npm - oidc-spa - Versions diffs - 8.2.1 → 8.2.3 - Mend

oidc-spa 8.2.1 → 8.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/core/AuthResponse.d.ts +0 -5
package/core/AuthResponse.js +0 -25
package/core/AuthResponse.js.map +1 -1
package/core/createOidc.d.ts +49 -16
package/core/createOidc.js +97 -122
package/core/createOidc.js.map +1 -1
package/core/desiredPostLoginRedirectUrl.d.ts +4 -0
package/core/desiredPostLoginRedirectUrl.js +12 -0
package/core/desiredPostLoginRedirectUrl.js.map +1 -0
package/core/diagnostic.d.ts +1 -1
package/core/diagnostic.js +3 -3
package/core/diagnostic.js.map +1 -1
package/core/instancesThatCantUseIframes.d.ts +2 -0
package/core/instancesThatCantUseIframes.js +20 -0
package/core/instancesThatCantUseIframes.js.map +1 -0
package/core/loginOrGoToAuthServer.d.ts +1 -0
package/core/loginOrGoToAuthServer.js +3 -0
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/persistedAuthState.d.ts +1 -0
package/core/persistedAuthState.js +14 -4
package/core/persistedAuthState.js.map +1 -1
package/esm/angular.d.ts +27 -4
package/esm/angular.js +28 -6
package/esm/angular.js.map +1 -1
package/esm/core/AuthResponse.d.ts +0 -5
package/esm/core/AuthResponse.js +0 -23
package/esm/core/AuthResponse.js.map +1 -1
package/esm/core/createOidc.d.ts +49 -16
package/esm/core/createOidc.js +98 -123
package/esm/core/createOidc.js.map +1 -1
package/esm/core/desiredPostLoginRedirectUrl.d.ts +4 -0
package/esm/core/desiredPostLoginRedirectUrl.js +8 -0
package/esm/core/desiredPostLoginRedirectUrl.js.map +1 -0
package/esm/core/diagnostic.d.ts +1 -1
package/esm/core/diagnostic.js +3 -3
package/esm/core/diagnostic.js.map +1 -1
package/esm/core/instancesThatCantUseIframes.d.ts +2 -0
package/esm/core/instancesThatCantUseIframes.js +16 -0
package/esm/core/instancesThatCantUseIframes.js.map +1 -0
package/esm/core/loginOrGoToAuthServer.d.ts +1 -0
package/esm/core/loginOrGoToAuthServer.js +3 -0
package/esm/core/loginOrGoToAuthServer.js.map +1 -1
package/esm/core/persistedAuthState.d.ts +1 -0
package/esm/core/persistedAuthState.js +14 -4
package/esm/core/persistedAuthState.js.map +1 -1
package/esm/keycloak/keycloak-js/Keycloak.d.ts +40 -0
package/esm/keycloak/keycloak-js/Keycloak.js +2 -1
package/esm/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/esm/react/react.js +24 -2
package/esm/react/react.js.map +1 -1
package/esm/react-spa/createOidcSpaApi.js +26 -4
package/esm/react-spa/createOidcSpaApi.js.map +1 -1
package/esm/react-spa/types.d.ts +26 -3
package/esm/tanstack-start/react/createOidcSpaApi.js +25 -3
package/esm/tanstack-start/react/createOidcSpaApi.js.map +1 -1
package/esm/tanstack-start/react/types.d.ts +26 -3
package/esm/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +4 -4
package/esm/tools/lazySessionStorage.js +83 -0
package/esm/tools/lazySessionStorage.js.map +1 -0
package/keycloak/keycloak-js/Keycloak.d.ts +40 -0
package/keycloak/keycloak-js/Keycloak.js +2 -1
package/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/package.json +5 -1
package/react/react.js +24 -2
package/react/react.js.map +1 -1
package/react-spa/createOidcSpaApi.js +26 -4
package/react-spa/createOidcSpaApi.js.map +1 -1
package/react-spa/types.d.ts +26 -3
package/src/angular.ts +72 -18
package/src/core/AuthResponse.ts +0 -36
package/src/core/createOidc.ts +160 -173
package/src/core/desiredPostLoginRedirectUrl.ts +9 -0
