oidc-spa 8.6.18 → 8.7.0

package/README.md

@@ -29,8 +29,8 @@
 The Framework Agnostic Adapter:
 
 ```ts
-import { createOidc } from "oidc-spa/core"; // 32 KB min+gzip (bundlephobia.com, Import Cost and NPM overestimate by counting polyfills that are only loaded when needed.)
-import { z } from "zod"; // 59kb min+zip, but it's optional.
+import { createOidc } from "oidc-spa/core"; // 32 KB min+gzip (Import Cost overestimate by counting polyfills that are only loaded when needed.)
+import { z } from "zod"; // 59 KB min+zip, but it's optional.
 
 const oidc = await createOidc({
     issuerUri: "https://auth.my-domain.net/realms/myrealm",

package/backend.d.ts

@@ -1,24 +1,6 @@
 import type { ZodSchemaLike } from "./tools/ZodSchemaLike";
-/**
- * Claims defined by RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
- * https://datatracker.ietf.org/doc/html/rfc9068
- *
- * These tokens are intended for consumption by resource servers.
- */
-export type DecodedAccessToken_RFC9068 = {
-    iss: string;
-    sub: string;
-    aud: string | string[];
-    exp: number;
-    iat: number;
-    client_id?: string;
-    scope?: string;
-    jti?: string;
-    nbf?: number;
-    auth_time?: number;
-    cnf?: Record<string, unknown>;
-    [key: string]: unknown;
-};
+import { DecodedAccessToken_RFC9068 } from "./server/types";
+export type { DecodedAccessToken_RFC9068 };
 export type ParamsOfCreateOidcBackend<DecodedAccessToken> = {
     issuerUri: string;
     decodedAccessTokenSchema?: ZodSchemaLike<DecodedAccessToken_RFC9068, DecodedAccessToken>;
@@ -45,4 +27,5 @@ export declare namespace ResultOfAccessTokenVerify {
         decodedAccessToken_original?: never;
     };
 }
+/** @deprecated: Use "oidc-spa/server" instead */
 export declare function createOidcBackend<DecodedAccessToken extends Record<string, unknown> = DecodedAccessToken_RFC9068>(params: ParamsOfCreateOidcBackend<DecodedAccessToken>): Promise<OidcBackend<DecodedAccessToken>>;

package/backend.js

@@ -1,262 +1,70 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOidcBackend = createOidcBackend;
-const tsafe_1 = require("./vendor/backend/tsafe");
-const jose_1 = require("./vendor/backend/jose");
-const zod_1 = require("./vendor/backend/zod");
-const evt_1 = require("./vendor/backend/evt");
-const zDecodedAccessToken_RFC9068 = (() => {
-    const zTargetType = zod_1.z
-        .object({
-        iss: zod_1.z.string(),
-        sub: zod_1.z.string(),
-        aud: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]),
-        exp: zod_1.z.number(),
-        iat: zod_1.z.number(),
-        client_id: zod_1.z.string().optional(),
-        scope: zod_1.z.string().optional(),
-        jti: zod_1.z.string().optional(),
-        nbf: zod_1.z.number().optional(),
-        auth_time: zod_1.z.number().optional(),
-        cnf: zod_1.z.record(zod_1.z.unknown()).optional()
-    })
-        .catchall(zod_1.z.unknown());
-    tsafe_1.assert;
-    return (0, tsafe_1.id)(zTargetType);
-})();
+const tsafe_1 = require("./vendor/server/tsafe");
+const server_1 = require("./server");
+/** @deprecated: Use "oidc-spa/server" instead */
 async function createOidcBackend(params) {
     const { issuerUri, decodedAccessTokenSchema } = params;
-    let publicSigningKeys = await fetchPublicSigningKeys({ issuerUri });
-    const evtInvalidSignature = evt_1.Evt.create();
-    evtInvalidSignature.pipe((0, evt_1.throttleTime)(3600000)).attach(async () => {
-        const publicSigningKeys_new = await (async function callee(count) {
-            let wrap;
-            try {
-                wrap = await fetchPublicSigningKeys({ issuerUri });
-            }
-            catch (error) {
-                if (count === 9) {
-                    console.warn(`Failed to refresh public key and signing algorithm after ${count + 1} attempts`);
-                    return undefined;
-                }
-                const delayMs = 1000 * Math.pow(2, count);
-                console.warn(`Failed to refresh public key and signing algorithm: ${String(error)}, retrying in ${delayMs}ms`);
