- Add provideAuth for standalone applications
- Docs: adds docs for standalone methods
- Docs: add standalone example
- Fix: returning a loginresponse and not null
- moved the setting of popupauth in storage before opening the popup wi…
- Deprecate guard and update docs
- Bugfix id token expire check
- isCurrentlyInPopup will check for opener and session storage
- Expand configuration per default
- Move code storage values to store to simple boolean
- Bugfix: Library fails on Firefox REOPEN #1621
- added localstorage service. refactored missed jsdocs + fixed imports
- adding provided in root to services
- fix(refreshSession): fix refreshSessionWithRefreshTokens
- bugfix POST logout, missing parameters
- Add silent renew error event
- Improve Popup flows
- Bugfixes revocation
- Updated project to Angular 15
- Support refresh tokens without returning an id_token in the refresh
- run silent renew using only the access token
- id_token only has to be valid on the first authentication
- add support to disable id_token validation completely, not recommended
- Renamed
- Added parameter in config
- logoff() possible now with POST request
- removed deprecated
- Docs: Silent Renew
- Exposing payload of access token
- Fix bug in logoffAndRevokeTokens() which was not revoking the access token correctly
- Fix checkSession messageHandler configuration correctly
- fix: Use correct offset in ID token expiry check
- Bugfix/unable to extract jwk without kid
- Make id_token_hint optional on session end logout
- construction of token endpoint body breaks if pkce is disabled
- deprecating is loading
- added build step for rxjs 6
- Added console debug to fulfill browser filters
- Improve logging error messages
- Support observable open id configuration in sts config http loader constructor
- Fix sample links for azure implementations
- Fix throwing config event
- Bugfix RxJS imports to be compatible with RxJS 6
- Updated dependencies
- Bugfix concurrent issue with renew and normal code flow
- Add disablePkce config parameter
- Bugfix getUserData - You provided an invalid object where a stream was expected.
- Support Angular 14
- Disable id_token time validation
- Fix regression in the check session service
In this version the APP_INITIALIZER was removed (see PR). The library will not do anything until the application interacts with it. There is no preloading of anything, and it does not affect your application's bootstrapping process at all. You can, however, explicitly preload the secure token server's well-known endpoints with a new method called preloadAuthWellKnownDocument(). As a side effect, because the config has to be loaded first, a lot of APIs become reactive and now return an Observable.
See the migration guide.
- refresh token rotation is now optional and can be activated using allowUnsafeReuseRefreshToken
- Fixed getUrlParameter's handling of fragment response
- isLoading observable in OidcSecurityService
- Add redirectUrl customization (via AuthOptions)
- Fix: implicit flow in popup window error (fixes #1385)
- Enhancement: Improved abstract services
- Remove double quotes in info messages
- Enhancement: Added auth result
- Using window.crypto for jwt signature validation
- Removed jsrsasign dependency
- Update to Angular 13 and rxjs 7
- docs(guards): use UrlTree for redirect, clean up
- fixing storage mechanism
- Additional logging when a nonce is created and validated
- Added fix overwriting prompt param
- Unclear error message when providing improper config to module
- added multiple configs documentation
- Expose PopupService and PopupOptions as public
- Support end session for Auth0 (non conform OIDC endpoint)
- Fix #1168 userInfoEndpoint Typo
- Configuration via forRoot(...) method
- Remove the "AuthorizedState" enum in Version 12
- Use a different key than redirect to store redirect route when using autologin
- Return value of loginwithpopup and login should be the same
- How to provide client id during logoff
- urlHandler callback function parameter in LogoffRevocationService.logoff does nothing
- Convert all instances of "Authorized" to "Authenticated"
- Support for multiple APIs with unique scopes
- Multiple access tokens for the same client_id but different scopes
- Is there a silent renew event?
- Angular 12 Support
- Add configuration to disable or enable id_token expired check
- Support for Azure B2C multiple policies
- Improve AutoLoginSample
- Accessing AuthResult response object
- configuration parameter to authority
- Only one return type (object) when subscribing to isAuthenticated and user data to avoid confusion.
- Silent renew does not always start
- AutoLoginGuard appears to cause some sort of infinite loop.
