npm - oidc-spa - Versions diffs - 8.2.0 → 8.2.2 - Mend

oidc-spa 8.2.0 → 8.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/core/AuthResponse.d.ts +0 -5
package/core/AuthResponse.js +0 -25
package/core/AuthResponse.js.map +1 -1
package/core/OidcMetadata.d.ts +5 -0
package/core/OidcMetadata.js +56 -0
package/core/OidcMetadata.js.map +1 -1
package/core/createOidc.d.ts +4 -3
package/core/createOidc.js +229 -197
package/core/createOidc.js.map +1 -1
package/core/diagnostic.d.ts +0 -1
package/core/diagnostic.js +18 -5
package/core/diagnostic.js.map +1 -1
package/core/instancesThatCantUseIframes.d.ts +2 -0
package/core/instancesThatCantUseIframes.js +20 -0
package/core/instancesThatCantUseIframes.js.map +1 -0
package/core/loginOrGoToAuthServer.d.ts +1 -1
package/core/loginOrGoToAuthServer.js +4 -16
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/loginSilent.d.ts +1 -2
package/core/loginSilent.js +3 -21
package/core/loginSilent.js.map +1 -1
package/core/persistedAuthState.d.ts +1 -0
package/core/persistedAuthState.js +14 -4
package/core/persistedAuthState.js.map +1 -1
package/esm/core/AuthResponse.d.ts +0 -5
package/esm/core/AuthResponse.js +0 -23
package/esm/core/AuthResponse.js.map +1 -1
package/esm/core/OidcMetadata.d.ts +5 -0
package/esm/core/OidcMetadata.js +54 -0
package/esm/core/OidcMetadata.js.map +1 -1
package/esm/core/createOidc.d.ts +4 -3
package/esm/core/createOidc.js +230 -198
package/esm/core/createOidc.js.map +1 -1
package/esm/core/diagnostic.d.ts +0 -1
package/esm/core/diagnostic.js +15 -1
package/esm/core/diagnostic.js.map +1 -1
package/esm/core/instancesThatCantUseIframes.d.ts +2 -0
package/esm/core/instancesThatCantUseIframes.js +16 -0
package/esm/core/instancesThatCantUseIframes.js.map +1 -0
package/esm/core/loginOrGoToAuthServer.d.ts +1 -1
package/esm/core/loginOrGoToAuthServer.js +4 -16
package/esm/core/loginOrGoToAuthServer.js.map +1 -1
package/esm/core/loginSilent.d.ts +1 -2
package/esm/core/loginSilent.js +3 -21
package/esm/core/loginSilent.js.map +1 -1
package/esm/core/persistedAuthState.d.ts +1 -0
package/esm/core/persistedAuthState.js +14 -4
package/esm/core/persistedAuthState.js.map +1 -1
package/esm/keycloak/keycloakIssuerUriParsed.js +8 -1
package/esm/keycloak/keycloakIssuerUriParsed.js.map +1 -1
package/esm/tools/isLikelyDevServer.d.ts +1 -0
package/esm/tools/isLikelyDevServer.js +14 -0
package/esm/tools/isLikelyDevServer.js.map +1 -0
package/esm/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +2 -4
package/esm/tools/lazySessionStorage.js +81 -0
package/esm/tools/lazySessionStorage.js.map +1 -0
package/keycloak/keycloakIssuerUriParsed.js +8 -1
package/keycloak/keycloakIssuerUriParsed.js.map +1 -1
package/package.json +1 -1
package/src/core/AuthResponse.ts +0 -36
package/src/core/OidcMetadata.ts +75 -0
package/src/core/createOidc.ts +277 -264
package/src/core/diagnostic.ts +21 -2
package/src/core/instancesThatCantUseIframes.ts +24 -0
package/src/core/loginOrGoToAuthServer.ts +5 -22
package/src/core/loginSilent.ts +4 -27
package/src/core/persistedAuthState.ts +27 -5
package/src/keycloak/keycloakIssuerUriParsed.ts +10 -1
package/src/tools/isLikelyDevServer.ts +17 -0
package/src/tools/lazySessionStorage.ts +119 -0
package/src/vite-plugin/manageOptimizedDeps.ts +2 -0
package/tools/isLikelyDevServer.d.ts +1 -0
package/tools/isLikelyDevServer.js +17 -0
package/tools/isLikelyDevServer.js.map +1 -0
package/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +2 -4
package/tools/lazySessionStorage.js +84 -0
package/tools/lazySessionStorage.js.map +1 -0
package/vite-plugin/manageOptimizedDeps.js +1 -0
package/vite-plugin/manageOptimizedDeps.js.map +1 -1
package/esm/tools/EphemeralSessionStorage.js +0 -143
package/esm/tools/EphemeralSessionStorage.js.map +0 -1
package/src/tools/EphemeralSessionStorage.ts +0 -225
package/tools/EphemeralSessionStorage.js +0 -146
package/tools/EphemeralSessionStorage.js.map +0 -1

package/esm/core/createOidc.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { UserManager as OidcClientTsUserManager, WebStorageStateStore, InMemoryWebStorage } from "../vendor/frontend/oidc-client-ts";
+import { fetchOidcMetadata } from "./OidcMetadata";
 import { assert, is } from "../tools/tsafe/assert";
 import { id } from "../tools/tsafe/id";
 import { setTimeout, clearTimeout } from "../tools/workerTimers";
