zudoku 0.3.0-dev.55 → 0.3.0-dev.57

package/lib/zudoku.auth-openid.js

@@ -1,529 +1,348 @@
-var __defProp = Object.defineProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-var _a, _b;
-import { a as useNavigate, j as jsxRuntimeExports } from "./jsx-runtime-DvZ6OKMM.js";
-import { c as commonjsGlobal, a as getDefaultExportFromCjs } from "./_commonjsHelpers-BxmBWJD2.js";
-import { useRef, useState, useEffect } from "react";
-import { u as useAuthState } from "./state-CmGfNKhR.js";
-var loglevel = { exports: {} };
-(function(module) {
-  (function(root, definition) {
-    if (module.exports) {
-      module.exports = definition();
-    } else {
-      root.log = definition();
-    }
-  })(commonjsGlobal, function() {
-    var noop = function() {
-    };
-    var undefinedType = "undefined";
-    var isIE = typeof window !== undefinedType && typeof window.navigator !== undefinedType && /Trident\/|MSIE /.test(window.navigator.userAgent);
-    var logMethods = [
+var Re = Object.defineProperty;
+var xe = (e, t, n) => t in e ? Re(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var S = (e, t, n) => xe(e, typeof t != "symbol" ? t + "" : t, n);
+import { a as Pe, j as T } from "./jsx-runtime-CJZJivg2.js";
+import { c as Le, a as Ue } from "./_commonjsHelpers-BVfed4GL.js";
+import { useRef as Ce, useState as je, useEffect as ze } from "react";
+import { u as re } from "./state-DKdaQzvh.js";
+var he = { exports: {} };
+(function(e) {
+  (function(t, n) {
+    e.exports ? e.exports = n() : t.log = n();
+  })(Le, function() {
+    var t = function() {
+    }, n = "undefined", o = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
       "trace",
       "debug",
       "info",
       "warn",
       "error"
-    ];
-    var _loggersByName = {};
-    var defaultLogger = null;
-    function bindMethod(obj, methodName) {
-      var method = obj[methodName];
-      if (typeof method.bind === "function") {
-        return method.bind(obj);
-      } else {
-        try {
-          return Function.prototype.bind.call(method, obj);
-        } catch (e) {
-          return function() {
-            return Function.prototype.apply.apply(method, [obj, arguments]);
-          };
-        }
+    ], r = {}, i = null;
+    function d(u, f) {
+      var c = u[f];
+      if (typeof c.bind == "function")
+        return c.bind(u);
+      try {
+        return Function.prototype.bind.call(c, u);
+      } catch {
+        return function() {
+          return Function.prototype.apply.apply(c, [u, arguments]);
+        };
       }
     }
-    function traceForIE() {
-      if (console.log) {
-        if (console.log.apply) {
-          console.log.apply(console, arguments);
-        } else {
-          Function.prototype.apply.apply(console.log, [console, arguments]);
-        }
-      }
-      if (console.trace) console.trace();
+    function g() {
+      console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
     }
-    function realMethod(methodName) {
-      if (methodName === "debug") {
-        methodName = "log";
-      }
-      if (typeof console === undefinedType) {
-        return false;
-      } else if (methodName === "trace" && isIE) {
-        return traceForIE;
-      } else if (console[methodName] !== void 0) {
-        return bindMethod(console, methodName);
-      } else if (console.log !== void 0) {
-        return bindMethod(console, "log");
-      } else {
-        return noop;
-      }
+    function m(u) {
+      return u === "debug" && (u = "log"), typeof console === n ? !1 : u === "trace" && o ? g : console[u] !== void 0 ? d(console, u) : console.log !== void 0 ? d(console, "log") : t;
     }
-    function replaceLoggingMethods() {
-      var level = this.getLevel();
-      for (var i = 0; i < logMethods.length; i++) {
-        var methodName = logMethods[i];
-        this[methodName] = i < level ? noop : this.methodFactory(methodName, level, this.name);
+    function _() {
+      for (var u = this.getLevel(), f = 0; f < s.length; f++) {
+        var c = s[f];
+        this[c] = f < u ? t : this.methodFactory(c, u, this.name);
       }
-      this.log = this.debug;
-      if (typeof console === undefinedType && level < this.levels.SILENT) {
+      if (this.log = this.debug, typeof console === n && u < this.levels.SILENT)
         return "No console available for logging";
-      }
     }
-    function enableLoggingWhenConsoleArrives(methodName) {
+    function y(u) {
       return function() {
-        if (typeof console !== undefinedType) {
-          replaceLoggingMethods.call(this);
-          this[methodName].apply(this, arguments);
-        }
+        typeof console !== n && (_.call(this), this[u].apply(this, arguments));
       };
     }
-    function defaultMethodFactory(methodName, _level, _loggerName) {
-      return realMethod(methodName) || enableLoggingWhenConsoleArrives.apply(this, arguments);
+    function h(u, f, c) {
+      return m(u) || y.apply(this, arguments);
     }
-    function Logger(name, factory) {
-      var self = this;
-      var inheritedLevel;
-      var defaultLevel;
-      var userLevel;
-      var storageKey = "loglevel";
-      if (typeof name === "string") {
-        storageKey += ":" + name;
-      } else if (typeof name === "symbol") {
-        storageKey = void 0;
-      }
-      function persistLevelIfPossible(levelNum) {
-        var levelName = (logMethods[levelNum] || "silent").toUpperCase();
-        if (typeof window === undefinedType || !storageKey) return;
-        try {
-          window.localStorage[storageKey] = levelName;
-          return;
-        } catch (ignore) {
-        }
-        try {
-          window.document.cookie = encodeURIComponent(storageKey) + "=" + levelName + ";";
-        } catch (ignore) {
+    function L(u, f) {
+      var c = this, J, $, x, b = "loglevel";
+      typeof u == "string" ? b += ":" + u : typeof u == "symbol" && (b = void 0);
+      function ke(l) {
+        var p = (s[l] || "silent").toUpperCase();
+        if (!(typeof window === n || !b)) {
+          try {
+            window.localStorage[b] = p;
+            return;
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(b) + "=" + p + ";";
+          } catch {
+          }
         }
       }
-      function getPersistedLevel() {
-        var storedLevel;
-        if (typeof window === undefinedType || !storageKey) return;
-        try {
-          storedLevel = window.localStorage[storageKey];
-        } catch (ignore) {
-        }
-        if (typeof storedLevel === undefinedType) {
+      function ee() {
+        var l;
+        if (!(typeof window === n || !b)) {
           try {
-            var cookie = window.document.cookie;
-            var cookieName = encodeURIComponent(storageKey);
-            var location2 = cookie.indexOf(cookieName + "=");
-            if (location2 !== -1) {
-              storedLevel = /^([^;]+)/.exec(
-                cookie.slice(location2 + cookieName.length + 1)
-              )[1];
-            }
-          } catch (ignore) {
+            l = window.localStorage[b];
+          } catch {
           }
+          if (typeof l === n)
+            try {
+              var p = window.document.cookie, O = encodeURIComponent(b), ne = p.indexOf(O + "=");
+              ne !== -1 && (l = /^([^;]+)/.exec(
+                p.slice(ne + O.length + 1)
+              )[1]);
+            } catch {
+            }
+          return c.levels[l] === void 0 && (l = void 0), l;
         }
-        if (self.levels[storedLevel] === void 0) {
-          storedLevel = void 0;
-        }
-        return storedLevel;
       }
-      function clearPersistedLevel() {
-        if (typeof window === undefinedType || !storageKey) return;
-        try {
-          window.localStorage.removeItem(storageKey);
-        } catch (ignore) {
-        }
-        try {
-          window.document.cookie = encodeURIComponent(storageKey) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
-        } catch (ignore) {
+      function Te() {
+        if (!(typeof window === n || !b)) {
+          try {
+            window.localStorage.removeItem(b);
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(b) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+          } catch {
+          }
         }
       }
-      function normalizeLevel(input) {
-        var level = input;
-        if (typeof level === "string" && self.levels[level.toUpperCase()] !== void 0) {
-          level = self.levels[level.toUpperCase()];
-        }
-        if (typeof level === "number" && level >= 0 && level <= self.levels.SILENT) {
-          return level;
-        } else {
-          throw new TypeError("log.setLevel() called with invalid level: " + input);
-        }
+      function U(l) {
+        var p = l;
+        if (typeof p == "string" && c.levels[p.toUpperCase()] !== void 0 && (p = c.levels[p.toUpperCase()]), typeof p == "number" && p >= 0 && p <= c.levels.SILENT)
+          return p;
+        throw new TypeError("log.setLevel() called with invalid level: " + l);
       }
-      self.name = name;
-      self.levels = {
-        "TRACE": 0,
-        "DEBUG": 1,
-        "INFO": 2,
-        "WARN": 3,
-        "ERROR": 4,
-        "SILENT": 5
-      };
-      self.methodFactory = factory || defaultMethodFactory;
-      self.getLevel = function() {
-        if (userLevel != null) {
-          return userLevel;
-        } else if (defaultLevel != null) {
-          return defaultLevel;
