oidc-spa 8.1.15 → 8.2.1

package/src/core/createOidc.ts

@@ -4,7 +4,7 @@ import {
     type User as OidcClientTsUser,
     InMemoryWebStorage
 } from "../vendor/frontend/oidc-client-ts";
-import type { OidcMetadata } from "./OidcMetadata";
+import { type OidcMetadata, fetchOidcMetadata } from "./OidcMetadata";
 import { assert, is, type Equals } from "../tools/tsafe/assert";
 import { id } from "../tools/tsafe/id";
 import { setTimeout, clearTimeout } from "../tools/workerTimers";
@@ -49,8 +49,10 @@ import { createGetIsNewBrowserSession } from "./isNewBrowserSession";
 import { getIsOnline } from "../tools/getIsOnline";
 import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
-import type { WELL_KNOWN_PATH } from "./diagnostic";
-import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
+import { prShouldLoadApp } from "./prShouldLoadApp";
+import { getBASE_URL } from "./BASE_URL";
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
+import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -59,14 +61,6 @@ export type ParamsOfCreateOidc<
     DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec,
     AutoLogin extends boolean = false
 > = {
-    /**
-     * What should you put in this parameter?
-     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
-     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
-     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
-     */
-    homeUrl: string;
-
     /**
      * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
      */
@@ -194,6 +188,22 @@ export type ParamsOfCreateOidc<
      * or non-standard deployments), and you cannot fix the server-side configuration.
      */
     __metadata?: Partial<OidcMetadata>;
+
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
+    BASE_URL?: string;
+
+    /** @deprecated: Use BASE_URL (same thing, just renamed). */
+    homeUrl?: string;
 };
 
 const globalContext = {
@@ -314,11 +324,31 @@ export async function createOidc_nonMemoized<
         log: typeof console.log | undefined;
     }
 ): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>> {
+    {
+        const timer = window.setTimeout(() => {
+            console.warn(
+                [
+                    "oidc-spa: Setup error.",
+                    "oidcEarlyInit() wasn't called.",
+                    "This is supposed to be handled by the oidc-spa Vite plugin",
+                    "or manually in other environments."
+                ].join(" ")
+            );
+        }, 3_000);
+
+        const shouldLoadApp = await prShouldLoadApp;
+
+        window.clearTimeout(timer);
+
+        if (!shouldLoadApp) {
+            return new Promise<never>(() => {});
+        }
+    }
+
     const {
         transformUrlBeforeRedirect,
         extraQueryParams: extraQueryParamsOrGetter,
         extraTokenParams: extraTokenParamsOrGetter,
-        homeUrl: homeUrl_params,
         decodedIdTokenSchema,
         idleSessionLifetimeInSeconds,
         autoLogoutParams = { redirectTo: "current page" },
@@ -330,6 +360,8 @@ export async function createOidc_nonMemoized<
         noIframe = false
     } = params;
 
+    const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
+
     const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
 
     const getExtraQueryParams = (() => {
@@ -357,7 +389,29 @@ export async function createOidc_nonMemoized<
     })();
 
     const homeUrlAndRedirectUri = toFullyQualifiedUrl({
-        urlish: homeUrl_params,
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+
+            const BASE_URL = getBASE_URL();
+
+            if (BASE_URL === undefined) {
+                throw new Error(
+                    [
+                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                        "you must provide the BASE_URL to the earlyInit() examples:",
+                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                        "",
+                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                        "or bootstrapOidc({ BASE_URL: '...' })"
+                    ].join("\n")
+                );
+            }
+
+            return BASE_URL;
+        })(),
         doAssertNoQueryParams: true,
         doOutputWithTrailingSlash: true
     });
@@ -378,92 +432,212 @@ export async function createOidc_nonMemoized<
 
     const stateUrlParamValue_instance = generateStateUrlParamValue();
 
+    const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
+
     const canUseIframe = (() => {
         if (noIframe) {
             return false;
         }
 
         third_party_cookies: {
-            const isOidcServerThirdPartyRelativeToApp =
-                getHaveSharedParentDomain({
-                    url1: window.location.origin,
-                    url2: issuerUri
-                }) === false;
-
-            if (!isOidcServerThirdPartyRelativeToApp) {
-                break third_party_cookies;
+            if (oidcMetadata === undefined) {
+                return false;
             }
 
-            const isGoogleChrome = (() => {
-                const ua = navigator.userAgent;
-                const vendor = navigator.vendor;
+            const { authorization_endpoint } = oidcMetadata;
 