@@ -14,38 +15,29 @@ import { notifyOtherTabsOfLogin, getPrOtherTabLogin } from "./loginPropagationTo
 import { getConfigId } from "./configId";
 import { oidcClientTsUserToTokens } from "./oidcClientTsUserToTokens";
 import { loginSilent } from "./loginSilent";
-import { authResponseToUrl, getPersistedRedirectAuthResponses, setPersistedRedirectAuthResponses } from "./AuthResponse";
+import { authResponseToUrl } from "./AuthResponse";
 import { getRootRelativeOriginalLocationHref, getRedirectAuthResponse } from "./earlyInit";
 import { getPersistedAuthState, persistAuthState } from "./persistedAuthState";
 import { createEvt } from "../tools/Evt";
 import { getHaveSharedParentDomain } from "../tools/haveSharedParentDomain";
 import { createLoginOrGoToAuthServer, getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError } from "./loginOrGoToAuthServer";
-import { createEphemeralSessionStorage } from "../tools/EphemeralSessionStorage";
+import { createLazySessionStorage } from "../tools/lazySessionStorage";
 import { startLoginOrRefreshProcess, waitForAllOtherOngoingLoginOrRefreshProcessesToComplete } from "./ongoingLoginOrRefreshProcesses";
 import { createGetIsNewBrowserSession } from "./isNewBrowserSession";
 import { getIsOnline } from "../tools/getIsOnline";
 import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
-import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
 import { prShouldLoadApp } from "./prShouldLoadApp";
 import { getBASE_URL } from "./BASE_URL";
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
+import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
+import { evtIsThereMoreThanOneInstanceThatCantUserIframes, notifyNewInstanceThatCantUseIframes } from "./instancesThatCantUseIframes";
 // NOTE: Replaced at build time
-const VERSION = "8.2.0";
+const VERSION = "8.2.2";
 const globalContext = {
     prOidcByConfigId: new Map(),
-    hasLogoutBeenCalled: id(false),
-    evtRequestToPersistTokens: createEvt()
+    hasLogoutBeenCalled: id(false)
 };
-globalContext.evtRequestToPersistTokens.subscribe(() => {
-    const { authResponse } = getRedirectAuthResponse();
-    if (authResponse === undefined) {
-        return;
-    }
-    const { authResponses } = getPersistedRedirectAuthResponses();
-    setPersistedRedirectAuthResponses({
-        authResponses: [...authResponses, authResponse]
-    });
-});
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export async function createOidc(params) {
     for (const name of ["issuerUri", "clientId"]) {
@@ -54,7 +46,7 @@ export async function createOidc(params) {
             throw new Error(`The parameter "${name}" is required, you provided: ${value}. (Forgot a .env variable?)`);
         }
     }
-    const { issuerUri: issuerUri_params, clientId, scopes = ["profile"], debugLogs, ...rest } = params;
+    const { issuerUri: issuerUri_params, clientId, debugLogs, ...rest } = params;
     const issuerUri = toFullyQualifiedUrl({
         urlish: issuerUri_params,
         doAssertNoQueryParams: true,
@@ -96,7 +88,6 @@ export async function createOidc(params) {
     const oidc = await createOidc_nonMemoized(rest, {
         issuerUri,
         clientId,
-        scopes,
         configId,
         log
     });
@@ -119,9 +110,9 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             return new Promise(() => { });
         }
     }
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false, scopes = ["openid", "profile"] } = params;
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
-    const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
+    const { issuerUri, clientId, configId, log } = preProcessedParams;
     const getExtraQueryParams = (() => {
         if (extraQueryParamsOrGetter === undefined) {
             return undefined;
@@ -166,75 +157,174 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
         issuerUri,
         clientId,
         scopes,
-        configId,
-        homeUrlAndRedirectUri
+        oidcRedirectUri: homeUrlAndRedirectUri
     }, null, 2)}`);
     const stateUrlParamValue_instance = generateStateUrlParamValue();
+    const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
     const canUseIframe = (() => {
         if (noIframe) {
             return false;
         }
         third_party_cookies: {
-            const isOidcServerThirdPartyRelativeToApp = getHaveSharedParentDomain({
+            if (oidcMetadata === undefined) {
