Angular Lib for OpenID Connect/OAuth2 Changelog

2022-01-17 14.0.0

In this version the APP_INITIALIZER was removed (see PR). The library does nothing until the application interacts with it: nothing is pre-loaded, and your application's bootstrapping process is not affected at all. You can, however, explicitly preload the secure token server's well-known endpoints with the new method preloadAuthWellKnownDocument(). As a side effect, because the config has to be loaded first, many APIs have become reactive and now return an Observable.

See the migration guide.

  • refresh token rotation is now optional and can be activated using allowUnsafeReuseRefreshToken
  • Fixed getUrlParameter's handling of fragment response
  • isLoading observable in OidcSecurityService
  • Add redirectUrl customization (via AuthOptions)
  • Fix: implicit flow in popup window error (fixes #1385)

2021-12-01 13.1.0

  • Using window.crypto for jwt signature validation
  • Removed jsrsasign dependency

2021-11-19 13.0.0

  • Update to Angular 13 and rxjs 7

2021-08-17 12.0.3

  • docs(guards): use UrlTree for redirect, clean up
  • fixing storage mechanism
  • Additional logging when a nonce is created and validated

2021-07-20 12.0.2

  • Added fix for overwriting the prompt param
  • Unclear error message when providing improper config to module
  • added multiple configs documentation
  • Expose PopupService and PopupOptions as public
  • Support end session for Auth0 (non-conformant OIDC endpoint)

2021-07-06 12.0.1

  • Fix #1168 userInfoEndpoint Typo

2021-07-04 Version 12.0.0

  • Configuration via forRoot(...) method
  • Remove the "AuthorizedState" enum in Version 12
  • Use a different key than redirect to store the redirect route when using autologin
  • Return value of loginWithPopup and login should be the same
  • How to provide client id during logoff
  • urlHandler callback function parameter in LogoffRevocationService.logoff does nothing
  • Convert all instances of "Authorized" to "Authenticated"
  • Support for multiple APIs with unique scopes
  • Multiple access tokens for the same client_id but different scopes
  • Is there a silent renew event?
  • Angular 12 Support
  • Add configuration to disable or enable id_token expired check
  • Support for Azure B2C multiple policies
  • Improve AutoLoginSample
  • Accessing AuthResult response object
  • Rename stsServer configuration parameter to authority
  • Only one return type (object) when subscribing to isAuthenticated and user data, to avoid confusion.

2021-06-12 Version 11.6.11

  • Silent renew does not always start

2021-05-28 Version 11.6.10

  • AutoLoginGuard appears to cause some sort of infinite loop.

2021-05-16 Version 11.6.9

  • Support Custom Params for EndSession and RefreshTokens Renew
  • Added Auth0 example
  • Bugfix: the "use" attr on the jwks key is optional if only one key is present

2021-05-04 Version 11.6.8

  • Bugfix: incorrect storage for silent renew, requires a JSON object

2021-05-01 Version 11.6.7

  • Enable handling users closing login popup
  • Renamed all occurrences of "Persistance" to "Persistence"
  • Document public facing API
  • Exported and moved authOptions
  • Fix(randomService): fix misuse of Uint8Array
  • Hook into the zone again to avoid messages outside NgZone, and emit the event only when the value changes
  • Fixed JSON stringify of objects and storage

2021-04-18 Version 11.6.6

  • fix: use navigateByUrl to fix url params encoding
  • Store signing keys as fallback
  • Exposing popup options

2021-04-11 Version 11.6.5

  • Silent renew with refresh tokens - handle no connection use case
  • Added Guard CanLoad interface

2021-03-13 Version 11.6.4

  • Improve AutoLoginGuard
  • Add support for custom params during token exchange
  • Clean up user data when autoUserInfo is false => from id_token

2021-03-12 Version 11.6.3

  • Inconsistent behavior of OidcSecurityService.userData$ Observable, if autoUserinfo is false
  • CheckSessionService keeps polling after logoffLocal() is invoked

2021-03-05 Version 11.6.2

  • Bugfix: Check session does not work when autoUserinfo is set to false in code flow with PKCE
  • Bugfix: checkAuth returning null when href target="_blank"
  • Support silent renew with refresh tokens without the offline_access scope
  • Bugfix: Refresh response without an id token breaks mechanism