-                return (
-                    /Chrome/.test(ua) && /Google Inc/.test(vendor) && !/Edg/.test(ua) && !/OPR/.test(ua)
-                );
-            })();
+            assert(
+                authorization_endpoint !== undefined,
+                "Missing authorization_endpoint on the provided __metadata"
+            );
+
+            const isOidcServerThirdPartyRelativeToApp = !getHaveSharedParentDomain({
+                url1: window.location.origin,
+                // TODO: No, here we should test against the authorization endpoint!
+                url2: authorization_endpoint
+            });
 
-            if (window.location.origin.startsWith("http://localhost") && isGoogleChrome) {
+            if (!isOidcServerThirdPartyRelativeToApp) {
                 break third_party_cookies;
             }
 
-            log?.(
-                [
-                    "Can't use iframe because your auth server is on a third party domain relative",
-                    "to the domain of your app and third party cookies are blocked by navigators."
-                ].join(" ")
-            );
+            const isLikelyDevServer = getIsLikelyDevServer();
 
-            return false;
-        }
+            const domain_auth = new URL(authorization_endpoint).origin.split("//")[1];
 
-        // NOTE: Maybe not, it depend if the app can iframe itself.
-        return true;
-    })();
+            assert(domain_auth !== undefined, "33921384");
+
+            const domain_here = window.location.origin.split("//")[1];
+
+            let isWellKnownProviderDomain = false;
+            let isIp = false;
 
-    let isUserStoreInMemoryOnly: boolean;
-
-    const oidcClientTsUserManager = new OidcClientTsUserManager({
-        stateUrlParamValue: stateUrlParamValue_instance,
-        authority: issuerUri,
-        client_id: clientId,
-        redirect_uri: homeUrlAndRedirectUri,
-        silent_redirect_uri: homeUrlAndRedirectUri,
-        post_logout_redirect_uri: homeUrlAndRedirectUri,
-        response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
-        response_type: "code",
-        scope: Array.from(new Set(["openid", ...scopes])).join(" "),
-        automaticSilentRenew: false,
-        userStore: new WebStorageStateStore({
-            store: (() => {
-                if (canUseIframe) {
-                    isUserStoreInMemoryOnly = true;
-                    return new InMemoryWebStorage();
+            const suggestedDeployments = (() => {
+                if (/^(?:\d{1,3}\.){3}\d{1,3}$|^\[?[A-Fa-f0-9:]+\]?$/.test(domain_auth)) {
+                    isIp = true;
+                    return [];
                 }
 
-                isUserStoreInMemoryOnly = false;
+                const baseDomain = (() => {
+                    const segments = domain_auth.split(".");
 
-                const storage = createEphemeralSessionStorage({
-                    sessionStorageTtlMs: 3 * 60_000
-                });
+                    if (segments.length >= 3) {
+                        segments.shift();
+                    }
+                    return segments.join(".");
+                })();
 
-                const { evtRequestToPersistTokens } = globalContext;
+                {
+                    const baseDomain_low = baseDomain.toLowerCase();
 
-                evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                    if (configIdOfInstancePostingTheRequest === configId) {
-                        return;
+                    if (
+                        baseDomain_low.includes("auth0") ||
+                        baseDomain_low.includes("clerk") ||
+                        baseDomain_low.includes("microsoft") ||
+                        baseDomain_low.includes("okta") ||
+                        baseDomain_low.includes("aws")
+                    ) {
+                        isWellKnownProviderDomain = true;
+                        return [];
                     }
+                }
 
-                    storage.persistCurrentStateAndSubsequentChanges();
-                });
+                const baseUrl = new URL(homeUrlAndRedirectUri).pathname;
 
