npm - oidc-spa - Versions diffs - 8.2.5 → 8.2.7 - Mend

oidc-spa 8.2.5 → 8.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/core/createOidc.js +1 -1
package/esm/core/createOidc.js +1 -1
package/esm/keycloak/keycloak-js/Keycloak.d.ts +15 -15
package/esm/keycloak/keycloak-js/Keycloak.js +382 -381
package/esm/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/esm/react-spa/createOidcSpaApi.js +36 -6
package/esm/react-spa/createOidcSpaApi.js.map +1 -1
package/esm/react-spa/types.d.ts +5 -1
package/keycloak/keycloak-js/Keycloak.d.ts +15 -15
package/keycloak/keycloak-js/Keycloak.js +383 -382
package/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/package.json +1 -1
package/react-spa/createOidcSpaApi.js +35 -5
package/react-spa/createOidcSpaApi.js.map +1 -1
package/react-spa/types.d.ts +5 -1
package/src/keycloak/keycloak-js/Keycloak.ts +24 -12
package/src/react-spa/createOidcSpaApi.tsx +52 -8
package/src/react-spa/types.tsx +2 -1

package/esm/keycloak/keycloak-js/Keycloak.js CHANGED Viewed

@@ -9,7 +9,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _Keycloak_state;
+var _Keycloak_instances, _Keycloak_state, _Keycloak_init, _Keycloak_login, _Keycloak_logout, _Keycloak_register, _Keycloak_accountManagement, _Keycloak_createAccountUrl, _Keycloak_isTokenExpired, _Keycloak_updateToken, _Keycloak_hasRealmRole, _Keycloak_hasResourceRole, _Keycloak_loadUserProfile, _Keycloak_loadUserInfo;
 import { assert, is } from "../../tools/tsafe/assert";
 import { isAmong } from "../../tools/tsafe/isAmong";
 import { createOidc, OidcInitializationError } from "../../core";
@@ -37,7 +37,14 @@ export class Keycloak {
      * I'm not seeing the usecase when ran against keycloak right now so not doing it.
      */
     constructor(params) {
+        _Keycloak_instances.add(this);
         _Keycloak_state.set(this, void 0);
+        /**
+         * Called to initialize the adapter.
+         * @param initOptions Initialization options.
+         * @returns A promise to set functions to be invoked on success or error.
+         */
+        this.init = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_init).bind(this);
         /**
          * Response mode passed in init (default value is `'fragment'`).
          *
@@ -58,6 +65,109 @@ export class Keycloak {
          * NOTE oidc-spa: Can only be 'standard'
          */
         this.flow = "standard";
+        /**
+         * Redirects to login form.
+         * @param options Login options.
+         */
+        this.login = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_login).bind(this);
+        /**
+         * Redirects to logout.
+         * @param options Logout options.
+         */
+        this.logout = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_logout).bind(this);
+        /**
+         * Redirects to registration form.
+         * @param options The options used for the registration.
+         */
+        this.register = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_register).bind(this);
+        /**
+         * Redirects to the Account Management Console.
+         */
+        this.accountManagement = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_accountManagement).bind(this);
+        /**
+         * Returns the URL to login form.
+         * @param options Supports same options as Keycloak#login.
+         *
+         * NOTE oidc-spa: Not supported, please use login() method.
+         */
+        //createLoginUrl(options?: KeycloakLoginOptions): Promise<string>;
+        /**
+         * Returns the URL to logout the user.
+         * @param options Logout options.
+         *
+         * NOTE oidc-spa: Not supported, please use logout() method.
+         */
+        //createLogoutUrl(options?: KeycloakLogoutOptions): string;
+        /**
+         * Returns the URL to registration page.
+         * @param options The options used for creating the registration URL.
+         *
+         * NOTE oidc-spa: Not supported please user login({ action: "register" })
+         */
+        //createRegisterUrl(options?: KeycloakRegisterOptions): Promise<string>;
+        /**
+         * Returns the URL to the Account Management Console.
