zudoku 0.0.0-f3858d6 → 0.0.0-f49e3ea

package/lib/zudoku.auth-openid.js

@@ -1,31 +1,28 @@
 var Ie = Object.defineProperty;
-var je = (t, e, r) => e in t ? Ie(t, e, { enumerable: !0, configurable: !0, writable: !0, value: r }) : t[e] = r;
-var _ = (t, e, r) => je(t, typeof e != "symbol" ? e + "" : e, r);
-import { j as A } from "./jsx-runtime-B6kdoens.js";
-import { c as Je, g as Oe } from "./index-DJqnphbT.js";
-import { A as ze } from "./AuthenticationPlugin-Cnqy9csQ.js";
-import { useState as Ne, useRef as De, useEffect as Ke } from "react";
-import { D as We } from "./DeveloperHint-CNyuFROc.js";
-import { E as He } from "./ErrorPage-CUz-Zzmx.js";
-import { S as $e } from "./Spinner-3cQDBVGr.js";
-import { S as Fe } from "./Markdown-C-0TaxoY.js";
-import { a as Me } from "./index-SrtqdZ3j.js";
-import { u as N } from "./state-CsuHT8ZO.js";
+var je = (t, e, n) => e in t ? Ie(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var b = (t, e, n) => je(t, typeof e != "symbol" ? e + "" : e, n);
+import { j as fe } from "./jsx-runtime-B6kdoens.js";
+import { c as Je, g as Oe } from "./_commonjsHelpers-BkfeUUK-.js";
+import { A as ze } from "./AuthenticationPlugin-DeGDVa1r.js";
+import { g as De } from "./utils-DcpDOncX.js";
+import { Z as Ne } from "./invariant-Caa8-XvF.js";
+import { l as Ke } from "./index-Czzd9rjU.js";
+import { u as z } from "./state-tsXBLONe.js";
 var pe = { exports: {} };
 (function(t) {
-  (function(e, r) {
-    t.exports ? t.exports = r() : e.log = r();
+  (function(e, n) {
+    t.exports ? t.exports = n() : e.log = n();
   })(Je, function() {
     var e = function() {
-    }, r = "undefined", o = typeof window !== r && typeof window.navigator !== r && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
+    }, n = "undefined", o = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), a = [
       "trace",
       "debug",
       "info",
       "warn",
       "error"
-    ], n = {}, i = null;
-    function c(l, g) {
-      var u = l[g];
+    ], r = {}, i = null;
+    function c(l, m) {
+      var u = l[m];
       if (typeof u.bind == "function")
         return u.bind(l);
       try {
@@ -39,54 +36,54 @@ var pe = { exports: {} };
     function p() {
       console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
     }
-    function b(l) {
-      return l === "debug" && (l = "log"), typeof console === r ? !1 : l === "trace" && o ? p : console[l] !== void 0 ? c(console, l) : console.log !== void 0 ? c(console, "log") : e;
+    function _(l) {
+      return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && o ? p : console[l] !== void 0 ? c(console, l) : console.log !== void 0 ? c(console, "log") : e;
     }
     function f() {
-      for (var l = this.getLevel(), g = 0; g < s.length; g++) {
-        var u = s[g];
-        this[u] = g < l ? e : this.methodFactory(u, l, this.name);
+      for (var l = this.getLevel(), m = 0; m < a.length; m++) {
+        var u = a[m];
+        this[u] = m < l ? e : this.methodFactory(u, l, this.name);
       }
-      if (this.log = this.debug, typeof console === r && l < this.levels.SILENT)
+      if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
         return "No console available for logging";
     }
     function y(l) {
       return function() {
-        typeof console !== r && (f.call(this), this[l].apply(this, arguments));
+        typeof console !== n && (f.call(this), this[l].apply(this, arguments));
       };
     }
-    function T(l, g, u) {
-      return b(l) || y.apply(this, arguments);
+    function T(l, m, u) {
+      return _(l) || y.apply(this, arguments);
     }
-    function h(l, g) {
-      var u = this, O, B, P, S = "loglevel";
-      typeof l == "string" ? S += ":" + l : typeof l == "symbol" && (S = void 0);
-      function xe(d) {
-        var m = (s[d] || "silent").toUpperCase();
-        if (!(typeof window === r || !S)) {
+    function h(l, m) {
+      var u = this, J, F, R, v = "loglevel";
+      typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
+      function Ce(d) {
+        var g = (a[d] || "silent").toUpperCase();
+        if (!(typeof window === n || !v)) {
           try {
-            window.localStorage[S] = m;
+            window.localStorage[v] = g;
             return;
           } catch {
           }
           try {
-            window.document.cookie = encodeURIComponent(S) + "=" + m + ";";
+            window.document.cookie = encodeURIComponent(v) + "=" + g + ";";
           } catch {
           }
         }
       }
-      function ne() {
+      function te() {
         var d;
-        if (!(typeof window === r || !S)) {
+        if (!(typeof window === n || !v)) {
           try {
-            d = window.localStorage[S];
+            d = window.localStorage[v];
           } catch {
           }
-          if (typeof d === r)
+          if (typeof d === n)
             try {
-              var m = window.document.cookie, z = encodeURIComponent(S), ie = m.indexOf(z + "=");
-              ie !== -1 && (d = /^([^;]+)/.exec(
-                m.slice(ie + z.length + 1)
+              var g = window.document.cookie, O = encodeURIComponent(v), re = g.indexOf(O + "=");
+              re !== -1 && (d = /^([^;]+)/.exec(
+                g.slice(re + O.length + 1)
               )[1]);
             } catch {
             }
@@ -94,21 +91,21 @@ var pe = { exports: {} };
         }
       }
       function Le() {
-        if (!(typeof window === r || !S)) {
+        if (!(typeof window === n || !v)) {
           try {
-            window.localStorage.removeItem(S);
+            window.localStorage.removeItem(v);
           } catch {
           }
           try {
-            window.document.cookie = encodeURIComponent(S) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+            window.document.cookie = encodeURIComponent(v) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
           } catch {
           }
         }
       }
-      function x(d) {
-        var m = d;
-        if (typeof m == "string" && u.levels[m.toUpperCase()] !== void 0 && (m = u.levels[m.toUpperCase()]), typeof m == "number" && m >= 0 && m <= u.levels.SILENT)
-          return m;
+      function U(d) {
+        var g = d;
+        if (typeof g == "string" && u.levels[g.toUpperCase()] !== void 0 && (g = u.levels[g.toUpperCase()]), typeof g == "number" && g >= 0 && g <= u.levels.SILENT)
+          return g;
         throw new TypeError("log.setLevel() called with invalid level: " + d);
       }
       u.name = l, u.levels = {
@@ -118,51 +115,51 @@ var pe = { exports: {} };
         WARN: 3,
         ERROR: 4,
         SILENT: 5
-      }, u.methodFactory = g || T, u.getLevel = function() {
-        return P ?? B ?? O;
-      }, u.setLevel = function(d, m) {
-        return P = x(d), m !== !1 && xe(P), f.call(u);
+      }, u.methodFactory = m || T, u.getLevel = function() {
+        return R ?? F ?? J;
+      }, u.setLevel = function(d, g) {
+        return R = U(d), g !== !1 && Ce(R), f.call(u);
       }, u.setDefaultLevel = function(d) {
-        B = x(d), ne() || u.setLevel(d, !1);
+        F = U(d), te() || u.setLevel(d, !1);
       }, u.resetLevel = function() {
-        P = null, Le(), f.call(u);
+        R = null, Le(), f.call(u);
       }, u.enableAll = function(d) {
         u.setLevel(u.levels.TRACE, d);
       }, u.disableAll = function(d) {
         u.setLevel(u.levels.SILENT, d);