package/src/core/diagnostic.ts +4 -4
package/src/core/instancesThatCantUseIframes.ts +24 -0
package/src/core/loginOrGoToAuthServer.ts +5 -0
package/src/core/persistedAuthState.ts +27 -5
package/src/keycloak/keycloak-js/Keycloak.ts +43 -1
package/src/react/react.tsx +32 -3
package/src/react-spa/createOidcSpaApi.tsx +34 -5
package/src/react-spa/types.tsx +26 -3
package/src/tanstack-start/react/createOidcSpaApi.tsx +33 -4
package/src/tanstack-start/react/types.tsx +26 -3
package/src/tools/lazySessionStorage.ts +123 -0
package/src/vite-plugin/manageOptimizedDeps.ts +4 -1
package/tools/{EphemeralSessionStorage.d.ts → lazySessionStorage.d.ts} +4 -4
package/tools/lazySessionStorage.js +86 -0
package/tools/lazySessionStorage.js.map +1 -0
package/vite-plugin/manageOptimizedDeps.js +3 -1
package/vite-plugin/manageOptimizedDeps.js.map +1 -1
package/esm/tools/EphemeralSessionStorage.js +0 -143
package/esm/tools/EphemeralSessionStorage.js.map +0 -1
package/src/tools/EphemeralSessionStorage.ts +0 -225
package/tools/EphemeralSessionStorage.js +0 -146
package/tools/EphemeralSessionStorage.js.map +0 -1

package/esm/core/AuthResponse.js CHANGED Viewed

@@ -1,5 +1,4 @@
 import { addOrUpdateSearchParam } from "../tools/urlSearchParams";
-import { createEphemeralSessionStorage } from "../tools/EphemeralSessionStorage";
 export function authResponseToUrl(authResponse) {
     let authResponseUrl = "https://dummy.com";
     for (const [name, value] of Object.entries(authResponse)) {
@@ -16,26 +15,4 @@ export function authResponseToUrl(authResponse) {
     authResponseUrl = `${authResponseUrl}#${authResponseUrl.split("?")[1]}`;
     return authResponseUrl;
 }
-export const { setPersistedRedirectAuthResponses, getPersistedRedirectAuthResponses } = (() => {
-    const { getEphemeralSessionStorage } = (() => {
-        let cache = undefined;
-        const getEphemeralSessionStorage = () => (cache ?? (cache = createEphemeralSessionStorage({
-            sessionStorageTtlMs: 30000
-        })));
-        return { getEphemeralSessionStorage };
-    })();
-    const KEY = "oidc-spa:persisted-redirect-auth-response";
-    function setPersistedRedirectAuthResponses(params) {
-        const { authResponses } = params;
-        const storage = getEphemeralSessionStorage();
-        storage.persistCurrentStateAndSubsequentChanges();
-        storage.setItem(KEY, JSON.stringify(authResponses));
-    }
-    function getPersistedRedirectAuthResponses() {
-        const value = getEphemeralSessionStorage().getItem(KEY);
-        const authResponses = value === null ? [] : JSON.parse(value);
-        return { authResponses };
-    }
-    return { setPersistedRedirectAuthResponses, getPersistedRedirectAuthResponses };
-})();
 //# sourceMappingURL=AuthResponse.js.map

package/esm/core/AuthResponse.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AuthResponse.js","sourceRoot":"","sources":["../../src/core/AuthResponse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;~~AAClE~~,~~OAAO,EACH,6BAA6B,EAEhC,~~MAAM,~~kCAAkC,CAAC;AAO1C,MAAM,~~UAAU,iBAAiB,CAAC,YAA0B;IACxD,IAAI,eAAe,GAAG,mBAAmB,CAAC;IAE1C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACtB,SAAS;QACb,CAAC;QACD,eAAe,GAAG,sBAAsB,CAAC;YACrC,GAAG,EAAE,eAAe;YACpB,IAAI;YACJ,KAAK;YACL,YAAY,EAAE,UAAU;SAC3B,CAAC,CAAC;IACP,CAAC;IAED,eAAe,GAAG,GAAG,eAAe,IAAI,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,OAAO,