In this version the APP_INITIALIZER was removed (see PR). The library will not do anything until the application interacts with it. Nothing is pre-loaded, and the library does not affect your application's bootstrapping process at all. You can, however, explicitly preload the secure token server's well-known endpoints with a new method called preloadAuthWellKnownDocument(). As a side effect, because the config has to be loaded first, a lot of APIs have become reactive and now return an Observable.
See the migration guide.
- refresh token rotation is now optional and can be activated using allowUnsafeReuseRefreshToken
- Fixed getUrlParameter's handling of fragment response
- isLoading observable in OidcSecurityService
- Add redirectUrl customization (via AuthOptions)
- Fix: implicit flow in popup window error (fixes #1385)
- Using window.crypto for jwt signature validation
- Removed jsrsasign dependency
- Update to Angular 13 and rxjs 7
- docs(guards): use UrlTree for redirect, clean up
- fixing storage mechanism
- Additional logging when a nonce is created and validated
- Added fix overwriting prompt param
- Unclear error message when providing improper config to module
- added multiple configs documentation
- Expose PopupService and PopupOptions as public
- Support end session for Auth0 (non conform OIDC endpoint)
- Fix #1168 userInfoEndpoint Typo
- Configuration via forRoot(...) method
- Remove the "AuthorizedState" enum in Version 12
- Use a different key than redirect to store redirect route when using autologin
- Return value of loginwithpopup and login should be the same
- How to provide client id during logoff
- urlHandler callback function parameter in LogoffRevocationService.logoff does nothing
- Convert all instances of "Authorized" to "Authenticated"
- Support for multiple APIs with unique scopes
- Multiple access tokens for the same client_id but different scopes
- Is there a silent renew event?
- Angular 12 Support
- Add configuration to disable or enable id_token expired check
- Support for Azure B2C multiple policies
- Improve AutoLoginSample
- Accessing AuthResult response object
- Rename `stsServer` configuration parameter to `authority`
- Only one returntype (object) when subscribing to isAuthenticated and user data to avoid confusion.
- Silent renew does not always start
- AutoLoginGuard appears to cause some sort of infinite loop.
- Support Custom Params for EndSession and RefreshTokens Renew
- Added Auth0 example
- Bugfix: the "use" attr on the jwks key is optional if only one key is present
- bugfix incorrect storage for silent renew, requires Json object
- Enable handling users closing login popup
- Renamed all occurrences of "Persistance" to "Persistence"
- Document public facing API
- Exported and moved authOptions
- Fix(randomService): fix misuse of Uint8Array
- hooking into the zone again to avoid outside ngzone messages and throw event only when value change
- fixed json stringify objects and storage
- fix: use navigateByUrl to fix url params encoding
- Store signing keys as fallback
- Exposing popup options
- Silent renew with refresh tokens - handle no connection use case
- Added Guard CanLoad interface
- Improve AutoLoginGuard
- Add support custom params during token exchange
- Clean up user data when autoUserInfo is false => from id_token
- Inconsistent behavior of OidcSecurityService.userData$ Observable, if autoUserinfo is false
- CheckSessionService keeps polling after logoffLocal() is invoked
- Bugfix: Check session does not work when autoUserinfo is set to false in code flow with PKCE
- Bugfix: checkAuth returning null when href target="_blank"
- Support silent renew with refresh tokens without scope offline access
- Bugfix: Refresh response without an id token breaks mechanism
- Added AutoLoginGuard
- Updated Azure AD, Azure B2C templates to prompt for select_account (problem with multiple accounts)
- Added support for OAuth Pushed authorisation requests (PAR)
- Added Pushed authorisation requests (PAR) example
- Added OAuth Pushed authorisation requests (PAR) template using schematics
- unsubscribe receivedUrl$ prevents multiple "/token" request
- ApplicationRef.isStable is always false when using this package
- Added support for authentication using a popup
- Added popup sample
- Added Title to Silent Renew IFrame
- Added Auth0 template using schematics
- Support aud arrays which are not ordered in id_token validation of refresh token process
- Fixed bug where Dynamic Custom Request Parameters are forgotten after first login or forceRefreshSession when doing a silent renew/refresh
- Added ability to use Custom Parameters when calling ForceRefreshSession
- Missing RefreshToken causes erroneous token request
- Bug. App fully hang during silent renew
- Added checksession null checks
- Added event to throw when config could not be loaded
- Check session fails if secure token server has a different origin than the check_session_iframe
- Fix http config example and templates for HTTP config load
- Do not clear session state when refreshing session with refresh tokens
- Added config tokenRefreshInSeconds which controls the time interval to run the startTokenValidationPeriodically
- Multiple tabs don't receive any event when session state becomes blank
- Fixed issue with browser history on silent renew redirect to IS