       }, u.rebuild = function() {
-        if (i !== u && (O = x(i.getLevel())), f.call(u), i === u)
-          for (var d in n)
-            n[d].rebuild();
-      }, O = x(
+        if (i !== u && (J = U(i.getLevel())), f.call(u), i === u)
+          for (var d in r)
+            r[d].rebuild();
+      }, J = U(
         i ? i.getLevel() : "WARN"
       );
-      var oe = ne();
-      oe != null && (P = x(oe)), f.call(u);
+      var ne = te();
+      ne != null && (R = U(ne)), f.call(u);
     }
-    i = new h(), i.getLogger = function(g) {
-      if (typeof g != "symbol" && typeof g != "string" || g === "")
+    i = new h(), i.getLogger = function(m) {
+      if (typeof m != "symbol" && typeof m != "string" || m === "")
         throw new TypeError("You must supply a name when creating a logger.");
-      var u = n[g];
-      return u || (u = n[g] = new h(
-        g,
+      var u = r[m];
+      return u || (u = r[m] = new h(
+        m,
         i.methodFactory
       )), u;
     };
-    var J = typeof window !== r ? window.log : void 0;
+    var j = typeof window !== n ? window.log : void 0;
     return i.noConflict = function() {
-      return typeof window !== r && window.log === i && (window.log = J), i;
+      return typeof window !== n && window.log === i && (window.log = j), i;
     }, i.getLoggers = function() {
-      return n;
+      return r;
     }, i.default = i, i;
   });
 })(pe);
-var Be = pe.exports;
-const K = /* @__PURE__ */ Oe(Be);
-let Y;
-var D, fe;
-(typeof navigator > "u" || !((fe = (D = navigator.userAgent) == null ? void 0 : D.startsWith) != null && fe.call(D, "Mozilla/5.0 "))) && (Y = "oauth4webapi/v2.17.0");
-function Q(t, e) {
+var We = pe.exports;
+const oe = /* @__PURE__ */ Oe(We);
+let V;
+var D, he;
+(typeof navigator > "u" || !((he = (D = navigator.userAgent) == null ? void 0 : D.startsWith) != null && he.call(D, "Mozilla/5.0 "))) && (V = "oauth4webapi/v2.17.0");
+function Z(t, e) {
   if (t == null)
     return !1;
   try {
@@ -171,167 +168,167 @@ function Q(t, e) {
     return !1;
   }
 }
-const H = Symbol(), qe = Symbol(), X = Symbol(), we = Symbol(), Ve = Symbol(), Ge = Symbol(), Ye = new TextEncoder(), Ze = new TextDecoder();
-function R(t) {
-  return typeof t == "string" ? Ye.encode(t) : Ze.decode(t);
+const K = Symbol(), He = Symbol(), Y = Symbol(), we = Symbol(), $e = Symbol(), Fe = Symbol(), Me = new TextEncoder(), Be = new TextDecoder();
+function E(t) {
+  return typeof t == "string" ? Me.encode(t) : Be.decode(t);
 }
-const se = 32768;
-function Qe(t) {
+const ie = 32768;
+function qe(t) {
   t instanceof ArrayBuffer && (t = new Uint8Array(t));
   const e = [];
-  for (let r = 0; r < t.byteLength; r += se)
-    e.push(String.fromCharCode.apply(null, t.subarray(r, r + se)));
+  for (let n = 0; n < t.byteLength; n += ie)
+    e.push(String.fromCharCode.apply(null, t.subarray(n, n + ie)));
   return btoa(e.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function Xe(t) {
+function Ve(t) {
   try {
-    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), r = new Uint8Array(e.length);
+    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
     for (let o = 0; o < e.length; o++)
-      r[o] = e.charCodeAt(o);
-    return r;
+      n[o] = e.charCodeAt(o);
+    return n;
   } catch (e) {
-    throw new a("The input to be decoded is not correctly encoded.", { cause: e });
+    throw new s("The input to be decoded is not correctly encoded.", { cause: e });
   }
 }
-function E(t) {
-  return typeof t == "string" ? Xe(t) : Qe(t);
+function A(t) {
+  return typeof t == "string" ? Ve(t) : qe(t);
 }
-class et {
+class Ge {
   constructor(e) {
     this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = e;
   }
   get(e) {
-    let r = this.cache.get(e);
-    if (r)
-      return r;
-    if (r = this._cache.get(e))
-      return this.update(e, r), r;
+    let n = this.cache.get(e);
+    if (n)
+      return n;
+    if (n = this._cache.get(e))
+      return this.update(e, n), n;
   }
   has(e) {
     return this.cache.has(e) || this._cache.has(e);
   }
-  set(e, r) {
-    return this.cache.has(e) ? this.cache.set(e, r) : this.update(e, r), this;
+  set(e, n) {
+    return this.cache.has(e) ? this.cache.set(e, n) : this.update(e, n), this;
   }
   delete(e) {
     return this.cache.has(e) ? this.cache.delete(e) : this._cache.has(e) ? this._cache.delete(e) : !1;
   }
-  update(e, r) {
-    this.cache.set(e, r), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  update(e, n) {
+    this.cache.set(e, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
   }
 }
-class v extends Error {
+class S extends Error {
   constructor(e) {
-    var r;
-    super(e ?? "operation not supported"), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+    var n;
+    super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
   }
 }
-class tt extends Error {
-  constructor(e, r) {
+class Ze extends Error {
+  constructor(e, n) {
     var o;
-    super(e, r), this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
+    super(e, n), this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
   }
 }
-const a = tt, ge = new et(100);
-function me(t) {
+const s = Ze, me = new Ge(100);
+function ge(t) {
   return t instanceof CryptoKey;
 }
 function ye(t) {
-  return me(t) && t.type === "private";
+  return ge(t) && t.type === "private";
 }
-function rt(t) {
-  return me(t) && t.type === "public";
+function Ye(t) {
+  return ge(t) && t.type === "public";
 }
-function ee(t) {
+function Q(t) {
   try {
     const e = t.headers.get("dpop-nonce");
-    e && ge.set(new URL(t.url).origin, e);
+    e && me.set(new URL(t.url).origin, e);
   } catch {
   }
   return t;
 }
-function L(t) {
+function C(t) {
   return !(t === null || typeof t != "object" || Array.isArray(t));
 }
-function $(t) {
-  Q(t, Headers) && (t = Object.fromEntries(t.entries()));
+function W(t) {
+  Z(t, Headers) && (t = Object.fromEntries(t.entries()));
   const e = new Headers(t);
-  if (Y && !e.has("user-agent") && e.set("user-agent", Y), e.has("authorization"))
+  if (V && !e.has("user-agent") && e.set("user-agent", V), e.has("authorization"))
     throw new TypeError('"options.headers" must not include the "authorization" header name');
   if (e.has("dpop"))
     throw new TypeError('"options.headers" must not include the "dpop" header name');
   return e;
 }
-function te(t) {
+function X(t) {
   if (typeof t == "function" && (t = t()), !(t instanceof AbortSignal))
     throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
   return t;
 }
-async function nt(t, e) {
+async function Qe(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"issuerIdentifier" must be an instance of URL');
   if (t.protocol !== "https:" && t.protocol !== "http:")
     throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
-  const r = new URL(t.href);
+  const n = new URL(t.href);
   switch (e == null ? void 0 : e.algorithm) {
     case void 0:
     case "oidc":
-      r.pathname = `${r.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
       break;
     case "oauth2":
-      r.pathname === "/" ? r.pathname = ".well-known/oauth-authorization-server" : r.pathname = `.well-known/oauth-authorization-server/${r.pathname}`.replace("//", "/");
+      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
       break;
     default:
       throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
   }
-  const o = $(e == null ? void 0 : e.headers);