-        } else {
-          return inheritedLevel;
-        }
-      };
-      self.setLevel = function(level, persist) {
-        userLevel = normalizeLevel(level);
-        if (persist !== false) {
-          persistLevelIfPossible(userLevel);
-        }
-        return replaceLoggingMethods.call(self);
-      };
-      self.setDefaultLevel = function(level) {
-        defaultLevel = normalizeLevel(level);
-        if (!getPersistedLevel()) {
-          self.setLevel(level, false);
-        }
-      };
-      self.resetLevel = function() {
-        userLevel = null;
-        clearPersistedLevel();
-        replaceLoggingMethods.call(self);
-      };
-      self.enableAll = function(persist) {
-        self.setLevel(self.levels.TRACE, persist);
-      };
-      self.disableAll = function(persist) {
-        self.setLevel(self.levels.SILENT, persist);
-      };
-      self.rebuild = function() {
-        if (defaultLogger !== self) {
-          inheritedLevel = normalizeLevel(defaultLogger.getLevel());
-        }
-        replaceLoggingMethods.call(self);
-        if (defaultLogger === self) {
-          for (var childName in _loggersByName) {
-            _loggersByName[childName].rebuild();
-          }
-        }
-      };
-      inheritedLevel = normalizeLevel(
-        defaultLogger ? defaultLogger.getLevel() : "WARN"
+      c.name = u, c.levels = {
+        TRACE: 0,
+        DEBUG: 1,
+        INFO: 2,
+        WARN: 3,
+        ERROR: 4,
+        SILENT: 5
+      }, c.methodFactory = f || h, c.getLevel = function() {
+        return x ?? $ ?? J;
+      }, c.setLevel = function(l, p) {
+        return x = U(l), p !== !1 && ke(x), _.call(c);
+      }, c.setDefaultLevel = function(l) {
+        $ = U(l), ee() || c.setLevel(l, !1);
+      }, c.resetLevel = function() {
+        x = null, Te(), _.call(c);
+      }, c.enableAll = function(l) {
+        c.setLevel(c.levels.TRACE, l);
+      }, c.disableAll = function(l) {
+        c.setLevel(c.levels.SILENT, l);
+      }, c.rebuild = function() {
+        if (i !== c && (J = U(i.getLevel())), _.call(c), i === c)
+          for (var l in r)
+            r[l].rebuild();
+      }, J = U(
+        i ? i.getLevel() : "WARN"
       );
-      var initialLevel = getPersistedLevel();
-      if (initialLevel != null) {
-        userLevel = normalizeLevel(initialLevel);
-      }
-      replaceLoggingMethods.call(self);
+      var te = ee();
+      te != null && (x = U(te)), _.call(c);
     }
-    defaultLogger = new Logger();
-    defaultLogger.getLogger = function getLogger(name) {
-      if (typeof name !== "symbol" && typeof name !== "string" || name === "") {
+    i = new L(), i.getLogger = function(f) {
+      if (typeof f != "symbol" && typeof f != "string" || f === "")
         throw new TypeError("You must supply a name when creating a logger.");
-      }
-      var logger2 = _loggersByName[name];
-      if (!logger2) {
-        logger2 = _loggersByName[name] = new Logger(
-          name,
-          defaultLogger.methodFactory
-        );
-      }
-      return logger2;
-    };
-    var _log = typeof window !== undefinedType ? window.log : void 0;
-    defaultLogger.noConflict = function() {
-      if (typeof window !== undefinedType && window.log === defaultLogger) {
-        window.log = _log;
-      }
-      return defaultLogger;
+      var c = r[f];
+      return c || (c = r[f] = new L(
+        f,
+        i.methodFactory
+      )), c;
     };
-    defaultLogger.getLoggers = function getLoggers() {
-      return _loggersByName;
-    };
-    defaultLogger["default"] = defaultLogger;
-    return defaultLogger;
+    var R = typeof window !== n ? window.log : void 0;
+    return i.noConflict = function() {
+      return typeof window !== n && window.log === i && (window.log = R), i;
+    }, i.getLoggers = function() {
+      return r;
+    }, i.default = i, i;
   });
-})(loglevel);
-var loglevelExports = loglevel.exports;
-const logger = /* @__PURE__ */ getDefaultExportFromCjs(loglevelExports);
-let USER_AGENT;
-if (typeof navigator === "undefined" || !((_b = (_a = navigator.userAgent) == null ? void 0 : _a.startsWith) == null ? void 0 : _b.call(_a, "Mozilla/5.0 "))) {
-  const NAME = "oauth4webapi";
-  const VERSION = "v2.11.1";
-  USER_AGENT = `${NAME}/${VERSION}`;
-}
-function looseInstanceOf(input, expected) {
-  if (input == null) {
-    return false;
-  }
+})(he);
+var Je = he.exports;
+const oe = /* @__PURE__ */ Ue(Je);
+let M;
+var I, de;
+(typeof navigator > "u" || !((de = (I = navigator.userAgent) == null ? void 0 : I.startsWith) != null && de.call(I, "Mozilla/5.0 "))) && (M = "oauth4webapi/v2.11.1");
+function q(e, t) {
+  if (e == null)
+    return !1;
   try {
-    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+    return e instanceof t || Object.getPrototypeOf(e)[Symbol.toStringTag] === t.prototype[Symbol.toStringTag];
   } catch {
-    return false;
+    return !1;
   }
 }
-const clockSkew = Symbol();
-const clockTolerance = Symbol();
-const customFetch = Symbol();
-const encoder = new TextEncoder();
-const decoder = new TextDecoder();
-function buf(input) {
-  if (typeof input === "string") {
-    return encoder.encode(input);
-  }
-  return decoder.decode(input);
+const K = Symbol(), Oe = Symbol(), V = Symbol(), Ie = new TextEncoder(), Ne = new TextDecoder();
+function A(e) {
+  return typeof e == "string" ? Ie.encode(e) : Ne.decode(e);
 }
-const CHUNK_SIZE = 32768;
-function encodeBase64Url(input) {
-  if (input instanceof ArrayBuffer) {
-    input = new Uint8Array(input);
-  }
-  const arr = [];
-  for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {
-    arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-  }
-  return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+const ie = 32768;
+function Ke(e) {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const t = [];
+  for (let n = 0; n < e.byteLength; n += ie)
+    t.push(String.fromCharCode.apply(null, e.subarray(n, n + ie)));
+  return btoa(t.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function decodeBase64Url(input) {
+function We(e) {
   try {
-    const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-  } catch (cause) {
-    throw new OPE("The input to be decoded is not correctly encoded.", { cause });
+    const t = atob(e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(t.length);
+    for (let o = 0; o < t.length; o++)
+      n[o] = t.charCodeAt(o);
+    return n;
+  } catch (t) {
+    throw new a("The input to be decoded is not correctly encoded.", { cause: t });
   }
 }
-function b64u(input) {
-  if (typeof input === "string") {
-    return decodeBase64Url(input);
-  }
-  return encodeBase64Url(input);
+function k(e) {
+  return typeof e == "string" ? We(e) : Ke(e);
 }
-class LRU {
-  constructor(maxSize) {
-    this.cache = /* @__PURE__ */ new Map();
-    this._cache = /* @__PURE__ */ new Map();
-    this.maxSize = maxSize;
+class De {
+  constructor(t) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = t;
   }
-  get(key) {
-    let v = this.cache.get(key);
-    if (v) {
-      return v;
-    }
-    if (v = this._cache.get(key)) {
-      this.update(key, v);
-      return v;
-    }
-    return void 0;
+  get(t) {
+    let n = this.cache.get(t);
+    if (n)
+      return n;
+    if (n = this._cache.get(t))
+      return this.update(t, n), n;
   }
-  has(key) {
-    return this.cache.has(key) || this._cache.has(key);
+  has(t) {
+    return this.cache.has(t) || this._cache.has(t);
   }
-  set(key, value) {
-    if (this.cache.has(key)) {
-      this.cache.set(key, value);
-    } else {
-      this.update(key, value);
-    }
-    return this;
+  set(t, n) {
+    return this.cache.has(t) ? this.cache.set(t, n) : this.update(t, n), this;
   }
-  delete(key) {
-    if (this.cache.has(key)) {
-      return this.cache.delete(key);
-    }
-    if (this._cache.has(key)) {
-      return this._cache.delete(key);
-    }
-    return false;
+  delete(t) {
+    return this.cache.has(t) ? this.cache.delete(t) : this._cache.has(t) ? this._cache.delete(t) : !1;
   }
-  update(key, value) {
-    this.cache.set(key, value);
-    if (this.cache.size >= this.maxSize) {
-      this._cache = this.cache;
-      this.cache = /* @__PURE__ */ new Map();
-    }
+  update(t, n) {
+    this.cache.set(t, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
   }
 }
-class UnsupportedOperationError extends Error {
-  constructor(message) {
-    var _a2;
-    super(message ?? "operation not supported");
-    this.name = this.constructor.name;
-    (_a2 = Error.captureStackTrace) == null ? void 0 : _a2.call(Error, this, this.constructor);
+class v extends Error {
+  constructor(t) {
+    var n;
+    super(t ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
   }
 }
-class OperationProcessingError extends Error {
-  constructor(message, options) {
-    var _a2;
-    super(message, options);
-    this.name = this.constructor.name;
-    (_a2 = Error.captureStackTrace) == null ? void 0 : _a2.call(Error, this, this.constructor);
+class He extends Error {
+  constructor(t, n) {
+    var o;
+    super(t, n), this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
   }
 }
-const OPE = OperationProcessingError;
-const dpopNonces = new LRU(100);
-function isCryptoKey(key) {
-  return key instanceof CryptoKey;
+const a = He, fe = new De(100);
+function pe(e) {
+  return e instanceof CryptoKey;
 }
-function isPrivateKey(key) {
-  return isCryptoKey(key) && key.type === "private";
+function we(e) {
