{"version":3,"file":"auth-flow-CWAq4eQH.js","sources":["../../../src/packages/core/auth/components/auth-provider-default.element.ts","../../../src/packages/core/auth/constants.ts","../../../src/packages/core/auth/auth-flow.ts"],"sourcesContent":["import type { UmbAuthProviderDefaultProps, UmbUserLoginState } from '../types.js';\r\nimport type { ManifestAuthProvider } from '../auth-provider.extension.js';\r\nimport { css, customElement, html, nothing, property } from '@umbraco-cms/backoffice/external/lit';\r\nimport { UmbLitElement } from '@umbraco-cms/backoffice/lit-element';\r\nimport { UmbTextStyles } from '@umbraco-cms/backoffice/style';\r\n\r\n@customElement('umb-auth-provider-default')\r\nexport class UmbAuthProviderDefaultElement extends UmbLitElement implements UmbAuthProviderDefaultProps {\r\n\t@property({ attribute: false })\r\n\tuserLoginState?: UmbUserLoginState | undefined;\r\n\r\n\t@property({ attribute: false })\r\n\tmanifest!: ManifestAuthProvider;\r\n\r\n\t@property({ attribute: false })\r\n\tonSubmit!: (manifestOrProviderName: string | ManifestAuthProvider, loginHint?: string) => void;\r\n\r\n\toverride connectedCallback(): void {\r\n\t\tsuper.connectedCallback();\r\n\t\tthis.setAttribute('part', 'auth-provider-default');\r\n\t}\r\n\r\n\tget #label() {\r\n\t\tconst label = this.manifest.meta?.label ?? this.manifest.forProviderName;\r\n\t\tconst labelLocalized = this.localize.string(label);\r\n\t\treturn this.localize.term('login_signInWith', labelLocalized);\r\n\t}\r\n\r\n\toverride render() {\r\n\t\treturn html`\r\n\t\t\t<uui-button\r\n\t\t\t\ttype=\"button\"\r\n\t\t\t\t@click=${() => this.onSubmit(this.manifest)}\r\n\t\t\t\tid=\"auth-provider-button\"\r\n\t\t\t\t.label=${this.#label}\r\n\t\t\t\t.look=${this.manifest.meta?.defaultView?.look ?? 'outline'}\r\n\t\t\t\t.color=${this.manifest.meta?.defaultView?.color ?? 'default'}>\r\n\t\t\t\t${this.manifest.meta?.defaultView?.icon\r\n\t\t\t\t\t? html`<uui-icon id=\"icon\" .name=${this.manifest.meta?.defaultView?.icon}></uui-icon>`\r\n\t\t\t\t\t: nothing}\r\n\t\t\t\t${this.#label}\r\n\t\t\t</uui-button>\r\n\t\t`;\r\n\t}\r\n\r\n\tstatic override styles = [\r\n\t\tUmbTextStyles,\r\n\t\tcss`\r\n\t\t\t:host {\r\n\t\t\t\tdisplay: block;\r\n\t\t\t}\r\n\r\n\t\t\t#auth-provider-button {\r\n\t\t\t\twidth: 100%;\r\n\t\t\t}\r\n\r\n\t\t\t#icon {\r\n\t\t\t\tmargin-right: var(--uui-size-space-1);\r\n\t\t\t}\r\n\t\t`,\r\n\t];\r\n}\r\n\r\ndeclare global {\r\n\tinterface HTMLElementTagNameMap {\r\n\t\t'umb-auth-provider-default': UmbAuthProviderDefaultElement;\r\n\t}\r\n}\r\n","export const UMB_STORAGE_TOKEN_RESPONSE_NAME = 'umb:userAuthTokenResponse';\r\n","/*\r\n * Copyright 2017 Google Inc.\r\n *\r\n * Licensed under the Apache License, Version 2.0 (the \"License\"); you may not\r\n * use this file except in compliance with the License. You may obtain a copy of\r\n * the License at\r\n *\r\n * http://www.apache.org/licenses/LICENSE-2.0\r\n *\r\n * Unless required by applicable law or agreed to in writing, software\r\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\r\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the\r\n * License for the specific language governing permissions and limitations under\r\n * the License.