+                return false;
+            }
+            const { authorization_endpoint } = oidcMetadata;
+            assert(authorization_endpoint !== undefined, "Missing authorization_endpoint on the provided __metadata");
+            const isOidcServerThirdPartyRelativeToApp = !getHaveSharedParentDomain({
                 url1: window.location.origin,
-                url2: issuerUri
-            }) === false;
+                // TODO: No, here we should test against the authorization endpoint!
+                url2: authorization_endpoint
+            });
             if (!isOidcServerThirdPartyRelativeToApp) {
                 break third_party_cookies;
             }
-            const isGoogleChrome = (() => {
-                const ua = navigator.userAgent;
-                const vendor = navigator.vendor;
-                return (/Chrome/.test(ua) && /Google Inc/.test(vendor) && !/Edg/.test(ua) && !/OPR/.test(ua));
+            const isLikelyDevServer = getIsLikelyDevServer();
+            const domain_auth = new URL(authorization_endpoint).origin.split("//")[1];
+            assert(domain_auth !== undefined, "33921384");
+            const domain_here = window.location.origin.split("//")[1];
+            let isWellKnownProviderDomain = false;
+            let isIp = false;
+            const suggestedDeployments = (() => {
+                if (/^(?:\d{1,3}\.){3}\d{1,3}$|^\[?[A-Fa-f0-9:]+\]?$/.test(domain_auth)) {
+                    isIp = true;
+                    return [];
+                }
+                const baseDomain = (() => {
+                    const segments = domain_auth.split(".");
+                    if (segments.length >= 3) {
+                        segments.shift();
+                    }
+                    return segments.join(".");
+                })();
+                {
+                    const baseDomain_low = baseDomain.toLowerCase();
+                    if (baseDomain_low.includes("auth0") ||
+                        baseDomain_low.includes("clerk") ||
+                        baseDomain_low.includes("microsoft") ||
+                        baseDomain_low.includes("okta") ||
+                        baseDomain_low.includes("aws")) {
+                        isWellKnownProviderDomain = true;
+                        return [];
+                    }
+                }
+                const baseUrl = new URL(homeUrlAndRedirectUri).pathname;
+                return [
+                    `myapp.${baseDomain}`,
+                    baseDomain === domain_auth ? undefined : baseDomain,
+                    `${baseDomain}/${baseUrl === "/" ? "dashboard" : baseUrl}`
+                ].filter(x => x !== undefined);
             })();
-            if (window.location.origin.startsWith("http://localhost") && isGoogleChrome) {
-                break third_party_cookies;
+            if (isLikelyDevServer) {
+                log?.([
+                    "Detected localhost environment.",
+                    "\nWhen reloading while logged in, you will briefly see",
+                    "some URL params appear in the address bar.",
+                    "\nThis happens because session restore via iframe is disabled,",
+                    "the browser treats your auth server as a third party.",
+                    `\nAuth server: ${domain_auth}`,
+                    `\nApp domain:  ${domain_here}`,
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check your provider's docs, some allow configuring",
+                                `a your custom domain at least for the authorization endpoint.`,
+                                "\nIf configured, oidc-spa will restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nOnce deployed under the same root domain as your auth server,",
+                            "oidc-spa will use iframes to restore sessions silently.",
+                            "\nSuggested deployments:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\n\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
+            }
+            else {
+                log?.([
+                    "Silent session restore via iframe is disabled.",
+                    `\nAuth server: ${domain_auth}`,
+                    `App domain:  ${domain_here}`,
+                    "\nThey do not share a common root domain.",