+  return pe(e) && e.type === "private";
 }
-function isPublicKey(key) {
-  return isCryptoKey(key) && key.type === "public";
+function $e(e) {
+  return pe(e) && e.type === "public";
 }
-function processDpopNonce(response) {
+function Y(e) {
   try {
-    const nonce = response.headers.get("dpop-nonce");
-    if (nonce) {
-      dpopNonces.set(new URL(response.url).origin, nonce);
-    }
+    const t = e.headers.get("dpop-nonce");
+    t && fe.set(new URL(e.url).origin, t);
   } catch {
   }
-  return response;
+  return e;
 }
-function isJsonObject(input) {
-  if (input === null || typeof input !== "object" || Array.isArray(input)) {
-    return false;
-  }
-  return true;
+function C(e) {
+  return !(e === null || typeof e != "object" || Array.isArray(e));
 }
-function prepareHeaders(input) {
-  if (looseInstanceOf(input, Headers)) {
-    input = Object.fromEntries(input.entries());
-  }
-  const headers = new Headers(input);
-  if (USER_AGENT && !headers.has("user-agent")) {
-    headers.set("user-agent", USER_AGENT);
-  }
-  if (headers.has("authorization")) {
+function W(e) {
+  q(e, Headers) && (e = Object.fromEntries(e.entries()));
+  const t = new Headers(e);
+  if (M && !t.has("user-agent") && t.set("user-agent", M), t.has("authorization"))
     throw new TypeError('"options.headers" must not include the "authorization" header name');
-  }
-  if (headers.has("dpop")) {
+  if (t.has("dpop"))
     throw new TypeError('"options.headers" must not include the "dpop" header name');
-  }
-  return headers;
+  return t;
 }
-function signal(value) {
-  if (typeof value === "function") {
-    value = value();
-  }
-  if (!(value instanceof AbortSignal)) {
+function Z(e) {
+  if (typeof e == "function" && (e = e()), !(e instanceof AbortSignal))
     throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
-  }
-  return value;
+  return e;
 }
-async function discoveryRequest(issuerIdentifier, options) {
-  if (!(issuerIdentifier instanceof URL)) {
+async function Fe(e, t) {
+  if (!(e instanceof URL))
     throw new TypeError('"issuerIdentifier" must be an instance of URL');
-  }
-  if (issuerIdentifier.protocol !== "https:" && issuerIdentifier.protocol !== "http:") {
+  if (e.protocol !== "https:" && e.protocol !== "http:")
     throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
-  }
-  const url = new URL(issuerIdentifier.href);
-  switch (options == null ? void 0 : options.algorithm) {
+  const n = new URL(e.href);
+  switch (t == null ? void 0 : t.algorithm) {
     case void 0:
     case "oidc":
-      url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
       break;
     case "oauth2":
-      if (url.pathname === "/") {
-        url.pathname = ".well-known/oauth-authorization-server";
-      } else {
-        url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace("//", "/");
-      }
+      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
       break;
     default:
       throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
   }
-  const headers = prepareHeaders(options == null ? void 0 : options.headers);
-  headers.set("accept", "application/json");
-  return ((options == null ? void 0 : options[customFetch]) || fetch)(url.href, {
-    headers: Object.fromEntries(headers.entries()),
+  const o = W(t == null ? void 0 : t.headers);
+  return o.set("accept", "application/json"), ((t == null ? void 0 : t[V]) || fetch)(n.href, {
+    headers: Object.fromEntries(o.entries()),
     method: "GET",
     redirect: "manual",
-    signal: (options == null ? void 0 : options.signal) ? signal(options.signal) : null
-  }).then(processDpopNonce);
+    signal: t != null && t.signal ? Z(t.signal) : null
+  }).then(Y);
 }
-function validateString(input) {
-  return typeof input === "string" && input.length !== 0;
+function w(e) {
+  return typeof e == "string" && e.length !== 0;
 }
-async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
-  if (!(expectedIssuerIdentifier instanceof URL)) {
+async function Me(e, t) {
+  if (!(e instanceof URL))
     throw new TypeError('"expectedIssuer" must be an instance of URL');
-  }
-  if (!looseInstanceOf(response, Response)) {
+  if (!q(t, Response))
     throw new TypeError('"response" must be an instance of Response');
-  }
-  if (response.status !== 200) {
-    throw new OPE('"response" is not a conform Authorization Server Metadata response');
-  }
-  assertReadableResponse(response);
-  let json;
+  if (t.status !== 200)
+    throw new a('"response" is not a conform Authorization Server Metadata response');
+  X(t);
+  let n;
   try {
-    json = await response.json();
-  } catch (cause) {
-    throw new OPE('failed to parse "response" body as JSON', { cause });
-  }
-  if (!isJsonObject(json)) {
-    throw new OPE('"response" body must be a top level object');
-  }
-  if (!validateString(json.issuer)) {
-    throw new OPE('"response" body "issuer" property must be a non-empty string');
+    n = await t.json();
+  } catch (o) {
+    throw new a('failed to parse "response" body as JSON', { cause: o });
   }
-  if (new URL(json.issuer).href !== expectedIssuerIdentifier.href) {
-    throw new OPE('"response" body "issuer" does not match "expectedIssuer"');
-  }
-  return json;
+  if (!C(n))
+    throw new a('"response" body must be a top level object');
+  if (!w(n.issuer))
+    throw new a('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== e.href)
+    throw new a('"response" body "issuer" does not match "expectedIssuer"');
+  return n;
 }
-function randomBytes() {
-  return b64u(crypto.getRandomValues(new Uint8Array(32)));
+function D() {
+  return k(crypto.getRandomValues(new Uint8Array(32)));
 }
-function generateRandomCodeVerifier() {
-  return randomBytes();
+function Be() {
+  return D();
 }
-function generateRandomState() {
-  return randomBytes();
+function Ge() {
+  return D();
 }
-async function calculatePKCECodeChallenge(codeVerifier) {
-  if (!validateString(codeVerifier)) {
+async function qe(e) {
+  if (!w(e))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  }
-  return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
+  return k(await crypto.subtle.digest("SHA-256", A(e)));
 }
-function getKeyAndKid(input) {
-  if (input instanceof CryptoKey) {
-    return { key: input };
-  }
-  if (!((input == null ? void 0 : input.key) instanceof CryptoKey)) {
+function Ve(e) {
+  if (e instanceof CryptoKey)
+    return { key: e };
+  if (!((e == null ? void 0 : e.key) instanceof CryptoKey))
     return {};
-  }
-  if (input.kid !== void 0 && !validateString(input.kid)) {
+  if (e.kid !== void 0 && !w(e.kid))
     throw new TypeError('"kid" must be a non-empty string');
-  }
-  return { key: input.key, kid: input.kid };
+  return { key: e.key, kid: e.kid };
 }
-function formUrlEncode(token) {
-  return encodeURIComponent(token).replace(/%20/g, "+");
+function se(e) {
+  return encodeURIComponent(e).replace(/%20/g, "+");
 }
-function clientSecretBasic(clientId, clientSecret) {
-  const username = formUrlEncode(clientId);
-  const password = formUrlEncode(clientSecret);
-  const credentials = btoa(`${username}:${password}`);
-  return `Basic ${credentials}`;
+function Ye(e, t) {
+  const n = se(e), o = se(t);
+  return `Basic ${btoa(`${n}:${o}`)}`;
 }
-function psAlg(key) {
-  switch (key.algorithm.hash.name) {
+function Ze(e) {
+  switch (e.algorithm.hash.name) {
     case "SHA-256":
       return "PS256";
     case "SHA-384":
@@ -531,11 +350,11 @@ function psAlg(key) {
     case "SHA-512":
       return "PS512";
     default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new v("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function rsAlg(key) {
-  switch (key.algorithm.hash.name) {
+function Qe(e) {
+  switch (e.algorithm.hash.name) {
     case "SHA-256":
       return "RS256";
     case "SHA-384":
@@ -543,11 +362,11 @@ function rsAlg(key) {
     case "SHA-512":
       return "RS512";
     default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new v("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function esAlg(key) {
-  switch (key.algorithm.namedCurve) {
+function Xe(e) {
+  switch (e.algorithm.namedCurve) {
     case "P-256":
       return "ES256";
     case "P-384":
@@ -555,367 +374,281 @@ function esAlg(key) {
     case "P-521":
       return "ES512";
     default:
-      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve");
+      throw new v("unsupported EcKeyAlgorithm namedCurve");
   }
 }
-function keyToJws(key) {
-  switch (key.algorithm.name) {
+function ge(e) {
+  switch (e.algorithm.name) {
     case "RSA-PSS":
-      return psAlg(key);
+      return Ze(e);
     case "RSASSA-PKCS1-v1_5":
-      return rsAlg(key);
+      return Qe(e);
     case "ECDSA":
-      return esAlg(key);
+      return Xe(e);
     case "Ed25519":
     case "Ed448":
       return "EdDSA";
     default:
-      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name");
+      throw new v("unsupported CryptoKey algorithm name");
   }
 }
-function getClockSkew(client) {
-  const skew = client == null ? void 0 : client[clockSkew];
-  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
+function H(e) {
+  const t = e == null ? void 0 : e[K];
+  return typeof t == "number" && Number.isFinite(t) ? t : 0;
 }
-function getClockTolerance(client) {
-  const tolerance = client == null ? void 0 : client[clockTolerance];
-  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+function et(e) {
+  const t = e == null ? void 0 : e[Oe];