\r\n */\r\nimport { UMB_STORAGE_TOKEN_RESPONSE_NAME } from './constants.js';\r\nimport type { LocationLike, StringMap } from '@umbraco-cms/backoffice/external/openid';\r\nimport {\r\n\tBaseTokenRequestHandler,\r\n\tBasicQueryStringUtils,\r\n\tFetchRequestor,\r\n\tLocalStorageBackend,\r\n\tRedirectRequestHandler,\r\n\tAuthorizationRequest,\r\n\tAuthorizationNotifier,\r\n\tAuthorizationServiceConfiguration,\r\n\tGRANT_TYPE_AUTHORIZATION_CODE,\r\n\tGRANT_TYPE_REFRESH_TOKEN,\r\n\tRevokeTokenRequest,\r\n\tTokenRequest,\r\n\tTokenResponse,\r\n} from '@umbraco-cms/backoffice/external/openid';\r\nimport { Subject } from '@umbraco-cms/backoffice/external/rxjs';\r\n\r\nconst requestor = new FetchRequestor();\r\n\r\n/**\r\n * This class is needed to prevent the hash from being parsed as part of the query string.\r\n */\r\nclass UmbNoHashQueryStringUtils extends BasicQueryStringUtils {\r\n\toverride parse(input: LocationLike) {\r\n\t\treturn super.parse(input, false);\r\n\t}\r\n}\r\n\r\n/**\r\n * This class is used to handle the auth flow through any backend supporting OpenID Connect.\r\n * It needs to know the server url, the client id, the redirect uri and the scope.\r\n *\r\n * For a default Umbraco installation, the server url is the base url of the Umbraco server.\r\n * and the client id is \"umbraco-back-office\"\r\n * and the scope is \"offline_access\"\r\n *\r\n * It will:\r\n * - Fetch the service configuration from the server\r\n * - Check if there is a token response in local storage\r\n * - If there is a token response, check if it is valid\r\n * - If it is not valid, check if there is a new authorization to be made\r\n * - If there is a new authorization to be made, complete it\r\n * - If there is no token response, check if there is a new authorization to be made\r\n * - If there is a new authorization to be made, complete it\r\n * - If there is no new authorization to be made, do nothing (= logged in)\r\n *\r\n * It will also:\r\n * - Save the token response in local storage\r\n * - Save the authorization code in local storage\r\n *\r\n * It will also provide methods to:\r\n * - Make a refresh token request\r\n * - Perform an action with fresh tokens\r\n * - Clear the token state (logout)\r\n *\r\n * It should be used as follows:\r\n * 1. Create an instance of this class\r\n * 2. Call the `setInitialState` method on startup\r\n *   a. This will fetch the service configuration and check if there is a token response in the storage backend\r\n *   b. If there is a token response, it will check if it is valid and if it is not, it will check if there is a new authorization to be made\r\n *     which happens when the user is redirected back to the app after logging in\r\n * 3. Call the `makeAuthorizationRequest` method on all pages that need to be authorized\r\n *   a. This will redirect the user to the authorization endpoint of the server\r\n * 4. After login, get the latest token before each request to the server by calling the `performWithFreshTokens` method\r\n */\r\nexport class UmbAuthFlow {\r\n\t// handlers\r\n\treadonly #notifier: AuthorizationNotifier;\r\n\treadonly #authorizationHandler: RedirectRequestHandler;\r\n\treadonly #tokenHandler: BaseTokenRequestHandler;\r\n\treadonly #storageBackend: LocalStorageBackend;\r\n\r\n\t// state\r\n\treadonly #configuration: AuthorizationServiceConfiguration;\r\n\treadonly #redirectUri: string;\r\n\treadonly #postLogoutRedirectUri: string;\r\n\treadonly #clientId: string;\r\n\treadonly #scope: string;\r\n\treadonly #timeoutSignal;\r\n\r\n\t// tokens\r\n\t#tokenResponse?: TokenResponse;\r\n\r\n\t// external login\r\n\t#link_endpoint;\r\n\t#link_key_endpoint;\r\n\t#unlink_endpoint;\r\n\r\n\t/**\r\n\t * This signal will emit when the authorization flow is complete.\r\n\t * @remark It will also emit if there is an error during the authorization flow.