- Support Custom Params for EndSession and RefreshTokens Renew
- Added Auth0 example
- Bugfix: the "use" attr on the jwks key is optional if only one key is present
- bugfix incorrect storage for silent renew, requires Json object
- Enable handling users closing login popup
- Renamed all occurrences of "Persistance" to "Persistence"
- Document public facing API
- Exported and moved authOptions
- Fix(randomService): fix misuse of Uint8Array
- hooking into the zone again to avoid outside ngzone messages and throw event only when value change
- fixed json stringify objects and storage
- fix: use navigateByUrl to fix url params encoding
- Store signing keys as fallback
- Exposing popup options
- Silent renew with refresh tokens - handle no connection use case
- Added Guard CanLoad interface
- Improve AutoLoginGuard
- Add support custom params during token exchange
- Clean up user data when autoUserInfo is false => from id_token
- Inconsistent behavior of OidcSecurityService.userData$ Observable, if autoUserinfo is false
- CheckSessionService keeps polling after logoffLocal() is invoked
- Bugfix: Check session does not work when autoUserinfo is set to false in code flow with PKCE
- Bugfix: checkAuth returning null when href target="_blank"
- Support silent renew with refresh tokens without scope offline access
- Bugfix: Refresh response without an id token breaks mechanism
- Added AutoLoginGuard
- Updated Azure AD, Azure B2C templates to prompt for select_account (problem with multiple accounts)
- Added support for OAuth Pushed authorisation requests (PAR)
- Added Pushed authorisation requests (PAR) example
- Added OAuth Pushed authorisation requests (PAR) template using schematics
- unsubscribe receivedUrl$ prevents multiple "/token" request
- ApplicationRef.isStable is always false when using this package
- Added support for authentication using a popup
- Added popup sample
- Added Title to Silent Renew IFrame
- Added Auth0 template using schematics
- Support aud arrays which are not ordered in id_token validation of refresh token process
- Fixed bug where Dynamic Custom Request Parameters are forgotten after first login or forceRefreshSession when doing a silent renew/refresh
- Added ability to use Custom Parameters when calling ForceRefreshSession
- Missing RefreshToken causes erroneous token request
- Bug. App fully hang during silent renew
- Added checksession null checks
- Added event to throw when config could not be loaded
- Check session fails if secure token server has a different origin than the check_session_iframe
- Fix http config example and templates for HTTP config load
- Do not clear session state when refreshing session with refresh tokens
- Added config tokenRefreshInSeconds which controls the time interval to run the startTokenValidationPeriodically
- Multiple tabs don't receive any event when session state becomes blank
- Fixed issue with browser history on silent renew redirect to IS
- UTC time fix
- Small fixes of docs and naming
- renewUserInfoAfterTokenRenew to OpenIdConfiguration
- Remove items from local storage instead of writing empty string values
- added possibility to pass url to check from the outside (for example to use in electron cases)
- checkAuthIncludingServer cannot complete without credentials
- QueryParams are getting lost when doing a silent renew
- Token endpoint errors not reported correctly
- Refresh checksession iframe regularly
- Load checksession iframe right after checkSessionService.start() is invoked
- Not throwing an exception if interceptor is set and config is loaded from http
- Bug fix: forceRefreshSession prematurely completes its observable #767
- Bug fix: Returns tokens but doesn't apply them #759
- Added support to check the secure token server for an authenticated session if not locally logged in (iframe silent renew)
- fix config bug with eager loading of the well known endpoints
- prevent routing in silent renew requests with iframes
- return tokens direct in forceRefreshSession
- Added validation for the lib configuration
- fixed some doc typos
- fixed bug 2 auth events emitter on secure token server callback
- Eager loading of well known endpoints can be configured: Made it possible to load the well known endpoints late (per configuration)
- make it possible to force a session refresh
- Add configuration property to disable auth_time validation in refresh flows with Azure B2C (Azure B2C implements this incorrectly)
- Fix disable at_hash validation in refresh, this is not a required property
- only use revocation endpoint if supported by the STS
- Fixing the "Can't resolve all parameters for ..." error
