9.0.0

New Features/ Merged PRs

• ~ 50% less bundle size for code flow (recommended flow) due to putting non-treeshakable code only needed for implicit flow (not recommended anymore) into an lib of its own (see breaking change, below)
• New demo-project quickstart-demo shows most important aspects for code flow
• Angular 9 upgrade #718, jeroenheijmans
• Fix for issue 661 #720, mike-rivera
• Set userinfoEndpoint if userinfo_endpoint not exists #685, luciimon
• Add more types in OAuthService #684, vadjs
• Fix destroying route via silentRefresh when using hash strategy (Issue 277) #672, tpeter1985
• Clean up more resources in ngOnDestroy #666, Andreas-Hjortland
• Fix positioning of popup login window #664, Andreas-Hjortland
• Fixed not using config.openUri in code flow #660, axle-h
• Merge pull request #656 from dirkbolte/improve-error-for-missing-endpointUrl, dirkbolte
• Add more guides on another way to use loadDiscoveryDocumentAndTryLogin #648, jonyeezs
• Added popup related error handling for implicit grant, dekundu
• Support hash location strategy with code flow #634, gingters
• Unsubscribe from 'token_received' events before re-subscribing #630, l1b3r
• Correct implementation of rfc7636 section 4.1 #629, jfyne
• During session check, ignore messages with irrelevant origin #617, Maximaximum
• Allow clockSkewInSec to be different from 600 #615, vdveer
• Fixing disableAtHashCheck, not being recognized correctly #613, dorianweidler
• Add support for code flow silent-refresh and popup #609, KevinCathcart
• Always set expiration timers for valid token types #597, harmpauw
• Validate self when calling crypto provider #588, ryanmwright
• Removed duplicated condition for allowedUrls during interceptor logic and make it optional #584, adrianbenjuya
• Add CryptoHandler to public api. #583, Chris3773

Big Thanks to all Contributers

adrianbenjuya, Andreas-Hjortland, axle-h, Chris3773, dekundu, dirkbolte, dorianweidler, gingters, harmpauw, jeroenheijmans, jfyne, jonyeezs, KevinCathcart, l1b3r, luciimon, Maximaximum, mike-rivera, ryanmwright, tpeter1985, vadjs, vdveer

Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues.

You all rock!

Resolved Bugs

• AutoSilentRefresh doesn't work after refresh the page bug #444
• Event type 'received_first_token' is never fired bug #564
• loadUserProfile will return roles of last user if current user has no roles assigned bug investigation-needed #580
• OAuthResourceServerConfig: customUrlValidation not used when allowedUrls not set bug future-version pr-welcome #593
• Url Helper Service should not discard question marks when parsing hash fragment bug investigation-needed #604
• Code Flow erroring out due to multipe expiry events bug pr-welcome #632
• Emit token_expires if token has already expired bug #637
• Unhandled Promise rejection: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document bug #641
• postMessage interfering issue bug #657
• Does Authorization Code Flow work with loadDiscoveryDocumentAndLogin(); bug #661
• Refresh timer not started after page reload bug investigation-needed #683
• refresh with code flow bug #688
• Debug mode with custom Logger breaks bug pr-welcome #709
• tryLoginCodeFlow Removing ? from URL Which is Invalid bug investigation-needed

Breaking Changes

With regards to tree shaking, beginning with version 9, the JwksValidationHandler has been moved to a library of its own. If you need it for implementing implicit flow, please install it using npm:

npm i angular-oauth2-oidc-jwks --save

After that, you can import it into your application by using this:

import { JwksValidationHandler } from 'angular-oauth2-oidc-jwks';

instead of that:

import { JwksValidationHandler } from 'angular-oauth2-oidc';

Please note, that this dependency is not needed for the code flow, which is nowadays the recommended flow for single page applications. This also results in smaller bundle sizes.

Bugfix

#515 caused a regression. We resolve it now by:

• catching a timeout error
• using a config property waitForTokenInMsec for the timeout
• this config property is set to 0 by default to be compatible with older versions of this lib

Code + PKCE

Features

• Tested with Angular 8
• Code Flow + PKCE (RFC 7637) to align with OAuth 2.0 Security Best Current Practice
• Support for refresh_token and automatic refresh when using Code Flow
  • See mentioned Best Current Practices document for things to consinder

More information about this can be found in the docs:

• https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/code-flow-+-pcke.html
• https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token.html

PR

Big thanks to all contributors for providing 21 PRs for this release! You all are awesome!!!