\r\n\t */\r\n\treadonly authorizationSignal = new Subject<void>();\r\n\r\n\tconstructor(\r\n\t\topenIdConnectUrl: string,\r\n\t\tredirectUri: string,\r\n\t\tpostLogoutRedirectUri: string,\r\n\t\ttimeoutSignal: Subject<void>,\r\n\t\tclientId = 'umbraco-back-office',\r\n\t\tscope = 'offline_access',\r\n\t) {\r\n\t\tthis.#redirectUri = redirectUri;\r\n\t\tthis.#postLogoutRedirectUri = postLogoutRedirectUri;\r\n\t\tthis.#timeoutSignal = timeoutSignal;\r\n\t\tthis.#clientId = clientId;\r\n\t\tthis.#scope = scope;\r\n\r\n\t\tthis.#configuration = new AuthorizationServiceConfiguration({\r\n\t\t\tauthorization_endpoint: `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/authorize`,\r\n\t\t\ttoken_endpoint: `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/token`,\r\n\t\t\trevocation_endpoint: `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/revoke`,\r\n\t\t\tend_session_endpoint: `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/signout`,\r\n\t\t});\r\n\r\n\t\tthis.#link_endpoint = `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/link-login`;\r\n\t\tthis.#link_key_endpoint = `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/link-login-key`;\r\n\t\tthis.#unlink_endpoint = `${openIdConnectUrl}/umbraco/management/api/v1/security/back-office/unlink-login`;\r\n\r\n\t\tthis.#notifier = new AuthorizationNotifier();\r\n\t\tthis.#tokenHandler = new BaseTokenRequestHandler(requestor);\r\n\t\tthis.#storageBackend = new LocalStorageBackend();\r\n\t\tthis.#authorizationHandler = new RedirectRequestHandler(this.#storageBackend, new UmbNoHashQueryStringUtils());\r\n\r\n\t\t// set notifier to deliver responses\r\n\t\tthis.#authorizationHandler.setAuthorizationNotifier(this.#notifier);\r\n\r\n\t\t// set a listener to listen for authorization responses\r\n\t\tthis.#notifier.setAuthorizationListener(async (request, response, error) => {\r\n\t\t\tif (error) {\r\n\t\t\t\tconsole.error('Authorization error', error);\r\n\t\t\t\tthis.authorizationSignal.next();\r\n\t\t\t\tthrow error;\r\n\t\t\t}\r\n\r\n\t\t\tif (response) {\r\n\t\t\t\tlet codeVerifier: string | undefined;\r\n\t\t\t\tif (request.internal && request.internal.code_verifier) {\r\n\t\t\t\t\tcodeVerifier = request.internal.code_verifier;\r\n\t\t\t\t}\r\n\r\n\t\t\t\tawait this.#makeTokenRequest(response.code, codeVerifier);\r\n\t\t\t\tawait this.performWithFreshTokens();\r\n\t\t\t\tawait this.#saveTokenState();\r\n\t\t\t}\r\n\r\n\t\t\tthis.authorizationSignal.next();\r\n\t\t});\r\n\t}\r\n\r\n\t/**\r\n\t * This method will initialize all the state needed for the auth flow.\r\n\t *\r\n\t * It will:\r\n\t * - Check if there is a token response in local storage\r\n\t * - If there is a token response, check if it is valid\r\n\t * - If it is not valid, check if there is a new authorization to be made\r\n\t * - If there is a new authorization to be made, complete it\r\n\t * - If there is no token response, check if there is a new authorization to be made\r\n\t * - If there is a new authorization to be made, complete it\r\n\t */\r\n\tasync setInitialState() {\r\n\t\tconst tokenResponseJson = await this.#storageBackend.getItem(UMB_STORAGE_TOKEN_RESPONSE_NAME);\r\n\t\tif (tokenResponseJson) {\r\n\t\t\tconst response = new TokenResponse(JSON.parse(tokenResponseJson));\r\n\t\t\tthis.#tokenResponse = response;\r\n\t\t}\r\n\t}\r\n\r\n\t/**\r\n\t * This method will check if there is a new authorization to be made and complete it if there is.\r\n\t * This method will be called on initialization to check if there is a new authorization to be made.