oidc-spa 8.2.2 → 8.2.3

package/src/core/createOidc.ts

@@ -52,6 +52,7 @@ import {
     evtIsThereMoreThanOneInstanceThatCantUserIframes,
     notifyNewInstanceThatCantUseIframes
 } from "./instancesThatCantUseIframes";
+import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -106,21 +107,6 @@ export type ParamsOfCreateOidc<
      *          extraTokenParams: { selectedCustomer: "xxx" }
      */
     extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
-    /**
-     * @deprecated: Use login({ redirectUrl: "..." }) instead.
-     *
-     * Usage discouraged, it's here because we don't want to assume too much on your
-     * usecase but I can't think of a scenario where you would want anything
-     * other than the current page.
-     *
-     * Where to redirect after successful login.
-     * Default: window.location.href (here)
-     *
-     * It does not need to include the origin, eg: "/dashboard"
-     *
-     * This parameter can also be passed to login() directly as `redirectUrl`.
-     */
-    postLoginRedirectUrl?: string;
 
     decodedIdTokenSchema?: {
         parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
@@ -150,9 +136,43 @@ export type ParamsOfCreateOidc<
     autoLogin?: AutoLogin;
 
     /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     *
+     *  See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
+
+    /**
+     * @deprecated Use `sessionRestorationMethod: "full page redirect"` instead.
+     *
      * Default: false
      *
-     * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+     * See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
      */
     noIframe?: boolean;
 
@@ -205,6 +225,21 @@ export type ParamsOfCreateOidc<
 
     /** @deprecated: Use BASE_URL (same thing, just renamed). */
     homeUrl?: string;
+
+    /**
+     * This parameter is irrelevant in most usecases.
+     * It tells where to redirect after a successful login or autoLogin.
+     *
+     * If you are not in autoLogin mode there is absolutely no reason to use
+     * this parameter since you can pass `login({ redirectUrl: "..." })`.
+     *
+     * It can only be useful in some edge case with `autoLogin: true`
+     * When you want to precisely redirect somewhere after login.
+     *
+     * This can make sense if you have multiple clients to talk with different
+     * API and no iframe capabilities.
+     */
+    postLoginRedirectUrl?: string;
 };
 
 const globalContext = {
@@ -338,8 +373,8 @@ export async function createOidc_nonMemoized<
         __unsafe_clientSecret,
         __unsafe_useIdTokenAsAccessToken = false,
         __metadata,
-        noIframe = false,
-        scopes = ["openid", "profile"]
+        scopes = ["openid", "profile"],
+        sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto"
     } = params;
 
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
@@ -416,8 +451,15 @@ export async function createOidc_nonMemoized<
     const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
 
     const canUseIframe = (() => {
-        if (noIframe) {
-            return false;
+        switch (sessionRestorationMethod) {
+            case "auto":
+                break;
+            case "full page redirect":
+                return false;
+            case "iframe":
+                return true;
+            default:
+                assert<Equals<typeof sessionRestorationMethod, never>>;
         }
 
         third_party_cookies: {
@@ -525,7 +567,7 @@ export async function createOidc_nonMemoized<
                             ];
                         })(),
                         "\n\nMore info:",
-                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                        "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                     ].join(" ")
                 );
             } else {
@@ -555,7 +597,7 @@ export async function createOidc_nonMemoized<
                             ];
                         })(),
                         "\nMore info:",
-                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                        "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                     ].join(" ")
                 );
             }
@@ -599,7 +641,7 @@ export async function createOidc_nonMemoized<
                               return new InMemoryWebStorage();
                           }
 
-                          const storage = createLazySessionStorage();
+                          const storage = createLazySessionStorage({ storageId: configId });
 
                           if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
                               storage.persistCurrentStateAndSubsequentChanges();
@@ -896,7 +938,7 @@ export async function createOidc_nonMemoized<
                         redirectUri: homeUrlAndRedirectUri,
                         clientId,
                         issuerUri,
-                        noIframe
+                        canUseIframe
                     });
                 }
 