eAAe,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,MAAM,EAAE,iCAAiC,EAAE,iCAAiC,EAAE,GAAG,CAAC,GAAG,EAAE;IAC1F,MAAM,EAAE,0BAA0B,EAAE,GAAG,CAAC,GAAG,EAAE;QACzC,IAAI,KAAK,GAAwC,SAAS,CAAC;QAC3D,MAAM,0BAA0B,GAAG,GAAG,EAAE,CACpC,CAAC,KAAK,KAAL,KAAK,GAAK,6BAA6B,CAAC;YACrC,mBAAmB,EAAE,KAAM;SAC9B,CAAC,EAAC,CAAC;QACR,OAAO,EAAE,0BAA0B,EAAE,CAAC;IAC1C,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,GAAG,GAAG,2CAA2C,CAAC;IAExD,SAAS,iCAAiC,CAAC,MAAyC;QAChF,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;QAEjC,MAAM,OAAO,GAAG,0BAA0B,EAAE,CAAC;QAC7C,OAAO,CAAC,uCAAuC,EAAE,CAAC;QAElD,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,SAAS,iCAAiC;QACtC,MAAM,KAAK,GAAG,0BAA0B,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAExD,MAAM,aAAa,GAAmB,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE9E,OAAO,EAAE,aAAa,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,EAAE,iCAAiC,EAAE,iCAAiC,EAAE,CAAC;AACpF,CAAC,CAAC,EAAE,CAAC"}
1	+ {"version":3,"file":"AuthResponse.js","sourceRoot":"","sources":["../../src/core/AuthResponse.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAOlE,MAAM,UAAU,iBAAiB,CAAC,YAA0B;IACxD,IAAI,eAAe,GAAG,mBAAmB,CAAC;IAE1C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACtB,SAAS;QACb,CAAC;QACD,eAAe,GAAG,sBAAsB,CAAC;YACrC,GAAG,EAAE,eAAe;YACpB,IAAI;YACJ,KAAK;YACL,YAAY,EAAE,UAAU;SAC3B,CAAC,CAAC;IACP,CAAC;IAED,eAAe,GAAG,GAAG,eAAe,IAAI,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,OAAO,eAAe,CAAC;AAC3B,CAAC"}

package/esm/core/createOidc.d.ts CHANGED Viewed

@@ -49,19 +49,6 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      *          extraTokenParams: { selectedCustomer: "xxx" }
      */
     extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
-    /**
-     * Usage discouraged, it's here because we don't want to assume too much on your
-     * usecase but I can't think of a scenario where you would want anything
-     * other than the current page.
-     *
-     * Where to redirect after successful login.
-     * Default: window.location.href (here)
-     *
-     * It does not need to include the origin, eg: "/dashboard"
-     *
-     * This parameter can also be passed to login() directly as `redirectUrl`.
-     */
-    postLoginRedirectUrl?: string;
     decodedIdTokenSchema?: {
         parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
     };
@@ -87,9 +74,42 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
     autoLogin?: AutoLogin;
     /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     *
+     *  See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
+    /**
+     * @deprecated Use `sessionRestorationMethod: "full page redirect"` instead.
+     *
      * Default: false
      *
-     * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+     * See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
      */
     noIframe?: boolean;
     debugLogs?: boolean;
@@ -136,13 +156,26 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
     BASE_URL?: string;
     /** @deprecated: Use BASE_URL (same thing, just renamed). */
     homeUrl?: string;
+    /**
+     * This parameter is irrelevant in most usecases.
+     * It tells where to redirect after a successful login or autoLogin.
+     *
+     * If you are not in autoLogin mode there is absolutely no reason to use
+     * this parameter since you can pass `login({ redirectUrl: "..." })`.
