My understanding might be totally wrong. But I wanted to have a discussion around the same.

I was testing the library from ng app hosted on localhost:4200. I am authenticating against Azure AD app (implicit flow). The auth flow gets stuck while getting signing keys.

It appears the some key discovery endpoints (e.g. jwks_uri: https://login.microsoftonline.com/common/discovery/keys, userinfo : https://login.microsoftonline.com/common/openid/userinfo ) do not have CORS enabled. We can not make an XHR request to retrieve information post callback.

Have you guys encountered this error before? am I missing something here?

This is the flow -

1. Login method initiates auth url generation
2. Round trip to auth url and retrieval of access token, state etc.
3. Get signing keys (throws CORS error).
4. Post validation, get user information (thrown CORS error after I explicitly tried to skip token validation)

Opened an issue since couldn't find better channel to talk.

error screenshot

Cheers,
Rahul.

At present only the id_token token flow is supported.

Just wanted to say "THANKS!!!!!!" For all your hard work on this Damo!

Fantastic work!!!!!

Cheers mate

Nige

I think the library should handle dependency on jsrsasign, so the developer doesn't have to do it 'manually'. Should figure out a proper way to do it.

Hi,

I used angular 4 with asp core server rendering (based on https://github.com/MarkPieszak/aspnetcore-angular2-universal). This library is compliant with server side rendering?

If not what you advise for ?

Thank

In my component I have a property bound to the isAuthorized which remains false since authorizedCallback is async.

ngOnInit() {
    if (window.location.hash) {
      this.oidcSecurityService.authorizedCallback();
    }
    this.authenticated = this.oidcSecurityService.isAuthorized;
  }

The way I got around this is by subscribing to the onUserDataLoaded EventEmitter, but it feels like there should be an Observable that can emit specifically for this property.

If no provider is defined, the module causes the app to crash. Temp fix remove provider from constructor in version 1.0.6,, and replaced with a setStorage method.

TODO test with side app
documentation

@astegmaier had to reset this, recieved angular errors when no provider was defined per default.

The authorize callback function tries to access the jwk_uris from the well known discovery endpoint without checking and waiting for the endpoint to load.

In certain edge cases, where the configuring module is loaded later, and the discovery of the well known configuration arrives after the call of the authorizeCallback, the authorizeCallback fails with the following error message:

jwks_uri: undefined
angular-auth-oidc-client.es5.js:1495 Unexpected token < in JSON at position 0
OidcSecurityService.handleErrorGetSigningKeys @ angular-auth-oidc-client.es5.js:1495
CatchSubscriber.error @ catch.js:104
MapSubscriber._next @ map.js:80
Subscriber.next @ Subscriber.js:89
onLoad @ http.es5.js:1226
ZoneDelegate.invokeTask @ zone.js:424
onInvokeTask @ core.es5.js:3924
ZoneDelegate.invokeTask @ zone.js:423
Zone.runTask @ zone.js:191
ZoneTask.invoke @ zone.js:486
core.es5.js:1020 ERROR Unexpected token < in JSON at position 0

To fix such timing issues it would be best to wait for the well known config Observable to complete and then parse the callback token.

this.authWellKnownEndpoints.onWellKnownEndpointsLoaded
            .concat(this.http.get(this.authWellKnownEndpoints.jwks_uri)
            .map(this.extractData)
            .catch(this.handleErrorGetSigningKeys));

I get this when I try to run my app.
I guess you left this so the developer perforns the configuration by himself, right?
What happens if I'm using another routing provider like ui-router??

I might be missing something obvious here or I've discovered a bug.

I'm getting an error "Well known endpoints must be loaded before user can login!" when I call securityService.authorize() but only in Firefox. In Chrome and IE11 this works properly and redirects to the login page.

I am using the implicit flow. I'm using angular-auth-oidc-client 1.3.0, Firefox 54.0.1, Angular 4.3.1. This same problem also happens in a different angular 4+ app using angular-auth-oidc-client 1.3.0. It also happens to all 3 coworkers that I tested firefox with in both apps.

This is the setup code:
`initOpenIdServer(): OpenIDImplicitFlowConfiguration {

    if (this.openIdConfiguration != null)
        return this.openIdConfiguration;

    let implicitFlow = new OpenIDImplicitFlowConfiguration();

    implicitFlow.stsServer = this.cs.config.openIdBaseApiUrl;
    implicitFlow.redirect_url = this.cs.config.openIdRedirectUrl;
    implicitFlow.post_logout_redirect_uri = this.cs.config.openIdRedirectUrl;

    implicitFlow.client_id = 'my.id';
    implicitFlow.response_type = 'id_token token';
    implicitFlow.scope = 'openid profile email';

    implicitFlow.start_checksession = true;
    implicitFlow.silent_renew = true;
    implicitFlow.max_id_token_iat_offset_allowed_in_seconds = 10;

    implicitFlow.log_console_warning_active = true;
    implicitFlow.log_console_debug_active = false;

    implicitFlow.startup_route = '/';
    implicitFlow.forbidden_route = '/forbidden';
    implicitFlow.unauthorized_route = '/unauthorized';

    this.securityService.setupModule(implicitFlow);

    return implicitFlow;
}

`

I have verified the values coming from config files are correct before this code runs.