- Adding documentation to describe how to load configuration inside of child modules
- Refactor lib config to make it easier to use
- Update project to Angular 9 #610
- added examples #625
- support refresh tokens with example, and docs (coming safari change)
- refactor configuration property names
- eslint conform #627
- Remove avoidable classes and add interfaces instead #626
- Create Loglevel enum instead of boolean "isxyzactive" #628
- Add prefix configuration for storage to allow multiple angular run in parallel #634
- Add an event service with an enum to throw events out #635
- Make folders for features not services, etc. #636
- SilentRenew breaks when using refresh_token and refresh_token is expired/invalid #667
- Pack the tests beside the files which are being tested when feature folders are available #637
- support multiple instances in browser
- Do not provide default config when config should have been set before #644
- Code Verifier not cryptographically random #642
- After successful login, getIsAuthorized still returns false for a bit. #549
- Expose silent renew running observable #447
- Issue with silent renew when js execution has been suspended #605
- Add support for OAuth 2.0 Token Revocation #673
- Silent renew dies if startRenew fails #617
- support for Angular 8 , Angular 9
- redesign login init
- Remove avoidable anys #624
- Use returned expired value of access token for expired validation
- Id_Token is rejected because of timing issue when server hour is different than client hour
- fix validate, fix max time offset #175
- Support azp and multiple audiences #582
- Add extra Refresh token validation #687
- Notification that checking session is initialized #686
- Refactor rxjs events, user profile events, silent renew, check session
- Add support for EC certificates #645
- id_token : alg : HS256 support #597
- redesign docs
- Subscribe startRenew after isAuthorized is true
- check session origin check improvement, support for non-domain urls
- 552-add-config-ignore-nonce-after-refresh
- bug-xmlurlencode-has-newlines
- clean up some file formats
- Added renew process denotation to AuthorizationResult
- bug fix logging, code flow callback
- generic OidcSecurityService.getUserData
- OidcSecurityService with some observables
- Do not check idToken nonce when using refreshToken
- strictNullChecks
- safer-silent-renew
- reduce size of the package
- Ability to change the amount of seconds for the IsAuthorizedRace to do a Timeout
- fixing url parse wo format
- documentation fixes
- use_refresh_token configuration added.
- Added support for refresh tokens in code flow
- expose logger service
- Added a try catch to handle the CORS error that is thrown if the parent has a different origin than the iframe. Issue #466
- bug fix: onConfigurationLoaded does not fire
- bug fix: [SSR] Session storage is not defined
- revert angular build to angular 7, fix npm dist
- remove silent_redirect_url only use silent_renew_url
- refactored configuration for module, angular style
- rename OpenIDImplicitFlowConfiguration to OpenIDConfiguration

```typescript
// Setup with the previous OpenIDImplicitFlowConfiguration class.
this.oidcConfigService.onConfigurationLoaded.subscribe(() => {
    const openIDImplicitFlowConfiguration = new OpenIDImplicitFlowConfiguration();
    openIDImplicitFlowConfiguration.stsServer = this.oidcConfigService.clientConfiguration.stsServer;
    openIDImplicitFlowConfiguration.redirect_url = this.oidcConfigService.clientConfiguration.redirect_url;
    openIDImplicitFlowConfiguration.client_id = this.oidcConfigService.clientConfiguration.client_id;
    openIDImplicitFlowConfiguration.response_type = this.oidcConfigService.clientConfiguration.response_type;

    // `configuration` is not defined in this snippet; it is declared elsewhere in the application.
    configuration.FileServer = this.oidcConfigService.clientConfiguration.apiFileServer;
    configuration.Server = this.oidcConfigService.clientConfiguration.apiServer;

    const authWellKnownEndpoints = new AuthWellKnownEndpoints();
    this.oidcSecurityService.setupModule(openIDImplicitFlowConfiguration, authWellKnownEndpoints);
});
```

```typescript
// Setup with the renamed OpenIdConfiguration type.
import { APP_INITIALIZER, NgModule } from '@angular/core';
import {
    AuthModule,
    ConfigResult,
    OidcConfigService,
    OidcSecurityService,
    OpenIdConfiguration,
} from 'angular-auth-oidc-client';
import { AppComponent } from './app.component'; // path assumed for this snippet

// Loads the client settings from the backend before the application starts.
