Package detail

angular-auth-oidc-client

damienbod311.2kMIT19.0.0

Angular Lib for OpenID Connect & OAuth2

angular, oidc, oauth2, openid, security, typescript, openidconnect, auth, authn, authentication, identity, certified, oauth, authorization

readme

Angular Lib for OpenID Connect & OAuth2

Secure your Angular app using the latest standards for OpenID Connect & OAuth2. Provides support for token refresh, all modern OIDC Identity Providers and more.

Acknowledgements

This library is certified by OpenID Foundation. (RP Implicit and Config RP)

Features

Code samples for most of the common use cases
Supports schematics via ng add support
Supports all modern OIDC identity providers
Supports OpenID Connect Code Flow with PKCE
Supports Code Flow PKCE with Refresh tokens
Supports OpenID Connect Implicit Flow
Supports OpenID Connect Session Management 1.0
Supports RFC7009 - OAuth 2.0 Token Revocation
Supports RFC7636 - Proof Key for Code Exchange (PKCE)
Supports OAuth 2.0 Pushed authorisation requests (PAR) draft
Semantic releases
Github actions
Modern coding guidelines with prettier, husky
Up to date documentation
Implements OIDC validation as specified, complete client side validation for REQUIRED features
Supports authentication using redirect or popup

Installation

Ng Add

You can use the schematics and ng add the library.

ng add angular-auth-oidc-client

And answer the questions. A module will be created which encapsulates your configuration.

angular-auth-oidc-client schematics

Npm / Yarn

Navigate to the level of your package.json and type

 npm install angular-auth-oidc-client

or with yarn

 yarn add angular-auth-oidc-client

Documentation

Read the docs here

Samples

Explore the Samples here

Quickstart

For the example of the Code Flow. For further examples please check the Samples Section.

If you have done the installation with the schematics, these modules and files should be available already!

Configuration

Import the AuthModule in your module.

import { NgModule } from '@angular/core';
import { AuthModule, LogLevel } from 'angular-auth-oidc-client';
// ...

@NgModule({
  // ...
  imports: [
    // ...
    AuthModule.forRoot({
      config: {
        authority: '<your authority address here>',
        redirectUrl: window.location.origin,
        postLogoutRedirectUri: window.location.origin,
        clientId: '<your clientId>',
        scope: 'openid profile email offline_access',
        responseType: 'code',
        silentRenew: true,
        useRefreshToken: true,
        logLevel: LogLevel.Debug,
      },
    }),
  ],
  // ...
})
export class AppModule {}

And call the method checkAuth() from your app.component.ts. The method checkAuth() is needed to process the redirect from your Security Token Service and set the correct states. This method must be used to ensure the correct functioning of the library.

import { Component, OnInit, inject } from '@angular/core';
import { OidcSecurityService } from 'angular-auth-oidc-client';

@Component({
  /*...*/
})
export class AppComponent implements OnInit {
  private readonly oidcSecurityService = inject(OidcSecurityService);

  ngOnInit() {
    this.oidcSecurityService
      .checkAuth()
      .subscribe((loginResponse: LoginResponse) => {
        const { isAuthenticated, userData, accessToken, idToken, configId } =
          loginResponse;

        /*...*/
      });
  }

  login() {
    this.oidcSecurityService.authorize();
  }

  logout() {
    this.oidcSecurityService
      .logoff()
      .subscribe((result) => console.log(result));
  }
}

Using the access token

You can get the access token by calling the method getAccessToken() on the OidcSecurityService

const token = this.oidcSecurityService.getAccessToken().subscribe(...);

And then you can use it in the HttpHeaders

import { HttpHeaders } from '@angular/common/http';

const token = this.oidcSecurityServices.getAccessToken().subscribe((token) => {
  const httpOptions = {
    headers: new HttpHeaders({
      Authorization: 'Bearer ' + token,
    }),
  };
});

You can use the built in interceptor to add the accesstokens to your request

AuthModule.forRoot({
  config: {
    // ...
    secureRoutes: ['https://my-secure-url.com/', 'https://my-second-secure-url.com/'],
  },
}),

 providers: [
    { provide: HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true },
  ],