+                    ...(() => {
+                        if (isIp) {
+                            return [];
+                        }
+                        if (isWellKnownProviderDomain) {
+                            return [
+                                "\nYou seem to be using a well-known auth provider.",
+                                "Check if you can configure a custom auth domain.",
+                                "\nIf so, oidc-spa can restore sessions silently",
+                                "and improve the user experience."
+                            ];
+                        }
+                        return [
+                            "\nTo improve the experience, here are some examples of deployment for your app:",
+                            ...suggestedDeployments.map(d => `\n  • ${d}`)
+                        ];
+                    })(),
+                    "\nMore info:",
+                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                ].join(" "));
             }
-            log?.([
-                "Can't use iframe because your auth server is on a third party domain relative",
-                "to the domain of your app and third party cookies are blocked by navigators."
-            ].join(" "));
             return false;
         }
-        // NOTE: Maybe not, it depend if the app can iframe itself.
         return true;
     })();
-    let isUserStoreInMemoryOnly;
-    const oidcClientTsUserManager = new OidcClientTsUserManager({
-        stateUrlParamValue: stateUrlParamValue_instance,
-        authority: issuerUri,
-        client_id: clientId,
-        redirect_uri: homeUrlAndRedirectUri,
-        silent_redirect_uri: homeUrlAndRedirectUri,
-        post_logout_redirect_uri: homeUrlAndRedirectUri,
-        response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
-        response_type: "code",
-        scope: Array.from(new Set(["openid", ...scopes])).join(" "),
-        automaticSilentRenew: false,
-        userStore: new WebStorageStateStore({
-            store: (() => {
-                if (canUseIframe) {
-                    isUserStoreInMemoryOnly = true;
-                    return new InMemoryWebStorage();
-                }
-                isUserStoreInMemoryOnly = false;
-                const storage = createEphemeralSessionStorage({
-                    sessionStorageTtlMs: 3 * 60000
-                });
-                const { evtRequestToPersistTokens } = globalContext;
-                evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                    if (configIdOfInstancePostingTheRequest === configId) {
-                        return;
+    notifyNewInstanceThatCantUseIframes();
+    if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+        log?.([
+            "More than one oidc instance can't use iframe",
+            "falling back to persisting tokens in session storage"
+        ].join(" "));
+    }
+    const oidcClientTsUserManager = oidcMetadata === undefined
+        ? createObjectThatThrowsIfAccessed({
+            debugMessage: "oidc-spa: Wrong assertion 43943"
+        })
+        : new OidcClientTsUserManager({
+            stateUrlParamValue: stateUrlParamValue_instance,
+            authority: issuerUri,
+            client_id: clientId,
+            redirect_uri: homeUrlAndRedirectUri,
+            silent_redirect_uri: homeUrlAndRedirectUri,
+            post_logout_redirect_uri: homeUrlAndRedirectUri,
+            response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
+            response_type: "code",
+            scope: Array.from(new Set(["openid", ...scopes])).join(" "),
+            automaticSilentRenew: false,
+            userStore: new WebStorageStateStore({
+                store: (() => {
+                    if (canUseIframe) {
+                        return new InMemoryWebStorage();
                     }
-                    storage.persistCurrentStateAndSubsequentChanges();
-                });
-                return storage;
-            })()
-        }),
-        stateStore: new WebStorageStateStore({ store: localStorage, prefix: STATE_STORE_KEY_PREFIX }),
-        client_secret: __unsafe_clientSecret,
-        metadata: __metadata
-    });
+                    const storage = createLazySessionStorage();
