npm - oidc-spa - Versions diffs - 8.2.1 → 8.2.3 - Mend

oidc-spa 8.2.1 → 8.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/core/AuthResponse.d.ts +0 -5
package/core/AuthResponse.js +0 -25
package/core/AuthResponse.js.map +1 -1
package/core/createOidc.d.ts +49 -16
package/core/createOidc.js +97 -122
package/core/createOidc.js.map +1 -1
package/core/desiredPostLoginRedirectUrl.d.ts +4 -0
package/core/desiredPostLoginRedirectUrl.js +12 -0
package/core/desiredPostLoginRedirectUrl.js.map +1 -0
package/core/diagnostic.d.ts +1 -1
package/core/diagnostic.js +3 -3
package/core/diagnostic.js.map +1 -1
package/core/instancesThatCantUseIframes.d.ts +2 -0
package/core/instancesThatCantUseIframes.js +20 -0
package/core/instancesThatCantUseIframes.js.map +1 -0
package/core/loginOrGoToAuthServer.d.ts +1 -0
package/core/loginOrGoToAuthServer.js +3 -0
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/persistedAuthState.d.ts +1 -0
package/core/persistedAuthState.js +14 -4
package/core/persistedAuthState.js.map +1 -1
package/esm/angular.d.ts +27 -4
package/esm/angular.js +28 -6
package/esm/angular.js.map +1 -1
package/esm/core/AuthResponse.d.ts +0 -5
package/esm/core/AuthResponse.js +0 -23
package/esm/core/AuthResponse.js.map +1 -1
package/esm/core/createOidc.d.ts +49 -16
package/esm/core/createOidc.js +98 -123
package/esm/core/createOidc.js.map +1 -1
package/esm/core/desiredPostLoginRedirectUrl.d.ts +4 -0
package/esm/core/desiredPostLoginRedirectUrl.js +8 -0
package/esm/core/desiredPostLoginRedirectUrl.js.map +1 -0
package/esm/core/diagnostic.d.ts +1 -1
package/esm/core/diagnostic.js +3 -3
package/esm/core/diagnostic.js.map +1 -1
package/esm/core/instancesThatCantUseIframes.d.ts +2 -0
package/esm/core/instancesThatCantUseIframes.js +16 -0
package/esm/core/instancesThatCantUseIframes.js.map +1 -0
package/esm/core/loginOrGoToAuthServer.d.ts +1 -0
package/esm/core/loginOrGoToAuthServer.js +3 -0
package/esm/core/loginOrGoToAuthServer.js.map +1 -1
package/esm/core/persistedAuthState.d.ts +1 -0
package/esm/core/persistedAuthState.js +14 -4
package/esm/core/persistedAuthState.js.map +1 -1
package/esm/keycloak/keycloak-js/Keycloak.d.ts +40 -0
package/esm/keycloak/keycloak-js/Keycloak.js +2 -1
package/esm/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/esm/react/react.js +24 -2
package/esm/react/react.js.map +1 -1
package/esm/react-spa/createOidcSpaApi.js +26 -4
package/esm/react-spa/createOidcSpaApi.js.map +1 -1
package/esm/react-spa/types.d.ts +26 -3
package/esm/tanstack-start/react/createOidcSpaApi.js +25 -3
package/esm/tanstack-start/react/createOidcSpaApi.js.map +1 -1
package/esm/tanstack-start/react/types.d.ts +26 -3
package/esm/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +4 -4
package/esm/tools/lazySessionStorage.js +83 -0
package/esm/tools/lazySessionStorage.js.map +1 -0
package/keycloak/keycloak-js/Keycloak.d.ts +40 -0
package/keycloak/keycloak-js/Keycloak.js +2 -1
package/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/package.json +5 -1
package/react/react.js +24 -2
package/react/react.js.map +1 -1
package/react-spa/createOidcSpaApi.js +26 -4
package/react-spa/createOidcSpaApi.js.map +1 -1
package/react-spa/types.d.ts +26 -3
package/src/angular.ts +72 -18
package/src/core/AuthResponse.ts +0 -36
package/src/core/createOidc.ts +160 -173
package/src/core/desiredPostLoginRedirectUrl.ts +9 -0