Versions

Current Version is Version 19.x

License

MIT

Authors

changelog

Angular Lib for OpenID Connect/OAuth2 Changelog

2024-12-03 19.0.0

Angular 19

2024-10-12 18.0.2

Feat: log when provided configId does not exist
- PR
Fix: auto login guard passes correct config id
- PR
Feat: add guard autoLoginPartialRoutesGuardWithConfig for specific configuration
- PR
Fix: Rudimentary fix for popup closing too early
- PR
merge the well-known endpoints with the config ones
- PR
Bugfix: Updated URL service isCallbackFromSts
- PR

2024-06-21 18.0.1

Fix issue #1954: Ensure CheckingAuthFinished event fires regardless of authentication state
- PR
feat: add support for route data to autoLoginPartialRoutesGuard
- PR
docs: add migration docs
- PR

2024-06-06 18.0.0

Support Angular 18

2024-05-31 17.1.0

docs: add new signal properties to public api docs
- PR
fix(refresh-session): forceRefreshSession does not reset storageSilentRenewRunning
- PR
refactor example to control flow syntax
- PR
feat: add option to override the auth well known suffix
- PR
feat: add authenticated and userData signals
- PR
Bugfix: Updated URL service isCallbackFromSts
- PR
fix network error detection due to potential falsy instanceof ProgressEvent evaluation if ProgressEvent is monkey patched by another library
- PR
fix: refresh authWellKnownEndPoints
- PR
refactor: replace any types
- PR
fix: inject DOCUMENT
- PR
Moving to inject function
- PR
fix: adding missing field token_type from AuthResult.
- PR

2024-02-03 17.0.0

Support Angular 17

2023-08-27 16.0.1

Fix problem in logoff when urlHandler option is present
- PR
Included authOptions in createBodyForParCodeFlowRequest - url.service.ts
- PR
Added useCustomAuth0Domain flag
- PR
Check if savedRouteForRedirect is null
- PR
Remove provided in root for interceptor
- PR
Support ng-add for standalone applications
- PR
Code improvement, remove cast
- PR

2023-06-19 16.0.0

Add provideAuth for standalone applications
- PR
Docs: adds docs for standalone methods
- PR
Docs: add standalone example
- PR
Fix: returning a loginresponse and not null
- PR
moved the setting of popupauth in storage before opening the popup wi…
- PR
Deprecate guard and update docs
- PR

2023-05-05 15.0.5

Bugfix id token expire check
- PR

2023-04-15 15.0.4

isCurrentlyInPopup will check for opener and session storage
- PR
Expand configuration per default
- PR
Move code storage values to store to simple boolean
- PR
Bugfix: Library fails on Firefox REOPEN #1621
- PR
added localstorage service. refactored missed jsdocs + fixed imports
- PR
adding provided in root to services
- PR

2023-01-23 15.0.3

fix(refreshSession): fix refreshSessionWithRefreshTokens

2022-11-27 15.0.2

bugfix POST logout, missing parameters
- PR

2022-11-26 15.0.1

Add silent renew error event
- PR
Improve Popup flows
- PR
Bugfixes revocation
- PR
Updated project to Angular 15
- PR

2022-11-18 15.0.0

Support refresh tokens without returning an id_token in the refresh
run silent renew using only the access token
id_token only has to be valid on the first authentication
add support to disable id_token validation completely, not recommended
Renamed enableIdTokenExpiredValidationInRenew to triggerRefreshWhenIdTokenExpired
Added disableIdTokenValidation parameter in config
- PR
logoff() possible now with POST request
- PR
removed deprecated isLoading$ property
- PR

Docs: Silent Renew

Configuration

Migration V14 to V15

2022-09-21 14.1.5

Exposing payload of access token
- PR
Fix bug in logoffAndRevokeTokens() which was not revoking the access token correctly
- PR
Fix checkSession messageHandler configuration correctly
- PR
fix: Use correct offset in ID token expiry check
- PR

2022-08-26 14.1.4

Bugfix/unable to extract jwk without kid
- PR
Make id_token_hint optional on session end logout
- PR
construction of token endpoint body breaks if pkce is disable
- PR
deprecating is loading
- PR
added build step for rxjs 6
- PR
Added console debug to fulfill browser filters
- PR