+  return typeof t == "number" && Number.isFinite(t) && Math.sign(t) !== -1 ? t : 30;
 }
-function epochTime() {
+function Q() {
   return Math.floor(Date.now() / 1e3);
 }
-function clientAssertion(as, client) {
-  const now = epochTime() + getClockSkew(client);
+function tt(e, t) {
+  const n = Q() + H(t);
   return {
-    jti: randomBytes(),
-    aud: [as.issuer, as.token_endpoint],
-    exp: now + 60,
-    iat: now,
-    nbf: now,
-    iss: client.client_id,
-    sub: client.client_id
+    jti: D(),
+    aud: [e.issuer, e.token_endpoint],
+    exp: n + 60,
+    iat: n,
+    nbf: n,
+    iss: t.client_id,
+    sub: t.client_id
   };
 }
-async function privateKeyJwt(as, client, key, kid) {
-  return jwt({
-    alg: keyToJws(key),
-    kid
-  }, clientAssertion(as, client), key);
+async function nt(e, t, n, o) {
+  return me({
+    alg: ge(n),
+    kid: o
+  }, tt(e, t), n);
 }
-function assertAs(as) {
-  if (typeof as !== "object" || as === null) {
+function j(e) {
+  if (typeof e != "object" || e === null)
     throw new TypeError('"as" must be an object');
-  }
-  if (!validateString(as.issuer)) {
+  if (!w(e.issuer))
     throw new TypeError('"as.issuer" property must be a non-empty string');
-  }
-  return true;
+  return !0;
 }
-function assertClient(client) {
-  if (typeof client !== "object" || client === null) {
+function z(e) {
+  if (typeof e != "object" || e === null)
     throw new TypeError('"client" must be an object');
-  }
-  if (!validateString(client.client_id)) {
+  if (!w(e.client_id))
     throw new TypeError('"client.client_id" property must be a non-empty string');
-  }
-  return true;
+  return !0;
 }
-function assertClientSecret(clientSecret) {
-  if (!validateString(clientSecret)) {
+function ae(e) {
+  if (!w(e))
     throw new TypeError('"client.client_secret" property must be a non-empty string');
-  }
-  return clientSecret;
+  return e;
 }
-function assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {
-  if (clientPrivateKey !== void 0) {
-    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${clientAuthMethod} client authentication method is used.`);
-  }
+function F(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${e} client authentication method is used.`);
 }
-function assertNoClientSecret(clientAuthMethod, clientSecret) {
-  if (clientSecret !== void 0) {
-    throw new TypeError(`"client.client_secret" property must not be provided when ${clientAuthMethod} client authentication method is used.`);
-  }
+function ce(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${e} client authentication method is used.`);
 }
-async function clientAuthentication(as, client, body, headers, clientPrivateKey) {
-  body.delete("client_secret");
-  body.delete("client_assertion_type");
-  body.delete("client_assertion");
-  switch (client.token_endpoint_auth_method) {
+async function rt(e, t, n, o, s) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), t.token_endpoint_auth_method) {
     case void 0:
     case "client_secret_basic": {
-      assertNoClientPrivateKey("client_secret_basic", clientPrivateKey);
-      headers.set("authorization", clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));
+      F("client_secret_basic", s), o.set("authorization", Ye(t.client_id, ae(t.client_secret)));
       break;
     }
     case "client_secret_post": {
-      assertNoClientPrivateKey("client_secret_post", clientPrivateKey);
-      body.set("client_id", client.client_id);
-      body.set("client_secret", assertClientSecret(client.client_secret));
+      F("client_secret_post", s), n.set("client_id", t.client_id), n.set("client_secret", ae(t.client_secret));
       break;
     }
     case "private_key_jwt": {
-      assertNoClientSecret("private_key_jwt", client.client_secret);
-      if (clientPrivateKey === void 0) {
+      if (ce("private_key_jwt", t.client_secret), s === void 0)
         throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
-      }
-      const { key, kid } = getKeyAndKid(clientPrivateKey);
-      if (!isPrivateKey(key)) {
+      const { key: r, kid: i } = Ve(s);
+      if (!we(r))
         throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
-      }
-      body.set("client_id", client.client_id);
-      body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
-      body.set("client_assertion", await privateKeyJwt(as, client, key, kid));
+      n.set("client_id", t.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await nt(e, t, r, i));
       break;
     }
     case "tls_client_auth":
     case "self_signed_tls_client_auth":
     case "none": {
-      assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);
-      assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);
-      body.set("client_id", client.client_id);
+      ce(t.token_endpoint_auth_method, t.client_secret), F(t.token_endpoint_auth_method, s), n.set("client_id", t.client_id);
       break;
     }
     default:
-      throw new UnsupportedOperationError("unsupported client token_endpoint_auth_method");
+      throw new v("unsupported client token_endpoint_auth_method");
   }
 }
-async function jwt(header, claimsSet, key) {
-  if (!key.usages.includes("sign")) {
+async function me(e, t, n) {
+  if (!n.usages.includes("sign"))
     throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  }
-  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
-  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
-  return `${input}.${signature}`;
+  const o = `${k(A(JSON.stringify(e)))}.${k(A(JSON.stringify(t)))}`, s = k(await crypto.subtle.sign(Se(n), n, A(o)));
+  return `${o}.${s}`;
 }
-async function dpopProofJwt(headers, options, url, htm, clockSkew2, accessToken) {
-  const { privateKey, publicKey, nonce = dpopNonces.get(url.origin) } = options;
-  if (!isPrivateKey(privateKey)) {
+async function ot(e, t, n, o, s, r) {
+  const { privateKey: i, publicKey: d, nonce: g = fe.get(n.origin) } = t;
+  if (!we(i))
     throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  }
-  if (!isPublicKey(publicKey)) {
+  if (!$e(d))
     throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
-  }
-  if (nonce !== void 0 && !validateString(nonce)) {
+  if (g !== void 0 && !w(g))
     throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
-  }
-  if (!publicKey.extractable) {
+  if (!d.extractable)
     throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  }
-  const now = epochTime() + clockSkew2;
-  const proof = await jwt({
-    alg: keyToJws(privateKey),
+  const m = Q() + s, _ = await me({
+    alg: ge(i),
     typ: "dpop+jwt",
-    jwk: await publicJwk(publicKey)
+    jwk: await st(d)
   }, {
-    iat: now,
-    jti: randomBytes(),
-    htm,
-    nonce,
-    htu: `${url.origin}${url.pathname}`,
-    ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : void 0
-  }, privateKey);
-  headers.set("dpop", proof);
-}
-let jwkCache;
-async function getSetPublicJwkCache(key) {
-  const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey("jwk", key);
-  const jwk = { kty, e, n, x, y, crv };
-  jwkCache.set(key, jwk);
-  return jwk;
-}
-async function publicJwk(key) {
-  jwkCache || (jwkCache = /* @__PURE__ */ new WeakMap());
-  return jwkCache.get(key) || getSetPublicJwkCache(key);
-}
-function validateEndpoint(value, endpoint, options) {
-  if (typeof value !== "string") {
-    throw new TypeError(`"as.${endpoint}" must be a string`);
-  }
-  return new URL(value);
-}
-function resolveEndpoint(as, endpoint, options) {
-  return validateEndpoint(as[endpoint], endpoint);
-}
-function isOAuth2Error(input) {
-  const value = input;
-  if (typeof value !== "object" || Array.isArray(value) || value === null) {
-    return false;
-  }
-  return value.error !== void 0;
-}
-async function protectedResourceRequest(accessToken, method, url, headers, body, options) {
-  if (!validateString(accessToken)) {
+    iat: m,
+    jti: D(),
+    htm: o,
+    nonce: g,
+    htu: `${n.origin}${n.pathname}`,
+    ath: r ? k(await crypto.subtle.digest("SHA-256", A(r))) : void 0
+  }, i);
+  e.set("dpop", _);
+}
+let N;
+async function it(e) {
+  const { kty: t, e: n, n: o, x: s, y: r, crv: i } = await crypto.subtle.exportKey("jwk", e), d = { kty: t, e: n, n: o, x: s, y: r, crv: i };
+  return N.set(e, d), d;
+}
+async function st(e) {
+  return N || (N = /* @__PURE__ */ new WeakMap()), N.get(e) || it(e);
+}
+function at(e, t, n) {
+  if (typeof e != "string")
+    throw new TypeError(`"as.${t}" must be a string`);
+  return new URL(e);
+}
+function ye(e, t, n) {
+  return at(e[t], t);
+}
+function B(e) {
+  const t = e;
+  return typeof t != "object" || Array.isArray(t) || t === null ? !1 : t.error !== void 0;
+}
+async function ct(e, t, n, o, s, r) {
+  if (!w(e))
     throw new TypeError('"accessToken" must be a non-empty string');
-  }
-  if (!(url instanceof URL)) {
+  if (!(n instanceof URL))
     throw new TypeError('"url" must be an instance of URL');
-  }
-  headers = prepareHeaders(headers);
-  if ((options == null ? void 0 : options.DPoP) === void 0) {
-    headers.set("authorization", `Bearer ${accessToken}`);
-  } else {
-    await dpopProofJwt(headers, options.DPoP, url, "GET", getClockSkew({ [clockSkew]: options == null ? void 0 : options[clockSkew] }), accessToken);
-    headers.set("authorization", `DPoP ${accessToken}`);
-  }
-  return ((options == null ? void 0 : options[customFetch]) || fetch)(url.href, {
-    body,
-    headers: Object.fromEntries(headers.entries()),
-    method,