+     *
+     * It can only be useful in some edge case with `autoLogin: true`
+     * When you want to precisely redirect somewhere after login.
+     *
+     * This can make sense if you have multiple clients to talk with different
+     * API and no iframe capabilities.
+     */
+    postLoginRedirectUrl?: string;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;
-export declare function createOidc_nonMemoized<DecodedIdToken extends Record<string, unknown>, AutoLogin extends boolean>(params: Omit<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>, "issuerUri" | "clientId" | "scopes" | "debugLogs">, preProcessedParams: {
+export declare function createOidc_nonMemoized<DecodedIdToken extends Record<string, unknown>, AutoLogin extends boolean>(params: Omit<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>, "issuerUri" | "clientId" | "debugLogs">, preProcessedParams: {
     issuerUri: string;
     clientId: string;
-    scopes: string[];
     configId: string;
     log: typeof console.log | undefined;
 }): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;

package/esm/core/createOidc.js CHANGED Viewed

@@ -15,13 +15,13 @@ import { notifyOtherTabsOfLogin, getPrOtherTabLogin } from "./loginPropagationTo
 import { getConfigId } from "./configId";
 import { oidcClientTsUserToTokens } from "./oidcClientTsUserToTokens";
 import { loginSilent } from "./loginSilent";
-import { authResponseToUrl, getPersistedRedirectAuthResponses, setPersistedRedirectAuthResponses } from "./AuthResponse";
+import { authResponseToUrl } from "./AuthResponse";
 import { getRootRelativeOriginalLocationHref, getRedirectAuthResponse } from "./earlyInit";
 import { getPersistedAuthState, persistAuthState } from "./persistedAuthState";
 import { createEvt } from "../tools/Evt";
 import { getHaveSharedParentDomain } from "../tools/haveSharedParentDomain";
 import { createLoginOrGoToAuthServer, getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError } from "./loginOrGoToAuthServer";
-import { createEphemeralSessionStorage } from "../tools/EphemeralSessionStorage";
+import { createLazySessionStorage } from "../tools/lazySessionStorage";
 import { startLoginOrRefreshProcess, waitForAllOtherOngoingLoginOrRefreshProcessesToComplete } from "./ongoingLoginOrRefreshProcesses";
 import { createGetIsNewBrowserSession } from "./isNewBrowserSession";
 import { getIsOnline } from "../tools/getIsOnline";
@@ -31,23 +31,14 @@ import { prShouldLoadApp } from "./prShouldLoadApp";
 import { getBASE_URL } from "./BASE_URL";
 import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
 import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
+import { evtIsThereMoreThanOneInstanceThatCantUserIframes, notifyNewInstanceThatCantUseIframes } from "./instancesThatCantUseIframes";
+import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
 // NOTE: Replaced at build time
-const VERSION = "8.2.1";
+const VERSION = "8.2.3";
 const globalContext = {
     prOidcByConfigId: new Map(),
-    hasLogoutBeenCalled: id(false),
-    evtRequestToPersistTokens: createEvt()
+    hasLogoutBeenCalled: id(false)
 };
-globalContext.evtRequestToPersistTokens.subscribe(() => {
-    const { authResponse } = getRedirectAuthResponse();
-    if (authResponse === undefined) {
-        return;
-    }
-    const { authResponses } = getPersistedRedirectAuthResponses();
-    setPersistedRedirectAuthResponses({
-        authResponses: [...authResponses, authResponse]
-    });
-});
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export async function createOidc(params) {
     for (const name of ["issuerUri", "clientId"]) {
@@ -56,7 +47,7 @@ export async function createOidc(params) {
             throw new Error(`The parameter "${name}" is required, you provided: ${value}. (Forgot a .env variable?)`);
         }
     }
-    const { issuerUri: issuerUri_params, clientId, scopes = ["profile"], debugLogs, ...rest } = params;
+    const { issuerUri: issuerUri_params, clientId, debugLogs, ...rest } = params;
     const issuerUri = toFullyQualifiedUrl({
         urlish: issuerUri_params,
         doAssertNoQueryParams: true,
@@ -98,7 +89,6 @@ export async function createOidc(params) {
     const oidc = await createOidc_nonMemoized(rest, {
         issuerUri,
         clientId,
-        scopes,
         configId,
         log
     });
@@ -121,9 +111,9 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             return new Promise(() => { });
         }
     }
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, noIframe = false } = params;
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, scopes = ["openid", "profile"], sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto" } = params;
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
-    const { issuerUri, clientId, scopes, configId, log } = preProcessedParams;
+    const { issuerUri, clientId, configId, log } = preProcessedParams;