2022-08-06 14.1.3

Improve logging error messages
- PR
Support observable open id configuration in sts config http loader constructor
- PR
Fix sample links for azure implementations
- PR
Fix throwing config event
- PR

2022-07-31 14.1.2

Bugfix RxJS imports to be compatible with RxJS 6
- PR
Updated dependencies
- PR
Bugfix concurrent issue with renew and normal code flow
- PR
Add disablePkce config parameter
- PR

2022-07-05 14.1.1

Bugfix getUserData - You provided an invalid object where a stream was expected.
- PR

2022-07-02 14.1.0

Support Angular 14

2022-06-10 14.0.2

Disable id_token time validation
- PR

2022-05-22 14.0.1

Fix regression in the check session service
- PR

2022-04-18 14.0.0

In this version the APP_INITIALIZER was removed. (See PR). The library will not do anything until the application interact with it. There is no pre-loading of anything and it does not affect your application's bootstrapping process at all. You can however explicitly preload the secure token server well-known endpoints with a new method called preloadAuthWellKnownDocument(). As a side effect because the config has to be loaded first, a lot of APIs become reactive and return an Observable now.

See the migration guide.

refresh token rotation is now optional and can be activated using allowUnsafeReuseRefreshToken
- PR
Fixed getUrlParameter's handling of fragment response
- PR
isLoading observable in OidcSecurityService
- PR
Add redirectUrl customization (via AuthOptions)
- PR
Fix: implicit flow in popup window error (fixes #1385)
- PR
Enhancement: Improved abstract services
- PR
Remove double quotes in info messages
- PR
Enhancement: Added auth result
- PR

2021-12-01 13.1.0

Using window.crypto for jwt signature validation
Removed jsrsasign dependency
- PR

2021-11-19 13.0.0

Update to Angular 13 and rxjs 7

2021-08-17 12.0.3

docs(guards): use UrlTree for redirect, clean up
- PR
fixing storage mechanism
- PR
Additional logging when a nonce is created and validated
- PR

2021-07-20 12.0.2

Added fix overwriting prompt param
- PR
Unclear error message when providing improper config to module
- PR
added multiple configs documentation
- PR
Expose PopupService and PopupOptions as public
- PR
Support end session for Auth0 (non conform OIDC endpoint)
- PR

2021-07-06 12.0.1

Fix #1168 userInfoEndpoint Typo

2021-07-04 Version 12.0.0

Configuration via forRoot(...) method
- Issue | PR
Remove the "AuthorizedState" enum in Version 12
- Issue | PR
Use a different key than redirect to store redirect route when using autologin
- Issue | PR
Returnvalue of loginwithpopup and login should be the same
- Issue | PR
How to provide client id during logoff
- Issue | PR
urlHandler callback function parameter in LogoffRevocationService.logoff does nothing
- Issue | PR
Convert all instances of "Authorized" to "Authenticated"
- Issue | PR
Support for multiple APIs with unique scopes
- Issue | PR
Multiple access tokens for the same client_id but different scopes
- Issue | PR
Is there a silent renew event？
- Issue | PR
Angular 12 Support
- Issue | PR
Add configuration to disable or enable id_token expired check
- Issue | PR
Support for Azure B2C multiple policies
- Issue | PR
Improve AutoLoginSample
- Issue | PR
Accessing AuthResult response object
- Issue | PR
Rename stsServer configuration parameter to authority
- Issue | PR
Only one returntype (object) when subscribing to isAuthenticated and user data to avoid confusion.
- Issue | PR

2021-06-12 Version 11.6.11

Silent renew does not always start
- PR

2021-05-28 Version 11.6.10

AutoLoginGuard appears to cause some sort of infinite loop.
- PR

2021-05-16 Version 11.6.9

Support Custom Params for EndSession and RefreshTokens Renew
- PR
Added Auth0 example
Bugfix: the "use" attr on the jwks key is optional if only one key is present
- PR

2021-05-04 Version 11.6.8

bugfix incorrect storage for silent renew, requires Json object
- PR

2021-05-01 Version 11.6.7

Enable handling users closing login popup
- PR
Renamed all occurrences of "Persistance" to "Persistence"
- PR
Document public facing API
- PR
Exported and moved authOptions
- PR
Fix(randomService): fix misuse of Uint8Array
- PR
hooking into the zone again to avoid outside ngzone messages and throw event only when value change
- PR
fixed json stringify objects and storage
- PR