+         * @param options The options used for creating the account URL.
+         */
+        this.createAccountUrl = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_createAccountUrl).bind(this);
+        /**
+         * Returns true if the token has less than `minValidity` seconds left before
+         * it expires.
+         * @param minValidity If not specified, `0` is used.
+         */
+        this.isTokenExpired = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_isTokenExpired).bind(this);
+        /**
+         * If the token expires within `minValidity` seconds, the token is refreshed.
+         * If the session status iframe is enabled, the session status is also
+         * checked.
+         * @param minValidity If not specified, `5` is used.
+         * @returns A promise to set functions that can be invoked if the token is
+         *          still valid, or if the token is no longer valid.
+         * @example
+         * ```js
+         * keycloak.updateToken(5).then(function(refreshed) {
+         *   if (refreshed) {
+         *     alert('Token was successfully refreshed');
+         *   } else {
+         *     alert('Token is still valid');
+         *   }
+         * }).catch(function() {
+         *   alert('Failed to refresh the token, or the session has expired');
+         * });
+         */
+        this.updateToken = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_updateToken).bind(this);
+        /**
+         * Clears authentication state, including tokens. This can be useful if
+         * the application has detected the session was expired, for example if
+         * updating token fails. Invoking this results in Keycloak#onAuthLogout
+         * callback listener being invoked.
+         *
+         * NOTE oidc-spa: In this implementation we never end up in the kind of
+         * state where calling this makes sense.
+         * oidc-spa take more control and exposes less complexity to the user of the
+         * adapter.
+         */
+        //clearToken(): void;
+        /**
+         * Returns true if the token has the given realm role.
+         * @param role A realm role name.
+         */
+        this.hasRealmRole = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_hasRealmRole).bind(this);
+        /**
+         * Returns true if the token has the given role for the resource.
+         * @param role A role name.
+         * @param resource If not specified, `clientId` is used.
+         */
+        this.hasResourceRole = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_hasResourceRole).bind(this);
+        /**
+         * Loads the user's profile.
+         * @returns A promise to set functions to be invoked on success or error.
+         */
+        this.loadUserProfile = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_loadUserProfile).bind(this);
+        /**
+         * @private Undocumented.
+         */
+        this.loadUserInfo = __classPrivateFieldGet(this, _Keycloak_instances, "m", _Keycloak_loadUserInfo).bind(this);
         const issuerUri = `${params.url.replace(/\/$/, "")}/realms/${params.realm}`;
         __classPrivateFieldSet(this, _Keycloak_state, {
             constructorParams: params,
@@ -72,146 +182,6 @@ export class Keycloak {
             $onTokenExpired: createStatefulEvt(() => undefined)
         }, "f");
     }
-    /**
-     * Called to initialize the adapter.
-     * @param initOptions Initialization options.
-     * @returns A promise to set functions to be invoked on success or error.