+  return o = W(o), (r == null ? void 0 : r.DPoP) === void 0 ? o.set("authorization", `Bearer ${e}`) : (await ot(o, r.DPoP, n, "GET", H({ [K]: r == null ? void 0 : r[K] }), e), o.set("authorization", `DPoP ${e}`)), ((r == null ? void 0 : r[V]) || fetch)(n.href, {
+    body: s,
+    headers: Object.fromEntries(o.entries()),
+    method: t,
     redirect: "manual",
-    signal: (options == null ? void 0 : options.signal) ? signal(options.signal) : null
-  }).then(processDpopNonce);
-}
-async function userInfoRequest(as, client, accessToken, options) {
-  assertAs(as);
-  assertClient(client);
-  const url = resolveEndpoint(as, "userinfo_endpoint");
-  const headers = prepareHeaders(options == null ? void 0 : options.headers);
-  if (client.userinfo_signed_response_alg) {
-    headers.set("accept", "application/jwt");
-  } else {
-    headers.set("accept", "application/json");
-    headers.append("accept", "application/jwt");
-  }
-  return protectedResourceRequest(accessToken, "GET", url, headers, null, {
-    ...options,
-    [clockSkew]: getClockSkew(client)
+    signal: r != null && r.signal ? Z(r.signal) : null
+  }).then(Y);
+}
+async function ut(e, t, n, o) {
+  j(e), z(t);
+  const s = ye(e, "userinfo_endpoint"), r = W(o == null ? void 0 : o.headers);
+  return t.userinfo_signed_response_alg ? r.set("accept", "application/jwt") : (r.set("accept", "application/json"), r.append("accept", "application/jwt")), ct(n, "GET", s, r, null, {
+    ...o,
+    [K]: H(t)
   });
 }
-async function authenticatedRequest(as, client, method, url, body, headers, options) {
-  await clientAuthentication(as, client, body, headers, options == null ? void 0 : options.clientPrivateKey);
-  headers.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
-  return ((options == null ? void 0 : options[customFetch]) || fetch)(url.href, {
-    body,
-    headers: Object.fromEntries(headers.entries()),
-    method,
+async function lt(e, t, n, o, s, r, i) {
+  return await rt(e, t, s, r, i == null ? void 0 : i.clientPrivateKey), r.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[V]) || fetch)(o.href, {
+    body: s,
+    headers: Object.fromEntries(r.entries()),
+    method: n,
     redirect: "manual",
-    signal: (options == null ? void 0 : options.signal) ? signal(options.signal) : null
-  }).then(processDpopNonce);
-}
-async function tokenEndpointRequest(as, client, grantType, parameters, options) {
-  const url = resolveEndpoint(as, "token_endpoint");
-  parameters.set("grant_type", grantType);
-  const headers = prepareHeaders(options == null ? void 0 : options.headers);
-  headers.set("accept", "application/json");
-  return authenticatedRequest(as, client, "POST", url, parameters, headers, options);
-}
-async function refreshTokenGrantRequest(as, client, refreshToken, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!validateString(refreshToken)) {
+    signal: i != null && i.signal ? Z(i.signal) : null
+  }).then(Y);
+}
+async function _e(e, t, n, o, s) {
+  const r = ye(e, "token_endpoint");
+  o.set("grant_type", n);
+  const i = W(s == null ? void 0 : s.headers);
+  return i.set("accept", "application/json"), lt(e, t, "POST", r, o, i, s);
+}
+async function dt(e, t, n, o) {
+  if (j(e), z(t), !w(n))
     throw new TypeError('"refreshToken" must be a non-empty string');
-  }
-  const parameters = new URLSearchParams(options == null ? void 0 : options.additionalParameters);
-  parameters.set("refresh_token", refreshToken);
-  return tokenEndpointRequest(as, client, "refresh_token", parameters, options);
-}
-const idTokenClaims = /* @__PURE__ */ new WeakMap();
-async function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {
-  assertAs(as);
-  assertClient(client);
-  if (!looseInstanceOf(response, Response)) {
+  const s = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return s.set("refresh_token", n), _e(e, t, "refresh_token", s, o);
+}
+const ht = /* @__PURE__ */ new WeakMap();
+async function be(e, t, n, o = !1, s = !1) {
+  if (j(e), z(t), !q(n, Response))
     throw new TypeError('"response" must be an instance of Response');
-  }
-  if (response.status !== 200) {
-    let err;
-    if (err = await handleOAuthBodyError(response)) {
-      return err;
-    }
-    throw new OPE('"response" is not a conform Token Endpoint response');
-  }
-  assertReadableResponse(response);
-  let json;
+  if (n.status !== 200) {
+    let i;
+    if (i = await vt(n))
+      return i;
+    throw new a('"response" is not a conform Token Endpoint response');
+  }
+  X(n);
+  let r;
   try {
-    json = await response.json();
-  } catch (cause) {
-    throw new OPE('failed to parse "response" body as JSON', { cause });
-  }
-  if (!isJsonObject(json)) {
-    throw new OPE('"response" body must be a top level object');
-  }
-  if (!validateString(json.access_token)) {
-    throw new OPE('"response" body "access_token" property must be a non-empty string');
-  }
-  if (!validateString(json.token_type)) {
-    throw new OPE('"response" body "token_type" property must be a non-empty string');
-  }
-  json.token_type = json.token_type.toLowerCase();
-  if (json.token_type !== "dpop" && json.token_type !== "bearer") {
-    throw new UnsupportedOperationError("unsupported `token_type` value");
-  }
-  if (json.expires_in !== void 0 && (typeof json.expires_in !== "number" || json.expires_in <= 0)) {
-    throw new OPE('"response" body "expires_in" property must be a positive number');
-  }
-  if (!ignoreRefreshToken && json.refresh_token !== void 0 && !validateString(json.refresh_token)) {
-    throw new OPE('"response" body "refresh_token" property must be a non-empty string');
-  }
-  if (json.scope !== void 0 && typeof json.scope !== "string") {
-    throw new OPE('"response" body "scope" property must be a string');
-  }
-  if (!ignoreIdToken) {
-    if (json.id_token !== void 0 && !validateString(json.id_token)) {
-      throw new OPE('"response" body "id_token" property must be a non-empty string');
-    }
-    if (json.id_token) {
-      const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(void 0, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client)).then(validatePresence.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(validateIssuer.bind(void 0, as.issuer)).then(validateAudience.bind(void 0, client.client_id));
-      if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {
-        throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
-      }
-      if (claims.auth_time !== void 0 && (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {
-        throw new OPE('ID Token "auth_time" (authentication time) must be a positive number');
-      }
-      idTokenClaims.set(json, claims);
+    r = await n.json();
+  } catch (i) {
+    throw new a('failed to parse "response" body as JSON', { cause: i });
+  }
+  if (!C(r))
+    throw new a('"response" body must be a top level object');
+  if (!w(r.access_token))
+    throw new a('"response" body "access_token" property must be a non-empty string');
+  if (!w(r.token_type))
+    throw new a('"response" body "token_type" property must be a non-empty string');
+  if (r.token_type = r.token_type.toLowerCase(), r.token_type !== "dpop" && r.token_type !== "bearer")
+    throw new v("unsupported `token_type` value");
+  if (r.expires_in !== void 0 && (typeof r.expires_in != "number" || r.expires_in <= 0))
+    throw new a('"response" body "expires_in" property must be a positive number');
+  if (!s && r.refresh_token !== void 0 && !w(r.refresh_token))
+    throw new a('"response" body "refresh_token" property must be a non-empty string');
+  if (r.scope !== void 0 && typeof r.scope != "string")
+    throw new a('"response" body "scope" property must be a string');
+  if (!o) {
+    if (r.id_token !== void 0 && !w(r.id_token))
+      throw new a('"response" body "id_token" property must be a non-empty string');
+    if (r.id_token) {
+      const { claims: i } = await Et(r.id_token, kt.bind(void 0, t.id_token_signed_response_alg, e.id_token_signing_alg_values_supported), Ee, H(t), et(t)).then(_t.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(wt.bind(void 0, e.issuer)).then(pt.bind(void 0, t.client_id));
+      if (Array.isArray(i.aud) && i.aud.length !== 1 && i.azp !== t.client_id)
+        throw new a('unexpected ID Token "azp" (authorized party) claim value');
+      if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
+        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
+      ht.set(r, i);
     }
   }
-  return json;
+  return r;
 }
-async function processRefreshTokenResponse(as, client, response) {
-  return processGenericAccessTokenResponse(as, client, response);
+async function ft(e, t, n) {
+  return be(e, t, n);
 }
-function validateAudience(expected, result) {
-  if (Array.isArray(result.claims.aud)) {
-    if (!result.claims.aud.includes(expected)) {
-      throw new OPE('unexpected JWT "aud" (audience) claim value');
-    }
-  } else if (result.claims.aud !== expected) {
-    throw new OPE('unexpected JWT "aud" (audience) claim value');
-  }
-  return result;
+function pt(e, t) {
+  if (Array.isArray(t.claims.aud)) {
+    if (!t.claims.aud.includes(e))
+      throw new a('unexpected JWT "aud" (audience) claim value');
+  } else if (t.claims.aud !== e)
+    throw new a('unexpected JWT "aud" (audience) claim value');
+  return t;
 }
-function validateIssuer(expected, result) {
-  if (result.claims.iss !== expected) {
-    throw new OPE('unexpected JWT "iss" (issuer) claim value');