\r\n\t * It is useful if there is a ?code query string parameter in the URL from the server or if the auth flow\r\n\t * saved the state in local storage before redirecting the user to the login page.\r\n\t */\r\n\tcompleteAuthorizationIfPossible() {\r\n\t\treturn this.#authorizationHandler.completeAuthorizationRequestIfPossible();\r\n\t}\r\n\r\n\t/**\r\n\t * Make an authorization request to the server using the specified identity provider.\r\n\t * This method will redirect the user to the authorization endpoint of the server.\r\n\t * @param identityProvider The identity provider to use for the authorization request.\r\n\t * @param usernameHint (Optional) The username to use for the authorization request. It will be provided to the OpenID server as a hint.\r\n\t */\r\n\tmakeAuthorizationRequest(identityProvider: string, usernameHint?: string) {\r\n\t\tconst extras: StringMap = { prompt: 'consent', access_type: 'offline' };\r\n\r\n\t\t// If the identity provider is not 'Umbraco', we will add it to the extras.\r\n\t\tif (identityProvider !== 'Umbraco') {\r\n\t\t\textras['identity_provider'] = identityProvider;\r\n\t\t}\r\n\r\n\t\t// If there is a username hint, we will add it to the extras.\r\n\t\tif (usernameHint) {\r\n\t\t\textras['login_hint'] = usernameHint;\r\n\t\t}\r\n\r\n\t\t// create a request\r\n\t\tconst request = new AuthorizationRequest(\r\n\t\t\t{\r\n\t\t\t\tclient_id: this.#clientId,\r\n\t\t\t\tredirect_uri: this.#redirectUri,\r\n\t\t\t\tscope: this.#scope,\r\n\t\t\t\tresponse_type: AuthorizationRequest.RESPONSE_TYPE_CODE,\r\n\t\t\t\tstate: undefined,\r\n\t\t\t\textras: extras,\r\n\t\t\t},\r\n\t\t\tundefined,\r\n\t\t\ttrue,\r\n\t\t);\r\n\r\n\t\treturn this.#authorizationHandler.performAuthorizationRequest(this.#configuration, request);\r\n\t}\r\n\r\n\t/**\r\n\t * This method will check if the user is logged in by validating if there is a token stored.\r\n\t * If no token is stored, it will return false.\r\n\t * @returns true if the user is logged in, false otherwise.\r\n\t */\r\n\tisAuthorized(): boolean {\r\n\t\treturn !!this.#tokenResponse;\r\n\t}\r\n\r\n\t/**\r\n\t * Forget all cached token state\r\n\t */\r\n\tasync clearTokenStorage() {\r\n\t\tawait this.#storageBackend.removeItem(UMB_STORAGE_TOKEN_RESPONSE_NAME);\r\n\r\n\t\t// clear the internal state\r\n\t\tthis.#tokenResponse = undefined;\r\n\t}\r\n\r\n\t/**\r\n\t * This method will sign the user out of the application.\r\n\t */\r\n\tasync signOut() {\r\n\t\tconst signOutPromises: Promise<unknown>[] = [];\r\n\r\n\t\t// revoke the access token if it exists\r\n\t\tif (this.#tokenResponse) {\r\n\t\t\tconst tokenRevokeRequest = new RevokeTokenRequest({\r\n\t\t\t\ttoken: this.#tokenResponse.accessToken,\r\n\t\t\t\tclient_id: this.#clientId,\r\n\t\t\t\ttoken_type_hint: 'access_token',\r\n\t\t\t});\r\n\r\n\t\t\tsignOutPromises.push(this.#tokenHandler.performRevokeTokenRequest(this.#configuration, tokenRevokeRequest));\r\n\r\n\t\t\t// revoke the refresh token if it exists\r\n\t\t\tif (this.#tokenResponse.refreshToken) {\r\n\t\t\t\tconst refreshTokenRevokeRequest = new RevokeTokenRequest({\r\n\t\t\t\t\ttoken: this.#tokenResponse.refreshToken,\r\n\t\t\t\t\tclient_id: this.#clientId,\r\n\t\t\t\t\ttoken_type_hint: 'refresh_token',\r\n\t\t\t\t});\r\n\r\n\t\t\t\tsignOutPromises.push(\r\n\t\t\t\t\tthis.#tokenHandler.performRevokeTokenRequest(this.