+                    if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                        storage.persistCurrentStateAndSubsequentChanges();
+                    }
+                    else {
+                        evtIsThereMoreThanOneInstanceThatCantUserIframes.subscribe(() => {
+                            storage.persistCurrentStateAndSubsequentChanges();
+                        });
+                    }
+                    return storage;
+                })()
+            }),
+            stateStore: new WebStorageStateStore({
+                store: localStorage,
+                prefix: STATE_STORE_KEY_PREFIX
+            }),
+            client_secret: __unsafe_clientSecret,
+            metadata: oidcMetadata
+        });
     const evtInitializationOutcomeUserNotLoggedIn = createEvt();
     const { loginOrGoToAuthServer } = createLoginOrGoToAuthServer({
         configId,
@@ -252,54 +342,57 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
     });
     const { completeLoginOrRefreshProcess } = await startLoginOrRefreshProcess();
     const resultOfLoginProcess = await (async () => {
+        if (oidcMetadata === undefined) {
+            return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
+                issuerUri
+            });
+        }
+        restore_from_session_storage: {
+            if (canUseIframe) {
+                break restore_from_session_storage;
+            }
+            if (!evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                break restore_from_session_storage;
+            }
+            let oidcClientTsUser;
+            try {
+                oidcClientTsUser = await oidcClientTsUserManager.getUser();
+            }
+            catch {
+                // NOTE: Not sure if it can throw, but let's be safe.
+                oidcClientTsUser = null;
+                try {
+                    await oidcClientTsUserManager.removeUser();
+                }
+                catch { }
+            }
+            if (oidcClientTsUser === null) {
+                break restore_from_session_storage;
+            }
+            log?.("Session was restored from session storage");
+            return {
+                oidcClientTsUser,
+                backFromAuthServer: undefined
+            };
+        }
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse = undefined;
-            get_stateData_and_authResponse: {
-                from_memory: {
-                    const { authResponse, clearAuthResponse } = getRedirectAuthResponse();
-                    if (authResponse === undefined) {
-                        break from_memory;
-                    }
-                    const stateData = getStateData({ stateUrlParamValue: authResponse.state });
-                    if (stateData === undefined) {
-                        clearAuthResponse();
-                        break from_memory;
-                    }
-                    if (stateData.configId !== configId) {
-                        break from_memory;
-                    }
-                    assert(stateData.context === "redirect", "3229492");
+            {
+                const { authResponse, clearAuthResponse } = getRedirectAuthResponse();
+                if (authResponse === undefined) {
+                    break handle_redirect_auth_response;
+                }
+                const stateData = getStateData({ stateUrlParamValue: authResponse.state });
+                if (stateData === undefined) {
                     clearAuthResponse();
-                    stateDataAndAuthResponse = { stateData, authResponse };
-                    break get_stateData_and_authResponse;
+                    break handle_redirect_auth_response;
                 }
-                // from storage, this is for race condition in multiple instance
-                // setup where one instance would need to redirect before
-                // the authResponse in memory had the chance to be processed.
-                // This can only happen if:
-                // 1) There are multiple oidc instances in the App.
-                // 2) They are instantiated in a non deterministic order.
-                // 3) We can't use iframe
-                // We practically never persist the auth response and do it only in session
-                // an ephemeral session storage, when we know it's gonna be required.