Is there something I should be doing with implicitFlow.override_well_known_configuration or implicitFlow.override_well_known_configuration_url? Do I need to provide different storage for FireFox?

request

Hi,

I'd like to be able to pull the openIDImplicitFlowConfiguration configuration from an external JSON file and assign its values to the openIDImplicitFlowConfiguration object before passing it to the setupModule() method.

I've "outsourced" openIDImplicitFlowConfiguration's properties setting to an Angular service, in order to keep the AppModule clean. The service gets the JSON file with an HTTP request, parses the response with .json() and then passes it to oidcSecurityService.setupModule().
I use eval() on the .storage property, because it is stored as a string in JSON and needs to refer to a variable in the code.

When passing "sessionStorage" or "localStorage" from JSON to openIDImplicitFlowConfiguration.storage, the console throws the following error after calling authorize() and successfully logging in with IdentityServer4.

TypeError: Cannot read property 'storage' of undefined
    at AuthConfiguration.get [as storage] (angular-auth-oidc-client.es5.js:230)
    at BrowserStorage.webpackJsonp.../../../../angular-auth-oidc-client/modules/angular-auth-oidc-client.es5.js.BrowserStorage.read (angular-auth-oidc-client.es5.js:298)
    at OidcSecurityCommon.webpackJsonp.../../../../angular-auth-oidc-client/modules/angular-auth-oidc-client.es5.js.OidcSecurityCommon.retrieve (angular-auth-oidc-client.es5.js:350)
    at OidcSecurityService.webpackJsonp.../../../../angular-auth-oidc-client/modules/angular-auth-oidc-client.es5.js.OidcSecurityService.authorizedCallback (angular-auth-oidc-client.es5.js:1173)

It appears as if the storage property can't be read by your library's AuthConfiguration class, even when the openIDImplicitFlowConfiguration.storage is left unassigned (which should revert to DefaultConfiguration's values).

Using:
Node 8.1.4 on Windows 10
NPM 5.2.0
Angular 4.2.6 (& CLI 1.2.1)
angular-auth-oidc-client 1.2.1

Thank you so much for your help, and for your work!
Victor

Hi Damo,

Im trying out the new angular auth client.

I noticed when using this client ( OidcSecurityService.getToken() )that its not giving me the full access token. Its giving me the authorizationData

baa0badda05ed62ea1b108d7421cf666a00249d5709c4ee50a42b42ce4273162

But it should be giving me the authorizationDataIdToken like:

"eyJhbGciOiJSUzI1NiIsImtpZCI6ImI1ODllOTg0ZmE0ZjZkNDQ0OTIzZDIzNGY2OTIwYmQ5IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MDA3MTQyMjksImV4cCI6MTUwMDcxNDUyOSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDMwNSIsImF1ZCI6ImFuZ.........."

I looked at the securityService but I only see the getToken function hanging off it.

I am I doing this wrong or is the library wrong?

Cheers

For example, you can get angular-auth-oidc-client to store access tokens in Cookies by downloading and adding Cookie-Storage to your project, creating a factory method to provide it:

let cookieStorageFactory = () => {
return new CookieStorage();
}

..and then adding it to the providers array in @NgModule:
{ provide: Storage, useFactory: cookieStorageFactory }

With Angular 4.3 release, Angular team was introduced new module to work with http requests.
I think it's good to use it.
What do you think about it?

@robisim74 @damienbod how about introducing yarn? Instead of / Beside npm 5?

Hi

We are pretty new in the Angular and OpenID Connect land, so maybe we are doing things just plain wrong :)

Our IdentityServer (v3 btw) returns a "large" list of claims ("groupSids" and associated roles) from the UserInfoEndpoint

The jwt is about >5500 chars.

Now we wanted to implement a proper storage for the auth data, so that we can get the silent renew workflow working, but unfortunately the "authorizationDataIdToken" is too big for the cookie and the browser refuses to save it.

The library tries to load some important oidc-keys (e.g. "exp") from the JWT token so it seems the complete authorizationDataIdToken is needed.

Have you a suggestion for us? Are we using the userinfo endpoint wrong? We also could "split" the jwt in several cookies (like in the old ASP.NET days) and combine them during runtime, but I'm not sure if this is the way we should go.
Or just use the HTML5 localStorage?

We faced a similar problem with our WPF Windows client, but we were using Reference-AccessTokens and using access-tokens & refresh-tokens, but it seems in the Angular world it is different. In the fat client app I only store the accesstoken, the expire-date and the refresh-token and thats it. With them I can get a fresh accesstoken and do a proper logout without the super large JWT token.