-                await new Promise(resolve => setTimeout(resolve, delayMs));
-                return callee(count + 1);
-            }
-            return wrap;
-        })(0);
-        if (publicSigningKeys_new === undefined) {
-            return;
-        }
-        publicSigningKeys = publicSigningKeys_new;
+    const { bootstrapAuth, validateAndDecodeAccessToken } = decodedAccessTokenSchema === undefined
+        ? server_1.oidcSpa.createUtils()
+        : server_1.oidcSpa.withExpectedDecodedAccessTokenShape({ decodedAccessTokenSchema }).createUtils();
+    await bootstrapAuth({
+        implementation: "real",
+        issuerUri,
+        expectedAudience: undefined
     });
     return {
         verifyAndDecodeAccessToken: async ({ accessToken }) => {
-            let kid;
-            let alg;
-            {
-                let header;
-                try {
-                    header = (0, jose_1.decodeProtectedHeader)(accessToken);
-                }
-                catch {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "Failed to decode the JWT header"
-                    };
-                }
-                const { kid: kidFromHeader, alg: algFromHeader } = header;
-                if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "The decoded JWT header does not have a kid property"
-                    };
-                }
-                if (typeof algFromHeader !== "string") {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "The decoded JWT header does not specify an algorithm"
-                    };
-                }
-                const supportedAlgs = [
-                    "RS256",
-                    "RS384",
-                    "RS512",
-                    "ES256",
-                    "ES384",
-                    "ES512",
-                    "PS256",
-                    "PS384",
-                    "PS512"
-                ];
-                if (!(0, tsafe_1.isAmong)(supportedAlgs, algFromHeader)) {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
-                    };
-                }
-                kid = kidFromHeader;
-                alg = algFromHeader;
-            }
-            if (!publicSigningKeys.kidSet.has(kid)) {
-                return {
-                    isValid: false,
-                    errorCase: "invalid signature",
-                    errorMessage: `No public signing key found with kid ${kid}`
-                };
-            }
-            let payload;
-            try {
-                const verification = await (0, jose_1.jwtVerify)(accessToken, publicSigningKeys.keyResolver, {
-                    algorithms: [alg]
-                });
-                payload = verification.payload;
-            }
-            catch (error) {
-                if (error instanceof jose_1.errors.JWTExpired) {
-                    return (0, tsafe_1.id)({
-                        isValid: false,
-                        errorCase: "expired",
-                        errorMessage: error.message
-                    });
-                }
-                evtInvalidSignature.post();
-                return (0, tsafe_1.id)({
-                    isValid: false,
-                    errorCase: "invalid signature",
-                    errorMessage: error instanceof Error ? error.message : String(error)
-                });
-            }
-            const decodedAccessToken_unknown = payload;
-            try {
-                zDecodedAccessToken_RFC9068.parse(decodedAccessToken_unknown);
-            }
-            catch (error) {
-                return (0, tsafe_1.id)({
-                    isValid: false,
-                    errorCase: "does not respect schema",
-                    errorMessage: [
-                        `The decoded access token does not satisfies`,
-                        `the shape mandated by RFC9068: ${String(error)}`
-                    ].join(" ")
-                });
-            }
-            (0, tsafe_1.assert)((0, tsafe_1.is)(decodedAccessToken_unknown));
-            const decodedAccessToken_original = decodedAccessToken_unknown;
