oidc-spa 8.2.0 → 8.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. package/core/AuthResponse.d.ts +0 -5
  2. package/core/AuthResponse.js +0 -25
  3. package/core/AuthResponse.js.map +1 -1
  4. package/core/OidcMetadata.d.ts +5 -0
  5. package/core/OidcMetadata.js +56 -0
  6. package/core/OidcMetadata.js.map +1 -1
  7. package/core/createOidc.d.ts +4 -3
  8. package/core/createOidc.js +229 -197
  9. package/core/createOidc.js.map +1 -1
  10. package/core/diagnostic.d.ts +0 -1
  11. package/core/diagnostic.js +18 -5
  12. package/core/diagnostic.js.map +1 -1
  13. package/core/instancesThatCantUseIframes.d.ts +2 -0
  14. package/core/instancesThatCantUseIframes.js +20 -0
  15. package/core/instancesThatCantUseIframes.js.map +1 -0
  16. package/core/loginOrGoToAuthServer.d.ts +1 -1
  17. package/core/loginOrGoToAuthServer.js +4 -16
  18. package/core/loginOrGoToAuthServer.js.map +1 -1
  19. package/core/loginSilent.d.ts +1 -2
  20. package/core/loginSilent.js +3 -21
  21. package/core/loginSilent.js.map +1 -1
  22. package/core/persistedAuthState.d.ts +1 -0
  23. package/core/persistedAuthState.js +14 -4
  24. package/core/persistedAuthState.js.map +1 -1
  25. package/esm/core/AuthResponse.d.ts +0 -5
  26. package/esm/core/AuthResponse.js +0 -23
  27. package/esm/core/AuthResponse.js.map +1 -1
  28. package/esm/core/OidcMetadata.d.ts +5 -0
  29. package/esm/core/OidcMetadata.js +54 -0
  30. package/esm/core/OidcMetadata.js.map +1 -1
  31. package/esm/core/createOidc.d.ts +4 -3
  32. package/esm/core/createOidc.js +230 -198
  33. package/esm/core/createOidc.js.map +1 -1
  34. package/esm/core/diagnostic.d.ts +0 -1
  35. package/esm/core/diagnostic.js +15 -1
  36. package/esm/core/diagnostic.js.map +1 -1
  37. package/esm/core/instancesThatCantUseIframes.d.ts +2 -0
  38. package/esm/core/instancesThatCantUseIframes.js +16 -0
  39. package/esm/core/instancesThatCantUseIframes.js.map +1 -0
  40. package/esm/core/loginOrGoToAuthServer.d.ts +1 -1
  41. package/esm/core/loginOrGoToAuthServer.js +4 -16
  42. package/esm/core/loginOrGoToAuthServer.js.map +1 -1
  43. package/esm/core/loginSilent.d.ts +1 -2
  44. package/esm/core/loginSilent.js +3 -21
  45. package/esm/core/loginSilent.js.map +1 -1
  46. package/esm/core/persistedAuthState.d.ts +1 -0
  47. package/esm/core/persistedAuthState.js +14 -4
  48. package/esm/core/persistedAuthState.js.map +1 -1
  49. package/esm/keycloak/keycloakIssuerUriParsed.js +8 -1
  50. package/esm/keycloak/keycloakIssuerUriParsed.js.map +1 -1
  51. package/esm/tools/isLikelyDevServer.d.ts +1 -0
  52. package/esm/tools/isLikelyDevServer.js +14 -0
  53. package/esm/tools/isLikelyDevServer.js.map +1 -0
  54. package/esm/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +2 -4
  55. package/esm/tools/lazySessionStorage.js +81 -0
  56. package/esm/tools/lazySessionStorage.js.map +1 -0
  57. package/keycloak/keycloakIssuerUriParsed.js +8 -1
  58. package/keycloak/keycloakIssuerUriParsed.js.map +1 -1
  59. package/package.json +1 -1
  60. package/src/core/AuthResponse.ts +0 -36
  61. package/src/core/OidcMetadata.ts +75 -0
  62. package/src/core/createOidc.ts +277 -264
  63. package/src/core/diagnostic.ts +21 -2
  64. package/src/core/instancesThatCantUseIframes.ts +24 -0
  65. package/src/core/loginOrGoToAuthServer.ts +5 -22
  66. package/src/core/loginSilent.ts +4 -27
  67. package/src/core/persistedAuthState.ts +27 -5
  68. package/src/keycloak/keycloakIssuerUriParsed.ts +10 -1
  69. package/src/tools/isLikelyDevServer.ts +17 -0
  70. package/src/tools/lazySessionStorage.ts +119 -0
  71. package/src/vite-plugin/manageOptimizedDeps.ts +2 -0
  72. package/tools/isLikelyDevServer.d.ts +1 -0
  73. package/tools/isLikelyDevServer.js +17 -0
  74. package/tools/isLikelyDevServer.js.map +1 -0
  75. package/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +2 -4
  76. package/tools/lazySessionStorage.js +84 -0
  77. package/tools/lazySessionStorage.js.map +1 -0
  78. package/vite-plugin/manageOptimizedDeps.js +1 -0
  79. package/vite-plugin/manageOptimizedDeps.js.map +1 -1
  80. package/esm/tools/EphemeralSessionStorage.js +0 -143
  81. package/esm/tools/EphemeralSessionStorage.js.map +0 -1
  82. package/src/tools/EphemeralSessionStorage.ts +0 -225
  83. package/tools/EphemeralSessionStorage.js +0 -146
  84. package/tools/EphemeralSessionStorage.js.map +0 -1
@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
36
36
  exports.createOidc = createOidc;
37
37
  exports.createOidc_nonMemoized = createOidc_nonMemoized;
38
38
  const oidc_client_ts_1 = require("../vendor/frontend/oidc-client-ts");
39
+ const OidcMetadata_1 = require("./OidcMetadata");
39
40
  const assert_1 = require("../tools/tsafe/assert");
40
41
  const id_1 = require("../tools/tsafe/id");
41
42
  const workerTimers_1 = require("../tools/workerTimers");
@@ -57,32 +58,23 @@ const persistedAuthState_1 = require("./persistedAuthState");
57
58
  const Evt_1 = require("../tools/Evt");
58
59
  const haveSharedParentDomain_1 = require("../tools/haveSharedParentDomain");
59
60
  const loginOrGoToAuthServer_1 = require("./loginOrGoToAuthServer");
60
- const EphemeralSessionStorage_1 = require("../tools/EphemeralSessionStorage");
61
+ const lazySessionStorage_1 = require("../tools/lazySessionStorage");
61
62
  const ongoingLoginOrRefreshProcesses_1 = require("./ongoingLoginOrRefreshProcesses");
62
63
  const isNewBrowserSession_1 = require("./isNewBrowserSession");
63
64
  const getIsOnline_1 = require("../tools/getIsOnline");
64
65
  const isKeycloak_1 = require("../keycloak/isKeycloak");
65
66
  const INFINITY_TIME_1 = require("../tools/INFINITY_TIME");
66
- const getIsValidRemoteJson_1 = require("../tools/getIsValidRemoteJson");
67
67
  const prShouldLoadApp_1 = require("./prShouldLoadApp");
68
68
  const BASE_URL_1 = require("./BASE_URL");
69
+ const isLikelyDevServer_1 = require("../tools/isLikelyDevServer");
70
+ const createObjectThatThrowsIfAccessed_1 = require("../tools/createObjectThatThrowsIfAccessed");
71
+ const instancesThatCantUseIframes_1 = require("./instancesThatCantUseIframes");
69
72
  // NOTE: Replaced at build time
70
- const VERSION = "8.2.0";
73
+ const VERSION = "8.2.2";
71
74
  const globalContext = {
72
75
  prOidcByConfigId: new Map(),
73
- hasLogoutBeenCalled: (0, id_1.id)(false),
74
- evtRequestToPersistTokens: (0, Evt_1.createEvt)()
76
+ hasLogoutBeenCalled: (0, id_1.id)(false)
75
77
  };
76
- globalContext.evtRequestToPersistTokens.subscribe(() => {
77
- const { authResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
78
- if (authResponse === undefined) {
79
- return;
80
- }
81
- const { authResponses } = (0, AuthResponse_1.getPersistedRedirectAuthResponses)();
82
- (0, AuthResponse_1.setPersistedRedirectAuthResponses)({
83
- authResponses: [...authResponses, authResponse]
84
- });
85
- });
86
78
  /** @see: https://docs.oidc-spa.dev/v/v8/usage */
87
79
  async function createOidc(params) {
88
80
  for (const name of ["issuerUri", "clientId"]) {
@@ -91,7 +83,7 @@ async function createOidc(params) {
91
83
  throw new Error(`The parameter "${name}" is required, you provided: ${value}. (Forgot a .env variable?)`);
92
84
  }
93
85
  }
94
- const { issuerUri: issuerUri_params, clientId, scopes = ["profile"], debugLogs, ...rest } = params;
86
+ const { issuerUri: issuerUri_params, clientId, debugLogs, ...rest } = params;
95
87
  const issuerUri = (0, toFullyQualifiedUrl_1.toFullyQualifiedUrl)({
96
88
  urlish: issuerUri_params,
97
89
  doAssertNoQueryParams: true,
@@ -133,7 +125,6 @@ async function createOidc(params) {
133
125
  const oidc = await createOidc_nonMemoized(rest, {
134
126
  issuerUri,
135
127
  clientId,
136
- scopes,
137
128
  configId,
138
129
  log
139
130
  });
@@ -156,9 +147,9 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
156
147
  return new Promise(() => { });
157
148
  }
158
149
  }
159
- const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
150
+ const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false, scopes = ["openid", "profile"] } = params;
160
151
  const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
161
- const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
152
+ const { issuerUri, clientId, configId, log } = preProcessedParams;
162
153
  const getExtraQueryParams = (() => {
163
154
  if (extraQueryParamsOrGetter === undefined) {
164
155
  return undefined;
@@ -203,75 +194,174 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
203
194
  issuerUri,
204
195
  clientId,
205
196
  scopes,
206
- configId,
207
- homeUrlAndRedirectUri
197
+ oidcRedirectUri: homeUrlAndRedirectUri
208
198
  }, null, 2)}`);
209
199
  const stateUrlParamValue_instance = (0, StateData_1.generateStateUrlParamValue)();
200
+ const oidcMetadata = __metadata ?? (await (0, OidcMetadata_1.fetchOidcMetadata)({ issuerUri }));
210
201
  const canUseIframe = (() => {
211
202
  if (noIframe) {
212
203
  return false;
213
204
  }
214
205
  third_party_cookies: {
215
- const isOidcServerThirdPartyRelativeToApp = (0, haveSharedParentDomain_1.getHaveSharedParentDomain)({
206
+ if (oidcMetadata === undefined) {
207
+ return false;
208
+ }
209
+ const { authorization_endpoint } = oidcMetadata;
210
+ (0, assert_1.assert)(authorization_endpoint !== undefined, "Missing authorization_endpoint on the provided __metadata");
211
+ const isOidcServerThirdPartyRelativeToApp = !(0, haveSharedParentDomain_1.getHaveSharedParentDomain)({
216
212
  url1: window.location.origin,
217
- url2: issuerUri
218
- }) === false;
213
+ // TODO: No, here we should test against the authorization endpoint!
214
+ url2: authorization_endpoint
215
+ });
219
216
  if (!isOidcServerThirdPartyRelativeToApp) {
220
217
  break third_party_cookies;
221
218
  }
222
- const isGoogleChrome = (() => {
223
- const ua = navigator.userAgent;
224
- const vendor = navigator.vendor;
225
- return (/Chrome/.test(ua) && /Google Inc/.test(vendor) && !/Edg/.test(ua) && !/OPR/.test(ua));
219
+ const isLikelyDevServer = (0, isLikelyDevServer_1.getIsLikelyDevServer)();
220
+ const domain_auth = new URL(authorization_endpoint).origin.split("//")[1];
221
+ (0, assert_1.assert)(domain_auth !== undefined, "33921384");
222
+ const domain_here = window.location.origin.split("//")[1];
223
+ let isWellKnownProviderDomain = false;
224
+ let isIp = false;
225
+ const suggestedDeployments = (() => {
226
+ if (/^(?:\d{1,3}\.){3}\d{1,3}$|^\[?[A-Fa-f0-9:]+\]?$/.test(domain_auth)) {
227
+ isIp = true;
228
+ return [];
229
+ }
230
+ const baseDomain = (() => {
231
+ const segments = domain_auth.split(".");
232
+ if (segments.length >= 3) {
233
+ segments.shift();
234
+ }
235
+ return segments.join(".");
236
+ })();
237
+ {
238
+ const baseDomain_low = baseDomain.toLowerCase();
239
+ if (baseDomain_low.includes("auth0") ||
240
+ baseDomain_low.includes("clerk") ||
241
+ baseDomain_low.includes("microsoft") ||
242
+ baseDomain_low.includes("okta") ||
243
+ baseDomain_low.includes("aws")) {
244
+ isWellKnownProviderDomain = true;
245
+ return [];
246
+ }
247
+ }
248
+ const baseUrl = new URL(homeUrlAndRedirectUri).pathname;
249
+ return [
250
+ `myapp.${baseDomain}`,
251
+ baseDomain === domain_auth ? undefined : baseDomain,
252
+ `${baseDomain}/${baseUrl === "/" ? "dashboard" : baseUrl}`
253
+ ].filter(x => x !== undefined);
226
254
  })();
227
- if (window.location.origin.startsWith("http://localhost") && isGoogleChrome) {
228
- break third_party_cookies;
255
+ if (isLikelyDevServer) {
256
+ log?.([
257
+ "Detected localhost environment.",
258
+ "\nWhen reloading while logged in, you will briefly see",
259
+ "some URL params appear in the address bar.",
260
+ "\nThis happens because session restore via iframe is disabled,",
261
+ "the browser treats your auth server as a third party.",
262
+ `\nAuth server: ${domain_auth}`,
263
+ `\nApp domain: ${domain_here}`,
264
+ ...(() => {
265
+ if (isIp) {
266
+ return [];
267
+ }
268
+ if (isWellKnownProviderDomain) {
269
+ return [
270
+ "\nYou seem to be using a well-known auth provider.",
271
+ "Check your provider's docs, some allow configuring",
272
+ `a your custom domain at least for the authorization endpoint.`,
273
+ "\nIf configured, oidc-spa will restore sessions silently",
274
+ "and improve the user experience."
275
+ ];
276
+ }
277
+ return [
278
+ "\nOnce deployed under the same root domain as your auth server,",
279
+ "oidc-spa will use iframes to restore sessions silently.",
280
+ "\nSuggested deployments:",
281
+ ...suggestedDeployments.map(d => `\n • ${d}`)
282
+ ];
283
+ })(),
284
+ "\n\nMore info:",
285
+ "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
286
+ ].join(" "));
287
+ }
288
+ else {
289
+ log?.([
290
+ "Silent session restore via iframe is disabled.",
291
+ `\nAuth server: ${domain_auth}`,
292
+ `App domain: ${domain_here}`,
293
+ "\nThey do not share a common root domain.",
294
+ ...(() => {
295
+ if (isIp) {
296
+ return [];
297
+ }
298
+ if (isWellKnownProviderDomain) {
299
+ return [
300
+ "\nYou seem to be using a well-known auth provider.",
301
+ "Check if you can configure a custom auth domain.",
302
+ "\nIf so, oidc-spa can restore sessions silently",
303
+ "and improve the user experience."
304
+ ];
305
+ }
306
+ return [
307
+ "\nTo improve the experience, here are some examples of deployment for your app:",
308
+ ...suggestedDeployments.map(d => `\n • ${d}`)
309
+ ];
310
+ })(),
311
+ "\nMore info:",
312
+ "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
313
+ ].join(" "));
229
314
  }
230
- log?.([
231
- "Can't use iframe because your auth server is on a third party domain relative",
232
- "to the domain of your app and third party cookies are blocked by navigators."
233
- ].join(" "));
234
315
  return false;
235
316
  }
236
- // NOTE: Maybe not, it depend if the app can iframe itself.
237
317
  return true;
238
318
  })();
239
- let isUserStoreInMemoryOnly;
240
- const oidcClientTsUserManager = new oidc_client_ts_1.UserManager({
241
- stateUrlParamValue: stateUrlParamValue_instance,
242
- authority: issuerUri,
243
- client_id: clientId,
244
- redirect_uri: homeUrlAndRedirectUri,
245
- silent_redirect_uri: homeUrlAndRedirectUri,
246
- post_logout_redirect_uri: homeUrlAndRedirectUri,
247
- response_mode: (0, isKeycloak_1.isKeycloak)({ issuerUri }) ? "fragment" : "query",
248
- response_type: "code",
249
- scope: Array.from(new Set(["openid", ...scopes])).join(" "),
250
- automaticSilentRenew: false,
251
- userStore: new oidc_client_ts_1.WebStorageStateStore({
252
- store: (() => {
253
- if (canUseIframe) {
254
- isUserStoreInMemoryOnly = true;
255
- return new oidc_client_ts_1.InMemoryWebStorage();
256
- }
257
- isUserStoreInMemoryOnly = false;
258
- const storage = (0, EphemeralSessionStorage_1.createEphemeralSessionStorage)({
259
- sessionStorageTtlMs: 3 * 60000
260
- });
261
- const { evtRequestToPersistTokens } = globalContext;
262
- evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
263
- if (configIdOfInstancePostingTheRequest === configId) {
264
- return;
319
+ (0, instancesThatCantUseIframes_1.notifyNewInstanceThatCantUseIframes)();
320
+ if (instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
321
+ log?.([
322
+ "More than one oidc instance can't use iframe",
323
+ "falling back to persisting tokens in session storage"
324
+ ].join(" "));
325
+ }
326
+ const oidcClientTsUserManager = oidcMetadata === undefined
327
+ ? (0, createObjectThatThrowsIfAccessed_1.createObjectThatThrowsIfAccessed)({
328
+ debugMessage: "oidc-spa: Wrong assertion 43943"
329
+ })
330
+ : new oidc_client_ts_1.UserManager({
331
+ stateUrlParamValue: stateUrlParamValue_instance,
332
+ authority: issuerUri,
333
+ client_id: clientId,
334
+ redirect_uri: homeUrlAndRedirectUri,
335
+ silent_redirect_uri: homeUrlAndRedirectUri,
336
+ post_logout_redirect_uri: homeUrlAndRedirectUri,
337
+ response_mode: (0, isKeycloak_1.isKeycloak)({ issuerUri }) ? "fragment" : "query",
338
+ response_type: "code",
339
+ scope: Array.from(new Set(["openid", ...scopes])).join(" "),
340
+ automaticSilentRenew: false,
341
+ userStore: new oidc_client_ts_1.WebStorageStateStore({
342
+ store: (() => {
343
+ if (canUseIframe) {
344
+ return new oidc_client_ts_1.InMemoryWebStorage();
265
345
  }
266
- storage.persistCurrentStateAndSubsequentChanges();
267
- });
268
- return storage;
269
- })()
270
- }),
271
- stateStore: new oidc_client_ts_1.WebStorageStateStore({ store: localStorage, prefix: StateData_1.STATE_STORE_KEY_PREFIX }),
272
- client_secret: __unsafe_clientSecret,
273
- metadata: __metadata
274
- });
346
+ const storage = (0, lazySessionStorage_1.createLazySessionStorage)();
347
+ if (instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
348
+ storage.persistCurrentStateAndSubsequentChanges();
349
+ }
350
+ else {
351
+ instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.subscribe(() => {
352
+ storage.persistCurrentStateAndSubsequentChanges();
353
+ });
354
+ }
355
+ return storage;
356
+ })()
357
+ }),
358
+ stateStore: new oidc_client_ts_1.WebStorageStateStore({
359
+ store: localStorage,
360
+ prefix: StateData_1.STATE_STORE_KEY_PREFIX
361
+ }),
362
+ client_secret: __unsafe_clientSecret,
363
+ metadata: oidcMetadata
364
+ });
275
365
  const evtInitializationOutcomeUserNotLoggedIn = (0, Evt_1.createEvt)();
276
366
  const { loginOrGoToAuthServer } = (0, loginOrGoToAuthServer_1.createLoginOrGoToAuthServer)({
277
367
  configId,
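Review bot: When more than one instance can't use iframes, `storage.persistCurrentStateAndSubsequentChanges()` now writes the oidc-client-ts user (access, ID and refresh tokens) to sessionStorage through `createLazySessionStorage()`, which is called with no arguments, whereas the replaced `createEphemeralSessionStorage({ sessionStorageTtlMs: 3 * 60000 })` bounded how long those tokens stayed readable to any script running on the origin. Unless lazySessionStorage enforces an equivalent expiry internally (its source is not in this hunk), the persisted tokens outlive the redirect they were persisted for, so I would either pass an explicit TTL or document the exposure at the call site, e.g. `// Tokens stay in sessionStorage for the tab's lifetime; any XSS on this origin can read them — confirm lazySessionStorage expiry`. The `evtIsThereMoreThanOneInstanceThatCantUserIframes.subscribe(...)` callback is never unsubscribed, which only matters if instances are created and discarded repeatedly. Separately, the comment `// TODO: No, here we should test against the authorization endpoint!` is now stale because `url2: authorization_endpoint` does exactly that; replace it with `// Third-party-ness is judged against the authorization endpoint's host, not the issuer, since that is what the iframe navigates to.` The enclosing `createOidc_nonMemoized` starts and ends outside this hunk.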
@@ -289,54 +379,57 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
289
379
  });
290
380
  const { completeLoginOrRefreshProcess } = await (0, ongoingLoginOrRefreshProcesses_1.startLoginOrRefreshProcess)();
291
381
  const resultOfLoginProcess = await (async () => {
382
+ if (oidcMetadata === undefined) {
383
+ return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
384
+ issuerUri
385
+ });
386
+ }
387
+ restore_from_session_storage: {
388
+ if (canUseIframe) {
389
+ break restore_from_session_storage;
390
+ }
391
+ if (!instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
392
+ break restore_from_session_storage;
393
+ }
394
+ let oidcClientTsUser;
395
+ try {
396
+ oidcClientTsUser = await oidcClientTsUserManager.getUser();
397
+ }
398
+ catch {
399
+ // NOTE: Not sure if it can throw, but let's be safe.
400
+ oidcClientTsUser = null;
401
+ try {
402
+ await oidcClientTsUserManager.removeUser();
403
+ }
404
+ catch { }
405
+ }
406
+ if (oidcClientTsUser === null) {
407
+ break restore_from_session_storage;
408
+ }
409
+ log?.("Session was restored from session storage");
410
+ return {
411
+ oidcClientTsUser,
412
+ backFromAuthServer: undefined
413
+ };
414
+ }
292
415
  handle_redirect_auth_response: {
293
416
  let stateDataAndAuthResponse = undefined;
294
- get_stateData_and_authResponse: {
295
- from_memory: {
296
- const { authResponse, clearAuthResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
297
- if (authResponse === undefined) {
298
- break from_memory;
299
- }
300
- const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
301
- if (stateData === undefined) {
302
- clearAuthResponse();
303
- break from_memory;
304
- }
305
- if (stateData.configId !== configId) {
306
- break from_memory;
307
- }
308
- (0, assert_1.assert)(stateData.context === "redirect", "3229492");
417
+ {
418
+ const { authResponse, clearAuthResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
419
+ if (authResponse === undefined) {
420
+ break handle_redirect_auth_response;
421
+ }
422
+ const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
423
+ if (stateData === undefined) {
309
424
  clearAuthResponse();
310
- stateDataAndAuthResponse = { stateData, authResponse };
311
- break get_stateData_and_authResponse;
425
+ break handle_redirect_auth_response;
312
426
  }
313
- // from storage, this is for race condition in multiple instance
314
- // setup where one instance would need to redirect before
315
- // the authResponse in memory had the chance to be processed.
316
- // This can only happen if:
317
- // 1) There are multiple oidc instances in the App.
318
- // 2) They are instantiated in a non deterministic order.
319
- // 3) We can't use iframe
320
- // We practically never persist the auth response and do it only in session
321
- // an ephemeral session storage, when we know it's gonna be required.
322
- {
323
- const { authResponses } = (0, AuthResponse_1.getPersistedRedirectAuthResponses)();
324
- for (const authResponse of authResponses) {
325
- const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
326
- if (stateData === undefined) {
327
- continue;
328
- }
329
- if (stateData.configId !== configId) {
330
- continue;
331
- }
332
- (0, assert_1.assert)(stateData.context === "redirect", "35935591");
333
- (0, AuthResponse_1.setPersistedRedirectAuthResponses)({
334
- authResponses: authResponses.filter(authResponse_i => authResponse_i !== authResponse)
335
- });
336
- stateDataAndAuthResponse = { stateData, authResponse };
337
- break get_stateData_and_authResponse;
338
- }
427
+ if (stateData.configId !== configId) {
428
+ break handle_redirect_auth_response;
339
429
  }
430
+ (0, assert_1.assert)(stateData.context === "redirect", "3229492");
431
+ clearAuthResponse();
432
+ stateDataAndAuthResponse = { stateData, authResponse };
340
433
  }
341
434
  if (stateDataAndAuthResponse === undefined) {
342
435
  break handle_redirect_auth_response;
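Review bot: `restore_from_session_storage` now runs before `handle_redirect_auth_response` and returns as soon as `getUser()` yields a stored user, so a redirect auth response whose `stateData.configId` matches this instance is left unconsumed (`clearAuthResponse()` is never reached) whenever a user for this instance was persisted before the redirect. That case is new: the removed `evtRequestToPersistTokens` handler skipped the instance posting the request, but tokens are now persisted for every iframe-incapable instance, including the one that later redirects to the auth server to refresh (the no-iframe refresh path further down), which on return would restore its pre-redirect tokens and never exchange the fresh code — unless `loginOrGoToAuthServer` removes the persisted user before navigating, which is not visible here. Consider consulting `getRedirectAuthResponse()` for a matching state before the session-storage restore, or calling `await oidcClientTsUserManager.removeUser()` in the `preRedirectHook` of the refresh redirect. The surrounding async IIFE and `createOidc_nonMemoized` both extend beyond this hunk.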
@@ -415,33 +508,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
415
508
  (0, assert_1.assert)(false);
416
509
  }
417
510
  }
418
- // NOTE: We almost never persist tokens, we have to only to support edge case
419
- // of multiple oidc instance in a single App with no iframe support.
420
- restore_from_session_storage: {
421
- if (isUserStoreInMemoryOnly) {
422
- break restore_from_session_storage;
423
- }
424
- let oidcClientTsUser;
425
- try {
426
- oidcClientTsUser = await oidcClientTsUserManager.getUser();
427
- }
428
- catch {
429
- // NOTE: Not sure if it can throw, but let's be safe.
430
- oidcClientTsUser = null;
431
- try {
432
- await oidcClientTsUserManager.removeUser();
433
- }
434
- catch { }
435
- }
436
- if (oidcClientTsUser === null) {
437
- break restore_from_session_storage;
438
- }
439
- log?.("Restored the auth from ephemeral session storage");
440
- return {
441
- oidcClientTsUser,
442
- backFromAuthServer: undefined
443
- };
444
- }
445
511
  silent_login_if_possible_and_auto_login: {
446
512
  const persistedAuthState = (0, persistedAuthState_1.getPersistedAuthState)({ configId });
447
513
  if (persistedAuthState === "explicitly logged out" && !autoLogin) {
@@ -475,11 +541,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
475
541
  break actual_silent_signin;
476
542
  }
477
543
  if (!canUseIframe) {
478
- if (!(await (0, getIsValidRemoteJson_1.getIsValidRemoteJson)(`${issuerUri}${(0, id_1.id)("/.well-known/openid-configuration")}`))) {
479
- return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
480
- issuerUri
481
- });
482
- }
483
544
  break actual_silent_signin;
484
545
  }
485
546
  log?.("Trying to restore the auth from the http only cookie (silent signin with iframe)");
@@ -494,21 +555,13 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
494
555
  log
495
556
  });
496
557
  (0, assert_1.assert)(result_loginSilent.outcome !== "token refreshed using refresh token", "876995");
497
- if (result_loginSilent.outcome === "failure") {
498
- switch (result_loginSilent.cause) {
499
- case "can't reach well-known oidc endpoint":
500
- return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
501
- issuerUri
502
- });
503
- case "timeout":
504
- return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createIframeTimeoutInitializationError({
505
- redirectUri: homeUrlAndRedirectUri,
506
- clientId,
507
- issuerUri,
508
- noIframe
509
- });
510
- }
511
- (0, assert_1.assert)(false);
558
+ if (result_loginSilent.outcome === "timeout") {
559
+ return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createIframeTimeoutInitializationError({
560
+ redirectUri: homeUrlAndRedirectUri,
561
+ clientId,
562
+ issuerUri,
563
+ noIframe
564
+ });
512
565
  }
513
566
  (0, assert_1.assert)();
514
567
  const { authResponse } = result_loginSilent;
@@ -539,7 +592,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
539
592
  authResponse_error === "consent_required" ||
540
593
  authResponse_error === "account_selection_required"))) {
541
594
  log?.("Performing auto login with redirect");
542
- (0, persistedAuthState_1.persistAuthState)({ configId, state: undefined });
543
595
  completeLoginOrRefreshProcess();
544
596
  if (autoLogin && persistedAuthState !== "logged in") {
545
597
  evtInitializationOutcomeUserNotLoggedIn.post();
@@ -547,16 +599,15 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
547
599
  await (0, ongoingLoginOrRefreshProcesses_1.waitForAllOtherOngoingLoginOrRefreshProcessesToComplete)({
548
600
  prUnlock: (0, loginOrGoToAuthServer_1.getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError)()
549
601
  });
550
- if (persistedAuthState === "logged in") {
551
- globalContext.evtRequestToPersistTokens.post({
552
- configIdOfInstancePostingTheRequest: configId
553
- });
554
- }
555
- const dCantFetchWellKnownEndpointOrNever = new Deferred_1.Deferred();
556
- loginOrGoToAuthServer({
602
+ await loginOrGoToAuthServer({
557
603
  action: "login",
558
604
  doForceReloadOnBfCache: true,
559
- redirectUrl: (0, earlyInit_1.getRootRelativeOriginalLocationHref)(),
605
+ redirectUrl: (() => {
606
+ if (instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
607
+ return window.location.href;
608
+ }
609
+ return (0, earlyInit_1.getRootRelativeOriginalLocationHref)();
610
+ })(),
560
611
  // NOTE: Wether or not it's the preferred behavior, pushing to history
561
612
  // only works on user interaction so it have to be false
562
613
  doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
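Review bot: The new `redirectUrl` IIFE returns `window.location.href` when several instances can't use iframes and `getRootRelativeOriginalLocationHref()` otherwise, with no comment explaining why the two cases need different targets; a reader cannot tell whether the original location is unsafe to reuse in the multi-instance case or merely unnecessary. A why-comment above the IIFE would settle it, e.g. `// NOTE: with several iframe-less instances another instance may already have rewritten the URL, so redirect back to the live href — TODO confirm`, replaced with the actual reason. The enclosing `createOidc_nonMemoized` starts and ends outside this hunk.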
@@ -571,15 +622,10 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
571
622
  }
572
623
  return "ensure no interaction";
573
624
  })(),
574
- onCantFetchWellKnownEndpointError: () => {
575
- dCantFetchWellKnownEndpointOrNever.resolve();
625
+ preRedirectHook: () => {
626
+ (0, persistedAuthState_1.persistAuthState)({ configId, state: undefined });
576
627
  }
577
628
  });
578
- await dCantFetchWellKnownEndpointOrNever.pr;
579
- return (await Promise.resolve().then(() => __importStar(require("./diagnostic")))).createFailedToFetchTokenEndpointInitializationError({
580
- clientId,
581
- issuerUri
582
- });
583
629
  }
584
630
  if (authResponse_error !== undefined) {
585
631
  log?.([
@@ -666,10 +712,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
666
712
  interaction: (0, persistedAuthState_1.getPersistedAuthState)({ configId }) === "explicitly logged out"
667
713
  ? "ensure interaction"
668
714
  : "directly redirect if active session show login otherwise",
669
- onCantFetchWellKnownEndpointError: () => {
670
- log?.("Login called but the auth server seems to be down..");
671
- alert("Authentication unavailable please try again later.");
672
- }
715
+ preRedirectHook: undefined
673
716
  });
674
717
  },
675
718
  initializationError: undefined
@@ -726,6 +769,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
726
769
  state: {
727
770
  stateDescription: "logged in",
728
771
  refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
772
+ serverDateNow: currentTokens.getServerDateNow(),
729
773
  idleSessionLifetimeInSeconds
730
774
  }
731
775
  });
@@ -843,9 +887,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
843
887
  await (0, ongoingLoginOrRefreshProcesses_1.waitForAllOtherOngoingLoginOrRefreshProcessesToComplete)({
844
888
  prUnlock: new Promise(() => { })
845
889
  });
846
- globalContext.evtRequestToPersistTokens.post({
847
- configIdOfInstancePostingTheRequest: configId
848
- });
849
890
  await loginOrGoToAuthServer({
850
891
  action: "login",
851
892
  redirectUrl: window.location.href,
@@ -854,13 +895,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
854
895
  transformUrlBeforeRedirect_local: undefined,
855
896
  doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
856
897
  interaction: "directly redirect if active session show login otherwise",
857
- onCantFetchWellKnownEndpointError: () => {
858
- log?.([
859
- "The auth server seems to be down while we needed to refresh the token",
860
- "with a full page redirect. Reloading the page"
861
- ].join(" "));
862
- window.location.reload();
863
- }
898
+ preRedirectHook: undefined
864
899
  });
865
900
  (0, assert_1.assert)(false, "136134");
866
901
  };
@@ -886,9 +921,9 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
886
921
  autoLogin,
887
922
  log
888
923
  });
889
- if (result_loginSilent.outcome === "failure") {
924
+ if (result_loginSilent.outcome === "timeout") {
890
925
  log?.([
891
- `Silent refresh of the token failed with ${result_loginSilent.cause}.`,
926
+ `Silent refresh of the token failed the iframe didn't post a response (timeout).`,
892
927
  `This isn't recoverable, reloading the page.`
893
928
  ].join(" "));
894
929
  window.location.reload();
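Review bot: The new log line on the `timeout` branch reads as a run-on sentence: `Silent refresh of the token failed the iframe didn't post a response (timeout).`; a colon fixes it, e.g. `Silent refresh of the token failed: the iframe didn't post a response (timeout).`. Since the old `failure`/`cause` shape was dropped, any other non-success outcome `loginSilent` may still return now falls through to the code after this hunk without a log, which is worth confirming against loginSilent.js. The enclosing function continues outside this hunk.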
@@ -952,6 +987,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
952
987
  state: {
953
988
  stateDescription: "logged in",
954
989
  refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
990
+ serverDateNow: currentTokens.getServerDateNow(),
955
991
  idleSessionLifetimeInSeconds
956
992
  }
957
993
  });
@@ -1026,11 +1062,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
1026
1062
  action: "go to auth server",
1027
1063
  redirectUrl: redirectUrl ?? window.location.href,
1028
1064
  extraQueryParams_local: extraQueryParams,
1029
- transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
1030
- onCantFetchWellKnownEndpointError: () => {
1031
- log?.("goToAuthServer called but the auth server seems to be down..");
1032
- alert("Authentication unavailable please try again later.");
1033
- }
1065
+ transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
1034
1066
  }),
1035
1067
  backFromAuthServer: resultOfLoginProcess.backFromAuthServer,
1036
1068
  isNewBrowserSession: (() => {