-     */
-    async init(initOptions = {}) {
-        const { onLoad = "check-sso", redirectUri, enableLogging, scope, locale } = initOptions;
-        if (__classPrivateFieldGet(this, _Keycloak_state, "f").initOptions !== undefined) {
-            if (JSON.stringify(__classPrivateFieldGet(this, _Keycloak_state, "f").initOptions) !== JSON.stringify(initOptions)) {
-                throw new Error("Can't call init() multiple time with different params");
-            }
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
-            const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-            assert(oidc !== undefined);
-            return oidc.isUserLoggedIn;
-        }
-        __classPrivateFieldGet(this, _Keycloak_state, "f").initOptions = initOptions;
-        const { constructorParams, issuerUri } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        const autoLogin = onLoad === "login-required";
-        let hasCreateResolved = false;
-        const oidcOrError = await createOidc({
-            BASE_URL: constructorParams.BASE_URL,
-            sessionRestorationMethod: constructorParams.sessionRestorationMethod,
-            issuerUri,
-            clientId: __classPrivateFieldGet(this, _Keycloak_state, "f").constructorParams.clientId,
-            autoLogin,
-            postLoginRedirectUrl: redirectUri,
-            debugLogs: enableLogging,
-            scopes: scope?.split(" "),
-            extraQueryParams: !autoLogin || locale === undefined
-                ? undefined
-                : () => {
-                    if (hasCreateResolved) {
-                        return {};
-                    }
-                    return {
-                        ui_locales: locale
-                    };
-                }
-        })
-            // NOTE: This can only happen when autoLogin is true, otherwise the error
-            // is in oidc.initializationError
-            .catch((error) => error);
-        hasCreateResolved = true;
-        if (oidcOrError instanceof OidcInitializationError) {
-            this.onAuthError?.({
-                error: oidcOrError.name,
-                error_description: oidcOrError.message
-            });
-            await new Promise(() => { });
-            assert(false);
-        }
-        const oidc = oidcOrError;
-        if (oidc.isUserLoggedIn) {
-            const tokens = await oidc.getTokens();
-            const onNewToken = (tokens_new) => {
-                __classPrivateFieldGet(this, _Keycloak_state, "f").tokens = tokens_new;
-                this.onAuthRefreshSuccess?.();
-            };
-            onNewToken(tokens);
-            oidc.subscribeToTokensChange(onNewToken);
-        }
-        __classPrivateFieldGet(this, _Keycloak_state, "f").oidc = oidc;
-        __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.resolve();
-        this.onReady?.(oidc.isUserLoggedIn);
-        onAuthSuccess_call: {
-            if (!oidc.isUserLoggedIn) {
-                break onAuthSuccess_call;
-            }
-            this.onAuthSuccess?.();
-        }
-        onAuthError_call: {
-            if (oidc.isUserLoggedIn) {
-                break onAuthError_call;
-            }
-            if (oidc.initializationError === undefined) {
-                break onAuthError_call;
-            }
-            this.onAuthError?.({
-                error: oidc.initializationError.name,
-                error_description: oidc.initializationError.message
-            });
-        }
-        onActionUpdate_call: {
-            if (!oidc.isUserLoggedIn) {
-                break onActionUpdate_call;
-            }
-            if (this.onActionUpdate === undefined) {
-                break onActionUpdate_call;
-            }
-            const { backFromAuthServer } = oidc;
-            if (backFromAuthServer === undefined) {
-                break onActionUpdate_call;
-            }
-            const status = backFromAuthServer.result.kc_action_status;
-            if (!isAmong(["success", "cancelled", "error"], status)) {
-                break onActionUpdate_call;
-            }
-            const action = backFromAuthServer.extraQueryParams.kc_action;
-            if (action === undefined) {
-                break onActionUpdate_call;
-            }
-            this.onActionUpdate(status, action);
-        }
-        schedule_onTokenExpired_call: {
-            if (!oidc.isUserLoggedIn) {
-                break schedule_onTokenExpired_call;
-            }
-            const { $onTokenExpired } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-            let clear = undefined;
-            const next = (onTokenExpired) => {
-                clear?.();
-                if (onTokenExpired === undefined) {
-                    return;
-                }
-                let timer = undefined;
-                const onNewToken = () => {
-                    if (timer !== undefined) {
-                        workerTimers.clearTimeout(timer);
-                    }
-                    const { tokens } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-                    assert(tokens !== undefined);
-                    timer = workerTimers.setTimeout(() => {
-                        onTokenExpired.call(this);
-                    }, Math.max(tokens.accessTokenExpirationTime - tokens.getServerDateNow() - 3000, 0));
-                };
-                onNewToken();
-                const { unsubscribe } = oidc.subscribeToTokensChange(onNewToken);
-                clear = () => {
-                    if (timer !== undefined) {
-                        workerTimers.clearTimeout(timer);
-                    }
-                    unsubscribe();
-                };
-            };
-            next($onTokenExpired.current);
-            $onTokenExpired.subscribe(next);
-        }
-        return oidc.isUserLoggedIn;
-    }
     /**
      * Is true if the user is authenticated, false otherwise.