-            let decodedAccessToken;
-            if (decodedAccessTokenSchema === undefined) {
-                decodedAccessToken = decodedAccessToken_original;
-            }
-            else {
-                try {
-                    decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
+            const { isSuccess, errorCause, debugErrorMessage, decodedAccessToken, decodedAccessToken_original } = await validateAndDecodeAccessToken({
+                request: {
+                    method: "GET",
+                    url: "https://dummy.com",
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`,
+                        DPoP: undefined
+                    }
                 }
-                catch (error) {
-                    return (0, tsafe_1.id)({
-                        isValid: false,
-                        errorCase: "does not respect schema",
-                        errorMessage: String(error)
-                    });
+            });
+            if (!isSuccess) {
+                switch (errorCause) {
+                    case "missing Authorization header":
+                        (0, tsafe_1.assert)(false, "29330204");
+                    case "validation error":
+                        if (debugErrorMessage.includes("shape") ||
+                            debugErrorMessage.includes("schema")) {
+                            return {
+                                isValid: false,
+                                errorCase: "does not respect schema",
+                                errorMessage: debugErrorMessage
+                            };
+                        }
+                        return {
+                            isValid: false,
+                            errorCase: "invalid signature",
+                            errorMessage: debugErrorMessage
+                        };
+                    case "validation error - access token expired":
+                        return {
+                            isValid: false,
+                            errorCase: "expired",
+                            errorMessage: debugErrorMessage
+                        };
+                    case "validation error - invalid signature":
+                        return {
+                            isValid: false,
+                            errorCase: "invalid signature",
+                            errorMessage: debugErrorMessage
+                        };
                 }
             }
             return (0, tsafe_1.id)({
                 isValid: true,
+                // @ts-expect-error
                 decodedAccessToken,
                 decodedAccessToken_original
             });
         }
     };
 }
-async function fetchPublicSigningKeys(params) {
-    const { issuerUri } = params;
-    const { jwks_uri } = await (async () => {
-        const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
-        const response = await fetch(url);
-        if (!response.ok) {
-            throw new Error(`Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`);
-        }
-        let data;
-        try {
-            data = await response.json();
-        }
-        catch (error) {
-            throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
-        }
-        {
-            const zWellKnownConfiguration = zod_1.z.object({
-                jwks_uri: zod_1.z.string()
-            });
-            (0, tsafe_1.assert)();
-            try {
-                zWellKnownConfiguration.parse(data);
-            }
-            catch {
-                throw new Error(`${url} does not have a jwks_uri property`);
-            }
-            (0, tsafe_1.assert)((0, tsafe_1.is)(data));
-        }
-        const { jwks_uri } = data;
-        return { jwks_uri };
-    })();
-    const { jwks } = await (async () => {
-        const response = await fetch(jwks_uri);
-        if (!response.ok) {
-            throw new Error(`Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`);
-        }
-        let jwks;
-        try {