@@ -957,11 +999,15 @@ export async function createOidc_nonMemoized<
                         action: "login",
                         doForceReloadOnBfCache: true,
                         redirectUrl: (() => {
-                            if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
-                                return window.location.href;
+                            if (postLoginRedirectUrl_default) {
+                                return postLoginRedirectUrl_default;
+                            }
+
+                            if (!evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                                return getRootRelativeOriginalLocationHref();
                             }
 
-                            return getRootRelativeOriginalLocationHref();
+                            return getDesiredPostLoginRedirectUrl() ?? window.location.href;
                         })(),
                         // NOTE: Wether or not it's the preferred behavior, pushing to history
                         // only works on user interaction so it have to be false

package/src/core/desiredPostLoginRedirectUrl.ts

@@ -0,0 +1,9 @@
+let postLoginRedirectUrl: string | undefined;
+
+export function setDesiredPostLoginRedirectUrl(params: { postLoginRedirectUrl: string | undefined }) {
+    postLoginRedirectUrl = params.postLoginRedirectUrl;
+}
+
+export function getDesiredPostLoginRedirectUrl() {
+    return postLoginRedirectUrl;
+}

package/src/core/diagnostic.ts

@@ -90,9 +90,9 @@ export async function createIframeTimeoutInitializationError(params: {
     redirectUri: string;
     issuerUri: string;
     clientId: string;
-    noIframe: boolean;
+    canUseIframe: boolean;
 }): Promise<OidcInitializationError> {
-    const { redirectUri, issuerUri, clientId, noIframe } = params;
+    const { redirectUri, issuerUri, clientId, canUseIframe } = params;
 
     check_if_well_known_endpoint_is_reachable: {
         const isValid = await getIsValidRemoteJson(`${issuerUri}${WELL_KNOWN_PATH}`);
@@ -105,7 +105,7 @@ export async function createIframeTimeoutInitializationError(params: {
     }
 
     iframe_blocked: {
-        if (noIframe) {
+        if (!canUseIframe) {
             break iframe_blocked;
         }
 
@@ -189,7 +189,7 @@ export async function createIframeTimeoutInitializationError(params: {
             messageOrCause: [
                 `${redirectUri} is currently served by your web server with the HTTP header \`${key_problem}: ${headers[key_problem]}\`.\n`,
                 "This header prevents the silent sign-in process from working.\n",
-                "Refer to this documentation page to fix this issue: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues"
+                "Refer to this documentation page to fix this issue: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
             ].join(" ")
         });
     }

package/src/keycloak/keycloak-js/Keycloak.ts

@@ -23,7 +23,48 @@ import { type StatefulEvt, createStatefulEvt } from "../../tools/StatefulEvt";
 import { readExpirationTimeInJwt } from "../../tools/readExpirationTimeInJwt";
 
 type ConstructorParams = KeycloakServerConfig & {
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
     BASE_URL?: string;
+
+    /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
 };
 
 /**
@@ -99,7 +140,8 @@ export class Keycloak {
         let hasCreateResolved = false;
 
         const oidcOrError = await createOidc({
-            homeUrl: constructorParams.BASE_URL,
+            BASE_URL: constructorParams.BASE_URL,
+            sessionRestorationMethod: constructorParams.sessionRestorationMethod,
             issuerUri,
             clientId: this.#state.constructorParams.clientId,
             autoLogin,

package/src/react/react.tsx

@@ -15,6 +15,7 @@ import { id } from "../tools/tsafe/id";
 import type { ValueOrAsyncGetter } from "../tools/ValueOrAsyncGetter";
 import { Deferred } from "../tools/Deferred";
 import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
+import { setDesiredPostLoginRedirectUrl } from "../core/desiredPostLoginRedirectUrl";
 
 export type OidcReact<DecodedIdToken extends Record<string, unknown>> =
     | OidcReact.NotLoggedIn
@@ -409,20 +410,48 @@ export function createReactOidc_dependencyInjection<
 
         const oidc = await getOidc();
 