2021-02-27 Version 11.6.1

  • Added AutoLoginGuard
  • Updated Azure AD, Azure B2C templates to prompt for select_account (problem with multiple accounts)

2021-02-24 Version 11.6.0

  • Added support for OAuth Pushed authorisation requests (PAR)
  • Added Pushed authorisation requests (PAR) example
  • Added OAuth Pushed authorisation requests (PAR) template using schematics
  • Unsubscribe receivedUrl$ to prevent multiple "/token" requests

2021-02-13 Version 11.5.1

  • ApplicationRef.isStable is always false when using this package

2021-02-02 Version 11.5.0

  • Added support for authentication using a popup
  • Added popup sample
  • Added Title to Silent Renew IFrame

2021-02-02 Version 11.4.5

  • Added Auth0 template using schematics

2021-02-02 Version 11.4.4

  • Support aud arrays which are not ordered in id_token validation of refresh token process
  • Fixed bug where Dynamic Custom Request Parameters are forgotten after the first login or forceRefreshSession when doing a silent renew/refresh

2021-01-19 Version 11.4.3

  • Added ability to use Custom Parameters when calling ForceRefreshSession
  • Missing RefreshToken causes erroneous token request
  • Bug: app fully hangs during silent renew

2021-01-10 Version 11.4.2

  • Added checksession null checks

2021-01-10 Version 11.4.1

  • Added event to throw when config could not be loaded
  • Check session fails if secure token server has a different origin than the check_session_iframe
  • Fix http config example and templates for HTTP config load

2021-01-03 Version 11.4.0

  • Adding schematics
  • Provided interceptor out of the lib

2020-12-18 Version 11.3.0

  • Update to Angular 11, fix tslib warnings
  • Use window object safely by injecting document

2020-11-20 Version 11.2.4

  • Do not clear session state when refreshing session with refresh tokens

2020-11-20 Version 11.2.3

  • Added config tokenRefreshInSeconds, which controls the interval at which startTokenValidationPeriodically runs

2020-11-13 Version 11.2.2

  • Multiple tabs don't receive any event when session state becomes blank
  • Fixed issue with browser history on silent renew redirect to IS
  • UTC time fix
  • Small fixes of docs and naming

2020-10-23 Version 11.2.1

  • Added renewUserInfoAfterTokenRenew to OpenIdConfiguration
  • Remove items from local storage instead of writing empty string values

2020-08-08 Version 11.2.0

  • added possibility to pass url to check from the outside (for example to use in electron cases)

2020-07-04 Version 11.1.4

  • checkAuthIncludingServer cannot complete without credentials
  • QueryParams are getting lost when doing a silent renew
  • Token endpoint errors not reported correctly

2020-06-04 Version 11.1.3

  • Refresh checksession iframe regularly
  • Load checksession iframe right after checkSessionService.start() is invoked
  • Not throwing an exception if interceptor is set and config is loaded from http
  • Bug fix: forceRefreshSession prematurely completes its observable #767
  • Bug fix: Returns tokens but doesn't apply them #759

2020-05-24 Version 11.1.2

  • Added support to check the secure token server for an authenticated session if not locally logged in (iframe silent renew)
  • fix config bug with eager loading of the well known endpoints
  • prevent routing in silent renew requests with iframes
  • return tokens direct in forceRefreshSession

2020-05-16 Version 11.1.1

  • Added validation for the lib configuration
  • fixed some doc typos
  • Fixed bug: two auth events emitted on secure token server callback

2020-05-14 Version 11.1.0

  • Eager loading of well known endpoints can be configured: Made it possible to load the well known endpoints late (per configuration)
  • make it possible to force a session refresh

2020-05-12 Version 11.0.2

  • Add configuration property to disable auth_time validation in refresh flows with Azure B2C (Azure B2C implements this incorrectly)
  • Fix disable at_hash validation in refresh, this is not a required property
  • only use revocation endpoint if supported by the STS

2020-05-08 Version 11.0.1

  • Fixing the Can't resolve all parameters for ... error
  • Adding documentation to describe how to load configuration inside of child modules