package/src/core/diagnostic.ts +4 -4
package/src/core/instancesThatCantUseIframes.ts +24 -0
package/src/core/loginOrGoToAuthServer.ts +5 -0
package/src/core/persistedAuthState.ts +27 -5
package/src/keycloak/keycloak-js/Keycloak.ts +43 -1
package/src/react/react.tsx +32 -3
package/src/react-spa/createOidcSpaApi.tsx +34 -5
package/src/react-spa/types.tsx +26 -3
package/src/tanstack-start/react/createOidcSpaApi.tsx +33 -4
package/src/tanstack-start/react/types.tsx +26 -3
package/src/tools/lazySessionStorage.ts +123 -0
package/src/vite-plugin/manageOptimizedDeps.ts +4 -1
package/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +4 -4
package/tools/lazySessionStorage.js +86 -0
package/tools/lazySessionStorage.js.map +1 -0
package/vite-plugin/manageOptimizedDeps.js +3 -1
package/vite-plugin/manageOptimizedDeps.js.map +1 -1
package/esm/tools/EphemeralSessionStorage.js +0 -143
package/esm/tools/EphemeralSessionStorage.js.map +0 -1
package/src/tools/EphemeralSessionStorage.ts +0 -225
package/tools/EphemeralSessionStorage.js +0 -146
package/tools/EphemeralSessionStorage.js.map +0 -1

package/core/AuthResponse.d.ts CHANGED Viewed

@@ -3,8 +3,3 @@ export type AuthResponse = {
     [key: string]: string | undefined;
 };
 export declare function authResponseToUrl(authResponse: AuthResponse): string;
-export declare const setPersistedRedirectAuthResponses: (params: {
-    authResponses: AuthResponse[];
-}) => void, getPersistedRedirectAuthResponses: () => {
-    authResponses: AuthResponse[];
-};

package/core/AuthResponse.js CHANGED Viewed

@@ -1,10 +1,7 @@
 "use strict";
-var _a;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getPersistedRedirectAuthResponses = exports.setPersistedRedirectAuthResponses = void 0;
 exports.authResponseToUrl = authResponseToUrl;
 const urlSearchParams_1 = require("../tools/urlSearchParams");
-const EphemeralSessionStorage_1 = require("../tools/EphemeralSessionStorage");
 function authResponseToUrl(authResponse) {
     let authResponseUrl = "https://dummy.com";
     for (const [name, value] of Object.entries(authResponse)) {
@@ -21,26 +18,4 @@ function authResponseToUrl(authResponse) {
     authResponseUrl = `${authResponseUrl}#${authResponseUrl.split("?")[1]}`;
     return authResponseUrl;
 }
-_a = (() => {
-    const { getEphemeralSessionStorage } = (() => {
-        let cache = undefined;
-        const getEphemeralSessionStorage = () => (cache ?? (cache = (0, EphemeralSessionStorage_1.createEphemeralSessionStorage)({
-            sessionStorageTtlMs: 30000
-        })));
-        return { getEphemeralSessionStorage };
-    })();
-    const KEY = "oidc-spa:persisted-redirect-auth-response";
-    function setPersistedRedirectAuthResponses(params) {
-        const { authResponses } = params;
-        const storage = getEphemeralSessionStorage();
-        storage.persistCurrentStateAndSubsequentChanges();
-        storage.setItem(KEY, JSON.stringify(authResponses));
-    }
-    function getPersistedRedirectAuthResponses() {
-        const value = getEphemeralSessionStorage().getItem(KEY);
-        const authResponses = value === null ? [] : JSON.parse(value);
-        return { authResponses };
-    }
-    return { setPersistedRedirectAuthResponses, getPersistedRedirectAuthResponses };