+        const isUrlAlreadyReplaced =
+            window.location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
+
         if (!oidc.isUserLoggedIn) {
             if (cause === "preload") {
                 throw new Error(
                     "oidc-spa: User is not yet logged in. This is an expected error, nothing to be addressed."
                 );
             }
-            const doesCurrentHrefRequiresAuth =
-                location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
 
             await oidc.login({
                 redirectUrl,
-                doesCurrentHrefRequiresAuth
+                doesCurrentHrefRequiresAuth: isUrlAlreadyReplaced
             });
         }
+
+        define_temporary_postLoginRedirectUrl: {
+            if (isUrlAlreadyReplaced) {
+                break define_temporary_postLoginRedirectUrl;
+            }
+
+            setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: redirectUrl });
+
+            const history_pushState = history.pushState;
+            const history_replaceState = history.replaceState;
+
+            const onNavigated = () => {
+                history.pushState = history_pushState;
+                history.replaceState = history_replaceState;
+                setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: undefined });
+            };
+
+            history.pushState = function pushState(...args) {
+                onNavigated();
+                return history_pushState.call(history, ...args);
+            };
+
+            history.replaceState = function replaceState(...args) {
+                onNavigated();
+                return history_replaceState.call(history, ...args);
+            };
+        }
     }
 
     async function getOidc(): Promise<Oidc<DecodedIdToken>> {

package/src/react-spa/createOidcSpaApi.tsx

@@ -10,6 +10,7 @@ import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrow
 import { createStatefulEvt } from "../tools/StatefulEvt";
 import { id } from "../tools/tsafe/id";
 import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
+import { setDesiredPostLoginRedirectUrl } from "../core/desiredPostLoginRedirectUrl";
 
 export function createOidcSpaApi<
     AutoLogin extends boolean,
@@ -390,7 +391,7 @@ export function createOidcSpaApi<
                                 transformUrlBeforeRedirect: paramsOfBootstrap.transformUrlBeforeRedirect,
                                 extraQueryParams: paramsOfBootstrap.extraQueryParams,
                                 extraTokenParams: paramsOfBootstrap.extraTokenParams,
-                                noIframe: paramsOfBootstrap.noIframe,
+                                sessionRestorationMethod: paramsOfBootstrap.sessionRestorationMethod,
                                 debugLogs: paramsOfBootstrap.debugLogs,
                                 __unsafe_clientSecret: paramsOfBootstrap.__unsafe_clientSecret,
                                 __metadata: paramsOfBootstrap.__metadata,
@@ -440,25 +441,53 @@ export function createOidcSpaApi<
                 });
             }
 
-            return location.href;
+            return window.location.href;
         })();
 
         const oidc = await getOidc();
 
+        const isUrlAlreadyReplaced =
+            window.location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
+
         if (!oidc.isUserLoggedIn) {
             if (cause === "preload") {
                 throw new Error(
                     "oidc-spa: User is not yet logged in. This is an expected error, nothing to be addressed."
                 );
             }
-            const doesCurrentHrefRequiresAuth =
-                location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
 
             await oidc.login({
                 redirectUrl,
-                doesCurrentHrefRequiresAuth
+                doesCurrentHrefRequiresAuth: isUrlAlreadyReplaced
             });
         }
+
+        define_temporary_postLoginRedirectUrl: {
+            if (isUrlAlreadyReplaced) {
+                break define_temporary_postLoginRedirectUrl;
+            }
+
+            setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: redirectUrl });
+
+            const history_pushState = history.pushState;
+            const history_replaceState = history.replaceState;
+
+            const onNavigated = () => {
+                history.pushState = history_pushState;
+                history.replaceState = history_replaceState;
+                setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: undefined });
+            };
+
+            history.pushState = function pushState(...args) {
+                onNavigated();
+                return history_pushState.call(history, ...args);
+            };
+
+            history.replaceState = function replaceState(...args) {
+                onNavigated();
+                return history_replaceState.call(history, ...args);
+            };
+        }
     }
 
     function OidcInitializationErrorGate(props: {

package/src/react-spa/types.tsx

@@ -213,11 +213,34 @@ export namespace ParamsOfBootstrap {
             | (() => Record<string, string | undefined>);
 