2021-04-18 Version 11.6.6

fix: use navigateByUrl to fix url params encoding
- PR
Store singing keys as fallback
- PR
Exposing popup options
- PR

2021-04-11 Version 11.6.5

Silent renew with refresh tokens - handle no connection use case
- PR
Added Guard CanLoad interface
- PR

2021-03-13 Version 11.6.4

Improve AutoLoginGuard
- PR
Add support custom params during token exchange
- PR
Clean up user data when autoUserInfo is false => from id_token
- PR

2021-03-12 Version 11.6.3

Inconsistent behavior of OidcSecurityService.userData$ Observable, if autoUserinfo is false
- PR
CheckSessionService keeps polling after logoffLocal() is invoked
- PR

2021-03-05 Version 11.6.2

Bugfix: Check session does not work when autoUserinfo is set to false in code flow with PKCE
- PR, ISSUE
Bugfix: checkAuth returning null when href target="_blank"
- PR, ISSUE
Support silent renew with refresh tokens without scope offline access
- PR
Bugfix: Refresh response without an id token breaks mechanism
- PR

2021-02-27 Version 11.6.1

Added AutoLoginGuard
- PR
Updated Azure AD, Azure B2C templates to prompt for select_account (problem with multiple accounts)

2021-02-24 Version 11.6.0

Added support for OAuth Pushed authorisation requests (PAR)
- PR
Added Pushed authorisation requests (PAR) example
Added OAuth Pushed authorisation requests (PAR) template using schematics
- PR
unsubscribe receivedUrl$ prevents multiple "/token" request
- PR

2021-02-13 Version 11.5.1

ApplicationRef.isStable is always false when using this package
- PR

2021-02-02 Version 11.5.0

Added support for authentication using a popup
- PR
Added popup sample
Added Title to Silent Renew IFrame
- PR

2021-02-02 Version 11.4.5

Added Auth0 template using schematics

2021-02-02 Version 11.4.4

Support aud arrays which are not ordered in id_token validation of refresh token process
- PR
Fixed Bug were Dynamic Custom Request Parameters are forgotten after first login or forceRefreshSession when doing a silent renew/refresh
- PR

2021-01-19 Version 11.4.3

Added ability to use Custom Parameters when calling ForceRefreshSession
- PR
Missing RefreshToken causes erroneous token request
- issue
Bug. App fully hang during silent renew
- PR

2021-01-10 Version 11.4.2

Added checksession null checks
- PR

2021-01-10 Version 11.4.1

Added event to throw when config could not be loaded
- PR
Check session fails if secure token server has a different origin than the check_session_iframe
- PR
Fix http config example and templates for HTTP config load
- PR

2021-01-03 Version 11.4.0

Adding schematics
- PR
Provided interceptor out of the lib
- PR

2020-12-18 Version 11.3.0

Update to Angular 11, fix tslib warnings
- PR
Use window object safely by injecting document
- PR

2020-11-20 Version 11.2.4

Do not clear session state when refreshing session with refresh tokens
- PR

2020-11-20 Version 11.2.3

Added config tokenRefreshInSeconds which controls the time interval to run the startTokenValidationPeriodically
- PR

2020-11-13 Version 11.2.2

Multiple tabs don't receive any event when session state becomes blank
- PR
Fixed issue with browser history on silent renew redirect to IS
- PR
UTC time fix
- PR
Small fixes of docs and naming
- PR

2020-10-23 Version 11.2.1

renewUserInfoAfterTokenRenew to OpenIdConfiguration
- PR
Remove items from local storage instead of writing empty string values
- PR

2020-08-08 Version 11.2.0

added possibility to pass url to check from the outside (for example to use in electron cases)
- PR

2020-07-04 Version 11.1.4

checkAuthIncludingServer cannot complete without credentials
- PR // Fixes #779
QueryParams are getting lost when doing a silent renew
- PR // Fixes #795
Token endpoint errors not reported correctly
- PR // Fixes #805