-})(), exports.setPersistedRedirectAuthResponses = _a.setPersistedRedirectAuthResponses, exports.getPersistedRedirectAuthResponses = _a.getPersistedRedirectAuthResponses;
 //# sourceMappingURL=AuthResponse.js.map

package/core/AuthResponse.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AuthResponse.js","sourceRoot":"","sources":["../src/core/AuthResponse.ts"],"names":[],"mappings":"~~;;;;AAWA~~,8CAkBC;~~AA7BD~~,8DAAkE;~~AAClE~~,~~8EAG0C;AAO1C,~~SAAgB,iBAAiB,CAAC,YAA0B;IACxD,IAAI,eAAe,GAAG,mBAAmB,CAAC;IAE1C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACtB,SAAS;QACb,CAAC;QACD,eAAe,GAAG,IAAA,wCAAsB,EAAC;YACrC,GAAG,EAAE,eAAe;YACpB,IAAI;YACJ,KAAK;YACL,YAAY,EAAE,UAAU;SAC3B,CAAC,CAAC;IACP,CAAC;IAED,eAAe,GAAG,GAAG,eAAe,IAAI,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,OAAO,eAAe,CAAC;AAC3B,CAAC;AAEY,KAA2E,CAAC,GAAG,EAAE;IAC1F,MAAM,EAAE,0BAA0B,EAAE,GAAG,CAAC,GAAG,EAAE;QACzC,IAAI,KAAK,GAAwC,SAAS,CAAC;QAC3D,MAAM,0BAA0B,GAAG,GAAG,EAAE,CACpC,CAAC,KAAK,KAAL,KAAK,GAAK,IAAA,uDAA6B,EAAC;YACrC,mBAAmB,EAAE,KAAM;SAC9B,CAAC,EAAC,CAAC;QACR,OAAO,EAAE,0BAA0B,EAAE,CAAC;IAC1C,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,GAAG,GAAG,2CAA2C,CAAC;IAExD,SAAS,iCAAiC,CAAC,MAAyC;QAChF,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;QAEjC,MAAM,OAAO,GAAG,0BAA0B,EAAE,CAAC;QAC7C,OAAO,CAAC,uCAAuC,EAAE,CAAC;QAElD,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,SAAS,iCAAiC;QACtC,MAAM,KAAK,GAAG,0BAA0B,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAExD,MAAM,aAAa,GAAmB,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE9E,OAAO,EAAE,aAAa,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,EAAE,iCAAiC,EAAE,iCAAiC,EAAE,CAAC;AACpF,CAAC,CAAC,EAAE,EA9BW,yCAAiC,yCAAE,yCAAiC,wCA8B9E"}
1	+ {"version":3,"file":"AuthResponse.js","sourceRoot":"","sources":["../src/core/AuthResponse.ts"],"names":[],"mappings":";;AAOA,8CAkBC;AAzBD,8DAAkE;AAOlE,SAAgB,iBAAiB,CAAC,YAA0B;IACxD,IAAI,eAAe,GAAG,mBAAmB,CAAC;IAE1C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACtB,SAAS;QACb,CAAC;QACD,eAAe,GAAG,IAAA,wCAAsB,EAAC;YACrC,GAAG,EAAE,eAAe;YACpB,IAAI;YACJ,KAAK;YACL,YAAY,EAAE,UAAU;SAC3B,CAAC,CAAC;IACP,CAAC;IAED,eAAe,GAAG,GAAG,eAAe,IAAI,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,OAAO,eAAe,CAAC;AAC3B,CAAC"}

package/core/createOidc.d.ts CHANGED Viewed

@@ -49,19 +49,6 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      *          extraTokenParams: { selectedCustomer: "xxx" }
      */
     extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
-    /**
-     * Usage discouraged, it's here because we don't want to assume too much on your
-     * usecase but I can't think of a scenario where you would want anything
-     * other than the current page.
-     *
-     * Where to redirect after successful login.
-     * Default: window.location.href (here)
-     *
-     * It does not need to include the origin, eg: "/dashboard"
-     *
-     * This parameter can also be passed to login() directly as `redirectUrl`.
-     */
-    postLoginRedirectUrl?: string;
     decodedIdTokenSchema?: {
         parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
     };
@@ -87,9 +74,42 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
     autoLogin?: AutoLogin;
     /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     *
+     *  See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
+    /**
+     * @deprecated Use `sessionRestorationMethod: "full page redirect"` instead.