-  }
-  return result;
+function wt(e, t) {
+  if (t.claims.iss !== e)
+    throw new a('unexpected JWT "iss" (issuer) claim value');
+  return t;
 }
-const branded = /* @__PURE__ */ new WeakSet();
-function brand(searchParams) {
-  branded.add(searchParams);
-  return searchParams;
+const ve = /* @__PURE__ */ new WeakSet();
+function gt(e) {
+  return ve.add(e), e;
 }
-async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!branded.has(callbackParameters)) {
+async function mt(e, t, n, o, s, r) {
+  if (j(e), z(t), !ve.has(n))
     throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
-  }
-  if (!validateString(redirectUri)) {
+  if (!w(o))
     throw new TypeError('"redirectUri" must be a non-empty string');
-  }
-  if (!validateString(codeVerifier)) {
+  if (!w(s))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  }
-  const code = getURLSearchParameter(callbackParameters, "code");
-  if (!code) {
-    throw new OPE('no authorization code in "callbackParameters"');
-  }
-  const parameters = new URLSearchParams(options == null ? void 0 : options.additionalParameters);
-  parameters.set("redirect_uri", redirectUri);
-  parameters.set("code_verifier", codeVerifier);
-  parameters.set("code", code);
-  return tokenEndpointRequest(as, client, "authorization_code", parameters, options);
+  const i = E(n, "code");
+  if (!i)
+    throw new a('no authorization code in "callbackParameters"');
+  const d = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return d.set("redirect_uri", o), d.set("code_verifier", s), d.set("code", i), _e(e, t, "authorization_code", d, r);
 }
-const jwtClaimNames = {
+const yt = {
   aud: "audience",
   c_hash: "code hash",
   client_id: "client id",
@@ -931,64 +664,44 @@ const jwtClaimNames = {
   htu: "http uri",
   cnf: "confirmation"
 };
-function validatePresence(required, result) {
-  for (const claim of required) {
-    if (result.claims[claim] === void 0) {
-      throw new OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`);
-    }
-  }
-  return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response) {
-  const result = await processGenericAccessTokenResponse(as, client, response, true);
-  if (isOAuth2Error(result)) {
-    return result;
-  }
-  if (result.id_token !== void 0) {
-    if (typeof result.id_token === "string" && result.id_token.length) {
-      throw new OPE("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
-    }
-    delete result.id_token;
-  }
-  return result;
-}
-function assertReadableResponse(response) {
-  if (response.bodyUsed) {
+function _t(e, t) {
+  for (const n of e)
+    if (t.claims[n] === void 0)
+      throw new a(`JWT "${n}" (${yt[n]}) claim missing`);
+  return t;
+}
+async function bt(e, t, n) {
+  const o = await be(e, t, n, !0);
+  if (B(o))
+    return o;
+  if (o.id_token !== void 0) {
+    if (typeof o.id_token == "string" && o.id_token.length)
+      throw new a("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+    delete o.id_token;
+  }
+  return o;
+}
+function X(e) {
+  if (e.bodyUsed)
     throw new TypeError('"response" body has been used already');
-  }
 }
-async function handleOAuthBodyError(response) {
-  if (response.status > 399 && response.status < 500) {
-    assertReadableResponse(response);
+async function vt(e) {
+  if (e.status > 399 && e.status < 500) {
+    X(e);
     try {
-      const json = await response.json();
-      if (isJsonObject(json) && typeof json.error === "string" && json.error.length) {
-        if (json.error_description !== void 0 && typeof json.error_description !== "string") {
-          delete json.error_description;
-        }
-        if (json.error_uri !== void 0 && typeof json.error_uri !== "string") {
-          delete json.error_uri;
-        }
-        if (json.algs !== void 0 && typeof json.algs !== "string") {
-          delete json.algs;
-        }
-        if (json.scope !== void 0 && typeof json.scope !== "string") {
-          delete json.scope;
-        }
-        return json;
-      }
+      const t = await e.json();
+      if (C(t) && typeof t.error == "string" && t.error.length)
+        return t.error_description !== void 0 && typeof t.error_description != "string" && delete t.error_description, t.error_uri !== void 0 && typeof t.error_uri != "string" && delete t.error_uri, t.algs !== void 0 && typeof t.algs != "string" && delete t.algs, t.scope !== void 0 && typeof t.scope != "string" && delete t.scope, t;
     } catch {
     }
   }
-  return void 0;
 }
-function checkRsaKeyAlgorithm(algorithm) {
-  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
-    throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);
-  }
+function ue(e) {
+  if (typeof e.modulusLength != "number" || e.modulusLength < 2048)
+    throw new a(`${e.name} modulusLength must be at least 2048 bits`);
 }
-function ecdsaHashName(namedCurve) {
-  switch (namedCurve) {
+function St(e) {
+  switch (e) {
     case "P-256":
       return "SHA-256";
     case "P-384":
@@ -996,453 +709,353 @@ function ecdsaHashName(namedCurve) {
     case "P-521":
       return "SHA-512";
     default:
-      throw new UnsupportedOperationError();
+      throw new v();
   }
 }
-function keyToSubtle(key) {
-  switch (key.algorithm.name) {
+function Se(e) {
+  switch (e.algorithm.name) {
     case "ECDSA":
       return {
-        name: key.algorithm.name,
-        hash: ecdsaHashName(key.algorithm.namedCurve)
+        name: e.algorithm.name,
+        hash: St(e.algorithm.namedCurve)
       };
-    case "RSA-PSS": {
-      checkRsaKeyAlgorithm(key.algorithm);
-      switch (key.algorithm.hash.name) {
+    case "RSA-PSS":
+      switch (ue(e.algorithm), e.algorithm.hash.name) {
         case "SHA-256":
         case "SHA-384":
         case "SHA-512":
           return {
-            name: key.algorithm.name,
-            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
+            name: e.algorithm.name,
+            saltLength: parseInt(e.algorithm.hash.name.slice(-3), 10) >> 3
           };
         default:
-          throw new UnsupportedOperationError();
+          throw new v();
       }
-    }
     case "RSASSA-PKCS1-v1_5":
-      checkRsaKeyAlgorithm(key.algorithm);
-      return key.algorithm.name;
+      return ue(e.algorithm), e.algorithm.name;
     case "Ed448":
     case "Ed25519":
-      return key.algorithm.name;
-  }
-  throw new UnsupportedOperationError();
-}
-const noSignatureCheck = Symbol();
-async function validateJwt(jws, checkAlg, getKey, clockSkew2, clockTolerance2) {
-  const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split(".");
-  if (length === 5) {
-    throw new UnsupportedOperationError("JWE structure JWTs are not supported");
-  }
-  if (length !== 3) {
-    throw new OPE("Invalid JWT");
-  }
-  let header;
+      return e.algorithm.name;
+  }
+  throw new v();
+}
+const Ee = Symbol();
+async function Et(e, t, n, o, s) {
+  const { 0: r, 1: i, 2: d, length: g } = e.split(".");
+  if (g === 5)
+    throw new v("JWE structure JWTs are not supported");
+  if (g !== 3)
+    throw new a("Invalid JWT");
+  let m;
   try {
-    header = JSON.parse(buf(b64u(protectedHeader)));
-  } catch (cause) {
-    throw new OPE("failed to parse JWT Header body as base64url encoded JSON", { cause });
-  }
-  if (!isJsonObject(header)) {
-    throw new OPE("JWT Header must be a top level object");
-  }
-  checkAlg(header);
-  if (header.crit !== void 0) {
-    throw new OPE('unexpected JWT "crit" header parameter');
-  }
-  const signature = b64u(encodedSignature);
-  let key;
-  if (getKey !== noSignatureCheck) {
-    key = await getKey(header);
-    const input = `${protectedHeader}.${payload}`;
-    const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));
-    if (!verified) {
-      throw new OPE("JWT signature verification failed");
-    }
-  }
-  let claims;
+    m = JSON.parse(A(k(r)));
+  } catch (R) {
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: R });
+  }
+  if (!C(m))
+    throw new a("JWT Header must be a top level object");
+  if (t(m), m.crit !== void 0)
+    throw new a('unexpected JWT "crit" header parameter');
+  const _ = k(d);
+  let y;
+  if (n !== Ee) {
+    y = await n(m);
+    const R = `${r}.${i}`;
+    if (!await crypto.subtle.verify(Se(y), y, _, A(R)))
+      throw new a("JWT signature verification failed");
+  }
+  let h;
   try {
-    claims = JSON.parse(buf(b64u(payload)));
-  } catch (cause) {
-    throw new OPE("failed to parse JWT Payload body as base64url encoded JSON", { cause });
-  }
-  if (!isJsonObject(claims)) {
-    throw new OPE("JWT Payload must be a top level object");
-  }
-  const now = epochTime() + clockSkew2;
-  if (claims.exp !== void 0) {
-    if (typeof claims.exp !== "number") {
-      throw new OPE('unexpected JWT "exp" (expiration time) claim type');
-    }
-    if (claims.exp <= now - clockTolerance2) {
-      throw new OPE('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
-    }
-  }
-  if (claims.iat !== void 0) {
-    if (typeof claims.iat !== "number") {
-      throw new OPE('unexpected JWT "iat" (issued at) claim type');
-    }
-  }
-  if (claims.iss !== void 0) {
-    if (typeof claims.iss !== "string") {
-      throw new OPE('unexpected JWT "iss" (issuer) claim type');
-    }
-  }
-  if (claims.nbf !== void 0) {
-    if (typeof claims.nbf !== "number") {
-      throw new OPE('unexpected JWT "nbf" (not before) claim type');
-    }
-    if (claims.nbf > now + clockTolerance2) {