2020-06-04 Version 11.1.3

Refresh checksession iframe regularly
- PR // Fixes #756
Load checksession iframe right after checkSessionService.start() is invoked
- PR // fixes #750
Not throwing an exception if interceptor is set and config is loaded from http
- PR // fixes #772
Bug fix: forceRefreshSession prematurely completes its observable #767
Bug fix: Returns tokens but doesn't apply them #759

2020-05-24 Version 11.1.2

Added support to check the secure token server for an authenticated session if not locally logged in (iframe silent renew)
- PR // Fixes #744
fix config bug with eager loading of the well known endpoints
- PR
prevent routing in silent renew requests with iframes
return tokens direct in forceRefreshSession

2020-05-16 Version 11.1.1

Added validation for the lib configuration
- PR // Fixes #725
fixed some doc typos
fixed bug 2 auth events emitter on secure token server callback
- Fixes PR // #734

2020-05-14 Version 11.1.0

Eager loading of well known endpoints can be configured: Made it possible to load the well known endpoints late (per configuration)
- PR // Fixes #717
make it possible to force a session refresh
- PR // Fixes #729

2020-05-12 Version 11.0.2

Add configuration property to disable auth_time validation in refresh flows with Azure B2C (Azure B2C implements this incorrectly)
Fix disable at_hash validation in refresh, this is not a required property
only use revocation endpoint if supported by the STS

2020-05-08 Version 11.0.1

Fixing the Can't resolve all parameters for ... error
Adding documentation to describe how to load configuration inside of child modules

2020-05-02 Version 11.0.0

Refactor lib config to make it easier to use
Update project to Angular 9 #610
added examples #625
support refresh tokens with example, and docs (coming safari change)
refactor configuration property names
eslint conform #627
Remove avoidable classes and add interfaces instead #626
Create Loglevel enum instead of boolean "isxyzactive" #628
Add prefix configuration for storage to allow multiple angular run in parallel #634
Add an event service with an enum to throw events out #635
Make folders for features not services, etc. #636
SilentRenew breaks when using refresh_token and refresh_token is expired/invalid #667
Pack the tests beside the files which are being tested when feature folders are available #637
support multiple instances in browser
Do not provide default config when config should have been set before #644
Code Verifier not cryptographically random #642
After successful login, getIsAuthorized still returns false for a bit. #549
Expose silent renew running observable #447
Issue with silent renew when js execution has been suspended #605
Add support for OAuth 2.0 Token Revocation #673
Silent renew dies if startRenew fails #617
support for Angular 8 , Angular 9
redesign login init
Remove avoidable anys #624
Use returned expired value of access token for expired validation
Id_Token is rejected because of timing issue when server hour is different then client hour
fix validate, fix max time offset #175
Support azp and multiple audiences #582
Add extra Refresh token validation #687
Notification that checking session is initialized #686
Refactor rxjs events, user profile events, silent renew, check session
Add support for EC certificates #645
id_token : alg : HS256 support #597
redesign docs

2020-02-14 version 10.0.15

Subscribe startRenew after isAuthorized is true
check session origin check improvement, support for non-domain urls

2020-01-24 version 10.0.14

552-add-config-ignore-nonce-after-refresh
bug-xmlurlencode-has-newlines
clean up some file formats

2020-01-03 version 10.0.11

Added renew process denotation to AuthorizationResult

2019-10-07 version 10.0.10

bug fix logging, code flow callback

2019-10-05 version 10.0.9

generic OidcSecurityService.getUserData
OidcSecurityService with some observables
Do not check idToken nonce when using refreshToken
strictNullChecks
safer-silent-renew

2019-09-20 version 10.0.8

reduce size of the package

2019-09-11 version 10.0.7

Ability to change the amount of seconds for the IsAuthorizedRace to do a Timeout

2019-09-05 version 10.0.6

fixing url parse wo format
documentation fixes

2019-09-03 version 10.0.5

use_refresh_token configuration added.