+     *
      * Default: false
      *
-     * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+     * See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
      */
     noIframe?: boolean;
     debugLogs?: boolean;
@@ -136,13 +156,26 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
     BASE_URL?: string;
     /** @deprecated: Use BASE_URL (same thing, just renamed). */
     homeUrl?: string;
+    /**
+     * This parameter is irrelevant in most usecases.
+     * It tells where to redirect after a successful login or autoLogin.
+     *
+     * If you are not in autoLogin mode there is absolutely no reason to use
+     * this parameter since you can pass `login({ redirectUrl: "..." })`.
+     *
+     * It can only be useful in some edge case with `autoLogin: true`
+     * When you want to precisely redirect somewhere after login.
+     *
+     * This can make sense if you have multiple clients to talk with different
+     * API and no iframe capabilities.
+     */
+    postLoginRedirectUrl?: string;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;
-export declare function createOidc_nonMemoized<DecodedIdToken extends Record<string, unknown>, AutoLogin extends boolean>(params: Omit<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>, "issuerUri" | "clientId" | "scopes" | "debugLogs">, preProcessedParams: {
+export declare function createOidc_nonMemoized<DecodedIdToken extends Record<string, unknown>, AutoLogin extends boolean>(params: Omit<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>, "issuerUri" | "clientId" | "debugLogs">, preProcessedParams: {
     issuerUri: string;
     clientId: string;
-    scopes: string[];
     configId: string;
     log: typeof console.log | undefined;
 }): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;

package/core/createOidc.js CHANGED Viewed

@@ -58,7 +58,7 @@ const persistedAuthState_1 = require("./persistedAuthState");
 const Evt_1 = require("../tools/Evt");
 const haveSharedParentDomain_1 = require("../tools/haveSharedParentDomain");
 const loginOrGoToAuthServer_1 = require("./loginOrGoToAuthServer");
-const EphemeralSessionStorage_1 = require("../tools/EphemeralSessionStorage");
+const lazySessionStorage_1 = require("../tools/lazySessionStorage");
 const ongoingLoginOrRefreshProcesses_1 = require("./ongoingLoginOrRefreshProcesses");
 const isNewBrowserSession_1 = require("./isNewBrowserSession");
 const getIsOnline_1 = require("../tools/getIsOnline");
@@ -68,23 +68,14 @@ const prShouldLoadApp_1 = require("./prShouldLoadApp");
 const BASE_URL_1 = require("./BASE_URL");
 const isLikelyDevServer_1 = require("../tools/isLikelyDevServer");
 const createObjectThatThrowsIfAccessed_1 = require("../tools/createObjectThatThrowsIfAccessed");
+const instancesThatCantUseIframes_1 = require("./instancesThatCantUseIframes");
+const desiredPostLoginRedirectUrl_1 = require("./desiredPostLoginRedirectUrl");
 // NOTE: Replaced at build time
-const VERSION = "8.2.1";
+const VERSION = "8.2.3";
 const globalContext = {
     prOidcByConfigId: new Map(),
-    hasLogoutBeenCalled: (0, id_1.id)(false),
-    evtRequestToPersistTokens: (0, Evt_1.createEvt)()
+    hasLogoutBeenCalled: (0, id_1.id)(false)
 };
-globalContext.evtRequestToPersistTokens.subscribe(() => {
-    const { authResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
-    if (authResponse === undefined) {
-        return;
-    }
-    const { authResponses } = (0, AuthResponse_1.getPersistedRedirectAuthResponses)();
-    (0, AuthResponse_1.setPersistedRedirectAuthResponses)({
-        authResponses: [...authResponses, authResponse]
-    });
-});
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 async function createOidc(params) {
     for (const name of ["issuerUri", "clientId"]) {
@@ -93,7 +84,7 @@ async function createOidc(params) {
             throw new Error(`The parameter "${name}" is required, you provided: ${value}. (Forgot a .env variable?)`);
         }
     }
-    const { issuerUri: issuerUri_params, clientId, scopes = ["profile"], debugLogs, ...rest } = params;
+    const { issuerUri: issuerUri_params, clientId, debugLogs, ...rest } = params;
     const issuerUri = (0, toFullyQualifiedUrl_1.toFullyQualifiedUrl)({
         urlish: issuerUri_params,
         doAssertNoQueryParams: true,
@@ -135,7 +126,6 @@ async function createOidc(params) {
     const oidc = await createOidc_nonMemoized(rest, {
         issuerUri,
         clientId,
-        scopes,
         configId,
         log
     });
@@ -158,9 +148,9 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             return new Promise(() => { });
         }
     }
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, scopes = ["openid", "profile"], sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto" } = params;
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
-    const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
+    const { issuerUri, clientId, configId, log } = preProcessedParams;