         /**
-         * Default: false
+         * Determines how session restoration is handled.
+         * Session restoration allows users to stay logged in between visits
+         * without needing to explicitly sign in each time.
          *
-         * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+         * Options:
+         *
+         * - **"auto" (default)**:
+         *   Automatically selects the best method.
+         *   If the app’s domain shares a common parent domain with the authorization endpoint,
+         *   an iframe is used for silent session restoration.
+         *   Otherwise, a full-page redirect is used.
+         *
+         * - **"full page redirect"**:
+         *   Forces full-page reloads for session restoration.
+         *   Use this if your application is served with a restrictive CSP
+         *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+         *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+         *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+         *   store tokens in `localStorage` if multiple OIDC clients are used
+         *   (e.g., your app communicates with several APIs).
+         *
+         * - **"iframe"**:
+         *   Forces iframe-based session restoration.
+         *   In development, if you go in your browser setting and allow your auth server’s domain
+         *   to set third-party cookies this value will let you test your app
+         *   with the local dev server as it will behave in production.
          */
-        noIframe?: boolean;
+        sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
 
         debugLogs?: boolean;
 

package/src/tanstack-start/react/createOidcSpaApi.tsx

@@ -30,6 +30,7 @@ import { createServerFn, createMiddleware } from "@tanstack/react-start";
 import { getRequest, setResponseHeader, setResponseStatus } from "@tanstack/react-start/server";
 import { toFullyQualifiedUrl } from "../../tools/toFullyQualifiedUrl";
 import { UnifiedClientRetryForSsrLoadersError } from "./rfcUnifiedClientRetryForSsrLoaders/UnifiedClientRetryForSsrLoadersError";
+import { setDesiredPostLoginRedirectUrl } from "../../core/desiredPostLoginRedirectUrl";
 
 export function createOidcSpaApi<
     AutoLogin extends boolean,
@@ -662,7 +663,7 @@ export function createOidcSpaApi<
                                 transformUrlBeforeRedirect: paramsOfBootstrap.transformUrlBeforeRedirect,
                                 extraQueryParams: paramsOfBootstrap.extraQueryParams,
                                 extraTokenParams: paramsOfBootstrap.extraTokenParams,
-                                noIframe: paramsOfBootstrap.noIframe,
+                                sessionRestorationMethod: paramsOfBootstrap.sessionRestorationMethod,
                                 debugLogs: paramsOfBootstrap.debugLogs,
                                 __unsafe_clientSecret: paramsOfBootstrap.__unsafe_clientSecret,
                                 __metadata: paramsOfBootstrap.__metadata,
@@ -714,6 +715,9 @@ export function createOidcSpaApi<
 
         const oidc = await getOidc();
 
+        const isUrlAlreadyReplaced =
+            window.location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
+
         if (!oidc.isUserLoggedIn) {
             if (cause === "preload") {
                 throw new Error(
@@ -724,14 +728,39 @@ export function createOidcSpaApi<
                     ].join(" ")
                 );
             }
-            const doesCurrentHrefRequiresAuth =
-                location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
 
             await oidc.login({
                 redirectUrl,
-                doesCurrentHrefRequiresAuth
+                doesCurrentHrefRequiresAuth: isUrlAlreadyReplaced
             });
         }
+
+        define_temporary_postLoginRedirectUrl: {
+            if (isUrlAlreadyReplaced) {
+                break define_temporary_postLoginRedirectUrl;
+            }
+
+            setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: redirectUrl });
+
+            const history_pushState = history.pushState;
+            const history_replaceState = history.replaceState;
+
+            const onNavigated = () => {
+                history.pushState = history_pushState;
+                history.replaceState = history_replaceState;
+                setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: undefined });
+            };
+
+            history.pushState = function pushState(...args) {
+                onNavigated();
+                return history_pushState.call(history, ...args);
+            };
+
+            history.replaceState = function replaceState(...args) {
+                onNavigated();
+                return history_replaceState.call(history, ...args);
+            };
+        }
     }
 
     enforceLogin.__isOidcSpaEnforceLogin = true;

package/src/tanstack-start/react/types.tsx

@@ -306,11 +306,34 @@ export namespace ParamsOfBootstrap {
             | (() => Record<string, string | undefined>);
 