2020-05-02 Version 11.0.0

  • Refactor lib config to make it easier to use
  • Update project to Angular 9 #610
  • added examples #625
  • support refresh tokens with example, and docs (coming safari change)
  • refactor configuration property names
  • eslint conform #627
  • Remove avoidable classes and add interfaces instead #626
  • Create Loglevel enum instead of boolean "isxyzactive" #628
  • Add prefix configuration for storage to allow multiple Angular apps to run in parallel #634
  • Add an event service with an enum to throw events out #635
  • Make folders for features not services, etc. #636
  • SilentRenew breaks when using refresh_token and refresh_token is expired/invalid #667
  • Pack the tests beside the files which are being tested when feature folders are available #637
  • support multiple instances in browser
  • Do not provide default config when config should have been set before #644
  • Code Verifier not cryptographically random #642
  • After successful login, getIsAuthorized still returns false for a bit. #549
  • Expose silent renew running observable #447
  • Issue with silent renew when js execution has been suspended #605
  • Add support for OAuth 2.0 Token Revocation #673
  • Silent renew dies if startRenew fails #617
  • Support for Angular 8 and Angular 9
  • redesign login init
  • Remove avoidable anys #624
  • Use returned expired value of access token for expired validation
  • Id_Token is rejected because of a timing issue when the server hour is different than the client hour
  • fix validate, fix max time offset #175
  • Support azp and multiple audiences #582
  • Add extra Refresh token validation #687
  • Notification that checking session is initialized #686
  • Refactor rxjs events, user profile events, silent renew, check session
  • Add support for EC certificates #645
  • id_token : alg : HS256 support #597
  • redesign docs

2020-02-14 version 10.0.15

  • Subscribe startRenew after isAuthorized is true
  • check session origin check improvement, support for non-domain urls

2020-01-24 version 10.0.14

  • 552-add-config-ignore-nonce-after-refresh
  • bug-xmlurlencode-has-newlines
  • clean up some file formats

2020-01-03 version 10.0.11

  • Added renew process denotation to AuthorizationResult

2019-10-07 version 10.0.10

  • bug fix logging, code flow callback

2019-10-05 version 10.0.9

  • generic OidcSecurityService.getUserData
  • OidcSecurityService with some observables
  • Do not check idToken nonce when using refreshToken
  • strictNullChecks
  • safer-silent-renew

2019-09-20 version 10.0.8

  • reduce size of the package

2019-09-11 version 10.0.7

  • Ability to change the amount of seconds for the IsAuthorizedRace to do a Timeout

2019-09-05 version 10.0.6

  • Fix URL parsing without format
  • documentation fixes

2019-09-03 version 10.0.5

  • use_refresh_token configuration added.

2019-09-01 version 10.0.4

  • Added support for refresh tokens in code flow
  • expose logger service

2019-07-30 version 10.0.3

  • Added a try/catch to handle the CORS error that is thrown if the parent has a different origin than the iframe. Issue #466

2019-06-25 version 10.0.2

  • bug fix: onConfigurationLoaded is not fired
  • bug fix: [SSR] Session storage is not defined

2019-06-21 version 10.0.1

  • revert angular build to angular 7, fix npm dist

2019-05-24 version 10.0.0

  • remove silent_redirect_url only use silent_renew_url
  • refactored configuration for module, angular style
  • rename OpenIDImplicitFlowConfiguration to OpenIDConfiguration

Breaking changes

Before

this.oidcConfigService.onConfigurationLoaded.subscribe(() => {

	// Build the lib configuration from the values loaded by OidcConfigService
	const openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration();
	openIDImplicitFlowConfiguration.stsServer = this.oidcConfigService.clientConfiguration.stsServer;
	openIDImplicitFlowConfiguration.redirect_url = this.oidcConfigService.clientConfiguration.redirect_url;
	openIDImplicitFlowConfiguration.client_id = this.oidcConfigService.clientConfiguration.client_id;
	openIDImplicitFlowConfiguration.response_type = this.oidcConfigService.clientConfiguration.response_type;

	...

