Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
angular-oauth2-oidc
Advanced tools
Support for OAuth 2(.1) and OpenId Connect (OIDC) in Angular
The angular-oauth2-oidc package is an Angular library that provides support for OAuth 2 and OpenID Connect (OIDC) authentication. It allows developers to easily integrate secure authentication and authorization into their Angular applications.
OAuth2 and OIDC Authentication
This feature allows you to configure and initiate OAuth2 and OIDC authentication in your Angular application. The code sample demonstrates how to set up the OAuthService with the necessary configuration and initiate the login process.
import { OAuthService, AuthConfig } from 'angular-oauth2-oidc';
const authConfig: AuthConfig = {
issuer: 'https://your-identity-server',
redirectUri: window.location.origin + '/index.html',
clientId: 'your-client-id',
scope: 'openid profile email',
responseType: 'code'
};
oauthService.configure(authConfig);
oauthService.loadDiscoveryDocumentAndTryLogin();
Token Management
This feature provides methods to manage tokens, including retrieving access and ID tokens, and refreshing tokens. The code sample shows how to get the access token, ID token, and refresh the token using the OAuthService.
import { OAuthService } from 'angular-oauth2-oidc';
// Get access token
const accessToken = oauthService.getAccessToken();
// Get ID token
const idToken = oauthService.getIdToken();
// Refresh token
oauthService.refreshToken();
User Profile Information
This feature allows you to retrieve user profile information from the ID token. The code sample demonstrates how to get the identity claims and log them to the console.
import { OAuthService } from 'angular-oauth2-oidc';
// Get user profile information
const claims = oauthService.getIdentityClaims();
if (claims) {
console.log(claims);
}
The oidc-client package is a JavaScript library for managing OpenID Connect (OIDC) and OAuth2 authentication. It is framework-agnostic and can be used with any JavaScript framework, including Angular. Compared to angular-oauth2-oidc, oidc-client provides more flexibility but requires more manual setup and integration.
The angular-auth-oidc-client package is another Angular library for implementing OAuth2 and OIDC authentication. It offers similar functionalities to angular-oauth2-oidc, such as token management and user profile retrieval. However, it has a different API and configuration approach, which some developers might find more intuitive or easier to use.
The auth0-angular package is an Angular SDK for integrating Auth0 authentication and authorization services. It provides a seamless way to implement OAuth2 and OIDC authentication with Auth0 as the identity provider. Compared to angular-oauth2-oidc, auth0-angular is specifically designed for use with Auth0 and offers additional features like user management and analytics.
Support for OAuth 2 and OpenId Connect (OIDC) in Angular. Already prepared for the upcoming OAuth 2.1.
Successfully tested with Angular 4.3 to Angular 16 and its Router, PathLocationStrategy as well as HashLocationStrategy and CommonJS-Bundling via webpack.
On the server-side we've used IdentityServer (.NET / .NET Core), Redhat's Keycloak (Java), and Auth0 (Auth0 is officially supported since version 10 of this lib). For Auth0, please have a look into the respective documentation page here.
For using this library with Azure Active Directory (Azure AD), we recommend an additional look to this blog post and the example linked at the end of this blog post.
Also, the Okta community created some guidelines on how to use this lib with Okta. See the links at the end of this page for more information.
Angular 19: Use 19.x versions of this library (should also work with older Angular versions!).
Angular 18: Use 18.x versions of this library (should also work with older Angular versions!).
Angular 17: Use 17.x versions of this library (should also work with older Angular versions!).
Angular 16: Use 16.x versions of this library (should also work with older Angular versions!).
Angular 15: Use 15.x versions of this library (should also work with older Angular versions!).
Angular 14: Use 14.x versions of this library (should also work with older Angular versions!).
Angular 13: Use 13.x versions of this library (should also work with older Angular versions!).
Angular 12: Use 12.x versions of this library (should also work with older Angular versions!).
Angular 11: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 10: Use 10.x versions of this library (should also work with older Angular versions!).
Angular 9: Use 9.x versions of this library (should also work with older Angular versions!).
Angular 8: Use 8.x versions of this library.
Angular 7: Use 7.x versions of this library.
Angular 6: Use Version 4.x of this library. Version 4.x was tested with Angular 6. You can also try the newer version 5.x of this library which has a much smaller bundle size.
Angular 5.x or 4.3: If you need support for Angular < 6 (4.3 to 5.x) you can download the former version 3.1.4 (npm i angular-oauth2-oidc@^3 --save).