#configuration, refreshTokenRevokeRequest),\r\n\t\t\t\t);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\t// clear the internal token state\r\n\t\tsignOutPromises.push(this.clearTokenStorage());\r\n\r\n\t\t// wait for all promises to settle before continuing\r\n\t\tawait Promise.allSettled(signOutPromises);\r\n\r\n\t\t// clear the session on the server as well\r\n\t\t// this will redirect the user to the end session endpoint of the server\r\n\t\t// which will redirect the user back to the client\r\n\t\t// and the client will then try and log in again (if the user is not logged in)\r\n\t\t// which will redirect the user to the login page\r\n\t\tconst postLogoutRedirectUri = new URL(this.#postLogoutRedirectUri, window.origin);\r\n\t\tconst endSessionEndpoint = this.#configuration.endSessionEndpoint;\r\n\t\tif (!endSessionEndpoint) {\r\n\t\t\tlocation.href = postLogoutRedirectUri.href;\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tconst postLogoutLocation = new URL(endSessionEndpoint, this.#redirectUri);\r\n\t\tpostLogoutLocation.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri.href);\r\n\t\tlocation.href = postLogoutLocation.href;\r\n\t}\r\n\r\n\t/**\r\n\t * This method will check if the token needs to be refreshed and if so, it will refresh it and return the new access token.\r\n\t * If the token does not need to be refreshed, it will return the current access token.\r\n\t * @returns The access token for the user.\r\n\t */\r\n\tasync performWithFreshTokens(): Promise<string> {\r\n\t\t// if the access token is valid, return it\r\n\t\tif (this.#tokenResponse?.isValid()) {\r\n\t\t\treturn Promise.resolve(this.#tokenResponse.accessToken);\r\n\t\t}\r\n\r\n\t\tconst success = await this.makeRefreshTokenRequest();\r\n\r\n\t\tif (!success) {\r\n\t\t\tthis.clearTokenStorage();\r\n\t\t\tthis.#timeoutSignal.next();\r\n\t\t\treturn Promise.reject('Missing tokenResponse.');\r\n\t\t}\r\n\r\n\t\treturn this.#tokenResponse\r\n\t\t\t? Promise.resolve(this.#tokenResponse.accessToken)\r\n\t\t\t: Promise.reject('Missing tokenResponse.');\r\n\t}\r\n\r\n\t/**\r\n\t * This method will link the current user to the specified provider by redirecting the user to the link endpoint.\r\n\t * @param provider The provider to link to.\r\n\t */\r\n\tasync linkLogin(provider: string): Promise<void> {\r\n\t\tconst linkKey = await this.#makeLinkTokenRequest(provider);\r\n\r\n\t\tconst form = document.createElement('form');\r\n\t\tform.method = 'POST';\r\n\t\tform.action = this.#link_endpoint;\r\n\t\tform.style.display = 'none';\r\n\r\n\t\tconst providerInput = document.createElement('input');\r\n\t\tproviderInput.name = 'provider';\r\n\t\tproviderInput.value = provider;\r\n\t\tform.appendChild(providerInput);\r\n\r\n\t\tconst linkKeyInput = document.createElement('input');\r\n\t\tlinkKeyInput.name = 'linkKey';\r\n\t\tlinkKeyInput.value = linkKey;\r\n\t\tform.appendChild(linkKeyInput);\r\n\r\n\t\tdocument.body.appendChild(form);\r\n\t\tform.submit();\r\n\t}\r\n\r\n\t/**\r\n\t * This method will unlink the current user from the specified provider.\r\n\t * @param loginProvider\r\n\t * @param providerKey\r\n\t */\r\n\tasync unlinkLogin(loginProvider: string, providerKey: string): Promise<boolean> {\r\n\t\tconst token = await this.performWithFreshTokens();\r\n\t\tconst request = new Request(this.#unlink_endpoint, {\r\n\t\t\tmethod: 'POST',\r\n\t\t\theaders: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },\r\n\t\t\tbody: JSON.stringify({ loginProvider, providerKey }),\r\n\t\t});\r\n\r\n\t\tconst result = await fetch(request);\r\n\r\n\t\tif (!result.ok) {\r\n\t\t\tconst error = await result.json();\r\n\t\t\tthrow error;\r\n\t\t}\r\n\r\n\t\tawait this.signOut();\r\n\r\n\t\treturn true;\r\n\t}\r\n\r\n\t/**\r\n\t * Save the current token response to local storage.