-                return storage;
-            })()
-        }),
-        stateStore: new WebStorageStateStore({ store: localStorage, prefix: STATE_STORE_KEY_PREFIX }),
-        client_secret: __unsafe_clientSecret,
-        metadata: __metadata
-    });
+                return [
+                    `myapp.${baseDomain}`,
+                    baseDomain === domain_auth ? undefined : baseDomain,
+                    `${baseDomain}/${baseUrl === "/" ? "dashboard" : baseUrl}`
+                ].filter(x => x !== undefined);
+            })();
+
+            if (isLikelyDevServer) {
+                log?.(
+                    [
+                        "Detected localhost environment.",
+                        "\nWhen reloading while logged in, you may briefly see",
+                        "some URL params appear in the address bar.",
+                        "\nThis happens because session restore via iframe is disabled,",
+                        "the browser treats your auth server as a third party.",
+                        `\nAuth server: ${domain_auth}`,
+                        `\nApp domain:  ${domain_here}`,
+                        ...(() => {
+                            if (isIp) {
+                                return [];
+                            }
+
+                            if (isWellKnownProviderDomain) {
+                                return [
+                                    "\nYou seem to be using a well-known auth provider.",
+                                    "Check your provider's docs, some allow configuring",
+                                    `a your custom domain at least for the authorization endpoint.`,
+                                    "\nIf configured, oidc-spa will restore sessions silently",
+                                    "and improve the user experience."
+                                ];
+                            }
+
+                            return [
+                                "\nOnce deployed under the same root domain as your auth server,",
+                                "oidc-spa will use iframes to restore sessions silently.",
+                                "\nSuggested deployments:",
+                                ...suggestedDeployments.map(d => `\n  • ${d}`)
+                            ];
+                        })(),
+                        "\n\nMore info:",
+                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    ].join(" ")
+                );
+            } else {
+                log?.(
+                    [
+                        "Silent session restore via iframe is disabled.",
+                        `\nAuth server: ${domain_auth}`,
+                        `App domain:  ${domain_here}`,
+                        "\nThey do not share a common root domain.",
+                        ...(() => {
+                            if (isIp) {
+                                return [];
+                            }
+
+                            if (isWellKnownProviderDomain) {
+                                return [
+                                    "\nYou seem to be using a well-known auth provider.",
+                                    "Check if you can configure a custom auth domain.",
+                                    "\nIf so, oidc-spa can restore sessions silently",
+                                    "and improve the user experience."
+                                ];
+                            }
+
+                            return [
+                                "\nTo improve the experience, here are some examples of deployment for your app:",
+                                ...suggestedDeployments.map(d => `\n  • ${d}`)
+                            ];
+                        })(),
+                        "\nMore info:",
+                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    ].join(" ")
+                );
+            }
+
+            return false;
+        }
+
+        return true;
+    })();
+
+    let isUserStoreInMemoryOnly: boolean | undefined = undefined;
+
+    const oidcClientTsUserManager =
+        oidcMetadata === undefined
+            ? createObjectThatThrowsIfAccessed<OidcClientTsUserManager>({
+                  debugMessage: "oidc-spa: Wrong assertion 43943"
+              })
+            : new OidcClientTsUserManager({
+                  stateUrlParamValue: stateUrlParamValue_instance,
+                  authority: issuerUri,
+                  client_id: clientId,
+                  redirect_uri: homeUrlAndRedirectUri,
+                  silent_redirect_uri: homeUrlAndRedirectUri,
+                  post_logout_redirect_uri: homeUrlAndRedirectUri,
+                  response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
+                  response_type: "code",
+                  scope: Array.from(new Set(["openid", ...scopes])).join(" "),
+                  automaticSilentRenew: false,
+                  userStore: new WebStorageStateStore({
+                      store: (() => {
+                          if (canUseIframe) {
+                              isUserStoreInMemoryOnly = true;
+                              return new InMemoryWebStorage();
+                          }
+
+                          isUserStoreInMemoryOnly = false;
+
+                          const storage = createEphemeralSessionStorage({
+                              sessionStorageTtlMs: 3 * 60_000
+                          });
+
+                          const { evtRequestToPersistTokens } = globalContext;
+
+                          evtRequestToPersistTokens.subscribe(
+                              ({ configIdOfInstancePostingTheRequest }) => {
+                                  if (configIdOfInstancePostingTheRequest === configId) {
+                                      return;
+                                  }
+
+                                  storage.persistCurrentStateAndSubsequentChanges();
+                              }
+                          );
+
+                          return storage;
+                      })()
+                  }),
+                  stateStore: new WebStorageStateStore({
+                      store: localStorage,
+                      prefix: STATE_STORE_KEY_PREFIX
+                  }),
+                  client_secret: __unsafe_clientSecret,
+                  metadata: oidcMetadata
+              });
 
     const evtInitializationOutcomeUserNotLoggedIn = createEvt<void>();
 