      */
@@ -514,263 +484,294 @@ export class Keycloak {
         const { $onTokenExpired } = __classPrivateFieldGet(this, _Keycloak_state, "f");
         return $onTokenExpired.current;
     }
-    /**
-     * Redirects to login form.
-     * @param options Login options.
-     */
-    async login(options) {
-        const { redirectUri, action, loginHint, acr, acrValues, idpHint, locale, doesCurrentHrefRequiresAuth } = options ?? {};
-        if (!this.didInitialize) {
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
-        }
-        const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    /** Get the underlying oidc-spa instance */
+    get oidc() {
+        assert(this.didInitialize, "Cannot get keycloak.oidc before the init() method was called and have resolved.");
+        const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
         assert(oidc !== undefined);
-        const extraQueryParams_commons = {
-            claims: acr === undefined
-                ? undefined
-                : JSON.stringify({
-                    id_token: {
-                        acr
-                    }
-                }),
-            acr_values: acrValues,
-            ui_locales: locale
-        };
-        if (oidc.isUserLoggedIn) {
-            assert(action !== "register");
-            assert(loginHint === undefined);
-            assert(idpHint === undefined);
-            assert(doesCurrentHrefRequiresAuth === undefined);
-            await oidc.goToAuthServer({
-                redirectUrl: redirectUri,
-                extraQueryParams: {
-                    ...extraQueryParams_commons,
-                    kc_action: action,
-                    ui_locales: locale
-                }
-            });
-            assert(false);
-        }
-        assert(action === undefined || action === "register");
-        await oidc.login({
-            redirectUrl: redirectUri,
-            doesCurrentHrefRequiresAuth: doesCurrentHrefRequiresAuth ?? false,
-            extraQueryParams: {
-                ...extraQueryParams_commons,
-                login_hint: loginHint,
-                kc_idp_hint: idpHint
-            },
-            transformUrlBeforeRedirect: action !== "register" ? undefined : keycloakUtils.transformUrlBeforeRedirectForRegister
-        });
-        assert(false);
+        return oidc;
     }
-    /**
-     * Redirects to logout.
-     * @param options Logout options.
-     */
-    async logout(options) {
-        if (!this.didInitialize) {
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+}
+_Keycloak_state = new WeakMap(), _Keycloak_instances = new WeakSet(), _Keycloak_init = async function _Keycloak_init(initOptions = {}) {
+    const { onLoad = "check-sso", redirectUri, enableLogging, scope, locale } = initOptions;
+    if (__classPrivateFieldGet(this, _Keycloak_state, "f").initOptions !== undefined) {
+        if (JSON.stringify(__classPrivateFieldGet(this, _Keycloak_state, "f").initOptions) !== JSON.stringify(initOptions)) {
+            throw new Error("Can't call init() multiple time with different params");
         }
-        const { oidc, initOptions } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+        const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
         assert(oidc !== undefined);
-        assert(initOptions !== undefined);
-        assert(oidc.isUserLoggedIn, "The user is not currently logged in");
-        const redirectUri = options?.redirectUri ?? initOptions.redirectUri;
-        await oidc.logout({
-            ...(redirectUri === undefined
-                ? { redirectTo: "current page" }
-                : { redirectTo: "specific url", url: redirectUri })
-        });
-        assert(false);
-    }
-    /**
-     * Redirects to registration form.
-     * @param options The options used for the registration.
-     */
-    async register(options) {
-        return this.login({
-            ...options,
-            action: "register"
-        });
-    }
-    /**
-     * Redirects to the Account Management Console.
-     */
-    async accountManagement(options) {
-        const { redirectUri, locale } = options ?? {};
-        window.location.href = this.createAccountUrl({
-            redirectUri,
-            locale
-        });
-        return new Promise(() => { });
+        return oidc.isUserLoggedIn;
     }
-    /**
-     * Returns the URL to login form.
-     * @param options Supports same options as Keycloak#login.
-     *
-     * NOTE oidc-spa: Not supported, please use login() method.