Proposal: Add implicit flow through popup
#468 by leonardochaia

Improve default oauth interceptor investigating
#515 by simonmulser was merged

feat: Upgrade to angular 8
#573 by killzoner was merged

Improve documentation for events
#520 by jeroenheijmans

Added customUrlValidation
#331 by vytautas-pranskunas-

Properly implements openUri for implicit flow
#369 by nhance was merged

Refresh the timers after configuration has changed
#382 by FabienDehopre

Cleanup timers when OAuthService is destroyed
#463 by leonardochaia

Fixed HTTPS error messages in service
#510 by bobvandevijver

Calculate the timeout using now as a reference
#487 by filipvh

Add documentation about configuring custom OAuthStorage
#512 by dennisameling

update README re: discovery doc validation disabling
#521 by cconcannon

optionally use crypto to generate nonce
#540 by ChristianMurphy

Pause silent refresh if user has logged out
#526 by l1b3r

Skip issuer check in processIdToken if skipIssuerCheck is true
#527 by ismcagdas

Corrects how localStorage could be used
#533 by ManuelRauber

Add noPrompt parameter to setupAutomaticSilentRefresh method
#536 by remiburtin

feature: Abort current implicit flow
#537 by enricodeleo

Fix spelling mistake
#544 by peterneave

Only present the sendAccessToken interceptor mechanism in the Readme
#554 by nhumblot

Added clock skew parameter
#569 by nenadmaricic

5.0.2

Unfortunately, we had to defer the removal jsrsasign. We will still look into this as it allows an amazing reduction in bundle size.

Version 5: Angular 7

Major Features

• Tested with Angular 7

Deferred

• Smaller footprint (-86% compressed) thanks to using browser apis instead of a lib for validating the id_token's signature (Thx Toxicable)

All Features and Bugfixes

• Update to Angular 7 #456 (akehir)
• feat: remove jsrsasign dependancy #356 (Toxicable)
• Decouple OAuthService from console #427 (jeroenheijmans)
• upgrade example to new rxjs (6?) syntax with operators in .pipe() #399 (hellerbarde)
• Docs: fix english #398 (lukasmatta)
• Use responseType parameter #397 (mpbalmeida)
• Clarify imports in README example #372 (jeroenheijmans)
• Change 'Authentication' to 'Authorization' #371 (jeroenheijmans)
• Properly implements openUri for implicit flow #369 (nhance)
• Issue #343 onTokenReceived callback is not called if no iodc - after tr… #345 (denisbeklarov)
• Make all of the login functions return Promise #339 (ajpierson)
• Session check changed to run outside of Angular zone #441
• Resolves #439 #448 [use protected vs private]

Thanks to all Contributers

Big thanks to ajpierson, denisbeklarov, Fabian Wiles, jdgeier, Jeroen Heijmans, Lukáš Matta, Marcos Paulo Belasco de Almeida, Martin Černý, Nicholas Hance, P. Stark, Raphael Ochsenbein

You all are awesome!

Thanks for Moderation

Also, big thanks to Jeroen Heijmans for moderating and answering a lot of questions in this github repo.

4.0.2

• Redirect to logoutUrl, even if there is no id_token #322
• Resolved some issues in documentation (broken links, added clarifications)

Thanks to all the contributors for the discussions and hints in the issues section and for filing PRs. You are awesome!

4.0.1

PR

Fixed bug with required grant and made allowedUrls optional #312

4.0.0 - Angular 6 support

Version 4.0.0

Features

• Angular 6 support
• Upgraded to CLI 6 based monorepo

Pull Requests

• Get granted scopes #274
• Upgraded to Angular 6 #304
• use custom encoder to allow + in password #272
• Adds a new configuration option to allow external control over how the login page is opened #235
• Fix typo in the interceptor docs #234
• fix: run tokensetup outside ngzone #233
• Fixes typo in readme #232
• Fix typo in docs #231
• State improvements #224
• Added support for logout using client id. #201
• Updates repository and bug url in package.json #192

Thanks to all contributers! You are awesome!

3.1

• Introduces a default HttpInterceptor for error handling and sending the access_token to the resource server

• Fixed Issues: #166 #167 #170 #171 #173 #174 #177 #184 #188

Big thx to all the contributers

3.0.1

Features

• Supports Angular 5 (#162, #152, #165)
• Supports Angular 4.3+
• Uses HttpClient instead of Http
• Auto redirect log in Identity Server #157
• Allow custom parameter for password flow #158
• Add method getRefreshToken() #164
• Silent refresh with token_hint (closes #155)
• Integration with angular seed #121

Fixed

• Events and onTokenReceived seemingly not working. #133
• sessionChecksEnabled = false is not respected if discovery doc contains check_session_iframe #132

Breaking Changes

• As we now depend on the new HttpClient instead of the Http(Service) deprecated with Angular 5, we need >= Angular 4.3 (--> Version 5.x is also fine).

Big thanks to all the contributers for helping to make this possible!