@@ -493,6 +667,14 @@ export async function createOidc_nonMemoized<
               backFromAuthServer: Oidc.LoggedIn["backFromAuthServer"]; // Undefined is silent signin
           }
     > => {
+        if (oidcMetadata === undefined) {
+            return (
+                await import("./diagnostic")
+            ).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
+                issuerUri
+            });
+        }
+
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse:
                 | { stateData: StateData.Redirect; authResponse: AuthResponse }
@@ -677,6 +859,8 @@ export async function createOidc_nonMemoized<
         // NOTE: We almost never persist tokens, we have to only to support edge case
         // of multiple oidc instance in a single App with no iframe support.
         restore_from_session_storage: {
+            assert(isUserStoreInMemoryOnly !== undefined, "3392204");
+
             if (isUserStoreInMemoryOnly) {
                 break restore_from_session_storage;
             }
@@ -747,20 +931,6 @@ export async function createOidc_nonMemoized<
                 }
 
                 if (!canUseIframe) {
-                    if (
-                        !(await getIsValidRemoteJson(
-                            `${issuerUri}${id<typeof WELL_KNOWN_PATH>(
-                                "/.well-known/openid-configuration"
-                            )}`
-                        ))
-                    ) {
-                        return (
-                            await import("./diagnostic")
-                        ).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                            issuerUri
-                        });
-                    }
-
                     break actual_silent_signin;
                 }
 
@@ -781,26 +951,13 @@ export async function createOidc_nonMemoized<
 
                 assert(result_loginSilent.outcome !== "token refreshed using refresh token", "876995");
 
-                if (result_loginSilent.outcome === "failure") {
-                    switch (result_loginSilent.cause) {
-                        case "can't reach well-known oidc endpoint":
-                            return (
-                                await import("./diagnostic")
-                            ).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                                issuerUri
-                            });
-                        case "timeout":
-                            return (await import("./diagnostic")).createIframeTimeoutInitializationError(
-                                {
-                                    redirectUri: homeUrlAndRedirectUri,
-                                    clientId,
-                                    issuerUri,
-                                    noIframe
-                                }
-                            );
-                    }
-
-                    assert<Equals<typeof result_loginSilent.cause, never>>(false);
+                if (result_loginSilent.outcome === "timeout") {
+                    return (await import("./diagnostic")).createIframeTimeoutInitializationError({
+                        redirectUri: homeUrlAndRedirectUri,
+                        clientId,
+                        issuerUri,
+                        noIframe
+                    });
                 }
 
                 assert<Equals<typeof result_loginSilent.outcome, "got auth response from iframe">>();
@@ -864,9 +1021,7 @@ export async function createOidc_nonMemoized<
                         });
                     }
 
-                    const dCantFetchWellKnownEndpointOrNever = new Deferred<void | never>();
-
-                    loginOrGoToAuthServer({
+                    await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
                         redirectUrl: getRootRelativeOriginalLocationHref(),
@@ -885,19 +1040,7 @@ export async function createOidc_nonMemoized<
                             }
 
                             return "ensure no interaction";
-                        })(),
-                        onCantFetchWellKnownEndpointError: () => {
-                            dCantFetchWellKnownEndpointOrNever.resolve();
-                        }
-                    });
-
-                    await dCantFetchWellKnownEndpointOrNever.pr;
-
-                    return (
-                        await import("./diagnostic")
-                    ).createFailedToFetchTokenEndpointInitializationError({
-                        clientId,
-                        issuerUri
+                        })()
                     });
                 }
 
@@ -1018,11 +1161,7 @@ export async function createOidc_nonMemoized<
                             interaction:
                                 getPersistedAuthState({ configId }) === "explicitly logged out"
                                     ? "ensure interaction"
-                                    : "directly redirect if active session show login otherwise",
-                            onCantFetchWellKnownEndpointError: () => {
-                                log?.("Login called but the auth server seems to be down..");
-                                alert("Authentication unavailable please try again later.");
-                            }
+                                    : "directly redirect if active session show login otherwise"
                         });
                     },
                     initializationError: undefined
@@ -1254,16 +1393,7 @@ export async function createOidc_nonMemoized<
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                        interaction: "directly redirect if active session show login otherwise",
-                        onCantFetchWellKnownEndpointError: () => {
-                            log?.(
-                                [
-                                    "The auth server seems to be down while we needed to refresh the token",
-                                    "with a full page redirect. Reloading the page"
-                                ].join(" ")
-                            );
-                            window.location.reload();
-                        }
+                        interaction: "directly redirect if active session show login otherwise"
                     });
                     assert(false, "136134");
                 };
@@ -1298,10 +1428,10 @@ export async function createOidc_nonMemoized<
                     log
                 });
 