2019-09-01 version 10.0.4

Added support for refresh tokens in code flow
expose logger service

2019-07-30 version 10.0.3

Added a try catch to handle the CORS error that is thrown if the parent has a different origin htne the iframe. Issue #466

2019-06-25 version 10.0.2

bug fix: onConfigurationLoaded does not fired
bug fix: [SSR] Session storage is not defined

2019-06-21 version 10.0.1

revert angular build to angular 7, fix npm dist

2019-05-24 version 10.0.0

remove silent_redirect_url only use silent_renew_url
refactored configuration for module, angular style
rename OpenIDImplicitFlowConfiguration to OpenIDConfiguration

Breaking changes

Before

this.oidcConfigService.onConfigurationLoaded.subscribe(() => {

    const openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration();
    openIDImplicitFlowConfiguration.stsServer = this.oidcConfigService.clientConfiguration.stsServer;
    openIDImplicitFlowConfiguration.redirect_url = this.oidcConfigService.clientConfiguration.redirect_url;
    openIDImplicitFlowConfiguration.client_id = this.oidcConfigService.clientConfiguration.client_id;
    openIDImplicitFlowConfiguration.response_type = this.oidcConfigService.clientConfiguration.response_type;

    ...

    configuration.FileServer = this.oidcConfigService.clientConfiguration.apiFileServer;
    configuration.Server = this.oidcConfigService.clientConfiguration.apiServer;

    const authWellKnownEndpoints = new AuthWellKnownEndpoints();
    authWellKnownEndpoints.setWellKnownEndpoints(this.oidcConfigService.wellKnownEndpoints);

    this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration, authWellKnownEndpoints);

After


import {
    AuthModule,
    OidcSecurityService,
    ConfigResult,
    OidcConfigService,
    OpenIdConfiguration
} from 'angular-auth-oidc-client';

export function loadConfig(oidcConfigService: OidcConfigService) {
    console.log('APP_INITIALIZER STARTING');
    return () => oidcConfigService.load(`${window.location.origin}/api/ClientAppSettings`);
}

@NgModule({
    imports: [
        ...
        HttpClientModule,
        AuthModule.forRoot(),
    ],
    providers: [
        OidcConfigService,
        OidcSecurityService,
        {
            provide: APP_INITIALIZER,
            useFactory: loadConfig,
            deps: [OidcConfigService],
            multi: true
        }
    ],
    bootstrap: [AppComponent],
})

export class AppModule {

    constructor(
        private oidcSecurityService: OidcSecurityService,
        private oidcConfigService: OidcConfigService,
    ) {

        this.oidcConfigService.onConfigurationLoaded.subscribe((configResult: ConfigResult) => {

            const config: OpenIdConfiguration = {
                stsServer: configResult.customConfig.stsServer,
                redirect_url: configResult.customConfig.redirect_url,
                client_id: configResult.customConfig.client_id,
                response_type: configResult.customConfig.response_type,
                scope: configResult.customConfig.scope,
                post_logout_redirect_uri: configResult.customConfig.post_logout_redirect_uri,
                start_checksession: configResult.customConfig.start_checksession,
                silent_renew: configResult.customConfig.silent_renew,
                silent_renew_url: configResult.customConfig.redirect_url + '/silent-renew.html',
                post_login_route: configResult.customConfig.startup_route,
                forbidden_route: configResult.customConfig.forbidden_route,
                unauthorized_route: configResult.customConfig.unauthorized_route,
                log_console_warning_active: configResult.customConfig.log_console_warning_active,
                log_console_debug_active: configResult.customConfig.log_console_debug_active,
                max_id_token_iat_offset_allowed_in_seconds: configResult.customConfig.max_id_token_iat_offset_allowed_in_seconds,
                history_cleanup_off: true
                // iss_validation_off: false
                // disable_iat_offset_validation: true
            };

            this.oidcSecurityService.setupModule(config, configResult.authWellknownEndpoints);
        });
    }
}

2019-05-21 version 9.0.8

authNonce not cleared in storage after unsuccessful login and logout
Should 5 seconds timeout on silent_renew be configurable? => fails fast now if server responds

2019-04-28 version 9.0.7

increased length of state value for OIDC authorize request

2019-04-22 version 9.0.6

session_state is optional for code flow

2019-04-14 version 9.0.5

Added disable_iat_offset_validation configuration for clients with clock problems
Updated the Docs

2019-03-29 version 9.0.4

Updated the Docs
Adding sample usage to repo

2019-03-22 version 9.0.3

Updated the Docs
Changed to Angular-CLI builder
Added a sample in this repo

2019-02-27 version 9.0.3

Add TokenHelperService to public API
logs: use !! to display getIdToken() and _userData.value in silentRenewHeartBeatCheck()

2019-02-01 version 9.0.2

bug fix at_hash is optional for code flow
removing session_state check from code flow response

2019-01-11 version 9.0.1

Validation state in code callback redirect
Make it possible to turn off history clean up, so that the angular state is preserved.