export function loadConfig(oidcConfigService: OidcConfigService) {
    return () => oidcConfigService.load(`${window.location.origin}/api/ClientAppSettings`);
}

@NgModule({
    imports: [
        // ...other application modules
        AuthModule.forRoot(),
    ],
    providers: [
        OidcConfigService,
        {
            provide: APP_INITIALIZER,
            useFactory: loadConfig,
            deps: [OidcConfigService],
            multi: true
        },
    ],
    bootstrap: [AppComponent],
})
export class AppModule {
    constructor(
        private oidcSecurityService: OidcSecurityService,
        private oidcConfigService: OidcConfigService,
    ) {
        this.oidcConfigService.onConfigurationLoaded.subscribe((configResult: ConfigResult) => {
            const config: OpenIdConfiguration = {
                stsServer: configResult.customConfig.stsServer,
                redirect_url: configResult.customConfig.redirect_url,
                client_id: configResult.customConfig.client_id,
                response_type: configResult.customConfig.response_type,
                scope: configResult.customConfig.scope,
                post_logout_redirect_uri: configResult.customConfig.post_logout_redirect_uri,
                start_checksession: configResult.customConfig.start_checksession,
                silent_renew: configResult.customConfig.silent_renew,
                silent_renew_url: configResult.customConfig.redirect_url + '/silent-renew.html',
                post_login_route: configResult.customConfig.startup_route,
                forbidden_route: configResult.customConfig.forbidden_route,
                unauthorized_route: configResult.customConfig.unauthorized_route,
                log_console_warning_active: configResult.customConfig.log_console_warning_active,
                log_console_debug_active: configResult.customConfig.log_console_debug_active,
                max_id_token_iat_offset_allowed_in_seconds: configResult.customConfig.max_id_token_iat_offset_allowed_in_seconds,
                history_cleanup_off: true
                // Validation switches; while commented out, the library defaults apply.
                // iss_validation_off: false
                // disable_iat_offset_validation: true
            };

            this.oidcSecurityService.setupModule(config, configResult.authWellknownEndpoints);
        });
    }
}
```

- authNonce not cleared in storage after unsuccessful login and logout
- Should 5 seconds timeout on silent_renew be configurable? => fails fast now if server responds
- increased length of state value for OIDC authorize request
- session_state is optional for code flow
- Added disable_iat_offset_validation configuration for clients with clock problems
- Updated the Docs
- Updated the Docs
- Adding sample usage to repo
- Updated the Docs
- Changed to Angular-CLI builder
- Added a sample in this repo
- Add TokenHelperService to public API
- logs: use !! to display getIdToken() and _userData.value in silentRenewHeartBeatCheck()
- bug fix at_hash is optional for code flow
- removing session_state check from code flow response
- Validation state in code callback redirect
- Make it possible to turn off history clean up, so that the angular state is preserved.
- Support for OpenID Connect Code Flow with PKCE
Implicit flow callback renamed from authorizedCallback() to authorizedImplicitFlowCallback()
- Changed iframe to avoid changing history state for repeated silent token renewals
- make it possible to turn the iss validation off per configuration
- reset history after OIDC callback with tokens
- When
is called storage should be cleared before emitting an authorization event.
- AuthConfiguration object will now always return false for start_checksession and silent_renew properties when not running on a browser platform.
- Adding an
Observable to OidcSecurityService
- replaced eventemitters with Subjects/Observables and updated and docs
- Optional url handler for logoff function
- silent_renew is now off by default (false).
- Fix for when token contains multiple dashes or underscores
- Unicode special characters (accents and such) in JWT are now properly…
- authorizedCallback should wait until the module is setup before running.