-     */
-    //createLoginUrl(options?: KeycloakLoginOptions): Promise<string>;
-    /**
-     * Returns the URL to logout the user.
-     * @param options Logout options.
-     *
-     * NOTE oidc-spa: Not supported, please use logout() method.
-     */
-    //createLogoutUrl(options?: KeycloakLogoutOptions): string;
-    /**
-     * Returns the URL to registration page.
-     * @param options The options used for creating the registration URL.
-     *
-     * NOTE oidc-spa: Not supported please user login({ action: "register" })
-     */
-    //createRegisterUrl(options?: KeycloakRegisterOptions): Promise<string>;
-    /**
-     * Returns the URL to the Account Management Console.
-     * @param options The options used for creating the account URL.
-     */
-    createAccountUrl(options) {
-        const { locale, redirectUri } = options ?? {};
-        const { keycloakUtils, constructorParams } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        return keycloakUtils.getAccountUrl({
-            clientId: this.clientId,
-            validRedirectUri: (() => {
-                if (redirectUri !== undefined) {
-                    return redirectUri;
+    __classPrivateFieldGet(this, _Keycloak_state, "f").initOptions = initOptions;
+    const { constructorParams, issuerUri } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    const autoLogin = onLoad === "login-required";
+    let hasCreateResolved = false;
+    const oidcOrError = await createOidc({
+        BASE_URL: constructorParams.BASE_URL,
+        sessionRestorationMethod: constructorParams.sessionRestorationMethod,
+        issuerUri,
+        clientId: __classPrivateFieldGet(this, _Keycloak_state, "f").constructorParams.clientId,
+        autoLogin,
+        postLoginRedirectUrl: redirectUri,
+        debugLogs: enableLogging,
+        scopes: scope?.split(" "),
+        extraQueryParams: !autoLogin || locale === undefined
+            ? undefined
+            : () => {
+                if (hasCreateResolved) {
+                    return {};
                 }
-                const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({
-                    BASE_URL_params: constructorParams.BASE_URL
-                });
-                return homeUrlAndRedirectUri;
-            })(),
-            locale
+                return {
+                    ui_locales: locale
+                };
+            }
+    })
+        // NOTE: This can only happen when autoLogin is true, otherwise the error
+        // is in oidc.initializationError
+        .catch((error) => error);
+    hasCreateResolved = true;
+    if (oidcOrError instanceof OidcInitializationError) {
+        this.onAuthError?.({
+            error: oidcOrError.name,
+            error_description: oidcOrError.message
         });
+        await new Promise(() => { });
+        assert(false);
     }
-    /**
-     * Returns true if the token has less than `minValidity` seconds left before
-     * it expires.
-     * @param minValidity If not specified, `0` is used.
-     */
-    isTokenExpired(minValidity = 0) {
-        let accessTokenExpirationTime;
-        if (!this.didInitialize) {
-            const fakeAccessToken = this.token;
-            if (fakeAccessToken === undefined) {
-                throw new Error("isTokenExpired was called too early");
-            }
-            const time = readExpirationTimeInJwt(fakeAccessToken);
-            assert(time !== undefined, "The initial token is not a JWT");
-            accessTokenExpirationTime = time;
+    const oidc = oidcOrError;
+    if (oidc.isUserLoggedIn) {
+        const tokens = await oidc.getTokens();
+        const onNewToken = (tokens_new) => {
+            __classPrivateFieldGet(this, _Keycloak_state, "f").tokens = tokens_new;
+            this.onAuthRefreshSuccess?.();
+        };
+        onNewToken(tokens);
+        oidc.subscribeToTokensChange(onNewToken);
+    }
+    __classPrivateFieldGet(this, _Keycloak_state, "f").oidc = oidc;
+    __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.resolve();
+    this.onReady?.(oidc.isUserLoggedIn);
+    onAuthSuccess_call: {
+        if (!oidc.isUserLoggedIn) {
+            break onAuthSuccess_call;
         }
-        else {
-            const { tokens } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-            assert(tokens !== undefined);
-            accessTokenExpirationTime = tokens.accessTokenExpirationTime;
+        this.onAuthSuccess?.();
+    }
+    onAuthError_call: {
+        if (oidc.isUserLoggedIn) {
+            break onAuthError_call;
         }
-        if (accessTokenExpirationTime > Date.now() + minValidity * 1000) {
-            return false;
+        if (oidc.initializationError === undefined) {
+            break onAuthError_call;
         }
-        return true;
+        this.onAuthError?.({
+            error: oidc.initializationError.name,
+            error_description: oidc.initializationError.message
+        });
     }
-    /**
-     * If the token expires within `minValidity` seconds, the token is refreshed.