     const getExtraQueryParams = (() => {
         if (extraQueryParamsOrGetter === undefined) {
             return undefined;
@@ -168,14 +158,20 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
         issuerUri,
         clientId,
         scopes,
-        configId,
-        homeUrlAndRedirectUri
+        oidcRedirectUri: homeUrlAndRedirectUri
     }, null, 2)}`);
     const stateUrlParamValue_instance = generateStateUrlParamValue();
     const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
     const canUseIframe = (() => {
-        if (noIframe) {
-            return false;
+        switch (sessionRestorationMethod) {
+            case "auto":
+                break;
+            case "full page redirect":
+                return false;
+            case "iframe":
+                return true;
+            default:
+                assert;
         }
         third_party_cookies: {
             if (oidcMetadata === undefined) {
@@ -230,7 +226,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             if (isLikelyDevServer) {
                 log?.([
                     "Detected localhost environment.",
-                    "\nWhen reloading while logged in, you may briefly see",
+                    "\nWhen reloading while logged in, you will briefly see",
                     "some URL params appear in the address bar.",
                     "\nThis happens because session restore via iframe is disabled,",
                     "the browser treats your auth server as a third party.",
@@ -257,7 +253,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         ];
                     })(),
                     "\n\nMore info:",
-                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                 ].join(" "));
             }
             else {
@@ -284,14 +280,20 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         ];
                     })(),
                     "\nMore info:",
-                    "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                    "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                 ].join(" "));
             }
             return false;
         }
         return true;
     })();
-    let isUserStoreInMemoryOnly = undefined;
+    notifyNewInstanceThatCantUseIframes();
+    if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+        log?.([
+            "More than one oidc instance can't use iframe",
+            "falling back to persisting tokens in session storage"
+        ].join(" "));
+    }
     const oidcClientTsUserManager = oidcMetadata === undefined
         ? createObjectThatThrowsIfAccessed({
             debugMessage: "oidc-spa: Wrong assertion 43943"
@@ -310,20 +312,17 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
             userStore: new WebStorageStateStore({
                 store: (() => {
                     if (canUseIframe) {
-                        isUserStoreInMemoryOnly = true;
                         return new InMemoryWebStorage();
                     }
-                    isUserStoreInMemoryOnly = false;
-                    const storage = createEphemeralSessionStorage({
-                        sessionStorageTtlMs: 3 * 60000
-                    });
-                    const { evtRequestToPersistTokens } = globalContext;
-                    evtRequestToPersistTokens.subscribe(({ configIdOfInstancePostingTheRequest }) => {
-                        if (configIdOfInstancePostingTheRequest === configId) {
-                            return;
-                        }
+                    const storage = createLazySessionStorage({ storageId: configId });
+                    if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
                         storage.persistCurrentStateAndSubsequentChanges();
-                    });
+                    }
+                    else {
+                        evtIsThereMoreThanOneInstanceThatCantUserIframes.subscribe(() => {
+                            storage.persistCurrentStateAndSubsequentChanges();
+                        });
+                    }
                     return storage;
                 })()
             }),
@@ -356,54 +355,52 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                 issuerUri
             });
         }
+        restore_from_session_storage: {
+            if (canUseIframe) {
+                break restore_from_session_storage;
+            }
+            if (!evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                break restore_from_session_storage;
+            }
+            let oidcClientTsUser;
+            try {
+                oidcClientTsUser = await oidcClientTsUserManager.getUser();
+            }
+            catch {
+                // NOTE: Not sure if it can throw, but let's be safe.