-      throw new OPE('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
-    }
-  }
-  if (claims.aud !== void 0) {
-    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
-      throw new OPE('unexpected JWT "aud" (audience) claim type');
-    }
-  }
-  return { header, claims, signature, key };
-}
-function checkSigningAlgorithm(client, issuer, header) {
-  if (client !== void 0) {
-    if (header.alg !== client) {
-      throw new OPE('unexpected JWT "alg" header parameter');
-    }
+    h = JSON.parse(A(k(i)));
+  } catch (R) {
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: R });
+  }
+  if (!C(h))
+    throw new a("JWT Payload must be a top level object");
+  const L = Q() + o;
+  if (h.exp !== void 0) {
+    if (typeof h.exp != "number")
+      throw new a('unexpected JWT "exp" (expiration time) claim type');
+    if (h.exp <= L - s)
+      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (h.iat !== void 0 && typeof h.iat != "number")
+    throw new a('unexpected JWT "iat" (issued at) claim type');
+  if (h.iss !== void 0 && typeof h.iss != "string")
+    throw new a('unexpected JWT "iss" (issuer) claim type');
+  if (h.nbf !== void 0) {
+    if (typeof h.nbf != "number")
+      throw new a('unexpected JWT "nbf" (not before) claim type');
+    if (h.nbf > L + s)
+      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
+    throw new a('unexpected JWT "aud" (audience) claim type');
+  return { header: m, claims: h, signature: _, key: y };
+}
+function kt(e, t, n) {
+  if (e !== void 0) {
+    if (n.alg !== e)
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
-  if (Array.isArray(issuer)) {
-    if (!issuer.includes(header.alg)) {
-      throw new OPE('unexpected JWT "alg" header parameter');
-    }
+  if (Array.isArray(t)) {
+    if (!t.includes(n.alg))
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
-  if (header.alg !== "RS256") {
-    throw new OPE('unexpected JWT "alg" header parameter');
-  }
+  if (n.alg !== "RS256")
+    throw new a('unexpected JWT "alg" header parameter');
 }
-function getURLSearchParameter(parameters, name) {
-  const { 0: value, length } = parameters.getAll(name);
-  if (length > 1) {
-    throw new OPE(`"${name}" parameter must be provided only once`);
-  }
-  return value;
-}
-const skipStateCheck = Symbol();
-const expectNoState = Symbol();
-function validateAuthResponse(as, client, parameters, expectedState) {
-  assertAs(as);
-  assertClient(client);
-  if (parameters instanceof URL) {
-    parameters = parameters.searchParams;
-  }
-  if (!(parameters instanceof URLSearchParams)) {
+function E(e, t) {
+  const { 0: n, length: o } = e.getAll(t);
+  if (o > 1)
+    throw new a(`"${t}" parameter must be provided only once`);
+  return n;
+}
+const Tt = Symbol(), At = Symbol();
+function Rt(e, t, n, o) {
+  if (j(e), z(t), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
     throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  }
-  if (getURLSearchParameter(parameters, "response")) {
-    throw new OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  }
-  const iss = getURLSearchParameter(parameters, "iss");
-  const state = getURLSearchParameter(parameters, "state");
-  if (!iss && as.authorization_response_iss_parameter_supported) {
-    throw new OPE('response parameter "iss" (issuer) missing');
-  }
-  if (iss && iss !== as.issuer) {
-    throw new OPE('unexpected "iss" (issuer) response parameter value');
-  }
-  switch (expectedState) {
+  if (E(n, "response"))
+    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const s = E(n, "iss"), r = E(n, "state");
+  if (!s && e.authorization_response_iss_parameter_supported)
+    throw new a('response parameter "iss" (issuer) missing');
+  if (s && s !== e.issuer)
+    throw new a('unexpected "iss" (issuer) response parameter value');
+  switch (o) {
     case void 0:
-    case expectNoState:
-      if (state !== void 0) {
-        throw new OPE('unexpected "state" response parameter encountered');
-      }
+    case At:
+      if (r !== void 0)
+        throw new a('unexpected "state" response parameter encountered');
       break;
-    case skipStateCheck:
+    case Tt:
       break;
     default:
-      if (!validateString(expectedState)) {
-        throw new OPE('"expectedState" must be a non-empty string');
-      }
-      if (state === void 0) {
-        throw new OPE('response parameter "state" missing');
-      }
-      if (state !== expectedState) {
-        throw new OPE('unexpected "state" response parameter value');
-      }
-  }
-  const error = getURLSearchParameter(parameters, "error");
-  if (error) {
+      if (!w(o))
+        throw new a('"expectedState" must be a non-empty string');
+      if (r === void 0)
+        throw new a('response parameter "state" missing');
+      if (r !== o)
+        throw new a('unexpected "state" response parameter value');
+  }
+  const i = E(n, "error");
+  if (i)
     return {
-      error,
-      error_description: getURLSearchParameter(parameters, "error_description"),
-      error_uri: getURLSearchParameter(parameters, "error_uri")
+      error: i,
+      error_description: E(n, "error_description"),
+      error_uri: E(n, "error_uri")
     };
-  }
-  const id_token = getURLSearchParameter(parameters, "id_token");
-  const token = getURLSearchParameter(parameters, "token");
-  if (id_token !== void 0 || token !== void 0) {
-    throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
-  }
-  return brand(new URLSearchParams(parameters));
+  const d = E(n, "id_token"), g = E(n, "token");
+  if (d !== void 0 || g !== void 0)
+    throw new v("implicit and hybrid flows are not supported");
+  return gt(new URLSearchParams(n));
 }
-class AuthorizationError extends Error {
+class P extends Error {
 }
-class OAuthAuthorizationError extends AuthorizationError {
-  constructor(message, error, options) {
-    super(message, options);
-    this.error = error;
+class G extends P {
+  constructor(t, n, o) {
+    super(t, o), this.error = n;
   }
 }
-function Callback({
-  handleCallback
+function xt({
+  handleCallback: e
 }) {
-  const didInitialize = useRef(false);
-  const [error, setError] = useState(void 0);
-  const navigate = useNavigate();
-  useEffect(() => {
-    if (didInitialize.current) {
-      return;
-    }
-    didInitialize.current = true;
-    handleCallback().then(() => {
-      navigate("/");
-    }).catch((err) => {
-      setError(err);
-    });
-  }, []);
-  if (error) {
-    if (error instanceof OAuthAuthorizationError) {
-      return /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
-        /* @__PURE__ */ jsxRuntimeExports.jsx("h2", { children: "Error" }),
-        /* @__PURE__ */ jsxRuntimeExports.jsxs("pre", { children: [
-          error.error.error,
-          error.error.error_description,
-          error.error.error_uri
-        ] })
-      ] });
-    }
-    return /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
-      /* @__PURE__ */ jsxRuntimeExports.jsx("h2", { children: "Error" }),
-      /* @__PURE__ */ jsxRuntimeExports.jsxs("pre", { children: [
-        error.message,
-        error.stack
-      ] })
-    ] });
-  }
-  return /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." });
-}
-const CODE_VERIFIER_KEY = "code-verifier";
-class OpenIDAuthenticationProvider {
+  const t = Ce(!1), [n, o] = je(void 0), s = Pe();
+  return ze(() => {
+    t.current || (t.current = !0, e().then(() => {
+      s("/");
+    }).catch((r) => {
+      o(r);
+    }));
+  }, []), n ? n instanceof G ? /* @__PURE__ */ T.jsxs("div", { children: [
+    /* @__PURE__ */ T.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ T.jsxs("pre", { children: [
+      n.error.error,
+      n.error.error_description,
+      n.error.error_uri
+    ] })
+  ] }) : /* @__PURE__ */ T.jsxs("div", { children: [
+    /* @__PURE__ */ T.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ T.jsxs("pre", { children: [
+      n.message,
+      n.stack
+    ] })
+  ] }) : /* @__PURE__ */ T.jsx("div", { children: "Loading..." });
+}
+const le = "code-verifier";
+class Pt {
   constructor({
-    issuer,
-    authorizationEndpoint,
-    tokenEndpoint,
-    clientId
+    issuer: t,
+    authorizationEndpoint: n,
+    tokenEndpoint: o,
+    clientId: s
   }) {
-    __publicField(this, "client");
-    __publicField(this, "issuer");
-    __publicField(this, "authorizationEndpoint");
-    __publicField(this, "tokenEndpoint");
-    __publicField(this, "authorizationServer");
-    __publicField(this, "tokens");
-    __publicField(this, "callbackUrlPath", "/oauth/callback");
-    __publicField(this, "logoutRedirectUrlPath", "/");
-    __publicField(this, "handleCallback", async () => {
-      const url = new URL(window.location.href);
-      const state = url.searchParams.get("state");
-      const codeVerifier = localStorage.getItem(CODE_VERIFIER_KEY);
-      if (!codeVerifier) {
-        throw new AuthorizationError(
+    S(this, "client");
+    S(this, "issuer");
+    S(this, "authorizationEndpoint");
+    S(this, "tokenEndpoint");
+    S(this, "authorizationServer");
+    S(this, "tokens");
+    S(this, "callbackUrlPath", "/oauth/callback");
+    S(this, "logoutRedirectUrlPath", "/");
+    S(this, "handleCallback", async () => {
+      const t = new URL(window.location.href), n = t.searchParams.get("state"), o = localStorage.getItem(le);
+      if (!o)
+        throw new P(
           "Code verifier not found. Invalid auth state."