- UTC time fix
- Small fixes of docs and naming
- renewUserInfoAfterTokenRenew to OpenIdConfiguration
- Remove items from local storage instead of writing empty string values
- added possibility to pass url to check from the outside (for example to use in electron cases)
- checkAuthIncludingServer cannot complete without credentials
- QueryParams are getting lost when doing a silent renew
- Token endpoint errors not reported correctly
- Refresh checksession iframe regularly
- Load checksession iframe right after checkSessionService.start() is invoked
- Not throwing an exception if interceptor is set and config is loaded from http
- Bug fix: forceRefreshSession prematurely completes its observable #767
- Bug fix: Returns tokens but doesn't apply them #759
- Added support to check the secure token server for an authenticated session if not locally logged in (iframe silent renew)
- fix config bug with eager loading of the well known endpoints
- prevent routing in silent renew requests with iframes
- return tokens direct in forceRefreshSession
- Added validation for the lib configuration
- fixed some doc typos
- fixed bug 2 auth events emitter on secure token server callback
- Eager loading of well known endpoints can be configured: Made it possible to load the well known endpoints late (per configuration)
- make it possible to force a session refresh
- Add configuration property to disable auth_time validation in refresh flows with Azure B2C (Azure B2C implements this incorrectly)
- Fix disable at_hash validation in refresh, this is not a required property
- only use revocation endpoint if supported by the STS
- Fixing the `Can't resolve all parameters for ...` error
- Adding documentation to describe how to load configuration inside of child modules
- Refactor lib config to make it easier to use
- Update project to Angular 9 #610
- added examples #625
- support refresh tokens with example, and docs (coming safari change)
- refactor configuration property names
- eslint conform #627
- Remove avoidable classes and add interfaces instead #626
- Create Loglevel enum instead of boolean "isxyzactive" #628
- Add prefix configuration for storage to allow multiple angular run in parallel #634
- Add an event service with an enum to throw events out #635
- Make folders for features not services, etc. #636
- SilentRenew breaks when using refresh_token and refresh_token is expired/invalid #667
- Pack the tests beside the files which are being tested when feature folders are available #637
- support multiple instances in browser
- Do not provide default config when config should have been set before #644
- Code Verifier not cryptographically random #642
- After successful login, getIsAuthorized still returns false for a bit. #549
- Expose silent renew running observable #447
- Issue with silent renew when js execution has been suspended #605
- Add support for OAuth 2.0 Token Revocation #673
- Silent renew dies if startRenew fails #617
- support for Angular 8, Angular 9
- redesign login init
- Remove avoidable anys #624
- Use returned expired value of access token for expired validation
- Id_Token is rejected because of timing issue when server hour is different than client hour
- fix validate, fix max time offset #175
- Support azp and multiple audiences #582
- Add extra Refresh token validation #687
- Notification that checking session is initialized #686
- Refactor rxjs events, user profile events, silent renew, check session
- Add support for EC certificates #645
- id_token : alg : HS256 support #597
- redesign docs
- Subscribe startRenew after isAuthorized is true
- check session origin check improvement, support for non-domain urls
- 552-add-config-ignore-nonce-after-refresh
- bug-xmlurlencode-has-newlines
- clean up some file formats
- Added renew process denotation to AuthorizationResult
- bug fix logging, code flow callback
- generic OidcSecurityService.getUserData
- OidcSecurityService with some observables
- Do not check idToken nonce when using refreshToken
- strictNullChecks
- safer-silent-renew
- reduce size of the package
- Ability to change the amount of seconds for the IsAuthorizedRace to do a Timeout
- fixing url parse wo format
- documentation fixes
- use_refresh_token configuration added.
- Added support for refresh tokens in code flow
- expose logger service
- Added a try catch to handle the CORS error that is thrown if the parent has a different origin than the iframe. Issue #466
- bug fix: onConfigurationLoaded is not fired
- bug fix: [SSR] Session storage is not defined
- revert angular build to angular 7, fix npm dist
- remove silent_redirect_url only use silent_renew_url
- refactored configuration for module, angular style
- rename OpenIDImplicitFlowConfiguration to OpenIDConfiguration
Before

```typescript
this.oidcConfigService.onConfigurationLoaded.subscribe(() => {
  const openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration();
  openIDImplicitFlowConfiguration.stsServer = this.oidcConfigService.clientConfiguration.stsServer;
  openIDImplicitFlowConfiguration.redirect_url = this.oidcConfigService.clientConfiguration.redirect_url;
  openIDImplicitFlowConfiguration.client_id = this.oidcConfigService.clientConfiguration.client_id;
  openIDImplicitFlowConfiguration.response_type = this.oidcConfigService.clientConfiguration.response_type;
  ...