+                oidcClientTsUser = null;
+                try {
+                    await oidcClientTsUserManager.removeUser();
+                }
+                catch { }
+            }
+            if (oidcClientTsUser === null) {
+                break restore_from_session_storage;
+            }
+            log?.("Session was restored from session storage");
+            return {
+                oidcClientTsUser,
+                backFromAuthServer: undefined
+            };
+        }
         handle_redirect_auth_response: {
             let stateDataAndAuthResponse = undefined;
-            get_stateData_and_authResponse: {
-                from_memory: {
-                    const { authResponse, clearAuthResponse } = getRedirectAuthResponse();
-                    if (authResponse === undefined) {
-                        break from_memory;
-                    }
-                    const stateData = getStateData({ stateUrlParamValue: authResponse.state });
-                    if (stateData === undefined) {
-                        clearAuthResponse();
-                        break from_memory;
-                    }
-                    if (stateData.configId !== configId) {
-                        break from_memory;
-                    }
-                    assert(stateData.context === "redirect", "3229492");
+            {
+                const { authResponse, clearAuthResponse } = getRedirectAuthResponse();
+                if (authResponse === undefined) {
+                    break handle_redirect_auth_response;
+                }
+                const stateData = getStateData({ stateUrlParamValue: authResponse.state });
+                if (stateData === undefined) {
                     clearAuthResponse();
-                    stateDataAndAuthResponse = { stateData, authResponse };
-                    break get_stateData_and_authResponse;
+                    break handle_redirect_auth_response;
                 }
-                // from storage, this is for race condition in multiple instance
-                // setup where one instance would need to redirect before
-                // the authResponse in memory had the chance to be processed.
-                // This can only happen if:
-                // 1) There are multiple oidc instances in the App.
-                // 2) They are instantiated in a non deterministic order.
-                // 3) We can't use iframe
-                // We practically never persist the auth response and do it only in session
-                // an ephemeral session storage, when we know it's gonna be required.
-                {
-                    const { authResponses } = getPersistedRedirectAuthResponses();
-                    for (const authResponse of authResponses) {
-                        const stateData = getStateData({ stateUrlParamValue: authResponse.state });
-                        if (stateData === undefined) {
-                            continue;
-                        }
-                        if (stateData.configId !== configId) {
-                            continue;
-                        }
-                        assert(stateData.context === "redirect", "35935591");
-                        setPersistedRedirectAuthResponses({
-                            authResponses: authResponses.filter(authResponse_i => authResponse_i !== authResponse)
-                        });
-                        stateDataAndAuthResponse = { stateData, authResponse };
-                        break get_stateData_and_authResponse;
-                    }
+                if (stateData.configId !== configId) {
+                    break handle_redirect_auth_response;
                 }
+                assert(stateData.context === "redirect", "3229492");
+                clearAuthResponse();
+                stateDataAndAuthResponse = { stateData, authResponse };
             }
             if (stateDataAndAuthResponse === undefined) {
                 break handle_redirect_auth_response;
@@ -482,34 +479,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     assert(false);
             }
         }
-        // NOTE: We almost never persist tokens, we have to only to support edge case
-        // of multiple oidc instance in a single App with no iframe support.
-        restore_from_session_storage: {
-            assert(isUserStoreInMemoryOnly !== undefined, "3392204");
-            if (isUserStoreInMemoryOnly) {
-                break restore_from_session_storage;
-            }
-            let oidcClientTsUser;
-            try {
-                oidcClientTsUser = await oidcClientTsUserManager.getUser();
-            }
-            catch {
-                // NOTE: Not sure if it can throw, but let's be safe.