-  return o.set("accept", "application/json"), ((e == null ? void 0 : e[X]) || fetch)(r.href, {
+  const o = W(e == null ? void 0 : e.headers);
+  return o.set("accept", "application/json"), ((e == null ? void 0 : e[Y]) || fetch)(n.href, {
     headers: Object.fromEntries(o.entries()),
     method: "GET",
     redirect: "manual",
-    signal: e != null && e.signal ? te(e.signal) : null
-  }).then(ee);
+    signal: e != null && e.signal ? X(e.signal) : null
+  }).then(Q);
 }
 function w(t) {
   return typeof t == "string" && t.length !== 0;
 }
-async function ot(t, e) {
+async function Xe(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"expectedIssuer" must be an instance of URL');
-  if (!Q(e, Response))
+  if (!Z(e, Response))
     throw new TypeError('"response" must be an instance of Response');
   if (e.status !== 200)
-    throw new a('"response" is not a conform Authorization Server Metadata response');
-  re(e);
-  let r;
+    throw new s('"response" is not a conform Authorization Server Metadata response');
+  ee(e);
+  let n;
   try {
-    r = await e.json();
+    n = await e.json();
   } catch (o) {
-    throw new a('failed to parse "response" body as JSON', { cause: o });
+    throw new s('failed to parse "response" body as JSON', { cause: o });
   }
-  if (!L(r))
-    throw new a('"response" body must be a top level object');
-  if (!w(r.issuer))
-    throw new a('"response" body "issuer" property must be a non-empty string');
-  if (new URL(r.issuer).href !== t.href)
-    throw new a('"response" body "issuer" does not match "expectedIssuer"');
-  return r;
+  if (!C(n))
+    throw new s('"response" body must be a top level object');
+  if (!w(n.issuer))
+    throw new s('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== t.href)
+    throw new s('"response" body "issuer" does not match "expectedIssuer"');
+  return n;
 }
-function F() {
-  return E(crypto.getRandomValues(new Uint8Array(32)));
+function H() {
+  return A(crypto.getRandomValues(new Uint8Array(32)));
 }
-function it() {
-  return F();
+function et() {
+  return H();
 }
-function st() {
-  return F();
+function tt() {
+  return H();
 }
-async function at(t) {
+async function nt(t) {
   if (!w(t))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  return E(await crypto.subtle.digest("SHA-256", R(t)));
+  return A(await crypto.subtle.digest("SHA-256", E(t)));
 }
-function ct(t) {
+function rt(t) {
   if (t instanceof CryptoKey)
     return { key: t };
   if (!((t == null ? void 0 : t.key) instanceof CryptoKey))
@@ -347,11 +344,11 @@ function ct(t) {
 function ae(t) {
   return encodeURIComponent(t).replace(/%20/g, "+");
 }
-function ut(t, e) {
-  const r = ae(t), o = ae(e);
-  return `Basic ${btoa(`${r}:${o}`)}`;
+function ot(t, e) {
+  const n = ae(t), o = ae(e);
+  return `Basic ${btoa(`${n}:${o}`)}`;
 }
-function lt(t) {
+function it(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "PS256";
@@ -360,10 +357,10 @@ function lt(t) {
     case "SHA-512":
       return "PS512";
     default:
-      throw new v("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function dt(t) {
+function at(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "RS256";
@@ -372,10 +369,10 @@ function dt(t) {
     case "SHA-512":
       return "RS512";
     default:
-      throw new v("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function ht(t) {
+function st(t) {
   switch (t.algorithm.namedCurve) {
     case "P-256":
       return "ES256";
@@ -384,295 +381,295 @@ function ht(t) {
     case "P-521":
       return "ES512";
     default:
-      throw new v("unsupported EcKeyAlgorithm namedCurve");
+      throw new S("unsupported EcKeyAlgorithm namedCurve");
   }
 }
-function _e(t) {
+function be(t) {
   switch (t.algorithm.name) {
     case "RSA-PSS":
-      return lt(t);
+      return it(t);
     case "RSASSA-PKCS1-v1_5":
-      return dt(t);
+      return at(t);
     case "ECDSA":
-      return ht(t);
+      return st(t);
     case "Ed25519":
     case "Ed448":
       return "EdDSA";
     default:
-      throw new v("unsupported CryptoKey algorithm name");
+      throw new S("unsupported CryptoKey algorithm name");
   }
 }
-function C(t) {
-  const e = t == null ? void 0 : t[H];
+function L(t) {
+  const e = t == null ? void 0 : t[K];
   return typeof e == "number" && Number.isFinite(e) ? e : 0;
 }
-function be(t) {
-  const e = t == null ? void 0 : t[qe];
+function _e(t) {
+  const e = t == null ? void 0 : t[He];
   return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
 }
-function M() {
+function $() {
   return Math.floor(Date.now() / 1e3);
 }
-function ft(t, e) {
-  const r = M() + C(e);
+function ct(t, e) {
+  const n = $() + L(e);
   return {
-    jti: F(),
+    jti: H(),
     aud: [t.issuer, t.token_endpoint],
-    exp: r + 60,
-    iat: r,
-    nbf: r,
+    exp: n + 60,
+    iat: n,
+    nbf: n,
     iss: e.client_id,
     sub: e.client_id
   };
 }
-async function pt(t, e, r, o, s) {
-  const n = { alg: _e(r), kid: o }, i = ft(t, e);
-  return s == null || s(n, i), Se(n, i, r);
+async function ut(t, e, n, o, a) {
+  const r = { alg: be(n), kid: o }, i = ct(t, e);
+  return a == null || a(r, i), ve(r, i, n);
 }
-function I(t) {
+function x(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"as" must be an object');
   if (!w(t.issuer))
     throw new TypeError('"as.issuer" property must be a non-empty string');
   return !0;
 }
-function j(t) {
+function I(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"client" must be an object');
   if (!w(t.client_id))
     throw new TypeError('"client.client_id" property must be a non-empty string');
   return !0;
 }
-function ce(t) {
+function se(t) {
   if (!w(t))
     throw new TypeError('"client.client_secret" property must be a non-empty string');
   return t;
 }
-function q(t, e) {
+function M(t, e) {
   if (e !== void 0)
     throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${t} client authentication method is used.`);
 }
-function ue(t, e) {
+function ce(t, e) {
   if (e !== void 0)
     throw new TypeError(`"client.client_secret" property must not be provided when ${t} client authentication method is used.`);
 }
-async function wt(t, e, r, o, s) {
-  switch (r.delete("client_secret"), r.delete("client_assertion_type"), r.delete("client_assertion"), e.token_endpoint_auth_method) {
+async function lt(t, e, n, o, a) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), e.token_endpoint_auth_method) {
     case void 0:
     case "client_secret_basic": {
-      q("client_secret_basic", s), o.set("authorization", ut(e.client_id, ce(e.client_secret)));
+      M("client_secret_basic", a), o.set("authorization", ot(e.client_id, se(e.client_secret)));
       break;
     }
     case "client_secret_post": {
-      q("client_secret_post", s), r.set("client_id", e.client_id), r.set("client_secret", ce(e.client_secret));
+      M("client_secret_post", a), n.set("client_id", e.client_id), n.set("client_secret", se(e.client_secret));
       break;
     }
     case "private_key_jwt": {
-      if (ue("private_key_jwt", e.client_secret), s === void 0)
+      if (ce("private_key_jwt", e.client_secret), a === void 0)
         throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
-      const { key: n, kid: i, modifyAssertion: c } = ct(s);
-      if (!ye(n))
+      const { key: r, kid: i, modifyAssertion: c } = rt(a);
+      if (!ye(r))
         throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
-      r.set("client_id", e.client_id), r.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), r.set("client_assertion", await pt(t, e, n, i, c));
+      n.set("client_id", e.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await ut(t, e, r, i, c));
       break;
     }
     case "tls_client_auth":
     case "self_signed_tls_client_auth":
     case "none": {
-      ue(e.token_endpoint_auth_method, e.client_secret), q(e.token_endpoint_auth_method, s), r.set("client_id", e.client_id);
+      ce(e.token_endpoint_auth_method, e.client_secret), M(e.token_endpoint_auth_method, a), n.set("client_id", e.client_id);
       break;
     }
     default:
-      throw new v("unsupported client token_endpoint_auth_method");
+      throw new S("unsupported client token_endpoint_auth_method");
   }
 }
-async function Se(t, e, r) {
-  if (!r.usages.includes("sign"))
+async function ve(t, e, n) {
+  if (!n.usages.includes("sign"))
     throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  const o = `${E(R(JSON.stringify(t)))}.${E(R(JSON.stringify(e)))}`, s = E(await crypto.subtle.sign(Pe(r), r, R(o)));
-  return `${o}.${s}`;
+  const o = `${A(E(JSON.stringify(t)))}.${A(E(JSON.stringify(e)))}`, a = A(await crypto.subtle.sign(Pe(n), n, E(o)));
+  return `${o}.${a}`;
 }
-async function gt(t, e, r, o, s, n) {
+async function dt(t, e, n, o, a, r) {
   var T;
-  const { privateKey: i, publicKey: c, nonce: p = ge.get(r.origin) } = e;
+  const { privateKey: i, publicKey: c, nonce: p = me.get(n.origin) } = e;
   if (!ye(i))
     throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  if (!rt(c))
+  if (!Ye(c))
     throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
   if (p !== void 0 && !w(p))
     throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
   if (!c.extractable)
     throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  const b = M() + s, f = {
-    alg: _e(i),
+  const _ = $() + a, f = {
+    alg: be(i),
     typ: "dpop+jwt",
-    jwk: await yt(c)
+    jwk: await ft(c)
   }, y = {
-    iat: b,
-    jti: F(),
+    iat: _,
+    jti: H(),
     htm: o,
     nonce: p,
-    htu: `${r.origin}${r.pathname}`,
-    ath: n ? E(await crypto.subtle.digest("SHA-256", R(n))) : void 0
+    htu: `${n.origin}${n.pathname}`,
+    ath: r ? A(await crypto.subtle.digest("SHA-256", E(r))) : void 0
   };
-  (T = e[we]) == null || T.call(e, f, y), t.set("dpop", await Se(f, y, i));
+  (T = e[we]) == null || T.call(e, f, y), t.set("dpop", await ve(f, y, i));
 }
-let W;
-async function mt(t) {
-  const { kty: e, e: r, n: o, x: s, y: n, crv: i } = await crypto.subtle.exportKey("jwk", t), c = { kty: e, e: r, n: o, x: s, y: n, crv: i };
-  return W.set(t, c), c;
+let N;
+async function ht(t) {
+  const { kty: e, e: n, n: o, x: a, y: r, crv: i } = await crypto.subtle.exportKey("jwk", t), c = { kty: e, e: n, n: o, x: a, y: r, crv: i };
+  return N.set(t, c), c;
 }
-async function yt(t) {
-  return W || (W = /* @__PURE__ */ new WeakMap()), W.get(t) || mt(t);
+async function ft(t) {
+  return N || (N = /* @__PURE__ */ new WeakMap()), N.get(t) || ht(t);
 }
-function le(t, e, r) {
+function ue(t, e, n) {
   if (typeof t != "string")
-    throw r ? new TypeError(`"as.mtls_endpoint_aliases.${e}" must be a string`) : new TypeError(`"as.${e}" must be a string`);
+    throw n ? new TypeError(`"as.mtls_endpoint_aliases.${e}" must be a string`) : new TypeError(`"as.${e}" must be a string`);
   return new URL(t);
 }
-function ve(t, e, r = !1) {
-  return r && t.mtls_endpoint_aliases && e in t.mtls_endpoint_aliases ? le(t.mtls_endpoint_aliases[e], e, r) : le(t[e], e, r);
+function Se(t, e, n = !1) {
+  return n && t.mtls_endpoint_aliases && e in t.mtls_endpoint_aliases ? ue(t.mtls_endpoint_aliases[e], e, n) : ue(t[e], e, n);
 }
 function Te(t, e) {
-  return !!(t.use_mtls_endpoint_aliases || e != null && e[Ge]);
+  return !!(t.use_mtls_endpoint_aliases || e != null && e[Fe]);
 }
-function Z(t) {
+function G(t) {
   const e = t;
   return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
 }
-async function _t(t, e, r, o, s, n) {
+async function pt(t, e, n, o, a, r) {
   if (!w(t))
     throw new TypeError('"accessToken" must be a non-empty string');
-  if (!(r instanceof URL))
+  if (!(n instanceof URL))
     throw new TypeError('"url" must be an instance of URL');
-  return o = $(o), (n == null ? void 0 : n.DPoP) === void 0 ? o.set("authorization", `Bearer ${t}`) : (await gt(o, n.DPoP, r, e.toUpperCase(), C({ [H]: n == null ? void 0 : n[H] }), t), o.set("authorization", `DPoP ${t}`)), ((n == null ? void 0 : n[X]) || fetch)(r.href, {
-    body: s,
+  return o = W(o), (r == null ? void 0 : r.DPoP) === void 0 ? o.set("authorization", `Bearer ${t}`) : (await dt(o, r.DPoP, n, e.toUpperCase(), L({ [K]: r == null ? void 0 : r[K] }), t), o.set("authorization", `DPoP ${t}`)), ((r == null ? void 0 : r[Y]) || fetch)(n.href, {
+    body: a,
     headers: Object.fromEntries(o.entries()),
     method: e,
     redirect: "manual",
-    signal: n != null && n.signal ? te(n.signal) : null
-  }).then(ee);
+    signal: r != null && r.signal ? X(r.signal) : null
+  }).then(Q);
 }
-async function bt(t, e, r, o) {
-  I(t), j(e);
-  const s = ve(t, "userinfo_endpoint", Te(e, o)), n = $(o == null ? void 0 : o.headers);
-  return e.userinfo_signed_response_alg ? n.set("accept", "application/jwt") : (n.set("accept", "application/json"), n.append("accept", "application/jwt")), _t(r, "GET", s, n, null, {
+async function wt(t, e, n, o) {
+  x(t), I(e);
+  const a = Se(t, "userinfo_endpoint", Te(e, o)), r = W(o == null ? void 0 : o.headers);
+  return e.userinfo_signed_response_alg ? r.set("accept", "application/jwt") : (r.set("accept", "application/json"), r.append("accept", "application/jwt")), pt(n, "GET", a, r, null, {
     ...o,
-    [H]: C(e)
+    [K]: L(e)
   });
 }
-async function St(t, e, r, o, s, n, i) {
-  return await wt(t, e, s, n, i == null ? void 0 : i.clientPrivateKey), n.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[X]) || fetch)(o.href, {
-    body: s,
-    headers: Object.fromEntries(n.entries()),
-    method: r,
+async function mt(t, e, n, o, a, r, i) {
+  return await lt(t, e, a, r, i == null ? void 0 : i.clientPrivateKey), r.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[Y]) || fetch)(o.href, {
+    body: a,
+    headers: Object.fromEntries(r.entries()),
+    method: n,
     redirect: "manual",
-    signal: i != null && i.signal ? te(i.signal) : null
-  }).then(ee);
+    signal: i != null && i.signal ? X(i.signal) : null
+  }).then(Q);
 }
-async function ke(t, e, r, o, s) {
-  const n = ve(t, "token_endpoint", Te(e, s));
-  o.set("grant_type", r);
-  const i = $(s == null ? void 0 : s.headers);
-  return i.set("accept", "application/json"), St(t, e, "POST", n, o, i, s);
+async function ke(t, e, n, o, a) {
+  const r = Se(t, "token_endpoint", Te(e, a));
+  o.set("grant_type", n);
+  const i = W(a == null ? void 0 : a.headers);
+  return i.set("accept", "application/json"), mt(t, e, "POST", r, o, i, a);
 }
-async function vt(t, e, r, o) {
-  if (I(t), j(e), !w(r))
+async function gt(t, e, n, o) {
+  if (x(t), I(e), !w(n))
     throw new TypeError('"refreshToken" must be a non-empty string');
-  const s = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
-  return s.set("refresh_token", r), ke(t, e, "refresh_token", s, o);