-     * If the session status iframe is enabled, the session status is also
-     * checked.
-     * @param minValidity If not specified, `5` is used.
-     * @returns A promise to set functions that can be invoked if the token is
-     *          still valid, or if the token is no longer valid.
-     * @example
-     * ```js
-     * keycloak.updateToken(5).then(function(refreshed) {
-     *   if (refreshed) {
-     *     alert('Token was successfully refreshed');
-     *   } else {
-     *     alert('Token is still valid');
-     *   }
-     * }).catch(function() {
-     *   alert('Failed to refresh the token, or the session has expired');
-     * });
-     */
-    async updateToken(minValidity = 5) {
-        if (!this.didInitialize) {
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    onActionUpdate_call: {
+        if (!oidc.isUserLoggedIn) {
+            break onActionUpdate_call;
         }
-        const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        assert(oidc !== undefined);
-        assert(oidc.isUserLoggedIn, "updateToken called too early");
-        if (!this.isTokenExpired(minValidity)) {
-            return false;
+        if (this.onActionUpdate === undefined) {
+            break onActionUpdate_call;
         }
-        await oidc.renewTokens();
-        return true;
-    }
-    /**
-     * Clears authentication state, including tokens. This can be useful if
-     * the application has detected the session was expired, for example if
-     * updating token fails. Invoking this results in Keycloak#onAuthLogout
-     * callback listener being invoked.
-     *
-     * NOTE oidc-spa: In this implementation we never end up in the kind of
-     * state where calling this makes sense.
-     * oidc-spa take more control and exposes less complexity to the user of the
-     * adapter.
-     */
-    //clearToken(): void;
-    /**
-     * Returns true if the token has the given realm role.
-     * @param role A realm role name.
-     */
-    hasRealmRole(role) {
-        const access = this.realmAccess;
-        return access !== undefined && access.roles.indexOf(role) >= 0;
-    }
-    /**
-     * Returns true if the token has the given role for the resource.
-     * @param role A role name.
-     * @param resource If not specified, `clientId` is used.
-     */
-    hasResourceRole(role, resource) {
-        if (this.resourceAccess === undefined) {
-            return false;
+        const { backFromAuthServer } = oidc;
+        if (backFromAuthServer === undefined) {
+            break onActionUpdate_call;
         }
-        const access = this.resourceAccess[resource || this.clientId];
-        return access !== undefined && access.roles.indexOf(role) >= 0;
-    }
-    /**
-     * Loads the user's profile.
-     * @returns A promise to set functions to be invoked on success or error.
-     */
-    async loadUserProfile() {
-        if (!this.didInitialize) {
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+        const status = backFromAuthServer.result.kc_action_status;
+        if (!isAmong(["success", "cancelled", "error"], status)) {
+            break onActionUpdate_call;
         }
-        const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        assert(oidc !== undefined);
-        assert(oidc.isUserLoggedIn, "Can't load userProfile if user not authenticated");
-        const { accessToken } = await oidc.getTokens();
-        return (__classPrivateFieldGet(this, _Keycloak_state, "f").profile = await keycloakUtils.fetchUserProfile({ accessToken }));
-    }
-    /**
-     * @private Undocumented.