-                if (result_loginSilent.outcome === "failure") {
+                if (result_loginSilent.outcome === "timeout") {
                     log?.(
                         [
-                            `Silent refresh of the token failed with ${result_loginSilent.cause}.`,
+                            `Silent refresh of the token failed the iframe didn't post a response (timeout).`,
                             `This isn't recoverable, reloading the page.`
                         ].join(" ")
                     );
@@ -1491,11 +1621,7 @@ export async function createOidc_nonMemoized<
                 action: "go to auth server",
                 redirectUrl: redirectUrl ?? window.location.href,
                 extraQueryParams_local: extraQueryParams,
-                transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
-                onCantFetchWellKnownEndpointError: () => {
-                    log?.("goToAuthServer called but the auth server seems to be down..");
-                    alert("Authentication unavailable please try again later.");
-                }
+                transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
             }),
         backFromAuthServer: resultOfLoginProcess.backFromAuthServer,
         isNewBrowserSession: (() => {

package/src/core/diagnostic.ts

@@ -1,8 +1,7 @@
 import { OidcInitializationError } from "./OidcInitializationError";
 import { isKeycloak, createKeycloakUtils } from "../keycloak";
 import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
-
-export const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+import { WELL_KNOWN_PATH } from "./OidcMetadata";
 
 export async function createWellKnownOidcConfigurationEndpointUnreachableInitializationError(params: {
     issuerUri: string;
@@ -95,6 +94,16 @@ export async function createIframeTimeoutInitializationError(params: {
 }): Promise<OidcInitializationError> {
     const { redirectUri, issuerUri, clientId, noIframe } = params;
 
+    check_if_well_known_endpoint_is_reachable: {
+        const isValid = await getIsValidRemoteJson(`${issuerUri}${WELL_KNOWN_PATH}`);
+
+        if (isValid) {
+            break check_if_well_known_endpoint_is_reachable;
+        }
+
+        return createWellKnownOidcConfigurationEndpointUnreachableInitializationError({ issuerUri });
+    }
+
     iframe_blocked: {
         if (noIframe) {
             break iframe_blocked;
@@ -233,6 +242,16 @@ export async function createFailedToFetchTokenEndpointInitializationError(params
 }) {
     const { issuerUri, clientId } = params;
 
+    check_if_well_known_endpoint_is_reachable: {
+        const isValid = await getIsValidRemoteJson(`${issuerUri}${WELL_KNOWN_PATH}`);
+
+        if (isValid) {
+            break check_if_well_known_endpoint_is_reachable;
+        }
+
+        return createWellKnownOidcConfigurationEndpointUnreachableInitializationError({ issuerUri });
+    }
+
     return new OidcInitializationError({
         isAuthServerLikelyDown: false,
         messageOrCause: [

package/src/core/earlyInit.ts

@@ -7,6 +7,8 @@ import {
     preventSessionStorageSetItemOfPublicKeyByThirdParty
 } from "./iframeMessageProtection";
 import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
+import { setBASE_URL } from "./BASE_URL";
+import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
 import { isBrowser } from "../tools/isBrowser";
 
 let hasEarlyInitBeenCalled = false;
@@ -18,6 +20,7 @@ export function oidcEarlyInit(params: {
     // Will be made mandatory next major.
     freezeWebSocket?: boolean;
     isPostLoginRedirectManual?: boolean;
+    BASE_URL?: string;
 }) {
     if (hasEarlyInitBeenCalled) {
         throw new Error("oidc-spa: oidcEarlyInit() Should be called only once");
@@ -35,8 +38,9 @@ export function oidcEarlyInit(params: {
         freezeFetch,
         freezeXMLHttpRequest,
         freezeWebSocket = false,
-        isPostLoginRedirectManual = false
-    } = params ?? {};
+        isPostLoginRedirectManual = false,
+        BASE_URL
+    } = params;
 
     const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
 
@@ -83,8 +87,14 @@ export function oidcEarlyInit(params: {
         }
 
         preventSessionStorageSetItemOfPublicKeyByThirdParty();
+
+        if (BASE_URL !== undefined) {
+            setBASE_URL({ BASE_URL });
+        }
     }
 
+    resolvePrShouldLoadApp({ shouldLoadApp });
+
     return { shouldLoadApp };
 }
 
@@ -93,15 +103,8 @@ let redirectAuthResponse: AuthResponse | undefined = undefined;
 export function getRedirectAuthResponse():
     | { authResponse: AuthResponse; clearAuthResponse: () => void }
     | { authResponse: undefined; clearAuthResponse?: never } {
-    if (!hasEarlyInitBeenCalled) {
-        throw new Error(
-            [
-                "oidc-spa setup error.",
-                "oidcEarlyInit() wasn't called.",
-                "In newer version, using oidc-spa/entrypoint is no longer optional."
-            ].join(" ")
-        );
-    }
+    assert(hasEarlyInitBeenCalled, "34933395");
+
     return redirectAuthResponse === undefined
         ? { authResponse: undefined }
         : {