     const getExtraQueryParams = (() => {
         if (extraQueryParamsOrGetter === undefined) {
             return undefined;
@@ -205,14 +195,20 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
         issuerUri,
         clientId,
         scopes,
-        configId,
-        homeUrlAndRedirectUri
+        oidcRedirectUri: homeUrlAndRedirectUri
     }, null, 2)}`);
     const stateUrlParamValue_instance = (0, StateData_1.generateStateUrlParamValue)();
     const oidcMetadata = __metadata ?? (await (0, OidcMetadata_1.fetchOidcMetadata)({ issuerUri }));
     const canUseIframe = (() => {
-        if (noIframe) {
-            return false;
+        switch (sessionRestorationMethod) {
+            case "auto":
+                break;
+            case "full page redirect":
+                return false;
+            case "iframe":
+                return true;
+            default:
+                assert_1.assert;
         }
         third_party_cookies: {
             if (oidcMetadata === undefined) {
@@ -267,7 +263,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             if (isLikelyDevServer) {
                 log?.([
                     "Detected localhost environment.",
-                    "\nWhen reloading while logged in, you may briefly see",
+                    "\nWhen reloading while logged in, you will briefly see",
                     "some URL params appear in the address bar.",
                     "\nThis happens because session restore via iframe is disabled,",
                     "the browser treats your auth server as a third party.",
@@ -294,7 +290,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         ];
                     })(),
                     "\n\nMore info:",
-                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                 ].join(" "));
             }
             else {
@@ -321,14 +317,20 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         ];
                     })(),
                     "\nMore info:",
-                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                 ].join(" "));
             }
             return false;
         }
         return true;
     })();
-    let isUserStoreInMemoryOnly = undefined;
+    (0, instancesThatCantUseIframes_1.notifyNewInstanceThatCantUseIframes)();
+    if (instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+        log?.([
+            "More than one oidc instance can't use iframe",
+            "falling back to persisting tokens in session storage"
+        ].join(" "));
+    }
     const oidcClientTsUserManager = oidcMetadata === undefined
         ? (0, createObjectThatThrowsIfAccessed_1.createObjectThatThrowsIfAccessed)({
             debugMessage: "oidc-spa: Wrong assertion 43943"
@@ -347,20 +349,17 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             userStore: new oidc_client_ts_1.WebStorageStateStore({
                 store: (() => {
                     if (canUseIframe) {
-                        isUserStoreInMemoryOnly = true;
                         return new oidc_client_ts_1.InMemoryWebStorage();
                     }
-                    isUserStoreInMemoryOnly = false;
-                    const storage = (0, EphemeralSessionStorage_1.createEphemeralSessionStorage)({
-                        sessionStorageTtlMs: 3 * 60000
-                    });
-                    const { evtRequestToPersistTokens } = globalContext;
-                    evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                        if (configIdOfInstancePostingTheRequest === configId) {
-                            return;
-                        }
+                    const storage = (0, lazySessionStorage_1.createLazySessionStorage)({ storageId: configId });
+                    if (instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
                         storage.persistCurrentStateAndSubsequentChanges();
-                    });
+                    }
+                    else {
+                        instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.subscribe(() => {
+                            storage.persistCurrentStateAndSubsequentChanges();
+                        });
+                    }
                     return storage;
                 })()
             }),
@@ -393,54 +392,52 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                 issuerUri
             });
         }
+        restore_from_session_storage: {
+            if (canUseIframe) {
+                break restore_from_session_storage;
+            }
+            if (!instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                break restore_from_session_storage;
+            }
+            let oidcClientTsUser;
+            try {
+                oidcClientTsUser = await oidcClientTsUserManager.getUser();
+            }
+            catch {
+                // NOTE: Not sure if it can throw, but let's be safe.