	// Application's own API settings, taken from the same loaded client configuration
	configuration.FileServer = this.oidcConfigService.clientConfiguration.apiFileServer;
	configuration.Server = this.oidcConfigService.clientConfiguration.apiServer;

	const authWellKnownEndpoints = new AuthWellKnownEndpoints();
	authWellKnownEndpoints.setWellKnownEndpoints(this.oidcConfigService.wellKnownEndpoints);

	this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration, authWellKnownEndpoints);
});

After


import { APP_INITIALIZER, NgModule } from '@angular/core';
import { HttpClientModule } from '@angular/common/http';
import {
    AuthModule,
    OidcSecurityService,
    ConfigResult,
    OidcConfigService,
    OpenIdConfiguration
} from 'angular-auth-oidc-client';
// Path of the root component is assumed; adjust to your project
import { AppComponent } from './app.component';

// Runs before bootstrap (APP_INITIALIZER) and loads the client configuration over HTTP
export function loadConfig(oidcConfigService: OidcConfigService) {
    console.log('APP_INITIALIZER STARTING');
    return () => oidcConfigService.load(`${window.location.origin}/api/ClientAppSettings`);
}

@NgModule({
    imports: [
        ...
        HttpClientModule,
        AuthModule.forRoot(),
    ],
    providers: [
        OidcConfigService,
        OidcSecurityService,
        {
            provide: APP_INITIALIZER,
            useFactory: loadConfig,
            deps: [OidcConfigService],
            multi: true
        }
    ],
    bootstrap: [AppComponent],
})
export class AppModule {

    constructor(
        private oidcSecurityService: OidcSecurityService,
        private oidcConfigService: OidcConfigService,
    ) {

        // Fires once the configuration loaded by loadConfig() is available
        this.oidcConfigService.onConfigurationLoaded.subscribe((configResult: ConfigResult) => {

            const config: OpenIdConfiguration = {
                stsServer: configResult.customConfig.stsServer,
                redirect_url: configResult.customConfig.redirect_url,
                client_id: configResult.customConfig.client_id,
                response_type: configResult.customConfig.response_type,
                scope: configResult.customConfig.scope,
                post_logout_redirect_uri: configResult.customConfig.post_logout_redirect_uri,
                start_checksession: configResult.customConfig.start_checksession,
                silent_renew: configResult.customConfig.silent_renew,
                silent_renew_url: configResult.customConfig.redirect_url + '/silent-renew.html',
                post_login_route: configResult.customConfig.startup_route,
                forbidden_route: configResult.customConfig.forbidden_route,
                unauthorized_route: configResult.customConfig.unauthorized_route,
                log_console_warning_active: configResult.customConfig.log_console_warning_active,
                log_console_debug_active: configResult.customConfig.log_console_debug_active,
                max_id_token_iat_offset_allowed_in_seconds: configResult.customConfig.max_id_token_iat_offset_allowed_in_seconds,
                history_cleanup_off: true
                // iss_validation_off: false
                // disable_iat_offset_validation: true
            };

            // The well-known endpoints are delivered with the config result; no separate object needed any more
            this.oidcSecurityService.setupModule(config, configResult.authWellknownEndpoints);
        });
    }
}

2019-05-21 version 9.0.8

  • authNonce not cleared in storage after unsuccessful login and logout
  • Should 5 seconds timeout on silent_renew be configurable? => fails fast now if server responds

2019-04-28 version 9.0.7

  • increased length of state value for OIDC authorize request

2019-04-22 version 9.0.6

  • session_state is optional for code flow

2019-04-14 version 9.0.5

  • Added disable_iat_offset_validation configuration for clients with clock problems
  • Updated the Docs

2019-03-29 version 9.0.4

  • Updated the Docs
  • Adding sample usage to repo

2019-03-22 version 9.0.3

  • Updated the Docs
  • Changed to Angular-CLI builder
  • Added a sample in this repo

2019-02-27 version 9.0.3

  • Add TokenHelperService to public API
  • logs: use !! to display getIdToken() and _userData.value in silentRenewHeartBeatCheck()

2019-02-01 version 9.0.2

  • bug fix at_hash is optional for code flow
  • removing session_state check from code flow response

2019-01-11 version 9.0.1

  • Validation state in code callback redirect
  • Make it possible to turn off history clean up, so that the angular state is preserved.