-     */
-    async loadUserInfo() {
-        if (!this.didInitialize) {
-            await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+        const action = backFromAuthServer.extraQueryParams.kc_action;
+        if (action === undefined) {
+            break onActionUpdate_call;
         }
-        const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        assert(oidc !== undefined);
-        assert(oidc.isUserLoggedIn, "Can't load userInfo if user not authenticated");
-        const { accessToken } = await oidc.getTokens();
-        return (__classPrivateFieldGet(this, _Keycloak_state, "f").userInfo = await keycloakUtils.fetchUserInfo({ accessToken }));
+        this.onActionUpdate(status, action);
     }
-    /** Get the underlying oidc-spa instance */
-    get oidc() {
-        assert(this.didInitialize, "Cannot get keycloak.oidc before the init() method was called and have resolved.");
-        const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
-        assert(oidc !== undefined);
-        return oidc;
+    schedule_onTokenExpired_call: {
+        if (!oidc.isUserLoggedIn) {
+            break schedule_onTokenExpired_call;
+        }
+        const { $onTokenExpired } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+        let clear = undefined;
+        const next = (onTokenExpired) => {
+            clear?.();
+            if (onTokenExpired === undefined) {
+                return;
+            }
+            let timer = undefined;
+            const onNewToken = () => {
+                if (timer !== undefined) {
+                    workerTimers.clearTimeout(timer);
+                }
+                const { tokens } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+                assert(tokens !== undefined);
+                timer = workerTimers.setTimeout(() => {
+                    onTokenExpired.call(this);
+                }, Math.max(tokens.accessTokenExpirationTime - tokens.getServerDateNow() - 3000, 0));
+            };
+            onNewToken();
+            const { unsubscribe } = oidc.subscribeToTokensChange(onNewToken);
+            clear = () => {
+                if (timer !== undefined) {
+                    workerTimers.clearTimeout(timer);
+                }
+                unsubscribe();
+            };
+        };
+        next($onTokenExpired.current);
+        $onTokenExpired.subscribe(next);
+    }
+    return oidc.isUserLoggedIn;
+}, _Keycloak_login = async function _Keycloak_login(options) {
+    const { redirectUri, action, loginHint, acr, acrValues, idpHint, locale, doesCurrentHrefRequiresAuth } = options ?? {};
+    if (!this.didInitialize) {
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    }
+    const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    assert(oidc !== undefined);
+    const extraQueryParams_commons = {
+        claims: acr === undefined
+            ? undefined
+            : JSON.stringify({
+                id_token: {
+                    acr
+                }
+            }),
+        acr_values: acrValues,
+        ui_locales: locale
+    };
+    if (oidc.isUserLoggedIn) {
+        assert(action !== "register");
+        assert(loginHint === undefined);
+        assert(idpHint === undefined);
+        assert(doesCurrentHrefRequiresAuth === undefined);
+        await oidc.goToAuthServer({
+            redirectUrl: redirectUri,
+            extraQueryParams: {
+                ...extraQueryParams_commons,
+                kc_action: action,
+                ui_locales: locale
+            }
+        });
+        assert(false);
     }
-}
-_Keycloak_state = new WeakMap();
+    assert(action === undefined || action === "register");
+    await oidc.login({
+        redirectUrl: redirectUri,
+        doesCurrentHrefRequiresAuth: doesCurrentHrefRequiresAuth ?? false,
+        extraQueryParams: {
+            ...extraQueryParams_commons,
+            login_hint: loginHint,
+            kc_idp_hint: idpHint
+        },
+        transformUrlBeforeRedirect: action !== "register" ? undefined : keycloakUtils.transformUrlBeforeRedirectForRegister
+    });
+    assert(false);
+}, _Keycloak_logout = async function _Keycloak_logout(options) {
+    if (!this.didInitialize) {
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    }
+    const { oidc, initOptions } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    assert(oidc !== undefined);