\r\n\t */\r\n\tasync #saveTokenState() {\r\n\t\tif (this.#tokenResponse) {\r\n\t\t\tawait this.#storageBackend.setItem(UMB_STORAGE_TOKEN_RESPONSE_NAME, JSON.stringify(this.#tokenResponse.toJson()));\r\n\t\t}\r\n\t}\r\n\r\n\t/**\r\n\t * This method will make a token request to the server using the authorization code.\r\n\t * @param code\r\n\t * @param codeVerifier\r\n\t */\r\n\tasync #makeTokenRequest(code: string, codeVerifier: string | undefined): Promise<void> {\r\n\t\tconst extras: StringMap = {};\r\n\r\n\t\tif (codeVerifier) {\r\n\t\t\textras.code_verifier = codeVerifier;\r\n\t\t}\r\n\r\n\t\t// use the code to make the token request.\r\n\t\tconst request = new TokenRequest({\r\n\t\t\tclient_id: this.#clientId,\r\n\t\t\tredirect_uri: this.#redirectUri,\r\n\t\t\tgrant_type: GRANT_TYPE_AUTHORIZATION_CODE,\r\n\t\t\tcode: code,\r\n\t\t\trefresh_token: undefined,\r\n\t\t\textras: extras,\r\n\t\t});\r\n\r\n\t\tawait this.#performTokenRequest(request);\r\n\t}\r\n\r\n\tasync makeRefreshTokenRequest(): Promise<boolean> {\r\n\t\tif (!this.#tokenResponse?.refreshToken) {\r\n\t\t\treturn false;\r\n\t\t}\r\n\r\n\t\tconst request = new TokenRequest({\r\n\t\t\tclient_id: this.#clientId,\r\n\t\t\tredirect_uri: this.#redirectUri,\r\n\t\t\tgrant_type: GRANT_TYPE_REFRESH_TOKEN,\r\n\t\t\tcode: undefined,\r\n\t\t\trefresh_token: this.#tokenResponse.refreshToken,\r\n\t\t\textras: undefined,\r\n\t\t});\r\n\r\n\t\treturn this.#performTokenRequest(request);\r\n\t}\r\n\r\n\t/**\r\n\t * This method will make a token request to the server using the refresh token.\r\n\t * If the request fails, it will sign the user out (clear the token state).\r\n\t * @param request\r\n\t */\r\n\tasync #performTokenRequest(request: TokenRequest): Promise<boolean> {\r\n\t\ttry {\r\n\t\t\tthis.#tokenResponse = await this.#tokenHandler.performTokenRequest(this.#configuration, request);\r\n\t\t\tthis.#saveTokenState();\r\n\t\t\treturn true;\r\n\t\t} catch (error) {\r\n\t\t\tconsole.error('Token request error', error);\r\n\t\t\tthis.clearTokenStorage();\r\n\t\t\treturn false;\r\n\t\t}\r\n\t}\r\n\r\n\tasync #makeLinkTokenRequest(provider: string) {\r\n\t\tconst token = await this.performWithFreshTokens();\r\n\r\n\t\tconst request = await fetch(`${this.#link_key_endpoint}?provider=${provider}`, {\r\n\t\t\theaders: {\r\n\t\t\t\tAuthorization: `Bearer ${token}`,\r\n\t\t\t\t'Content-Type': 'application/json',\r\n\t\t\t},\r\n\t\t});\r\n\r\n\t\tif (!request.ok) {\r\n\t\t\tthrow new Error('Failed to link login');\r\n\t\t}\r\n\r\n\t\treturn request.json();\r\n\t}\r\n}\r\n"],"names":["_UmbAuthProviderDefaultElement_instances","label_get","UmbAuthProviderDefaultElement","UmbLitElement","__privateAdd","html","__privateGet","nothing","label","labelLocalized","UmbTextStyles","css","__decorateClass","property","customElement","UMB_STORAGE_TOKEN_RESPONSE_NAME","requestor","FetchRequestor","UmbNoHashQueryStringUtils","BasicQueryStringUtils","input","UmbAuthFlow","openIdConnectUrl","redirectUri","postLogoutRedirectUri","timeoutSignal","clientId","scope","Subject","#redirectUri","#postLogoutRedirectUri","#timeoutSignal","#clientId","#scope","#configuration","AuthorizationServiceConfiguration","#link_endpoint","#link_key_endpoint","#unlink_endpoint","#notifier","AuthorizationNotifier","#tokenHandler","BaseTokenRequestHandler","#storageBackend","LocalStorageBackend","#authorizationHandler","RedirectRequestHandler","request","response","error","codeVerifier","#makeTokenRequest","#saveTokenState","#tokenResponse","tokenResponseJson","TokenResponse","identityProvider","usernameHint","extras","AuthorizationRequest","signOutPromises","tokenRevokeRequest","RevokeTokenRequest","refreshTokenRevokeRequest","endSessionEndpoint","postLogoutLocation","provider","linkKey","#makeLinkTokenRequest","form","providerInput","linkKeyInput","loginProvider","providerKey","token","result","code","TokenRequest","GRANT_TYPE_AUTHORIZATION_CODE","#performTokenRequest","GRANT_TYPE_REFRESH_TOKEN"],"mappings":";;;;;;;;;;;uQAAAA,GAAAC;AAOa,IAAAC,IAAN,cAA4CC,EAAqD;AAAA,EAAjG,cAAA;AAAA,UAAA,GAAA,SAAA,GAAAC,EAAA,MAAAJ,CAAA;AAAA,EAAA;AAAA,EAUG,oBAA0B;AAClC,UAAM,kBAAkB,GACnB,KAAA,aAAa,QAAQ,uBAAuB;AAAA,EAAA;AAAA,EASzC,SAAS;AACV,WAAAK;AAAA;AAAA;AAAA,aAGI,MAAM,KAAK,SAAS,KAAK,QAAQ,CAAC;AAAA;AAAA,aAElCC,QAAKN,GAAMC,CAAA,CAAA;AAAA,YACZ,KAAK,SAAS,MAAM,aAAa,QAAQ,SAAS;AAAA,aACjD,KAAK,SAAS,MAAM,aAAa,SAAS,SAAS;AAAA,MAC1D,KAAK,SAAS,MAAM,aAAa,OAChCI,8BAAiC,KAAK,SAAS,MAAM,aAAa,IAAI,iBACtEE,CAAO;AAAA,MACRD,QAAKN,GAAMC,CAAA,CAAA;AAAA;AAAA;AAAA,EAAA;AAqBjB;AAtDOD,IAAA,oBAAA,QAAA;AAeFC,IAAM,WAAG;AACZ,QAAMO,IAAQ,KAAK,SAAS,MAAM,SAAS,KAAK,SAAS,iBACnDC,IAAiB,KAAK,SAAS,OAAOD,CAAK;AACjD,SAAO,KAAK,SAAS,KAAK,oBAAoBC,CAAc;AAC7D;AAnBYP,EAsCI,SAAS;AAAA,EACxBQ;AAAA,EACAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAaD;AAnDAC,EAAA;AAAA,EADCC,EAAS,EAAE,WAAW,GAAO,CAAA;AAAA,GADlBX,EAEZ,WAAA,kBAAA,CAAA;AAGAU,EAAA;AAAA,EADCC,EAAS,EAAE,WAAW,GAAO,CAAA;AAAA,GAJlBX,EAKZ,WAAA,YAAA,CAAA;AAGAU,EAAA;AAAA,EADCC,EAAS,EAAE,WAAW,GAAO,CAAA;AAAA,GAPlBX,EAQZ,WAAA,YAAA,CAAA;AARYA,IAANU,EAAA;AAAA,EADNE,EAAc,2BAA2B;AAAA,GAC7BZ,CAAA;ACPN,MAAMa,IAAkC,6BCkCzCC,IAAY,IAAIC,EAAe;AAKrC,MAAMC,UAAkCC,EAAsB;AAAA,EACpD,MAAMC,GAAqB;AAC5B,WAAA,MAAM,MAAMA,GAAO,EAAK;AAAA,EAAA;AAEjC;AAuCO,MAAMC,EAAY;AAAA,EA6BxB,YACCC,GACAC,GACAC,GACAC,GACAC,IAAW,uBACXC,IAAQ,kBACP;AATO,SAAA,sBAAsB,IAAIC,EAAc,GAUhD,KAAKC,KAAeN,GACpB,KAAKO,KAAyBN,GAC9B,KAAKO,KAAiBN,GACtB,KAAKO,KAAYN,GACjB,KAAKO,KAASN,GAET,KAAAO,KAAiB,IAAIC,EAAkC;AAAA,MAC3D,wBAAwB,GAAGb,CAAgB;AAAA,MAC3C,gBAAgB,GAAGA,CAAgB;AAAA,MACnC,qBAAqB,GAAGA,CAAgB;AAAA,MACxC,sBAAsB,GAAGA,CAAgB;AAAA,IAAA,CACzC,GAEI,KAAAc,KAAiB,GAAGd,CAAgB,8DACpC,KAAAe,KAAqB,GAAGf,CAAgB,kEACxC,KAAAgB,KAAmB,GAAGhB,CAAgB,gEAEtC,KAAAiB,KAAY,IAAIC,EAAsB,GACtC,KAAAC,KAAgB,IAAIC,EAAwB1B,CAAS,GACrD,KAAA2B,KAAkB,IAAIC,EAAoB,GAC/C,KAAKC,KAAwB,IAAIC,EAAuB,KAAKH,IAAiB,IAAIzB,GAA2B,GAGxG,KAAA2B,GAAsB,yBAAyB,KAAKN,EAAS,GAGlE,KAAKA,GAAU,yBAAyB,OAAOQ,GAASC,GAAUC,MAAU;AAC3E,UAAIA;AACK,sBAAA,MAAM,uBAAuBA,CAAK,GAC1C,KAAK,oBAAoB,KAAK,GACxBA;AAGP,UAAID,GAAU;AACT,YAAAE;AACJ,QAAIH,EAAQ,YAAYA,EAAQ,SAAS,kBACxCG,IAAeH,EAAQ,SAAS,gBAGjC,MAAM,KAAKI,GAAkBH,EAAS,MAAME,CAAY,GACxD,MAAM,KAAK,uBAAuB,GAClC,MAAM,KAAKE,GAAgB;AAAA,MAAA;AAG5B,WAAK,oBAAoB,KAAK;AAAA,IAAA,CAC9B;AAAA,EAAA;AAAA;AAAA,EAhFOb;AAAA,EACAM;AAAA,EACAJ;AAAA,EACAE;AAAA;AAAA,EAGAT;AAAA,EACAL;AAAA,EACAC;AAAA,EACAE;AAAA,EACAC;AAAA,EACAF;AAAA;AAAA,EAGTsB;AAAA;AAAA,EAGAjB;AAAA,EACAC;AAAA,EACAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2EA,MAAM,kBAAkB;AACvB,UAAMgB,IAAoB,MAAM,KAAKX,GAAgB,QAAQ5B,CAA+B;AAC5F,QAAIuC,GAAmB;AACtB,YAAMN,IAAW,IAAIO,EAAc,KAAK,MAAMD,CAAiB,CAAC;AAChE,WAAKD,KAAiBL;AAAA,IAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASD,kCAAkC;AAC1B,WAAA,KAAKH,GAAsB,uCAAuC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAS1E,yBAAyBW,GAA0BC,GAAuB;AACzE,UAAMC,IAAoB,EAAE,QAAQ,WAAW,aAAa,UAAU;AAGtE,IAAIF,MAAqB,cACxBE,EAAO,oBAAuBF,IAI3BC,MACHC,EAAO,aAAgBD;AAIxB,UAAMV,IAAU,IAAIY;AAAA,MACnB;AAAA,QACC,WAAW,KAAK3B;AAAA,QAChB,cAAc,KAAKH;AAAA,QACnB,OAAO,KAAKI;AAAA,QACZ,eAAe0B,EAAqB;AAAA,QACpC,OAAO;AAAA,QACP,QAAAD;AAAA,MACD;AAAA,MACA;AAAA,MACA;AAAA,IACD;AAEA,WAAO,KAAKb,GAAsB,4BAA4B,KAAKX,IAAgBa,CAAO;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ3F,eAAwB;AAChB,WAAA,CAAC,CAAC,KAAKM;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA,EAMf,MAAM,oBAAoB;AACnB,UAAA,KAAKV,GAAgB,WAAW5B,CAA+B,GAGrE,KAAKsC,KAAiB;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA,EAMvB,MAAM,UAAU;AACf,UAAMO,IAAsC,CAAC;AAG7C,QAAI,KAAKP,IAAgB;AAClB,YAAAQ,IAAqB,IAAIC,EAAmB;AAAA,QACjD,OAAO,KAAKT,GAAe;AAAA,QAC3B,WAAW,KAAKrB;AAAA,QAChB,iBAAiB;AAAA,MAAA,CACjB;AAKG,UAHJ4B,EAAgB,KAAK,KAAKnB,GAAc,0BAA0B,KAAKP,IAAgB2B,CAAkB,CAAC,GAGtG,KAAKR,GAAe,cAAc;AAC/B,cAAAU,IAA4B,IAAID,EAAmB;AAAA,UACxD,OAAO,KAAKT,GAAe;AAAA,UAC3B,WAAW,KAAKrB;AAAA,UAChB,iBAAiB;AAAA,QAAA,CACjB;AAEe,QAAA4B,EAAA;AAAA,UACf,KAAKnB,GAAc,0BAA0B,KAAKP,IAAgB6B,CAAyB;AAAA,QAC5F;AAAA,MAAA;AAAA,IACD;AAIe,IAAAH,EAAA,KAAK,KAAK,mBAAmB,GAGvC,MAAA,QAAQ,WAAWA,CAAe;AAOxC,UAAMpC,IAAwB,IAAI,IAAI,KAAKM,IAAwB,OAAO,MAAM,GAC1EkC,IAAqB,KAAK9B,GAAe;AAC/C,QAAI,CAAC8B,GAAoB;AACxB,eAAS,OAAOxC,EAAsB;AACtC;AAAA,IAAA;AAGD,UAAMyC,IAAqB,IAAI,IAAID,GAAoB,KAAKnC,EAAY;AACxE,IAAAoC,EAAmB,aAAa,IAAI,4BAA4BzC,EAAsB,IAAI,GAC1F,SAAS,OAAOyC,EAAmB;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQpC,MAAM,yBAA0C;AAE3C,WAAA,KAAKZ,IAAgB,YACjB,QAAQ,QAAQ,KAAKA,GAAe,WAAW,IAGvC,MAAM,KAAK,wBAAwB,IAQ5C,KAAKA,KACT,QAAQ,QAAQ,KAAKA,GAAe,WAAW,IAC/C,QAAQ,OAAO,wBAAwB,KAPzC,KAAK,kBAAkB,GACvB,KAAKtB,GAAe,KAAK,GAClB,QAAQ,OAAO,wBAAwB;AAAA,EAKL;AAAA;AAAA;AAAA;AAAA;AAAA,EAO3C,MAAM,UAAUmC,GAAiC;AAChD,UAAMC,IAAU,MAAM,KAAKC,GAAsBF,CAAQ,GAEnDG,IAAO,SAAS,cAAc,MAAM;AAC1C,IAAAA,EAAK,SAAS,QACdA,EAAK,SAAS,KAAKjC,IACnBiC,EAAK,MAAM,UAAU;AAEf,UAAAC,IAAgB,SAAS,cAAc,OAAO;AACpD,IAAAA,EAAc,OAAO,YACrBA,EAAc,QAAQJ,GACtBG,EAAK,YAAYC,CAAa;AAExB,UAAAC,IAAe,SAAS,cAAc,OAAO;AACnD,IAAAA,EAAa,OAAO,WACpBA,EAAa,QAAQJ,GACrBE,EAAK,YAAYE,CAAY,GAEpB,SAAA,KAAK,YAAYF,CAAI,GAC9BA,EAAK,OAAO;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQb,MAAM,YAAYG,GAAuBC,GAAuC;AACzE,UAAAC,IAAQ,MAAM,KAAK,uBAAuB,GAC1C3B,IAAU,IAAI,QAAQ,KAAKT,IAAkB;AAAA,MAClD,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oBAAoB,eAAe,UAAUoC,CAAK,GAAG;AAAA,MAChF,MAAM,KAAK,UAAU,EAAE,eAAAF,GAAe,aAAAC,EAAa,CAAA;AAAA,IAAA,CACnD,GAEKE,IAAS,MAAM,MAAM5B,CAAO;AAE9B,QAAA,CAAC4B,EAAO;AAEL,YADQ,MAAMA,EAAO,KAAK;AAIjC,iBAAM,KAAK,QAAQ,GAEZ;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA,EAMR,MAAMvB,KAAkB;AACvB,IAAI,KAAKC,MACF,MAAA,KAAKV,GAAgB,QAAQ5B,GAAiC,KAAK,UAAU,KAAKsC,GAAe,OAAO,CAAC,CAAC;AAAA,EACjH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQD,MAAMF,GAAkByB,GAAc1B,GAAiD;AACtF,UAAMQ,IAAoB,CAAC;AAE3B,IAAIR,MACHQ,EAAO,gBAAgBR;AAIlB,UAAAH,IAAU,IAAI8B,EAAa;AAAA,MAChC,WAAW,KAAK7C;AAAA,MAChB,cAAc,KAAKH;AAAA,MACnB,YAAYiD;AAAA,MACZ,MAAAF;AAAA,MACA,eAAe;AAAA,MACf,QAAAlB;AAAA,IAAA,CACA;AAEK,UAAA,KAAKqB,GAAqBhC,CAAO;AAAA,EAAA;AAAA,EAGxC,MAAM,0BAA4C;AAC7C,QAAA,CAAC,KAAKM,IAAgB;AAClB,aAAA;AAGF,UAAAN,IAAU,IAAI8B,EAAa;AAAA,MAChC,WAAW,KAAK7C;AAAA,MAChB,cAAc,KAAKH;AAAA,MACnB,YAAYmD;AAAA,MACZ,MAAM;AAAA,MACN,eAAe,KAAK3B,GAAe;AAAA,MACnC,QAAQ;AAAA,IAAA,CACR;AAEM,WAAA,KAAK0B,GAAqBhC,CAAO;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,MAAMgC,GAAqBhC,GAAyC;AAC/D,QAAA;AACH,kBAAKM,KAAiB,MAAM,KAAKZ,GAAc,oBAAoB,KAAKP,IAAgBa,CAAO,GAC/F,KAAKK,GAAgB,GACd;AAAA,aACCH,GAAO;AACP,qBAAA,MAAM,uBAAuBA,CAAK,GAC1C,KAAK,kBAAkB,GAChB;AAAA,IAAA;AAAA,EACR;AAAA,EAGD,MAAMmB,GAAsBF,GAAkB;AACvC,UAAAQ,IAAQ,MAAM,KAAK,uBAAuB,GAE1C3B,IAAU,MAAM,MAAM,GAAG,KAAKV,EAAkB,aAAa6B,CAAQ,IAAI;AAAA,MAC9E,SAAS;AAAA,QACR,eAAe,UAAUQ,CAAK;AAAA,QAC9B,gBAAgB;AAAA,MAAA;AAAA,IACjB,CACA;AAEG,QAAA,CAAC3B,EAAQ;AACN,YAAA,IAAI,MAAM,sBAAsB;AAGvC,WAAOA,EAAQ,KAAK;AAAA,EAAA;AAEtB;"}