+  const a = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return a.set("refresh_token", n), ke(t, e, "refresh_token", a, o);
 }
-const Ee = /* @__PURE__ */ new WeakMap();
-function Tt(t) {
+const Ae = /* @__PURE__ */ new WeakMap();
+function yt(t) {
   if (!t.id_token)
     return;
-  const e = Ee.get(t);
+  const e = Ae.get(t);
   if (!e)
     throw new TypeError('"ref" was already garbage collected or did not resolve from the proper sources');
   return e[0];
 }
-async function Ae(t, e, r, o = !1, s = !1) {
-  if (I(t), j(e), !Q(r, Response))
+async function Ee(t, e, n, o = !1, a = !1) {
+  if (x(t), I(e), !Z(n, Response))
     throw new TypeError('"response" must be an instance of Response');
-  if (r.status !== 200) {
+  if (n.status !== 200) {
     let i;
-    if (i = await It(r))
+    if (i = await Pt(n))
       return i;
-    throw new a('"response" is not a conform Token Endpoint response');
+    throw new s('"response" is not a conform Token Endpoint response');
   }
-  re(r);
-  let n;
+  ee(n);
+  let r;
   try {
-    n = await r.json();
+    r = await n.json();
   } catch (i) {
-    throw new a('failed to parse "response" body as JSON', { cause: i });
+    throw new s('failed to parse "response" body as JSON', { cause: i });
   }
-  if (!L(n))
-    throw new a('"response" body must be a top level object');
-  if (!w(n.access_token))
-    throw new a('"response" body "access_token" property must be a non-empty string');
-  if (!w(n.token_type))
-    throw new a('"response" body "token_type" property must be a non-empty string');
-  if (n.token_type = n.token_type.toLowerCase(), n.token_type !== "dpop" && n.token_type !== "bearer")
-    throw new v("unsupported `token_type` value");
-  if (n.expires_in !== void 0 && (typeof n.expires_in != "number" || n.expires_in <= 0))
-    throw new a('"response" body "expires_in" property must be a positive number');
-  if (!s && n.refresh_token !== void 0 && !w(n.refresh_token))
-    throw new a('"response" body "refresh_token" property must be a non-empty string');
-  if (n.scope !== void 0 && typeof n.scope != "string")
-    throw new a('"response" body "scope" property must be a string');
+  if (!C(r))
+    throw new s('"response" body must be a top level object');
+  if (!w(r.access_token))
+    throw new s('"response" body "access_token" property must be a non-empty string');
+  if (!w(r.token_type))
+    throw new s('"response" body "token_type" property must be a non-empty string');
+  if (r.token_type = r.token_type.toLowerCase(), r.token_type !== "dpop" && r.token_type !== "bearer")
+    throw new S("unsupported `token_type` value");
+  if (r.expires_in !== void 0 && (typeof r.expires_in != "number" || r.expires_in <= 0))
+    throw new s('"response" body "expires_in" property must be a positive number');
+  if (!a && r.refresh_token !== void 0 && !w(r.refresh_token))
+    throw new s('"response" body "refresh_token" property must be a non-empty string');
+  if (r.scope !== void 0 && typeof r.scope != "string")
+    throw new s('"response" body "scope" property must be a string');
   if (!o) {
-    if (n.id_token !== void 0 && !w(n.id_token))
-      throw new a('"response" body "id_token" property must be a non-empty string');
-    if (n.id_token) {
-      const { claims: i, jwt: c } = await Ot(n.id_token, zt.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Ue, C(e), be(e), e[Ve]).then(xt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(At.bind(void 0, t.issuer)).then(Et.bind(void 0, e.client_id));
+    if (r.id_token !== void 0 && !w(r.id_token))
+      throw new s('"response" body "id_token" property must be a non-empty string');
+    if (r.id_token) {
+      const { claims: i, jwt: c } = await Lt(r.id_token, xt.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Ue, L(e), _e(e), e[$e]).then(At.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(vt.bind(void 0, t.issuer)).then(_t.bind(void 0, e.client_id));
       if (Array.isArray(i.aud) && i.aud.length !== 1) {
         if (i.azp === void 0)
-          throw new a('ID Token "aud" (audience) claim includes additional untrusted audiences');
+          throw new s('ID Token "aud" (audience) claim includes additional untrusted audiences');
         if (i.azp !== e.client_id)
-          throw new a('unexpected ID Token "azp" (authorized party) claim value');
+          throw new s('unexpected ID Token "azp" (authorized party) claim value');
       }
       if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
-        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
-      Ee.set(n, [i, c]);
+        throw new s('ID Token "auth_time" (authentication time) must be a positive number');
+      Ae.set(r, [i, c]);
     }
   }
-  return n;
+  return r;
 }
-async function kt(t, e, r) {
-  return Ae(t, e, r);
+async function bt(t, e, n) {
+  return Ee(t, e, n);
 }
-function Et(t, e) {
+function _t(t, e) {
   if (Array.isArray(e.claims.aud)) {
     if (!e.claims.aud.includes(t))
-      throw new a('unexpected JWT "aud" (audience) claim value');
+      throw new s('unexpected JWT "aud" (audience) claim value');
   } else if (e.claims.aud !== t)
-    throw new a('unexpected JWT "aud" (audience) claim value');
+    throw new s('unexpected JWT "aud" (audience) claim value');
   return e;
 }
-function At(t, e) {
+function vt(t, e) {
   if (e.claims.iss !== t)
-    throw new a('unexpected JWT "iss" (issuer) claim value');
+    throw new s('unexpected JWT "iss" (issuer) claim value');
   return e;
 }
 const Re = /* @__PURE__ */ new WeakSet();
-function Rt(t) {
+function St(t) {
   return Re.add(t), t;
 }
-async function Pt(t, e, r, o, s, n) {
-  if (I(t), j(e), !Re.has(r))
+async function Tt(t, e, n, o, a, r) {
+  if (x(t), I(e), !Re.has(n))
     throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
   if (!w(o))
     throw new TypeError('"redirectUri" must be a non-empty string');
-  if (!w(s))
+  if (!w(a))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  const i = k(r, "code");
+  const i = k(n, "code");
   if (!i)
-    throw new a('no authorization code in "callbackParameters"');
-  const c = new URLSearchParams(n == null ? void 0 : n.additionalParameters);
-  return c.set("redirect_uri", o), c.set("code_verifier", s), c.set("code", i), ke(t, e, "authorization_code", c, n);
+    throw new s('no authorization code in "callbackParameters"');
+  const c = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return c.set("redirect_uri", o), c.set("code_verifier", a), c.set("code", i), ke(t, e, "authorization_code", c, r);
 }
-const Ut = {
+const kt = {
   aud: "audience",
   c_hash: "code hash",
   client_id: "client id",
@@ -688,66 +685,66 @@ const Ut = {
   htu: "http uri",
   cnf: "confirmation"
 };
-function xt(t, e) {
-  for (const r of t)
-    if (e.claims[r] === void 0)
-      throw new a(`JWT "${r}" (${Ut[r]}) claim missing`);
+function At(t, e) {
+  for (const n of t)
+    if (e.claims[n] === void 0)
+      throw new s(`JWT "${n}" (${kt[n]}) claim missing`);
   return e;
 }
-const Lt = Symbol(), V = Symbol();
-async function Ct(t, e, r, o, s) {
-  const n = await Ae(t, e, r);
-  if (Z(n))
-    return n;
-  if (!w(n.id_token))
-    throw new a('"response" body "id_token" property must be a non-empty string');
-  s ?? (s = e.default_max_age ?? V);
-  const i = Tt(n);
-  if ((e.require_auth_time || s !== V) && i.auth_time === void 0)