First of all, I wanted to say thanks for sharing this package. I'm finding it lean, well-conceived, and very useful!

I was trying to use it in the context of a project where I'd like to leverage server-side rendering (SSR) based of this template from @SteveSandersonMS, and I was running into trouble.

One of the constraints of SSR is that there is no access to SessionStorage or LocalStorage. It looks like this package currently depends on these being available in order to successfully retrieve auth tokens from a previous signin.

I'd like to be able to provide server-side mock of the Storage interface that populates its values from cookies. That way, when a page was being rendered in node on the server and it needed to make a call to a protected API, it could pull auth keys from this storage, and everything would work well.

Would you be open to a PR aimed at enabling this scenario? An idea for an approach would be to allow an implementation of Storage to be injected using angular's DI. The constructor of oidc.security.common might look something like this:

constructor(private authConfiguration: AuthConfiguration, private injectedStorage: Storage) {
    if (typeof Storage !== 'undefined') { 
        if (injectedStorage) { this.storage = injectedStorage }
        else { this.storage = sessionStorage; }
    } 
}

Thoughts? I'm happy to work on a PR if you like this direction.

Reject ID Token without kid claim if multiple JWKs supplied in jwks_uri

Request with prompt=login

Request with prompt=none when not logged in

Request with prompt=none when logged in

http://openid.net/wordpress-content/uploads/2016/12/OpenID-Connect-Conformance-Profiles.pdf

openid-certification/oidctest#29

Context

Given I've got an STS at https://sts.foo.com (based on IdentityServer4)
And an Angular Client at https://client.foo.com
And I want to access an API Resource at https://api.foo.com
When I start an implicit flow
Then I get an ID token 
And I get an Access Token with audience "https://client.foo.com"

Question
How can I request an Access Token with an audience of https://api.foo.com?

Package depends on jsrsasign which doesn't tree shake so good. See if it's possible to reduce the size of the auth.module

Some public OpenID server implementations block this for browser applications

Clean up this code.

Reported by @breaman
Using the URL class and the searchParams property doesn't seem to be very well supported in many browsers. (https://developer.mozilla.org/en/docs/Web/API/URL). I tried using the url-polyfill to get this working in IE10+ and Edge, but was unsuccessful. Do you know of a way to get this working in more than just Chrome, Firefox, and Opera?

8cec12f

AuthConfiguration and OidcSecurityService

Have run 1.3.1 / 1.3.2 / 1.3.3 without issue. Went to latest version 1.3.4 and get the error shown in screen dump.

Looking at the code it appears the createAuthorizeUrl is making a call

var /** @type {?} */ customParams =
this.oidcSecurityCommon.retrieve(this.oidcSecurityCommon.storage_custom_request_params);
Object.keys(customParams).forEach(function (key) {
params.set(key, customParams[key]);
});

The 'customParams' object is null hence causing the issue I am seeing locally.

I have tried creating a new app from scratch using the quick start tutorial and still see this problem.

Thoughts?
Thanks!

@robisim74 @FabianGosebrink

This npm is ready now for certification. Should we bump the version to 1.0.0 to do the certifcation?

cheers Damien

The discovery is loaded when then AuthWellKnownEndpoints constructor is call, round trip. Until this is finished, the urls are not available. A check needs to be added for this, before the authorize function is called.

Example
https://github.com/robisim74/angular-l10n/blob/master/src/services/locale-storage.ts

reported by @InDieTasten
light-weight copy-paste callback handler script for iframe callbacks
damienbod/AspNet6IdentityServer4AngularOidcFlows#82

oidc silent-renew only checks for id_token
damienbod/AspNet6IdentityServer4AngularOidcFlows#81

oidc silent-renew unnecessary decoding of tokens in loop
damienbod/AspNet6IdentityServer4AngularOidcFlows#80

I see. Even if the norm is specified like this, I think it does not specify language, right? So we could use Angular Renderer2 class, which allows you to work on the DOM without incurring any errors.
Here another example on how I used Renderer2 in a Directive to support SSR: https://github.com/robisim74/angular-l10n/blob/master/src/models/base-directive.ts but many other examples can easily be found.

Hi,
This might be a question that has a trivial answer, but I'm new to Angular and OIDC.

In order to get a token, where do I specify the Authorization (in header of POST request), and grant_type, username and password (in POST request's body) in the code?

Thanks a lot for your support and for your work!

I'm having an issue for the silent token renew flow.
After a few (three or four) successful token renewals, it seems that the library is starting two consecutive silent renew sessions, which causes the local state to be overridden and the response from the first renewal attempt fails at the state validation.
I'm also including a console log snippet showing the last successful silent renewal attempt and the following one that failed at the state validation.
Please note that the token provider from my scenario is implemented with Identity Server 4 and I replicated the client configuration from the samples provided at damienbod/AspNet5IdentityServerAngularImplicitFlow for the angularclient client.