+                oidcClientTsUser = null;
+                try {
+                    await oidcClientTsUserManager.removeUser();
+                }
+                catch { }
+            }
+            if (oidcClientTsUser === null) {
+                break restore_from_session_storage;
+            }
+            log?.("Session was restored from session storage");
+            return {
+                oidcClientTsUser,
+                backFromAuthServer: undefined
+            };
+        }
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse = undefined;
-            get_stateData_and_authResponse: {
-                from_memory: {
-                    const { authResponse, clearAuthResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
-                    if (authResponse === undefined) {
-                        break from_memory;
-                    }
-                    const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
-                    if (stateData === undefined) {
-                        clearAuthResponse();
-                        break from_memory;
-                    }
-                    if (stateData.configId !== configId) {
-                        break from_memory;
-                    }
-                    (0, assert_1.assert)(stateData.context === "redirect", "3229492");
+            {
+                const { authResponse, clearAuthResponse } = (0, earlyInit_1.getRedirectAuthResponse)();
+                if (authResponse === undefined) {
+                    break handle_redirect_auth_response;
+                }
+                const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
+                if (stateData === undefined) {
                     clearAuthResponse();
-                    stateDataAndAuthResponse = { stateData, authResponse };
-                    break get_stateData_and_authResponse;
+                    break handle_redirect_auth_response;
                 }
-                // from storage, this is for race condition in multiple instance
-                // setup where one instance would need to redirect before
-                // the authResponse in memory had the chance to be processed.
-                // This can only happen if:
-                // 1) There are multiple oidc instances in the App.
-                // 2) They are instantiated in a non deterministic order.
-                // 3) We can't use iframe
-                // We practically never persist the auth response and do it only in session
-                // an ephemeral session storage, when we know it's gonna be required.
-                {
-                    const { authResponses } = (0, AuthResponse_1.getPersistedRedirectAuthResponses)();
-                    for (const authResponse of authResponses) {
-                        const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
-                        if (stateData === undefined) {
-                            continue;
-                        }
-                        if (stateData.configId !== configId) {
-                            continue;
-                        }
-                        (0, assert_1.assert)(stateData.context === "redirect", "35935591");
-                        (0, AuthResponse_1.setPersistedRedirectAuthResponses)({
-                            authResponses: authResponses.filter(authResponse_i => authResponse_i !== authResponse)
-                        });
-                        stateDataAndAuthResponse = { stateData, authResponse };
-                        break get_stateData_and_authResponse;
-                    }
+                if (stateData.configId !== configId) {
+                    break handle_redirect_auth_response;
                 }
+                (0, assert_1.assert)(stateData.context === "redirect", "3229492");
+                clearAuthResponse();
+                stateDataAndAuthResponse = { stateData, authResponse };
             }
             if (stateDataAndAuthResponse === undefined) {
                 break handle_redirect_auth_response;
@@ -519,34 +516,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     (0, assert_1.assert)(false);
             }
         }
-        // NOTE: We almost never persist tokens, we have to only to support edge case
-        // of multiple oidc instance in a single App with no iframe support.
-        restore_from_session_storage: {
-            (0, assert_1.assert)(isUserStoreInMemoryOnly !== undefined, "3392204");
-            if (isUserStoreInMemoryOnly) {
-                break restore_from_session_storage;
-            }
-            let oidcClientTsUser;
-            try {
-                oidcClientTsUser = await oidcClientTsUserManager.getUser();
-            }
-            catch {
-                // NOTE: Not sure if it can throw, but let's be safe.