-    throw new a('ID Token "auth_time" (authentication time) claim missing');
-  if (s !== V) {
-    if (typeof s != "number" || s < 0)
+const Et = Symbol(), B = Symbol();
+async function Rt(t, e, n, o, a) {
+  const r = await Ee(t, e, n);
+  if (G(r))
+    return r;
+  if (!w(r.id_token))
+    throw new s('"response" body "id_token" property must be a non-empty string');
+  a ?? (a = e.default_max_age ?? B);
+  const i = yt(r);
+  if ((e.require_auth_time || a !== B) && i.auth_time === void 0)
+    throw new s('ID Token "auth_time" (authentication time) claim missing');
+  if (a !== B) {
+    if (typeof a != "number" || a < 0)
       throw new TypeError('"maxAge" must be a non-negative number');
-    const c = M() + C(e), p = be(e);
-    if (i.auth_time + s < c - p)
-      throw new a("too much time has elapsed since the last End-User authentication");
+    const c = $() + L(e), p = _e(e);
+    if (i.auth_time + a < c - p)
+      throw new s("too much time has elapsed since the last End-User authentication");
   }
   switch (o) {
     case void 0:
-    case Lt:
+    case Et:
       if (i.nonce !== void 0)
-        throw new a('unexpected ID Token "nonce" claim value');
+        throw new s('unexpected ID Token "nonce" claim value');
       break;
     default:
       if (!w(o))
         throw new TypeError('"expectedNonce" must be a non-empty string');
       if (i.nonce === void 0)
-        throw new a('ID Token "nonce" claim missing');
+        throw new s('ID Token "nonce" claim missing');
       if (i.nonce !== o)
-        throw new a('unexpected ID Token "nonce" claim value');
+        throw new s('unexpected ID Token "nonce" claim value');
   }
-  return n;
+  return r;
 }
-function re(t) {
+function ee(t) {
   if (t.bodyUsed)
     throw new TypeError('"response" body has been used already');
 }
-async function It(t) {
+async function Pt(t) {
   if (t.status > 399 && t.status < 500) {
-    re(t);
+    ee(t);
     try {
       const e = await t.json();
-      if (L(e) && typeof e.error == "string" && e.error.length)
+      if (C(e) && typeof e.error == "string" && e.error.length)
         return e.error_description !== void 0 && typeof e.error_description != "string" && delete e.error_description, e.error_uri !== void 0 && typeof e.error_uri != "string" && delete e.error_uri, e.algs !== void 0 && typeof e.algs != "string" && delete e.algs, e.scope !== void 0 && typeof e.scope != "string" && delete e.scope, e;
     } catch {
     }
   }
 }
-function de(t) {
+function le(t) {
   if (typeof t.modulusLength != "number" || t.modulusLength < 2048)
-    throw new a(`${t.name} modulusLength must be at least 2048 bits`);
+    throw new s(`${t.name} modulusLength must be at least 2048 bits`);
 }
-function jt(t) {
+function Ut(t) {
   switch (t) {
     case "P-256":
       return "SHA-256";
@@ -756,7 +753,7 @@ function jt(t) {
     case "P-521":
       return "SHA-512";
     default:
-      throw new v();
+      throw new S();
   }
 }
 function Pe(t) {
@@ -764,10 +761,10 @@ function Pe(t) {
     case "ECDSA":
       return {
         name: t.algorithm.name,
-        hash: jt(t.algorithm.namedCurve)
+        hash: Ut(t.algorithm.namedCurve)
       };
     case "RSA-PSS":
-      switch (de(t.algorithm), t.algorithm.hash.name) {
+      switch (le(t.algorithm), t.algorithm.hash.name) {
         case "SHA-256":
         case "SHA-384":
         case "SHA-512":
@@ -776,245 +773,243 @@ function Pe(t) {
             saltLength: parseInt(t.algorithm.hash.name.slice(-3), 10) >> 3
           };
         default:
-          throw new v();
+          throw new S();
       }
     case "RSASSA-PKCS1-v1_5":
-      return de(t.algorithm), t.algorithm.name;
+      return le(t.algorithm), t.algorithm.name;
     case "Ed448":
     case "Ed25519":
       return t.algorithm.name;
   }
-  throw new v();
+  throw new S();
 }
 const Ue = Symbol();
-async function Jt(t, e, r, o) {
-  const s = `${t}.${e}`;
-  if (!await crypto.subtle.verify(Pe(r), r, o, R(s)))
-    throw new a("JWT signature verification failed");
-}
-async function Ot(t, e, r, o, s, n) {
-  let { 0: i, 1: c, 2: p, length: b } = t.split(".");
-  if (b === 5)
-    if (n !== void 0)
-      t = await n(t), { 0: i, 1: c, 2: p, length: b } = t.split(".");
+async function Ct(t, e, n, o) {
+  const a = `${t}.${e}`;
+  if (!await crypto.subtle.verify(Pe(n), n, o, E(a)))
+    throw new s("JWT signature verification failed");
+}
+async function Lt(t, e, n, o, a, r) {
+  let { 0: i, 1: c, 2: p, length: _ } = t.split(".");
+  if (_ === 5)
+    if (r !== void 0)
+      t = await r(t), { 0: i, 1: c, 2: p, length: _ } = t.split(".");
     else
-      throw new v("JWE structure JWTs are not supported");
-  if (b !== 3)
-    throw new a("Invalid JWT");
+      throw new S("JWE structure JWTs are not supported");
+  if (_ !== 3)
+    throw new s("Invalid JWT");
   let f;
   try {
-    f = JSON.parse(R(E(i)));
+    f = JSON.parse(E(A(i)));
   } catch (l) {
-    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: l });
+    throw new s("failed to parse JWT Header body as base64url encoded JSON", { cause: l });
   }
-  if (!L(f))
-    throw new a("JWT Header must be a top level object");
+  if (!C(f))
+    throw new s("JWT Header must be a top level object");
   if (e(f), f.crit !== void 0)
-    throw new a('unexpected JWT "crit" header parameter');
-  const y = E(p);
+    throw new s('unexpected JWT "crit" header parameter');
+  const y = A(p);
   let T;
-  r !== Ue && (T = await r(f), await Jt(i, c, T, y));
+  n !== Ue && (T = await n(f), await Ct(i, c, T, y));
   let h;
   try {
-    h = JSON.parse(R(E(c)));
+    h = JSON.parse(E(A(c)));
   } catch (l) {
-    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: l });
+    throw new s("failed to parse JWT Payload body as base64url encoded JSON", { cause: l });
   }
-  if (!L(h))
-    throw new a("JWT Payload must be a top level object");
-  const J = M() + o;
+  if (!C(h))
+    throw new s("JWT Payload must be a top level object");
+  const j = $() + o;
   if (h.exp !== void 0) {
     if (typeof h.exp != "number")
-      throw new a('unexpected JWT "exp" (expiration time) claim type');
-    if (h.exp <= J - s)
-      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+      throw new s('unexpected JWT "exp" (expiration time) claim type');
+    if (h.exp <= j - a)
+      throw new s('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
   }
   if (h.iat !== void 0 && typeof h.iat != "number")
-    throw new a('unexpected JWT "iat" (issued at) claim type');
+    throw new s('unexpected JWT "iat" (issued at) claim type');
   if (h.iss !== void 0 && typeof h.iss != "string")
-    throw new a('unexpected JWT "iss" (issuer) claim type');
+    throw new s('unexpected JWT "iss" (issuer) claim type');
   if (h.nbf !== void 0) {
     if (typeof h.nbf != "number")
-      throw new a('unexpected JWT "nbf" (not before) claim type');
-    if (h.nbf > J + s)
-      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+      throw new s('unexpected JWT "nbf" (not before) claim type');
+    if (h.nbf > j + a)
+      throw new s('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
   }
   if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
-    throw new a('unexpected JWT "aud" (audience) claim type');
+    throw new s('unexpected JWT "aud" (audience) claim type');
   return { header: f, claims: h, signature: y, key: T, jwt: t };
 }
-function zt(t, e, r) {