-            jwks = await response.json();
-        }
-        catch (error) {
-            throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
-        }
-        {
-            const zJwks = zod_1.z.object({
-                keys: zod_1.z.array(zod_1.z.object({
-                    kid: zod_1.z.string(),
-                    kty: zod_1.z.string(),
-                    use: zod_1.z.string().optional(),
-                    alg: zod_1.z.string().optional()
-                }))
-            });
-            (0, tsafe_1.assert)();
-            try {
-                zJwks.parse(jwks);
-            }
-            catch {
-                throw new Error(`${jwks_uri} does not have the expected shape`);
-            }
-            (0, tsafe_1.assert)((0, tsafe_1.is)(jwks));
-        }
-        return { jwks };
-    })();
-    //const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
-    const signatureKeys = jwks.keys.filter(key => {
-        if (typeof key.kid !== "string" || key.kid.length === 0) {
-            return false;
-        }
-        if (key.use !== undefined && key.use !== "sig") {
-            return false;
-        }
-        const supportedKty = ["RSA", "EC"];
-        if (!supportedKty.includes(key.kty)) {
-            return false;
-        }
-        return true;
-    });
-    (0, tsafe_1.assert)(signatureKeys.length !== 0, `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`);
-    const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
-    const keyResolver = (0, jose_1.createLocalJWKSet)({
-        keys: signatureKeys
-    });
-    return {
-        keyResolver,
-        kidSet
-    };
-}
 //# sourceMappingURL=backend.js.map

package/backend.js.map

@@ -1 +1 @@
-{"version":3,"file":"backend.js","sourceRoot":"","sources":["./src/backend.ts"],"names":[],"mappings":";;AAoGA,8CAyLC;AA7RD,kDAA8E;AAC9E,gDAM+B;AAC/B,8CAAyC;AACzC,8CAAyD;AA6BzD,MAAM,2BAA2B,GAAG,CAAC,GAAG,EAAE;IAGtC,MAAM,WAAW,GAAG,OAAC;SAChB,MAAM,CAAC;QACJ,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC/C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC5B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;KACxC,CAAC;SACD,QAAQ,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAI3B,cAAwC,CAAC;IAEzC,OAAO,IAAA,UAAE,EAAwB,WAAW,CAAC,CAAC;AAClD,CAAC,CAAC,EAAE,CAAC;AAsCE,KAAK,UAAU,iBAAiB,CAErC,MAAqD;IACnD,MAAM,EAAE,SAAS,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAEvD,IAAI,iBAAiB,GAAG,MAAM,sBAAsB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IAEpE,MAAM,mBAAmB,GAAG,SAAG,CAAC,MAAM,EAAQ,CAAC;IAE/C,mBAAmB,CAAC,IAAI,CAAC,IAAA,kBAAY,EAAC,OAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/D,MAAM,qBAAqB,GAAG,MAAM,CAAC,KAAK,UAAU,MAAM,CACtD,KAAa;YAEb,IAAI,IAAmC,CAAC;YAExC,IAAI,CAAC;gBACD,IAAI,GAAG,MAAM,sBAAsB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;oBACd,OAAO,CAAC,IAAI,CACR,4DAA4D,KAAK,GAAG,CAAC,WAAW,CACnF,CAAC;oBAEF,OAAO,SAAS,CAAC;gBACrB,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;gBAE1C,OAAO,CAAC,IAAI,CACR,uDAAuD,MAAM,CACzD,KAAK,CACR,iBAAiB,OAAO,IAAI,CAChC,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;gBAE3D,OAAO,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC7B,CAAC;YAED,OAAO,IAAI,CAAC;QAChB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEN,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO;QACX,CAAC;QAED,iBAAiB,GAAG,qBAAqB,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,OAAO;QACH,0BAA0B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAClD,IAAI,GAAW,CAAC;YAChB,IAAI,GAAW,CAAC;YAEhB,CAAC;gBACG,IAAI,MAAgD,CAAC;gBAErD,IAAI,CAAC;oBACD,MAAM,GAAG,IAAA,4BAAqB,EAAC,WAAW,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACL,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,iCAAiC;qBAClD,CAAC;gBACN,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;gBAE1D,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAClE,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,qDAAqD;qBACtE,CAAC;gBACN,CAAC;gBAED,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;oBACpC,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,sDAAsD;qBACvE,CAAC;gBACN,CAAC;gBAED,MAAM,aAAa,GAAG;oBAClB,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;iBACD,CAAC;gBAEX,IAAI,CAAC,IAAA,eAAO,EAAC,aAAa,EAAE,aAA+C,CAAC,EAAE,CAAC;oBAC3E,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,qCAAqC,aAAa,EAAE;qBACrE,CAAC;gBACN,CAAC;gBAED,GAAG,GAAG,aAAa,CAAC;gBACpB,GAAG,GAAG,aAAa,CAAC;YACxB,CAAC;YAED,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,mBAAmB;oBAC9B,YAAY,EAAE,wCAAwC,GAAG,EAAE;iBAC9D,CAAC;YACN,CAAC;YAED,IAAI,OAAmB,CAAC;YAExB,IAAI,CAAC;gBACD,MAAM,YAAY,GAAG,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,iBAAiB,CAAC,WAAW,EAAE;oBAC7E,UAAU,EAAE,CAAC,GAAG,CAAC;iBACpB,CAAC,CAAC;gBAEH,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,YAAY,aAAM,CAAC,UAAU,EAAE,CAAC;oBACrC,OAAO,IAAA,UAAE,EAAoC;wBACzC,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,SAAS;wBACpB,YAAY,EAAE,KAAK,CAAC,OAAO;qBAC9B,CAAC,CAAC;gBACP,CAAC;gBAED,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBAE3B,OAAO,IAAA,UAAE,EAAoC;oBACzC,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,mBAAmB;oBAC9B,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACvE,CAAC,CAAC;YACP,CAAC;YAED,MAAM,0BAA0B,GAAG,OAAkB,CAAC;YAEtD,IAAI,CAAC;gBACD,2BAA2B,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAClE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,OAAO,IAAA,UAAE,EAAoC;oBACzC,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,yBAAyB;oBACpC,YAAY,EAAE;wBACV,6CAA6C;wBAC7C,kCAAkC,MAAM,CAAC,KAAK,CAAC,EAAE;qBACpD,CAAC,IAAI,CAAC,GAAG,CAAC;iBACd,CAAC,CAAC;YACP,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAA6B,0BAA0B,CAAC,CAAC,CAAC;YAEnE,MAAM,2BAA2B,GAAG,0BAA0B,CAAC;YAE/D,IAAI,kBAAsC,CAAC;YAE3C,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;gBACzC,kBAAkB,GAAG,2BAA4D,CAAC;YACtF,CAAC;iBAAM,CAAC;gBACJ,IAAI,CAAC;oBACD,kBAAkB,GAAG,wBAAwB,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBACrF,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,OAAO,IAAA,UAAE,EAAoC;wBACzC,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,yBAAyB;wBACpC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC;qBAC9B,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAED,OAAO,IAAA,UAAE,EAAsD;gBAC3D,OAAO,EAAE,IAAI;gBACb,kBAAkB;gBAClB,2BAA2B;aAC9B,CAAC,CAAC;QACP,CAAC;KACJ,CAAC;AACN,CAAC;AAOD,KAAK,UAAU,sBAAsB,CAAC,MAA6B;IAC/D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QACnC,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mCAAmC,CAAC;QAE/E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,0DAA0D,SAAS,KAAK,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CACzG,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,CAAC;YAKG,MAAM,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;gBACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;aACvB,CAAC,CAAC;YAEH,IAAA,cAAM,GAA2E,CAAC;YAElF,IAAI,CAAC;gBACD,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,oCAAoC,CAAC,CAAC;YAChE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAyB,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;QAE1B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACxB,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,iDAAiD,QAAQ,KAAK,QAAQ,CAAC,UAAU,EAAE,CACtF,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,CAAC;YAUG,MAAM,KAAK,GAAG,OAAC,CAAC,MAAM,CAAC;gBACnB,IAAI,EAAE,OAAC,CAAC,KAAK,CACT,OAAC,CAAC,MAAM,CAAC;oBACL,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;oBAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;iBAC7B,CAAC,CACL;aACJ,CAAC,CAAC;YAEH,IAAA,cAAM,GAAuC,CAAC;YAE9C,IAAI,CAAC;gBACD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,mCAAmC,CAAC,CAAC;YACpE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAO,IAAI,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,CAAC;IACpB,CAAC,CAAC,EAAE,CAAC;IAEL,kGAAkG;IAClG,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;QACzC,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,IAAI,CAAU,CAAC;QAE5C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAoC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,IAAA,cAAM,EACF,aAAa,CAAC,MAAM,KAAK,CAAC,EAC1B,kCAAkC,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CACjF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5D,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC;QAClC,IAAI,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,OAAO;QACH,WAAW;QACX,MAAM;KACT,CAAC;AACN,CAAC"}
