailable please try again later.");
-                            }
+                                : "directly redirect if active session show login otherwise"
                         });
                     },
                     initializationError: undefined
@@ -781,14 +895,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                        interaction: "directly redirect if active session show login otherwise",
-                        onCantFetchWellKnownEndpointError: () => {
-                            log?.([
-                                "The auth server seems to be down while we needed to refresh the token",
-                                "with a full page redirect. Reloading the page"
-                            ].join(" "));
-                            window.location.reload();
-                        }
+                        interaction: "directly redirect if active session show login otherwise"
                     });
                     assert(false, "136134");
                 };
@@ -814,9 +921,9 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     autoLogin,
                     log
                 });
-                if (result_loginSilent.outcome === "failure") {
+                if (result_loginSilent.outcome === "timeout") {
                     log?.([
-                        `Silent refresh of the token failed with ${result_loginSilent.cause}.`,
+                        `Silent refresh of the token failed the iframe didn't post a response (timeout).`,
                         `This isn't recoverable, reloading the page.`
                     ].join(" "));
                     window.location.reload();
@@ -954,11 +1061,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             action: "go to auth server",
             redirectUrl: redirectUrl ?? window.location.href,
             extraQueryParams_local: extraQueryParams,
-            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
-            onCantFetchWellKnownEndpointError: () => {
-                log?.("goToAuthServer called but the auth server seems to be down..");
-                alert("Authentication unavailable please try again later.");
-            }
+            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
         }),
         backFromAuthServer: resultOfLoginProcess.backFromAuthServer,
         isNewBrowserSession: (() => {