         /**
-         * Default: false
+         * Determines how session restoration is handled.
+         * Session restoration allows users to stay logged in between visits
+         * without needing to explicitly sign in each time.
          *
-         * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+         * Options:
+         *
+         * - **"auto" (default)**:
+         *   Automatically selects the best method.
+         *   If the app’s domain shares a common parent domain with the authorization endpoint,
+         *   an iframe is used for silent session restoration.
+         *   Otherwise, a full-page redirect is used.
+         *
+         * - **"full page redirect"**:
+         *   Forces full-page reloads for session restoration.
+         *   Use this if your application is served with a restrictive CSP
+         *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+         *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+         *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+         *   store tokens in `localStorage` if multiple OIDC clients are used
+         *   (e.g., your app communicates with several APIs).
+         *
+         * - **"iframe"**:
+         *   Forces iframe-based session restoration.
+         *   In development, if you go in your browser setting and allow your auth server’s domain
+         *   to set third-party cookies this value will let you test your app
+         *   with the local dev server as it will behave in production.
          */
-        noIframe?: boolean;
+        sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
 
         debugLogs?: boolean;
 

package/src/tools/lazySessionStorage.ts

@@ -1,7 +1,5 @@
 import { assert } from "../tools/tsafe/assert";
 
-const SESSION_STORAGE_PREFIX = "lazy-session-storage:";
-
 export type LazySessionStorage = {
     // `Storage` methods, we don't use the type directly because it has [name: string]: any;
     readonly length: number;
@@ -15,14 +13,20 @@ export type LazySessionStorage = {
     persistCurrentStateAndSubsequentChanges: () => void;
 };
 
-export function createLazySessionStorage(): LazySessionStorage {
+export function createLazySessionStorage(params: { storageId: string }): LazySessionStorage {
+    const { storageId } = params;
+
+    const sessionStoragePrefix = `lazy-session-storage:${storageId}:`;
+
+    const getSessionStorageKey = (key: string) => `${sessionStoragePrefix}${key}`;
+
     const entries: { key: string; value: string }[] = [];
 
     for (let i = 0; i < sessionStorage.length; i++) {
         const key = sessionStorage.key(i);
         assert(key !== null, "470498");
 
-        if (!key.startsWith(SESSION_STORAGE_PREFIX)) {
+        if (!key.startsWith(sessionStoragePrefix)) {
             continue;
         }
 
@@ -33,7 +37,7 @@ export function createLazySessionStorage(): LazySessionStorage {
         sessionStorage.removeItem(key);
 
         entries.push({
-            key: key.slice(SESSION_STORAGE_PREFIX.length),
+            key: key.slice(sessionStoragePrefix.length),
             value
         });
     }
@@ -74,7 +78,7 @@ export function createLazySessionStorage(): LazySessionStorage {
                 return;
             }
 
-            sessionStorage.removeItem(`${SESSION_STORAGE_PREFIX}${entry.key}`);
+            sessionStorage.removeItem(getSessionStorageKey(entry.key));
 
             const index = entries.indexOf(entry);
 
@@ -96,7 +100,7 @@ export function createLazySessionStorage(): LazySessionStorage {
         },
         setItem: (key, value) => {
             if (isPersistenceEnabled) {
-                sessionStorage.setItem(`${SESSION_STORAGE_PREFIX}${key}`, value);
+                sessionStorage.setItem(getSessionStorageKey(key), value);
             }
 
             update: {

package/src/vite-plugin/manageOptimizedDeps.ts

@@ -34,7 +34,8 @@ export function manageOptimizedDeps(params: {
                 const moduleNames_include = [
                     "oidc-spa/react-spa",
                     "oidc-spa/entrypoint",
-                    "oidc-spa/keycloak"
+                    "oidc-spa/keycloak",
+                    "oidc-spa/core"
                 ];
 
                 for (const moduleName of moduleNames_include) {

package/tools/lazySessionStorage.d.ts

@@ -7,4 +7,6 @@ export type LazySessionStorage = {
     setItem(key: string, value: string): void;
     persistCurrentStateAndSubsequentChanges: () => void;
 };
-export declare function createLazySessionStorage(): LazySessionStorage;
+export declare function createLazySessionStorage(params: {
+    storageId: string;
+}): LazySessionStorage;