+{"version":3,"file":"backend.js","sourceRoot":"","sources":["./src/backend.ts"],"names":[],"mappings":";;AA4CA,8CAgFC;AA5HD,iDAAmD;AAGnD,qCAAmC;AAwCnC,iDAAiD;AAC1C,KAAK,UAAU,iBAAiB,CAErC,MAAqD;IACnD,MAAM,EAAE,SAAS,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAEvD,MAAM,EAAE,aAAa,EAAE,4BAA4B,EAAE,GACjD,wBAAwB,KAAK,SAAS;QAClC,CAAC,CAAC,gBAAO,CAAC,WAAW,EAAE;QACvB,CAAC,CAAC,gBAAO,CAAC,mCAAmC,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAElG,MAAM,aAAa,CAAC;QAChB,cAAc,EAAE,MAAM;QACtB,SAAS;QACT,gBAAgB,EAAE,SAAS;KAC9B,CAAC,CAAC;IAEH,OAAO;QACH,0BAA0B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAClD,MAAM,EACF,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,2BAA2B,EAC9B,GAAG,MAAM,4BAA4B,CAAC;gBACnC,OAAO,EAAE;oBACL,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,mBAAmB;oBACxB,OAAO,EAAE;wBACL,aAAa,EAAE,UAAU,WAAW,EAAE;wBACtC,IAAI,EAAE,SAAS;qBAClB;iBACJ;aACJ,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACb,QAAQ,UAAU,EAAE,CAAC;oBACjB,KAAK,8BAA8B;wBAC/B,IAAA,cAAM,EAAC,KAAK,EAAE,UAAU,CAAC,CAAC;oBAC9B,KAAK,kBAAkB;wBACnB,IACI,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC;4BACnC,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EACtC,CAAC;4BACC,OAAO;gCACH,OAAO,EAAE,KAAK;gCACd,SAAS,EAAE,yBAAyB;gCACpC,YAAY,EAAE,iBAAiB;6BAClC,CAAC;wBACN,CAAC;wBAED,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBAEN,KAAK,yCAAyC;wBAC1C,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,SAAS;4BACpB,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBACN,KAAK,sCAAsC;wBACvC,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;gBACV,CAAC;YACL,CAAC;YAED,OAAO,IAAA,UAAE,EAAsD;gBAC3D,OAAO,EAAE,IAAI;gBACb,mBAAmB;gBACnB,kBAAkB;gBAClB,2BAA2B;aAC9B,CAAC,CAAC;QACP,CAAC;KACJ,CAAC;AACN,CAAC"}

package/core/OidcMetadata.d.ts

@@ -1,4 +1,3 @@
-import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
 /**
  * OpenID Providers have metadata describing their configuration.
  *
@@ -264,8 +263,9 @@ export type OidcMetadata = {
      * @see https://datatracker.ietf.org/doc/html/rfc8414
      */
     code_challenge_methods_supported: string[];
+    dpop_signing_alg_values_supported: string[];
 };
 export declare const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
 export declare function fetchOidcMetadata(params: {
     issuerUri: string;
-}): Promise<Partial<OidcClientTsOidcMetadata> | undefined>;
+}): Promise<Partial<OidcMetadata> | undefined>;

package/core/OidcMetadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../src/core/OidcMetadata.ts"],"names":[],"mappings":";;;AA2SA,8CA8CC;AAxVD,kDAA4D;AAC5D,kEAAkE;AA6QlE,eAAsD,CAAC;AAE1C,QAAA,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAsC,CAAC;AAClE,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,uBAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,IAAA,wCAAoB,GAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}
+{"version":3,"file":"OidcMetadata.js","sourceRoot":"","sources":["../src/core/OidcMetadata.ts"],"names":[],"mappings":";;;AA6SA,8CA8CC;AA1VD,kDAA4D;AAC5D,kEAAkE;AA+QlE,eAAiG,CAAC;AAErF,QAAA,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAA0B,CAAC;AACtD,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,uBAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,IAAA,wCAAoB,GAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}

package/core/createOidc.d.ts

@@ -65,10 +65,6 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      * */
     idleSessionLifetimeInSeconds?: number;
     /**
-     * Usage discouraged, this parameter exists because we don't want to assume
-     * too much about your usecase but I can't think of a scenario where you would
-     * want anything other than the current page.
-     *
      * Default: { redirectTo: "current page" }
      */
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
@@ -170,6 +166,8 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
      * API and no iframe capabilities.