+    assert(initOptions !== undefined);
+    assert(oidc.isUserLoggedIn, "The user is not currently logged in");
+    const redirectUri = options?.redirectUri ?? initOptions.redirectUri;
+    await oidc.logout({
+        ...(redirectUri === undefined
+            ? { redirectTo: "current page" }
+            : { redirectTo: "specific url", url: redirectUri })
+    });
+    assert(false);
+}, _Keycloak_register = async function _Keycloak_register(options) {
+    return this.login({
+        ...options,
+        action: "register"
+    });
+}, _Keycloak_accountManagement = async function _Keycloak_accountManagement(options) {
+    const { redirectUri, locale } = options ?? {};
+    window.location.href = this.createAccountUrl({
+        redirectUri,
+        locale
+    });
+    return new Promise(() => { });
+}, _Keycloak_createAccountUrl = function _Keycloak_createAccountUrl(options) {
+    const { locale, redirectUri } = options ?? {};
+    const { keycloakUtils, constructorParams } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    return keycloakUtils.getAccountUrl({
+        clientId: this.clientId,
+        validRedirectUri: (() => {
+            if (redirectUri !== undefined) {
+                return redirectUri;
+            }
+            const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({
+                BASE_URL_params: constructorParams.BASE_URL
+            });
+            return homeUrlAndRedirectUri;
+        })(),
+        locale
+    });
+}, _Keycloak_isTokenExpired = function _Keycloak_isTokenExpired(minValidity = 0) {
+    let accessTokenExpirationTime;
+    if (!this.didInitialize) {
+        const fakeAccessToken = this.token;
+        if (fakeAccessToken === undefined) {
+            throw new Error("isTokenExpired was called too early");
+        }
+        const time = readExpirationTimeInJwt(fakeAccessToken);
+        assert(time !== undefined, "The initial token is not a JWT");
+        accessTokenExpirationTime = time;
+    }
+    else {
+        const { tokens } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+        assert(tokens !== undefined);
+        accessTokenExpirationTime = tokens.accessTokenExpirationTime;
+    }
+    if (accessTokenExpirationTime > Date.now() + minValidity * 1000) {
+        return false;
+    }
+    return true;
+}, _Keycloak_updateToken = async function _Keycloak_updateToken(minValidity = 5) {
+    if (!this.didInitialize) {
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    }
+    const { oidc } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    assert(oidc !== undefined);
+    assert(oidc.isUserLoggedIn, "updateToken called too early");
+    if (!this.isTokenExpired(minValidity)) {
+        return false;
+    }
+    await oidc.renewTokens();
+    return true;
+}, _Keycloak_hasRealmRole = function _Keycloak_hasRealmRole(role) {
+    const access = this.realmAccess;
+    return access !== undefined && access.roles.indexOf(role) >= 0;
+}, _Keycloak_hasResourceRole = function _Keycloak_hasResourceRole(role, resource) {
+    if (this.resourceAccess === undefined) {
+        return false;
+    }
+    const access = this.resourceAccess[resource || this.clientId];
+    return access !== undefined && access.roles.indexOf(role) >= 0;
+}, _Keycloak_loadUserProfile = async function _Keycloak_loadUserProfile() {
+    if (!this.didInitialize) {
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    }
+    const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    assert(oidc !== undefined);
+    assert(oidc.isUserLoggedIn, "Can't load userProfile if user not authenticated");
+    const { accessToken } = await oidc.getTokens();
+    return (__classPrivateFieldGet(this, _Keycloak_state, "f").profile = await keycloakUtils.fetchUserProfile({ accessToken }));
+}, _Keycloak_loadUserInfo = async function _Keycloak_loadUserInfo() {
+    if (!this.didInitialize) {
+        await __classPrivateFieldGet(this, _Keycloak_state, "f").dInitialized.pr;
+    }
+    const { oidc, keycloakUtils } = __classPrivateFieldGet(this, _Keycloak_state, "f");
+    assert(oidc !== undefined);
+    assert(oidc.isUserLoggedIn, "Can't load userInfo if user not authenticated");
+    const { accessToken } = await oidc.getTokens();
+    return (__classPrivateFieldGet(this, _Keycloak_state, "f").userInfo = await keycloakUtils.fetchUserInfo({ accessToken }));
+};
 //# sourceMappingURL=Keycloak.js.map