Feel free to file pull requests
The issues contain some ideas for PRs and enhancements (see labels)
If you want to contribute to the docs, you can do so in the docs-src
folder. Make sure you update summary.json
as well. Then generate the docs with the following commands:
npm install -g @compodoc/compodoc
npm run docs
You can use the OIDC-Sample-Server used in our examples. It assumes, that your Web-App runs on http://localhost:4200
Username/Password:
clientIds:
redirectUris:
npm i angular-oauth2-oidc --save
If you use Standalone Components introduced with Angular 14, you can use our standalone API (call to provideOAuthClient
) in your main.ts
to setup the OAuthClient
:
// main.ts -- Angular 15+ version
import { bootstrapApplication } from '@angular/platform-browser';
import { provideHttpClient } from '@angular/common/http';
import { AppComponent } from './app/app.component';
import { provideOAuthClient } from 'angular-oauth2-oidc';
bootstrapApplication(AppComponent, {
providers: [
provideHttpClient(),
provideOAuthClient()
]
});
As Angular 14 does have Standalone Components but no Standalone API for its HttpClient
, you need to go with the traditional HttpClientModule
in this version:
// main.ts -- Angular 14 version
import { bootstrapApplication } from '@angular/platform-browser';
import { HttpClientModule } from '@angular/common/http';
import { AppComponent } from './app/app.component';
import { provideOAuthClient } from 'angular-oauth2-oidc';
import { importProvidersFrom } from '@angular/core';
bootstrapApplication(AppComponent, {
providers: [
importProvidersFrom(HttpClientModule),
provideOAuthClient()
]
});
The provideOAuthClient
function takes the same parameters as the forRoot function of the OAuthModule that is still in place for the sake of compatibility with existing code bases.
import { HttpClientModule } from '@angular/common/http';
import { OAuthModule } from 'angular-oauth2-oidc';
// etc.
@NgModule({
imports: [
// etc.
HttpClientModule,
OAuthModule.forRoot()
],
declarations: [
AppComponent,
HomeComponent,
// etc.
],
bootstrap: [
AppComponent
]
})
export class AppModule {
}
Since Version 8, this library supports code flow and PKCE to align with the current draft of the OAuth 2.0 Security Best Current Practice document. This is also the foundation of the upcoming OAuth 2.1.
To configure your solution for code flow + PKCE you have to set the responseType
to code
:
import { AuthConfig } from 'angular-oauth2-oidc';
export const authCodeFlowConfig: AuthConfig = {
// Url of the Identity Provider
issuer: 'https://idsvr4.azurewebsites.net',
// URL of the SPA to redirect the user to after login
redirectUri: window.location.origin + '/index.html',
// The SPA's id. The SPA is registerd with this id at the auth-server
// clientId: 'server.code',
clientId: 'spa',
// Just needed if your auth server demands a secret. In general, this
// is a sign that the auth server is not configured with SPAs in mind
// and it might not enforce further best practices vital for security
// such applications.
// dummyClientSecret: 'secret',
responseType: 'code',
// set the scope for the permissions the client should request
// The first four are defined by OIDC.
// Important: Request offline_access to get a refresh token
// The api scope is a usecase specific one
scope: 'openid profile email offline_access api',
showDebugInformation: true,
};
After this, you can initialize the code flow using:
this.oauthService.initCodeFlow();
There is also a convenience method initLoginFlow
which initializes either the code flow or the implicit flow depending on your configuration.
this.oauthService.initLoginFlow();
Also -- as shown in the readme -- you have to execute the following code when bootstrapping to make the library to fetch the token:
this.oauthService.configure(authCodeFlowConfig);
this.oauthService.loadDiscoveryDocumentAndTryLogin();
The logOut method clears the used token store (by default sessionStorage
) and forwards the user to the auth servers logout endpoint if one was configured (manually or via the discovery document).
this.oauthService.logOut();
If you want to revoke the existing access token and the existing refresh token before logging out, use the following method:
this.oauthService.revokeTokenAndLogout();
If you don't want to display a login form that tells the user that they are redirected to the identity server, you can use the convenience function this.oauthService.loadDiscoveryDocumentAndLogin();
instead of this.oauthService.loadDiscoveryDocumentAndTryLogin();
when setting up the library.
This directly redirects the user to the identity server if there are no valid tokens. Ensure you have your issuer
set to your discovery document endpoint!
You can automate this task by switching sendAccessToken
on and by setting allowedUrls
to an array with prefixes for the respective URLs. Use lower case for the prefixes.
OAuthModule.forRoot({
resourceServer: {
allowedUrls: ['http://www.angular.at/api'],
sendAccessToken: true
}
})
If you need more versatility, you can look in the documentation how to setup a custom interceptor.
If you use the PathLocationStrategy
(which is on by default) and have a general catch-all-route (path: '**'
) you should be fine. Otherwise look up the section Routing with the HashStrategy
in the documentation.
Nowadays, using code flow + PKCE -- as shown above -- is the recommended OAuth 2/OIDC flow for SPAs. To use the older implicit flow, lookup this docs: https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/using-implicit-flow.html
See the documentation for more information about this library.
With regards to tree shaking, beginning with version 9, the JwksValidationHandler
has been moved to a library of its own. If you need it for implementing implicit flow, please install it using npm:
npm i angular-oauth2-oidc-jwks --save
After that, you can import it into your application by using this:
import { JwksValidationHandler } from 'angular-oauth2-oidc-jwks';
instead of that:
import { JwksValidationHandler } from 'angular-oauth2-oidc';
Please note, that this dependency is not needed for the code flow, which is nowadays the recommended flow for single page applications. This also results in smaller bundle sizes.
The use of encodeURIComponent
on the argument passed to initImplicitFlow
and its Code Flow counterparts was mandatory before this version.
Since that was considered a bug, the need to do so was removed. Now the reverse is true if you're upgrading from before 9.0.0: you need to remove any call to encode URI components in your own application, as the library will now do it for you.
FAQs
Support for OAuth 2(.1) and OpenId Connect (OIDC) in Angular
We found that angular-oauth2-oidc demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.