      */
     postLoginRedirectUrl?: string;
+    /** Default: false */
+    dpop?: boolean;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
 export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;

package/core/createOidc.js

@@ -72,9 +72,10 @@ const homeAndRedirectUri_1 = require("./homeAndRedirectUri");
 const ensureNonBlankPaint_1 = require("../tools/ensureNonBlankPaint");
 const StateDataCookie_1 = require("./StateDataCookie");
 const tokenPlaceholderSubstitution_1 = require("./tokenPlaceholderSubstitution");
+const dpop_1 = require("./dpop");
 const loadWebcryptoLinerShim_1 = require("../tools/loadWebcryptoLinerShim");
 // NOTE: Replaced at build time
-const VERSION = "8.6.18";
+const VERSION = "8.7.0";
 const globalContext = {
     prOidcByConfigId: new Map(),
     hasLogoutBeenCalled: (0, id_1.id)(false)
@@ -151,7 +152,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             return new Promise(() => { });
         }
     }
-    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto" } = params;
+    const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto", dpop } = params;
     const scopes = Array.from(new Set(["openid", ...(params.scopes ?? ["profile"])]));
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
     const { issuerUri, clientId, configId, log } = preProcessedParams;
@@ -200,6 +201,35 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
     }
     const stateUrlParamValue_instance = (0, StateData_1.generateStateUrlParamValue)();
     const oidcMetadata = __metadata ?? (await (0, OidcMetadata_1.fetchOidcMetadata)({ issuerUri }));
+    const isDPoPEnabled = (() => {
+        if (dpop === undefined) {
+            log?.("DPoP disabled because it wasn't explicitly enabled when calling createOidc/bootstrapOidc");
+        }
+        if (!dpop) {
+            log?.("DPoP explicitly disabled in createOidc/bootstrapOidc params");
+            return false;
+        }
+        if (oidcMetadata === undefined) {
+            return false;
+        }
+        if (__unsafe_useIdTokenAsAccessToken) {
+            return false;
+        }
+        const isSupported = (() => {
+            const { dpop_signing_alg_values_supported } = oidcMetadata;
+            if (dpop_signing_alg_values_supported === undefined) {
+                return false;
+            }
+            return dpop_signing_alg_values_supported.includes("ES256");
+        })();
+        if (!isSupported) {
+            log?.("DPoP disabled because it's not supported by your IdP");
+        }
+        else {
+            log?.("DPoP enabled");
+        }
+        return isSupported;
+    })();
     const canUseIframe = (() => {
         switch (sessionRestorationMethod) {
             case "auto":
@@ -371,7 +401,13 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                 prefix: StateData_1.STATE_STORE_KEY_PREFIX
             }),
             client_secret: __unsafe_clientSecret,
-            metadata: oidcMetadata
+            metadata: oidcMetadata,
+            dpop: !isDPoPEnabled
+                ? undefined
+                : {
+                    bind_authorization_code: false,
+                    store: (0, dpop_1.createInMemoryDPoPStore)({ configId })
+                }
         });
     const evtInitializationOutcomeUserNotLoggedIn = (0, Evt_1.createEvt)();
     const { loginOrGoToAuthServer } = (0, loginOrGoToAuthServer_1.createLoginOrGoToAuthServer)({
@@ -791,6 +827,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
         decodedIdTokenSchema,
         __unsafe_useIdTokenAsAccessToken,
         decodedIdToken_previous: undefined,
+        isDPoPEnabled,
         log
     });
     detect_useless_idleSessionLifetimeInSeconds: {
@@ -1044,6 +1081,7 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                     decodedIdTokenSchema,
                     __unsafe_useIdTokenAsAccessToken,
                     decodedIdToken_previous: currentTokens.decodedIdToken,
+                    isDPoPEnabled,
                     log
                 });
                 if ((0, persistedAuthState_1.getPersistedAuthState)({ configId }) !== undefined) {
@@ -1370,8 +1408,8 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
             configId,
             sessionId
         });
-        const { unsubscribe: unsubscribeFromIsUserActive } = evtIsUserActive.subscribe(isUserActive => {
-            if (isUserActive) {
+        const { unsubscribe: unsubscribeFromIsUserActive } = evtIsUserActive.subscribe(eventData => {
+            if (eventData.isUserActive) {
                 if (stopCountdown !== undefined) {
                     stopCountdown();
                     stopCountdown = undefined;
@@ -1382,7 +1420,9 @@ async function createOidc_nonMemoized(params, preProcessedParams) {
                 const currentRefreshTokenTtlInSeconds = getCurrentRefreshTokenTtlInSeconds();
                 (0, assert_1.assert)(currentRefreshTokenTtlInSeconds !== undefined, "902992326");
                 stopCountdown = startCountdown({
-                    countDownFromSeconds: currentRefreshTokenTtlInSeconds
+                    countDownFromSeconds: Math.floor((currentRefreshTokenTtlInSeconds * 1000 -
+                        eventData.hasBeenInactiveForHowLongMs) /
+                        1000)
                 }).stopCountdown;
             }
         });