2019-01-08 version 9.0.0

Support for OpenID Connect Code Flow with PKCE

Breaking changes:

Implicit flow callback renamed from authorizedCallback() to authorizedImplicitFlowCallback()

2018-11-16 version 8.0.3

Changed iframe to avoid changing history state for repeated silent token renewals
make it possible to turn the iss validation off per configuration
reset history after OIDC callback with tokens

2018-11-07 version 8.0.2

When logOff() is called storage should be cleared before emitting an authorization event.
AuthConfiguration object will now always return false for start_checksession and silent_renew properties when not running on a browser platform.

2018-11-02 version 8.0.1

Adding an onConfigurationChange Observable to `OidcSecurityService

2018-10-31 version 8.0.0

replaced eventemitters with Subjects/Observables and updated and docs
Optional url handler for logoff function
silent_renew is now off by default (false).
Fix for when token contains multiple dashes or underscores

2018-10-20 version 7.0.3

Unicode special characters (accents and such) in JWT are now properly…

2018-10-20 version 7.0.2

authorizedCallback should wait until the module is setup before running.

2018-10-18 version 7.0.1

Check session will now be stopped when the user is logged out

2018-10-14 version 7.0.0

Adding validation state result info to authorization event result
bug fixes in check session

2018-10-07 version 6.0.12

Refactoring getIsAuthorized()
A blank session_state in the check session heartbeat should emit a …
Fixing inability to turn off silent_renew and adding safety timeout
check for valid tokens on start up

2018-10-03 version 6.0.11

silent_renew inconsistent with execution

2018-09-14 version 6.0.10

Handle callback params that contain equals char

2018-09-09 version 6.0.7

Removing the fetch package, using the httpClient now instead

2018-08-18 version 6.0.6

Add unique ending to key to prevent storage crossover
Public resetAuthorizationData method and getEndSessionUrl function
wso2 Identity Server audience validation failed support

2018-07-09 version 6.0.2

Throw error when userinfo_endpoint is not defined (Azure AD)

2018-06-03 version 6.0.1

Removing resource propety from the config, not used.
fixing silent renew bug

2018-05-05 version 6.0.0

Updating src to support rxjs 6.1.0, Angular 6.0.0

2018-04-31 version 4.1.1

Updating src to support typescript 2.7.2

2018-03-31 version 4.1.0

Lightweight silent renew

2018-03-05 version 4.0.3

added optional url handler parameter in the authorize function.

2018-02-23 version 4.0.2

returning bool event from config service

2018-02-03 version 4.0.1

silent renew fixes
check session renew fixes
adding error handling to config service, used for the APP_INITIALIZER

2018-01-15 version 4.0.0

fixing init process, using APP_INITIALIZER, and proper support for angular guards
removed override_well_known_configuration, well_known_configuration now loaded from the APP_INITIALIZER
removed override_well_known_configuration_url, well_known_configuration now loaded from the APP_INITIALIZER

If you want to configure the well known endpoints locally, you need to set this to true.

override_well_known_configuration_url

2018-01-08 version 3.0.13

fixing rollup build

2018-01-06 version 3.0.12

adding a check session event
adding onAuthorizationResult for the silent renew event
onAuthorizationResult is always sent now
no redirects are triggered for silent renews

2018-01-01 version 3.0.11

bug fix incorrect user data type

2017-12-31 version 3.0.10

bug fix silent renew error handling

2017-12-15 version 3.0.9

bug fix aud string arrays not supported
bug fix user data set from id_token, when oidc user api is not supported
code clean up, package size