-                oidcClientTsUser = null;
-                try {
-                    await oidcClientTsUserManager.removeUser();
-                }
-                catch { }
-            }
-            if (oidcClientTsUser === null) {
-                break restore_from_session_storage;
-            }
-            log?.("Restored the auth from ephemeral session storage");
-            return {
-                oidcClientTsUser,
-                backFromAuthServer: undefined
-            };
-        }
         silent_login_if_possible_and_auto_login: {
             const persistedAuthState = getPersistedAuthState({ configId });
             if (persistedAuthState === "explicitly logged out" && !autoLogin) {
@@ -562,7 +531,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         redirectUri: homeUrlAndRedirectUri,
                         clientId,
                         issuerUri,
-                        noIframe
+                        canUseIframe
                     });
                 }
                 assert();
@@ -594,7 +563,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             authResponse_error === "consent_required" ||
                             authResponse_error === "account_selection_required"))) {
                     log?.("Performing auto login with redirect");
-                    persistAuthState({ configId, state: undefined });
                     completeLoginOrRefreshProcess();
                     if (autoLogin && persistedAuthState !== "logged in") {
                         evtInitializationOutcomeUserNotLoggedIn.post();
@@ -602,15 +570,18 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
                         prUnlock: getPrSafelyRestoredFromBfCacheAfterLoginBackNavigationOrInitializationError()
                     });
-                    if (persistedAuthState === "logged in") {
-                        globalContext.evtRequestToPersistTokens.post({
-                            configIdOfInstancePostingTheRequest: configId
-                        });
-                    }
                     await loginOrGoToAuthServer({
                         action: "login",
                         doForceReloadOnBfCache: true,
-                        redirectUrl: getRootRelativeOriginalLocationHref(),
+                        redirectUrl: (() => {
+                            if (postLoginRedirectUrl_default) {
+                                return postLoginRedirectUrl_default;
+                            }
+                            if (!evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                                return getRootRelativeOriginalLocationHref();
+                            }
+                            return getDesiredPostLoginRedirectUrl() ?? window.location.href;
+                        })(),
                         // NOTE: Wether or not it's the preferred behavior, pushing to history
                         // only works on user interaction so it have to be false
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
@@ -624,7 +595,10 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                                 return "directly redirect if active session show login otherwise";
                             }
                             return "ensure no interaction";
-                        })()
+                        })(),
+                        preRedirectHook: () => {
+                            persistAuthState({ configId, state: undefined });
+                        }
                     });
                 }
                 if (authResponse_error !== undefined) {
@@ -711,7 +685,8 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                             transformUrlBeforeRedirect_local: transformUrlBeforeRedirect,
                             interaction: getPersistedAuthState({ configId }) === "explicitly logged out"
                                 ? "ensure interaction"
-                                : "directly redirect if active session show login otherwise"
+                                : "directly redirect if active session show login otherwise",
+                            preRedirectHook: undefined
                         });
                     },
                     initializationError: undefined
@@ -768,6 +743,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                 state: {
                     stateDescription: "logged in",
                     refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                    serverDateNow: currentTokens.getServerDateNow(),
                     idleSessionLifetimeInSeconds
                 }
             });
@@ -885,9 +861,6 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                     await waitForAllOtherOngoingLoginOrRefreshProcessesToComplete({
                         prUnlock: new Promise(() => { })
                     });
-                    globalContext.evtRequestToPersistTokens.post({
-                        configIdOfInstancePostingTheRequest: configId
-                    });
                     await loginOrGoToAuthServer({
                         action: "login",
                         redirectUrl: window.location.href,
@@ -895,7 +868,8 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
-                        interaction: "directly redirect if active session show login otherwise"
+                        interaction: "directly redirect if active session show login otherwise",
+                        preRedirectHook: undefined
                     });
                     assert(false, "136134");
                 };
@@ -987,6 +961,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
                         state: {
                             stateDescription: "logged in",
                             refreshTokenExpirationTime: currentTokens.refreshTokenExpirationTime,
+                            serverDateNow: currentTokens.getServerDateNow(),
                             idleSessionLifetimeInSeconds
                         }
                     });