- Check session will now be stopped when the user is logged out
- Adding validation state result info to authorization event result
- bug fixes in check session
- Refactoring getIsAuthorized()
- A blank
in the check session heartbeat should emit a …
- Fixing inability to turn off silent_renew and adding safety timeout
- check for valid tokens on start up
- silent_renew inconsistent with execution
- Handle callback params that contain equals char
- Removing the fetch package, using the httpClient now instead
- Add unique ending to key to prevent storage crossover
- Public resetAuthorizationData method and getEndSessionUrl function
- wso2 Identity Server audience validation failed support
- Throw error when userinfo_endpoint is not defined (Azure AD)
- Removing resource property from the config, not used.
- fixing silent renew bug
- Updating src to support rxjs 6.1.0, Angular 6.0.0
- Updating src to support typescript 2.7.2
- Lightweight silent renew
- added optional url handler parameter in the authorize function.
- returning bool event from config service
- silent renew fixes
- check session renew fixes
- adding error handling to config service, used for the APP_INITIALIZER
- fixing init process, using APP_INITIALIZER, and proper support for angular guards
- removed override_well_known_configuration, well_known_configuration now loaded from the APP_INITIALIZER
- removed override_well_known_configuration_url, well_known_configuration now loaded from the APP_INITIALIZER
If you want to configure the well known endpoints locally, you need to set this to true.
- fixing rollup build
- adding a check session event
- adding onAuthorizationResult for the silent renew event
- onAuthorizationResult is always sent now
- no redirects are triggered for silent renews
- bug fix incorrect user data type
- bug fix silent renew error handling
- bug fix aud string arrays not supported
- bug fix user data set from id_token, when oidc user api is not supported
- code clean up, package size
- bug fix, rxjs imports
- bug fix, rxjs imports
- using lettable operators rxjs
- bug fix, check session
- refreshSession is now public
- isAuthorized not working on refresh
- Add prompt=none to silent renew, according to the spec; in fact some OPs do not refresh the token in its absence. Related to: #14
- Fix the starting of silent renew and check session after the authWellKnownEndpoint has been loaded, to avoid an undefined router (they use its info)
- Fix(building): public api exports
- fix: adding additional URL parameters to the authorize request in IE, Edge
- documentation HTTPClient intercept
- fixing peer dependency bug
- Update to HttpClient
- Removing forChild function, not used
- Renaming startup_route to post_login_route
- setting better default values for the configuration
- Documentation fixes
- Fix rxjs imports
- Add optional hd parameter for Google Auth with particular G Suite domain, see https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
- fix: local_state is always null because is not being set
- fix: change for empty header in id_token, improved logging
- fix: Local Storage session_state undefined parse error
- fix: silent renew fix after refresh
- fix: OidcSecurityService emits onModuleSetup before authWellKnownEndpoints are loaded
- fix: if auto_userinfo is false, we still need to execute runTokenValidation
- Add silent_renew_offset_in_seconds option
- Add option to trigger event on authorization resolution instead of automatic redirect
- Throws Exception when the library is used in an application inside an iframe (cross domain)
- updating jsrsasign
- endsession support for custom parameters
- auto_clean_state_after_authentication which can be used for custom state logic handling
- support for hash routes
- support for custom authorization strings like Azure Active Directory B2C
- Fix authorization url construction
- adding moduleSetup boolean so that the authorization callback can wait until the module is ready
- API new function for get id_token
- API new function for get user info
- user info configuration for auto get user info after login
- API custom request params can be added to the authorization request URL using the setCustomRequestParameters function
- bugfix error handling
- bugfix configuration default values
- bugfix refresh isAuthorized
- bugfix refresh user data
- support reading json file configurations
- Fix types in storage class
- support for SSR
- support for custom storage
- bugfix server side rendering, null check for storage
- clean up session management
- bugfix Silent token renew fails on state validation
- API documentation
- refactor init of module
- setStorage method added
- bug fix well known endpoints loaded logout.
- Event for well known endpoints loaded
- storage can be set per function
- Adding support for server rendering in Angular
- storage can be set now
- updating validation messages
- Bug fix no kid validation with single, multiple jwks headers
- Bug fix validation
- Version for OpenID Certification
- support for decoded tokens
- Adding a resource configuration
- Validating kid in id_token header
- remove manual dependency to jsrsasign
- build clean up
- new configuration override for well known endpoints.
- validate user data sub value
- id_token flow
- fixed rollup build
- Adding some docs to the project
- init