2017-12-10 version 3.0.8

bug fix, rxjs imports

2017-12-10 version 3.0.7

bug fix, rxjs imports

2017-12-10 version 3.0.6

using lettable operators rxjs
bug fix, check session

2017-11-06 version 3.0.5

refreshSession is now public

2017-11-06 version 3.0.4

isAuthorized does not working on refresh

2017-11-03 version 3.0.3

Add prompt= none to silent renew, according to the spec: in fact some op do not refresh the token in the absence of it. Related to: #14
Fix the starting of silent renew and check session after the authWellKnownEndpoint has been loaded, to avoid an undefined router (they use its info)
Fix(building): public api exports

2017-10-26 version 3.0.2

fix: adding additional URL parameters to the authorize request in IE, Edge
documentation HTTPClient intercept

2017-10-21 version 3.0.1

fixing peer dependency bug

2017-10-21 version 3.0.0

Update to HttpClient

2017-10-20 version 2.0.1

Removing forChild function, not used

2017-10-20 version 2.0.0

Renaming startup_route to post_login_route
setting better default values for the configuration
Documentation fixes

2017-10-15 version 1.3.19

Fix rxjs imports
Add optional hd parameter for Google Auth with particular G Suite domain, see https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
fix: local_state is always null because is not being set
fix: change for emtpy header in id_token, improved logging

2017-10-05 version 1.3.18

fix: Local Storage session_state undefined parse error

2017-10-03 version 1.3.17

fix: silent renew fix after refresh

2017-09-26 version 1.3.16

fix: OidcSecurityService emits onModuleSetup before authWellKnownEndpoints are loaded

2017-09-06 version 1.3.15

fix: if auto_userinfo is false, we still need to execute runTokenValidation

2017-09-03 version 1.3.14

Add silent_renew_offset_in_seconds option

2017-09-01 version 1.3.13

Add option to trigger event on authorization resolution instead of automatic redirect

2017-08-27 version 1.3.12

Throws Exception when the library is used in an application inside a iframe (cross domain)

2017-08-20 version 1.3.11

updating jsrasign

2017-08-15 version 1.3.9

endsession support for custom parameters

2017-08-13 version 1.3.8

auto_clean_state_after_authentication which can be used for custom state logic handling

2017-08-11 version 1.3.7

support for hash routes

2017-08-11 version 1.3.6

support for custom authorization strings like Azure Active Directory B2C

2017-08-09 version 1.3.4

Fix authorization url construction

2017-08-09 version 1.3.3

adding moduleSetup boolean so that the authorization callback can wait until the module is ready

2017-08-09 version 1.3.2

API new function for get id_token
API new function for get user info
user info configuration for auto get user info after login
API custom request params can be added to the authorization request URL using the setCustomRequestParameters function

2017-07-21 version 1.3.1

bugfix error handling
bugfix configuration default values

2017-07-21 version 1.3.0

bugfix refresh isAuthorized
bugfix refresh user data

2017-07-19 version 1.2.2

support reading json file configurations

2017-07-12 version 1.2.1

Fix types in storage class

2017-07-06 version 1.2.0

support for SSR
support for custom storage

2017-07-06 version 1.1.4

bugfix server side rendering, null check for storage

2017-07-01 version 1.1.3

clean up session management
bugfix Silent token renew fails on state validation

2017-07-01 version 1.1.2

API documentation

2017-06-28 version 1.1.1

refactor init of module

2017-06-28 version 1.0.8

setStorage method added
bug fix well known endpoints loaded logout.

2017-06-28 version 1.0.6

Event for well known endpoints loaded
storage is can be set per function

2017-06-27 version 1.0.5

Adding support for server rendering in Angular
storage can be set now

2017-06-23 version 1.0.3

updating validation messages

2017-06-21 version 1.0.2

Bug fix no kid validation withe single, multiple jwks headers

2017-06-20 version 1.0.1

Bug fix validation

2017-06-20 version 1.0.0

Version for OpenID Certification
support for decoded tokens

2017-06-20 version 0.0.11

Adding a resource configuration

2017-06-17 version 0.0.10

Validating kid in id_token header

2017-06-17 version 0.0.9

remove manual dependency to jsrasign

2017-06-15 version 0.0.8

build clean up
new configuration override for well known endpoints.

2017-06-14 version 0.0.7

validate user data sub value

2017-06-14

id_token flow
fixed rollup build

2017-06-13

Adding some docs to the project

2017-06-13

init