-                oidcClientTsUser = null;
-                try {
-                    await oidcClientTsUserManager.removeUser();
-                }
-                catch { }
-            }
-            if (oidcClientTsUser === null) {
-                break restore_from_session_storage;
-            }
-            log?.("Restored the auth from ephemeral session storage");
-            return {
-                oidcClientTsUser,
-                backFromAuthServer: undefined
-            };
-        }
         silent_login_if_possible_and_auto_login: {
             const persistedAuthState = (0, persistedAuthState_1.getPersistedAuthState)({ configId });
             if (persistedAuthState === "explicitly logged out" && !autoLogin) {
@@ -599,7 +568,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         redirectUri: homeUrlAndRedirectUri,
                         clientId,
                         issuerUri,
-                        noIframe
+                        canUseIframe
                     });
                 }
                 (0, assert_1.assert)();
@@ -631,7 +600,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                             authResponse_error === "consent_required" ||
                             authResponse_error === "account_selection_required"))) {
                     log?.("Performing auto login with redirect");
-                    (0, persistedAuthState_1.persistAuthState)({ configId, state: undefined });
                     completeLoginOrRefreshProcess();
                     if (autoLogin && persistedAuthState !== "logged in") {
                         evtInitializationOutcomeUserNotLoggedIn.post();
@@ -639,15 +607,18 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     await (0, ongoingLoginOrRefreshProcesses_1.waitForAllOtherOngoingLoginOrRefreshProcessesToComplete)({
                         prUnlock: (0, loginOrGoToAuthServer_1.getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError)()
                     });
-                    if (persistedAuthState === "logged in") {
-                        globalContext.evtRequestToPersistTokens.post({
-                            configIdOfInstancePostingTheRequest: configId
-                        });
-                    }
                     await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
-                        redirectUrl: (0, earlyInit_1.getRootRelativeOriginalLocationHref)(),
+                        redirectUrl: (() => {
+                            if (postLoginRedirectUrl_default) {
+                                return postLoginRedirectUrl_default;
+                            }
+                            if (!instancesThatCantUseIframes_1.evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                                return (0, earlyInit_1.getRootRelativeOriginalLocationHref)();
+                            }
+                            return (0, desiredPostLoginRedirectUrl_1.getDesiredPostLoginRedirectUrl)() ?? window.location.href;
+                        })(),
                         // NOTE: Wether or not it's the preferred behavior, pushing to history
                         // only works on user interaction so it have to be false
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
@@ -661,7 +632,10 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                                 return "directly redirect if active session show login otherwise";
                             }
                             return "ensure no interaction";
-                        })()
+                        })(),
+                        preRedirectHook: () => {
+                            (0, persistedAuthState_1.persistAuthState)({ configId, state: undefined });
+                        }
                     });
                 }
                 if (authResponse_error !== undefined) {
@@ -748,7 +722,8 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                             transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
                             interaction: (0, persistedAuthState_1.getPersistedAuthState)({ configId }) === "explicitly logged out"
                                 ? "ensure interaction"
-                                : "directly redirect if active session show login otherwise"
+                                : "directly redirect if active session show login otherwise",
+                            preRedirectHook: undefined
                         });
                     },
                     initializationError: undefined
@@ -805,6 +780,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                 state: {
                     stateDescription: "logged in",
                     refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                    serverDateNow: currentTokens.getServerDateNow(),
                     idleSessionLifetimeInSeconds
                 }
             });
@@ -922,9 +898,6 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     await (0, ongoingLoginOrRefreshProcesses_1.waitForAllOtherOngoingLoginOrRefreshProcessesToComplete)({
                         prUnlock: new Promise(() => { })
                     });
-                    globalContext.evtRequestToPersistTokens.post({
-                        configIdOfInstancePostingTheRequest: configId
-                    });
                     await loginOrGoToAuthServer({
                         action: "login",
                         redirectUrl: window.location.href,
@@ -932,7 +905,8 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                        interaction: "directly redirect if active session show login otherwise"
+                        interaction: "directly redirect if active session show login otherwise",
+                        preRedirectHook: undefined
                     });
                     (0, assert_1.assert)(false, "136134");
                 };
@@ -1024,6 +998,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                         state: {
                             stateDescription: "logged in",
                             refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                            serverDateNow: currentTokens.getServerDateNow(),
                             idleSessionLifetimeInSeconds
                         }
                     });