2019-01-08 version 9.0.0

  • Support for OpenID Connect Code Flow with PKCE

Breaking changes:

Implicit flow callback renamed from authorizedCallback() to authorizedImplicitFlowCallback()

2018-11-16 version 8.0.3

  • Changed iframe to avoid changing history state for repeated silent token renewals
  • make it possible to turn the iss validation off per configuration
  • reset history after OIDC callback with tokens

2018-11-07 version 8.0.2

  • When logOff() is called storage should be cleared before emitting an authorization event.
  • AuthConfiguration object will now always return false for start_checksession and silent_renew properties when not running on a browser platform.

2018-11-02 version 8.0.1

  • Adding an onConfigurationChange Observable to OidcSecurityService

2018-10-31 version 8.0.0

  • Replaced EventEmitters with Subjects/Observables and updated the docs
  • Optional url handler for logoff function
  • silent_renew is now off by default (false).
  • Fix for when token contains multiple dashes or underscores

2018-10-20 version 7.0.3

  • Unicode special characters (accents and such) in JWT are now properly…

2018-10-20 version 7.0.2

  • authorizedCallback should wait until the module is setup before running.

2018-10-18 version 7.0.1

  • Check session will now be stopped when the user is logged out

2018-10-14 version 7.0.0

  • Adding validation state result info to authorization event result
  • bug fixes in check session

2018-10-07 version 6.0.12

  • Refactoring getIsAuthorized()
  • A blank session_state in the check session heartbeat should emit a …
  • Fixing inability to turn off silent_renew and adding safety timeout
  • check for valid tokens on start up

2018-10-03 version 6.0.11

  • silent_renew inconsistent with execution

2018-09-14 version 6.0.10

  • Handle callback params that contain equals char

2018-09-09 version 6.0.7

  • Removing the fetch package, using the httpClient now instead

2018-08-18 version 6.0.6

  • Add unique ending to key to prevent storage crossover
  • Public resetAuthorizationData method and getEndSessionUrl function
  • WSO2 Identity Server: audience validation failed support

2018-07-09 version 6.0.2

  • Throw error when userinfo_endpoint is not defined (Azure AD)

2018-06-03 version 6.0.1

  • Removing resource property from the config, not used.
  • fixing silent renew bug

2018-05-05 version 6.0.0

  • Updating src to support rxjs 6.1.0, Angular 6.0.0

2018-04-31 version 4.1.1

  • Updating src to support typescript 2.7.2

2018-03-31 version 4.1.0

  • Lightweight silent renew

2018-03-05 version 4.0.3

  • added optional url handler parameter in the authorize function.

2018-02-23 version 4.0.2

  • returning bool event from config service

2018-02-03 version 4.0.1

  • silent renew fixes
  • check session renew fixes
  • adding error handling to config service, used for the APP_INITIALIZER

2018-01-15 version 4.0.0

  • fixing init process, using APP_INITIALIZER, and proper support for angular guards
  • removed override_well_known_configuration, well_known_configuration now loaded from the APP_INITIALIZER
  • removed override_well_known_configuration_url, well_known_configuration now loaded from the APP_INITIALIZER

If you want to configure the well known endpoints locally, you need to set this to true.

override_well_known_configuration_url

2018-01-08 version 3.0.13

  • fixing rollup build

2018-01-06 version 3.0.12

  • adding a check session event
  • adding onAuthorizationResult for the silent renew event
  • onAuthorizationResult is always sent now
  • no redirects are triggered for silent renews

2018-01-01 version 3.0.11

  • bug fix incorrect user data type

2017-12-31 version 3.0.10

  • bug fix silent renew error handling

2017-12-15 version 3.0.9

  • bug fix aud string arrays not supported
  • bug fix user data set from id_token, when oidc user api is not supported
  • code clean up, package size

2017-12-10 version 3.0.8

  • bug fix, rxjs imports

2017-12-10 version 3.0.7

  • bug fix, rxjs imports

2017-12-10 version 3.0.6

  • using lettable operators rxjs
  • bug fix, check session

2017-11-06 version 3.0.5

  • refreshSession is now public

2017-11-06 version 3.0.4

  • isAuthorized not working on refresh

2017-11-03 version 3.0.3

  • Add prompt=none to silent renew, according to the spec: in fact some OPs do not refresh the token in its absence. Related to: #14
  • Fix the starting of silent renew and check session after the authWellKnownEndpoint has been loaded, to avoid an undefined router (they use its info)
  • Fix(building): public api exports