  configuration.FileServer = this.oidcConfigService.clientConfiguration.apiFileServer;
  configuration.Server = this.oidcConfigService.clientConfiguration.apiServer;

  // The well-known endpoints had to be wrapped manually before setup.
  const authWellKnownEndpoints = new AuthWellKnownEndpoints();
  authWellKnownEndpoints.setWellKnownEndpoints(this.oidcConfigService.wellKnownEndpoints);

  this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration, authWellKnownEndpoints);
});
```

After

```typescript
import { HttpClientModule } from '@angular/common/http';
import { APP_INITIALIZER, NgModule } from '@angular/core';
import {
  AuthModule,
  OidcSecurityService,
  ConfigResult,
  OidcConfigService,
  OpenIdConfiguration
} from 'angular-auth-oidc-client';

// Factory for APP_INITIALIZER: loads the client configuration before the app starts.
export function loadConfig(oidcConfigService: OidcConfigService) {
  console.log('APP_INITIALIZER STARTING');
  return () => oidcConfigService.load(`${window.location.origin}/api/ClientAppSettings`);
}

@NgModule({
  imports: [
    ...
    HttpClientModule,
    AuthModule.forRoot(),
  ],
  providers: [
    OidcConfigService,
    OidcSecurityService,
    {
      provide: APP_INITIALIZER,
      useFactory: loadConfig,
      deps: [OidcConfigService],
      multi: true
    }
  ],
  bootstrap: [AppComponent],
})
export class AppModule {
  constructor(
    private oidcSecurityService: OidcSecurityService,
    private oidcConfigService: OidcConfigService,
  ) {
    // The configuration is now a plain object literal typed as OpenIdConfiguration.
    this.oidcConfigService.onConfigurationLoaded.subscribe((configResult: ConfigResult) => {
      const config: OpenIdConfiguration = {
        stsServer: configResult.customConfig.stsServer,
        redirect_url: configResult.customConfig.redirect_url,
        client_id: configResult.customConfig.client_id,
        response_type: configResult.customConfig.response_type,
        scope: configResult.customConfig.scope,
        post_logout_redirect_uri: configResult.customConfig.post_logout_redirect_uri,
        start_checksession: configResult.customConfig.start_checksession,
        silent_renew: configResult.customConfig.silent_renew,
        silent_renew_url: configResult.customConfig.redirect_url + '/silent-renew.html',
        post_login_route: configResult.customConfig.startup_route,
        forbidden_route: configResult.customConfig.forbidden_route,
        unauthorized_route: configResult.customConfig.unauthorized_route,
        log_console_warning_active: configResult.customConfig.log_console_warning_active,
        log_console_debug_active: configResult.customConfig.log_console_debug_active,
        max_id_token_iat_offset_allowed_in_seconds: configResult.customConfig.max_id_token_iat_offset_allowed_in_seconds,
        history_cleanup_off: true
        // iss_validation_off: false
        // disable_iat_offset_validation: true
      };

      this.oidcSecurityService.setupModule(config, configResult.authWellknownEndpoints);
    });
  }
}
```
- authNonce not cleared in storage after unsuccessful login and logout
- Should 5 seconds timeout on silent_renew be configurable? => fails fast now if server responds
- increased length of state value for OIDC authorize request
- session_state is optional for code flow
- Added disable_iat_offset_validation configuration for clients with clock problems
- Updated the Docs
- Updated the Docs
- Adding sample usage to repo
- Updated the Docs
- Changed to Angular-CLI builder
- Added a sample in this repo
- Add TokenHelperService to public API
- logs: use !! to display getIdToken() and _userData.value in silentRenewHeartBeatCheck()
- bug fix at_hash is optional for code flow
- removing session_state check from code flow response
- Validation state in code callback redirect
- Make it possible to turn off history clean up, so that the angular state is preserved.
- Support for OpenID Connect Code Flow with PKCE
Implicit flow callback renamed from authorizedCallback() to authorizedImplicitFlowCallback()
- Changed iframe to avoid changing history state for repeated silent token renewals
- make it possible to turn the iss validation off per configuration
- reset history after OIDC callback with tokens
- When `logOff()` is called storage should be cleared before emitting an authorization event.
- AuthConfiguration object will now always return false for `start_checksession` and `silent_renew` properties when not running on a browser platform.
- Adding an `onConfigurationChange` Observable to `OidcSecurityService`
- replaced eventemitters with Subjects/Observables and updated and docs
- Optional url handler for logoff function
- silent_renew is now off by default (false).