+function xt(t, e, n) {
   if (t !== void 0) {
-    if (r.alg !== t)
-      throw new a('unexpected JWT "alg" header parameter');
+    if (n.alg !== t)
+      throw new s('unexpected JWT "alg" header parameter');
     return;
   }
   if (Array.isArray(e)) {
-    if (!e.includes(r.alg))
-      throw new a('unexpected JWT "alg" header parameter');
+    if (!e.includes(n.alg))
+      throw new s('unexpected JWT "alg" header parameter');
     return;
   }
-  if (r.alg !== "RS256")
-    throw new a('unexpected JWT "alg" header parameter');
+  if (n.alg !== "RS256")
+    throw new s('unexpected JWT "alg" header parameter');
 }
 function k(t, e) {
-  const { 0: r, length: o } = t.getAll(e);
+  const { 0: n, length: o } = t.getAll(e);
   if (o > 1)
-    throw new a(`"${e}" parameter must be provided only once`);
-  return r;
+    throw new s(`"${e}" parameter must be provided only once`);
+  return n;
 }
-const Nt = Symbol(), Dt = Symbol();
-function Kt(t, e, r, o) {
-  if (I(t), j(e), r instanceof URL && (r = r.searchParams), !(r instanceof URLSearchParams))
+const It = Symbol(), jt = Symbol();
+function Jt(t, e, n, o) {
+  if (x(t), I(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
     throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  if (k(r, "response"))
-    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  const s = k(r, "iss"), n = k(r, "state");
-  if (!s && t.authorization_response_iss_parameter_supported)
-    throw new a('response parameter "iss" (issuer) missing');
-  if (s && s !== t.issuer)
-    throw new a('unexpected "iss" (issuer) response parameter value');
+  if (k(n, "response"))
+    throw new s('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const a = k(n, "iss"), r = k(n, "state");
+  if (!a && t.authorization_response_iss_parameter_supported)
+    throw new s('response parameter "iss" (issuer) missing');
+  if (a && a !== t.issuer)
+    throw new s('unexpected "iss" (issuer) response parameter value');
   switch (o) {
     case void 0:
-    case Dt:
-      if (n !== void 0)
-        throw new a('unexpected "state" response parameter encountered');
+    case jt:
+      if (r !== void 0)
+        throw new s('unexpected "state" response parameter encountered');
       break;
-    case Nt:
+    case It:
       break;
     default:
       if (!w(o))
-        throw new a('"expectedState" must be a non-empty string');
-      if (n === void 0)
-        throw new a('response parameter "state" missing');
-      if (n !== o)
-        throw new a('unexpected "state" response parameter value');
+        throw new s('"expectedState" must be a non-empty string');
+      if (r === void 0)
+        throw new s('response parameter "state" missing');
+      if (r !== o)
+        throw new s('unexpected "state" response parameter value');
   }
-  const i = k(r, "error");
+  const i = k(n, "error");
   if (i)
     return {
       error: i,
-      error_description: k(r, "error_description"),
-      error_uri: k(r, "error_uri")
+      error_description: k(n, "error_description"),
+      error_uri: k(n, "error_uri")
     };
-  const c = k(r, "id_token"), p = k(r, "token");
+  const c = k(n, "id_token"), p = k(n, "token");
   if (c !== void 0 || p !== void 0)
-    throw new v("implicit and hybrid flows are not supported");
-  return Rt(new URLSearchParams(r));
+    throw new S("implicit and hybrid flows are not supported");
+  return St(new URLSearchParams(n));
 }
-function Wt({
+function Ot({
   handleCallback: t
 }) {
-  const [e, r] = Ne(null), o = Me(), s = De(!1);
-  return Ke(() => {
-    s.current || (s.current = !0, t().then((n) => {
-      o(n);
-    }).catch((n) => {
-      K.error(n), r(n);
-    }));
-  }, [o, t]), e ? /* @__PURE__ */ A.jsx(
-    He,
-    {
-      category: "Error",
-      title: "Authentication Error",
-      message: /* @__PURE__ */ A.jsxs(A.Fragment, { children: [
-        /* @__PURE__ */ A.jsx(We, { className: "mb-4", children: "Check the configuration of your authorization provider and ensure all settings such as the callback URL are configured correctly." }),
-        "An error occurred while authorizing the user.",
-        /* @__PURE__ */ A.jsx(Fe, { code: e.toString(), language: "plain" })
-      ] })
+  const e = De({
+    retry: !1,
+    queryKey: ["oauth-callback"],
+    queryFn: async () => {
+      try {
+        return await t();
+      } catch (n) {
+        throw new Ne("Could not validate user", {
+          cause: n,
+          title: "Authentication Error",
+          developerHint: "Check the configuration of your authorization provider and ensure all settings such as the callback URL are configured correctly."
+        });
+      }
     }
-  ) : /* @__PURE__ */ A.jsx("div", { className: "grid h-full place-items-center", children: /* @__PURE__ */ A.jsx($e, {}) });
+  });
+  return /* @__PURE__ */ fe.jsx(Ke, { to: e.data });
 }
-class U extends Error {
+class P extends Error {
 }
-class he extends U {
-  constructor(e, r, o) {
-    super(e, o), this.error = r;
+class de extends P {
+  constructor(e, n, o) {
+    super(e, o), this.error = n;
   }
 }
-const G = "code-verifier";
-class Ht extends ze {
-  constructor(e, r) {
-    super(), this.callbackUrlPath = e, this.handleCallback = r;
+const q = "code-verifier";
+class zt extends ze {
+  constructor(e, n) {
+    super(), this.callbackUrlPath = e, this.handleCallback = n;
   }
   getRoutes() {
     return [
       ...super.getRoutes(),
       {
         path: this.callbackUrlPath,
-        element: /* @__PURE__ */ A.jsx(Wt, { handleCallback: this.handleCallback })
+        element: /* @__PURE__ */ fe.jsx(Ot, { handleCallback: this.handleCallback })
       }
     ];
   }
 }
-class $t {
+class Dt {
   constructor({
     issuer: e,
-    audience: r,
+    audience: n,
     clientId: o,
-    redirectToAfterSignUp: s,
-    redirectToAfterSignIn: n,
+    redirectToAfterSignUp: a,
+    redirectToAfterSignIn: r,
     redirectToAfterSignOut: i
   }) {
-    _(this, "client");
-    _(this, "issuer");
-    _(this, "authorizationServer");
-    _(this, "callbackUrlPath", "/oauth/callback");
-    _(this, "logoutRedirectUrlPath", "/");
-    _(this, "onAuthorizationUrl");
-    _(this, "redirectToAfterSignUp");
-    _(this, "redirectToAfterSignIn");
-    _(this, "redirectToAfterSignOut");
-    _(this, "audience");
-    _(this, "signOut", async () => {
-      N.setState({
+    b(this, "client");
+    b(this, "issuer");
+    b(this, "authorizationServer");
+    b(this, "callbackUrlPath", "/oauth/callback");
+    b(this, "logoutRedirectUrlPath", "/");
+    b(this, "onAuthorizationUrl");
+    b(this, "redirectToAfterSignUp");
+    b(this, "redirectToAfterSignIn");
+    b(this, "redirectToAfterSignOut");
+    b(this, "audience");
+    b(this, "signOut", async () => {
+      z.setState({
         isAuthenticated: !1,
         isPending: !1,
-        profile: void 0
-      }), sessionStorage.clear();
-      const e = await this.getAuthServer(), r = new URL(
+        profile: void 0,
+        providerData: void 0
+      });
+      const e = await this.getAuthServer(), n = new URL(
         window.location.origin + this.redirectToAfterSignOut
       );
-      r.pathname = this.logoutRedirectUrlPath;
+      n.pathname = this.logoutRedirectUrlPath;
       let o;
       e.end_session_endpoint ? (o = new URL(e.end_session_endpoint), o.searchParams.set(
         "post_logout_redirect_uri",
-        r.toString()
-      )) : o = r;
+        n.toString()
+      )) : o = n;
     });
-    _(this, "handleCallback", async () => {
-      const e = new URL(window.location.href), r = e.searchParams.get("state"), o = sessionStorage.getItem(G);
-      if (sessionStorage.removeItem(G), !o)
-        throw new U("No code verifier found in state.");
-      const s = await this.getAuthServer(), n = Kt(
-        s,
+    b(this, "handleCallback", async () => {
+      const e = new URL(window.location.href), n = e.searchParams.get("state"), o = sessionStorage.getItem(q);
+      if (sessionStorage.removeItem(q), !o)
+        throw new P("No code verifier found in state.");
+      const a = await this.getAuthServer(), r = Jt(
+        a,
         this.client,
         e.searchParams,
-        r ?? void 0
+        n ?? void 0
       );
-      if (Z(n))
-        throw K.error("Error validating OAuth response", n), new he(
+      if (G(r))
+        throw oe.error("Error validating OAuth response", r), new de(
           "Error validating OAuth response",
-          n
+          r
         );
       const i = new URL(e);
       i.pathname = this.redirectToAfterSignIn, i.search = "";
-      const c = await Pt(
-        s,
+      const c = await Tt(
+        a,
         this.client,
-        n,
+        r,
         i.toString(),
         o
-      ), p = await Ct(
-        s,
+      ), p = await Rt(
+        a,
         this.client,
         c
       );
       this.setTokensFromResponse(p);
-      const b = await this.getAccessToken(), y = await (await bt(
-        s,
+      const _ = await this.getAccessToken(), y = await (await wt(
+        a,
         this.client,
-        b
+        _
       )).json(), T = {
         sub: y.sub,
         email: y.email,
@@ -1022,28 +1017,25 @@ class $t {
         emailVerified: y.email_verified ?? !1,
         pictureUrl: y.picture
       };
-      N.setState({
+      z.setState({
         isAuthenticated: !0,
         isPending: !1,
         profile: T
-      }), sessionStorage.setItem(
-        "profile-state",
-        JSON.stringify(N.getState().profile)
-      );
+      });
       const h = sessionStorage.getItem("redirect-to") ?? "/";
       return sessionStorage.removeItem("redirect-to"), h;
     });
     this.client = {
       client_id: o,
       token_endpoint_auth_method: "none"
-    }, this.audience = r, this.issuer = e, this.redirectToAfterSignUp = s ?? "/", this.redirectToAfterSignIn = n ?? "/", this.redirectToAfterSignOut = i ?? "/";
+    }, this.audience = n, this.issuer = e, this.redirectToAfterSignUp = a ?? "/", this.redirectToAfterSignIn = r ?? "/", this.redirectToAfterSignOut = i ?? "/";
   }
   async getAuthServer() {
     if (!this.authorizationServer) {
-      const e = new URL(this.issuer), r = await nt(e);
-      this.authorizationServer = await ot(
+      const e = new URL(this.issuer), n = await Qe(e);
+      this.authorizationServer = await Xe(
         e,
-        r
+        n
       );
     }
     return this.authorizationServer;
@@ -1053,17 +1045,19 @@ class $t {
    * @param response
    */
   setTokensFromResponse(e) {
-    if (Z(e))
-      throw K.error("Bad Token Response", e), new he("Bad Token Response", e);
+    if (G(e))
+      throw oe.error("Bad Token Response", e), new de("Bad Token Response", e);
     if (!e.expires_in)
-      throw new U("No expires_in in response");
-    const r = {
+      throw new P("No expires_in in response");
+    const n = {
       accessToken: e.access_token,
       refreshToken: e.refresh_token,
       expiresOn: new Date(Date.now() + e.expires_in * 1e3),
       tokenType: e.token_type
     };
-    sessionStorage.setItem("token-state", JSON.stringify(r));
+    z.setState({
+      providerData: n
+    });
   }
   async signUp({ redirectTo: e } = {}) {
     return this.authorize({
@@ -1078,75 +1072,61 @@ class $t {
   }
   async authorize({
     redirectTo: e,
-    isSignUp: r = !1
+    isSignUp: n = !1
   }) {
-    var b, f;
-    const o = "S256", s = await this.getAuthServer();
-    if (!s.authorization_endpoint)
-      throw new U("No authorization endpoint");
-    const n = it(), i = await at(n);
-    sessionStorage.setItem(G, n);
+    var _, f;
+    const o = "S256", a = await this.getAuthServer();
+    if (!a.authorization_endpoint)
+      throw new P("No authorization endpoint");
+    const r = et(), i = await nt(r);
+    sessionStorage.setItem(q, r);
     const c = new URL(
-      s.authorization_endpoint
+      a.authorization_endpoint
     );
     sessionStorage.setItem("redirect-to", e);
     const p = new URL(window.location.origin);
     if (p.pathname = this.callbackUrlPath, p.search = "", c.searchParams.set("client_id", this.client.client_id), c.searchParams.set("redirect_uri", p.toString()), c.searchParams.set("response_type", "code"), c.searchParams.set("scope", "openid profile email"), c.searchParams.set("code_challenge", i), c.searchParams.set(
       "code_challenge_method",
       o
-    ), this.audience && c.searchParams.set("audience", this.audience), (b = this.onAuthorizationUrl) == null || b.call(this, c, {
-      isSignIn: !r,
-      isSignUp: r
-    }), ((f = s.code_challenge_methods_supported) == null ? void 0 : f.includes("S256")) !== !0) {
-      const y = st();
+    ), this.audience && c.searchParams.set("audience", this.audience), (_ = this.onAuthorizationUrl) == null || _.call(this, c, {
+      isSignIn: !n,
+      isSignUp: n
+    }), ((f = a.code_challenge_methods_supported) == null ? void 0 : f.includes("S256")) !== !0) {
+      const y = tt();
       c.searchParams.set("state", y);
     }
     location.href = c.href;
   }
   async getAccessToken() {
-    const e = await this.getAuthServer(), r = sessionStorage.getItem("token-state");
-    if (!r)
-      throw new U("User is not authenticated");
-    const o = JSON.parse(r);
+    const e = await this.getAuthServer(), { providerData: n } = z.getState();
+    if (!n)
+      throw new P("User is not authenticated");
+    const o = n;
     if (o.expiresOn < /* @__PURE__ */ new Date()) {
       if (!o.refreshToken)
         return await this.signIn(), "";
-      const s = await vt(
+      const a = await gt(
         e,
         this.client,
         o.refreshToken
-      ), n = await kt(
+      ), r = await bt(
         e,
         this.client,
-        s
+        a
       );
-      if (!n.access_token)
-        throw new U("No access token in response");
-      return this.setTokensFromResponse(n), n.access_token.toString();
+      if (!r.access_token)
+        throw new P("No access token in response");
+      return this.setTokensFromResponse(r), r.access_token.toString();
     } else
       return o.accessToken;
   }
-  pageLoad() {
-    const e = sessionStorage.getItem("profile-state");
-    if (e)
-      try {
-        const r = JSON.parse(e);
-        N.setState({
-          isAuthenticated: !0,
-          isPending: !1,
-          profile: r
-        });
-      } catch (r) {
-        K.error("Error parsing auth state", r);
-      }
-  }
   getAuthenticationPlugin() {
-    return new Ht(this.callbackUrlPath, this.handleCallback);
+    return new zt(this.callbackUrlPath, this.handleCallback);
   }
 }
-const tr = (t) => new $t(t);
+const qt = (t) => new Dt(t);
 export {
-  $t as OpenIDAuthenticationProvider,
-  tr as default
+  Dt as OpenIDAuthenticationProvider,
+  qt as default
 };
 //# sourceMappingURL=zudoku.auth-openid.js.map