         );
-      }
-      const authServer = await this.getAuthServer();
-      const params = validateAuthResponse(
-        authServer,
+      const s = await this.getAuthServer(), r = Rt(
+        s,
         this.client,
-        url.searchParams,
-        state ?? void 0
+        t.searchParams,
+        n ?? void 0
       );
-      if (isOAuth2Error(params)) {
-        logger.error("Error validating OAuth response", params);
-        throw new OAuthAuthorizationError(
+      if (B(r))
+        throw oe.error("Error validating OAuth response", r), new G(
           "Error validating OAuth response",
-          params
+          r
         );
-      }
-      const redirectUrl = new URL(url);
-      redirectUrl.pathname = this.callbackUrlPath;
-      redirectUrl.search = "";
-      const response = await authorizationCodeGrantRequest(
-        authServer,
+      const i = new URL(t);
+      i.pathname = this.callbackUrlPath, i.search = "";
+      const d = await mt(
+        s,
         this.client,
-        params,
-        redirectUrl.toString(),
-        codeVerifier
-      );
-      const oauthResult = await processAuthorizationCodeOAuth2Response(
-        authServer,
+        r,
+        i.toString(),
+        o
+      ), g = await bt(
+        s,
         this.client,
-        response
+        d
       );
-      this.setTokensFromResponse(oauthResult);
-      const accessToken = await this.getAccessToken();
-      const userInfoResponse = await userInfoRequest(
-        authServer,
+      this.setTokensFromResponse(g);
+      const m = await this.getAccessToken(), y = await (await ut(
+        s,
         this.client,
-        accessToken
-      );
-      const userInfo = await userInfoResponse.json();
-      const profile = {
-        sub: userInfo.sub,
-        email: userInfo.email,
-        name: userInfo.name,
-        emailVerified: userInfo.email_verified ?? false,
-        pictureUrl: userInfo.picture
+        m
+      )).json(), h = {
+        sub: y.sub,
+        email: y.email,
+        name: y.name,
+        emailVerified: y.email_verified ?? !1,
+        pictureUrl: y.picture
       };
-      useAuthState.setState({
-        isAuthenticated: true,
-        isPending: false,
-        profile
+      re.setState({
+        isAuthenticated: !0,
+        isPending: !1,
+        profile: h
       });
     });
     this.client = {
-      client_id: clientId,
+      client_id: s,
       token_endpoint_auth_method: "none"
-    };
-    this.issuer = issuer;
-    this.authorizationEndpoint = authorizationEndpoint;
-    this.tokenEndpoint = tokenEndpoint;
+    }, this.issuer = t, this.authorizationEndpoint = n, this.tokenEndpoint = o;
   }
   async getAuthServer() {
-    if (!this.authorizationServer) {
-      if (this.tokenEndpoint && this.authorizationEndpoint) {
+    if (!this.authorizationServer)
+      if (this.tokenEndpoint && this.authorizationEndpoint)
         this.authorizationServer = {
           issuer: new URL(this.authorizationEndpoint).origin,
           authorization_endpoint: this.authorizationEndpoint,
           token_endpoint: this.tokenEndpoint,
           code_challenge_methods_supported: []
         };
-      } else {
-        const issuerUrl = new URL(this.issuer);
-        const response = await discoveryRequest(issuerUrl);
-        this.authorizationServer = await processDiscoveryResponse(
-          issuerUrl,
-          response
+      else {
+        const t = new URL(this.issuer), n = await Fe(t);
+        this.authorizationServer = await Me(
+          t,
+          n
         );
       }
-    }
     return this.authorizationServer;
   }
   /**
    * Sets the tokens from various OAuth responses
    * @param response
    */
-  setTokensFromResponse(response) {
-    if (isOAuth2Error(response)) {
-      logger.error("Bad Token Response", response);
-      throw new OAuthAuthorizationError("Bad Token Response", response);
-    }
-    if (!response.expires_in) {
-      throw new AuthorizationError("No expires_in in response");
-    }
+  setTokensFromResponse(t) {
+    if (B(t))
+      throw oe.error("Bad Token Response", t), new G("Bad Token Response", t);
+    if (!t.expires_in)
+      throw new P("No expires_in in response");
     this.tokens = {
-      accessToken: response.access_token,
-      refreshToken: response.refresh_token,
-      expiresOn: new Date(Date.now() + response.expires_in * 1e3),
-      tokenType: response.token_type
+      accessToken: t.access_token,
+      refreshToken: t.refresh_token,
+      expiresOn: new Date(Date.now() + t.expires_in * 1e3),
+      tokenType: t.token_type
     };
   }
   async initialize() {
   }
   async login() {
-    var _a2;
-    const code_challenge_method = "S256";
-    const authorizationServer = await this.getAuthServer();
-    if (!authorizationServer.authorization_endpoint) {
-      throw new AuthorizationError("No authorization endpoint");
-    }
-    const codeVerifier = generateRandomCodeVerifier();
-    const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
-    localStorage.setItem(CODE_VERIFIER_KEY, codeVerifier);
-    const authorizationUrl = new URL(
-      authorizationServer.authorization_endpoint
-    );
-    const redirectUrl = new URL(window.location.href);
-    redirectUrl.pathname = this.callbackUrlPath;
-    redirectUrl.search = "";
-    authorizationUrl.searchParams.set("client_id", this.client.client_id);
-    authorizationUrl.searchParams.set("redirect_uri", redirectUrl.toString());
-    authorizationUrl.searchParams.set("response_type", "code");
-    authorizationUrl.searchParams.set("scope", "openid+profile+email");
-    authorizationUrl.searchParams.set("code_challenge", codeChallenge);
-    authorizationUrl.searchParams.set(
+    var d;
+    const t = "S256", n = await this.getAuthServer();
+    if (!n.authorization_endpoint)
+      throw new P("No authorization endpoint");
+    const o = Be(), s = await qe(o);
+    localStorage.setItem(le, o);
+    const r = new URL(
+      n.authorization_endpoint
+    ), i = new URL(window.location.href);
+    if (i.pathname = this.callbackUrlPath, i.search = "", r.searchParams.set("client_id", this.client.client_id), r.searchParams.set("redirect_uri", i.toString()), r.searchParams.set("response_type", "code"), r.searchParams.set("scope", "openid+profile+email"), r.searchParams.set("code_challenge", s), r.searchParams.set(
       "code_challenge_method",
-      code_challenge_method
-    );
-    if (((_a2 = authorizationServer.code_challenge_methods_supported) == null ? void 0 : _a2.includes("S256")) !== true) {
-      const state = generateRandomState();
-      authorizationUrl.searchParams.set("state", state);
+      t
+    ), ((d = n.code_challenge_methods_supported) == null ? void 0 : d.includes("S256")) !== !0) {
+      const g = Ge();
+      r.searchParams.set("state", g);
     }
-    location.href = authorizationUrl.href;
+    location.href = r.href;
   }
   async getAccessToken() {
-    const as = await this.getAuthServer();
-    if (!this.tokens) {
-      throw new AuthorizationError("User is not authenticated");
-    }
+    const t = await this.getAuthServer();
+    if (!this.tokens)
+      throw new P("User is not authenticated");
     if (this.tokens.expiresOn < /* @__PURE__ */ new Date()) {
-      if (!this.tokens.refreshToken) {
-        throw new AuthorizationError(
+      if (!this.tokens.refreshToken)
+        throw new P(
           "Token expired and no refresh token available"
         );
-      }
-      const request = await refreshTokenGrantRequest(
-        as,
+      const n = await dt(
+        t,
         this.client,
         this.tokens.refreshToken
-      );
-      const response = await processRefreshTokenResponse(
-        as,
+      ), o = await ft(
+        t,
         this.client,
-        request
+        n
       );
-      this.setTokensFromResponse(response);
+      this.setTokensFromResponse(o);
     }
     return this.tokens.accessToken;
   }
   async logout() {
-    useAuthState.setState({
-      isAuthenticated: false,
-      isPending: false,
+    re.setState({
+      isAuthenticated: !1,
+      isPending: !1,
       profile: void 0
     });
-    const as = await this.getAuthServer();
-    const redirectUrl = new URL(window.location.href);
-    redirectUrl.pathname = this.logoutRedirectUrlPath;
-    let logoutUrl;
-    if (as.end_session_endpoint) {
-      logoutUrl = new URL(as.end_session_endpoint);
-      logoutUrl.searchParams.set(
-        "post_logout_redirect_uri",
-        redirectUrl.toString()
-      );
-    } else {
-      logoutUrl = redirectUrl;
-    }
+    const t = await this.getAuthServer(), n = new URL(window.location.href);
+    n.pathname = this.logoutRedirectUrlPath;
+    let o;
+    t.end_session_endpoint ? (o = new URL(t.end_session_endpoint), o.searchParams.set(
+      "post_logout_redirect_uri",
+      n.toString()
+    )) : o = n;
   }
   getRoutes() {
     return [
       {
         path: this.callbackUrlPath,
-        element: /* @__PURE__ */ jsxRuntimeExports.jsx(Callback, { handleCallback: this.handleCallback })
+        element: /* @__PURE__ */ T.jsx(xt, { handleCallback: this.handleCallback })
       }
     ];
   }
 }
-const openIDAuth = (options) => new OpenIDAuthenticationProvider(options);
+const Jt = (e) => new Pt(e);
 export {
-  OpenIDAuthenticationProvider,
-  openIDAuth as default
+  Pt as OpenIDAuthenticationProvider,
+  Jt as default
 };
 //# sourceMappingURL=zudoku.auth-openid.js.map