2017-10-26 version 3.0.2

  • fix: adding additional URL parameters to the authorize request in IE, Edge
  • documentation HTTPClient intercept

2017-10-21 version 3.0.1

  • fixing peer dependency bug

2017-10-21 version 3.0.0

  • Update to HttpClient

2017-10-20 version 2.0.1

  • Removing forChild function, not used

2017-10-20 version 2.0.0

  • Renaming startup_route to post_login_route
  • setting better default values for the configuration
  • Documentation fixes

2017-10-15 version 1.3.19

2017-10-05 version 1.3.18

  • fix: Local Storage session_state undefined parse error

2017-10-03 version 1.3.17

  • fix: silent renew fix after refresh

2017-09-26 version 1.3.16

  • fix: OidcSecurityService emits onModuleSetup before authWellKnownEndpoints are loaded

2017-09-06 version 1.3.15

  • fix: if auto_userinfo is false, we still need to execute runTokenValidation

2017-09-03 version 1.3.14

  • Add silent_renew_offset_in_seconds option

2017-09-01 version 1.3.13

  • Add option to trigger event on authorization resolution instead of automatic redirect

2017-08-27 version 1.3.12

  • Throws Exception when the library is used in an application inside a iframe (cross domain)

2017-08-20 version 1.3.11

  • updating jsrsasign

2017-08-15 version 1.3.9

  • endsession support for custom parameters

2017-08-13 version 1.3.8

  • auto_clean_state_after_authentication which can be used for custom state logic handling

2017-08-11 version 1.3.7

  • support for hash routes

2017-08-11 version 1.3.6

  • support for custom authorization strings like Azure Active Directory B2C

2017-08-09 version 1.3.4

  • Fix authorization url construction

2017-08-09 version 1.3.3

  • adding moduleSetup boolean so that the authorization callback can wait until the module is ready

2017-08-09 version 1.3.2

  • API new function for get id_token
  • API new function for get user info
  • user info configuration for auto get user info after login
  • API custom request params can be added to the authorization request URL using the setCustomRequestParameters function

2017-07-21 version 1.3.1

  • bugfix error handling
  • bugfix configuration default values

2017-07-21 version 1.3.0

  • bugfix refresh isAuthorized
  • bugfix refresh user data

2017-07-19 version 1.2.2

  • support reading json file configurations

2017-07-12 version 1.2.1

  • Fix types in storage class

2017-07-06 version 1.2.0

  • support for SSR
  • support for custom storage

2017-07-06 version 1.1.4

  • bugfix server side rendering, null check for storage

2017-07-01 version 1.1.3

  • clean up session management
  • bugfix Silent token renew fails on state validation

2017-07-01 version 1.1.2

  • API documentation

2017-06-28 version 1.1.1

  • refactor init of module

2017-06-28 version 1.0.8

  • setStorage method added
  • bug fix well known endpoints loaded logout.

2017-06-28 version 1.0.6

  • Event for well known endpoints loaded
  • storage can be set per function

2017-06-27 version 1.0.5

  • Adding support for server rendering in Angular
  • storage can be set now

2017-06-23 version 1.0.3

  • updating validation messages

2017-06-21 version 1.0.2

  • Bug fix: no kid validation with single or multiple jwks headers

2017-06-20 version 1.0.1

  • Bug fix validation

2017-06-20 version 1.0.0

  • Version for OpenID Certification
  • support for decoded tokens

2017-06-20 version 0.0.11

  • Adding a resource configuration

2017-06-17 version 0.0.10

  • Validating kid in id_token header

2017-06-17 version 0.0.9

  • remove manual dependency on jsrsasign

2017-06-15 version 0.0.8

  • build clean up
  • new configuration override for well known endpoints.

2017-06-14 version 0.0.7

  • validate user data sub value

2017-06-14

  • id_token flow
  • fixed rollup build

2017-06-13

  • Adding some docs to the project

2017-06-13

  • init