-                {
-                    const { authResponses } = getPersistedRedirectAuthResponses();
-                    for (const authResponse of authResponses) {
-                        const stateData = getStateData({ stateUrlParamValue: authResponse.state });
-                        if (stateData === undefined) {
-                            continue;
-                        }
-                        if (stateData.configId !== configId) {
-                            continue;
-                        }
-                        assert(stateData.context === "redirect", "35935591");
-                        setPersistedRedirectAuthResponses({
-                            authResponses: authResponses.filter(authResponse_i => authResponse_i !== authResponse)
-                        });
-                        stateDataAndAuthResponse = { stateData, authResponse };
-                        break get_stateData_and_authResponse;
-                    }
+                if (stateData.configId !== configId) {
+                    break handle_redirect_auth_response;
                 }
+                assert(stateData.context === "redirect", "3229492");
+                clearAuthResponse();
+                stateDataAndAuthResponse = { stateData, authResponse };
             }
             if (stateDataAndAuthResponse === undefined) {
                 break handle_redirect_auth_response;
@@ -378,33 +471,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     assert(false);
             }
         }
-        // NOTE: We almost never persist tokens, we have to only to support edge case
-        // of multiple oidc instance in a single App with no iframe support.
-        restore_from_session_storage: {
-            if (isUserStoreInMemoryOnly) {
-                break restore_from_session_storage;
-            }
-            let oidcClientTsUser;
-            try {
-                oidcClientTsUser = await oidcClientTsUserManager.getUser();
-            }
-            catch {
-                // NOTE: Not sure if it can throw, but let's be safe.
-                oidcClientTsUser = null;
-                try {
-                    await oidcClientTsUserManager.removeUser();
-                }
-                catch { }
-            }
-            if (oidcClientTsUser === null) {
-                break restore_from_session_storage;
-            }
-            log?.("Restored the auth from ephemeral session storage");
-            return {
-                oidcClientTsUser,
-                backFromAuthServer: undefined
-            };
-        }
         silent_login_if_possible_and_auto_login: {
             const persistedAuthState = getPersistedAuthState({ configId });
             if (persistedAuthState === "explicitly logged out" && !autoLogin) {
@@ -438,11 +504,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     break actual_silent_signin;
                 }
                 if (!canUseIframe) {
-                    if (!(await getIsValidRemoteJson(`${issuerUri}${id("/.well-known/openid-configuration")}`))) {
-                        return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                            issuerUri
-                        });
-                    }
                     break actual_silent_signin;
                 }
                 log?.("Trying to restore the auth from the http only cookie (silent signin with iframe)");
@@ -457,21 +518,13 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     log
                 });
                 assert(result_loginSilent.outcome !== "token refreshed using refresh token", "876995");
-                if (result_loginSilent.outcome === "failure") {
-                    switch (result_loginSilent.cause) {
-                        case "can't reach well-known oidc endpoint":
-                            return (await import("./diagnostic")).createWellKnownOidcConfigurationEndpointUnreachableInitializationError({
-                                issuerUri
-                            });
-                        case "timeout":
-                            return (await import("./diagnostic")).createIframeTimeoutInitializationError({
-                                redirectUri: homeUrlAndRedirectUri,
-                                clientId,
-                                issuerUri,
-                                noIframe
-                            });
-                    }
-                    assert(false);
+                if (result_loginSilent.outcome === "timeout") {
+                    return (await import("./diagnostic")).createIframeTimeoutInitializationError({
+                        redirectUri: homeUrlAndRedirectUri,
+                        clientId,
+                        issuerUri,
+                        noIframe
+                    });
                 }
                 assert();
                 const { authResponse } = result_loginSilent;
@@ -502,7 +555,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             authResponse_error === "consent_required" ||
                             authResponse_error === "account_selection_required"))) {
                     log?.("Performing auto login with redirect");
-                    persistAuthState({ configId, state: undefined });
                     completeLoginOrRefreshProcess();
                     if (autoLogin && persistedAuthState !== "logged in") {
                         evtInitializationOutcomeUserNotLoggedIn.post();
@@ -510,16 +562,15 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
                         prUnlock: getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError()
                     });
-                    if (persistedAuthState === "logged in") {
-                        globalContext.evtRequestToPersistTokens.post({
-                            configIdOfInstancePostingTheRequest: configId
-                        });
-                    }
-                    const dCantFetchWellKnownEndpointOrNever = new Deferred();
-                    loginOrGoToAuthServer({
+                    await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
-                        redirectUrl: getRootRelativeOriginalLocationHref(),
+                        redirectUrl: (() => {
+                            if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                                return window.location.href;
+                            }
+                            return getRootRelativeOriginalLocationHref();
+                        })(),
                         // NOTE: Wether or not it's the preferred behavior, pushing to history
                         // only works on user interaction so it have to be false
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
@@ -534,15 +585,10 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             }
                             return "ensure no interaction";
                         })(),
-                        onCantFetchWellKnownEndpointError: () => {
-                            dCantFetchWellKnownEndpointOrNever.resolve();
+                        preRedirectHook: () => {
+                            persistAuthState({ configId, state: undefined });
                         }
                     });
-                    await dCantFetchWellKnownEndpointOrNever.pr;
-                    return (await import("./diagnostic")).createFailedToFetchTokenEndpointInitializationError({
-                        clientId,
-                        issuerUri
-                    });
                 }
                 if (authResponse_error !== undefined) {
                     log?.([
@@ -629,10 +675,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             interaction: getPersistedAuthState({ configId }) === "explicitly logged out"
                                 ? "ensure interaction"
                                 : "directly redirect if active session show login otherwise",
-                            onCantFetchWellKnownEndpointError: () => {
-                                log?.("Login called but the auth server seems to be down..");
-                                alert("Authentication unavailable please try again later.");
-                            }
+                            preRedirectHook: undefined
                         });
                     },
                     initializationError: undefined
@@ -689,6 +732,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                 state: {
                     stateDescription: "logged in",
                     refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                    serverDateNow: currentTokens.getServerDateNow(),
                     idleSessionLifetimeInSeconds
                 }
             });
@@ -806,9 +850,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
                         prUnlock: new Promise(() => { })
                     });
-                    globalContext.evtRequestToPersistTokens.post({
-                        configIdOfInstancePostingTheRequest: configId
-                    });
                     await loginOrGoToAuthServer({
                         action: "login",
                         redirectUrl: window.location.href,
@@ -817,13 +858,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
                         interaction: "directly redirect if active session show login otherwise",
-                        onCantFetchWellKnownEndpointError: () => {
-                            log?.([
-                                "The auth server seems to be down while we needed to refresh the token",
-                                "with a full page redirect. Reloading the page"
-                            ].join(" "));
-                            window.location.reload();
-                        }
+                        preRedirectHook: undefined
                     });
                     assert(false, "136134");
                 };
@@ -849,9 +884,9 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     autoLogin,
                     log
                 });
-                if (result_loginSilent.outcome === "failure") {
+                if (result_loginSilent.outcome === "timeout") {
                     log?.([
-                        `Silent refresh of the token failed with ${result_loginSilent.cause}.`,
+                        `Silent refresh of the token failed the iframe didn't post a response (timeout).`,
                         `This isn't recoverable, reloading the page.`
                     ].join(" "));
                     window.location.reload();
@@ -915,6 +950,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         state: {
                             stateDescription: "logged in",
                             refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                            serverDateNow: currentTokens.getServerDateNow(),
                             idleSessionLifetimeInSeconds
                         }
                     });
@@ -989,11 +1025,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             action: "go to auth server",
             redirectUrl: redirectUrl ?? window.location.href,
             extraQueryParams_local: extraQueryParams,
-            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
-            onCantFetchWellKnownEndpointError: () => {
-                log?.("goToAuthServer called but the auth server seems to be down..");
-                alert("Authentication unavailable please try again later.");
-            }
+            transformUrlBeforeRedirect_local: transformUrlBeforeRedirect
         }),
         backFromAuthServer: resultOfLoginProcess.backFromAuthServer,
         isNewBrowserSession: (() => {