- Fix for when token contains multiple dashes or underscores
- Unicode special characters (accents and such) in JWT are now properly…
- authorizedCallback should wait until the module is setup before running.
- Check session will now be stopped when the user is logged out
- Adding validation state result info to authorization event result
- bug fixes in check session
- Refactoring getIsAuthorized()
- A blank `session_state` in the check session heartbeat should emit a …
- Fixing inability to turn off silent_renew and adding safety timeout
- check for valid tokens on start up
- silent_renew inconsistent with execution
- Handle callback params that contain equals char
- Removing the fetch package, using the httpClient now instead
- Add unique ending to key to prevent storage crossover
- Public resetAuthorizationData method and getEndSessionUrl function
- wso2 Identity Server audience validation failed support
- Throw error when userinfo_endpoint is not defined (Azure AD)
- Removing resource property from the config, not used.
- fixing silent renew bug
- Updating src to support rxjs 6.1.0, Angular 6.0.0
- Updating src to support typescript 2.7.2
- Lightweight silent renew
- added optional url handler parameter in the authorize function.
- returning bool event from config service
- silent renew fixes
- check session renew fixes
- adding error handling to config service, used for the APP_INITIALIZER
- fixing init process, using APP_INITIALIZER, and proper support for angular guards
- removed override_well_known_configuration, well_known_configuration now loaded from the APP_INITIALIZER
- removed override_well_known_configuration_url, well_known_configuration now loaded from the APP_INITIALIZER
If you want to configure the well known endpoints locally, you need to set this to true.
- fixing rollup build
- adding a check session event
- adding onAuthorizationResult for the silent renew event
- onAuthorizationResult is always sent now
- no redirects are triggered for silent renews
- bug fix incorrect user data type
- bug fix silent renew error handling
- bug fix aud string arrays not supported
- bug fix user data set from id_token, when oidc user api is not supported
- code clean up, package size
- bug fix, rxjs imports
- bug fix, rxjs imports
- using lettable operators rxjs
- bug fix, check session
- refreshSession is now public
- isAuthorized does not work on refresh
- Add prompt=none to silent renew, according to the spec: in fact some OPs do not refresh the token in the absence of it. Related to: #14
- Fix the starting of silent renew and check session after the authWellKnownEndpoint has been loaded, to avoid an undefined router (they use its info)
- Fix(building): public api exports
- fix: adding additional URL parameters to the authorize request in IE, Edge
- documentation HTTPClient intercept
- fixing peer dependency bug
- Update to HttpClient
- Removing forChild function, not used
- Renaming startup_route to post_login_route
- setting better default values for the configuration
- Documentation fixes
- Fix rxjs imports
- Add optional hd parameter for Google Auth with particular G Suite domain, see https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
- fix: local_state is always null because is not being set
- fix: change for empty header in id_token, improved logging
- fix: Local Storage session_state undefined parse error
- fix: silent renew fix after refresh
- fix: OidcSecurityService emits onModuleSetup before authWellKnownEndpoints are loaded
- fix: if auto_userinfo is false, we still need to execute runTokenValidation
- Add silent_renew_offset_in_seconds option
- Add option to trigger event on authorization resolution instead of automatic redirect
- Throws Exception when the library is used in an application inside an iframe (cross domain)
- updating jsrsasign
- endsession support for custom parameters
- auto_clean_state_after_authentication which can be used for custom state logic handling
- support for hash routes
- support for custom authorization strings like Azure Active Directory B2C
- Fix authorization url construction
- adding moduleSetup boolean so that the authorization callback can wait until the module is ready
- API new function for get id_token
- API new function for get user info
- user info configuration for auto get user info after login
- API custom request params can be added to the authorization request URL using the setCustomRequestParameters function
- bugfix error handling
- bugfix configuration default values
- bugfix refresh isAuthorized
- bugfix refresh user data
- support reading json file configurations
- Fix types in storage class
- support for SSR
- support for custom storage
- bugfix server side rendering, null check for storage
- clean up session management
- bugfix Silent token renew fails on state validation
- API documentation
- refactor init of module
- setStorage method added
- bug fix well known endpoints loaded logout.
- Event for well known endpoints loaded
- storage can be set per function
- Adding support for server rendering in Angular
- storage can be set now
- updating validation messages
- Bug fix no kid validation with single, multiple jwks headers
- Bug fix validation
- Version for OpenID Certification
- support for decoded tokens
- Adding a resource configuration
- Validating kid in id_token header
- remove manual dependency to jsrsasign
- build clean up
- new configuration override for well known endpoints.
- validate user data sub value
- id_token flow
- fixed rollup build
- Adding some docs to the project
- init